Edit tour

Windows Analysis Report
http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d187249b7de2efd8

Overview

General Information

Sample URL:	http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d187249b7de2efd8
Analysis ID:	632526
Infos:

Detection

Score:	8
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

chrome.exe (PID: 2332 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d187249b7de2efd8 MD5: C139654B5C1438A95B321BB01AD63EF6)

chrome.exe (PID: 5812 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,4069944722488659976,14944427691238441646,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1940 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)

chrome.exe (PID: 6748 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,4069944722488659976,14944427691238441646,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4788 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)

elevation_service.exe (PID: 6728 cmdline: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe MD5: AFD137B53BA091ACBA569255B16DF837)

ChromeRecovery.exe (PID: 492 cmdline: "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={071c9bf8-cee5-4f16-a546-0f1aec4e4f3e} --system MD5: 49AC3C96D270702A27B4895E4CE1F42A)

cleanup

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: accounts.google.com

Source: global traffic

HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DC9029 lstrlenW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,

17_2_00DC9029

Source: ChromeRecovery.exe.14.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ChromeRecovery.exe.14.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DDC8DF	17_2_00DDC8DF
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DE51B0	17_2_00DE51B0
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DD7AF1	17_2_00DD7AF1
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DE328B	17_2_00DE328B
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DD02A1	17_2_00DD02A1
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DE4A67	17_2_00DE4A67
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DE423B	17_2_00DE423B
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DE44E5	17_2_00DE44E5
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DDF428	17_2_00DDF428
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DE3EC9	17_2_00DE3EC9
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DE56B9	17_2_00DE56B9
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DD7E39	17_2_00DD7E39
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DE47AC	17_2_00DE47AC
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DDEFA0	17_2_00DDEFA0

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: String function: 00DCFE60 appears 43 times

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DC9D31: CreateFileW,DeviceIoControl,CloseHandle,

17_2_00DC9D31

Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d187249b7de2efd8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,4069944722488659976,14944427691238441646,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1940 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,4069944722488659976,14944427691238441646,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4788 /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Process created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={071c9bf8-cee5-4f16-a546-0f1aec4e4f3e} --system
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,4069944722488659976,14944427691238441646,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1940 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,4069944722488659976,14944427691238441646,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4788 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Process created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={071c9bf8-cee5-4f16-a546-0f1aec4e4f3e} --system	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Mutant created: \BaseNamedObjects\Global\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DC1209 LoadResource,LockResource,SizeofResource,

17_2_00DC1209

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-628C37CF-91C.pma

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Temp\fdde1a6e-3537-40bb-94ac-392e6702c2fa.tmp

Jump to behavior

Source: classification engine

Classification label: clean8.win@33/121@2/5

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecoveryCRX.crx	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\_metadata\verified_contents.json	Jump to behavior

Source:	Binary string: GoogleUpdateB231574670_unsigned.pdb` source: ChromeRecovery.exe, 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmp, ChromeRecovery.exe, 00000011.00000000.560813476.0000000000DE7000.00000002.00000001.01000000.00000003.sdmp, ChromeRecovery.exe.14.dr
Source:	Binary string: GoogleUpdateB231574670_unsigned.pdb source: ChromeRecovery.exe, 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmp, ChromeRecovery.exe, 00000011.00000000.560813476.0000000000DE7000.00000002.00000001.01000000.00000003.sdmp, ChromeRecovery.exe.14.dr

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DE39A3 push ecx; ret		17_2_00DE39B6
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DCFEA6 push ecx; ret		17_2_00DCFEB9

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DCE00C CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection,

17_2_00DCE00C

Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe

File created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Jump to dropped file

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DC3298 GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,

17_2_00DC3298

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Temp\2332_230541184\LICENSE.txt

Jump to behavior

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DD02A1 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

17_2_00DD02A1

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_17-20377

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_17-19488

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DE525D VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

17_2_00DE525D

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DD98C3 FindFirstFileExW,

17_2_00DD98C3

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DCF243 IsDebuggerPresent,OutputDebugStringW,

17_2_00DCF243

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DD3E6C mov ecx, dword ptr fs:[00000030h]		17_2_00DD3E6C
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DD9665 mov eax, dword ptr fs:[00000030h]		17_2_00DD9665

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DE525D VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

17_2_00DE525D

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DC41A3 CreateFileW,GetFileAttributesExW,OutputDebugStringW,CloseHandle,GetLastError,WriteFile,

17_2_00DC41A3

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

17_2_00DCE00C

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DC13D8 GetProcessHeap,

17_2_00DC13D8

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DCE00C CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection,	17_2_00DCE00C
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DCE2C3 FreeLibrary,FreeLibrary,FreeLibrary,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection,DeleteCriticalSection,ReleaseSemaphore,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,DeleteCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,	17_2_00DCE2C3
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DCFE00 SetUnhandledExceptionFilter,	17_2_00DCFE00
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DCF886 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00DCF886
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DD323D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00DD323D
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DCE4E6 EnterCriticalSection,SetUnhandledExceptionFilter,	17_2_00DCE4E6
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DCFC6A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00DCFC6A
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	Code function: 17_2_00DCE553 SetUnhandledExceptionFilter,LeaveCriticalSection,	17_2_00DCE553

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DC59D6 GetSecurityDescriptorDacl,SetSecurityDescriptorDacl,

17_2_00DC59D6

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DC8FB3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

17_2_00DC8FB3

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DCFAC3 cpuid

17_2_00DCFAC3

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DC8E0B GetVersionExW,GetProcAddress,FreeLibrary,

17_2_00DC8E0B

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Code function: 17_2_00DC3047 GetLocalTime,GetCurrentThreadId,GetCurrentProcessId,

17_2_00DC3047

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	Path Interception	1 Process Injection	3 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d187249b7de2efd8	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	1%	Virustotal	Browse
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	0%	Metadefender	Browse
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://dns.google	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
accounts.google.com	142.250.184.205	true	false	high
clients.l.google.com	142.250.185.110	true	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dns.google	0b6b6f12-a23f-4eca-9dbc-aa10a76b0d74.tmp.2.dr, d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 05187f3a-574f-40d6-b7f6-b4de239a77c6.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	false	URL Reputation: safe	unknown
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p	craw_background.js.1.dr, craw_window.js.1.dr	false		high
https://www.google.com/intl/en-US/chrome/blank.html	craw_background.js.1.dr	false		high
https://ogs.google.com	d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	false		high
https://www.google.com/images/cleardot.gif	craw_window.js.1.dr	false		high
https://payments.google.com/payments/v4/js/integrator.js	manifest.json.1.dr, craw_window.js.1.dr	false		high
https://easylist.to/)	LICENSE.txt.1.dr	false		high
https://sandbox.google.com/payments/v4/js/integrator.js	manifest.json.1.dr, craw_window.js.1.dr	false		high
https://www.google.com/images/x2.gif	craw_window.js.1.dr	false		high
https://accounts.google.com/MergeSession	craw_window.js.1.dr	false		high
https://creativecommons.org/compatiblelicenses	LICENSE.txt.1.dr	false		high
https://www.google.com	d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	false		high
https://www.google.com/images/dot2.gif	craw_window.js.1.dr	false		high
https://github.com/easylist)	LICENSE.txt.1.dr	false		high
https://creativecommons.org/.	LICENSE.txt.1.dr	false		high
https://accounts.google.com	d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	false		high
https://clients2.googleusercontent.com	d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	false		high
https://apis.google.com	d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	false		high
https://www.google.com/accounts/OAuthLogin?issueuberauth=1	craw_window.js.1.dr	false		high
https://www.google.com/	manifest.json.1.dr	false		high
https://www-googleapis-staging.sandbox.google.com	craw_background.js.1.dr, craw_window.js.1.dr	false		high
https://clients2.google.com	d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	false		high
https://clients2.google.com/service/update2/crx	manifest.json.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.110	clients.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.184.205	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	632526
Start date and time: 23/05/202218:40:21	2022-05-23 18:40:21 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d187249b7de2efd8
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean8.win@33/121@2/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 94.4%) Quality average: 80% Quality standard deviation: 27.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 36 Number of non-executed functions: 80
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 184.30.21.144, 173.222.108.210, 173.222.108.226, 142.250.186.174, 74.125.108.200, 34.104.35.123, 142.250.186.131, 142.250.185.131, 142.250.185.99
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, r3.sn-1gi7znek.gvt1.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, clientservices.googleapis.com, a767.dspw65.akamai.net, arc.msn.com, wu-bg-shim.trafficmanager.net, r3---sn-1gi7znek.gvt1.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, redirector.gvt1.com, edgedl.me.gvt1.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, update.googleapis.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.gstatic.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	451603
Entropy (8bit):	5.009711072558331
Encrypted:	false
SSDEEP:	12288:ZHfRTyGZ6lup8Cfrvq4JBPKh+FBlESBw4p6:NfOCzvRKhGvwJ
MD5:	A78AD14E77147E7DE3647E61964C0335
SHA1:	CECC3DD41F4CEA0192B24300C71E1911BD4FCE45
SHA-256:	0D6803758FF8F87081FAFD62E90F0950DFB2DD7991E9607FE76A8F92D0E893FA
SHA-512:	DDE24D5AD50D68FC91E9E325D31E66EF8F624B6BB3A07D14FFED1104D3AB5F4EF1D7969A5CDE0DFBB19CB31C506F7DE97AF67C2F244F7E7E8E10648EA8321101
Malicious:	false
Reputation:	low
Preview:	BDic.... ....6...."..Z..4g....6.2...{/...3...5....AF 1363.AF nm.AF pt.AF n1.AF p.AF tc.AF SM.AF M.AF S.AF MS.AF MNR.AF GDS.AF MNT.AF MH.AF MR.AF SZMR.AF MJ.AF MT.AF MY.AF MRZ.AF MN.AF MG.AF RM.AF N.AF MV.AF XM.AF DSM.AF SD.AF G.AF R.AF MNX.AF MRS.AF MD.AF MNRB.AF B.AF ZSMR.AF PM.AF SMNGJ.AF SMN.AF ZMR.AF SMGB.AF MZR.AF GM.AF SMR.AF SMDG.AF RMZ.AF ZM.AF MDG.AF MDT.AF SMNXT.AF SDY.AF LSDG.AF LGDS.AF GLDS.AF UY.AF U.AF DSGNX.AF GNDSX.AF DSG.AF Y.AF GS.AF IEMS.AF YP.AF ZGDRS.AF XGNVDS.AF UT.AF GNDS.AF GVDS.AF MYPS.AF XGNDS.AF TPRY.AF MDSG.AF ZGSDR.AF DYSG.AF PMYTNS.AF AGDS.AF DRZGS.AF PY.AF GSPMDY.AF EGVDS.AF SL.AF GNXDS.AF DSBG.AF IM.AF I.AF MDGS.AF SMY.AF DSGN.AF DSLG.AF GMDS.AF MDSBG.AF SGD.AF IY.AF P.AF DSMG.AF BLZGDRS.AF TR.AF AGSD.AF ZGBDRSL.AF PTRY.AF ASDGV.AF ASM.AF ICANGSD.AF ICAM.AF IKY.AF AMS.AF PMYTRS.AF BZGVDRS.AF SDRBZG.AF GVMDS.AF PSM.AF DGLS.AF GNVXDS.AF AGDSL.AF DGS.AF XDSGNV.AF BZGDRS.AF AM.AF AS.AF A.AF LDSG.AF AGVDS.AF SDG.AF LDSMG.AF EDSMG.AF EY.AF DRSMZG.AF PRYT.AF LZ

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

Download File

Process:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	259472
Entropy (8bit):	6.621401853828968
Encrypted:	false
SSDEEP:	6144:wgtABO5wl1poLsQXo2fJjazGDJvvLAOk7CWn5l4rB+5Jb:wgtAFB+sQXo2ZRG7CWnaB+5Jb
MD5:	49AC3C96D270702A27B4895E4CE1F42A
SHA1:	55B90405F1E1B72143C64113E8BC65608DD3FD76
SHA-256:	82AA3FD6A25CDA9E16689CFADEA175091BE010CECAE537E517F392E0BEF5BA0F
SHA-512:	B62F6501CB4C992D42D9097E356805C88AC4AC5A46EAD4A8EEE9F8CBAE197B2305DA8AAB5B4A61891FE73951588025F2D642C32524B360687993F98C913138A0
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 1%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;....zp..zp..zp...s.qzp...u..zp...t.\zp...s.izp...u.;zp...t.gzp...q.fzp..zq..{p...y.Ezp.....~zp..z..~zp...r.~zp.Rich.zp.................PE..L....a\|b.................V..........\|........p....@.......................... ......vI....@.................................Tl..........p2...............#...... $...\..T...........................(]..@............p..H............................text....U.......V.................. ..`.rdata.......p.......Z..............@..@.data...d'...........j..............@....rsrc...p2.......4...x..............@..@.reloc.. $.......&..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecoveryCRX.crx

Download File

Process:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	145035
Entropy (8bit):	7.995615725071868
Encrypted:	true
SSDEEP:	3072:TdgEhmDf+E8VY0x81Rkc6L2oqzqkPEu30gZlc3G2ZknF:TyEhmDf+/+Fnkj6lEukgZyyF
MD5:	EA1C1FFD3EA54D1FB117BFDBB3569C60
SHA1:	10958B0F690AE8F5240E1528B1CCFFFF28A33272
SHA-256:	7C3A6A7D16AC44C3200F572A764BCE7D8FA84B9572DD028B15C59BDCCBC0A77D
SHA-512:	6C30728CAC9EAC53F0B27B7DBE2222DA83225C3B63617D6B271A6CFEDF18E8F0A8DFFA1053E1CBC4C5E16625F4BBC0D03AA306A946C9D72FAA4CEB779F8FFCAF
Malicious:	false
Reputation:	low
Preview:	Cr24..............0.."0....H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L\|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.\|1..n.<Fb..f..Q1.....s..2..{.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-eu...b..........S'.....2.{.....'....+.'.."..Y.x.ISa...)....H.&92..?!..~..F.5."...n,.B.-\|\.)..(..... ]G..j.-M)....C......o&L..0.K.....UtP.&.N...;..^w/a{)v...~KG;...?.1...k.c..D.U......J.6.`.G.5.x.k..[...i.A.@I^..I.<A. J...j.'.G.`.$q.N..Tdq]2]p.OF..#.#......'....8.3......0.."0....H.............0.............O..(...':19..O/.>....=.....m.n\.z..q.....JW..F......+H.Z+KGO.9....8.....U...&.y....,$...?.Eo.....\f/.Z..+M8...B.3'..Y.r...X.AS?.~..k..n....... Z...&.G....."n..........l.0v.x#<....Lx,-.w..-..d.....J.pT..('e~{%kQ.Q......rI.....Z....v.N.....J.d_......rX.......w@.b.[.c../V.'c...!.~.k..}z...U.S..nC......@.......Y..#.D.z.....5&.1O...X=p..2.F..P.6yP..>{.....HBX.*.E5....y..

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1772
Entropy (8bit):	6.019907048086037
Encrypted:	false
SSDEEP:	48:p/hPGxBJ7akeSpKssMLgWuG7bmTkfhs8vox:R9i7aaKssMUWuG7biIQx
MD5:	35C7E305A06F30D3F0A97693C3504265
SHA1:	B30C965F53A93676CC9D87D29F5E6AC5B605DD84
SHA-256:	3B6FB2683B4DFD83FDD0C6EE096F378AA85C6B1ACC73EC66288802A71C9381F7
SHA-512:	A6AC0DDC3C99D59A2C667410FE94BB8F267D1CF422C337FEBCFBAE23D5C965B0E965FF0B77FC88FA9E7B06EE6CE6D532B6ECB0D87A53FB282260EF812379EB7C
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJDaHJvbWVSZWNvdmVyeS5leGUiLCJyb290X2hhc2giOiJVUTRsOWhOY3VCS21lc2Utakd2ZE52X1VCWXFTTWNpTGZQM3pxZ2tnXy0wIn0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6IjBhd25UUEVCZ0NEeTJXTmFVWTdSb2ZJY3dzdnA0cVE1THNlUzFVdGJVdjQifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJmcGplb2FkbWdlZGFqcGxtcG9hYWprY2hkb2ZjbHBrZiIsIml0ZW1fdmVyc2lvbiI6IjEuMy4zNi4xNDEiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"ef1pxaTj-_-MaYe95eLdI4WHEPJq4PB7n1seVNh9AxlAGhDeKZD2PDPdzEYwLEXP6d3DCgNBaZDMZeByzQbRob9fSKBwHKzITZC0ScxWJTc8DuWlYfQdRMTrzxr_7S1FVvRx4Fxi7FFg921RIa7d2zXCGnA8qIvfUzYBU0TYoMeo--GC5JmJGpwrDi_9Xq0saxXUViu8o7Vlbul2ZEFLNMpHSfafBFLJVD_0cJc5arSdhdEVdAW1MztVSQ8CFfKhci2LBn3fKihN2_klwBKfbfmzKNm5aLoOf_iG3hjIoLji8dcxYo5sYXugJENpRrs-_AclQKykKKuD8wi45RK

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.682333395896383
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFJ9LAG9Xg0XTFHqS1wP/pEeSWU4pv/8F/FxLj2RF2fcTZTotL:F6VlM90ggITgS1wnuWfB0NpK4aotL
MD5:	7A8E3A0B6417948DF4D49F3915428D7A
SHA1:	4FC084AABDB13483567D5C417C7ED8FD16726A80
SHA-256:	D1AC274CF1018020F2D9635A518ED1A1F21CC2CBE9E2A4392EC792D54B5B52FE
SHA-512:	064D84A57B28C19AD10742859DA493D0826B47ADC632F6C623DFB4DE36D72A9D29BE98518061A9FFD42D99FCF01F27DE39CE74782B3A5ACBBE11DFDDEEAB59A1
Malicious:	false
Reputation:	low
Preview:	{. "manifest_version": 2,. "name": "ImprovedRecoveryComponentInner",. "version": "1.3.36.141",. "imageName": "image.squash",. "squash": true,. "fsType": "squashfs",. "isRemovable": false.}

C:\Users\user\AppData\Local\Google\Chrome\User Data\2db15e99-6dfc-42b5-beea-8434781f5299.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	400260
Entropy (8bit):	6.026690077443186
Encrypted:	false
SSDEEP:	6144:UeX5kVfXhSm/TCXnqn3A9cG0OP1eVxR+v+F7EFpfY4XB3iE7ZPXYGzLxinq:UUkhxSa+qKcGNPUZ+w7wJHyEtAWr
MD5:	48D31CAA475C0790BE217FA92A8A5E22
SHA1:	EF2EB57642FBAF82AD2634388ADFB06D7FC0A1D1
SHA-256:	8BF1D7AB52753D4B49D3DD0820229CE75C1313392CAA2A3057AB2D10B3AA7A5E
SHA-512:	71CFC8E80515DCDCF13E59FCAE8AB1AB74537B5EB8616FAC535A0438D7AEDF11AD967DFE5BF50B1CC9FCA8B1AC0AB04C9D0B63D5C9981A82AADA0E5D70361AAF
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.653356498580682e+12,"network":1.6533241e+12,"ticks":178557639.0,"uncertainty":3967768.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACMBYze0bKMTIhZGR/AW4M5AAAAAAIAAAAAABBmAAAAAQAAIAAAACoSPhbyumSaNjLuAHEna2OUDn+rpXOk+H/ONjHe5ZwbAAAAAA6AAAAAAgAAIAAAADezR1ii2QiPYGPz0Jd0ZQiE5jKOKMttbbwwADHJYDpEMAAAACuIP4EJtfud3aEFZzvijkFSTP1RNwcy8fFg19xXfiV1Q9wriZb5iS+jYbOXKVX44kAAAAByJv8rXU2wt9ZoSemiGl7Rv1MeHwgrJRvbYcUfMpjLAz2bh77nWHOppVpZzR2K2uw89vs6aWrPXuiWeIEQQvEM"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291230364373940"},"plugins":{"metadata":{"adobe-flash-player":{"displa

C:\Users\user\AppData\Local\Google\Chrome\User Data\426527fa-1326-451c-ab76-fc2c90e7ffeb.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	408721
Entropy (8bit):	6.046944454828111
Encrypted:	false
SSDEEP:	6144:seX5kVfXhSm/TCXnqn3A9cG0OP1eVxR+v+F7EFpfY4XB3iE7ZPXYGzLxinq:sUkhxSa+qKcGNPUZ+w7wJHyEtAWr
MD5:	0535709FD1A7EFC88A75B816AF6B92B5
SHA1:	68D9B3564A43127532D366DA139315F286347756
SHA-256:	782F5BADCF68EE587C29EA1EF1800A96D7EB6808BB40B234FB5322DB711BF5F7
SHA-512:	DCA0E8A919E4B365A125521F88BCC492FE63F7D62CEB1FE3AB990EEE115900099311DF9DF075F797393C8D7CD35CE33C8B3EDB2E803B1C1AD0D0580E8CFE2330
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.653356498580682e+12,"network":1.6533241e+12,"ticks":178557639.0,"uncertainty":3967768.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACMBYze0bKMTIhZGR/AW4M5AAAAAAIAAAAAABBmAAAAAQAAIAAAACoSPhbyumSaNjLuAHEna2OUDn+rpXOk+H/ONjHe5ZwbAAAAAA6AAAAAAgAAIAAAADezR1ii2QiPYGPz0Jd0ZQiE5jKOKMttbbwwADHJYDpEMAAAACuIP4EJtfud3aEFZzvijkFSTP1RNwcy8fFg19xXfiV1Q9wriZb5iS+jYbOXKVX44kAAAAByJv8rXU2wt9ZoSemiGl7Rv1MeHwgrJRvbYcUfMpjLAz2bh77nWHOppVpZzR2K2uw89vs6aWrPXuiWeIEQQvEM"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245952488007586"},"plugins":{"metadata":{"adobe-flash-player":{"displa

C:\Users\user\AppData\Local\Google\Chrome\User Data\4f2d5ca0-f60d-498f-965c-dc3d8f7f9e3c.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	102308
Entropy (8bit):	3.7488300768756004
Encrypted:	false
SSDEEP:	384:E/89J5Hs23s/PVoOV0Ntruvxr3SlDeHrI6GdWxrsPFxyxb6xSrzPirQhmYsCMrFM:i6u5ddJA24ej14fUHHO3KRf1Zh
MD5:	A850CAAC4AAEE14B2407F377D66C8205
SHA1:	2083DEE3A71ECD80CAFACCE2CF08D8D5DA819D34
SHA-256:	BFE748E9B87A352FD4C4A670441EFADADB801C7626E23666B3EE4640A6B4824F
SHA-512:	C3B7BE5110B1ACA9F066A26B52025B90F700EA3B36EB1942A58FEB45ECF9FC4007F0FCAEBFD5877F50DA6C749B63B5BEFADBF7C6338A9094EAA025C0B46AC441
Malicious:	false
Reputation:	low
Preview:	...................C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L..P!...[)...%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e.\.o.f.f.i.c.e.1.6.\.......g.r.o.o.v.e.e.x...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .2.0.1.6......M.i.c.r.o.s.o.f.t. .O.n.e.D.r.i.v.e. .f.o.r. .B.u.s.i.n.e.s.s. .E.x.t.e.n.s.i.o.n.s.....1.6...0...4.7.1.1...1.0.0.0.....*...C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....]8.D...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .S.h.a.r.e.d.\.O.F.F.I.C.E.1.6.\.m.s.o.s.h.e.x.t...d.l.l..@.....U/...%.c.o.m.m.o.n.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .s.h.a.r.e.d.\.o.f.f.i.c.e.1.6.\.......m.s.o.s.h.e.x.t...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.)...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .S.h.e.l.l. .E.x.t.e.n.s.i.o.n. .H.a.n.d.l.e.r.s.......1.6...0...4.2.6.6...1.0.0.1.....D...C.:.\.P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Google\Chrome\User Data\6cd790b6-5099-416e-9dac-a9f89a1d53f5.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	408721
Entropy (8bit):	6.046943637982165
Encrypted:	false
SSDEEP:	6144:FeX5kVfXhSm/TCXnqn3A9cG0OP1eVxR+v+F7EFpfY4XB3iE7ZPXYGzLxinq:FUkhxSa+qKcGNPUZ+w7wJHyEtAWr
MD5:	B429378DED7DC53443B11C0F8E4F9AA8
SHA1:	45B3C969F32268F06611C12C0C189D4B3E3CD4A5
SHA-256:	2A2BD57E2BE36166A51CF827D4287CA96DF464EF843D47BA493098E26DC291A5
SHA-512:	D32A0C4B637EFB44BA599E07A3E3EA49ABD1ED6EA64318A06FC9790BCD97D4D4EB64F8A63BFD7B08F702DE3AF5FEA1E9233A6A8A7A14B8A698F5F51403AEA139
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.653356498580682e+12,"network":1.6533241e+12,"ticks":178557639.0,"uncertainty":3967768.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACMBYze0bKMTIhZGR/AW4M5AAAAAAIAAAAAABBmAAAAAQAAIAAAACoSPhbyumSaNjLuAHEna2OUDn+rpXOk+H/ONjHe5ZwbAAAAAA6AAAAAAgAAIAAAADezR1ii2QiPYGPz0Jd0ZQiE5jKOKMttbbwwADHJYDpEMAAAACuIP4EJtfud3aEFZzvijkFSTP1RNwcy8fFg19xXfiV1Q9wriZb5iS+jYbOXKVX44kAAAAByJv8rXU2wt9ZoSemiGl7Rv1MeHwgrJRvbYcUfMpjLAz2bh77nWHOppVpZzR2K2uw89vs6aWrPXuiWeIEQQvEM"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291230364373940"},"plugins":{"metadata":{"adobe-flash-player":{"displa

C:\Users\user\AppData\Local\Google\Chrome\User Data\8bec16de-ccc2-4bdd-884b-5a4ae16f8318.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	408721
Entropy (8bit):	6.046944454828111
Encrypted:	false
SSDEEP:	6144:seX5kVfXhSm/TCXnqn3A9cG0OP1eVxR+v+F7EFpfY4XB3iE7ZPXYGzLxinq:sUkhxSa+qKcGNPUZ+w7wJHyEtAWr
MD5:	0535709FD1A7EFC88A75B816AF6B92B5
SHA1:	68D9B3564A43127532D366DA139315F286347756
SHA-256:	782F5BADCF68EE587C29EA1EF1800A96D7EB6808BB40B234FB5322DB711BF5F7
SHA-512:	DCA0E8A919E4B365A125521F88BCC492FE63F7D62CEB1FE3AB990EEE115900099311DF9DF075F797393C8D7CD35CE33C8B3EDB2E803B1C1AD0D0580E8CFE2330
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.653356498580682e+12,"network":1.6533241e+12,"ticks":178557639.0,"uncertainty":3967768.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACMBYze0bKMTIhZGR/AW4M5AAAAAAIAAAAAABBmAAAAAQAAIAAAACoSPhbyumSaNjLuAHEna2OUDn+rpXOk+H/ONjHe5ZwbAAAAAA6AAAAAAgAAIAAAADezR1ii2QiPYGPz0Jd0ZQiE5jKOKMttbbwwADHJYDpEMAAAACuIP4EJtfud3aEFZzvijkFSTP1RNwcy8fFg19xXfiV1Q9wriZb5iS+jYbOXKVX44kAAAAByJv8rXU2wt9ZoSemiGl7Rv1MeHwgrJRvbYcUfMpjLAz2bh77nWHOppVpZzR2K2uw89vs6aWrPXuiWeIEQQvEM"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245952488007586"},"plugins":{"metadata":{"adobe-flash-player":{"displa

C:\Users\user\AppData\Local\Google\Chrome\User Data\8e3d563a-7914-407b-945b-76d626f1938d.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	400455
Entropy (8bit):	6.027044571698599
Encrypted:	false
SSDEEP:	6144:/eX5kVfXhSm/TCXnqn3A9cG0OP1eVxR+v+F7EFpfY4XB3iE7ZPXYGzLxinq:/UkhxSa+qKcGNPUZ+w7wJHyEtAWr
MD5:	3AE48C95C300DDEF8FD4A547CDB3DA65
SHA1:	042C983DDDFC844193F1F1AA1081E0C88CDE4F7D
SHA-256:	EF2BCED24AFDC3E693FF2DDC9776AA274CC97E5B879E47CE0A67E5AAD0CF0CDF
SHA-512:	D4D4F7E0FD4CE8E7D8FED48F0E398C7589EC0B44FFEC07D50FF4A465A6B1619C0DBBF69C74FA3F47B811179EACA481B47F40E8358863415D973C0686418A2F9F
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.653356498580682e+12,"network":1.6533241e+12,"ticks":178557639.0,"uncertainty":3967768.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACMBYze0bKMTIhZGR/AW4M5AAAAAAIAAAAAABBmAAAAAQAAIAAAACoSPhbyumSaNjLuAHEna2OUDn+rpXOk+H/ONjHe5ZwbAAAAAA6AAAAAAgAAIAAAADezR1ii2QiPYGPz0Jd0ZQiE5jKOKMttbbwwADHJYDpEMAAAACuIP4EJtfud3aEFZzvijkFSTP1RNwcy8fFg19xXfiV1Q9wriZb5iS+jYbOXKVX44kAAAAByJv8rXU2wt9ZoSemiGl7Rv1MeHwgrJRvbYcUfMpjLAz2bh77nWHOppVpZzR2K2uw89vs6aWrPXuiWeIEQQvEM"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291230364373940"},"plugins":{"metadata":{"adobe-flash-player":{"displa

C:\Users\user\AppData\Local\Google\Chrome\User Data\9729e2f1-e929-420b-9a9e-5255264f83b0.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	101588
Entropy (8bit):	3.7491500287729234
Encrypted:	false
SSDEEP:	384:6/89J5Hs23s/PVoOV0Ntruvxr3SlDeHrI6GdWxrsPFxyxb6xSrzPirQhmYTMrF1e:o6u5ddJ224ej14fUHHO3KRf1Z9
MD5:	F0F521C5FA766607B6138136EC910A86
SHA1:	B200E96EDCA6A903A97D818396551902EECC416C
SHA-256:	1B06A046D1DF6A7729A121456C80C3383E136F9DEC858AEA872B437F096716D3
SHA-512:	76714033AB9C4D0ABDD5CAFB3EF2C33027D9BCE3E23D6FCB45FF935E0F22B8B8C3C24FBC8761BE389A5B158231413CABFDCCF0DE8ED85CB6B39035DAF9CD78C5
Malicious:	false
Reputation:	low
Preview:	..................C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L..P!...[)...%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e.\.o.f.f.i.c.e.1.6.\.......g.r.o.o.v.e.e.x...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .2.0.1.6......M.i.c.r.o.s.o.f.t. .O.n.e.D.r.i.v.e. .f.o.r. .B.u.s.i.n.e.s.s. .E.x.t.e.n.s.i.o.n.s.....1.6...0...4.7.1.1...1.0.0.0.....*...C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....]8.D...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .S.h.a.r.e.d.\.O.F.F.I.C.E.1.6.\.m.s.o.s.h.e.x.t...d.l.l..@.....U/...%.c.o.m.m.o.n.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .s.h.a.r.e.d.\.o.f.f.i.c.e.1.6.\.......m.s.o.s.h.e.x.t...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.)...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .S.h.e.l.l. .E.x.t.e.n.s.i.o.n. .H.a.n.d.l.e.r.s.......1.6...0...4.2.6.6...1.0.0.1.....D...C.:.\.P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.3041625260016576
Encrypted:	false
SSDEEP:	3:FkXEwozZHn:+EwozZHn
MD5:	BEBB369FF4A565B19D5E0BC83CD176AE
SHA1:	A6F07666F8DDDF61E5AACE533129BFB541A8A769
SHA-256:	8018F98553432706436A31FFD1E743018C3B7F1AA8D34B2FA18F494A4CFCEB19
SHA-512:	5D2F9F6E9502517AFF4673C3157D57046D4E38D70B5E228F468FB820363E559087D1A2F2E4006B4589BF3F175A4507F1FA3D7BE5FC34F9FA39EB17757DAEC17F
Malicious:	false
Reputation:	low
Preview:	sdPC.......................y3..M.Y.NbD.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\000001.dbtmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Reputation:	low
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\000002.dbtmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Xv:1qIF/
MD5:	206702161F94C5CD39FADD03F4014D98
SHA1:	BD8BFC144FB5326D21BD1531523D9FB50E1B600A
SHA-256:	1005A525006F148C86EFCBFB36C6EAC091B311532448010F70F7DE9A68007167
SHA-512:	0AF09F26941B11991C750D1A2B525C39A8970900E98CBA96FD1B55DBF93FEE79E18B8AAB258F48B4F7BDA40D059629BC7770D84371235CDB1352A4F17F80E145
Malicious:	false
Reputation:	low
Preview:	MANIFEST-000002.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\066e39b9-23bd-4f7c-bb6c-a7165e9ed069.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	19792
Entropy (8bit):	5.564142719542289
Encrypted:	false
SSDEEP:	384:D1qtxLlrSX91kXqKf/pUZNCgVLH2HfDzrUNXHGaM27e4H4m:YLlU91kXqKf/pUZNCgVLH2HfPrUN3GOp
MD5:	C07D34462593B2DB24D228428F7928D4
SHA1:	2E7B9029294566B201E89FC5CAC7792DED69C5C6
SHA-256:	47A21948B074945A9CD281F52B0B0FD560833AA11D4B6AE6E1BD3F7A6C929149
SHA-512:	1749173D85785F5361A4255CEB89E16B3374C64E6E3994758AA08BFE818E2050FD28DC8BE2A65591D0972A595FEDC4F7732E34697DCC854A79B88939EB1AFC12
Malicious:	false
Reputation:	low
Preview:	{"download":{"always_open_pdf_externally":true,"directory_upgrade":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13297830096201255","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, extensions and themes for Google Chrome.","icons":{"128":"webstore_i

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\11da441b-c044-4c92-a38b-87f8969125b6.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	modified
Size (bytes):	19793
Entropy (8bit):	5.564205421621885
Encrypted:	false
SSDEEP:	384:D1qtxLlrSX91kXqKf/pUZNCgVLH2HfDzrUNXHGRM27DH4o:YLlU91kXqKf/pUZNCgVLH2HfPrUN3GhX
MD5:	9E388EDB7C50A0969071299AEA95CC46
SHA1:	09CDC3AB21F78162C2A06F7BDC0B791409A4C8C6
SHA-256:	0552501B27EE54A53A9D2F6C1756A2257F1C46C94022C626D0FDD20631CE1D61
SHA-512:	A1E425E33EFF34A03E72E40A2B7CEF05E892D474FD36443FCDF9961B4F5ACA70B4842DF95190DAEB4AA86BC9328D96715FF5763F64810D4D555D9DF55D9157BB
Malicious:	false
Reputation:	low
Preview:	{"download":{"always_open_pdf_externally":true,"directory_upgrade":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13297830096201255","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, extensions and themes for Google Chrome.","icons":{"128":"webstore_i

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\21468ea5-c2f9-4805-900a-a85c6a81064d.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4900
Entropy (8bit):	4.958200198907086
Encrypted:	false
SSDEEP:	96:nqXbVNp1paAKIA+xk0JCKL8rsbOTQVuwn:nqXbV1p9f4KsW
MD5:	E9B4A91EFA2644A53C5D4ED6174B77CF
SHA1:	F95C78C075B17C295AAFA8FC20590A2F4B5CEC92
SHA-256:	5ED92975835C9043D9CE4137BD654E827BE1994BDD217B4221B52A0E24D51A1C
SHA-512:	F8A265D34A7C82FE268BFEB1DB9B5248C6C08DB75E8581A6DF473E41EAA8843F78F4024946AFB9A5A32B820F4CC097BC567E6EAC56DD420288DC31E7655165F4
Malicious:	false
Reputation:	low
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13297830097125389","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245952891998324","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245952963463509","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1501624"],"daily_received_length":["0","0","0","0","0","0","0","

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\67b09b8d-05f5-4327-8bbf-a835e0389c40.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	17703
Entropy (8bit):	5.577306283416428
Encrypted:	false
SSDEEP:	384:D1qtxLlrSX91kXqKf/pUZNCgVLH2HfDzrU+M272H4E:YLlU91kXqKf/pUZNCgVLH2HfPrUNHT
MD5:	38996251B9A45188818ED80F66BEC619
SHA1:	62DA618462BC1691C8A02C76C266B3C167D4C6BF
SHA-256:	FC9DBDF29916D4339726329E2D6626E317E80DA17AA2EF8C735A1B3E2466529B
SHA-512:	1D5AF2E0293DB9FEF94CE410C9679BE6AB5B2E792BC0F47EFC49F45CB16DB4211D4566AEC748834A7E7AB9506B954C224E06F4E603132623A255828180A17B3A
Malicious:	false
Reputation:	low
Preview:	{"download":{"always_open_pdf_externally":true,"directory_upgrade":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13297830096201255","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, extensions and themes for Google Chrome.","icons":{"128":"webstore_i

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\690e0051-d682-4267-8c8f-e41f19bd3b24.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2825
Entropy (8bit):	4.86435102445835
Encrypted:	false
SSDEEP:	48:YALtdpBeMsNMHK5sJDysACs37sHWsd5/sSYMHCKs/MHCzsSOMHwsSJtFsX3RLs9D:HQxGKWDS1i/5vYGmGqOGKJ03QshS
MD5:	95488A82D5073BDAAFC1480073FF801F
SHA1:	E2E979B6D4A3EE16A815115C414D0A98E1DFA93F
SHA-256:	C091AE68AFCD5EC632B2C324B983D70F722463CB4D05A3CE8D52E07AA7E5A5D6
SHA-512:	D536466352320C5D394130A59B605617580050CDF325C4B3392D87D384C246E9D8C54FC16A247FF4B379F162536304E0D312D7781FFE245C643C5081B8BE08CD
Malicious:	false
Reputation:	low
Preview:	{"net":{"http_server_properties":{"broken_alternative_services":[{"broken_count":1,"host":"accounts.google.com","isolation":[],"port":443,"protocol_str":"quic"},{"broken_count":1,"host":"www.google.com","isolation":[],"port":443,"protocol_str":"quic"}],"servers":[{"alternative_service":[{"advertised_versions":[],"expiration":"13248544952675493","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":32613},"server":"https://dns.google","supports_spdy":true},{"alternative_service":[{"advertised_versions":[],"expiration":"13248544952813644","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://ogs.google.com","supports_spdy":true},{"alternative_service":[{"advertised_versions":[],"expiration":"13248544952748754","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://apis.google.com","supports_spdy":true},{"alternative_service":[{"advertised_versions":[],"expiration":"13248544952634896","port":443,"protocol_str":"quic"}],"isolation":[],"server"

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\6b026497-acd5-444c-9805-8f953863c848.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4873
Entropy (8bit):	4.951814512232185
Encrypted:	false
SSDEEP:	96:nqXbVfp1paAKIA+xk0JCKL8robOTQVuwn:nqXbf1p9f4Ksa
MD5:	B7609861BFE77E00051C631D987E82F2
SHA1:	7B57ED512B959247F49F9DFE407E6EA424950CFC
SHA-256:	1937669F7C546AD5C8A0B9E3EBD29ADE58A1C0B37D54C2E9E1A67290A9FEE818
SHA-512:	8D2F015A599860C925F5DEEAE493B56E7D71E270423E98DC6233FF6A89004F03D3CD94C86FEDC876EE57A87BF34A3F6373E1663C366A1DC1C38FF7FE3FF94598
Malicious:	false
Reputation:	low
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13297830097125389","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245952891998324","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245952963463509","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1501624"],"daily_received_length":["0","0","0","0","0","0","0","

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\6ee571ac-bfb3-408d-af18-493dab2de1ae.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Reputation:	low
Preview:	.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\7ac3a54c-29a4-42d5-af80-c182e7baa737.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	17356
Entropy (8bit):	5.571397338242429
Encrypted:	false
SSDEEP:	384:D1qtALlrSX91kXqKf/pUZNCgVLH2HfDzrUkMt7eH40:HLlU91kXqKf/pUZNCgVLH2HfPrUAHr
MD5:	6C399CE3B4780A87656C43A6671558B0
SHA1:	A878F71973617E8FE9FDF8CACE9F73D43EE9370B
SHA-256:	3CD6208C0AE017ECD0D6DA51BAE542677EF5C89CECF83BACFB1D3764EAF2E355
SHA-512:	36CF2684036E4145ED4F592BB0FE1332E04823B3AFCCA5E9E4769FA8D6356779903D49830C64E56867D0CC4F354ED9DD3F569AB70E2B850032EACA85861A6419
Malicious:	false
Reputation:	low
Preview:	{"download":{"always_open_pdf_externally":true,"directory_upgrade":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13297830096201255","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, extensions and themes for Google Chrome.","icons":{"128":"webstore_i

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\8d147cfb-1162-43f5-8e60-89b9195c1946.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4873
Entropy (8bit):	4.952279934313265
Encrypted:	false
SSDEEP:	96:nqXbVMqm1paAKIA+xk0JCKL8robOTQVuwn:nqXbtm1p9f4Ksa
MD5:	BF5DCF12BABD89E1E56B2D0EC5BE4A07
SHA1:	17E60AEEAFC0C16C4285961A4FD484ED1090673F
SHA-256:	4BDDE570192C2CA8ABDEEE3FD9851E25305F0EA7E8AA88C8A7DB188D19161328
SHA-512:	DF81C208D2200ECBDA2001542BCD2960EA7DF846E6E218B498120B4970E5DB8160A656B0C15F20AB83604228BF4898FBC6B946BCD19BA690F98C70BD4EC9F5DE
Malicious:	false
Reputation:	low
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13297830097125389","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245952891998324","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245952963463509","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1501624"],"daily_received_length":["0","0","0","0","0","0","0","

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CURRENT (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Xv:1qIF/
MD5:	206702161F94C5CD39FADD03F4014D98
SHA1:	BD8BFC144FB5326D21BD1531523D9FB50E1B600A
SHA-256:	1005A525006F148C86EFCBFB36C6EAC091B311532448010F70F7DE9A68007167
SHA-512:	0AF09F26941B11991C750D1A2B525C39A8970900E98CBA96FD1B55DBF93FEE79E18B8AAB258F48B4F7BDA40D059629BC7770D84371235CDB1352A4F17F80E145
Malicious:	false
Reputation:	low
Preview:	MANIFEST-000002.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	11217
Entropy (8bit):	6.069602775336632
Encrypted:	false
SSDEEP:	192:GbylJnlTwGB7V9Hne4qasKxXItmLG48gcLg/PkI:Gb+nldByaFx4toj8VEPT
MD5:	90F880064A42B29CCFF51FE5425BF1A3
SHA1:	6A3CAE3996E9FFF653A1DDF731CED32B2BE2ACBF
SHA-256:	965203D541E442C107DBC6D5B395168123D0397559774BEAE4E5B9ABC44EF268
SHA-512:	D9CBFCD865356F19A57954F8FD952CAF3D31B354112766C41892D1EF40BD2533682D4EC3F4DA0E59A5397364F67A484B45091BA94E6C69ED18AB681403DFD3F3
Malicious:	false
Reputation:	low
Preview:	{"file_hashes":[{"block_hashes":["A+1PYW3V6CJbBuQ7aqrgYhyH3bT8PKyBXp3hN2slpI0=","WSOpQRkYTHjPSlG9Zif2a7TNhy43NDcG1Zg5Nv0UbH0=","jDctR8ImG5KZrQKm4kDjUB7FokSJfjo/pmvFowRVlaY=","LPxhhJiuU0lprt0T6flpS7TkaDg7MocrbmzO65xH6RI=","nZ9zLb2By96AkKXALRM+C0Eu11XUjPiMXEKjiCPdtHE=","wifibc1QfMBN2jrtUtLgsCefvuceTpAatmLvul11RJA=","dHjWlSIIdjj7MWqg3T8MG58RuuqRXk32vqi/13JqEgA=","zd3DV7dbvfNvx1hdhU01fW5ily52DLN0CFL/ADaEeTI=","DpjXcO85FFFY9KJFPkGNfFUtdQIOsGwO5jUckiUwY14=","gqid6l1+mk/6yWgUECRofI9lMipXgXh2jEN2+CxmPE0=","prDB91X2Mmfg/M/txVMITWBmEGbOGjqBTP7CMjYqdHs=","yLPAqV4gqoyS/zFkEt3Cn2j0q2v9QOSthVFfWn8EzCM=","EPQ3jzdrLkAHyvf3920B5Y3aAkO1IJdn/UtbnAmq6T0=","+oOc6ca+ChKUpTu+oa2ZRxRE+wG3QJmuYWEvYCs40NI=","3mBGNAiRlTANEQkqzU3TEi+5wJ0ubR5uwtS4/9OOM7w=","1A9NNawxuhu95H5eThvf1rewJ4QQWhhPNxJXO1C/n68=","E3vWLQxzmj+e5QxYbUscllJ5n0ITpw5JBHV1Kph3/KM=","i3I8ghdTF9c1ZXNBZmvsID+DV4gxBVN27rj9wsMtRpg=","R8B8qYabnMSlLPhrtu0hGYrHn3llsMHqBbi70gkIjEE=","rhlzuEvv2KRAFMms896xFwkNgPrw6WvmgPn6xrBSa2Y=","LAMXv6sRb0VZrY34aVXF3Fftxs

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\000003.log

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlX:qTCT
MD5:	51A2CBB807F5085530DEC18E45CB8569
SHA1:	7AD88CD3DE5844C7FC269C4500228A630016AB5B
SHA-256:	1C43A1BDA1E458863C46DFAE7FB43BFB3E27802169F37320399B1DD799A819AC
SHA-512:	B643A8FA75EDA90C89AB98F79D4D022BB81F1F62F50ED4E5440F487F22D1163671EC3AE73C4742C11830214173FF2935C785018318F4A4CAD413AE4EEEF985DF
Malicious:	false
Reputation:	low
Preview:	.f.5................f.5...............

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	378
Entropy (8bit):	5.210553819194177
Encrypted:	false
SSDEEP:	6:AXOHMQL+q2PN723iKKdK25+Xqx8chI+IFUtqVfXOcFMG1ZmwYVfXOf3QLVkwON7l:AXaMQyvVa5KkTXfchI3FUtiXCg/IX63V
MD5:	3E65020A844D1E7170602C00EB5586D0
SHA1:	F587E8C37BE4BE973BE3FF0D7697C861B84EA54F
SHA-256:	3EB76B58F7F0897E369789B94A7CE85E67951AC1B390F4CE68863B0A9E97FD58
SHA-512:	6BFA8E0D4F3C63DEDB5A4F8A0F9438D1253C36F2BA4CC55D45F56B13E8C965946C097272071B7402CCD9958CE378E5E561B00B47F6BE3538DFC49D88A777BD21
Malicious:	false
Reputation:	low
Preview:	2022/05/23-18:41:54.318 1ba8 Reusing MANIFEST C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB/MANIFEST-000001.2022/05/23-18:41:54.320 1ba8 Recovering log #3.2022/05/23-18:41:54.331 1ba8 Reusing old log C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB/000003.log .

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	378
Entropy (8bit):	5.210553819194177
Encrypted:	false
SSDEEP:	6:AXOHMQL+q2PN723iKKdK25+Xqx8chI+IFUtqVfXOcFMG1ZmwYVfXOf3QLVkwON7l:AXaMQyvVa5KkTXfchI3FUtiXCg/IX63V
MD5:	3E65020A844D1E7170602C00EB5586D0
SHA1:	F587E8C37BE4BE973BE3FF0D7697C861B84EA54F
SHA-256:	3EB76B58F7F0897E369789B94A7CE85E67951AC1B390F4CE68863B0A9E97FD58
SHA-512:	6BFA8E0D4F3C63DEDB5A4F8A0F9438D1253C36F2BA4CC55D45F56B13E8C965946C097272071B7402CCD9958CE378E5E561B00B47F6BE3538DFC49D88A777BD21
Malicious:	false
Reputation:	low
Preview:	2022/05/23-18:41:54.318 1ba8 Reusing MANIFEST C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB/MANIFEST-000001.2022/05/23-18:41:54.320 1ba8 Recovering log #3.2022/05/23-18:41:54.331 1ba8 Reusing old log C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB/000003.log .

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\MANIFEST-000001

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PGP\011Secret Key -
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Reputation:	low
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1960
Entropy (8bit):	4.890462155836508
Encrypted:	false
SSDEEP:	48:YALteBdpNntw3qyvTCXDHz5sgGsltRLs9WSyBsWMHJYhbG:2lNnOa+TCXDHzrbtVjGWhS
MD5:	627B4C3BA4DB42F7AD357185B29FFF79
SHA1:	40F85D64270D0708A2EA8510B9D6A1BC542284BE
SHA-256:	57891A62B042EB3CB149598477FF854D02493CD1061C6B30C147731FDFF58350
SHA-512:	DEEF9AA39DFF583517051056CDE95C0592EF434B0F10567121E379C857BDA17EA1FBFB5A10889C5737CBC57C9457E510C124F7D404E5BD67F861E59EC84BC98D
Malicious:	false
Reputation:	low
Preview:	{"net":{"http_server_properties":{"broken_alternative_services":[{"broken_count":1,"host":"www.google.com","isolation":[],"port":443,"protocol_str":"quic"},{"broken_count":1,"host":"accounts.google.com","isolation":[],"port":443,"protocol_str":"quic"}],"servers":[{"isolation":[],"server":"https://www.google.com","supports_spdy":true},{"isolation":[],"server":"https://ssl.gstatic.com","supports_spdy":true},{"isolation":[],"server":"https://www.googleapis.com","supports_spdy":true},{"isolation":[],"server":"https://clients2.googleusercontent.com","supports_spdy":true},{"isolation":[],"server":"https://www.gstatic.com","supports_spdy":true},{"isolation":[],"server":"https://fonts.gstatic.com","supports_spdy":true},{"isolation":[],"server":"https://apis.google.com","supports_spdy":true},{"isolation":[],"server":"https://ogs.google.com","supports_spdy":true},{"isolation":[],"server":"https://dns.google","supports_spdy":true},{"alternative_service":[{"advertised_versions":[50],"expiration":"

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4900
Entropy (8bit):	4.958200198907086
Encrypted:	false
SSDEEP:	96:nqXbVNp1paAKIA+xk0JCKL8rsbOTQVuwn:nqXbV1p9f4KsW
MD5:	E9B4A91EFA2644A53C5D4ED6174B77CF
SHA1:	F95C78C075B17C295AAFA8FC20590A2F4B5CEC92
SHA-256:	5ED92975835C9043D9CE4137BD654E827BE1994BDD217B4221B52A0E24D51A1C
SHA-512:	F8A265D34A7C82FE268BFEB1DB9B5248C6C08DB75E8581A6DF473E41EAA8843F78F4024946AFB9A5A32B820F4CC097BC567E6EAC56DD420288DC31E7655165F4
Malicious:	false
Reputation:	low
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13297830097125389","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245952891998324","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245952963463509","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1501624"],"daily_received_length":["0","0","0","0","0","0","0","

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	19793
Entropy (8bit):	5.564205421621885
Encrypted:	false
SSDEEP:	384:D1qtxLlrSX91kXqKf/pUZNCgVLH2HfDzrUNXHGRM27DH4o:YLlU91kXqKf/pUZNCgVLH2HfPrUN3GhX
MD5:	9E388EDB7C50A0969071299AEA95CC46
SHA1:	09CDC3AB21F78162C2A06F7BDC0B791409A4C8C6
SHA-256:	0552501B27EE54A53A9D2F6C1756A2257F1C46C94022C626D0FDD20631CE1D61
SHA-512:	A1E425E33EFF34A03E72E40A2B7CEF05E892D474FD36443FCDF9961B4F5ACA70B4842DF95190DAEB4AA86BC9328D96715FF5763F64810D4D555D9DF55D9157BB
Malicious:	false
Reputation:	low
Preview:	{"download":{"always_open_pdf_externally":true,"directory_upgrade":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13297830096201255","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, extensions and themes for Google Chrome.","icons":{"128":"webstore_i

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\05187f3a-574f-40d6-b7f6-b4de239a77c6.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	325
Entropy (8bit):	4.95629898779197
Encrypted:	false
SSDEEP:	6:YHpoNXR8+eq7JdV5kjxZsDHF4R8HLJ2AVQBR70S7PMVKJw1K3KnMRK3VY:YHO8sdSZsBdLJlyH7E4f3K33y
MD5:	D5BB2F0F1694209F0C6AE5BA44DAC338
SHA1:	41B2CDE10C8937FC9607E608AF65EDF709033350
SHA-256:	20FC2ED4DA8AC625B83B6B84C1B88B534BC35B18DC8BD7521C66FFDABAB53738
SHA-512:	A713918E0F88AE62AFAC2A6202107CF547B962900BCB779C7C5C2C8A228C140AAC5191A50BDAF5718EAAE91446DB21648CF2A7B967B9029AF16F13E923FD6EE2
Malicious:	false
Reputation:	low
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_versions":[50],"expiration":"13248544897343531","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://dns.google","supports_spdy":true}],"version":5},"network_qualities":{"CAASABiAgICA+P////8B":"4G","CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\data_1

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	325
Entropy (8bit):	4.95629898779197
Encrypted:	false
SSDEEP:	6:YHpoNXR8+eq7JdV5kjxZsDHF4R8HLJ2AVQBR70S7PMVKJw1K3KnMRK3VY:YHO8sdSZsBdLJlyH7E4f3K33y
MD5:	D5BB2F0F1694209F0C6AE5BA44DAC338
SHA1:	41B2CDE10C8937FC9607E608AF65EDF709033350
SHA-256:	20FC2ED4DA8AC625B83B6B84C1B88B534BC35B18DC8BD7521C66FFDABAB53738
SHA-512:	A713918E0F88AE62AFAC2A6202107CF547B962900BCB779C7C5C2C8A228C140AAC5191A50BDAF5718EAAE91446DB21648CF2A7B967B9029AF16F13E923FD6EE2
Malicious:	false
Reputation:	low
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_versions":[50],"expiration":"13248544897343531","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://dns.google","supports_spdy":true}],"version":5},"network_qualities":{"CAASABiAgICA+P////8B":"4G","CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\0b6b6f12-a23f-4eca-9dbc-aa10a76b0d74.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	modified
Size (bytes):	325
Entropy (8bit):	4.958114650763609
Encrypted:	false
SSDEEP:	6:YHpoNXR8+eq7JdV59YIEsDHF4R8HLJ2AVQBR70S7PMVKJw1K3KnMRK3VY:YHO8sdXXEsBdLJlyH7E4f3K33y
MD5:	F08847672DDD58749FE32FEFD1DBBAE9
SHA1:	C4C1750B297311628D53B0D3DD473F3EDD6019E9
SHA-256:	4165A9C7A2CA81E34A969C02FC75FFA899F49A5B04899EBA10E341C44839CC90
SHA-512:	541C4ADF3A92398F61F1E90C9995FD9CCB668FF51F578968C6CCD73AB81AB24668D969A9F98A1B529F631022EF4A3D224D76B4EDCB656ADADB27A7E4065395A0
Malicious:	false
Reputation:	low
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_versions":[50],"expiration":"13248544901990438","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://dns.google","supports_spdy":true}],"version":5},"network_qualities":{"CAASABiAgICA+P////8B":"4G","CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_1

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	325
Entropy (8bit):	4.958114650763609
Encrypted:	false
SSDEEP:	6:YHpoNXR8+eq7JdV59YIEsDHF4R8HLJ2AVQBR70S7PMVKJw1K3KnMRK3VY:YHO8sdXXEsBdLJlyH7E4f3K33y
MD5:	F08847672DDD58749FE32FEFD1DBBAE9
SHA1:	C4C1750B297311628D53B0D3DD473F3EDD6019E9
SHA-256:	4165A9C7A2CA81E34A969C02FC75FFA899F49A5B04899EBA10E341C44839CC90
SHA-512:	541C4ADF3A92398F61F1E90C9995FD9CCB668FF51F578968C6CCD73AB81AB24668D969A9F98A1B529F631022EF4A3D224D76B4EDCB656ADADB27A7E4065395A0
Malicious:	false
Reputation:	low
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_versions":[50],"expiration":"13248544901990438","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://dns.google","supports_spdy":true}],"version":5},"network_qualities":{"CAASABiAgICA+P////8B":"4G","CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1960
Entropy (8bit):	4.890462155836508
Encrypted:	false
SSDEEP:	48:YALteBdpNntw3qyvTCXDHz5sgGsltRLs9WSyBsWMHJYhbG:2lNnOa+TCXDHzrbtVjGWhS
MD5:	627B4C3BA4DB42F7AD357185B29FFF79
SHA1:	40F85D64270D0708A2EA8510B9D6A1BC542284BE
SHA-256:	57891A62B042EB3CB149598477FF854D02493CD1061C6B30C147731FDFF58350
SHA-512:	DEEF9AA39DFF583517051056CDE95C0592EF434B0F10567121E379C857BDA17EA1FBFB5A10889C5737CBC57C9457E510C124F7D404E5BD67F861E59EC84BC98D
Malicious:	false
Reputation:	low
Preview:	{"net":{"http_server_properties":{"broken_alternative_services":[{"broken_count":1,"host":"www.google.com","isolation":[],"port":443,"protocol_str":"quic"},{"broken_count":1,"host":"accounts.google.com","isolation":[],"port":443,"protocol_str":"quic"}],"servers":[{"isolation":[],"server":"https://www.google.com","supports_spdy":true},{"isolation":[],"server":"https://ssl.gstatic.com","supports_spdy":true},{"isolation":[],"server":"https://www.googleapis.com","supports_spdy":true},{"isolation":[],"server":"https://clients2.googleusercontent.com","supports_spdy":true},{"isolation":[],"server":"https://www.gstatic.com","supports_spdy":true},{"isolation":[],"server":"https://fonts.gstatic.com","supports_spdy":true},{"isolation":[],"server":"https://apis.google.com","supports_spdy":true},{"isolation":[],"server":"https://ogs.google.com","supports_spdy":true},{"isolation":[],"server":"https://dns.google","supports_spdy":true},{"alternative_service":[{"advertised_versions":[50],"expiration":"

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Rv:1qIFJ
MD5:	6752A1D65B201C13B62EA44016EB221F
SHA1:	58ECF154D01A62233ED7FB494ACE3C3D4FFCE08B
SHA-256:	0861415CADA612EA5834D56E2CF1055D3E63979B69EB71D32AE9AE394D8306CD
SHA-512:	9CFD838D3FB570B44FC3461623AB2296123404C6C8F576B0DE0AABD9A6020840D4C9125EB679ED384170DBCAAC2FA30DC7FA9EE5B77D6DF7C344A0AA030E0389
Malicious:	false
Reputation:	low
Preview:	MANIFEST-000004.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Rv:1qIFJ
MD5:	6752A1D65B201C13B62EA44016EB221F
SHA1:	58ECF154D01A62233ED7FB494ACE3C3D4FFCE08B
SHA-256:	0861415CADA612EA5834D56E2CF1055D3E63979B69EB71D32AE9AE394D8306CD
SHA-512:	9CFD838D3FB570B44FC3461623AB2296123404C6C8F576B0DE0AABD9A6020840D4C9125EB679ED384170DBCAAC2FA30DC7FA9EE5B77D6DF7C344A0AA030E0389
Malicious:	false
Reputation:	low
Preview:	MANIFEST-000004.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Last Browser

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	106
Entropy (8bit):	3.138546519832722
Encrypted:	false
SSDEEP:	3:tbloIlrJ5ldQxl7aXVdJiG6R0RlAl:tbdlrnQxZaHIGi0R6l
MD5:	DE9EF0C5BCC012A3A1131988DEE272D8
SHA1:	FA9CCBDC969AC9E1474FCE773234B28D50951CD8
SHA-256:	3615498FBEF408A96BF30E01C318DAC2D5451B054998119080E7FAAC5995F590
SHA-512:	CEA946EBEADFE6BE65E33EDFF6C68953A84EC2E2410884E12F406CAC1E6C8A0793180433A7EF7CE097B24EA78A1FDBB4E3B3D9CDF1A827AB6FF5605DA3691724
Malicious:	false
Reputation:	low
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Last Version

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.8150724101159437
Encrypted:	false
SSDEEP:	3:Yx7:4
MD5:	C422F72BA41F662A919ED0B70E5C3289
SHA1:	AAD27C14B27F56B6E7C744A8EC5B1A7D767D7632
SHA-256:	02E71EB4C587FEB7EE00CE8600F97411C2774C2FC34CB95B92D5538E7F30DA59
SHA-512:	86010ED2B2EEBDCC5A8A076B37703669C294C6D1BFAAEA963E26A9C94B81B4C53EC765D9425E5B616159C43923F800A891F9B903659575DF02F8845521F8DC46
Malicious:	false
Reputation:	low
Preview:	85.0.4183.121

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	400455
Entropy (8bit):	6.027044571698599
Encrypted:	false
SSDEEP:	6144:/eX5kVfXhSm/TCXnqn3A9cG0OP1eVxR+v+F7EFpfY4XB3iE7ZPXYGzLxinq:/UkhxSa+qKcGNPUZ+w7wJHyEtAWr
MD5:	3AE48C95C300DDEF8FD4A547CDB3DA65
SHA1:	042C983DDDFC844193F1F1AA1081E0C88CDE4F7D
SHA-256:	EF2BCED24AFDC3E693FF2DDC9776AA274CC97E5B879E47CE0A67E5AAD0CF0CDF
SHA-512:	D4D4F7E0FD4CE8E7D8FED48F0E398C7589EC0B44FFEC07D50FF4A465A6B1619C0DBBF69C74FA3F47B811179EACA481B47F40E8358863415D973C0686418A2F9F
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.653356498580682e+12,"network":1.6533241e+12,"ticks":178557639.0,"uncertainty":3967768.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACMBYze0bKMTIhZGR/AW4M5AAAAAAIAAAAAABBmAAAAAQAAIAAAACoSPhbyumSaNjLuAHEna2OUDn+rpXOk+H/ONjHe5ZwbAAAAAA6AAAAAAgAAIAAAADezR1ii2QiPYGPz0Jd0ZQiE5jKOKMttbbwwADHJYDpEMAAAACuIP4EJtfud3aEFZzvijkFSTP1RNwcy8fFg19xXfiV1Q9wriZb5iS+jYbOXKVX44kAAAAByJv8rXU2wt9ZoSemiGl7Rv1MeHwgrJRvbYcUfMpjLAz2bh77nWHOppVpZzR2K2uw89vs6aWrPXuiWeIEQQvEM"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291230364373940"},"plugins":{"metadata":{"adobe-flash-player":{"displa

C:\Users\user\AppData\Local\Google\Chrome\User Data\Module Info Cache (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	102932
Entropy (8bit):	3.748990580111419
Encrypted:	false
SSDEEP:	384:6/89J5Hs23s/PVoOV0Ntruvxr3SlDeHrI6GdWxrsPFxyxb6xPFrzPirQhmYsCMrd:o6u5dd+A24ej14fUHHO3KRf1Za
MD5:	C5A329D4D21FCB3275CB6ABE13ED0060
SHA1:	69255E391018CF446E10332DF3C11E5B1B5B15D6
SHA-256:	54806E02E7BC83F31B08F25D78EDC60D33C8FA00E39DDDDCAB96429A0A3CD9BA
SHA-512:	B9E05C99615CEE22DDCB27A9766876A0A6C882BAE85BC70BF165DFEF00A3858C4E4344E86C681E17ADD21DAC66EF69EF6D774836E60D3EC0125BC15684F21A5A
Malicious:	false
Reputation:	low
Preview:	...................C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L..P!...[)...%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e.\.o.f.f.i.c.e.1.6.\.......g.r.o.o.v.e.e.x...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .2.0.1.6......M.i.c.r.o.s.o.f.t. .O.n.e.D.r.i.v.e. .f.o.r. .B.u.s.i.n.e.s.s. .E.x.t.e.n.s.i.o.n.s.....1.6...0...4.7.1.1...1.0.0.0.....*...C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....]8.D...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .S.h.a.r.e.d.\.O.F.F.I.C.E.1.6.\.m.s.o.s.h.e.x.t...d.l.l..@.....U/...%.c.o.m.m.o.n.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .s.h.a.r.e.d.\.o.f.f.i.c.e.1.6.\.......m.s.o.s.h.e.x.t...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.)...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .S.h.e.l.l. .E.x.t.e.n.s.i.o.n. .H.a.n.d.l.e.r.s.......1.6...0...4.2.6.6...1.0.0.1.....D...C.:.\.P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\27\scoped_dir2332_2059111382\Ruleset Data

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	147504
Entropy (8bit):	4.859567224410241
Encrypted:	false
SSDEEP:	3072:KJ4VHTSRJJYd7eF9yBrohsNSlkSTmLzpN1VZihdfjAUoIUeFjK:A4VGJ2JoySl61edbPq
MD5:	BC811D916CF7D8E6B13B5E63C7B6A474
SHA1:	CCCB6EB391D88DDFCE3E3BAB3AB63AC799459484
SHA-256:	CE9183903AA22B624FBA2877EFEE026D53EF7B38FF28D4119E70F55B7BFF79C3
SHA-512:	158DA5CD955DA0AA16DA80A894FB277181753854A011C8CC3ECFF4075A5A4449CC85A51C17446C0096310CF897045EA549D4B21A756541335DE82E69413E9D8F
Malicious:	false
Reputation:	low
Preview:	........................4Y................................. ...X...l...h...d...0.......X...T...P...L...H.......@...<.......4...0...,.......\|...`...D........... ................................)......ozama.......,".........g.bat........ .. ......onwod.......D...8......ennab...........P......nozam...........h......geips.......H..........rekoj.................lgoog..................uotpo........#.........lreko.......X......t...........\|W..............PW..4W...W...V...V..XW...V..PW..LW..HW..DW...V..<W..8W..4W..0W..,W..dV..$W.. W..@V...W.. V...W...V...W...W...U...V...V...V...V...V...V...U...V...U...V..hU...V..HU...V...V...V...V...V...V...V...V...V...V...V...V...V...T...T...V...V...V...V...T..xV..tV..pV..lV...T..dV..dT..HT..XV..TV..PV.. T..HV..DV..@V..<V..8V..4V..0V..,V..(V..$V.. V...V...V...V...V...V...S...S...V...S...U...U..dS...U...U...U...U..8S...S...S...U...U...U...U...U...U...R...U...U...U...U...R...U...R..dR...U...U...U...U...U...U..\|U..xU..tU..$R..lU..hU..dU..`U...Q..XU..

C:\Users\user\AppData\Local\Google\Chrome\User Data\a81bf1c0-ae16-4a5f-aa2d-8bd9c3fa1e24.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	400352
Entropy (8bit):	6.0268601015185075
Encrypted:	false
SSDEEP:	6144:ueX5kVfXhSm/TCXnqn3A9cG0OP1eVxR+v+F7EFpfY4XB3iE7ZPXYGzLxinq:uUkhxSa+qKcGNPUZ+w7wJHyEtAWr
MD5:	D2F20410D3C1A6368533541ACB4D97EC
SHA1:	538C69616D4FFDC6D36558844D06DED3F4FD4D47
SHA-256:	318033C8FAEE6140306ABEDC6817E1BAA84BF23283994EA9652FC58BA44CFE66
SHA-512:	BEC8B4535D3122F614422477930726286F3ABDF2F161DB56874788352DB2FCC297E711820DD9622CEDF37086CDD189B64B7D662DE71B8DEDD23ABABC27F5A36F
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.653356498580682e+12,"network":1.6533241e+12,"ticks":178557639.0,"uncertainty":3967768.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACMBYze0bKMTIhZGR/AW4M5AAAAAAIAAAAAABBmAAAAAQAAIAAAACoSPhbyumSaNjLuAHEna2OUDn+rpXOk+H/ONjHe5ZwbAAAAAA6AAAAAAgAAIAAAADezR1ii2QiPYGPz0Jd0ZQiE5jKOKMttbbwwADHJYDpEMAAAACuIP4EJtfud3aEFZzvijkFSTP1RNwcy8fFg19xXfiV1Q9wriZb5iS+jYbOXKVX44kAAAAByJv8rXU2wt9ZoSemiGl7Rv1MeHwgrJRvbYcUfMpjLAz2bh77nWHOppVpZzR2K2uw89vs6aWrPXuiWeIEQQvEM"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291230364373940"},"plugins":{"metadata":{"adobe-flash-player":{"displa

C:\Users\user\AppData\Local\Google\Chrome\User Data\dc39d5d1-11ba-416b-bebd-361cb28678c7.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	99604
Entropy (8bit):	3.7485857384929337
Encrypted:	false
SSDEEP:	384:e/89J5Hs2z/4V0Ntruvxr3SlDeHrI6GdWxrsPFxyxb6xSrzPirQhmYTMrF11yOP3:tu5ddJ224ej14fUHHO3KRf1ZW
MD5:	BFA29265C9D43CD7E2749DD09B20DF44
SHA1:	ABCE696155497D79E99EB0427D44AA5F1CB2A41A
SHA-256:	8775CB657B6C7228965D22A9BE0E8D5CF603F22BD7AC95BEDF2C9DF46A629098
SHA-512:	710E72B02AD132048D5776C1842344B20D69C5C79FF6E585C39C9E13C4CFF9EAAC7B1F4235D904D0A62D0807D2DA7EF7974ED04A4386769F472DFC08DEC9BF43
Malicious:	false
Reputation:	low
Preview:	...................C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L..P!...[)...%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e.\.o.f.f.i.c.e.1.6.\.......g.r.o.o.v.e.e.x...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .2.0.1.6......M.i.c.r.o.s.o.f.t. .O.n.e.D.r.i.v.e. .f.o.r. .B.u.s.i.n.e.s.s. .E.x.t.e.n.s.i.o.n.s.....1.6...0...4.7.1.1...1.0.0.0.....*...C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....]8.D...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .S.h.a.r.e.d.\.O.F.F.I.C.E.1.6.\.m.s.o.s.h.e.x.t...d.l.l..@.....U/...%.c.o.m.m.o.n.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .s.h.a.r.e.d.\.o.f.f.i.c.e.1.6.\.......m.s.o.s.h.e.x.t...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.)...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .S.h.e.l.l. .E.x.t.e.n.s.i.o.n. .H.a.n.d.l.e.r.s.......1.6...0...4.2.6.6...1.0.0.1.....D...C.:.\.P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Google\Chrome\User Data\fabb3fe1-a404-4524-8479-d64489129d92.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	400260
Entropy (8bit):	6.026690077443186
Encrypted:	false
SSDEEP:	6144:UeX5kVfXhSm/TCXnqn3A9cG0OP1eVxR+v+F7EFpfY4XB3iE7ZPXYGzLxinq:UUkhxSa+qKcGNPUZ+w7wJHyEtAWr
MD5:	48D31CAA475C0790BE217FA92A8A5E22
SHA1:	EF2EB57642FBAF82AD2634388ADFB06D7FC0A1D1
SHA-256:	8BF1D7AB52753D4B49D3DD0820229CE75C1313392CAA2A3057AB2D10B3AA7A5E
SHA-512:	71CFC8E80515DCDCF13E59FCAE8AB1AB74537B5EB8616FAC535A0438D7AEDF11AD967DFE5BF50B1CC9FCA8B1AC0AB04C9D0B63D5C9981A82AADA0E5D70361AAF
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.653356498580682e+12,"network":1.6533241e+12,"ticks":178557639.0,"uncertainty":3967768.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACMBYze0bKMTIhZGR/AW4M5AAAAAAIAAAAAABBmAAAAAQAAIAAAACoSPhbyumSaNjLuAHEna2OUDn+rpXOk+H/ONjHe5ZwbAAAAAA6AAAAAAgAAIAAAADezR1ii2QiPYGPz0Jd0ZQiE5jKOKMttbbwwADHJYDpEMAAAACuIP4EJtfud3aEFZzvijkFSTP1RNwcy8fFg19xXfiV1Q9wriZb5iS+jYbOXKVX44kAAAAByJv8rXU2wt9ZoSemiGl7Rv1MeHwgrJRvbYcUfMpjLAz2bh77nWHOppVpZzR2K2uw89vs6aWrPXuiWeIEQQvEM"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291230364373940"},"plugins":{"metadata":{"adobe-flash-player":{"displa

C:\Users\user\AppData\Local\Google\Chrome\User Data\fc06df90-f329-4f82-8fd9-1b17e37832cc.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	102932
Entropy (8bit):	3.748990580111419
Encrypted:	false
SSDEEP:	384:6/89J5Hs23s/PVoOV0Ntruvxr3SlDeHrI6GdWxrsPFxyxb6xPFrzPirQhmYsCMrd:o6u5dd+A24ej14fUHHO3KRf1Za
MD5:	C5A329D4D21FCB3275CB6ABE13ED0060
SHA1:	69255E391018CF446E10332DF3C11E5B1B5B15D6
SHA-256:	54806E02E7BC83F31B08F25D78EDC60D33C8FA00E39DDDDCAB96429A0A3CD9BA
SHA-512:	B9E05C99615CEE22DDCB27A9766876A0A6C882BAE85BC70BF165DFEF00A3858C4E4344E86C681E17ADD21DAC66EF69EF6D774836E60D3EC0125BC15684F21A5A
Malicious:	false
Reputation:	low
Preview:	...................C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L..P!...[)...%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e.\.o.f.f.i.c.e.1.6.\.......g.r.o.o.v.e.e.x...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .2.0.1.6......M.i.c.r.o.s.o.f.t. .O.n.e.D.r.i.v.e. .f.o.r. .B.u.s.i.n.e.s.s. .E.x.t.e.n.s.i.o.n.s.....1.6...0...4.7.1.1...1.0.0.0.....*...C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....]8.D...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .S.h.a.r.e.d.\.O.F.F.I.C.E.1.6.\.m.s.o.s.h.e.x.t...d.l.l..@.....U/...%.c.o.m.m.o.n.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .s.h.a.r.e.d.\.o.f.f.i.c.e.1.6.\.......m.s.o.s.h.e.x.t...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.)...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .S.h.e.l.l. .E.x.t.e.n.s.i.o.n. .H.a.n.d.l.e.r.s.......1.6...0...4.2.6.6...1.0.0.1.....D...C.:.\.P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Temp\2332_230541184\Filtering Rules

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	96166
Entropy (8bit):	5.4897674246314825
Encrypted:	false
SSDEEP:	1536:F3eywFManDiYhqzOBD/mpEV+SYkdD0No8grXyT00LschZ0J5b5wDj:LwFManGeAOBDwEfRD0NTCCT00fhZ0JxM
MD5:	81BE5836F8740802C2CD3436AF0D326C
SHA1:	88BD294563A3E1BA663375609E83DFED3B57E6FE
SHA-256:	409C37FBE8373412615BBDE198F234BCACFE8BB32DA179B1F84B003EB558488F
SHA-512:	4EC450888C8C0505B7AD517891AD158153CF2E93A0A32A670D5709B8C74DA3BF0D30EE59F35F9D529FE033E7771FA8B28B9EB06204E732F0308BC4C073E6ABFC
Malicious:	false
Reputation:	low
Preview:	............0.8.@.R.-728x90...........0.8.@.R.adtdp.com^..........0.8.@.R.rvpsrv.com^..........0.8.@.R.yomeno.xyz^.:...........adcore.com.au.....adcore.ch..0.8.@.R./adcore_..........0.8.@.R.uwoaptee.com^.8.........safeway.com0.8.@.R.fwcdn2.com/js/embed-feed.js..........0.8.@.R._468_60..3........0.8.@.R#/wp-content/plugins/wp-super-popup/.9........0.8.@.R)bancodevenezuela.com/imagenes/publicidad/..........0.8.@.R..adbutler-..........0.8.@.R.adrecover.com^..........0.8.@.R.hdbcode.com^.?...........google.com0.8.@.R!developers.google.com/google-ads/.-...........konograma.com..0.8.@.R./adserver..............vk.com0.8.@.R.vk.me/css/al/ads.css.,........0.8.@.R.mysmth.net/nForum//ADAgent_..........0.8.@.R.indoleads.com^.%......0.8.@.R.discordapp.com/banners/.E...........daum.net0.8.@.R)daumcdn.net/adfit/static/ad-native.min.js.(........0.8.@.R.looker.com/api/internal/.#........0.8.@.R.broadstreetads.com^..........0.8.@.R./banner.cgi?..............thefreedictionary.com...downloads.co

C:\Users\user\AppData\Local\Temp\2332_230541184\LICENSE.txt

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24623
Entropy (8bit):	4.588307081140814
Encrypted:	false
SSDEEP:	384:mva5sf5dXrCN7tnBxpxkepTqzazijFgZk231Py9zD6WApYbm0:mvagXreRnTqzazWgj0v6XqD
MD5:	D33AAA5246E1CE0A94FA15BA0C407AE2
SHA1:	11D197ACB61361657D638154A9416DC3249EC9FB
SHA-256:	1D4FF95CE9C6E21FE4A4FF3B41E7A0DF88638DD449D909A7B46974D3DFAB7311
SHA-512:	98B1B12FF0991FD7A5612141F83F69B86BC5A89DD62FC472EE5971817B7BBB612A034C746C2D81AE58FDF6873129256A89AA8BB7456022246DC4515BAAE2454B
Malicious:	false
Reputation:	low
Preview:	EasyList Repository Licences.... Unless otherwise noted, the contents of the EasyList repository.. (https://github.com/easylist) is dual licensed under the GNU General.. Public License version 3 of the License, or (at your option) any later.. version, and Creative Commons Attribution-ShareAlike 3.0 Unported, or.. (at your option) any later version. You may use and/or modify the files.. as permitted by either licence; if required, "The EasyList authors.. (https://easylist.to/)" should be attributed as the source of the.. material. All relevant licence files are included in the repository..... Please be aware that files hosted externally and referenced in the.. repository, including but not limited to subscriptions other than.. EasyList, EasyPrivacy, EasyList Germany and EasyList Italy, may be.. available under other conditions; permission must be granted by the.. respective copyright holders to authorise the use of their material.......Creative Commons Attribut

C:\Users\user\AppData\Local\Temp\2332_230541184\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1641
Entropy (8bit):	5.960820521871119
Encrypted:	false
SSDEEP:	48:p/h4IebKC0tH6TGkakQUyXyPtvojkmFz6fdH:RmIeMHwaPUd6j7adH
MD5:	6977480C932C6C233E72BCD27AB40151
SHA1:	AFB95CE40A8DC75B3A609C07E506F3C45719683F
SHA-256:	EC90E259556575C81F6B989F7E0251730A7286BDE2CE50720CFA38E484644EB2
SHA-512:	965D6788B7910F1FE27F9D4CB3F311C04B1029422174C2ABD1ABBDD562C2776684037A3D36C506FEEF7F6BAE2B020DEBFD43FEEBD6A904FE24E7B537D4BB1C8B
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJGaWx0ZXJpbmcgUnVsZXMiLCJyb290X2hhc2giOiJDR2dDUjZpQ1YzT3gtc281bHk2aXo1NU45MFpacHg3TjJjSWZrNmNyd1NvIn0seyJwYXRoIjoiTElDRU5TRS50eHQiLCJyb290X2hhc2giOiIyaWswNmk0TFlCdVNHNWphRGFIS253NE9pdnVSRzZsQ0JKMVk0TGtzRFJJIn0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6IktBdVZLYTlfRVBXWUM0eHhSZnViZGlTNkp2aUNzVVVwRkVWZndBQ3lMRFUifSx7InBhdGgiOiJtYW5pZmVzdC5qc29ufiIsInJvb3RfaGFzaCI6Imd1VUJDV01mNTlub1p2M3JRVlJsQ3gwdUFWcjdlUjRzNFRGdEx4VnBoUFEifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJnY21qa21nZGxnbmtrY29jbW9laW1pbmFpam1tam5paSIsIml0ZW1fdmVyc2lvbiI6IjkuMzUuMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"dPaqf1rdJc9ZDJ6G_NiG8qMiRszkbuJQ9viGJwKZUmL6umoX42eImE9lFHWlKnzQp6T-f9zDk3d-3im1Z2hnKtonTmCGV73T8d2b7I7N0lrFnwARV_umlIqB7qCcdtMKC

C:\Users\user\AppData\Local\Temp\2332_230541184\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.767625222183077
Encrypted:	false
SSDEEP:	3:SQbYGEUfWRjj3WWEA5ajcGn:SQEYfWRjjXgj
MD5:	69B6F159F9B1421EBD5224D3F61ADCA9
SHA1:	5F778F3E0B566C638F1C9436F567E17D13F1EC02
SHA-256:	42B2668908F5B710DDDACB59DCB6547B5BCC247A90102F2E2B2FE0190BE28C23
SHA-512:	C5D6467D87C25405FE99386EFFD0BB37C0728DECCECA647B6C85DD24BD28D6321B841852ACE3B83EC37D94A8ED9251683D4655AA71D185CB6A156D53B252AE93
Malicious:	false
Reputation:	low
Preview:	1.53b83738fad69a9f3db36848834a1d5003880033cae857eadfc37d3802dfcb8c

C:\Users\user\AppData\Local\Temp\2332_230541184\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.563301657145084
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFHXG7LGMdv5HcDKhtUJKS1Yav:F6VlMZWuMt5SKPS1Yk
MD5:	8C5308E53C3B2FF7B5C645BB2FF50A01
SHA1:	2CA75B325F6263E2B2A0C8C4C9FF6161992152F0
SHA-256:	280B9529AF7F10F5980B8C7145FB9B7624BA26F882B1452914455FC000B22C35
SHA-512:	DD70A682733891E546B4BEABC73E3D2E3D85810AD9196AE92F7B9722FEC7622F085500F5BEEDCFB44F2EA6EB8953C509C8EE9729567A7E47D88C0C8DC4C19B2A
Malicious:	false
Reputation:	low
Preview:	{. "manifest_version": 2,. "name": "Subresource Filtering Rules",. "ruleset_format": 1,. "version": "9.35.0".}.

C:\Users\user\AppData\Local\Temp\2332_230541184\manifest.json~

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.563301657145084
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFHXG7LGMdv5HcDKhtUJKS1Vqn:F6VlMZWuMt5SKPS1kn
MD5:	9BE1BC3AB4909AFF0167952B7170AC53
SHA1:	F4A9E494B2E8E9AB52E7DD6EA72DA933470E5572
SHA-256:	82E50109631FE7D9E866FDEB4154650B1D2E015AFB791E2CE1316D2F156984F4
SHA-512:	9A3F0104C5D6190DC697B1DC442F3AAD18D6AAD43579344EA569E9925ECDEB640A55DBAA1FFD194EE00479CF68059F1C708EEF80159F90FA0012A5A95E971CFF
Malicious:	false
Reputation:	low
Preview:	{. "manifest_version": 2,. "name": "Subresource Filtering Rules",. "ruleset_format": 1,. "version": "9.34.0".}.

C:\Users\user\AppData\Local\Temp\2332_963267159\Recovery.crx3

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	145035
Entropy (8bit):	7.995615725071868
Encrypted:	true
SSDEEP:	3072:TdgEhmDf+E8VY0x81Rkc6L2oqzqkPEu30gZlc3G2ZknF:TyEhmDf+/+Fnkj6lEukgZyyF
MD5:	EA1C1FFD3EA54D1FB117BFDBB3569C60
SHA1:	10958B0F690AE8F5240E1528B1CCFFFF28A33272
SHA-256:	7C3A6A7D16AC44C3200F572A764BCE7D8FA84B9572DD028B15C59BDCCBC0A77D
SHA-512:	6C30728CAC9EAC53F0B27B7DBE2222DA83225C3B63617D6B271A6CFEDF18E8F0A8DFFA1053E1CBC4C5E16625F4BBC0D03AA306A946C9D72FAA4CEB779F8FFCAF
Malicious:	false
Reputation:	low
Preview:	Cr24..............0.."0....H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L\|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.\|1..n.<Fb..f..Q1.....s..2..{.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-eu...b..........S'.....2.{.....'....+.'.."..Y.x.ISa...)....H.&92..?!..~..F.5."...n,.B.-\|\.)..(..... ]G..j.-M)....C......o&L..0.K.....UtP.&.N...;..^w/a{)v...~KG;...?.1...k.c..D.U......J.6.`.G.5.x.k..[...i.A.@I^..I.<A. J...j.'.G.`.$q.N..Tdq]2]p.OF..#.#......'....8.3......0.."0....H.............0.............O..(...':19..O/.>....=.....m.n\.z..q.....JW..F......+H.Z+KGO.9....8.....U...&.y....,$...?.Eo.....\f/.Z..+M8...B.3'..Y.r...X.AS?.~..k..n....... Z...&.G....."n..........l.0v.x#<....Lx,-.w..-..d.....J.pT..('e~{%kQ.Q......rI.....Z....v.N.....J.d_......rX.......w@.b.[.c../V.'c...!.~.k..}z...U.S..nC......@.......Y..#.D.z.....5&.1O...X=p..2.F..P.6yP..>{.....HBX.*.E5....y..

C:\Users\user\AppData\Local\Temp\2332_963267159\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1765
Entropy (8bit):	6.027545161275716
Encrypted:	false
SSDEEP:	48:p/hii6zkvVI1Jip2qRNHvakuQkCNFxdsGwmBKkgum91:Rz0kv6cNvaYNFwSEhug
MD5:	45821E6EB1AEC30435949B553DB67807
SHA1:	B3CADEB17FE5B76B5DBB428B8D3A07B341F8B1BC
SHA-256:	E5FAE91295BECF7F66BFA4BE1061CA5537ED763EB5D01485F23ECFB583304FEE
SHA-512:	BCBE40CAFAA4B14566D91E361D8FB7F0288D5C459FA478AA4C575444DA4D406E1076FC0B3A31D4A9E5EE034F0FE15A0EFE8A8A52B838DE94B96D3E488D28F0FE
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJSZWNvdmVyeS5jcngzIiwicm9vdF9oYXNoIjoiaGdCR051SzhNR2NKaDlfNmZQaFdEWmpVYUFKeklzeDlJS21DUEZvb0dfUSJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiIwYXduVFBFQmdDRHkyV05hVVk3Um9mSWN3c3ZwNHFRNUxzZVMxVXRiVXY0In1dLCJmb3JtYXQiOiJ0cmVlaGFzaCIsImhhc2hfYmxvY2tfc2l6ZSI6NDA5Nn1dLCJpdGVtX2lkIjoiaWhubGNlbm9jZWhnZGFlZ2RtaGJpZGpobmhkY2hmbW0iLCJpdGVtX3ZlcnNpb24iOiIxLjMuMzYuMTQxIiwicHJvdG9jb2xfdmVyc2lvbiI6MX0","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"iFuMX_kOZ-zJ7KVu6Lxb3rHWZgQvkZhv25x_SGlBiDV_okALrGbj6rUOWyNNNsHXMnT118XZmA696XR8qkr4dwT5Gvez-9gi-WYBY7XBkgo7v6NspGgJF89BNCeI-P9k-zBHOGgrf-fCEiAcoM7xCx9_f8qlRy7nhQPyjOIHn5eEJEir0uSu6gdqR9afnVZ3UoR-VOLdOBt7fA4ee38MP2ut5qWU50F5dvIezfKkTVDMHwztvcLCy6R9SVkdSYv6jwWGccYRl-aclvkkHu6SnbZGI7fmDZdkcBAxBHYEZZMmvb76ro4SO15GDyEVAo_Qf4trdrY_GyN_Bm73imCTjgtoGc

C:\Users\user\AppData\Local\Temp\2332_963267159\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.7900469623255675
Encrypted:	false
SSDEEP:	3:SpOXzxlQ4BdPWfDL9c:SpOjDQFfVc
MD5:	2AE14F91312C4E8034366B09D49D5B18
SHA1:	AD4933A5D838D0FA0B960C327A5039A9E8249642
SHA-256:	4F122332EF0F2BB490EF59619D3602C1A7277C0A7A19C132202DB4803A09BFA2
SHA-512:	FB0CC467A4B8463F6A3BF42CDC11C23B34EB94A9397644B68714DCB819EE326BAE05022D59D23DC9907DF1E6928064D853FD0900BB6083417892D4D5A9BA7716
Malicious:	false
Reputation:	low
Preview:	1.aeedb246d19256a956fedaa89fb62423ae5bd8855a2a1f3189161cf045645a19

C:\Users\user\AppData\Local\Temp\2332_963267159\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.682333395896383
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFJ9LAG9Xg0XTFHqS1wP/pEeSWU4pv/8F/FxLj2RF2fcTZTotL:F6VlM90ggITgS1wnuWfB0NpK4aotL
MD5:	7A8E3A0B6417948DF4D49F3915428D7A
SHA1:	4FC084AABDB13483567D5C417C7ED8FD16726A80
SHA-256:	D1AC274CF1018020F2D9635A518ED1A1F21CC2CBE9E2A4392EC792D54B5B52FE
SHA-512:	064D84A57B28C19AD10742859DA493D0826B47ADC632F6C623DFB4DE36D72A9D29BE98518061A9FFD42D99FCF01F27DE39CE74782B3A5ACBBE11DFDDEEAB59A1
Malicious:	false
Reputation:	low
Preview:	{. "manifest_version": 2,. "name": "ImprovedRecoveryComponentInner",. "version": "1.3.36.141",. "imageName": "image.squash",. "squash": true,. "fsType": "squashfs",. "isRemovable": false.}

C:\Users\user\AppData\Local\Temp\26620b0b-e526-485b-943d-dc608904fe24.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Reputation:	low
Preview:	.

C:\Users\user\AppData\Local\Temp\fdde1a6e-3537-40bb-94ac-392e6702c2fa.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	248531
Entropy (8bit):	7.963657412635355
Encrypted:	false
SSDEEP:	3072:r+nmRykNgoldZ8GjJCiUXZSk+QSVh85PxEalRVHmcld9R6yYfEp4ABUGDcaKklrv:k3oF4Z4h45P99Fld9RBQYBVcaxlnfL
MD5:	541F52E24FE1EF9F8E12377A6CCAE0C0
SHA1:	189898BB2DCAE7D5A6057BC2D98B8B450AFAEBB6
SHA-256:	81E3A4D43A73699E1B7781723F56B8717175C536685C5450122B30789464AD82
SHA-512:	D779D78A15C5EFCA51EBD6B96A7CCB6D718741BDF7D9A37F53B2EB4B98AA1A78BC4CFA57D6E763AAB97276C8F9088940AC0476690D4D46023FF4BF52F3326C88
Malicious:	false
Reputation:	low
Preview:	Cr24..............0.."0....H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L\|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.\|1..n.<Fb..f..Q1.....s..2..{.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-eu...b.........\..F!...b...l5....zJ.q.......L].....w[T0.6....E.....r..%Z.vFm.9..5!,.~g5...;.t...']....+A.....u....k...e..&..l.6r[yU...%..f.......N..V.....<+.....l..}.{...z...)y.n..'..).....,.b....5.08K%..O.g..D.S.F5o..<(....>....\f..X..I..2."l...w....7f\|.~.c.4.E.......0..0....H............0.......).'..b.$w\$.q&.]zF_2..;...?.U,...W..L1.2...R..#....W.....c1k.$W..$.J....+M!.Hz.n`U.I)N.\|b.l....{.K@]6.LlP/....](.A..................I...).H....IQ.y.;MG.d..ix..#f.Z$\|..\|.?...0K...t"i..s...Y..%.Ky....0...{.!+.~v.;....J.....Z....).(6..@?v.;~..2..c....[0Y0....H.=.....H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...F0D. .0...\|!..A..L.+.=...kP.!.1..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\bg\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	796
Entropy (8bit):	4.864931792423268
Encrypted:	false
SSDEEP:	12:1HEJMLkSlwZGGMLkSlwZ+WYpU34f145Gb+dgoxTyO8ZpU34f1L0frhmJ03OyZnLt:1HE7n4gn8WYpYrbhz8ZpotHOGAOf6aD
MD5:	6F8E288A9AD5B1ED8633B430E2B4D4CA
SHA1:	F671D3D4BEFA431D1946D706F4192D44E29B6F08
SHA-256:	A114E2783D0E9B12155017323BA70838F0F82A71C7EE8DC1F115AE36991241F8
SHA-512:	0F87F3F0D115B872288949E59ACD3CD41B1FBC64A622D8FDA6D71FAFC5A900D92ADFBB0E7EB926F2A8759BBAA0896D48728FB719BBF5EF54AC21027328F7700C
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "........ . ... ........ .. Chrome".. },.. "app_name": {.. "message": "........ . ... ........ .. Chrome".. },.. "craw_app_unavailable": {.. "message": "........... .... ...... .. .............".. },.. "craw_connect_to_network": {.. "message": "...., ........ .. . ......".. },.. "iap_unavailable": {.. "message": "........... .... ...... .. .......... ....... .. .........".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "...., ...... . Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\ca\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	675
Entropy (8bit):	4.536753193530313
Encrypted:	false
SSDEEP:	12:1HEJ0gbbGG0gbb+WYpU34g3YbiLO+dgyGFoO8ZpU34+puiPmb03OyZnLAOfTYABk:1HE5baib6WYpm31Lt0Z8Zp8pxOGAOfKD
MD5:	1FDAFC926391BD580B655FBAF46ED260
SHA1:	C95743C3F43B2B099FEBEBC5BD850F0C20E820AC
SHA-256:	C67898B67F9C9209EAFDA6532B62D5789863CFB855998DD6A70E7775316CEC20
SHA-512:	39D95D45C5746DA3BAA7AE6A3344EA17D7A7C3569C2A56959FF119261DA08C747A320FCF701AC72B8DBDBF8BF06FD8B239017A282CDDA444F3826D4EC672CBB4
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Sistema de pagaments de Chrome Web Store".. },.. "app_name": {.. "message": "Sistema de pagaments de Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Ara mateix aquesta aplicaci. no est. disponible.".. },.. "craw_connect_to_network": {.. "message": "Connecteu-vos a una xarxa.".. },.. "iap_unavailable": {.. "message": "La funci. Pagaments a l'aplicaci. no est. disponible actualment.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Inicieu la sessi. a Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\cs\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	4.698608127109193
Encrypted:	false
SSDEEP:	12:1HEJfZGGfZ+WYpU34OBh+dgN/O8ZpU34j05U03OyZnLAOfTYWc:1HEl4G8WYpdt8Zpq5TOGAOfW
MD5:	76DEC64ED1556180B452A13C83171883
SHA1:	CFB1E56FD587BCDC459C1D9A683B71F9849058F9
SHA-256:	32290D69A90E6BAAC428B10382C99221B12773BB9A184F3B93DFB48A4F6D7A40
SHA-512:	5230A217968D5DC463E2E92D704544311A721E5CEF65C3125CBD8DEB9C0293D3BFB5C820A6011ABF77095FDEE7DAF67D541DC202B0C9CDB0908CBB85D84885CB
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Platby Internetov.ho obchodu Chrome".. },.. "app_name": {.. "message": "Platby Internetov.ho obchodu Chrome".. },.. "craw_app_unavailable": {.. "message": "Aplikace v sou.asn. dob. nen. dostupn..".. },.. "craw_connect_to_network": {.. "message": "P.ipojte se pros.m k s.ti.".. },.. "iap_unavailable": {.. "message": "Platby v aplikaci aktu.ln. nejsou k dispozici.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "P.ihlaste se do Chromu.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\da\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	624
Entropy (8bit):	4.5289746475384565
Encrypted:	false
SSDEEP:	12:1HEJJMKKFZGGJMKKFZ+WYpU34OHu+dgxlCZO8ZpU34J4Wu03OyZnLAOfTYzD:1HErMKfqMKVWYpM6lL8ZpDNOGAOfiD
MD5:	238B97A36E411E42FF37CEFAF2927ED1
SHA1:	4E47AC90BA24C8F4724D9293FA40CFD4ADA66FE0
SHA-256:	4977D4A053542FF66967FAED6B06585DD70E68E20BFEB533B66FE3287F9655D9
SHA-512:	FD0742D47B5F5AB9AAD9B4C3D57F63CB693E060EECE123A72036C6E92156D099495C7E9E9CC6DC83EEBCDDCC4B4C81FB47E4C9559DA3EBA024780FFF10C53E0A
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Betalinger i Chrome Webshop".. },.. "app_name": {.. "message": "Betalinger i Chrome Webshop".. },.. "craw_app_unavailable": {.. "message": "Appen er ikke tilg.ngelig i .jeblikket.".. },.. "craw_connect_to_network": {.. "message": "Opret forbindelse til et netv.rk.".. },.. "iap_unavailable": {.. "message": "Betaling i appen er ikke tilg.ngelig i .jeblikket.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Log ind p. Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\de\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	651
Entropy (8bit):	4.583694000020627
Encrypted:	false
SSDEEP:	12:1HEJQ1ZGGQ1Z+WYpU34pCEMT+dgJMlCTO8ZpU34p6FK603OyZnLAOfTYJ6K:1HEzWWYp3Bewv8Zp7k4OGAOfQj
MD5:	6B3E916E8C1991AA0453CBA00FEDCAAA
SHA1:	D6366D15912E40CA107FD42BFE9579C3336A51F9
SHA-256:	A62FFAB910E31531758EEE48B2CC71A8857BEC3021DEAD50B668CBA3C8667053
SHA-512:	87EA4311B61F29543B13F3E17DFA919D0C320B4FE370CC152E0B1514BCA79B0ABB526DDCF08621D6EBFA48923EE8FB4C667EFB120A72BD9583EEBEE7BFB80552
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome Web Store-Zahlungen".. },.. "app_name": {.. "message": "Chrome Web Store-Zahlungen".. },.. "craw_app_unavailable": {.. "message": "Die App ist momentan nicht verf.gbar.".. },.. "craw_connect_to_network": {.. "message": "Bitte stellen Sie eine Verbindung zu einem Netzwerk her.".. },.. "iap_unavailable": {.. "message": "In-App-Zahlungen sind momentan nicht m.glich.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Bitte melden Sie sich in Chrome an.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\el\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	787
Entropy (8bit):	4.973349962793468
Encrypted:	false
SSDEEP:	24:1HEw+aZ+6WYpbWZe80A08ZpCGyDVWlOGAOf+XD:WguYpCZnpEZbGoD
MD5:	05C437A322C1148B5F78B2F341339147
SHA1:	AB53003A678E44A170E73711FBD9949833BBF3AA
SHA-256:	A052C32B4FCAC61152EB0ADB2C260FB6A8256AD104AA0013DB93E9798D41A070
SHA-512:	C36CB9202A34356DD06D377E2A088F428D0B8EBE7D2E54F8380485E9D94A0598D7F651C1E7A2FD55BE481D49C02B0812F2BA335E08611EC85EE0BD60784A6B40
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "........ ... Chrome Web Store".. },.. "app_name": {.. "message": "........ ... Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": ". ........ .... .. ..... ... ..... ..........".. },.. "craw_connect_to_network": {.. "message": ".......... .. ... .......".. },.. "iap_unavailable": {.. "message": ".. ........ ..... ......... ... ..... ..... .. ...... ...........".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": ".......... ... Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\en\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	593
Entropy (8bit):	4.483686991119526
Encrypted:	false
SSDEEP:	12:1HEJ6GG6+WYpU34OuFpR+dgGfFZO8ZpU34aEGFpR03OyZnLAOfTYdD:1HEVSWYpVp0JS8Zp5KpaOGAOfuD
MD5:	91F5BC87FD478A007EC68C4E8ADF11AC
SHA1:	D07DD49E4EF3B36DAD7D038B7E999AE850C5BEF6
SHA-256:	92F1246C21DD5FD7266EBFD65798C61E403D01A816CC3CF780DB5C8AA2E3D9C9
SHA-512:	FDC2A29B04E67DDBBD8FB6E8D2443E46BADCB2B2FB3A850BBD6198CDCCC32EE0BD8A9769D929FEEFE84D1015145E6664AB5FEA114DF5A864CF963BF98A65FFD9
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome Web Store Payments".. },.. "app_name": {.. "message": "Chrome Web Store Payments".. },.. "craw_app_unavailable": {.. "message": "App currently unavailable.".. },.. "craw_connect_to_network": {.. "message": "Please connect to a network.".. },.. "iap_unavailable": {.. "message": "In-App Payments is currently unavailable.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Please sign into Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\en_GB\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	593
Entropy (8bit):	4.483686991119526
Encrypted:	false
SSDEEP:	12:1HEJ6GG6+WYpU34OuFpR+dgGfFZO8ZpU34aEGFpR03OyZnLAOfTYdD:1HEVSWYpVp0JS8Zp5KpaOGAOfuD
MD5:	91F5BC87FD478A007EC68C4E8ADF11AC
SHA1:	D07DD49E4EF3B36DAD7D038B7E999AE850C5BEF6
SHA-256:	92F1246C21DD5FD7266EBFD65798C61E403D01A816CC3CF780DB5C8AA2E3D9C9
SHA-512:	FDC2A29B04E67DDBBD8FB6E8D2443E46BADCB2B2FB3A850BBD6198CDCCC32EE0BD8A9769D929FEEFE84D1015145E6664AB5FEA114DF5A864CF963BF98A65FFD9
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome Web Store Payments".. },.. "app_name": {.. "message": "Chrome Web Store Payments".. },.. "craw_app_unavailable": {.. "message": "App currently unavailable.".. },.. "craw_connect_to_network": {.. "message": "Please connect to a network.".. },.. "iap_unavailable": {.. "message": "In-App Payments is currently unavailable.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Please sign into Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\es\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	661
Entropy (8bit):	4.450938335136508
Encrypted:	false
SSDEEP:	12:1HEJHlbGGHlb+WYpU34ubdDH+dgxbFxTO8ZpU34lPbdlVo03OyZnLAOfTY6xjD:1HEvaC6WYpcDeEFxq8ZpNl5OGAOffD
MD5:	82719BD3999AD66193A9B0BB525F97CD
SHA1:	41194D511F1ACC16C1CA828AC81C18C8C6B47287
SHA-256:	4DB9B2721E625C18B9E05C04B31AF5D9694712F1CAAF6219ABE34BB08E5DB1C7
SHA-512:	D4C49B43427799B6292CEED11CACB1D76F7CE43EBF402B43B638A6EB2B414ED0981E386CB8CDF0B51D1BD9552934FE25B2F6392266BB73D8C9A691F65BCE0128
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Sistema de pagos de Chrome Web Store".. },.. "app_name": {.. "message": "Sistema de pagos de Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Esta aplicaci.n no est. disponible en este momento.".. },.. "craw_connect_to_network": {.. "message": "Con.ctate a una red.".. },.. "iap_unavailable": {.. "message": "Los pagos en la aplicaci.n no est.n disponibles en este momento.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Inicia sesi.n en Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\es_419\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	637
Entropy (8bit):	4.47253983486615
Encrypted:	false
SSDEEP:	12:1HEJHlbGGHlb+WYpU34ubdDH+dgxbFxTO8ZpU34GLO03OyZnLAOfTYiJD:1HEvaC6WYpcDeEFxq8Zp4LlOGAOfvD
MD5:	6B2583D8D1C147E36A69A88009CBEBC7
SHA1:	4D4DEEB4BE6AA0181825F3371A761ABC5B4D5937
SHA-256:	6659BC3705311D7641A73995DCFEA80C7734F2F4EBBC3787B3892A240348324F
SHA-512:	37F0DBFCC1B5A2B8E4C92C49D2D9DEEF25616421350324F57E0149A45A6CCB437F5E3CBE97412C4B5DBBF2593783C7DF71E9C25A851AEAE6E4764C545723FA53
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Sistema de pagos de Chrome Web Store".. },.. "app_name": {.. "message": "Sistema de pagos de Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Esta aplicaci.n no est. disponible en este momento.".. },.. "craw_connect_to_network": {.. "message": "Con.ctate a una red.".. },.. "iap_unavailable": {.. "message": "En este momento, Pagos En-Apps no est. disponible.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Accede a Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\et\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	595
Entropy (8bit):	4.467205425399467
Encrypted:	false
SSDEEP:	12:1HEJfPGGGfPG+WYpU34Ze7z+dgrW9O8ZpU34ZwZz03OyZnLAOfTYgoLIR:1HEdvqlWYpTeObk8ZpT/OGAOfuLIR
MD5:	CFF6CB76EC724B17C1BC920726CB35A7
SHA1:	14ED068251D65A840F00C05409D705259D329FFC
SHA-256:	C85800BF45942FCC7FD6B1DF929C25F9CC2A977A6678966BD03D4B6B69889AFD
SHA-512:	53D7D01BB30C0306DE65A79FD9551D2E8C1F71F4F45F71906B009071CB3E0F231E6A50FDD78773E9B4DE94085BC7B97F829842FA21A89A2080D33458B745C46F
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome'i veebipoe maksed".. },.. "app_name": {.. "message": "Chrome'i veebipoe maksed".. },.. "craw_app_unavailable": {.. "message": "Rakendus pole praegu saadaval.".. },.. "craw_connect_to_network": {.. "message": "Looge .hendus v.rguga.".. },.. "iap_unavailable": {.. "message": "Rakendusesisesed maksed ei ole praegu saadaval.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Logige Chrome'i sisse.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\fi\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	4.595421267152647
Encrypted:	false
SSDEEP:	12:1HEJRuzGGRuz+WYpU34ujSBu+dgYO8ZpU34J+Bu03OyZnLAOfTY5HN:1HEFcWYpPNa8ZpD+FOGAOfEHN
MD5:	3A01FEE829445C482D1721FF63153D16
SHA1:	F3EAAADDC03F943FC88B30B67F534AA13E3336DD
SHA-256:	0BDE54B20845124113383B6EB81E43A0F05E4EB0C44BEE3C1DFAC4CC5FEC2836
SHA-512:	3B92B6C86D30FD36AA3CEFF8773BA60C3FC5CC19C693540137044C5838A5503895C770C0336A4D0A3DB5E42F3FB36274D8D3F85B9DCA2F3EC0E974FDDB0BEAD8
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome Web Storen maksut".. },.. "app_name": {.. "message": "Chrome Web Storen maksut".. },.. "craw_app_unavailable": {.. "message": "Sovellus ei ole t.ll. hetkell. k.ytett.viss..".. },.. "craw_connect_to_network": {.. "message": "Muodosta verkkoyhteys.".. },.. "iap_unavailable": {.. "message": "Sovelluksen sis.iset maksut eiv.t ole t.ll. hetkell. k.ytett.viss..".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Kirjaudu sis..n Chromeen.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\fil\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	658
Entropy (8bit):	4.5231229502550745
Encrypted:	false
SSDEEP:	12:1HEJADlbGGADlb+WYpU34hTUT+dgHfZAFFZO8ZpU34hTjzeT03OyZnLAOfTYHfvF:1HEYah6WYp7TUSoxOS8Zp7TOsOGAOfqV
MD5:	57AF5B654270A945BDA8053A83353A06
SHA1:	EEEF7A4F869F97CF471A05D345E74F982D15E167
SHA-256:	EC002ED92359F67818B49455DFC579E140368E6A004080AF022FD4F57F6B03F2
SHA-512:	5F0AE839FCF3F4EA48FF41A76655AE0F3821564AFD5D42FBB9FBB9A38E8D8F7BB5E9B6F71064588CD441261F644095A44A755C134CE546D506D9A21E488BAF52
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Mga Pagbabayad sa Chrome Web Store".. },.. "app_name": {.. "message": "Mga Pagbabayad sa Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Kasalukuyang hindi available ang app.".. },.. "craw_connect_to_network": {.. "message": "Mangyaring kumonekta sa isang network.".. },.. "iap_unavailable": {.. "message": "Kasalukuyang hindi available ang Mga Pagbabayad na In-App.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Mangyaring mag-sign in sa Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\fr\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	677
Entropy (8bit):	4.552569602149629
Encrypted:	false
SSDEEP:	12:1HEJALf/nbGGALf/nb+WYpU34Owdgbyb+dgdQjO8ZpU34ITQpGnbyb03OyZnLAO8:1HE4Hna1Hn6WYpNdgpY8ZpSTQwnBOGAh
MD5:	8D11C90F44A6585B57B933AB38D1FFF8
SHA1:	3F9D44EA8807069A32AACA2AAAD02FD892E6CC90
SHA-256:	599491F8C52B945C16C441ADF45BFD45AFAE046DA07757D97C56AF4DE75ED3B5
SHA-512:	D7EF7F5AD7EF1A1595825D79B69E2B1E988AD3CF1F3881496FCCD30F241E4E9C6E457F9F5D0F855DE3536DB7A40C3E1C55946B50D3F556F4A35285066A0CD6F7
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Paiements via le Chrome.Web.Store".. },.. "app_name": {.. "message": "Paiements via le Chrome.Web.Store".. },.. "craw_app_unavailable": {.. "message": "Application indisponible pour le moment.".. },.. "craw_connect_to_network": {.. "message": "Veuillez vous connecter . un r.seau.".. },.. "iap_unavailable": {.. "message": "Les paiements via l'application ne sont pas disponibles pour le moment.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Veuillez vous connecter . Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\hi\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	835
Entropy (8bit):	4.791154467711985
Encrypted:	false
SSDEEP:	24:1HEs07J0JWYp9vnCSVLP8Zp6CsOGAOf8SLm:Wh7qgYp1CMLUph1GiSLm
MD5:	E376D757C8FD66AC70A7D2D49760B94E
SHA1:	1525C5B1312D409604F097768503298EC440CC4D
SHA-256:	8106D98C4F8DA16DB698444409558E29CC96735E188BFA303C333A5D99231C1D
SHA-512:	673F3F259AF2946E4F49BBED14A2A70D44BF9FDA9D7A71DC9172BA9B7B3C7F7062B16D29682B638D485B0520ED6F99E7A735F28C7C719B539559005B69FA7555
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome ... ..... ......".. },.. "app_name": {.. "message": "Chrome ... ..... ......".. },.. "craw_app_unavailable": {.. "message": "......... .. ... ...... .... ...".. },.. "craw_connect_to_network": {.. "message": "..... ....... .. ...... .....".. },.. "iap_unavailable": {.. "message": "..-.. ...... ... ...... .... ...".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "..... Chrome ... .... .. .....".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\hr\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	618
Entropy (8bit):	4.56999230891419
Encrypted:	false
SSDEEP:	12:1HEJGiimxmbZGGGiimxmbZ+WYpU34OBOEuhopIO+dgcapZO8ZpU34GiiZrMrQphK:1HE4H4TH8WYpNjTta28ZpQVLP0SOGAOK
MD5:	8185D0490C86363602A137F9A261CC50
SHA1:	5BD933B874441CEACB9201CCC941FF67BAED6DC0
SHA-256:	A2B2EC359A9DD9DCCCE02859CE1E738BD30FAA4A05F1DC522893FFDF722BBC15
SHA-512:	D7629978FC031EA5F716F9C1065FB2FEAB48C15F10CD68830DC966FA1002C03DDC7ACDE314C7D075F9F3A0A68552A6ACBCCDEE24CF20B6C3DD1BCE6562D0396E
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Pla.anja u web-trgovini Chrome".. },.. "app_name": {.. "message": "Pla.anja u web-trgovini Chrome".. },.. "craw_app_unavailable": {.. "message": "Aplikacija trenuta.no nije dostupna.".. },.. "craw_connect_to_network": {.. "message": "Pove.ite se s mre.om.".. },.. "iap_unavailable": {.. "message": "Pla.anje u aplikaciji trenuta.no nije dostupno.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Prijavite se na Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\hu\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	683
Entropy (8bit):	4.675370843321512
Encrypted:	false
SSDEEP:	12:1HEJVJiGGVJi+WYpU34Hpo9O+dgMmfgijO8ZpU34Huo9O03OyZnLAOfTYBIAYm:1HEVrk5WYpQzTUg/8ZpwoXOGAOfYIAd
MD5:	85609CF8623582A8376C206556ED2131
SHA1:	1E16EB70DB5E59BB684866FF3E3925C2DEF25A12
SHA-256:	32A249749F12ADB6A220BF9ADC272C7E5D9AD5497A38B0086D961E3ABA17FBC6
SHA-512:	27883430865D3CFA6EDFE8C6CE1442BD96150B5CE520CCF7D556A330CAA6392C712B47BD86F7350E174876BC681F6DEC94D1312402655B0AF90883A2899EC78B
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome Internetes .ruh.z Fizet.si rendszere".. },.. "app_name": {.. "message": "Chrome Internetes .ruh.z Fizet.si rendszere".. },.. "craw_app_unavailable": {.. "message": "Az alkalmaz.s jelenleg nem .rhet. el.".. },.. "craw_connect_to_network": {.. "message": "K.rj.k, csatlakozzon egy h.l.zathoz.".. },.. "iap_unavailable": {.. "message": "Az alkalmaz.son bel.li fizet.s jelenleg nem .rhet. el.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Jelentkezzen be a Chrome-ba.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\id\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	604
Entropy (8bit):	4.465685261172395
Encrypted:	false
SSDEEP:	12:1HEJs25bGGs25b+WYpU34ORBHAeSJ+dgkmO8ZpU34s22C/SzFAs03OyZnLAOfTYR:1HEBaA6WYpaHFH8ZptOYOGAOf2D
MD5:	EAB2B946D1232AB98137E760954003AA
SHA1:	60BDC2937905B311D2C9844DF2D639D7AC9F7F67
SHA-256:	C6E8800450602DE0F39FE9F6854472383813FB454B08ABAE7E25A9167CE004C3
SHA-512:	970FEC9A9EF0BAF7F693C4C5977F3B47914579C5B5414FCE9DBB5E4574659A5BB9AD2DE0CC886B368F49C019785AF7D2D7FE82F71341F039EADC399ED776CA12
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Pembayaran Chrome Webstore".. },.. "app_name": {.. "message": "Pembayaran Chrome Webstore".. },.. "craw_app_unavailable": {.. "message": "Aplikasi tidak tersedia saat ini.".. },.. "craw_connect_to_network": {.. "message": "Sambungkan ke jaringan.".. },.. "iap_unavailable": {.. "message": "Pembayaran Dalam Aplikasi saat ini tidak tersedia.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Harap masuk ke Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\it\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	603
Entropy (8bit):	4.479418964635223
Encrypted:	false
SSDEEP:	12:1HEJsqd/bGGsqd/b+WYpU34OcX4+dgUvIO8ZpU34vq703OyZnLAOfTYsD:1HEXd/aKd/6WYpZrv58ZpskOGAOfzD
MD5:	A328EEF5E841E0C72D3CD7366899C5C8
SHA1:	2851ED658385804E87911643F5A4200B1FB26E13
SHA-256:	CD891C45F7586FB4A2514205A11F260E4A6D4482FA03D901909DD9F57BE0536D
SHA-512:	E47297896E981774EC3B59D41B89D6BA9333F6B4435EB9727D8645A46B10C7D408ADE06844871FA757382FBE7E645276449DB7B1B23BC59C9A71A5CB5A5ECC57
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Pagamenti Chrome Web Store".. },.. "app_name": {.. "message": "Pagamenti Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "App al momento non disponibile.".. },.. "craw_connect_to_network": {.. "message": "Collegati a una rete.".. },.. "iap_unavailable": {.. "message": "La funzione Pagamenti In-App non . al momento disponibile.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Accedi a Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\ja\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	697
Entropy (8bit):	5.20469020877498
Encrypted:	false
SSDEEP:	12:1HEJ07uGG07u+WYpU34DB+dgnsVztO8ZpU34MwiB03OyZnLAOfTYmSH:1HEcnDNWYp1kxU8Zp2wiqOGAOfpSH
MD5:	9B3A5D473C3F2BBFAEECE94A07A940B8
SHA1:	61BACA342CF766BBA15C7B4D892A0E7DAC9405AA
SHA-256:	706312A4A2AEF3317223F141EB2B82685345B7EED444F16BB4DF3A272716DA1F
SHA-512:	94F6FEE9A11BD890AB8211C98D1CC142348961EBCF756F66477A3E3A76519804B70BE0AE4E551739F8AFE32D7ADE6EDE04EF6B9B9EED03E3A857E6058EEDD4C6
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome ........".. },.. "app_name": {.. "message": "Chrome ........".. },.. "craw_app_unavailable": {.. "message": ".................".. },.. "craw_connect_to_network": {.. "message": "................".. },.. "iap_unavailable": {.. "message": ".......................".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Chrome ............".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\ko\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	631
Entropy (8bit):	5.160315577642469
Encrypted:	false
SSDEEP:	12:1HEJ1GG1+WYpU34K3aT+dgh8d0HTO8ZpU34KaNkaT03OyZnLAOfTY/YeHx:1HEajWYpc3aSl0Hq8Zpc6kasOGAOfyYA
MD5:	9F6B4D82A70C74CA751E2EAE70FAB5CF
SHA1:	0534F125FFCE8222277CF2BE3401C59DAF9217F8
SHA-256:	D1467B8D037114403E8F4EFC52E88C4A7FEB96126BE4CFF883FEFF1084EF7E68
SHA-512:	ED9319830314385D09C06F62EE34186E8CA576C857981205E4468A28B3ACD2AB03384E77B866032C324ABDD97A56EFD08E2D6E0C79D563578B3EC52517819BD8
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome . ... ..".. },.. "app_name": {.. "message": "Chrome . ... ..".. },.. "craw_app_unavailable": {.. "message": ".. .. ... . .....".. },.. "craw_connect_to_network": {.. "message": "..... ......".. },.. "iap_unavailable": {.. "message": ".. .. ... ... . .....".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Chrome. .......".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\lt\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	665
Entropy (8bit):	4.66839186029557
Encrypted:	false
SSDEEP:	12:1HEJpqHnkGGpqHnk+WYpU346M+dgV6O8ZpU34WzSWz03OyZnLAOfTYx:1HELqHtKqHPWYpM3A8ZpwGzOGAOfg
MD5:	4CA644F875606986A9898D04BDAE3EA5
SHA1:	722A10569E93975129D67FBDB75B537D9D622AD1
SHA-256:	7C311AB751D840D750C11553C083785813E079C1D464FE568A98C9E3EF3DB96C
SHA-512:	E575E3D0622F5BD4B6C0EE79128A1B1F1882195670139D1983F4377D847141B8FB8EBB8BCED82AF3A220ED07D3577AFBE085BADC0E9C7678292B80E3EC5D3444
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": ".Chrome. internetin.s parduotuv.s mok.jimo sistema".. },.. "app_name": {.. "message": ".Chrome. internetin.s parduotuv.s mok.jimo sistema".. },.. "craw_app_unavailable": {.. "message": "Programa .iuo metu negalima.".. },.. "craw_connect_to_network": {.. "message": "Prisijunkite prie tinklo.".. },.. "iap_unavailable": {.. "message": "Mok.jimai programoje .iuo metu negalimi.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Prisijunkite prie .Chrome..".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\lv\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	671
Entropy (8bit):	4.631774066483956
Encrypted:	false
SSDEEP:	12:1HEJFhVbGGFhVb+WYpU34wDoz+dgGedBO8ZpU34wF03OyZnLAOfTYGYID:1HENQKkWYp2Doy/em8Zp2WOGAOfRYID
MD5:	C5CE2C51391EAFD3DA9E4C71549A3C28
SHA1:	1F67FF6EF6E90C0CE3AAF56ED543A3EFD381574D
SHA-256:	1FA1DF2CA8516DEF490FB8484E9AA498ACFF80EEF5C9258FFE42D3678E6C7DED
SHA-512:	C85F6281E682F52BC2147DEA7E2F3BB4DC48D98BADA8687B05C6C7271C78EA7F5431CD51671A4184C9AE004FC53C016E3C594697F483195CCBA08A93821EEF70
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome interneta veikala maks.jumu sist.ma".. },.. "app_name": {.. "message": "Chrome interneta veikala maks.jumu sist.ma".. },.. "craw_app_unavailable": {.. "message": "Lietotne pagaid.m nav pieejama.".. },.. "craw_connect_to_network": {.. "message": "L.dzu, izveidojiet savienojumu ar t.klu.".. },.. "iap_unavailable": {.. "message": "Maks.jumi lietotn.s pa.laik nav pieejami.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "L.dzu, pierakstieties p.rl.k. Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\nb\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	624
Entropy (8bit):	4.555032032637389
Encrypted:	false
SSDEEP:	12:1HEJhiOGGhiO+WYpU34OHSN+dgFjdGFZO8ZpU34JgdN03OyZnLAOfTYiD:1HEDiHIitWYpCYJ8ZpD1OGAOfRD
MD5:	93C459A23BC6953FF744C35920CD2AF9
SHA1:	162F884972103A08ADB616A7EB3598431A2924C5
SHA-256:	2CD700AEB57D89C2E73333D0702556EE3FF3863516170F85669BC680FCBDC4E0
SHA-512:	F76E6E8D8499306883C3EC1E774F7E8BB6B601096DA5A14D17D3E7D5732829542041E42B7350466589291ADCC83FB065FD591B4E20CFCF8EDC586E128ECBFCB5
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome Nettmarked-betalinger".. },.. "app_name": {.. "message": "Chrome Nettmarked-betalinger".. },.. "craw_app_unavailable": {.. "message": "Appen er utilgjengelig for .yeblikket.".. },.. "craw_connect_to_network": {.. "message": "Du m. koble til et nettverk.".. },.. "iap_unavailable": {.. "message": "Betaling i app er ikke tilgjengelig for .yeblikket.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Du m. logge p. Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\nl\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	615
Entropy (8bit):	4.4715318546237315
Encrypted:	false
SSDEEP:	12:1HEJJQGkbGGJQGkb+WYpU34OQKJT+dgiXUmvFZO8ZpU34g7JT03OyZnLAOfTYMD:1HErxkaqxk6WYptndXI8ZpTOGAOfbD
MD5:	7A8F9D0249C680F64DEC7650A432BD57
SHA1:	53477198AEE389F6580921B4876719B400A23CA1
SHA-256:	92BE7C2DC9CFBE5A65E9CE6488D364C8D7EC19E7B67A31E4D43C1CB2B169671C
SHA-512:	969AB979546A741C0F3EDBEEB21BABA375FA8870D4FB9248CDD4C305736E332E10CAB7B64C5C078E60EC0CD73848101B390BE8F44B89C310058AF4C1CA3C8AA7
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Betalingen via Chrome Web Store".. },.. "app_name": {.. "message": "Betalingen via Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "App momenteel niet beschikbaar.".. },.. "craw_connect_to_network": {.. "message": "Maak verbinding met een netwerk.".. },.. "iap_unavailable": {.. "message": "In-app-betalingen is momenteel niet beschikbaar.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Log in bij Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\pl\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	636
Entropy (8bit):	4.646901997539488
Encrypted:	false
SSDEEP:	12:1HEJbiVbGGbiVb+WYpU34OBHlBi9+dgQUg6O8ZpU34bdbfiIu03OyZnLAOfTYR5k:1HE5iVauiV6WYpIAYr8ZpxFiaOGAOfIC
MD5:	0E6194126AFCCD1E3098D276A7400175
SHA1:	E8127B905A640B1C46362FA6E1127BE172F4A40F
SHA-256:	E2699F98C511B18A2AFB82EAE9A4804B646C4FF1077D80E77C17A3943A6373C2
SHA-512:	A71F7C7BFBBF1E37E699601AF2E095C56CBA91F90CB7556477DF31D01B83ADFB1271E1775C9BA299FF6875BBFC2B6AB47488CC88E33DEF2F6F2E0E5AC687B777
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "P.atno.ci w sklepie Chrome Web Store".. },.. "app_name": {.. "message": "P.atno.ci w sklepie Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Aplikacja jest obecnie niedost.pna.".. },.. "craw_connect_to_network": {.. "message": "Po..cz si. z sieci..".. },.. "iap_unavailable": {.. "message": "P.atno.ci w ramach aplikacji s. teraz niedost.pne.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Zaloguj si. w Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\pt_BR\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	636
Entropy (8bit):	4.515158874306633
Encrypted:	false
SSDEEP:	12:1HEJsc/bGGsc/b+WYpU34OLw+dgn/KzO8ZpU34FjIBMwGRO03OyZnLAOfTYN+KcY:1HEb/a8/6WYp4mZ8Zp7cKlOGAOf2tD
MD5:	86A2B91FA18B867209024C522ED665D5
SHA1:	63DEC245637818C76655E01FCB6D59784BC7184E
SHA-256:	6374880FDD1F8AF1EE8AEA6A06B73BE0AB265AFCEB4FE6F08BDE3B3989264B21
SHA-512:	DA6DBDE5028756421C2904F605632EE98831A25A1247E6238A931629B94CE8A00FD76F4235F118D2167304BD60F2C06B2AD78E54FF6CE53F8C38DF8C7B5AFCE4
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Pagamentos da Chrome Web Store".. },.. "app_name": {.. "message": "Pagamentos da Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Aplicativo indispon.vel no momento.".. },.. "craw_connect_to_network": {.. "message": "Conecte-se a uma rede.".. },.. "iap_unavailable": {.. "message": "No momento, os Pagamentos no aplicativo n.o est.o dispon.veis.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Fa.a login no Google Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\pt_PT\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	622
Entropy (8bit):	4.526171498622949
Encrypted:	false
SSDEEP:	12:1HEJsZUkbGGsZUkb+WYpU34OAE+dgqxKzO8ZpU34rEpBfvPO03OyZnLAOfTYLD:1HEmUka5Uk6WYpFvdxZ8ZpSTnPlOGAOS
MD5:	750A4800EDB93FBE56495963F9FB3B94
SHA1:	8BFB915488A4EB3CB33D68E2E59F1F8447DB7D61
SHA-256:	C1C94F65FABAF17DEF98A8587711A56D61B1E5607500E9B01F2824DB109F9E83
SHA-512:	2AEDEF5793406221BE76AF22031CE8C30AB5FAEAED09BB394C153E2EBE990C89C1A2A73B40D8A92842641AFCA8C77FFD808A2058602D3646FD8DAE2844406F24
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Pagamentos via Chrome Web Store".. },.. "app_name": {.. "message": "Pagamentos via Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Aplica..o atualmente indispon.vel.".. },.. "craw_connect_to_network": {.. "message": "Ligue-se a uma rede.".. },.. "iap_unavailable": {.. "message": "Os Pagamentos na app est.o atualmente indispon.veis.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Inicie sess.o no Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\ro\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	4.61125938671415
Encrypted:	false
SSDEEP:	12:1HEJqJrJZGGqJrJZ+WYpU344HIx2Z+dgrVPlZO8ZpU34qT7hI3O03OyZnLAOfTYU:1HEC4D8WYpKow8WV68ZpKhoOGAOfoVGD
MD5:	98D43E4B1054A65DF3FA3CC40AB6FB6D
SHA1:	46E0A21C4DA2BB5D4D8F837AE211C1B6FA26E7E2
SHA-256:	113A13900CBA62FE8AED06751971C23A80A99B47F9BE219CF884D57DB19611D9
SHA-512:	A76DC53912A4F46714926B9EA2B22E909540E447F61F6DD72607AB7B3BB5D4A9B39E525B04C33AEC53BA813D14AC1FB5827275B2524E52B693E83171E1CD1466
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Pl..i prin Magazinul web Chrome".. },.. "app_name": {.. "message": "Pl..i prin Magazinul web Chrome".. },.. "craw_app_unavailable": {.. "message": ".n prezent, aplica.ia nu este disponibil..".. },.. "craw_connect_to_network": {.. "message": "Conecteaz.-te la o re.ea.".. },.. "iap_unavailable": {.. "message": "Pl..ile .n aplica.ie nu sunt disponibile momentan.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Conecteaz.-te la Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\ru\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	744
Entropy (8bit):	4.918620852166656
Encrypted:	false
SSDEEP:	12:1HEJ7OJHZMSl3ZGG7OJHZMSl3Z+WYpU34zWJ2F+dgVtLSv/TO8ZpU347NWjT03On:1HElOJHZMq4uOJHZMq8WYpdWJ/YGHq8m
MD5:	DB2EDF1465946C06BD95C71A1E13AE64
SHA1:	FB4F3ECE9ECECEBBC6CA2A592A15FB9C1FDFB811
SHA-256:	FBAF22CE6E16DE174CED8CB5EA3098CCA1C3426A2111FF33BD3E64DA64ED67AB
SHA-512:	4E0CF00BAEF1757548DEB17BBE1AF55770A0A0F7351779EF55C7DEFA6D112D0227B8865C2C22E0EC62E6E2F1C8E1632A2D0CE6828D25C5ABBF143C990116F632
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "......... ....... ........-........ Chrome".. },.. "app_name": {.. "message": "......... ....... ........-........ Chrome".. },.. "craw_app_unavailable": {.. "message": ".......... ...........".. },.. "craw_connect_to_network": {.. "message": "............ . .....".. },.. "iap_unavailable": {.. "message": "....... ..... .......... ...........".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "....... . Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\sk\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	4.640777810668463
Encrypted:	false
SSDEEP:	12:1HEJfZGGfZ+WYpU34ORO+dgmmCO8ZpU34yH7u2Z03OyZnLAOfTYCUAi0D:1HEl4G8WYpetPmD8ZpcH7aOGAOfzUeD
MD5:	8DF215D1EFBDABB175CCDD68ED8DCB0A
SHA1:	2B374462137A38589A73FDD00A84CBDC7E50F9F4
SHA-256:	7FA16AF97E6CFC52EC6008EB679D3F30E7E0C24F9EF2D18A9228EAF4DED9D63B
SHA-512:	C0E623343BDAEB4731800D183B59F2FCFE285F0C7153EC99641FD84F2F2DCFE47D21E73F3D28B1240340453C5668EB0AFFBE087AAB62F1C88CD2A40CC44E599D
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Platby Internetov.ho obchodu Chrome".. },.. "app_name": {.. "message": "Platby Internetov.ho obchodu Chrome".. },.. "craw_app_unavailable": {.. "message": "Aplik.cia moment.lne nie je dostupn..".. },.. "craw_connect_to_network": {.. "message": "Pripojte sa k sieti.".. },.. "iap_unavailable": {.. "message": "Platby v aplik.cii moment.lne nie s. k dispoz.cii.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Prihl.ste sa do prehliada.a Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\sl\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	617
Entropy (8bit):	4.5101656584816885
Encrypted:	false
SSDEEP:	12:1HEJGcyvmbZGGGcyvmbZ+WYpU34OBOEtf+dgca1ZO8ZpU34GcQArERff03OyZnLh:1HE4cyY4TcyY8WYpNoWa1w8ZpQcQ6AfK
MD5:	3943FA2A647AECEDFD685408B27139EE
SHA1:	0129DD19D28373359530B3B477FE8A9279DABB7D
SHA-256:	18AFF072EE0DF7C3495045435C752A805606E6D5D462EF2321C443F1773F4B3A
SHA-512:	42E62B3855611FF2E1D39C11404CB1A09825EE4CA6A8ACB3FF538B4574388F549E3BD79137DD4DC128A8DC44DD270D7D878E4AAD20DA8250A5C25297B0DEC09D
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Pla.ila v spletni trgovini Chrome".. },.. "app_name": {.. "message": "Pla.ila v spletni trgovini Chrome".. },.. "craw_app_unavailable": {.. "message": "Aplikacija trenutno ni na voljo.".. },.. "craw_connect_to_network": {.. "message": "Pove.ite se z omre.jem.".. },.. "iap_unavailable": {.. "message": "Pla.ila v aplikacijah trenutno niso na voljo.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Prijavite se v Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\sr\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	743
Entropy (8bit):	4.913927107235852
Encrypted:	false
SSDEEP:	12:1HEJssbdOGGssbdO+WYpU347xBP+dgcucO8ZpU34s1muP03OyZnLAOfTYzDYD:1HEKsb59sbTWYplx4Xud8Zpy1mNOGAOv
MD5:	D485DF17F085B6A37125694F85646FD0
SHA1:	24D51D8642CDC6EFD5D8D7A4430232D8CDE25108
SHA-256:	7FFDE34C58E7C376C042DE64DEF6481DAE32BE8B70F0B18EDF536290CBE0C818
SHA-512:	0DDECFD860E99290B6C3AAA04F510272AE081CF2D93ED5832D9D6378EC9D36177FFBE213471247FB94721EA34A83E7665669200047091D0FDE134E3D763217E7
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "....... . Chrome ...-..........".. },.. "app_name": {.. "message": "....... . Chrome ...-..........".. },.. "craw_app_unavailable": {.. "message": ".......... .. ........ ...........".. },.. "craw_connect_to_network": {.. "message": "........ .. .......".. },.. "iap_unavailable": {.. "message": "....... . .......... .. ........ ...........".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "......... .. . Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\sv\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	630
Entropy (8bit):	4.52964089437422
Encrypted:	false
SSDEEP:	12:1HEJJMkbGGJMkb+WYpU34OACwz+dgNPGFZO8ZpU34JgpXLSb03OyZnLAOfTYLdID:1HErMkaqMk6WYpTOcb8ZpDgdZOGAOf8Y
MD5:	D372B8204EB743E16F45C7CBD3CAAF37
SHA1:	C96C57219D292B01016B37DCF82E7C79AD0DD1E8
SHA-256:	B8BA77E0089B0676545EC16D32468B727812B444F90B33A7A5B748E6C36C4388
SHA-512:	33640529E0D5DCC5CA4BDB0615A2818E8D26C6FCB7B3474C08AC3EB67B9DB40E1F0A79954ED20728CD47A686D2533DCBC76ABCBDB917F8530C8DE8BBA687352E
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Betalning via Chrome Web Store".. },.. "app_name": {.. "message": "Betalning via Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Appen .r inte tillg.nglig f.r tillf.llet.".. },.. "craw_connect_to_network": {.. "message": "Anslut till ett n.tverk.".. },.. "iap_unavailable": {.. "message": "Betalning i appen .r inte tillg.ngligt f.r n.rvarande.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Logga in i Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\th\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	945
Entropy (8bit):	4.801079428724355
Encrypted:	false
SSDEEP:	24:1HEKa1dDa1/WYp6UFi72SmlG8ZpyactrW2SAOGAOfvSLD:WK2DNYp6U4y3bpyLxwGFW
MD5:	83E2D1E97791A4B2C5C69926EFB629C9
SHA1:	429600425CB0F196DDD717F940E94DBD8BFF2837
SHA-256:	2FECA577F43D97BAEEA464741D585892103585208FD0A935B810A03BDCE83C88
SHA-512:	60A5928DAA8CB4341487F477C56B5A98B83EDE50E5F4F55A802E01FDDAB86F3E795D391953D3D9214552D14D3F58C5A183693C613720FC12FC387D7B8F9B9AB6
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "............... Chrome .........".. },.. "app_name": {.. "message": "............... Chrome .........".. },.. "craw_app_unavailable": {.. "message": ".............................".. },.. "craw_connect_to_network": {.. "message": ".........................".. },.. "iap_unavailable": {.. "message": "...............................................".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "................. Chrome".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\tr\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	631
Entropy (8bit):	4.710869622361971
Encrypted:	false
SSDEEP:	12:1HEJ9Y8GG9Y8+WYpU34wWT+dgGb0GO8ZpU34wryd7T03OyZnLAOfTYGbPKG:1HE0jWYpyRnG8Zpyr/OGAOfFPn
MD5:	2CEAE0567B6BB1D240BBAD690A98CA3B
SHA1:	5944346FBD4A0797B13223895995CAB58E9ECD23
SHA-256:	A7CB86F30C9C31FE5540282C308BA96ADB4EC16EF98C87129EB88105E5BEF5FC
SHA-512:	108A07C6D03D7178E8D0FFEF5349E0249A898D864964FED8757BD8A08BC1C6D9613F2A6C01AA34A6606127D1C6CE14C229FA02586677DBB060B85E3E845950E1
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome Web Ma.azas. .demeleri".. },.. "app_name": {.. "message": "Chrome Web Ma.azas. .demeleri".. },.. "craw_app_unavailable": {.. "message": "Uygulama .u anda kullan.lam.yor.".. },.. "craw_connect_to_network": {.. "message": "L.tfen bir a.a ba.lan.n.".. },.. "iap_unavailable": {.. "message": "Uygulama ..i .demeler .u anda kullan.lamaz.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "L.tfen Chrome'da oturum a..n.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\uk\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	720
Entropy (8bit):	4.977397623063544
Encrypted:	false
SSDEEP:	12:1HEJ7wILkSlXZGG7wILkSlXZ+WYpU34zb1Oy2P+dgSV1EjiTO8ZpU347qtfP2CTW:1HElwEkK4uwEkK8WYpd/dTV1e8Zptq5S
MD5:	AB0B56120E6B38C42CC3612BE948EF50
SHA1:	8B3F520E5713D9F116D68E71DAEED1F6E8D74629
SHA-256:	68ABA284751EB9C856032062EF9B1651E2A1E5CE5FDA0977FFC97D63BA7BED9E
SHA-512:	CD852A58217F739C1CD58567FF432D31A7AD3F68C884ABBA1DA95799BCD1545C6A5D3B06F319681C12B78AD0A709828DE4B22736316F148D21F5DB76A5BCCBEF
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "....... ...-........ Chrome".. },.. "app_name": {.. "message": "....... ...-........ Chrome".. },.. "craw_app_unavailable": {.. "message": "........ ......... ...........".. },.. "craw_connect_to_network": {.. "message": "............. .. .......".. },.. "iap_unavailable": {.. "message": "....... ..... ........ ..... .. .........".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "........ . Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\vi\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	695
Entropy (8bit):	4.855375139026009
Encrypted:	false
SSDEEP:	12:1HEJMAZrSFZGGMAZrSFZ+WYpU34WFHoz+dgdklzoO8ZpU34NFHoz03OyZnLAOfTU:1HEI4B8WYpAKytFZ8ZpXKMOGAOfd6D
MD5:	7EBB677FEAD8557D3676505225A7249A
SHA1:	F161B4B6001AEAEAB246FF8987F4D992B48D47BE
SHA-256:	051F96ED874C11C4A13589B5F68964E4F5B03B52DDA223D56524F2CA23760C04
SHA-512:	74FD267CF7E299FB8E7054605C3F651F057F676FF865082FA24F4916755456768DB0DA62DBC515D829B48AB1F9CFC8AD3E841DCBF1F194D5CB14C5335A192A0D
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Thanh to.n tr.n c.a h.ng Chrome tr.c tuy.n".. },.. "app_name": {.. "message": "Thanh to.n tr.n c.a h.ng Chrome tr.c tuy.n".. },.. "craw_app_unavailable": {.. "message": ".ng d.ng hi.n kh.ng kh. d.ng.".. },.. "craw_connect_to_network": {.. "message": "Vui l.ng k.t n.i v.i m.ng.".. },.. "iap_unavailable": {.. "message": "Thanh to.n trong .ng d.ng hi.n kh.ng kh. d.ng.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Vui l.ng ..ng nh.p v.o Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\zh_CN\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	595
Entropy (8bit):	5.210259193489374
Encrypted:	false
SSDEEP:	12:1HEJ01GG01+WYpU34zeHz+dgfO8ZpU34YKiO03OyZnLAOfTYB6U:1HEpIWYpISv8Zp+JOGAOfa6U
MD5:	BB73BF561BB79F89D9BF7C67C5AE5C65
SHA1:	2FADD3A1959B29C44830033A35C637D0311A8C9C
SHA-256:	D804F2A040D21D7511EFD5213D8E1721D64964A1A0DBB48E21622CEEDC9D967E
SHA-512:	627D44CEF1FE5C5ABD598BD47FF5E22B9EFC1CF98DDE3868FA9E5896C134A0C9C055AC34EDDADAE56B6690E51AEA89965D38F770552A85C732CC796795DC68D2
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome .........".. },.. "app_name": {.. "message": "Chrome .........".. },.. "craw_app_unavailable": {.. "message": ".........".. },.. "craw_connect_to_network": {.. "message": ".......".. },.. "iap_unavailable": {.. "message": "............".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "... Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_locales\zh_TW\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	634
Entropy (8bit):	5.386215984611281
Encrypted:	false
SSDEEP:	12:1HEJ2j62GG2j62+WYpU34m7T+dgc8nOO8ZpU34mvIO03OyZnLAOfTYAuH:1HEuSZCWYpsStwP8ZpROGAOfCH
MD5:	5FF50C673CC0C661D615F0CFD0E6DCA0
SHA1:	60DFF98DEAB9C4746B288BDD9C94B3BCAE5EAA85
SHA-256:	C6F8C640F3353A7B9B1432A0C139C1AEEC40133800E6C9B467B63991AD660308
SHA-512:	361D62D91F4931C5F34092C9F2C6A5323D5EEB82A24E7ABE11F7817D8D66341C0ECAD4DCB4B10873920C8D6A3CC9F5704889E178EB2549001A9F62BEDF6C8019
Malicious:	false
Reputation:	low
Preview:	{.. "app_description": {.. "message": "Chrome ............".. },.. "app_name": {.. "message": "Chrome ............".. },.. "craw_app_unavailable": {.. "message": ".............".. },.. "craw_connect_to_network": {.. "message": "......".. },.. "iap_unavailable": {.. "message": "................".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "... Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	7780
Entropy (8bit):	5.791315351651491
Encrypted:	false
SSDEEP:	192:RktDNJ2UzsL5KcASyoH+CouKP/iNGRo/oRHMIT:AZQflcsU
MD5:	0834821960CB5C6E9D477AEF649CB2E4
SHA1:	7D25F027D7CEE9E94E9CBDEE1F9220C8D20A1588
SHA-256:	52A24FA2FB3BCB18D9D8571AE385C4A830FF98CE4C18384D40A84EA7F6BA7F69
SHA-512:	9AEAFC3ECE295678242D81D71804E370900A6D4C6A618C5A81CACD869B84346FEAC92189E01718A7BB5C8226E9BE88B063D2ECE7CB0C84F17BB1AF3C5B1A3FC4
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJfbG9jYWxlcy9iZy9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoiZHUtdGRPdUNWcmxDY254Q0poRkg2NXpLU05vb1RiUE56bDNHbzdRMGJ3SSJ9LHsicGF0aCI6Il9sb2NhbGVzL2NhL21lc3NhZ2VzLmpzb24iLCJyb290X2hhc2giOiJ6ZGtWaF9XdkxJWlhkck5xWHBvSHNRMGh1ZGtSM2d1QlMzb2VsTEZLNklVIn0seyJwYXRoIjoiX2xvY2FsZXMvY3MvbWVzc2FnZXMuanNvbiIsInJvb3RfaGFzaCI6Ik9nUkNIZlVoam9xOU93NHFfaEhvTTQxNzNMelJyYkVpUVdsRXNRSzhscFkifSx7InBhdGgiOiJfbG9jYWxlcy9kYS9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoiN2JVWW1LYkhQUUNRMXBGcmUzTHJySEhwWk9xN1c2Zk5hT0laWmdKUERTTSJ9LHsicGF0aCI6Il9sb2NhbGVzL2RlL21lc3NhZ2VzLmpzb24iLCJyb290X2hhc2giOiJOV3FkU3Rfc1NFMm9KT2VuSUZtM0pMRm9iOGtBZ3ZTa3RtZGpCRGJWazdBIn0seyJwYXRoIjoiX2xvY2FsZXMvZWwvbWVzc2FnZXMuanNvbiIsInJvb3RfaGFzaCI6ImgyaEZ0YUJoLXJQUEtoUm00QkFWM0VEZmhFbnh5MElGOVhYT3Z0aHhlNjAifSx7InBhdGgiOiJfbG9jYWxlcy9lbi9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoid0pSZDFmM3NxMERFVTJHLXd

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\craw_background.js

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	544643
Entropy (8bit):	5.385396177420207
Encrypted:	false
SSDEEP:	6144:abyfBNC2FRdjiRXqbe5Dq31IVlMqX+wd5/CcMMJcRULt0NjyTOEzZQ+h72W3GB0n:Ft/g
MD5:	6EEBED29E6A6301E92A9B8B347807F5F
SHA1:	65DFB69B650560551110B33DCBA50B25E5B876DE
SHA-256:	04CD9494B0ED83924DAD12202630B20D053D9E2819C8E826A386C814CC0A1697
SHA-512:	FEDE6DB31F2AD242E7BC7B52A8859BA7F466A0B920A8DADCB32DCFB5B2A2742E98B767FF22E0C5BC5C11FEC021240AA9E458486C9039EB4EBE5CF6AF7BE97BF2
Malicious:	false
Reputation:	low
Preview:	/.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var d,e=e\|\|{};e.scope={};e.arrayIteratorImpl=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};e.arrayIterator=function(a){return{next:e.arrayIteratorImpl(a)}};e.ASSUME_ES5=!1;e.ASSUME_NO_NATIVE_MAP=!1;e.ASSUME_NO_NATIVE_SET=!1;e.SIMPLE_FROUND_POLYFILL=!1;e.ISOLATE_POLYFILLS=!1;e.FORCE_POLYFILL_PROMISE=!1;e.FORCE_POLYFILL_PROMISE_WHEN_NO_UNHANDLED_REJECTION=!1;.e.defineProperty=e.ASSUME_ES5\|\|"function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};e.getGlobal=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");};e.global=e.getGlobal(this);.e.IS_SYMBOL_NATIVE="func

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\craw_window.js

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	261316
Entropy (8bit):	5.444466092380538
Encrypted:	false
SSDEEP:	3072:I5vU7I6s2M9duIWFCbmYJ4tnFWdqpMad2vywhIp81QFv9F9nNsZgiDdOFlV/mZmc:I5vqFCb2p8Gx9FNNsZ9Dd/ceR
MD5:	1709B6F00A136241185161AA3DF46A06
SHA1:	33DA7D262FFED1A5C2D85B7390E9DBC830CBE494
SHA-256:	5721A4B3F8E09C869A629EFFD350B51C9D46F0AC136717D4DB6265C0EE6F9AC8
SHA-512:	26835B4C050F53AD2DDB84469DF9A84BBB2786A655AB52DFC20B54BEDCB81D1ECD789198D5B7D8B940242E5CEAC818A177444D402397AE82C203438C4B1D19CB
Malicious:	false
Reputation:	low
Preview:	/.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var b,k=k\|\|{};k.scope={};k.createTemplateTagFirstArg=function(a){return a.raw=a};k.createTemplateTagFirstArgWithRaw=function(a,c){a.raw=c;return a};k.arrayIteratorImpl=function(a){var c=0;return function(){return c<a.length?{done:!1,value:a[c++]}:{done:!0}}};k.arrayIterator=function(a){return{next:k.arrayIteratorImpl(a)}};k.makeIterator=function(a){var c="undefined"!=typeof Symbol&&Symbol.iterator&&a[Symbol.iterator];return c?c.call(a):k.arrayIterator(a)};.k.arrayFromIterator=function(a){for(var c,d=[];!(c=a.next()).done;)d.push(c.value);return d};k.arrayFromIterable=function(a){return a instanceof Array?a:k.arrayFromIterator(k.makeIterator(a))};k.ASSUME_ES5=!1;k.ASSUME_NO_NATIVE_MAP=!1;k.ASSUME_NO_NATIVE_SET=!1;k.SIMPLE_FROUND_POLYFILL=!1;k.ISOLATE_POLYFILLS=!1;k.FORCE_POLYFILL_PROMISE=!1;k.FORCE_POLYFILL_PROMISE_WHEN_NO_UNHANDLED_REJECTION=!1;.k.objectCreate=k.ASSUME_ES5\|\|"function"==typeof Object.cre

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\css\craw_window.css

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1741
Entropy (8bit):	4.912380256743454
Encrypted:	false
SSDEEP:	24:LalZ74H+rMwJHwIodHRmxt3jiu1iu1RDpfeWlMl548wJHwDwCapt/VMYXj8Eq27K:Z+rMm71le88S1tWYXmrVZFH
MD5:	67BF9AABE17541852F9DDFF8245096CD
SHA1:	A4AC74DD258E8E0689034FAA1B15A5C7C56DC3BB
SHA-256:	10DFBD2D98950B79EE12F6B8E3885AABE31543048DE56AD4FC0A5E34D0D9D4EC
SHA-512:	298FA132C6F122798FDB9BC6DE8024915147ADC20355B56A92F0ED9ACCE4549BE6E7F42212E07DCA166E31624D4E66E299565845D4BA1C51CA935050641B61FE
Malicious:	false
Reputation:	low
Preview:	html, body {. margin: 0;. overflow: hidden;.}..webview {. width: 100%;. height: 100%;. min-height: 100%;. position: absolute;.}...craw_overlay {. position: absolute;.. left: 0;. top: 0;. right: 0;. bottom: 0;.. background-color: white;.. -webkit-transition: opacity 250ms linear;.. display: -webkit-flex;. -webkit-flex-direction: column;. -webkit-flex: 1 0%;. -webkit-align-items: center;. -webkit-justify-content: center;.. -webkit-app-region: drag;.}...craw_overlay img {. margin: 16px;.}..#loading_overlay {. opacity: 1;.}..#offline_overlay {. opacity: 0;. display: none;.}..#offline_overlay > img {. -webkit-filter: saturate(0%);.}..#offline_overlay > span {. font-family: 'Open Sans', 'Deja Vu Sans', Arial, sans-serif;. font-size: 15px;. line-height: 21px;. color: #8d8d8d;. display: block;.}..#loading_splash {. width: 128px;. height: 128px;.}..#drag_overlay {. position: absolute;. left: 0;. top: 0;. right: 0;. bottom: 0;. pointer-events: none;. -webkit

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\html\craw_window.html

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	810
Entropy (8bit):	4.723481385335562
Encrypted:	false
SSDEEP:	12:hYenuEJIig5fRpvV4AEdN2sAAuzg/7RwQuLYpUH9KfRnQBGgZKy3QGgjPSWZDQL:hYeLJKTVNEuLAuzg/twQucpS9bj3
MD5:	34A839BC40DEBC746BBD181D9EF9310C
SHA1:	8B4EAA74D31EED5B0BABA3CA5460201F6B10DA46
SHA-256:	BB8742615E4CD996AE5D0200E443AE6A6F0B473255F03AFFDB8FB4660DE4554D
SHA-512:	EE81E5509CBC2CB2B6C834224688C1E1B1AA9AA3866C52F8EAED040D5C390653C52D8D681E2E2CF62906643962ABAC823D5B622385B983B21E0DCCAFDF281EFF
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>.<html>. <head>. <link href="/css/craw_window.css" rel="stylesheet">. <script src="/craw_window.js"></script>. </head>. <body>. <webview></webview>. <div class="craw_overlay" id="loading_overlay">. <img src="/images/icon_128.png" />. <img src="/images/flapper.gif" />. </div>. <div class="craw_overlay" id="offline_overlay">. <img src="/images/icon_128.png" />. <span id="app_unavailable"></span>. <span id="connect_to_network"></span>. </div>. <div id="drag_overlay"></div>. <div id="top_bar">. <div id='close_button'>. <img src='/images/topbar_floating_button_close.png'/>. </div>. <div id='maximize_button'>. <img src='/images/topbar_floating_button_maximize.png'/>. </div>. </div>. </body>.</html>.

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\images\flapper.gif

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 30 x 30
Category:	dropped
Size (bytes):	70364
Entropy (8bit):	7.119902236613185
Encrypted:	false
SSDEEP:	768:g5TXOSBAqNIPmA8NcjCWdM0VFMJEwavTeElfWupav5TXg7wV+irIPny9MTVQHydi:g5KSmiIPmAhZWiMsDfWug7DmqM6HybkF
MD5:	398ABB308EEBC355DA70BCE907B22E29
SHA1:	CFFB77B8A1724B8F81D98C6D6AD0071D10162252
SHA-256:	2B73533F47A99FFEA9CC405FFAFA9C4C53623F62487AEBFBA415945120B22040
SHA-512:	FC7A56FC8A61A582161874B54ADBAD30A84840190008EDB0B6FBF84F91393CA58E988E3FE446F11A0C3C691C18249B93AEC2904B3D0C4F0857D79034F662385A
Malicious:	false
Reputation:	low
Preview:	GIF89a.......................................................!.......!..NETSCAPE2.0.....,.............9.:.h0.bT(6.!l.&..("gk..JL1.[....o. .(:..B(.6."...Z.CUyh0.....j.C.z8..S....2.T'...Q..4 g\|]$ueW.NyQ.IoL!AoF#9h>7.0t..%..,.@.m4..7..!.......,.............9.:.h0.bT(6.!l.&..("gk..JL1.[....o. .(:..B(.6."...Z.CUyh0.....j.C.z8..S....2.T'...Q..4 g\|]$ueW.NyQ.IoL!AoF#9h>7.0t..%..,.@.m4..7..!.......,............................................................................................................'..w=.....\.)._6.k..OF...n.#\~"....2b3..I.)..eu.Q.`.e......gr.?>.s.I0.....@.~.Tr.[8.+.,.;..EE....S.*f.....,.....B8/D..;.9.q......ukC...r.I.....j......BGY...o2J....+O4....X4.....cH%7....I.....0H!.!.....!.,.............................................................................................................................................................................................................p8.a$....hh@.4....X,A.0L..(....JX.j...,..........z.X.Q....jB.d....B..

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\images\icon_128.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4364
Entropy (8bit):	7.915848007375225
Encrypted:	false
SSDEEP:	96:YjlLDJjTvXUtNvX8dgb9HT6y8nviyHG5iCRYtIP:YtNTfUzvX8KM+MGRsIP
MD5:	4DBC9F9E6F5A08D299BAC9E54DF07694
SHA1:	BB38F5DE34B1E0BE1109220BA55271087A4D9EA5
SHA-256:	91C2718DD23B4356D71F88F6146868369033291086DF327534546DFA459BEB0E
SHA-512:	A5F2B1F47502836130D8083F757B7773C1E1CB36B76AD298CC29AB2B428C8002D2F15BD839838FC326DAC3681C2F48AB25A3E7631D33726C4B25E8EC14170912
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............>a.....IDATx..yp.....gF#.:,[H.l.l..8...`/.k....,!a7Km...E...Te..T.....J...p....%.(....+...3....eY.e...L.o...5....h4...\....{?....~.u.`0.....`0.....`0.....`.Y......[(.......).4....ai..w38.+....Bf././..]...{......8...3.....3W~OJ.. /...u6V.C..U.0.+._=.c..9.X.?....L....S@.L...m.0..>.C...L\|TF.p5..f4M.,.V....8..a.<...RP..@)E,..E"...h.....!...-....,I..T..........m..._[[{w{{....{.^......M.x..h4.h.....\.R.E....j).7.....h4.A.E....,. ...iii.Vj?2...=/.B.FK9P..@)=Rj..D".Y...2.B..x.}0...&J...2.......f.O..e.H.....!.J)'I..R....B............QJ;K..L...L.l".L~mhh.R.@).FFF~.L&...~.B.......u.........}.....~.....f..yUU...........^M...6......].,w.e..~.!$.C.R.....E(%e9.,....k..@...W8.........@...........O..@%.~..@.S..P.....`Tp...."...?ME..c......s...`..S1...7.b..aNE..k...3.yP.}.Ch.}......B..........IPE..C.<....T....k......Z..o_......g........P..A=y.J.)h..@.q.-.].AU.4...F.M.....y%B]+ .\.~..9......:..=...r.....E].o...F..P........i...\|....

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\images\icon_16.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	558
Entropy (8bit):	7.505638146035601
Encrypted:	false
SSDEEP:	12:6v/7vyVgSKYsfFzXxXsrPfA+b0YX+5IOUWCQKznuow7:6yVnKYsfFzhXsrIq0YXmgQGn6
MD5:	FB9C46EA81AD3E456D90D58697C12C06
SHA1:	5FC450F7D73CCFAC8F0D818CB3392BA4D91B69DE
SHA-256:	016CA659BA080E194FBFC0929602B16506ED60AA6019FAA51410C4FD93B583E8
SHA-512:	ADD810EE9EB7CAEC505B5FD90A1F184CE39D8F8C689DCC240F188FE353B9575489492E07D572A3B1C11A1555CE66AFCA5134903E4C1AA3D54BC7C5ED3E65B50C
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................a....IDAT8...Mk.Q...;... .....F..QW.....F....J.?.w..7~......'.Q..B]... .QS...M&_w..b&.\|`......p...f.?.D$.y^..........y...\..Z..t6..oRj.@&.u..G.qN).t.-V.>(.N.Ep]wFk.60o.]0.`Y..cT..Y.Tb.`DF.d..s.Z..E..9.4._C.._...%..*.^....4.l...Y..X..R..../...Wj+w0[.].._B.k.${.\.>.%...........lz .w.ALxo.2;..a...".p..S..&..uXS...<..6..[..zD.._.N+w.WbM7ye6X<...'(,=.r}........$f..5..P....k..."..8.s.<zgSm@.....).Y.....:e..\|.....F...I..A$.....T?.....m....8.........N...z.....V..vd.h'....C.?.....H.;]..C.M.....9.b......IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\images\topbar_floating_button.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.475799237015411
Encrypted:	false
SSDEEP:	3:yionv//thPl3xWrA4RthwkBDsTBZtnAkx/RPJDmV7bScsP4a9zln94FptVp:6v/lhPKM4nDspnAkZJNmgPdln2TTp
MD5:	8803665A6328D23CC1014A7B0E9BE295
SHA1:	9DA6EE729D5A6E9F30658B8EC954710F107A641F
SHA-256:	D5F9234DC36E7FFA85F35B2359A4F82276F8395EFA76E4553507EA990B27FC6C
SHA-512:	ECD9E71B8BA1ED8BD4CA5A0936CB66A83611C4ABCBDA76C250F4CDF4AD80320212E8F5EEB79A38910718F8346ECC1AD580A3FA835EC2B22BE497F36899FB5930
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...BIDATx...Q..0......2...(p...~Z.}'.>I%O...V!s..................../...`.<..`.....IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\images\topbar_floating_button_close.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	252
Entropy (8bit):	6.512071394066515
Encrypted:	false
SSDEEP:	6:6v/lhPKM4nDsp7q1hKVlomsj9rxKNgtmN0VZ+GFYep:6v/7iMXVq1ylxemNgtmKVnYM
MD5:	0599DFD9107C7647F27E69331B0A7D75
SHA1:	3198C0A5F34DB67F91A0035DBC297354CBC95525
SHA-256:	131817CD9311C03DF22D769DD2AD7FA2E6E9558863A89F7E5E1657424031A937
SHA-512:	0076ACB9D6A886BD987876E49495038F9388B292A9EFE5C9093CCA64CA3692E3A5D24E35172C7697F6AAE34B86CA217EE59C003423E46D9499BD27EC7D77A649
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx...... ..Pp.X....H...b@...\|.^LC_.E.BP+......X.P..........q..~..p/. ..s.....%D^...$......@.!...<...).?.4{.k.G3...4..[cH..0..l.8.!r..m.R..{..........`.f...#.x.....IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\images\topbar_floating_button_hover.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.423186859407619
Encrypted:	false
SSDEEP:	3:yionv//thPl3xWrA4RthwkBDsTBZtnAkx/9lVtEHxrPLyN+ltNPhv/l2up:6v/lhPKM4nDspnAkZHVtERrPLygltNPn
MD5:	7CB6B9DC1A30F63B8BD976924B75AD96
SHA1:	0C40B0C496D2F2B5F2021C117EC8610AC03AB469
SHA-256:	721B7AAA9A42A54A349881615A12E3A26983ACA48E173FD2F66E66AA0D725735
SHA-512:	4764937364E355956B242B84010AC56102536D2AACBE4227F0E88E4DE7AB468571957EA6C33012539156E5349AE4F777115615AE3361F60ADDF9CD227424F76A
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...BIDATx...A..0...+B.z.s...*.....$.<u..[...................h.......C.CA).....IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\images\topbar_floating_button_maximize.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	166
Entropy (8bit):	5.8155898293424775
Encrypted:	false
SSDEEP:	3:yionv//thPl3xWrA4RthwkBDsTBZttd//HmnFz1P/ZjXlUTqyCIc30ItK1p:6v/lhPKM4nDsptF/HOP/ZjXlUeyCo/p
MD5:	232CE72808B60CBE0F4FA788A76523DF
SHA1:	721A9C98C835D2CD734153BBE07833C6637ECD68
SHA-256:	AFA4EA944CBDEC8543242E627EF46D5BFD3766DCAC664E7E50CDEEF2B352740C
SHA-512:	4048EEA5A78DD569521C488C4CE4F7B77AC0454C92EE9107A81A1B3AF91A4EE036039AC1A0A6B8DD26B12E7F1595DB80B7FAA7B6A25D9032BF385528A81A8654
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...HIDATx......0.CQS.......~..."..........m.v+Sq....<!...M8m...'...@$..0....E........IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\images\topbar_floating_button_pressed.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.46068685940762
Encrypted:	false
SSDEEP:	3:yionv//thPl3xWrA4RthwkBDsTBZtnAkx/9lVtEXIyN+ltN1/lsg1p:6v/lhPKM4nDspnAkZHVtEZgltN1eup
MD5:	E0862317407F2D54C85E12945799413B
SHA1:	FA557F8F761A04C41C9A4BA81994E43C6C275DBB
SHA-256:	5C10CE0589EB115600F77381130B70AE0B7B3752614D86D4C89E857658AA222B
SHA-512:	07CB69327961FD0019BEF8EF7590B5524905AC373A815F73F6D9E0B26840929F919A96CAA977D4B5656704DACD0F352D568FB3997F80EE6BB94C95B58839DBFE
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...BIDATx...A..0...+B..@wu...*.....$.<u..[...................h.........M..x(....IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\CRX_INSTALL\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1322
Entropy (8bit):	5.449026004350873
Encrypted:	false
SSDEEP:	24:1HEis7ViC/yox/fiqeUoLFlmF1s80FKrGfd0d3NZNZx1Fq7eY7nfj1B:WL7V2opiV1mvs8rxTZRczhB
MD5:	01334FB9D092AF2AA46C4185E405C627
SHA1:	47AD3C0E82362FFE5B881DF8D71D6F79AB7F5796
SHA-256:	F52714812D68C577A445169D11E84DF6751C2D6886BC429643072BB5D61C6C27
SHA-512:	888D96ADB7A847ABE472145258C8C46950EB2FA3BA7D596C2E90A17C8FB06FD0155C56CC8ABA5D076D89368417464BCB2D236F9E40E53241950A01F9F8ED548F
Malicious:	false
Reputation:	low
Preview:	{.. "app": {.. "background": {.. "scripts": [ "craw_background.js" ].. }.. },.. "default_locale": "en",.. "description": "__MSG_APP_DESCRIPTION__",.. "display_in_launcher": false,.. "display_in_new_tab_page": false,.. "icons": {.. "128": "images/icon_128.png",.. "16": "images/icon_16.png".. },.. "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrKfMnLqViEyokd1wk57FxJtW2XXpGXzIHBzv9vQI/01UsuP0IV5/lj0wx7zJ/xcibUgDeIxobvv9XD+zO1MdjMWuqJFcKuSS4Suqkje6u+pMrTSGOSHq1bmBVh0kpToN8YoJs/P/yrRd7FEtAXTaFTGxQL4C385MeXSjaQfiRiQIDAQAB",.. "manifest_version": 2,.. "minimum_chrome_version": "29",.. "name": "__MSG_APP_NAME__",.. "oauth2": {.. "auto_approve": true,.. "client_id": "203784468217.apps.googleusercontent.com",.. "scopes": [ "https://www.googleapis.com/auth/sierra", "https://www.googleapis.com/auth/sierrasandbox", "https://www.googleapis.com/auth/chromewebstore", "https://www.googleapis.com/auth/chromewebstore.readonly" ].. },.

C:\Users\user\AppData\Local\Temp\scoped_dir2332_751561799\fdde1a6e-3537-40bb-94ac-392e6702c2fa.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	248531
Entropy (8bit):	7.963657412635355
Encrypted:	false
SSDEEP:	3072:r+nmRykNgoldZ8GjJCiUXZSk+QSVh85PxEalRVHmcld9R6yYfEp4ABUGDcaKklrv:k3oF4Z4h45P99Fld9RBQYBVcaxlnfL
MD5:	541F52E24FE1EF9F8E12377A6CCAE0C0
SHA1:	189898BB2DCAE7D5A6057BC2D98B8B450AFAEBB6
SHA-256:	81E3A4D43A73699E1B7781723F56B8717175C536685C5450122B30789464AD82
SHA-512:	D779D78A15C5EFCA51EBD6B96A7CCB6D718741BDF7D9A37F53B2EB4B98AA1A78BC4CFA57D6E763AAB97276C8F9088940AC0476690D4D46023FF4BF52F3326C88
Malicious:	false
Reputation:	low
Preview:	Cr24..............0.."0....H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L\|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.\|1..n.<Fb..f..Q1.....s..2..{.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-eu...b.........\..F!...b...l5....zJ.q.......L].....w[T0.6....E.....r..%Z.vFm.9..5!,.~g5...;.t...']....+A.....u....k...e..&..l.6r[yU...%..f.......N..V.....<+.....l..}.{...z...)y.n..'..).....,.b....5.08K%..O.g..D.S.F5o..<(....>....\f..X..I..2."l...w....7f\|.~.c.4.E.......0..0....H............0.......).'..b.$w\$.q&.]zF_2..;...?.U,...W..L1.2...R..#....W.....c1k.$W..$.J....+M!.Hz.n`U.I)N.\|b.l....{.K@]6.LlP/....](.A..................I...).H....IQ.y.;MG.d..ix..#f.Z$\|..\|.?...0K...t"i..s...Y..%.Ky....0...{.!+.~v.;....J.....Z....).(6..@?v.;~..2..c....[0Y0....H.=.....H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...F0D. .0...\|!..A..L.+.=...kP.!.1..

C:\Users\user\Downloads\63df2e5c-2c92-4e96-ab74-c8a236428abf.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Microsoft Cabinet archive data, 61480 bytes, 1 file
Category:	dropped
Size (bytes):	61480
Entropy (8bit):	7.9951219482618905
Encrypted:	true
SSDEEP:	1536:kmu7iDG/SCACih0/8uIGantJdjFpTE8lTeNjiXKGgUN:CeGf5gKsG4vdjFpjlYeX9gUN
MD5:	B9F21D8DB36E88831E5352BB82C438B3
SHA1:	4A3C330954F9F65A2F5FD7E55800E46CE228A3E2
SHA-256:	998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
SHA-512:	D4A2AC7C14227FBAF8B532398FB69053F0A0D913273F6917027C8CADBBA80113FDBEC20C2A7EB31B7BB57C99F9FDECCF8576BE5F39346D8B564FC72FB1699476
Malicious:	false
Reputation:	low
Preview:	MSCF....(.......,...................I........y.........Tbr .authroot.stl..$..4..CK..<Tk...c_.d....A.K.....Y.f....!.))$7I.....e..eKT..k....n.3.......S..9.s.....3H.Mh......qV.=M6.=.4.F.....V:F..]......B`....Q...c"U.0.n....J.....4.....i7s..:.27....._...+).lE..he.4\|.?,...h....7..PA..b.,. .....#1+..o...g.....2n1m...=.......Dp.;..f..ljX.Dx..r<'.1RI3B0<w.D.z..)D\|..8<..c+..'XH..K,.Y..d.j.<.A.......l_lVb[w..rDp...'.....nL....!G.F....f.fX..r.. ?.....v(...L..<.\.Z..g;.>.0v...P ......\|...A..(..x...T0.`g...c..7.U?...9.p..a..&..9......sV..l0..D..fhi..h.F....q...y.....Mq].4..Z.....={L....AS..9.....:.:.........+..P.N....EAQ.V. sr.....y.B.`.Efe..8../....$...y-.q.J.......nP...2.Q8...O........M.@\.>=X....V..z.4.=.@...ws.N.M3.S.c?.....C4]?..\.K.9......^...CU......O....X.`........._.gU.....V.{V6..m..D.-\|.Q.t.7.....9.~....[...I.<e...~$..>......s.I.S....~1..IV.2Ri:..]R!8...q...l.X.%.)@......2.gb,t...}..;...@.Z..<q..y..:...e3..cY.we.$....z..\| .#.......I...

C:\Users\user\Downloads\authrootstl.cab.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Microsoft Cabinet archive data, 61480 bytes, 1 file
Category:	dropped
Size (bytes):	61480
Entropy (8bit):	7.9951219482618905
Encrypted:	true
SSDEEP:	1536:kmu7iDG/SCACih0/8uIGantJdjFpTE8lTeNjiXKGgUN:CeGf5gKsG4vdjFpjlYeX9gUN
MD5:	B9F21D8DB36E88831E5352BB82C438B3
SHA1:	4A3C330954F9F65A2F5FD7E55800E46CE228A3E2
SHA-256:	998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
SHA-512:	D4A2AC7C14227FBAF8B532398FB69053F0A0D913273F6917027C8CADBBA80113FDBEC20C2A7EB31B7BB57C99F9FDECCF8576BE5F39346D8B564FC72FB1699476
Malicious:	false
Reputation:	low
Preview:	MSCF....(.......,...................I........y.........Tbr .authroot.stl..$..4..CK..<Tk...c_.d....A.K.....Y.f....!.))$7I.....e..eKT..k....n.3.......S..9.s.....3H.Mh......qV.=M6.=.4.F.....V:F..]......B`....Q...c"U.0.n....J.....4.....i7s..:.27....._...+).lE..he.4\|.?,...h....7..PA..b.,. .....#1+..o...g.....2n1m...=.......Dp.;..f..ljX.Dx..r<'.1RI3B0<w.D.z..)D\|..8<..c+..'XH..K,.Y..d.j.<.A.......l_lVb[w..rDp...'.....nL....!G.F....f.fX..r.. ?.....v(...L..<.\.Z..g;.>.0v...P ......\|...A..(..x...T0.`g...c..7.U?...9.p..a..&..9......sV..l0..D..fhi..h.F....q...y.....Mq].4..Z.....={L....AS..9.....:.:.........+..P.N....EAQ.V. sr.....y.B.`.Efe..8../....$...y-.q.J.......nP...2.Q8...O........M.@\.>=X....V..z.4.=.@...ws.N.M3.S.c?.....C4]?..\.K.9......^...CU......O....X.`........._.gU.....V.{V6..m..D.-\|.Q.t.7.....9.~....[...I.<e...~$..>......s.I.S....~1..IV.2Ri:..]R!8...q...l.X.%.)@......2.gb,t...}..;...@.Z..<q..y..:...e3..cY.we.$....z..\| .#.......I...

C:\Users\user\Downloads\authrootstl.cab:Zone.Identifier

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139
Entropy (8bit):	4.849487575727094
Encrypted:	false
SSDEEP:	3:gAWY3tNQWHoRJ/PLr4E4eJkACA5GKRRkwRFKKRDUdSDJry:qY3tNpo/PL8+3R/RgS9+
MD5:	B22F41887E3715F6BC1DDB67413EC452
SHA1:	91B7D4A09A4D9946C3AE038718AE2DCD9A9ED21C
SHA-256:	5EA916B873EA49CA1164C3957A58EE94C6B1D60018DDCFAA36C6AED5354BD536
SHA-512:	2B3E69B5E6015742FB03340C6AD7B1417FBAA6DF957929093A98E4B414A09B023FFA7EC16101BD0060D802E24C3B6DFA1ACC73F6EFFAB1817743A68568A7A074
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..HostUrl=http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d187249b7de2efd8..

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2022 18:41:39.685610056 CEST	49776	443	192.168.2.6	142.250.184.205
May 23, 2022 18:41:39.685666084 CEST	443	49776	142.250.184.205	192.168.2.6
May 23, 2022 18:41:39.685790062 CEST	49776	443	192.168.2.6	142.250.184.205
May 23, 2022 18:41:39.686067104 CEST	49777	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:39.686100006 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.686184883 CEST	49777	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:39.686592102 CEST	49776	443	192.168.2.6	142.250.184.205
May 23, 2022 18:41:39.686616898 CEST	443	49776	142.250.184.205	192.168.2.6
May 23, 2022 18:41:39.686878920 CEST	49777	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:39.686903954 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.734813929 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.735187054 CEST	49777	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:39.735217094 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.735953093 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.736030102 CEST	49777	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:39.736840010 CEST	443	49776	142.250.184.205	192.168.2.6
May 23, 2022 18:41:39.737169027 CEST	49776	443	192.168.2.6	142.250.184.205
May 23, 2022 18:41:39.737217903 CEST	443	49776	142.250.184.205	192.168.2.6
May 23, 2022 18:41:39.737556934 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.737631083 CEST	49777	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:39.738325119 CEST	443	49776	142.250.184.205	192.168.2.6
May 23, 2022 18:41:39.738425970 CEST	49776	443	192.168.2.6	142.250.184.205
May 23, 2022 18:41:39.810008049 CEST	49777	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:39.810244083 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.810627937 CEST	49776	443	192.168.2.6	142.250.184.205
May 23, 2022 18:41:39.810883045 CEST	443	49776	142.250.184.205	192.168.2.6
May 23, 2022 18:41:39.811145067 CEST	49777	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:39.811163902 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.811470032 CEST	49776	443	192.168.2.6	142.250.184.205
May 23, 2022 18:41:39.811494112 CEST	443	49776	142.250.184.205	192.168.2.6
May 23, 2022 18:41:39.847345114 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.847430944 CEST	49777	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:39.847450018 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.847496033 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.847541094 CEST	49777	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:39.849215984 CEST	49777	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:39.849239111 CEST	443	49777	142.250.185.110	192.168.2.6
May 23, 2022 18:41:39.868402958 CEST	443	49776	142.250.184.205	192.168.2.6
May 23, 2022 18:41:39.868515015 CEST	49776	443	192.168.2.6	142.250.184.205
May 23, 2022 18:41:39.868535042 CEST	443	49776	142.250.184.205	192.168.2.6
May 23, 2022 18:41:39.868568897 CEST	443	49776	142.250.184.205	192.168.2.6
May 23, 2022 18:41:39.868626118 CEST	49776	443	192.168.2.6	142.250.184.205
May 23, 2022 18:41:39.874562025 CEST	49776	443	192.168.2.6	142.250.184.205
May 23, 2022 18:41:39.874593019 CEST	443	49776	142.250.184.205	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2022 18:41:39.415916920 CEST	49695	53	192.168.2.6	8.8.8.8
May 23, 2022 18:41:39.421899080 CEST	61607	53	192.168.2.6	8.8.8.8
May 23, 2022 18:41:39.433645010 CEST	53	49695	8.8.8.8	192.168.2.6
May 23, 2022 18:41:39.440880060 CEST	53	61607	8.8.8.8	192.168.2.6
May 23, 2022 18:41:48.703497887 CEST	62644	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:48.729576111 CEST	443	62644	142.250.185.110	192.168.2.6
May 23, 2022 18:41:48.730021954 CEST	62644	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:48.755778074 CEST	443	62644	142.250.185.110	192.168.2.6
May 23, 2022 18:41:48.755808115 CEST	443	62644	142.250.185.110	192.168.2.6
May 23, 2022 18:41:48.755825043 CEST	443	62644	142.250.185.110	192.168.2.6
May 23, 2022 18:41:48.755842924 CEST	443	62644	142.250.185.110	192.168.2.6
May 23, 2022 18:41:48.756272078 CEST	62644	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:48.758379936 CEST	62644	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:48.784367085 CEST	62644	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:48.784810066 CEST	62644	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:48.810559034 CEST	443	62644	142.250.185.110	192.168.2.6
May 23, 2022 18:41:48.811373949 CEST	62644	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:48.821671963 CEST	443	62644	142.250.185.110	192.168.2.6
May 23, 2022 18:41:48.821698904 CEST	443	62644	142.250.185.110	192.168.2.6
May 23, 2022 18:41:48.821710110 CEST	443	62644	142.250.185.110	192.168.2.6
May 23, 2022 18:41:48.822350025 CEST	62644	443	192.168.2.6	142.250.185.110
May 23, 2022 18:41:48.847640991 CEST	62644	443	192.168.2.6	142.250.185.110

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 23, 2022 18:41:39.415916920 CEST	192.168.2.6	8.8.8.8	0x6b35	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)
May 23, 2022 18:41:39.421899080 CEST	192.168.2.6	8.8.8.8	0xa0fa	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 23, 2022 18:41:39.433645010 CEST	8.8.8.8	192.168.2.6	0x6b35	No error (0)	accounts.google.com		142.250.184.205	A (IP address)	IN (0x0001)
May 23, 2022 18:41:39.440880060 CEST	8.8.8.8	192.168.2.6	0xa0fa	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)
May 23, 2022 18:41:39.440880060 CEST	8.8.8.8	192.168.2.6	0xa0fa	No error (0)	clients.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

clients2.google.com

accounts.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49777	142.250.185.110	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2022-05-23 16:41:39 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm X-Goog-Update-Updater: chromecrx-85.0.4183.121 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-23 16:41:39 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-e6_nb4BpCkM755TO2NKR-w' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 23 May 2022 16:41:39 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5621 X-Daystart: 34899 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2022-05-23 16:41:39 UTC	2	IN	Data Raw: 33 36 64 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 36 32 31 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 33 34 38 39 39 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 36d<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5621" elapsed_seconds="34899"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2022-05-23 16:41:39 UTC	2	IN	Data Raw: 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 2e 63 72 78 22 20 66 70 3d 22 31 2e 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 61 70 Data Ascii: mhkkegccagdldgiimedpiccmgmieda.crx" fp="1.81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app><ap
2022-05-23 16:41:39 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49776	142.250.184.205	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2022-05-23 16:41:39 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-23 16:41:39 UTC	1	OUT	Data Raw: 20 Data Ascii:
2022-05-23 16:41:39 UTC	3	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 23 May 2022 16:41:39 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-nlFSt4CDhv2GVT32EyBWgA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'nonce-nlFSt4CDhv2GVT32EyBWgA' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2022-05-23 16:41:39 UTC	4	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2022-05-23 16:41:39 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 2332, Parent PID: 636

General

Target ID:	1
Start time:	18:41:34
Start date:	23/05/2022
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d187249b7de2efd8
Imagebase:	0x7ff6220c0000
File size:	2150896 bytes
MD5 hash:	C139654B5C1438A95B321BB01AD63EF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5812, Parent PID: 2332

General

Target ID:	2
Start time:	18:41:36
Start date:	23/05/2022
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,4069944722488659976,14944427691238441646,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1940 /prefetch:8
Imagebase:	0x7ff6220c0000
File size:	2150896 bytes
MD5 hash:	C139654B5C1438A95B321BB01AD63EF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6748, Parent PID: 2332

General

Target ID:	4
Start time:	18:41:40
Start date:	23/05/2022
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,4069944722488659976,14944427691238441646,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4788 /prefetch:8
Imagebase:	0x7ff6220c0000
File size:	2150896 bytes
MD5 hash:	C139654B5C1438A95B321BB01AD63EF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: elevation_service.exePID: 6728, Parent PID: 588

General

Target ID:	14
Start time:	18:42:56
Start date:	23/05/2022
Path:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
Imagebase:	0x7ff7f54a0000
File size:	1322992 bytes
MD5 hash:	AFD137B53BA091ACBA569255B16DF837
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ChromeRecovery.exePID: 492, Parent PID: 6728

General

Target ID:	17
Start time:	18:43:01
Start date:	23/05/2022
Path:	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={071c9bf8-cee5-4f16-a546-0f1aec4e4f3e} --system
Imagebase:	0xdc0000
File size:	259472 bytes
MD5 hash:	49AC3C96D270702A27B4895E4CE1F42A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 1%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ChromeRecovery.exePID: 492, Parent PID: 6728COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Executed Functions

Function 00DCE00C Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 217
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00DCE00C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a40) {
				signed int _v8;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				void* _v32;
				void* _v36;
				intOrPtr* _v40;
				intOrPtr _v44;
				long _v48;
				void* __ebp;
				signed int _t75;
				void** _t85;
				_Unknown_base(*)()* _t87;
				void* _t96;
				struct HINSTANCE__* _t97;
				struct HINSTANCE__* _t98;
				intOrPtr* _t99;
				_Unknown_base(*)()* _t103;
				void* _t105;
				void* _t109;
				void* _t110;
				void* _t113;
				intOrPtr _t124;
				intOrPtr _t129;
				void* _t132;
				intOrPtr _t135;
				intOrPtr* _t139;
				intOrPtr _t140;
				struct _SECURITY_ATTRIBUTES* _t142;
				signed int _t143;
				struct _CRITICAL_SECTION** _t144;

				_t132 = __edx;
				_t75 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t75 ^ _t143;
				_v40 = _a4;
				_t113 = __ecx;
				_v36 = __ecx;
				_t135 = _a28;
				asm("lock xadd [0xdf9e18], eax");
				_v44 = 2;
				_t142 = 0;
				 *((intOrPtr*)(__ecx + 8)) = _a16;
				 *__ecx = 0;
				 *((intOrPtr*)(__ecx + 4)) = E00DC95BB;
				 *((intOrPtr*)(__ecx + 0x58)) = 0;
				 *((intOrPtr*)(__ecx + 0x5c)) = 0;
				 *((intOrPtr*)(__ecx + 0x60)) = 0;
				 *((intOrPtr*)(__ecx + 0x64)) = 0;
				 *((intOrPtr*)(__ecx + 0x68)) = 0;
				 *((intOrPtr*)(__ecx + 0x6c)) = _a24;
				 *((intOrPtr*)(__ecx + 0x70)) = 0;
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				 *((intOrPtr*)(__ecx + 0x78)) = 7;
				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
				 *((intOrPtr*)(__ecx + 0x80)) = 0;
				 *((intOrPtr*)(__ecx + 0x84)) = 0;
				 *((intOrPtr*)(__ecx + 0x88)) = 0;
				 *((char*)(__ecx + 0x8c)) = 0;
				 *((intOrPtr*)(__ecx + 0xa8)) = 0;
				 *((intOrPtr*)(__ecx + 0xac)) = 0;
				 *((intOrPtr*)(__ecx + 0xb0)) = 0;
				 *((intOrPtr*)(__ecx + 0xb4)) = 0;
				 *((intOrPtr*)(__ecx + 0xb8)) = 0;
				 *((short*)(__ecx + 0xbc)) = 0;
				 *((char*)(__ecx + 0xbe)) = 0;
				_t145 = _t135;
				if(_t135 == 0) {
					L9:
					if( *((intOrPtr*)(_t113 + 0xc)) == 0) {
						_t41 = _t113 + 0x90; // 0x90
						InitializeCriticalSection(_t41);
						 *((intOrPtr*)(_t113 + 0xa8)) = CreateSemaphoreW(0, 0, 1, 0);
						_t96 = CreateSemaphoreW(0, 0, 1, 0);
						 *(_t113 + 0xac) = _t96;
						if(_t96 != 0 &&  *((intOrPtr*)(_t113 + 0xa8)) != 0) {
							_t105 = CreateThread(0, 0x10000, E00DCE48D, _t113, 0,  &_v48); // executed
							 *(_t113 + 0x88) = _t105;
						}
						_t97 = LoadLibraryW(L"dbghelp.dll"); // executed
						 *(_t113 + 0x64) = _t97;
						if(_t97 != 0) {
							_t103 = GetProcAddress(_t97, "MiniDumpWriteDump"); // executed
							 *(_t113 + 0x68) = _t103;
						}
						_t98 = LoadLibraryW(L"rpcrt4.dll");
						 *(_t113 + 0x70) = _t98;
						if(_t98 != 0) {
							 *((intOrPtr*)(_t113 + 0x74)) = GetProcAddress(_t98, "UuidCreate");
						}
						_t99 = _v40;
						_t52 = _t113 + 0x10; // 0x10
						_t139 = _t52;
						if(_t139 != _t99) {
							_t124 =  *((intOrPtr*)(_t99 + 0x10));
							if( *((intOrPtr*)(_t99 + 0x14)) >= 8) {
								_t99 =  *_t99;
							}
							E00DC97AD(_t113, _t139, _t142, _t99, _t124);
						}
						if( *((intOrPtr*)(_t139 + 0x14)) >= 8) {
							_t139 =  *_t139;
						}
						 *((intOrPtr*)(_t113 + 0x58)) = _t139;
						E00DCEBE7(_t113, _t113, _t139, _t142); // executed
					}
					_v28 = 0;
					_v24 = 0;
					_v20 = 0;
					E00DCED25(_t113, _t132, _t142,  &_v28);
					if(_v44 == 1) {
						InitializeCriticalSection(0xdf9e1c);
					}
					EnterCriticalSection(0xdf9e1c);
					_t85 =  *0xdf9e34; // 0x0
					_t161 = _t85;
					if(_t85 == 0) {
						_push(0xc);
						_t85 = E00DCF36C(_t161);
						 *0xdf9e34 = _t85;
						 *_t85 = 0;
						_t85[1] = 0;
						_t85[2] = 0;
					}
					_t118 = _t85[1];
					_v32 = _t113;
					_t162 = _t85[2] - _t118;
					if(_t85[2] == _t118) {
						_t118 = _t85;
						E00DCEE84(_t113, _t85, 0, _t142, _t85,  &_v32);
					} else {
						 *_t118 = _t113;
						_t85[1] = _t85[1] + 4;
					}
					_t87 = SetUnhandledExceptionFilter(E00DCE588); // executed
					 *(_t113 + 0x7c) = _t87;
					 *((intOrPtr*)(_t113 + 0x80)) = E00DD349A(_t162, E00DCE634);
					 *_t144 = 0xdce7b0;
					 *((intOrPtr*)(_t113 + 0x84)) = E00DD2EAF(_t162);
					 *_t144 = 0xdf9e1c;
					LeaveCriticalSection(??);
					if(_t142 != 0) {
						E00DCEDE9(_t142, _t118);
					}
					return E00DCF35B(_v8 ^ _t143);
				}
				_push(0x348);
				_t140 = E00DCEFB3(E00DCF36C(_t145), _t135, _t145, _t135,  *((intOrPtr*)(_t113 + 0x6c)), _a40);
				if(_t140 == 0) {
					goto L9;
				}
				_t142 = _t140;
				if( *((intOrPtr*)(_t140 + 0x28)) != 0) {
					L5:
					_t129 =  *((intOrPtr*)(_t113 + 0xc));
					_t142 = 0;
					if(_t140 != _t129) {
						if(_t129 != 0) {
							E00DCEDE9(_t129, _t129);
						}
						 *((intOrPtr*)(_t113 + 0xc)) = _t140;
					}
					goto L9;
				}
				_t109 = E00DCF00F(_t140); // executed
				_v32 = _t109;
				_t148 = _t109;
				if(_t109 == 0) {
					goto L9;
				}
				_t110 = E00DCF0AA(_t140, _t148, _t109);
				CloseHandle(_v32);
				_t113 = _v36;
				if(_t110 == 0) {
					goto L9;
				}
				goto L5;
			}

0x00dce00c
0x00dce012
0x00dce019
0x00dce020
0x00dce023
0x00dce028
0x00dce02c
0x00dce030
0x00dce03b
0x00dce041
0x00dce043
0x00dce049
0x00dce04b
0x00dce052
0x00dce055
0x00dce058
0x00dce05b
0x00dce05e
0x00dce061
0x00dce064
0x00dce067
0x00dce06a
0x00dce071
0x00dce074
0x00dce07a
0x00dce080
0x00dce086
0x00dce08c
0x00dce092
0x00dce098
0x00dce09e
0x00dce0a4
0x00dce0aa
0x00dce0b1
0x00dce0b7
0x00dce0b9
0x00dce120
0x00dce124
0x00dce12a
0x00dce131
0x00dce146
0x00dce153
0x00dce155
0x00dce15d
0x00dce17a
0x00dce180
0x00dce180
0x00dce18b
0x00dce197
0x00dce19c
0x00dce1a4
0x00dce1a6
0x00dce1a6
0x00dce1ae
0x00dce1b4
0x00dce1b9
0x00dce1c3
0x00dce1c3
0x00dce1c6
0x00dce1c9
0x00dce1c9
0x00dce1ce
0x00dce1d4
0x00dce1d7
0x00dce1d9
0x00dce1d9
0x00dce1df
0x00dce1df
0x00dce1e8
0x00dce1ea
0x00dce1ea
0x00dce1ee
0x00dce1f1
0x00dce1f1
0x00dce201
0x00dce205
0x00dce208
0x00dce20b
0x00dce214
0x00dce21b
0x00dce21b
0x00dce226
0x00dce22c
0x00dce231
0x00dce233
0x00dce235
0x00dce237
0x00dce23d
0x00dce242
0x00dce244
0x00dce247
0x00dce247
0x00dce24a
0x00dce24d
0x00dce250
0x00dce253
0x00dce262
0x00dce264
0x00dce255
0x00dce255
0x00dce257
0x00dce257
0x00dce26e
0x00dce279
0x00dce281
0x00dce287
0x00dce293
0x00dce299
0x00dce2a0
0x00dce2a8
0x00dce2ad
0x00dce2ad
0x00dce2c0
0x00dce2c0
0x00dce0bb
0x00dce0d4
0x00dce0d8
0x00000000
0x00000000
0x00dce0de
0x00dce0e0
0x00dce10a
0x00dce10a
0x00dce10d
0x00dce111
0x00dce115
0x00dce118
0x00dce118
0x00dce11d
0x00dce11d
0x00000000
0x00dce111
0x00dce0e4
0x00dce0e9
0x00dce0ec
0x00dce0ee
0x00000000
0x00000000
0x00dce0f3
0x00dce0fd
0x00dce105
0x00dce108
0x00000000
0x00000000
0x00000000

APIs

CloseHandle.KERNEL32(?,00000000,?,?,?), ref: 00DCE0FD
InitializeCriticalSection.KERNEL32(00000090), ref: 00DCE131
CreateSemaphoreW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00DCE144
CreateSemaphoreW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00DCE153
CreateThread.KERNELBASE(00000000,00010000,Function_0000E48D,00000000,00000000,?), ref: 00DCE17A
LoadLibraryW.KERNELBASE(dbghelp.dll), ref: 00DCE18B
GetProcAddress.KERNELBASE(00000000,MiniDumpWriteDump), ref: 00DCE1A4
LoadLibraryW.KERNEL32(rpcrt4.dll), ref: 00DCE1AE
GetProcAddress.KERNEL32(00000000,UuidCreate), ref: 00DCE1C1
InitializeCriticalSection.KERNEL32(00DF9E1C,00000101), ref: 00DCE21B
EnterCriticalSection.KERNEL32(00DF9E1C,00000101), ref: 00DCE226
SetUnhandledExceptionFilter.KERNELBASE(00DCE588,?,?), ref: 00DCE26E
LeaveCriticalSection.KERNEL32(00DCE634), ref: 00DCE2A0

Part of subcall function 00DCF0AA: GetCurrentProcessId.KERNEL32(00000000,00000000,00000000), ref: 00DCF0BB
Part of subcall function 00DCF0AA: TransactNamedPipe.KERNEL32(00000000,?,0000002C,?,0000002C,?,00000000,0000003C,00000000,?,00000038,0000003C,00000040,0000001C), ref: 00DCF121
Part of subcall function 00DCF0AA: WriteFile.KERNEL32(00000000,?,0000002C,?,00000000), ref: 00DCF177

Strings

dbghelp.dll, xrefs: 00DCE186
UuidCreate, xrefs: 00DCE1BB
rpcrt4.dll, xrefs: 00DCE1A9
MiniDumpWriteDump, xrefs: 00DCE19E

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CriticalSection$Create$AddressInitializeLibraryLoadProcSemaphore$CloseCurrentEnterExceptionFileFilterHandleLeaveNamedPipeProcessThreadTransactUnhandledWrite
String ID: MiniDumpWriteDump$UuidCreate$dbghelp.dll$rpcrt4.dll
API String ID: 1170675889-801898421
Opcode ID: b73dd0a7a4cf8abe986b3b895fac3d887e46fadfccdef2d296051ce2a79adf4a
Instruction ID: 01393e6cb0ad88cc56694c69d524016db5e8c92d291695d84b990011eaa5641c
Opcode Fuzzy Hash: b73dd0a7a4cf8abe986b3b895fac3d887e46fadfccdef2d296051ce2a79adf4a
Instruction Fuzzy Hash: 12813BB09053069FDB54EF68D885BA9BBE9FF48300F09816EE809DB356DB709844CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DCE2C3 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 147
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00DCE2C3(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				long* _v8;
				signed int _t48;
				void* _t53;
				signed char _t60;
				long* _t62;
				long** _t78;
				long* _t92;
				void* _t96;
				long* _t100;
				long* _t102;
				void* _t103;

				_push(__ecx);
				_t96 = __ecx;
				if( *(__ecx + 0x64) != 0) {
					_t48 = FreeLibrary( *(__ecx + 0x64)); // executed
				}
				if( *(_t96 + 0x70) != 0) {
					_t48 = FreeLibrary( *(_t96 + 0x70));
				}
				_t100 = 0;
				if( *(_t96 + 0x78) != 0) {
					EnterCriticalSection(0xdf9e1c);
					_t60 =  *(_t96 + 0x78);
					if((_t60 & 0x00000001) != 0) {
						SetUnhandledExceptionFilter( *(_t96 + 0x7c)); // executed
						_t60 =  *(_t96 + 0x78);
					}
					_t108 = _t60 & 0x00000002;
					if((_t60 & 0x00000002) != 0) {
						E00DD349A(_t108,  *((intOrPtr*)(_t96 + 0x80)));
						_t60 =  *(_t96 + 0x78);
					}
					_t109 = _t60 & 0x00000004;
					if((_t60 & 0x00000004) != 0) {
						E00DD2EAF(_t109,  *((intOrPtr*)(_t96 + 0x84)));
					}
					_t78 =  *0xdf9e34; // 0x0
					_t62 =  &(_t78[1][0xffffffffffffffff]);
					if( *_t62 != _t96) {
						_push("warning: removing Breakpad handler out of order\n");
						_push(E00DDB552(2));
						E00DCDF8C();
						_t78 =  *0xdf9e34; // 0x0
						_t102 =  *_t78;
						__eflags = _t102 - _t78[1];
						if(_t102 != _t78[1]) {
							_t92 =  &(_t102[1]);
							_v8 = _t92;
							do {
								__eflags =  *_t102 - _t96;
								if( *_t102 != _t96) {
									_t102 =  &(_t102[1]);
									_t92 =  &(_t92[1]);
									__eflags = _t92;
									_v8 = _t92;
								} else {
									E00DD0690(_t102, _t92, _t78[1] - _t92);
									_t92 = _v8;
									_t103 = _t103 + 0xc;
									_t78[1] =  &(_t78[1][0xffffffffffffffff]);
									_t78 =  *0xdf9e34; // 0x0
								}
								__eflags = _t102 - _t78[1];
							} while (_t102 != _t78[1]);
						}
						_t100 = 0;
						__eflags = 0;
					} else {
						_t78[1] = _t62;
					}
					_t48 =  *_t78;
					if(_t48 == _t78[1]) {
						if(_t48 != 0) {
							E00DC1D20(_t78, _t96,  *_t78, _t78[2] -  *_t78 & 0xfffffffc);
							 *_t78 = _t100;
							_t78[1] = _t100;
							_t78[2] = _t100;
						}
						_push(0xc);
						_t48 = E00DCF62D(_t78);
						 *0xdf9e34 = _t100;
					}
					LeaveCriticalSection(0xdf9e1c);
				}
				if( *((intOrPtr*)(_t96 + 0xc)) == _t100) {
					 *((char*)(_t96 + 0x8c)) = 1;
					ReleaseSemaphore( *(_t96 + 0xa8), 1, _t100);
					WaitForSingleObject( *(_t96 + 0x88), 0xea60);
					_t100 = CloseHandle; // executed
					FindCloseChangeNotification( *(_t96 + 0x88)); // executed
					 *(_t96 + 0x88) =  *(_t96 + 0x88) & 0x00000000;
					_t40 = _t96 + 0x90; // 0x191
					DeleteCriticalSection(_t40);
					CloseHandle( *(_t96 + 0xa8));
					_t48 = CloseHandle( *(_t96 + 0xac));
				}
				asm("lock xadd [0xdf9e18], eax");
				if((_t48 | 0xffffffff) == 0) {
					DeleteCriticalSection(0xdf9e1c);
				}
				_t43 = _t96 + 0xc0; // 0x1c1
				E00DCED78(_t43, _t100);
				_t44 = _t96 + 0x40; // 0x141
				E00DC9758(_t44);
				_t45 = _t96 + 0x28; // 0x129
				E00DC9758(_t45);
				_t46 = _t96 + 0x10; // 0x111
				_t53 = E00DC9758(_t46);
				_t84 =  *((intOrPtr*)(_t96 + 0xc));
				if( *((intOrPtr*)(_t96 + 0xc)) != 0) {
					return E00DCEDE9(_t84, _t84);
				}
				return _t53;
			}

0x00dce2c6
0x00dce2d0
0x00dce2d6
0x00dce2db
0x00dce2db
0x00dce2e1
0x00dce2e6
0x00dce2e6
0x00dce2e8
0x00dce2ed
0x00dce2f8
0x00dce2fe
0x00dce303
0x00dce308
0x00dce30e
0x00dce30e
0x00dce311
0x00dce313
0x00dce31b
0x00dce320
0x00dce323
0x00dce324
0x00dce326
0x00dce32e
0x00dce333
0x00dce334
0x00dce33d
0x00dce342
0x00dce349
0x00dce356
0x00dce357
0x00dce35c
0x00dce364
0x00dce366
0x00dce369
0x00dce36b
0x00dce36e
0x00dce371
0x00dce371
0x00dce373
0x00dce394
0x00dce397
0x00dce397
0x00dce39a
0x00dce375
0x00dce37d
0x00dce382
0x00dce385
0x00dce388
0x00dce38c
0x00dce38c
0x00dce39d
0x00dce39d
0x00dce371
0x00dce3a2
0x00dce3a2
0x00dce344
0x00dce344
0x00dce344
0x00dce3a4
0x00dce3a9
0x00dce3ad
0x00dce3ba
0x00dce3c1
0x00dce3c3
0x00dce3c6
0x00dce3c6
0x00dce3c9
0x00dce3cc
0x00dce3d3
0x00dce3d3
0x00dce3de
0x00dce3de
0x00dce3ed
0x00dce3f8
0x00dce3ff
0x00dce410
0x00dce41c
0x00dce422
0x00dce424
0x00dce42b
0x00dce432
0x00dce43a
0x00dce442
0x00dce442
0x00dce447
0x00dce44f
0x00dce456
0x00dce456
0x00dce458
0x00dce45e
0x00dce463
0x00dce466
0x00dce46b
0x00dce46e
0x00dce473
0x00dce476
0x00dce47b
0x00dce483
0x00000000
0x00dce486
0x00dce48c

APIs

FreeLibrary.KERNELBASE(?,00000101,?,?,00000101,?,00DC94EA,?,?,?,?), ref: 00DCE2DB
FreeLibrary.KERNEL32(?,00000101,?,?,00000101,?,00DC94EA,?), ref: 00DCE2E6
EnterCriticalSection.KERNEL32(00DF9E1C,00000101,?,?,00000101,?,00DC94EA,?), ref: 00DCE2F8
SetUnhandledExceptionFilter.KERNELBASE(?,?,00DC94EA,?), ref: 00DCE308
LeaveCriticalSection.KERNEL32(00DF9E1C,?,00DC94EA,?), ref: 00DCE3DE
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 00DCE3FF
WaitForSingleObject.KERNEL32(?,0000EA60), ref: 00DCE410
FindCloseChangeNotification.KERNELBASE(?), ref: 00DCE422
DeleteCriticalSection.KERNEL32(00000191), ref: 00DCE432
CloseHandle.KERNEL32(?), ref: 00DCE43A
CloseHandle.KERNEL32(?), ref: 00DCE442
DeleteCriticalSection.KERNEL32(00DF9E1C,00000101,?,?,00000101,?,00DC94EA,?), ref: 00DCE456

Strings

warning: removing Breakpad handler out of order, xrefs: 00DCE349

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CriticalSection$Close$DeleteFreeHandleLibrary$ChangeEnterExceptionFilterFindLeaveNotificationObjectReleaseSemaphoreSingleUnhandledWait
String ID: warning: removing Breakpad handler out of order
API String ID: 209165198-3173292377
Opcode ID: 6207450bc4be968afd0b6f2486c09fbe3c8a104c98e4538d73e84e173def8a57
Instruction ID: f5e469f27b0d08ee8a9e11bf239a815e85b1456363cec612572160bde9cd4897
Opcode Fuzzy Hash: 6207450bc4be968afd0b6f2486c09fbe3c8a104c98e4538d73e84e173def8a57
Instruction Fuzzy Hash: A0513871601652EFDB19AF24DC85FA8BBA4FF05321F188159E4199B2A1DB70B851CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3298 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00DC3298(signed int __ecx) {
				WCHAR* _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				signed int _v20;
				WCHAR* _v24;
				void* __edi;
				char _t48;
				signed int _t51;
				WCHAR* _t52;
				intOrPtr _t53;
				int _t58;
				signed int _t67;
				WCHAR* _t71;
				signed int _t73;
				signed int _t75;
				void* _t76;
				WCHAR* _t77;
				void* _t78;
				void* _t79;
				WCHAR* _t80;

				_t67 = __ecx; // executed
				_t48 = E00DC2EB2(); // executed
				 *((char*)(__ecx + 0x77)) = _t48;
				E00DC3E17(__ecx, _t76,  &_v8);
				_t77 = _v8;
				_t79 = GetPrivateProfileIntW;
				_v24 = _t77;
				if( *((intOrPtr*)(_t77 - 0xc)) == 0) {
					 *((char*)(_t67 + 0x74)) = 1;
					_t51 = 1;
					 *((char*)(_t67 + 0x76)) = 1;
					 *((char*)(_t67 + 0x78)) = 0;
				} else {
					 *((char*)(_t67 + 0x74)) = GetPrivateProfileIntW(L"LoggingSettings", L"EnableLogging", 1, _t77) & 0xffffff00 | _t60 != 0x00000000;
					 *((char*)(_t67 + 0x76)) = GetPrivateProfileIntW(L"LoggingSettings", L"ShowTime", 1, _t77) & 0xffffff00 | _t62 != 0x00000000;
					 *((char*)(_t67 + 0x78)) = GetPrivateProfileIntW(L"LoggingSettings", L"LogToOutputDebug", 0, _t77) & 0xffffff00 | _t64 != 0x00000000;
					_t51 = GetPrivateProfileIntW(L"LoggingSettings", L"AppendToFile", 1, _t77) & 0xffffff00 | _t66 != 0x00000000;
				}
				 *(_t67 + 0x79) = _t51;
				if( *((char*)(_t67 + 0x75)) != 0) {
					 *((char*)(_t67 + 0x76)) = 1;
				}
				_t52 = 0;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = 7;
				_t78 = _t79;
				_v8 = 0;
				do {
					_t25 =  &(_t52[0x6fc558]); // 0xdf36b4
					_t70 =  *_t25;
					_v16 = _t70;
					if(_t70 != 0) {
						_t27 =  &(_t52[0x6fc55a]); // 0x1
						_t70 =  *_t27;
						_v20 = _t70;
						if(_t70 <= 9) {
							_t73 = _t67;
							E00DC3E17(_t73, _t78,  &_v12);
							_t80 = _v12;
							if( *((intOrPtr*)(_t80 - 0xc)) == 0) {
								_t58 = 1;
							} else {
								_t58 = GetPrivateProfileIntW(L"LoggingLevel", _v16, 1, _t80);
							}
							_t75 = _v20;
							 *((char*)(_t67 + _t75 * 8)) = _t73 & 0xffffff00 | _t58 != 0x00000000;
							_t38 = _t80 - 0x10; // -16
							_t70 = _t38;
							 *(_t67 + 4 + _t75 * 8) = _t58;
							E00DC13C0(_t58, _t38);
							_t52 = _v8;
						}
					}
					_t52 =  &(_t52[4]);
					_v8 = _t52;
				} while (_t52 < 0x48);
				_t53 = E00DC7495(_t70);
				_t71 = _v24;
				 *((intOrPtr*)(_t67 + 0x80)) = _t53;
				 *(_t67 + 0x84) = _t75;
				_t47 = _t71 - 0x10; // 0x7e845
				return E00DC13C0(_t53, _t47);
			}

0x00dc32a1
0x00dc32a3
0x00dc32a8
0x00dc32b1
0x00dc32b6
0x00dc32b9
0x00dc32bf
0x00dc32c6
0x00dc3323
0x00dc3327
0x00dc3329
0x00dc332d
0x00dc32c8
0x00dc32e9
0x00dc3300
0x00dc3317
0x00dc331e
0x00dc331e
0x00dc3331
0x00dc3338
0x00dc333a
0x00dc333a
0x00dc333e
0x00dc3340
0x00dc3343
0x00dc334a
0x00dc334c
0x00dc334f
0x00dc334f
0x00dc334f
0x00dc3355
0x00dc335a
0x00dc335c
0x00dc335c
0x00dc3362
0x00dc3368
0x00dc336d
0x00dc3370
0x00dc3375
0x00dc337c
0x00dc338f
0x00dc337e
0x00dc3389
0x00dc3389
0x00dc3390
0x00dc3398
0x00dc339b
0x00dc339b
0x00dc339e
0x00dc33a2
0x00dc33a7
0x00dc33a7
0x00dc3368
0x00dc33aa
0x00dc33ad
0x00dc33b0
0x00dc33b5
0x00dc33ba
0x00dc33bd
0x00dc33c3
0x00dc33c9
0x00dc33d5

APIs

Part of subcall function 00DC2EB2: RegOpenKeyExW.KERNELBASE(80000002,Software\Google\UpdateDev\,00000000,00020019,00000000,?,00DC32A8,?,?,00000000,00DCB7E8,?,00000001,00000000), ref: 00DC2ED2

GetPrivateProfileIntW.KERNEL32 ref: 00DC32D5
GetPrivateProfileIntW.KERNEL32 ref: 00DC32EC
GetPrivateProfileIntW.KERNEL32 ref: 00DC3303
GetPrivateProfileIntW.KERNEL32 ref: 00DC331A
GetPrivateProfileIntW.KERNEL32 ref: 00DC3389

Strings

LoggingLevel, xrefs: 00DC3384
ShowTime, xrefs: 00DC32DC
LogToOutputDebug, xrefs: 00DC32F3
AppendToFile, xrefs: 00DC330A
LoggingSettings, xrefs: 00DC32D0, 00DC32E4, 00DC32FB, 00DC3312
EnableLogging, xrefs: 00DC32CB

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: PrivateProfile$Open
String ID: AppendToFile$EnableLogging$LogToOutputDebug$LoggingLevel$LoggingSettings$ShowTime
API String ID: 2464959735-501848500
Opcode ID: d8380f0e981b564947ce6c3e421db3f870ae497e043382fa7556e3a65ec653d9
Instruction ID: 7c7bd612da7dd03e7e3e60c02d1d016999942ba42b3d80547b6904d03ccd2b86
Opcode Fuzzy Hash: d8380f0e981b564947ce6c3e421db3f870ae497e043382fa7556e3a65ec653d9
Instruction Fuzzy Hash: 9741B130A013C5AEDB04DFA58885FAE7FE4EF41744F0980ADE8509B283C6B98A48C730

Uniqueness

Uniqueness Score: -1.00%

Function 00DCFE00 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DCFE00() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00DCFE0C); // executed
				return _t1;
			}

0x00dcfe05
0x00dcfe0b

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0000FE0C,00DCF6F3), ref: 00DCFE05

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8e10c58b6ba9ecaddca2b93b633726c97889838a9d45afb2629d559096f0e940
Instruction ID: f9f8a256ef8a47d760f08b6002bcd2d274345fd4b5c1bc3c72351e4a3121591e
Opcode Fuzzy Hash: 8e10c58b6ba9ecaddca2b93b633726c97889838a9d45afb2629d559096f0e940
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00DCBC0B Relevance: 54.7, APIs: 7, Strings: 24, Instructions: 403
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00DCBC0B(void* __ebx, void* __ecx, WCHAR* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v12;
				signed int* _v16;
				int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				char _v64;
				signed int _v68;
				WCHAR* _v72;
				int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v100;
				signed int _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr _v116;
				signed int _v120;
				intOrPtr _v124;
				int _v128;
				char _v140;
				signed int _v144;
				signed int _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v168;
				char _v176;
				char _v184;
				char _v192;
				char _v200;
				char _v208;
				char _v216;
				int _v223;
				char _v224;
				void* __ebp;
				signed int _t143;
				void* _t148;
				char _t149;
				int _t150;
				signed int _t152;
				int _t164;
				int _t166;
				int _t167;
				int _t183;
				int _t188;
				int _t192;
				int _t194;
				intOrPtr _t195;
				int _t204;
				int _t205;
				intOrPtr _t206;
				signed int* _t207;
				intOrPtr _t211;
				intOrPtr _t218;
				int _t222;
				int _t224;
				int _t233;
				void* _t259;
				void* _t261;
				int _t271;
				signed int* _t273;
				signed int _t278;
				signed int _t284;
				signed int _t287;
				void* _t304;
				signed int _t305;
				intOrPtr _t307;
				WCHAR* _t308;
				signed int _t311;
				void* _t312;
				void* _t313;
				void* _t314;
				void* _t315;

				_t290 = __edx;
				_t143 =  *0xdf8008; // 0x9fa9e963
				_v12 = _t143 ^ _t311;
				_t304 = __ecx;
				E00DCB108( &_v224);
				_t310 =  &_v224;
				_v68 = _v68 & 0x00000000;
				_v80 =  *((intOrPtr*)(__ecx + 0x10));
				_v16 =  &_v68;
				_t148 = E00DC66D8(__ebx,  &_v224, __edx, __ecx,  &_v224); // executed
				_t318 = _t148;
				if(_t148 == 0) {
					asm("sbb ecx, ecx");
					_t222 = 1;
					_t233 =  ~( *0xdf9f1d & 0x000000ff) & 0x00df9e40;
					__eflags = _t233;
					if(__eflags != 0) {
						_v28 = _t233;
						_v24 = 7;
						_v20 = _t222;
						_t218 = E00DC3993(_t233, __edx, _t233, _t222); // executed
						_v16 = _t218;
						_push(L"[ConfigManager::LoadGroupPolicies][Machine is not Enterprise Managed]");
						_push( &_v28);
						E00DC15DB();
					}
				} else {
					_t222 = 1;
					_v224 = 1;
				}
				_t149 = E00DC86B2(L"HKLM\\Software\\Policies\\Google\\Update\\", _t290, _t318); // executed
				if(_t149 != 0) {
					_v56 = _v56 & 0x00000000;
					_v60 = 0xdf41c0;
					_v52 = 0x200;
					_t150 = E00DC80D1( &_v60, _t290, __eflags, L"HKLM\\Software\\Policies\\Google\\Update\\", 0x20019); // executed
					__eflags = _t150;
					if(__eflags >= 0) {
						_v32 = _v32 & 0x00000000;
						_v223 = _t222;
						_t223 = L"HKLM\\Software\\Policies\\Google\\Update\\";
						_t152 = E00DC8249(L"HKLM\\Software\\Policies\\Google\\Update\\", L"CloudPolicyOverridesPlatformPolicy", __eflags, 4,  &_v32, 0); // executed
						_t313 = _t312 + 0xc;
						__eflags = _t152;
						if(__eflags >= 0) {
							__eflags = _v32;
							_t34 = _v32 != 0;
							__eflags = _t34;
							 *((char*)(_t304 + 0x20)) = _t152 & 0xffffff00 | _t34;
						}
						E00DCC521(L"AutoUpdateCheckPeriodMinutes",  &_v216, __eflags); // executed
						E00DCB289(L"DownloadPreference",  &_v208, __eflags); // executed
						E00DCC521(L"PackageCacheSizeLimit",  &_v200, __eflags); // executed
						E00DCC521(L"PackageCacheLifeLimit",  &_v192, __eflags); // executed
						E00DCC521(L"UpdatesSuppressedStartHour",  &_v184, __eflags); // executed
						E00DCC521(L"UpdatesSuppressedStartMin",  &_v176, __eflags); // executed
						E00DCC521(L"UpdatesSuppressedDurationMin",  &_v168, __eflags); // executed
						E00DCB289(L"ProxyMode",  &_v160, __eflags); // executed
						E00DCB289(L"ProxyServer",  &_v156, __eflags); // executed
						E00DCB289(L"ProxyPacUrl",  &_v152, __eflags); // executed
						_v32 = _v32 & 0x00000000;
						_t164 = E00DC8249(_t223, L"InstallDefault", __eflags, 4,  &_v32, 0); // executed
						_t314 = _t313 + 0xc;
						__eflags = _t164;
						if(__eflags >= 0) {
							_v148 = _v32;
						}
						_v32 = _v32 & 0x00000000;
						_t290 = L"UpdateDefault";
						_t166 = E00DC8249(_t223, L"UpdateDefault", __eflags, 4,  &_v32, 0); // executed
						_t315 = _t314 + 0xc;
						__eflags = _t166;
						if(_t166 >= 0) {
							_v144 = _v32;
						}
						_t167 = E00DC8BC5( &_v60);
						_t305 = 0;
						_v76 = _t167;
						_v32 = 0;
						__eflags = _t167;
						if(_t167 <= 0) {
							L52:
							_t222 = 0;
							__eflags = 0;
							L53:
							_v60 = 0xdf41c0;
							E00DC7F74( &_v60);
							L54:
							E00DCB7B4(_t222, _v80, _t290, _t310);
							E00DCB19C(_t222,  &_v224, _t290);
							return E00DCF35B(_v12 ^ _t311);
						} else {
							do {
								E00DC1AD8( &_v36, _t290, E00DC13D8());
								_v48 = _v48 & 0x00000000;
								_t177 = E00DC8BEA( &_v60, _t305, _t310, _t305,  &_v36,  &_v48); // executed
								__eflags = _t177;
								if(_t177 >= 0) {
									_t224 = E00DC689F( &_v36, 0x7b, 0);
									__eflags = _t224;
									if(_t224 <= 0) {
										goto L19;
									}
									_t310 = _v36;
									_push( *((intOrPtr*)(_t310 - 0xc)) - _t224);
									_push(_t224);
									E00DC6931(_t224,  &_v36, _t305, _t310,  &_v64);
									_t183 = 0;
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t307 = _v64;
									__eflags =  *((intOrPtr*)(_t307 - 0xc)) - 0x26;
									if( *((intOrPtr*)(_t307 - 0xc)) != 0x26) {
										L48:
										_t261 = _t307 - 0x10;
										L49:
										_t177 = E00DC13C0(_t183, _t261);
										_t305 = _v32;
										_t259 = _t310 - 0x10;
										goto L50;
									}
									_t183 =  &_v28;
									__imp__IIDFromString(_t307, _t183);
									__eflags = _t183;
									if(_t183 < 0) {
										goto L48;
									}
									_t183 = E00DE3EC9(0xdebd58,  &_v28, 0x10);
									_t315 = _t315 + 0xc;
									__eflags = _t183;
									if(_t183 == 0) {
										goto L48;
									}
									E00DC680B(_t224,  &_v36, _t290,  &_v72, _t224);
									_t308 = _v72;
									_t188 = _v48 - 1;
									__eflags = _t188;
									if(_t188 == 0) {
										E00DC1AD8( &_v44, _t290, E00DC13D8());
										_t192 = E00DC84EE( &_v60, _t290, _t310,  &_v44);
										__eflags = _t192;
										if(_t192 < 0) {
											L46:
											_t193 = E00DC13C0(_t192, _v44 - 0x10);
											L47:
											_t183 = E00DC13C0(_t193, _t308 - 0x10);
											_t261 = _v64 - 0x10;
											goto L49;
										}
										_t194 = lstrcmpiW(_t308, L"TargetChannel");
										__eflags = _t194;
										if(_t194 != 0) {
											_t192 = lstrcmpiW(_t308, L"TargetVersionPrefix");
											__eflags = _t192;
											if(_t192 != 0) {
												asm("sbb ecx, ecx");
												_t271 =  ~( *0xdf9f1d & 0x000000ff) & 0x00df9e40;
												__eflags = _t271;
												if(_t271 != 0) {
													_t120 =  &_v120;
													 *_t120 = _v120 | 0xffffffff;
													__eflags =  *_t120;
													_v128 = _t271;
													_v124 = 7;
													_t195 = E00DC3993(_t271, _t290, _t271, 0xffffffff);
													_push(_v44);
													_v116 = _t195;
													_t192 = E00DC15DB( &_v128, L"[ConfigManager::LoadGroupPolicies][Unexpected String policy prefix encountered][%s][%s]", _t310);
													_t315 = _t315 + 0x10;
												}
												goto L46;
											}
											_push( &_v44);
											_t119 =  &((E00DCC3B5( &_v140, _t290,  &_v28))[3]); // 0xc
											_t273 = _t119;
											L43:
											_t192 = E00DC4860(_t273, _t310);
											goto L46;
										}
										_push( &_v44);
										_t115 =  &((E00DCC3B5( &_v140, _t290,  &_v28))[2]); // 0x8
										_t273 = _t115;
										goto L43;
									}
									_t193 = _t188 == 3;
									__eflags = _t188 == 3;
									if(_t188 == 3) {
										_v40 = _v40 & 0x00000000;
										_t193 = E00DC8413( &_v60, _t310,  &_v40);
										__eflags = _t193;
										if(_t193 < 0) {
											goto L47;
										}
										_t204 = lstrcmpiW(_t308, L"Install");
										__eflags = _t204;
										if(_t204 != 0) {
											_t205 = lstrcmpiW(_t308, L"Update");
											__eflags = _t205;
											if(_t205 != 0) {
												_t193 = lstrcmpiW(_t308, L"RollbackToTargetVersion");
												__eflags = _t193;
												if(_t193 != 0) {
													asm("sbb ecx, ecx");
													_t278 =  ~( *0xdf9f1d & 0x000000ff) & 0x00df9e40;
													__eflags = _t278;
													if(_t278 == 0) {
														goto L47;
													}
													_t102 =  &_v104;
													 *_t102 = _v104 | 0xffffffff;
													__eflags =  *_t102;
													_v112 = _t278;
													_v108 = 7;
													_t206 = E00DC3993(_t278, _t290, _t278, 0xffffffff);
													_push(_v40);
													_v100 = _t206;
													_t207 =  &_v112;
													_push(_t310);
													_push(L"[ConfigManager::LoadGroupPolicies][Unexpected DWORD policy prefix encountered][%s][%d]");
													L37:
													_push(_t207);
													_t193 = E00DC15DB();
													_t315 = _t315 + 0x10;
													goto L47;
												}
												(E00DCC3B5( &_v140, _t290,  &_v28))[4] = _v40;
												goto L47;
											}
											(E00DCC3B5( &_v140, _t290,  &_v28))[1] = _v40;
											goto L47;
										}
										 *(E00DCC3B5( &_v140, _t290,  &_v28)) = _v40;
										goto L47;
									}
									asm("sbb ecx, ecx");
									_t284 =  ~( *0xdf9f1d & 0x000000ff) & 0x00df9e40;
									__eflags = _t284;
									if(_t284 == 0) {
										goto L47;
									}
									_v88 = _v88 | 0xffffffff;
									_v96 = _t284;
									_v92 = 7;
									_t211 = E00DC3993(_t284, _t290, _t284, 0xffffffff);
									_push(_v48);
									_v84 = _t211;
									_t207 =  &_v96;
									_push(_t310);
									_push(L"[ConfigManager::LoadGroupPolicies][Unexpected Type for policy prefix encountered][%s][%d]");
									goto L37;
								}
								L19:
								_t259 = _v36 + 0xfffffff0;
								L50:
								E00DC13C0(_t177, _t259);
								_t305 = _t305 + 1;
								_v32 = _t305;
								__eflags = _t305 - _v76;
							} while (_t305 < _v76);
							_t310 =  &_v224;
							goto L52;
						}
					}
					__eflags = _v224;
					if(_v224 != 0) {
						asm("int3");
					}
					_t222 = _t150;
					goto L53;
				}
				_v224 = _t149;
				asm("sbb ecx, ecx");
				_t287 =  ~( *0xdf9f1d & 0x000000ff) & 0x00df9e40;
				if(_t287 != 0) {
					_v28 = _t287;
					_v24 = 7;
					_v20 = _t222;
					_v16 = E00DC3993(_t287, _t290, _t287, _t222);
					E00DC15DB( &_v28, L"[ConfigManager::LoadGroupPolicies][No Group Policies found under key][%s]", L"HKLM\\Software\\Policies\\Google\\Update\\");
				}
				goto L54;
			}

0x00dcbc0b
0x00dcbc14
0x00dcbc1b
0x00dcbc21
0x00dcbc29
0x00dcbc31
0x00dcbc37
0x00dcbc3b
0x00dcbc41
0x00dcbc44
0x00dcbc49
0x00dcbc4b
0x00dcbc63
0x00dcbc65
0x00dcbc66
0x00dcbc66
0x00dcbc6c
0x00dcbc70
0x00dcbc73
0x00dcbc7a
0x00dcbc7d
0x00dcbc82
0x00dcbc88
0x00dcbc8d
0x00dcbc8e
0x00dcbc94
0x00dcbc4d
0x00dcbc4f
0x00dcbc50
0x00dcbc50
0x00dcbc9a
0x00dcbca1
0x00dcbcf2
0x00dcbd03
0x00dcbd0a
0x00dcbd11
0x00dcbd16
0x00dcbd18
0x00dcbd2b
0x00dcbd34
0x00dcbd40
0x00dcbd49
0x00dcbd4e
0x00dcbd51
0x00dcbd53
0x00dcbd55
0x00dcbd59
0x00dcbd59
0x00dcbd5c
0x00dcbd5c
0x00dcbd6a
0x00dcbd7a
0x00dcbd8a
0x00dcbd9a
0x00dcbdaa
0x00dcbdba
0x00dcbdca
0x00dcbdda
0x00dcbdea
0x00dcbdfa
0x00dcbdff
0x00dcbe12
0x00dcbe17
0x00dcbe1a
0x00dcbe1c
0x00dcbe21
0x00dcbe21
0x00dcbe27
0x00dcbe33
0x00dcbe3a
0x00dcbe3f
0x00dcbe42
0x00dcbe44
0x00dcbe49
0x00dcbe49
0x00dcbe52
0x00dcbe57
0x00dcbe59
0x00dcbe5c
0x00dcbe5f
0x00dcbe61
0x00dcc141
0x00dcc141
0x00dcc141
0x00dcc143
0x00dcc146
0x00dcc14d
0x00dcc152
0x00dcc156
0x00dcc161
0x00dcc176
0x00dcbe67
0x00dcbe67
0x00dcbe70
0x00dcbe75
0x00dcbe85
0x00dcbe8a
0x00dcbe8c
0x00dcbea5
0x00dcbea7
0x00dcbea9
0x00000000
0x00000000
0x00dcbeab
0x00dcbeb6
0x00dcbeb7
0x00dcbebc
0x00dcbec1
0x00dcbec6
0x00dcbec7
0x00dcbec8
0x00dcbec9
0x00dcbeca
0x00dcbecd
0x00dcbed1
0x00dcc11b
0x00dcc11b
0x00dcc11e
0x00dcc11e
0x00dcc123
0x00dcc126
0x00000000
0x00dcc126
0x00dcbed7
0x00dcbedc
0x00dcbee2
0x00dcbee4
0x00000000
0x00000000
0x00dcbef5
0x00dcbefa
0x00dcbefd
0x00dcbeff
0x00000000
0x00000000
0x00dcbf0d
0x00dcbf15
0x00dcbf18
0x00dcbf18
0x00dcbf1b
0x00dcc050
0x00dcc05d
0x00dcc062
0x00dcc064
0x00dcc100
0x00dcc106
0x00dcc10b
0x00dcc10e
0x00dcc116
0x00000000
0x00dcc116
0x00dcc070
0x00dcc076
0x00dcc078
0x00dcc098
0x00dcc09e
0x00dcc0a0
0x00dcc0c8
0x00dcc0ca
0x00dcc0ca
0x00dcc0d0
0x00dcc0d2
0x00dcc0d2
0x00dcc0d2
0x00dcc0d9
0x00dcc0dc
0x00dcc0e3
0x00dcc0e8
0x00dcc0eb
0x00dcc0f8
0x00dcc0fd
0x00dcc0fd
0x00000000
0x00dcc0d0
0x00dcc0a5
0x00dcc0b5
0x00dcc0b5
0x00dcc0b8
0x00dcc0b8
0x00000000
0x00dcc0b8
0x00dcc07d
0x00dcc08d
0x00dcc08d
0x00000000
0x00dcc08d
0x00dcbf21
0x00dcbf21
0x00dcbf24
0x00dcbf67
0x00dcbf73
0x00dcbf78
0x00dcbf7a
0x00000000
0x00000000
0x00dcbf86
0x00dcbf8c
0x00dcbf8e
0x00dcbfaf
0x00dcbfb5
0x00dcbfb7
0x00dcbfd9
0x00dcbfdf
0x00dcbfe1
0x00dcc006
0x00dcc008
0x00dcc008
0x00dcc00e
0x00000000
0x00000000
0x00dcc014
0x00dcc014
0x00dcc014
0x00dcc01b
0x00dcc01e
0x00dcc025
0x00dcc02a
0x00dcc02d
0x00dcc030
0x00dcc033
0x00dcc034
0x00dcc039
0x00dcc039
0x00dcc03a
0x00dcc03f
0x00000000
0x00dcc03f
0x00dcbff5
0x00000000
0x00dcbff5
0x00dcbfcb
0x00000000
0x00dcbfcb
0x00dcbfa2
0x00000000
0x00dcbfa2
0x00dcbf2f
0x00dcbf31
0x00dcbf31
0x00dcbf37
0x00000000
0x00000000
0x00dcbf3d
0x00dcbf44
0x00dcbf47
0x00dcbf4e
0x00dcbf53
0x00dcbf56
0x00dcbf59
0x00dcbf5c
0x00dcbf5d
0x00000000
0x00dcbf5d
0x00dcbe8e
0x00dcbe91
0x00dcc129
0x00dcc129
0x00dcc12e
0x00dcc12f
0x00dcc132
0x00dcc132
0x00dcc13b
0x00000000
0x00dcc13b
0x00dcbe61
0x00dcbd1a
0x00dcbd21
0x00dcbd23
0x00dcbd23
0x00dcbd24
0x00000000
0x00dcbd24
0x00dcbcac
0x00dcbcb2
0x00dcbcb4
0x00dcbcba
0x00dcbcc2
0x00dcbcc5
0x00dcbccc
0x00dcbcd9
0x00dcbce5
0x00dcbcea
0x00000000

APIs

IIDFromString.OLE32(?,?,?,00000000,?,0000007B,00000000,00000000,?,00000000,00000000), ref: 00DCBEDC
_memcmp.LIBVCRUNTIME ref: 00DCBEF5

Part of subcall function 00DC8413: SHQueryValueExW.SHLWAPI(00DC7F74,00000000,00000000,00000000,?,00000000,00DF41C0,00DF41C0,?,00DC8347,IsEnrolledToDomain,?,00000000,00000000,?,HKLM\Software\Google\UpdateDev\), ref: 00DC8436

lstrcmpiW.KERNEL32(?,Install,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DCBF86
lstrcmpiW.KERNEL32(?,Update,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00DCBFAF

Part of subcall function 00DCC3B5: _memcmp.LIBVCRUNTIME ref: 00DCC3D9

Strings

PackageCacheLifeLimit, xrefs: 00DCBD95
[ConfigManager::LoadGroupPolicies][Machine is not Enterprise Managed], xrefs: 00DCBC88
CloudPolicyOverridesPlatformPolicy, xrefs: 00DCBD3A
ProxyServer, xrefs: 00DCBDE5
HKLM\Software\Policies\Google\Update\, xrefs: 00DCBC95, 00DCBCD4, 00DCBCFE, 00DCBD40
TargetChannel, xrefs: 00DCC06A
Update, xrefs: 00DCBFA9
RollbackToTargetVersion, xrefs: 00DCBFD3
Install, xrefs: 00DCBF80
AutoUpdateCheckPeriodMinutes, xrefs: 00DCBD65
[ConfigManager::LoadGroupPolicies][No Group Policies found under key][%s], xrefs: 00DCBCDF
DownloadPreference, xrefs: 00DCBD75
UpdatesSuppressedStartMin, xrefs: 00DCBDB5
[ConfigManager::LoadGroupPolicies][Unexpected String policy prefix encountered][%s][%s], xrefs: 00DCC0F2
ProxyPacUrl, xrefs: 00DCBDF5
[ConfigManager::LoadGroupPolicies][Unexpected DWORD policy prefix encountered][%s][%d], xrefs: 00DCC034
UpdatesSuppressedDurationMin, xrefs: 00DCBDC5
UpdateDefault, xrefs: 00DCBE33
InstallDefault, xrefs: 00DCBE0B
ProxyMode, xrefs: 00DCBDD5
[ConfigManager::LoadGroupPolicies][Unexpected Type for policy prefix encountered][%s][%d], xrefs: 00DCBF5D
UpdatesSuppressedStartHour, xrefs: 00DCBDA5
PackageCacheSizeLimit, xrefs: 00DCBD85
TargetVersionPrefix, xrefs: 00DCC092

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: _memcmplstrcmpi$FromQueryStringValue
String ID: AutoUpdateCheckPeriodMinutes$CloudPolicyOverridesPlatformPolicy$DownloadPreference$HKLM\Software\Policies\Google\Update\$Install$InstallDefault$PackageCacheLifeLimit$PackageCacheSizeLimit$ProxyMode$ProxyPacUrl$ProxyServer$RollbackToTargetVersion$TargetChannel$TargetVersionPrefix$Update$UpdateDefault$UpdatesSuppressedDurationMin$UpdatesSuppressedStartHour$UpdatesSuppressedStartMin$[ConfigManager::LoadGroupPolicies][Machine is not Enterprise Managed]$[ConfigManager::LoadGroupPolicies][No Group Policies found under key][%s]$[ConfigManager::LoadGroupPolicies][Unexpected DWORD policy prefix encountered][%s][%d]$[ConfigManager::LoadGroupPolicies][Unexpected String policy prefix encountered][%s][%s]$[ConfigManager::LoadGroupPolicies][Unexpected Type for policy prefix encountered][%s][%d]
API String ID: 665591740-2910296779
Opcode ID: 2c0077aca821506744910066162804a1b635c56824c4e31496ec5b63a6ac332b
Instruction ID: dee12d7643a52a4e1897287d0f20e92c1021b6b4112fe9039265f0853e2c792b
Opcode Fuzzy Hash: 2c0077aca821506744910066162804a1b635c56824c4e31496ec5b63a6ac332b
Instruction Fuzzy Hash: CDE19171D1020A9ADB04EBA5DC92FFEB7B4EF04310F04812EE616A7281DB749A49CF70

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6621 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00DC6621(void* __ecx, void* __edx) {
				_Unknown_base(*)()* _v8;
				_Unknown_base(*)()* _v12;
				intOrPtr _t7;
				_Unknown_base(*)()* _t12;
				_Unknown_base(*)()* _t15;
				_Unknown_base(*)()* _t18;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t27;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t38;

				_push(__ecx);
				_push(__ecx);
				_t39 =  *0xdf8af8 - 0xffffffff;
				if( *0xdf8af8 != 0xffffffff) {
					L15:
					_t7 =  *0xdf8af8; // 0x0
					asm("sbb al, al");
					return  ~(_t7 - 1) + 1;
				}
				_v8 = 0;
				_t36 = E00DC6765(L"NetApi32.dll", __edx, _t39);
				if(_t36 != 0) {
					_t12 = GetProcAddress(_t36, "NetGetAadJoinInformation"); // executed
					__eflags = _t12;
					if(_t12 == 0) {
						FreeLibrary(_t36);
						_t27 = 0x80004005;
					} else {
						_t18 =  *_t12(0,  &_v8); // executed
						_v12 = _t18;
						_t11 = FreeLibrary(_t36);
						_t27 = _v12;
					}
					__eflags = _t27;
					if(__eflags >= 0) {
						__eflags = _v8;
						if(__eflags != 0) {
							__eflags = 1;
						}
					}
				} else {
					_t27 = 0x80004005;
				}
				asm("lock cmpxchg [edx], ebx");
				_t41 = _t27;
				if(_t27 >= 0) {
					_t22 = _v8;
					_t38 = E00DC6765(L"NetApi32.dll", 0xdf8af8, _t41);
					if(_t38 != 0) {
						_t15 = GetProcAddress(_t38, "NetFreeAadJoinInformation");
						if(_t15 != 0) {
							 *_t15(_t22);
						}
						FreeLibrary(_t38);
					}
				}
				goto L15;
			}

0x00dc6624
0x00dc6625
0x00dc6626
0x00dc662d
0x00dc66ca
0x00dc66ca
0x00dc66d2
0x00dc66d7
0x00dc66d7
0x00dc663d
0x00dc664b
0x00dc664f
0x00dc665e
0x00dc6664
0x00dc6666
0x00dc667b
0x00dc667d
0x00dc6668
0x00dc666d
0x00dc6670
0x00dc6673
0x00dc6675
0x00dc6675
0x00dc6682
0x00dc6684
0x00dc6686
0x00dc6689
0x00dc668d
0x00dc668d
0x00dc6689
0x00dc6651
0x00dc6651
0x00dc6651
0x00dc6696
0x00dc669a
0x00dc669c
0x00dc669e
0x00dc66ab
0x00dc66af
0x00dc66b7
0x00dc66bf
0x00dc66c2
0x00dc66c2
0x00dc66c5
0x00dc66c5
0x00dc66af
0x00000000

APIs

GetProcAddress.KERNELBASE(00000000,NetGetAadJoinInformation), ref: 00DC665E
FreeLibrary.KERNEL32(00000000,?,?,?,00DC675A,?,?,00000000), ref: 00DC6673
GetProcAddress.KERNEL32(00000000,NetFreeAadJoinInformation), ref: 00DC66B7
FreeLibrary.KERNEL32(00000000,?,?,?,00DC675A,?,?,00000000), ref: 00DC66C5

Strings

NetFreeAadJoinInformation, xrefs: 00DC66B1
NetGetAadJoinInformation, xrefs: 00DC6658
NetApi32.dll, xrefs: 00DC6637, 00DC66A1

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: NetApi32.dll$NetFreeAadJoinInformation$NetGetAadJoinInformation
API String ID: 3013587201-2909723663
Opcode ID: f479e19d475d0cf3c1b33925f9e9089820687863ad66265852a0213ad0ca7646
Instruction ID: 83350f4e250f934f6d29ecec24f9f93ad946bcd1dc67e7e65122ed4836505056
Opcode Fuzzy Hash: f479e19d475d0cf3c1b33925f9e9089820687863ad66265852a0213ad0ca7646
Instruction Fuzzy Hash: D0113130B4171BBB8B10ABB58C80E7FB768DF4031070202ADEA12EB290DE70CE0197B4

Uniqueness

Uniqueness Score: -1.00%

Function 00DC65A4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00DC65A4(void* __ecx) {
				char _v8;
				intOrPtr _t4;
				int _t8;
				_Unknown_base(*)()* _t10;
				void* _t11;
				void* _t13;
				void* _t19;
				struct HINSTANCE__* _t26;

				_push(__ecx);
				_t28 =  *0xdf8aa8 - 0xffffffff;
				if( *0xdf8aa8 == 0xffffffff) {
					_v8 = 0;
					_t8 = E00DC6765(L"MDMRegistration.dll", _t19, _t28); // executed
					_t26 = _t8;
					if(_t26 != 0) {
						_t10 = GetProcAddress(_t26, "IsDeviceRegisteredWithManagement");
						if(_t10 == 0) {
							_t8 = FreeLibrary(_t26);
							_t13 = 0x80004005;
						} else {
							_t11 =  *_t10( &_v8, 0, 0); // executed
							_t13 = _t11; // executed
							_t8 = FreeLibrary(_t26); // executed
						}
						if(_t13 >= 0 && _v8 != 0) {
						}
					}
					asm("lock cmpxchg [ecx], edi");
				}
				_t4 =  *0xdf8aa8; // 0x0
				asm("sbb al, al");
				return  ~(_t4 - 1) + 1;
			}

0x00dc65a7
0x00dc65a8
0x00dc65af
0x00dc65ba
0x00dc65bd
0x00dc65c2
0x00dc65c6
0x00dc65cf
0x00dc65d7
0x00dc65ed
0x00dc65f3
0x00dc65d9
0x00dc65df
0x00dc65e2
0x00dc65e4
0x00dc65e4
0x00dc65fb
0x00dc65fb
0x00dc65fb
0x00dc660d
0x00dc6612
0x00dc6613
0x00dc661b
0x00dc6620

APIs

GetProcAddress.KERNEL32(00000000,IsDeviceRegisteredWithManagement), ref: 00DC65CF
FreeLibrary.KERNELBASE(00000000,?,?,00DC6751,?,?,00000000), ref: 00DC65E4
FreeLibrary.KERNEL32(00000000,?,?,00DC6751,?,?,00000000), ref: 00DC65ED

Strings

IsDeviceRegisteredWithManagement, xrefs: 00DC65C9
MDMRegistration.dll, xrefs: 00DC65B5

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: FreeLibrary$AddressProc
String ID: IsDeviceRegisteredWithManagement$MDMRegistration.dll
API String ID: 1309337288-129496282
Opcode ID: 29d9069195283df440990950effdbc3e5fe38629dd1b88fdd2fcd760d40bdcaa
Instruction ID: bb56a9bac9a4d2b3fd3bf0cb32a0c8fb1334900f74fc1123b39d6a981c804689
Opcode Fuzzy Hash: 29d9069195283df440990950effdbc3e5fe38629dd1b88fdd2fcd760d40bdcaa
Instruction Fuzzy Hash: 5A012631641316AB9B215779AD88E6B77ACDBC2B24311036DE612D72C0DF70CD01D675

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2EB2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00DC2EB2() {
				void* _v8;
				int _v12;
				char _v16;
				int _v20;
				long _t14;
				long _t18;
				int* _t22;
				int _t24;

				_t22 = 0;
				_v8 = 0;
				_t14 = RegOpenKeyExW(0x80000002, L"Software\\Google\\UpdateDev\\", 0, 0x20019,  &_v8); // executed
				if(_t14 == 0) {
					_t24 = 4;
					_v16 = 0;
					_v20 = _t24;
					_v12 = _t24;
					_t18 = RegQueryValueExW(_v8, L"IsEnabledLogToFile", 0,  &_v12,  &_v16,  &_v20);
					RegCloseKey(_v8);
					if(_t18 == 0 && _v12 == _t24 && _v16 != 0) {
						_t22 = 1;
					}
					return _t22;
				}
				return 0;
			}

0x00dc2ebc
0x00dc2ecf
0x00dc2ed2
0x00dc2eda
0x00dc2ee4
0x00dc2ee8
0x00dc2eef
0x00dc2ef6
0x00dc2f03
0x00dc2f0e
0x00dc2f16
0x00dc2f22
0x00dc2f22
0x00000000
0x00dc2f27
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Google\UpdateDev\,00000000,00020019,00000000,?,00DC32A8,?,?,00000000,00DCB7E8,?,00000001,00000000), ref: 00DC2ED2
RegQueryValueExW.ADVAPI32(00000000,IsEnabledLogToFile,00000000,?,?,00DC32A8,?,?,?,00DC32A8,?,?,00000000,00DCB7E8,?,00000001), ref: 00DC2F03
RegCloseKey.ADVAPI32(00000000,?,?,00DC32A8,?,?,00000000,00DCB7E8,?,00000001,00000000), ref: 00DC2F0E

Strings

IsEnabledLogToFile, xrefs: 00DC2EFB
Software\Google\UpdateDev\, xrefs: 00DC2EC5

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: IsEnabledLogToFile$Software\Google\UpdateDev\
API String ID: 3677997916-1490309917
Opcode ID: 6357bebaf83217a1a973d584f7b794ea994ebe0d4718665c04d75bd9700c59be
Instruction ID: 93b9d5e53ef9861231e6a0ee64464533b049c4209c9feed7788a036eac34824b
Opcode Fuzzy Hash: 6357bebaf83217a1a973d584f7b794ea994ebe0d4718665c04d75bd9700c59be
Instruction Fuzzy Hash: AA014CB1D4024DBFDF229F959C85EEFBBBCEB45350F14406AE941A6241D6B08A04DA70

Uniqueness

Uniqueness Score: -1.00%

Function 00DC5CF9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00DC5CF9(WCHAR** __ecx) {
				signed int _t2;
				signed int _t3;
				struct HINSTANCE__* _t7;
				WCHAR** _t11;

				_t2 =  *0xdfa744;
				_t11 = __ecx;
				if((_t2 & 0x00000001) != 0) {
					_t3 =  *0xdfa740;
				} else {
					 *0xdfa744 = _t2 | 0x00000001;
					_t3 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "AddDllDirectory");
					 *0xdfa740 = _t3;
				}
				asm("sbb eax, eax");
				_t7 = LoadLibraryExW( *_t11, 0, ( ~_t3 & 0x000007f8) + 8); // executed
				return _t7;
			}

0x00dc5cf9
0x00dc5cff
0x00dc5d03
0x00dc5d2b
0x00dc5d05
0x00dc5d12
0x00dc5d1e
0x00dc5d24
0x00dc5d24
0x00dc5d32
0x00dc5d41
0x00dc5d48

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,AddDllDirectory,00DC6751,00DC67A2,MDMRegistration.dll,00000000,?,00000000,?,?,00DC6751,?,?,00000000), ref: 00DC5D17
GetProcAddress.KERNEL32(00000000), ref: 00DC5D1E
LoadLibraryExW.KERNELBASE(00000000,00000000,?,00DC6751,00DC67A2,MDMRegistration.dll,00000000,?,00000000,?,?,00DC6751,?,?,00000000), ref: 00DC5D41

Strings

AddDllDirectory, xrefs: 00DC5D05
kernel32.dll, xrefs: 00DC5D0D

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: AddDllDirectory$kernel32.dll
API String ID: 310444273-3973626626
Opcode ID: 35b15acc68623cf403a74fbb3ce1029a18675a77cd1e8347e4a0f382f2b860f0
Instruction ID: 6b51ec6627a512bec8b76d1a7aabab9201fa3627c53616ba1bd7f7f5deb3357f
Opcode Fuzzy Hash: 35b15acc68623cf403a74fbb3ce1029a18675a77cd1e8347e4a0f382f2b860f0
Instruction Fuzzy Hash: 57E092B2954303EFDB506F68FC4AE7137B4E714311B004814F905D7364C67CA8418B30

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4FA3 Relevance: 7.6, APIs: 5, Instructions: 79
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00DC4FA3(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				long _v12;
				struct HMENU__* _v16;
				intOrPtr _v20;
				void* _v32;
				void* __ebp;
				signed int _t18;
				long _t25;
				void* _t26;
				int _t31;
				void* _t33;
				union _TOKEN_INFORMATION_CLASS _t36;
				void* _t45;
				void* _t46;
				struct HMENU__* _t48;
				signed int _t49;
				void* _t50;

				_t45 = __edi;
				_t18 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t18 ^ _t49;
				_v20 = __ecx;
				if(_a4 == 0) {
					L13:
					__eflags = 0;
				} else {
					_t36 = 1;
					GetTokenInformation( *(__ecx + 4), 1, 0, 0,  &_v12); // executed
					if(GetLastError() != 0x7a) {
						goto L13;
					} else {
						_t25 = _v12;
						_t48 = 0;
						_v16 = 0;
						_t54 = _t25 - 0x400;
						if(_t25 > 0x400) {
							L5:
							_push(_t25);
							_t26 = L00DC4F66(_t36,  &_v16, _t45, _t48);
							_t48 = _v16;
							_t46 = _t26;
						} else {
							_t33 = E00DC4B82(_t25, _t54);
							_t25 = _v12;
							if(_t33 == 0) {
								goto L5;
							} else {
								E00DE3B80();
								_t46 = _t50;
							}
						}
						if(_t46 == 0) {
							L9:
							_t36 = 0;
						} else {
							_t31 = GetTokenInformation( *(_v20 + 4), _t36, _t46, _v12,  &_v12); // executed
							if(_t31 == 0) {
								goto L9;
							} else {
								E00DC4C42(_a4,  *_t46);
								L11:
								while(_t48 != 0) {
									_t48 = _t48->i;
									GetMenuState(_t48, ??, ??);
								}
								goto L14;
							}
						}
						goto L11;
					}
				}
				L14:
				return E00DCF35B(_v8 ^ _t49);
			}

0x00dc4fa3
0x00dc4fa9
0x00dc4fb0
0x00dc4fbc
0x00dc4fbf
0x00dc5057
0x00dc5057
0x00dc4fc5
0x00dc4fcf
0x00dc4fd4
0x00dc4fe3
0x00000000
0x00dc4fe5
0x00dc4fe5
0x00dc4fe8
0x00dc4fea
0x00dc4fed
0x00dc4ff2
0x00dc500b
0x00dc500b
0x00dc500f
0x00dc5014
0x00dc5017
0x00dc4ff4
0x00dc4ff6
0x00dc4ffd
0x00dc5000
0x00000000
0x00dc5002
0x00dc5002
0x00dc5007
0x00dc5007
0x00dc5000
0x00dc501b
0x00dc5042
0x00dc5042
0x00dc501d
0x00dc502c
0x00dc5034
0x00000000
0x00dc5036
0x00dc503b
0x00000000
0x00dc504f
0x00dc5047
0x00dc5049
0x00dc504e
0x00000000
0x00dc5053
0x00dc5034
0x00000000
0x00dc501b
0x00dc4fe3
0x00dc5059
0x00dc506a

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,00000000,00000000), ref: 00DC4FD4
GetLastError.KERNEL32 ref: 00DC4FDA
GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 00DC502C

Part of subcall function 00DC4B82: __alloca_probe_16.LIBCMT ref: 00DC4BA5

__alloca_probe_16.LIBCMT ref: 00DC5002
GetMenuState.USER32 ref: 00DC5049

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: InformationToken__alloca_probe_16$ErrorLastMenuState
String ID:
API String ID: 2569059214-0
Opcode ID: c527fc292e75bb8df34cba7cfdd2c6e0693cacbbc6ab3b6c1f3f23af4861438b
Instruction ID: e40fd06796ad035921fabc8ee737fd67996ab8af5d913e0f1d5266a32d378154
Opcode Fuzzy Hash: c527fc292e75bb8df34cba7cfdd2c6e0693cacbbc6ab3b6c1f3f23af4861438b
Instruction Fuzzy Hash: A1217131A00506AFDB10AB64D895FBEB7B8EF44350F54406DE406E7255DB30AE44EBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DCF00F Relevance: 7.6, APIs: 5, Instructions: 65
pipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00DCF00F(WCHAR** __ecx) {
				DWORD* _v8;
				long _v12;
				void* _t9;
				void* _t12;
				intOrPtr _t17;
				WCHAR* _t19;
				WCHAR** _t21;
				void* _t26;

				_t21 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t19 = __ecx;
				if(__ecx[5] >= 8) {
					_t19 =  *__ecx;
				}
				_t26 = _t21[6];
				if(_t26 == 0) {
					_v8 = 0;
					while(1) {
						_t9 = CreateFileW(_t19, 0x103, 0, 0, 3, 0x110000, 0); // executed
						_t26 = _t9;
						if(_t26 != 0xffffffff) {
							goto L10;
						}
						if(GetLastError() != 0xe7 || WaitNamedPipeW(_t19, 0x7d0) == 0) {
							L9:
							_t26 = 0;
						} else {
							_t17 = _v8 + 1;
							_v8 = _t17;
							if(_t17 < 2) {
								continue;
							} else {
								goto L9;
							}
						}
						goto L10;
					}
				} else {
					_t21[6] = 0;
				}
				L10:
				if(_t26 != 0) {
					_v12 = 2;
					if(SetNamedPipeHandleState(_t26,  &_v12, 0, 0) == 0) {
						CloseHandle(_t26);
						_t26 = 0;
					}
					_t12 = _t26;
				} else {
					_t12 = 0;
				}
				return _t12;
			}

0x00dcf00f
0x00dcf012
0x00dcf013
0x00dcf01b
0x00dcf01d
0x00dcf01f
0x00dcf01f
0x00dcf021
0x00dcf028
0x00dcf02f
0x00dcf032
0x00dcf042
0x00dcf048
0x00dcf04d
0x00000000
0x00000000
0x00dcf05a
0x00dcf078
0x00dcf078
0x00dcf06c
0x00dcf06f
0x00dcf070
0x00dcf076
0x00000000
0x00000000
0x00000000
0x00000000
0x00dcf076
0x00000000
0x00dcf05a
0x00dcf02a
0x00dcf02a
0x00dcf02a
0x00dcf07a
0x00dcf07c
0x00dcf087
0x00dcf098
0x00dcf09b
0x00dcf0a1
0x00dcf0a1
0x00dcf0a3
0x00dcf07e
0x00dcf07e
0x00dcf07e
0x00dcf0a9

APIs

CreateFileW.KERNELBASE(00000000,00000103,00000000,00000000,00000003,00110000,00000000,00000000,00000000,00000000,00000000,00000000,?,00DCE0E9,?,?), ref: 00DCF042
GetLastError.KERNEL32(?,00DCE0E9,?,?,?), ref: 00DCF04F
WaitNamedPipeW.KERNEL32(00000000,000007D0,?,00DCE0E9,?,?,?), ref: 00DCF062
SetNamedPipeHandleState.KERNEL32(00000000,00000000,00000000,00000000,?,00DCE0E9,?,?,?), ref: 00DCF090
CloseHandle.KERNEL32(00000000,?,00DCE0E9,?,?,?), ref: 00DCF09B

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: HandleNamedPipe$CloseCreateErrorFileLastStateWait
String ID:
API String ID: 1846735221-0
Opcode ID: d6236f75e4e13fd4a804eb2b6e02647bed7cd5d31ff1b7e1aa1787f6f2ee093f
Instruction ID: 0abc08a681346dfb5a5aae039820a28f0fabca22f67e8b0894d01fc6bb3481f2
Opcode Fuzzy Hash: d6236f75e4e13fd4a804eb2b6e02647bed7cd5d31ff1b7e1aa1787f6f2ee093f
Instruction Fuzzy Hash: 2411E771A00311ABC7209B25EC88F9B7AADEB85F55F20016DF941EB292D2718D41EAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00DC9179(void** __ecx, short* _a4) {
				int _v8;
				void* _v12;
				int _v16;
				void* __ebp;
				int _t15;
				void* _t17;
				int _t18;
				int _t21;
				int _t34;
				void* _t35;
				void** _t36;

				_t36 = __ecx; // executed
				_t15 = GetFileVersionInfoSizeW(_a4,  &_v16); // executed
				_t34 = _t15;
				_t37 = _t34;
				if(_t34 == 0) {
					L9:
					return 0;
				}
				_push(_t34);
				_t17 = E00DE3DB5(_t37);
				 *_t36 = _t17;
				if(_t17 == 0) {
					goto L9;
				}
				_t18 = GetFileVersionInfoW(_a4, _v16, _t34, _t17); // executed
				if(_t18 != 0) {
					_t35 = 0;
					_v8 = 0;
					_v12 = 0;
					_t21 = VerQueryValueW( *_t36, L"\\VarFileInfo\\Translation",  &_v12,  &_v8);
					__eflags = _t21;
					if(_t21 == 0) {
						L7:
						L00DCF9A7( *_t36);
						L8:
						_t36[1] = _t35;
						 *_t36 = _t35;
						goto L9;
					}
					__eflags = _v8;
					if(_v8 == 0) {
						goto L7;
					}
					_t36[1] = ( *_v12 & 0x0000ffff) << 0x00000010 |  *(_v12 + 2) & 0x0000ffff;
					return 1;
				}
				L00DCF9A7( *_t36);
				_t35 = 0;
				goto L8;
			}

0x00dc9188
0x00dc918a
0x00dc9190
0x00dc9192
0x00dc9194
0x00dc920a
0x00000000
0x00dc920a
0x00dc9196
0x00dc9197
0x00dc919c
0x00dc91a1
0x00000000
0x00000000
0x00dc91ab
0x00dc91b3
0x00dc91c3
0x00dc91c9
0x00dc91d4
0x00dc91d7
0x00dc91dd
0x00dc91df
0x00dc91fd
0x00dc91ff
0x00dc9204
0x00dc9204
0x00dc9207
0x00000000
0x00dc9209
0x00dc91e1
0x00dc91e4
0x00000000
0x00000000
0x00dc91f7
0x00000000
0x00dc91fa
0x00dc91b7
0x00dc91bc
0x00000000

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?,?,00000000), ref: 00DC918A
GetFileVersionInfoW.KERNELBASE(?,?,00000000,00000000,?,00000000), ref: 00DC91AB
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,00000000), ref: 00DC91D7

Strings

\VarFileInfo\Translation, xrefs: 00DC91CD

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID: \VarFileInfo\Translation
API String ID: 2179348866-675650646
Opcode ID: 961f42452867dea2b4b9141ca0b5bc5465347861ddca44cf4f8f99ec070d0941
Instruction ID: 1c0233043650c63ee5b46204c81fc01beaee8dbf3618e2074e9b1b9b2d0e507f
Opcode Fuzzy Hash: 961f42452867dea2b4b9141ca0b5bc5465347861ddca44cf4f8f99ec070d0941
Instruction Fuzzy Hash: 95113D75900246BFDB21AF65C859EAEFBF9EF84751764442EF891D7210EB318A00EB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DCC246 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00DCC246(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v520;
				void* _v524;
				char _v528;
				void* __ebp;
				signed int _t13;
				char* _t18;
				void** _t19;
				void* _t27;
				void* _t28;
				void* _t36;
				void* _t37;
				signed int _t39;

				_t36 = __esi;
				_t35 = __edi;
				_t28 = __ecx;
				_t13 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t13 ^ _t39;
				_t27 = 0;
				E00DD1190(__edi,  &_v520, 0, 0x200);
				_v528 = 0x100;
				_t18 =  &_v520;
				__imp__GetComputerNameExW(3, _t18,  &_v528); // executed
				if(_t18 == 0) {
					L3:
					_t19 =  &_v524;
					_v524 = _t27;
					__imp__NetWkstaGetInfo(_t27, 0x64, _t19, _t36); // executed
					_t37 = _v524;
					if(_t19 == 0 &&  *((intOrPtr*)(_t37 + 8)) != _t27 && E00DDEBB4(_t35, _t37,  *((intOrPtr*)(_t37 + 8)), L"google") == 0) {
						_t27 = 1;
					}
					NetApiBufferFree(_t37);
				} else {
					_push(_t28);
					if(E00DC7516( &_v520) == 0) {
						goto L3;
					} else {
					}
				}
				return E00DCF35B(_v8 ^ _t39);
			}

0x00dcc246
0x00dcc246
0x00dcc246
0x00dcc24f
0x00dcc256
0x00dcc25f
0x00dcc269
0x00dcc271
0x00dcc282
0x00dcc28b
0x00dcc293
0x00dcc2aa
0x00dcc2ab
0x00dcc2b1
0x00dcc2bb
0x00dcc2c1
0x00dcc2c9
0x00dcc2e3
0x00dcc2e3
0x00dcc2e6
0x00dcc295
0x00dcc295
0x00dcc2a4
0x00000000
0x00dcc2a6
0x00dcc2a6
0x00dcc2a4
0x00dcc2fb

APIs

GetComputerNameExW.KERNEL32(00000003,?,00000100,?,?,00000000), ref: 00DCC28B
NetWkstaGetInfo.NETAPI32(00000000,00000064,?), ref: 00DCC2BB
NetApiBufferFree.NETAPI32(?,?,?,00000000), ref: 00DCC2E6

Part of subcall function 00DC7516: lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,00DCC2A1,?,?,?,00000000), ref: 00DC7526
Part of subcall function 00DC7516: lstrlenW.KERNEL32(.google.com,?,00DCC2A1,?,?,?,00000000), ref: 00DC7532
Part of subcall function 00DC7516: CharLowerW.USER32(?,?,00DCC2A1,?,?,?,00000000), ref: 00DC755B
Part of subcall function 00DC7516: CharLowerW.USER32(76EC69A0,?,00DCC2A1,?,?,?,00000000), ref: 00DC7565

Strings

google, xrefs: 00DCC2D0

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CharLowerlstrlen$BufferComputerFreeInfoNameWksta
String ID: google
API String ID: 723138920-1696396625
Opcode ID: b2da8ffb6daf5a61f0a6530688ec38eaf3828a73f9ad1905ec87403d31ab6a63
Instruction ID: 1f0c5d45cc820594d2bb0d0d490ccb29300f6997e80c560254632ace81693dad
Opcode Fuzzy Hash: b2da8ffb6daf5a61f0a6530688ec38eaf3828a73f9ad1905ec87403d31ab6a63
Instruction Fuzzy Hash: 1F11587551031AAFDB20AF90DC89FEAB37CEB14305F1451AEE615E7291DA709E848E34

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8249 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00DC8249(void* __ecx, signed int __edx, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				int _v8;
				int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v28;
				void* _t42;
				signed short _t45;
				void* _t47;
				signed short _t48;
				signed short _t49;
				void* _t51;
				void* _t53;
				void* _t54;
				WCHAR* _t64;
				signed int _t78;
				signed short _t81;
				int _t83;

				_t78 = __edx;
				_t64 = __edx;
				_t81 = 0x80070003;
				E00DC189E( &_v8, __edx, __eflags, __ecx);
				_t42 = E00DC89EB( &_v8, __edx, __eflags);
				_t83 = _v8;
				if(_t42 == 0) {
					L19:
					_t40 = _t83 - 0x10; // -16
					E00DC13C0(_t42, _t40);
					return _t81;
				}
				_v24 = _v24 & 0x00000000;
				_v28 = 0xdf41c0;
				_v20 = 0x200;
				_t45 = E00DC806C( &_v28, _t42, _t83, _t78 | 0x00020019); // executed
				_t81 = _t45;
				if(_t81 != 0) {
					L18:
					_v28 = 0xdf41c0;
					_t42 = E00DC7F74( &_v28);
					goto L19;
				}
				_t47 = _a4 - 1;
				if(_t47 == 0) {
					_t48 = E00DC844C( &_v28, _t64, _a8); // executed
					L15:
					_t81 = _t48;
					L16:
					_t49 = E00DC7F74( &_v28);
					if(_t81 == 0) {
						_t81 = _t49;
					}
					goto L18;
				}
				_t51 = _t47;
				if(_t51 == 0) {
					_v16 = _v16 & 0x00000000;
					_t48 = E00DC839C( &_v28, _t64,  &_v16, _a8, _a12);
					goto L15;
				}
				_t53 = _t51 - 1;
				if(_t53 == 0) {
					_t48 = E00DC8413( &_v28, _t64, _a8); // executed
					goto L15;
				}
				_t54 = _t53 - 3;
				if(_t54 == 0) {
					_v8 = 0;
					_v16 = 0;
					_v12 = 0;
					_t81 = E00DC839C( &_v28, _t64,  &_v16,  &_v12,  &_v8);
					__eflags = _t81;
					if(_t81 < 0) {
						goto L16;
					}
					_t48 = E00DC8585(_v12, _v8, _a8);
					goto L15;
				} else {
					if(_t54 == 4) {
						_v8 = _v8 & 0x00000000;
						_v12 = 8;
						_t81 = SHQueryValueExW(_v24, _t64, 0,  &_v8, _a8,  &_v12);
						__eflags = _t81;
						if(_t81 > 0) {
							_t81 = _t81 & 0x0000ffff | 0x80070000;
						}
					} else {
						_t81 = 0x8007065d;
					}
					goto L16;
				}
			}

0x00dc8249
0x00dc8256
0x00dc8258
0x00dc825d
0x00dc8265
0x00dc826a
0x00dc826f
0x00dc838d
0x00dc838d
0x00dc8390
0x00dc839b
0x00dc839b
0x00dc8275
0x00dc8282
0x00dc828c
0x00dc8293
0x00dc8298
0x00dc829c
0x00dc837e
0x00dc8381
0x00dc8388
0x00000000
0x00dc8388
0x00dc82a5
0x00dc82a8
0x00dc8369
0x00dc836e
0x00dc836e
0x00dc8370
0x00dc8373
0x00dc837a
0x00dc837c
0x00dc837c
0x00000000
0x00dc837a
0x00dc82af
0x00dc82b2
0x00dc834c
0x00dc835b
0x00000000
0x00dc835b
0x00dc82b8
0x00dc82bb
0x00dc8342
0x00000000
0x00dc8342
0x00dc82bd
0x00dc82c0
0x00dc8309
0x00dc830c
0x00dc830f
0x00dc8324
0x00dc8326
0x00dc8328
0x00000000
0x00000000
0x00dc8333
0x00000000
0x00dc82c2
0x00dc82c5
0x00dc82d1
0x00dc82df
0x00dc82f3
0x00dc82f5
0x00dc82f7
0x00dc82fc
0x00dc82fc
0x00dc82c7
0x00dc82c7
0x00dc82c7
0x00000000
0x00dc82c5

APIs

Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKLM,00000000,?,?,00000000,?,00000000,00000000,80070003,?,IsEnrolledToDomain,?), ref: 00DC8A91
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE), ref: 00DC8A9D
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKCU), ref: 00DC8AA9
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKEY_CURRENT_USER), ref: 00DC8AB9
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKU), ref: 00DC8AC5
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKEY_USERS), ref: 00DC8AD1
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKCR), ref: 00DC8ADD
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKEY_CLASSES_ROOT), ref: 00DC8AE9
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKLM[64]), ref: 00DC8AF5
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE[64]), ref: 00DC8B01

Part of subcall function 00DC806C: RegOpenKeyExW.KERNELBASE(?,?,00000000,?,00000000,80070003,00000000,?,?,00DC8298,00000000,00000000,?,HKLM\Software\Google\UpdateDev\,?,?), ref: 00DC80A5

SHQueryValueExW.SHLWAPI(00000000,IsEnrolledToDomain,00000000,00000000,?,?,00000000,00000000,?,HKLM\Software\Google\UpdateDev\,?,?,00000000), ref: 00DC82ED

Strings

HKLM\Software\Google\UpdateDev\, xrefs: 00DC8252
IsEnrolledToDomain, xrefs: 00DC82E9, 00DC831E, 00DC8341, 00DC835A, 00DC8368

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: lstrcmpi$OpenQueryValue
String ID: HKLM\Software\Google\UpdateDev\$IsEnrolledToDomain
API String ID: 3769408223-3092002976
Opcode ID: 34b446103b6dc4230b072405451f2e1a0c27b2c1f2cdd1b9fb8dad62bc44c853
Instruction ID: 6f750a1e801a49c2aaed6bcc85c6357a35235eddeee34e7fd93a5d5969fb5226
Opcode Fuzzy Hash: 34b446103b6dc4230b072405451f2e1a0c27b2c1f2cdd1b9fb8dad62bc44c853
Instruction Fuzzy Hash: 29414A7680014BABDB01DBA4C955FEEBBB9EB40714F24415DE502E7251DF34DA09EBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC62F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00DC62F4(void* __ebx, signed char __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v528;
				char _v532;
				void* __ebp;
				signed int _t11;
				char* _t16;
				signed char _t31;
				signed int _t38;
				char* _t44;
				intOrPtr* _t49;
				signed int _t50;

				_t43 = __edx;
				_t11 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t11 ^ _t50;
				_t49 = __edx;
				_t31 = __ecx;
				E00DC18F9(__edx);
				E00DD1190(0,  &_v528, 0, 0x208);
				_t16 =  &_v528;
				__imp__SHGetFolderPathW(0, _t31, 0, 0, _t16); // executed
				if(_t16 >= 0) {
					_push(E00DD3694( &_v528));
					L00DC1A21(_t49, _t43,  &_v528);
					__eflags = 0;
					L10:
					return E00DCF35B(_v8 ^ _t50);
				}
				_t38 = _t31 & 0x000000ff;
				_t55 = _t38 - 0x26;
				if(_t38 != 0x26) {
					__eflags = _t38 - 0x1c;
					if(__eflags != 0) {
						L6:
						if( *((intOrPtr*)( *_t49 - 0xc)) == 0) {
						}
						goto L10;
					}
					_t44 = L"LocalAppData";
					L5:
					E00DC13C0(E00DC4860(_t49, _t49, E00DC6502( &_v532, _t44, _t55)), _v532 - 0x10);
					goto L6;
				}
				_t44 = L"ProgramFiles";
				goto L5;
			}

0x00dc62f4
0x00dc62fd
0x00dc6304
0x00dc6309
0x00dc630b
0x00dc6310
0x00dc6324
0x00dc632c
0x00dc6337
0x00dc6341
0x00dc639b
0x00dc63a5
0x00dc63aa
0x00dc63ac
0x00dc63ba
0x00dc63ba
0x00dc6343
0x00dc6346
0x00dc6349
0x00dc6352
0x00dc6355
0x00dc637d
0x00dc6383
0x00dc6383
0x00000000
0x00dc6383
0x00dc6357
0x00dc635c
0x00dc6378
0x00000000
0x00dc6378
0x00dc634b
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,00000000,0000001C,00DF8B40), ref: 00DC6337

Strings

LocalAppData, xrefs: 00DC6357
ProgramFiles, xrefs: 00DC634B

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: FolderPath
String ID: LocalAppData$ProgramFiles
API String ID: 1514166925-2363656367
Opcode ID: 37c9a263787ed457099d1f88f91709e5249aece1552ed7a4fc419dd4a2d1dbaf
Instruction ID: 9ebd180c0576d17793fc9d3107df4cf6bd5ed2bfc1da2433f90e4d5780a4eace
Opcode Fuzzy Hash: 37c9a263787ed457099d1f88f91709e5249aece1552ed7a4fc419dd4a2d1dbaf
Instruction Fuzzy Hash: 9B11D375A002596ACB14EB65CC99FBF73BCDBC5300F24446EF416C7282EA70DE458A70

Uniqueness

Uniqueness Score: -1.00%

Function 00DC872A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00DC872A(void* __ecx, signed int __edx, void* __eflags) {
				char _v8;
				intOrPtr _v12;
				int* _v16;
				char _v20;
				void* _t15;
				void* _t18;
				signed int _t20;
				int* _t22;
				signed int _t30;
				short* _t32;
				intOrPtr _t33;

				_t30 = __edx;
				_t32 = __edx;
				_t22 = 0;
				E00DC189E( &_v8, __edx, __eflags, __ecx);
				_t15 = E00DC89EB( &_v8, __edx, __eflags);
				_t33 = _v8;
				if(_t15 != 0) {
					_v20 = 0xdf41c0;
					_v16 = 0;
					_v12 = 0x200;
					_t18 = E00DC806C( &_v20, _t15, _t33, _t30 | 0x00020019); // executed
					if(_t18 == 0) {
						_t20 =  ~(RegQueryValueExW(_v16, _t32, 0, 0, 0, 0));
						asm("sbb al, al");
						_t10 = _t20 + 1; // 0x1
						_t22 = _t10;
						E00DC7F74( &_v20);
					}
					_v20 = 0xdf41c0;
					_t15 = E00DC7F74( &_v20);
				}
				E00DC13C0(_t15, _t33 - 0x10);
				return _t22;
			}

0x00dc872a
0x00dc8737
0x00dc8739
0x00dc873b
0x00dc8743
0x00dc8748
0x00dc874d
0x00dc8755
0x00dc8762
0x00dc8765
0x00dc876c
0x00dc8773
0x00dc8783
0x00dc8788
0x00dc878a
0x00dc878a
0x00dc878d
0x00dc878d
0x00dc8795
0x00dc879c
0x00dc879c
0x00dc87a4
0x00dc87af

APIs

Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKLM,00000000,?,?,00000000,?,00000000,00000000,80070003,?,IsEnrolledToDomain,?), ref: 00DC8A91
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE), ref: 00DC8A9D
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKCU), ref: 00DC8AA9
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKEY_CURRENT_USER), ref: 00DC8AB9
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKU), ref: 00DC8AC5
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKEY_USERS), ref: 00DC8AD1
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKCR), ref: 00DC8ADD
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKEY_CLASSES_ROOT), ref: 00DC8AE9
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKLM[64]), ref: 00DC8AF5
Part of subcall function 00DC89EB: lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE[64]), ref: 00DC8B01

Part of subcall function 00DC806C: RegOpenKeyExW.KERNELBASE(?,?,00000000,?,00000000,80070003,00000000,?,?,00DC8298,00000000,00000000,?,HKLM\Software\Google\UpdateDev\,?,?), ref: 00DC80A5

RegQueryValueExW.ADVAPI32(?,UsageStats,00000000,00000000,00000000,00000000,00000000,?,?,HKLM\Software\Google\UpdateDev\,?,00000000), ref: 00DC877D

Part of subcall function 00DC7F74: RegCloseKey.KERNELBASE(00DC7F74,00000000,00DC838D,00000000,00000000,?,HKLM\Software\Google\UpdateDev\,?,?,00000000), ref: 00DC7F81

Strings

UsageStats, xrefs: 00DC8779
HKLM\Software\Google\UpdateDev\, xrefs: 00DC8733

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: lstrcmpi$CloseOpenQueryValue
String ID: HKLM\Software\Google\UpdateDev\$UsageStats
API String ID: 1349724757-221515162
Opcode ID: 54a5e58bec8d2d5429735adac0274b8d998054faaa98554cad5a011447509080
Instruction ID: 00babfa559d0462fc46472912000683966fc1a2c5d05fd208634ee868826c49b
Opcode Fuzzy Hash: 54a5e58bec8d2d5429735adac0274b8d998054faaa98554cad5a011447509080
Instruction Fuzzy Hash: CB010C7590021AAEEB10EB95DC85EFFBB78EE51344B10466DA42263152DF705E09DA70

Uniqueness

Uniqueness Score: -1.00%

Function 00DCCCD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00DCCCD0(void* __eflags) {
				signed int _v8;
				void* __ecx;
				void* _t8;
				signed int _t13;

				_push(_t16);
				_v8 = _v8 & 0x00000000;
				_t19 = L"OemInstallTime";
				_t8 = E00DC8249(L"HKLM\\Software\\Google\\Update\\", L"OemInstallTime", __eflags, 4,  &_v8, 0); // executed
				if(_t8 >= 0) {
					_t13 = E00DE53BB(_t19, E00DE3B10(E00DC7495(L"HKLM\\Software\\Google\\Update\\"), L"OemInstallTime", 0x989680, 0) + 0x49ef6f00 - _v8);
					__eflags = _t13 - 0x3f480;
					_t6 = _t13 - 0x3f480 < 0;
					__eflags = _t6;
					return _t13 & 0xffffff00 | _t6;
				} else {
					return 0;
				}
			}

0x00dcccd4
0x00dcccd5
0x00dccce1
0x00dccceb
0x00dcccf5
0x00dccd17
0x00dccd1c
0x00dccd22
0x00dccd22
0x00dccd26
0x00dcccf7
0x00dcccfa
0x00dcccfa

APIs

__aulldiv.LIBCMT ref: 00DCCD09

Strings

OemInstallTime, xrefs: 00DCCCE1
HKLM\Software\Google\Update\, xrefs: 00DCCCE6

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: __aulldiv
String ID: HKLM\Software\Google\Update\$OemInstallTime
API String ID: 3732870572-1637396023
Opcode ID: 0c8e92d56fa6c6ce8129ccc4f2e883f924544a540d71e7366c5e859fe0c6d41f
Instruction ID: f33a38b938cbedd9a32ee9cb0f484a04c4ac48dac20dd4ca1cb83220a8a42ee7
Opcode Fuzzy Hash: 0c8e92d56fa6c6ce8129ccc4f2e883f924544a540d71e7366c5e859fe0c6d41f
Instruction Fuzzy Hash: 5DE065A2A1030976DE04A7A4DD07F7B729CC780789F104554FB05EB1C5E9A4EA005178

Uniqueness

Uniqueness Score: -1.00%

Function 00DD3E3B Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00DD3E3B(int _a4) {
				void* _t8;
				void* _t10;

				if(E00DD3E6C(_t8, _t10) != 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00DD3E8E(_a4);
				ExitProcess(_a4);
			}

0x00dd3e47
0x00dd3e53
0x00dd3e53
0x00dd3e5c
0x00dd3e65

APIs

GetCurrentProcess.KERNEL32(?,?,00DD3E35,00000022,00DD323C,?,?,9FA9E963,00DD323C,?), ref: 00DD3E4C
TerminateProcess.KERNEL32(00000000,?,00DD3E35,00000022,00DD323C,?,?,9FA9E963,00DD323C,?), ref: 00DD3E53
ExitProcess.KERNEL32 ref: 00DD3E65

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c6b3a1da04472b90ec43497543c5e643db178d85d8454a64915c5d264ef4ff2f
Instruction ID: 563db73e38810ce4321696511ba79aa046287473180e4809378348238fabc452
Opcode Fuzzy Hash: c6b3a1da04472b90ec43497543c5e643db178d85d8454a64915c5d264ef4ff2f
Instruction Fuzzy Hash: B1D09E35004344ABCF453F61DC4D9893F25EF413417045111B9098A3B1CB719A519BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA9ED Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00DCA9ED(char __ecx, intOrPtr __edx) {
				char _v5;
				WCHAR* _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t46;
				WCHAR* _t49;
				intOrPtr _t51;
				void* _t56;
				void* _t63;
				char _t66;
				char _t67;
				void* _t71;
				void* _t90;
				WCHAR* _t97;
				WCHAR* _t98;

				_t95 = __edx;
				_t66 = __ecx;
				_v28 = __edx;
				_v5 = __ecx;
				E00DCB8E6(__edx);
				_push(E00DC13D8());
				_t99 = _t66;
				if(_t66 == 0) {
					E00DC1AD8( &_v12, __edx);
					_push( &_v12);
					_push(1);
					_t46 = E00DC189E( &_v24, _t95, __eflags, L"Google\\CrashReports");
					_t96 = _t46;
					_t71 = 0x1c;
					E00DC13C0(E00DCB1E8(_t71, _t46, __eflags), _v24 - 0x10);
					_t97 = _v12;
					_t67 = 0;
					__eflags = 0;
					_t49 = _t97;
					_v24 = 0;
					_v20 = 2;
				} else {
					E00DC1AD8( &_v16, __edx);
					_push( &_v16);
					_push(1);
					_v24 = 1;
					_t63 = E00DC189E( &_v20, _t95, _t99, L"Google\\CrashReports");
					_t96 = _t63;
					_t90 = 0x26;
					E00DC13C0(E00DCB1E8(_t90, _t63, _t99), _v20 - 0x10);
					_t49 = _v16;
					_t67 = 0;
					_t97 = _v12;
					_v20 = 0;
				}
				_t20 = _t49 - 0x10; // 0xdc930a
				_t22 = E00DC1B55(_t20) + 0x10; // 0x10
				_t98 = _t22;
				_v12 = _t98;
				if(_v20 != 0) {
					_t24 = _t97 - 0x10; // -16
					_t50 = E00DC13C0(_t50, _t24);
				}
				if(_v24 != 0) {
					_t27 = _v16 - 0x10; // 0x57560cec
					E00DC13C0(_t50, _t27);
				}
				if(_v5 == 0) {
					L11:
					_t105 =  *((intOrPtr*)(_t98 - 0xc)) - _t67;
					if( *((intOrPtr*)(_t98 - 0xc)) != _t67) {
						goto L14;
					}
					goto L12;
				} else {
					_t103 =  *((intOrPtr*)(_t98 - 0xc)) - _t67;
					if( *((intOrPtr*)(_t98 - 0xc)) == _t67) {
						L12:
						_t51 = E00DC13C0(E00DC4860( &_v12, _t98, E00DC7940( &_v24, _t96, _t105)), _v24 - 0x10);
						_t98 = _v12;
						if( *((intOrPtr*)(_t98 - 0xc)) != _t67) {
							L14:
							_t51 = _v28;
							__eflags = _t51;
							if(_t51 != 0) {
								_t51 = E00DC4860(_t51, _t98,  &_v12);
							}
							L16:
							_t41 = _t98 - 0x10; // 0x0
							E00DC13C0(_t51, _t41);
							return _t67;
						}
						_t67 = 0x8004fffc;
						goto L16;
					}
					_t56 = E00DCA863(_t67,  &_v12, _t96, _t97, _t98, _t103); // executed
					_t98 = _v12;
					if(_t56 < 0) {
						RemoveDirectoryW(_t98);
					}
					goto L11;
				}
			}

0x00dca9ed
0x00dca9f5
0x00dca9f7
0x00dca9fb
0x00dca9fe
0x00dcaa08
0x00dcaa09
0x00dcaa0b
0x00dcaa54
0x00dcaa5c
0x00dcaa5d
0x00dcaa67
0x00dcaa6e
0x00dcaa70
0x00dcaa7e
0x00dcaa83
0x00dcaa86
0x00dcaa86
0x00dcaa88
0x00dcaa8a
0x00dcaa8d
0x00dcaa0d
0x00dcaa10
0x00dcaa18
0x00dcaa1f
0x00dcaa25
0x00dcaa28
0x00dcaa2f
0x00dcaa31
0x00dcaa3f
0x00dcaa44
0x00dcaa47
0x00dcaa49
0x00dcaa4c
0x00dcaa4c
0x00dcaa94
0x00dcaaa0
0x00dcaaa0
0x00dcaaa3
0x00dcaaa6
0x00dcaaa8
0x00dcaaab
0x00dcaaab
0x00dcaab4
0x00dcaab9
0x00dcaabc
0x00dcaabc
0x00dcaac5
0x00dcaae2
0x00dcaae2
0x00dcaae5
0x00000000
0x00000000
0x00000000
0x00dcaac7
0x00dcaac7
0x00dcaaca
0x00dcaae7
0x00dcaafe
0x00dcab03
0x00dcab09
0x00dcab12
0x00dcab12
0x00dcab15
0x00dcab17
0x00dcab1f
0x00dcab1f
0x00dcab24
0x00dcab24
0x00dcab27
0x00dcab32
0x00dcab32
0x00dcab0b
0x00000000
0x00dcab0b
0x00dcaacf
0x00dcaad4
0x00dcaad9
0x00dcaadc
0x00dcaadc
0x00000000
0x00dcaad9

APIs

Part of subcall function 00DC13D8: GetProcessHeap.KERNEL32(00DC3B5B,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC13E9

RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DCAADC

Part of subcall function 00DCB1E8: PathAppendW.SHLWAPI(?,|,00000000,00000000,?,00000000,0000001C,0000001C,?,00DCBA17,Google\Update,00000000,?,00000000,00000000,00000068), ref: 00DCB246

Strings

Google\CrashReports, xrefs: 00DCAA20, 00DCAA5F

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AppendDirectoryHeapPathProcessRemove
String ID: Google\CrashReports
API String ID: 2444485805-2544415761
Opcode ID: 2f0fbb455a74b0110a4a3c2cd195518a21b6216d3f1d94c1d6d9e2de1a41c12d
Instruction ID: b83bbe7c70af910a3872bf105f6dc94a03370b46dea95fdd13da45e09c211b60
Opcode Fuzzy Hash: 2f0fbb455a74b0110a4a3c2cd195518a21b6216d3f1d94c1d6d9e2de1a41c12d
Instruction Fuzzy Hash: ED414B34A0025B9BDB04EBA8C891FFEB7B5EF11318F54046DE101A7182EB74AE49CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB1E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00DCB1E8(signed int __ecx, char __edx, void* __eflags, char _a4, intOrPtr _a8) {
				WCHAR* _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t16;
				int _t21;
				void* _t41;
				char _t42;
				WCHAR* _t45;
				signed int _t48;
				WCHAR* _t50;
				void* _t52;

				_t52 = __eflags;
				_push(__ecx);
				_push(__ecx);
				_t24 = _a8;
				_push(_t41);
				_v12 = __edx;
				_t48 = __ecx;
				E00DC1AD8( &_v8, __edx, E00DC13D8());
				_t16 = E00DC62F4(_a8, _t48 | 0x00004000,  &_v8, _t41, _t48 | 0x00004000, _t52); // executed
				_t50 = _v8;
				_t42 = _t16;
				if(_t42 >= 0) {
					_t6 =  &_v12; // 0xec7ce0
					_t45 =  *( *_t6);
					if((1 -  *((intOrPtr*)(_t50 - 4)) |  *((intOrPtr*)(_t50 - 8)) - 0x00000104) < 0) {
						E00DC1BA8( &_v8, 0x104, 0x104);
						_t50 = _v8;
					}
					_t21 = PathAppendW(_t50, _t45);
					_t16 = E00DC48AE( &_v8, 0xffffffff);
					if(_t21 != 0) {
						_t16 = E00DC18D0(_t24, _t50);
						__eflags = _a4;
						if(__eflags != 0) {
							_t16 = E00DC61DA(_t50, 0x104, __eflags);
						}
						_t42 = 0;
						__eflags = 0;
					} else {
						_t42 = 0x80040709;
					}
				}
				E00DC13C0(_t16, _t50 - 0x10);
				return _t42;
			}

0x00dcb1e8
0x00dcb1eb
0x00dcb1ec
0x00dcb1ee
0x00dcb1f2
0x00dcb1f3
0x00dcb1f6
0x00dcb201
0x00dcb211
0x00dcb216
0x00dcb219
0x00dcb21d
0x00dcb21f
0x00dcb234
0x00dcb236
0x00dcb23c
0x00dcb241
0x00dcb241
0x00dcb246
0x00dcb253
0x00dcb25a
0x00dcb266
0x00dcb26b
0x00dcb26f
0x00dcb273
0x00dcb273
0x00dcb278
0x00dcb278
0x00dcb25c
0x00dcb25c
0x00dcb25c
0x00dcb25a
0x00dcb27d
0x00dcb288

APIs

Part of subcall function 00DC13D8: GetProcessHeap.KERNEL32(00DC3B5B,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC13E9

Part of subcall function 00DC62F4: SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,00000000,0000001C,00DF8B40), ref: 00DC6337

PathAppendW.SHLWAPI(?,|,00000000,00000000,?,00000000,0000001C,0000001C,?,00DCBA17,Google\Update,00000000,?,00000000,00000000,00000068), ref: 00DCB246

Part of subcall function 00DC61DA: PathCanonicalizeW.SHLWAPI(?,?,00000000,00000000,?,00DF8B40,00DF8B40), ref: 00DC6218

Strings

|, xrefs: 00DCB21F, 00DCB244

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Path$AppendCanonicalizeFolderHeapProcess
String ID: |
API String ID: 419238146-1049989498
Opcode ID: abaf50c0024174a55af06ed661ea58b2edd117f28cdd1efde80cbfead3c813aa
Instruction ID: aa78c58e494fb340379b8dd47dc12b31f9376cc8e67c6db97b6d2978434413c5
Opcode Fuzzy Hash: abaf50c0024174a55af06ed661ea58b2edd117f28cdd1efde80cbfead3c813aa
Instruction Fuzzy Hash: 87119876900115A7CF15EB69C852E9EF7A5DF85360F25016DE502A3241DF70EE018774

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3684 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00DC3684(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __eflags) {
				char _t18;
				signed int _t26;
				void* _t35;
				signed int _t38;
				void* _t40;

				_t35 = __edx;
				_t26 = __ecx;
				E00DCFE60(0xdf6410, 0x28);
				_t38 = _t26;
				 *((intOrPtr*)(_t40 - 0x30)) = _t38;
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				_t44 =  *((char*)(_t38 + 0x7a)) - 1;
				if( *((char*)(_t38 + 0x7a)) != 1) {
					__eflags =  *((char*)(_t38 + 0x50)) - 1;
					if( *((char*)(_t38 + 0x50)) != 1) {
						__eflags =  *((char*)(_t38 + 0x51));
						if( *((char*)(_t38 + 0x51)) != 0) {
							goto L9;
						} else {
							 *((char*)(_t38 + 0x51)) = 1;
							E00DC3298(_t38); // executed
							__eflags =  *((char*)(_t38 + 0x74));
							if( *((char*)(_t38 + 0x74)) != 0) {
								 *((char*)(_t38 + 0x50)) = E00DC35F5(_t38, _t35);
							}
							 *(_t40 - 4) = 0xfffffffe;
							 *((char*)(_t38 + 0x51)) = 0;
							goto L4;
						}
					} else {
						 *(_t40 - 4) = 0xfffffffe;
						L4:
						_t18 = 1;
					}
				} else {
					_push( *((intOrPtr*)(E00DC2FB1(__ebx, _t40 - 0x28, __edi, _t44))));
					_push(L"LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down \n");
					OutputDebugStringW(E00DC6CB8(_t44));
					E00DC1894(_t22, _t40 - 0x28);
					L9:
					 *(_t40 - 4) = 0xfffffffe;
					_t18 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0x10));
				return _t18;
			}

0x00dc3684
0x00dc3684
0x00dc368b
0x00dc3690
0x00dc3692
0x00dc3695
0x00dc3699
0x00dc369d
0x00dc36c9
0x00dc36cd
0x00dc36dd
0x00dc36e1
0x00000000
0x00dc36e7
0x00dc36e7
0x00dc36ed
0x00dc36f2
0x00dc36f6
0x00dc36ff
0x00dc36ff
0x00dc3702
0x00dc3709
0x00000000
0x00dc3709
0x00dc36cf
0x00dc36cf
0x00dc36d6
0x00dc36d6
0x00dc36d6
0x00dc369f
0x00dc36a7
0x00dc36a9
0x00dc36b6
0x00dc36bf
0x00dc376d
0x00dc376d
0x00dc3774
0x00dc3774
0x00dc3779
0x00dc3785

APIs

Part of subcall function 00DC6CB8: wvsprintfW.USER32(00000000,00000000,00000001), ref: 00DC6D50

OutputDebugStringW.KERNEL32(00000000,00DF6410,00000028,00DC37DC,?,00DC39A1,?,?,00000000,?,?,00DCB7E8,?,00000001,00000000), ref: 00DC36B6

Strings

LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down , xrefs: 00DC36A9

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputStringwvsprintf
String ID: LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down
API String ID: 1118214310-1171486310
Opcode ID: c4b9cf3664222d5f95aec9457d78da0b640786bdf07e2d24f20174ce0226914d
Instruction ID: b305910c2a3c395596b4ac18f1ea534dcfde4245c6da48b166e0f838735d76ea
Opcode Fuzzy Hash: c4b9cf3664222d5f95aec9457d78da0b640786bdf07e2d24f20174ce0226914d
Instruction Fuzzy Hash: 831125B190C79AAEDF21DB68C606BECBFA0EB01724F14424DE092176D2CBB196458731

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3786 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00DC3786(void* __ebx, void* __ecx, void* __edx) {
				char _v8;
				void* __edi;
				void* __ebp;
				void* _t11;
				void* _t13;
				void* _t34;
				intOrPtr* _t35;

				_push(__ecx);
				_t37 =  *((char*)(__ecx + 0x7a)) - 1;
				if( *((char*)(__ecx + 0x7a)) != 1) {
					__eflags =  *((char*)(__ecx + 0x50)) - 1;
					if(__eflags != 0) {
						_t35 = __ecx + 0x58;
						 *((intOrPtr*)( *_t35 + 4))(_t34, __ebx);
						_t11 = E00DC3684(__ebx, __ecx, __edx, __ecx, __eflags); // executed
						 *((intOrPtr*)( *_t35 + 8))();
						_t13 = _t11;
					} else {
						_t13 = 1;
					}
				} else {
					_push( *((intOrPtr*)(E00DC2FB1(__ebx,  &_v8, __ecx, _t37))));
					_push(L"LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down \n");
					OutputDebugStringW(E00DC6CB8(_t37));
					E00DC13C0(_v8, _v8 - 0x10);
					_t13 = 0;
				}
				return _t13;
			}

0x00dc3789
0x00dc378d
0x00dc3791
0x00dc37bf
0x00dc37c3
0x00dc37cb
0x00dc37d2
0x00dc37d7
0x00dc37e2
0x00dc37e6
0x00dc37c5
0x00dc37c5
0x00dc37c5
0x00dc3793
0x00dc379b
0x00dc379d
0x00dc37aa
0x00dc37b6
0x00dc37bb
0x00dc37bb
0x00dc37eb

APIs

Part of subcall function 00DC6CB8: wvsprintfW.USER32(00000000,00000000,00000001), ref: 00DC6D50

OutputDebugStringW.KERNEL32(00000000,?,?,?,00DC39A1,?,?,00000000,?,?,00DCB7E8,?,00000001,00000000,?), ref: 00DC37AA

Strings

LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down , xrefs: 00DC379D

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputStringwvsprintf
String ID: LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down
API String ID: 1118214310-1171486310
Opcode ID: c4d049f3e9df6e10f237db7bfe287187d9e847e5d68f8efd487add941bffe587
Instruction ID: f0b94a35744020d6e686e9529ea34b54d8624e60ba055fcf4a27e4174e5bc47b
Opcode Fuzzy Hash: c4d049f3e9df6e10f237db7bfe287187d9e847e5d68f8efd487add941bffe587
Instruction Fuzzy Hash: C9F028B5604152BFCF04AB28D946EE8F7E8EF56318714414EE44243381DBA6EE45DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC844C Relevance: 3.1, APIs: 2, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00DC844C(void* __ecx, WCHAR* _a4, void** _a8) {
				int _v8;
				int _v12;
				void* __ebp;
				signed short _t22;
				void* _t41;
				signed int _t42;
				void* _t45;
				signed short _t48;
				signed short _t53;

				_push(__ecx);
				_push(__ecx);
				_t45 = __ecx;
				_v8 = 0;
				_t5 = _t45 + 4; // 0xdc7f74
				_v12 = 0;
				_t22 = SHQueryValueExW( *_t5, _a4, 0,  &_v12, 0,  &_v8); // executed
				_t48 = _t22;
				if(_t48 > 0) {
					_t48 = _t48 & 0x0000ffff | 0x80070000;
					_t53 = _t48;
				}
				if(_t53 == 0) {
					_t42 = 2;
					_push( ~(0 | _t53 > 0x00000000) | ((_v8 >> 0x00000001) + 0x00000001) * _t42);
					_t41 = E00DE3DB5(_t53);
					 *_a8 = _t41;
					if(_t41 == 0) {
						_t48 = 0x8007000e;
					} else {
						if(_v8 == 0) {
							 *_t41 = 0;
						} else {
							_t19 = _t45 + 4; // 0xdc7f74
							_t48 = SHQueryValueExW( *_t19, _a4, 0,  &_v12, _t41,  &_v8);
							if(_t48 > 0) {
								_t48 = _t48 & 0x0000ffff | 0x80070000;
							}
						}
					}
				}
				return _t48;
			}

0x00dc844f
0x00dc8450
0x00dc8453
0x00dc8464
0x00dc8467
0x00dc846a
0x00dc846d
0x00dc8473
0x00dc8477
0x00dc847c
0x00dc8482
0x00dc8482
0x00dc8484
0x00dc8490
0x00dc849a
0x00dc84a1
0x00dc84a6
0x00dc84aa
0x00dc84e1
0x00dc84ac
0x00dc84b0
0x00dc84dc
0x00dc84b2
0x00dc84c0
0x00dc84c9
0x00dc84cd
0x00dc84d2
0x00dc84d2
0x00dc84cd
0x00dc84b0
0x00dc84aa
0x00dc84eb

APIs

SHQueryValueExW.SHLWAPI(00DC7F74,?,00000000,?,00000000,00000000,00000000,00000000,00DF41C0,00DF41C0,?,00DC836E,IsEnrolledToDomain,?,00000000,00000000), ref: 00DC846D
SHQueryValueExW.SHLWAPI(00DC7F74,?,00000000,?,00000000,00000000,?,00DC836E,IsEnrolledToDomain,?,00000000,00000000,?,HKLM\Software\Google\UpdateDev\,?,?), ref: 00DC84C3

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a9a84f36193caeb4f12444fb5c37cadd07d8724ae6f7bf2929866c2098044a7c
Instruction ID: 4477451d804fbcb17fd4ab23b7e2651472aaa8bd8fcf6739b0cf42a387272ccf
Opcode Fuzzy Hash: a9a84f36193caeb4f12444fb5c37cadd07d8724ae6f7bf2929866c2098044a7c
Instruction Fuzzy Hash: FE116377904216BBDB29CB58C905FAEB6A9EF04350F15416FFD41EB290EA70DE00D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC654E Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00DC654E(signed int __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _t9;

				if( *0xdf8aac != 0xffffffff) {
					L7:
					_t9 =  *0xdf8aac; // 0x0
					return _t9;
				} else {
					__imp__NetGetJoinInformation(0,  &_v12,  &_v8); // executed
					if(__eax == 0) {
						NetApiBufferFree(_v12);
						if(_v8 == 3) {
							_push(2);
						}
						asm("lock cmpxchg [edx], ecx");
						goto L7;
					} else {
						return __eax | 0xffffffff;
					}
				}
			}

0x00dc655a
0x00dc659d
0x00dc659d
0x00dc65a3
0x00dc655c
0x00dc6566
0x00dc656e
0x00dc6578
0x00dc6582
0x00dc6584
0x00dc6586
0x00dc6599
0x00000000
0x00dc6570
0x00dc6574
0x00dc6574
0x00dc656e

APIs

NetGetJoinInformation.NETAPI32(00000000,?,00DC6733,?,?,?,00DC6733,?,?,00000000), ref: 00DC6566
NetApiBufferFree.NETAPI32(?,?,?,?,00DC6733,?,?,00000000), ref: 00DC6578

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: BufferFreeInformationJoin
String ID:
API String ID: 3807213042-0
Opcode ID: 156eec5f854f892f6b8a8fd8cdb7a7bfb73f11dc3eaa767ca85c3a03c36cf2c1
Instruction ID: fb380bc71a480771b5154e52d832204a83061373c4b19dad289e35aa6ee68234
Opcode Fuzzy Hash: 156eec5f854f892f6b8a8fd8cdb7a7bfb73f11dc3eaa767ca85c3a03c36cf2c1
Instruction Fuzzy Hash: B0F0BE31924206EFDB08CB68EC05EA97774EB04325F20436DF1229A6D4EB70DA42EB30

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7A67 Relevance: 3.0, APIs: 2, Instructions: 23
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00DC7A67(struct _SECURITY_ATTRIBUTES* __edx) {
				intOrPtr* _t2;
				void* _t4;
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _t5;
				E00DC7A14();
				_t2 =  *0xdf9bbc;
				if(_t2 == 0) {
					return CreateMutexW(__edx, 0, _t7);
				}
				_t4 =  *_t2(__edx, _t7, 0, 0x100001); // executed
				return _t4;
			}

0x00dc7a6c
0x00dc7a6e
0x00dc7a73
0x00dc7a7a
0x00000000
0x00dc7a8d
0x00dc7a85
0x00000000

APIs

Part of subcall function 00DC7A14: GetModuleHandleW.KERNEL32(kernel32.dll,?,00DC7A73,?,00000000,?,00DCA032,00000000,?,?,?,00DCA653,?,00000000,?,?), ref: 00DC7A37
Part of subcall function 00DC7A14: GetProcAddress.KERNEL32(00000000,CreateMutexExW), ref: 00DC7A49
Part of subcall function 00DC7A14: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00DC7A5A

CreateMutexExW.KERNELBASE(?,?,00000000,00100001,?,00000000,?,00DCA032,00000000,?,?,?,00DCA653,?,00000000), ref: 00DC7A85
CreateMutexW.KERNEL32(?,00000000,?,?,00000000,?,00DCA032,00000000,?,?,?,00DCA653,?,00000000,?,?), ref: 00DC7A8D

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AddressCreateMutexProc$HandleModule
String ID:
API String ID: 56544078-0
Opcode ID: 642c68ef2d428d4e459760f53c32d56ce1ae288692b3296aff9a8c19ebc984e8
Instruction ID: 9e8e58be294db4fd4be258116d396fd9782c3a99064f53e569843a8acbc7ba76
Opcode Fuzzy Hash: 642c68ef2d428d4e459760f53c32d56ce1ae288692b3296aff9a8c19ebc984e8
Instruction Fuzzy Hash: 31D05E3130525276D734A62AAC49F9F9A6CDFC6B61F28016DB10AE72D0DA909A0185B8

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4D7D Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00DC4D7D(void* __ecx) {
				void* _t14;
				void* _t19;

				_t19 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) != 0) {
					if( *((intOrPtr*)(__ecx + 4)) != 0) {
						__imp__UnloadUserProfile( *((intOrPtr*)(__ecx + 4)),  *((intOrPtr*)(__ecx + 8)));
					}
					 *(_t19 + 8) =  *(_t19 + 8) & 0x00000000;
				}
				if( *(_t19 + 4) != 0) {
					FindCloseChangeNotification( *(_t19 + 4)); // executed
					 *(_t19 + 4) =  *(_t19 + 4) & 0x00000000;
				}
				_push(4);
				_t14 = E00DCF62D( *(_t19 + 0xc));
				 *(_t19 + 0xc) =  *(_t19 + 0xc) & 0x00000000;
				return _t14;
			}

0x00dc4d7e
0x00dc4d84
0x00dc4d8a
0x00dc4d92
0x00dc4d92
0x00dc4d98
0x00dc4d98
0x00dc4da0
0x00dc4da5
0x00dc4dab
0x00dc4dab
0x00dc4daf
0x00dc4db4
0x00dc4db9
0x00dc4dc0

APIs

UnloadUserProfile.USERENV(?,?,?,00DC4D70,?,00DC4EBA), ref: 00DC4D92
FindCloseChangeNotification.KERNELBASE(?,?,00DC4D70,?,00DC4EBA), ref: 00DC4DA5

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: ChangeCloseFindNotificationProfileUnloadUser
String ID:
API String ID: 122385185-0
Opcode ID: 5cb94c42b5cdb8d156339fa330bf6f6325668d9ed074f2486b2c1898b5d41be3
Instruction ID: 4cf326069b07818b57cde370493ff92d3d0504e406666c7b9ae1000da6512b69
Opcode Fuzzy Hash: 5cb94c42b5cdb8d156339fa330bf6f6325668d9ed074f2486b2c1898b5d41be3
Instruction Fuzzy Hash: E8F03931014B01CFE7766B00E909B52B7E0EF00B26F14C81DE4AB568B0C7B5A894CF24

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA863 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00DCA863(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v108;
				char _v204;
				char _v300;
				char _v301;
				signed int _v308;
				char _v340;
				void* __ebp;
				signed int _t29;
				void* _t35;
				signed short _t37;
				intOrPtr _t57;
				intOrPtr* _t69;
				signed char _t71;
				signed short _t72;
				signed short _t73;
				signed int _t75;
				void* _t80;

				_t80 = __eflags;
				_t67 = __edx;
				_t29 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t29 ^ _t75;
				_v308 = _v308 & 0x00000000;
				_t69 = __ecx;
				E00DC2870( &_v340);
				_push(0x12);
				E00DC24B7(__ebx, __edx, __ecx, __esi, _t80,  &_v300, 0xdf35c8, 1);
				_t50 = 1;
				_t71 = 3;
				_t35 = E00DC28ED( &_v340, _t80,  &_v300, 0x10000000, _t71);
				_t81 = _t35;
				if(_t35 == 0) {
					L3:
					_v301 = 1;
					L4:
					if((_t50 & 0x00000004) != 0) {
						_t35 = E00DC25A0(_t35,  &_v108);
					}
					if((_t50 & 0x00000002) != 0) {
						_t35 = E00DC25A0(_t35,  &_v204);
					}
					E00DC25A0(_t35,  &_v300);
					if(_v301 == 0) {
						_t37 = E00DC2712(_t50,  &_v340, _t69, _t71);
						_t57 =  *_t69;
						_t72 = _t37;
						__eflags =  *((intOrPtr*)(_t57 - 4)) - 1;
						if( *((intOrPtr*)(_t57 - 4)) > 1) {
							_t37 = E00DC1CAB(_t50, _t69, _t72,  *((intOrPtr*)(_t57 - 0xc)));
							_t57 =  *_t69;
						}
						__imp__SetNamedSecurityInfoW(_t57, 1, 0x80000004, 0, 0, _t72, 0); // executed
						_t73 = _t37;
						E00DC48AE(_t69, 0xffffffff);
						__eflags = _t73;
						if(__eflags == 0) {
							_t73 = 0;
						} else {
							if(__eflags > 0) {
								_t73 = _t73 & 0x0000ffff | 0x80070000;
							}
						}
					} else {
						_t73 = 0x8004fffb;
					}
					E00DC28B6( &_v340);
					return E00DCF35B(_v8 ^ _t75);
				}
				_push(0x220);
				_push(0x20);
				E00DC24B7(1, _t67, _t69, _t71, _t81,  &_v204, 0xdf35c8, 2);
				_t50 = _t71;
				_t35 = E00DC28ED( &_v340, _t81,  &_v204, 0x10000000, _t71);
				_t82 = _t35;
				if(_t35 == 0) {
					goto L3;
				}
				_push(0x221);
				_push(0x20);
				E00DC24B7(_t50, _t67, _t69, _t71, _t82,  &_v108, 0xdf35c8, 2);
				_t50 = 7;
				_t35 = E00DC28ED( &_v340, _t82,  &_v108, 0x20000, _t71);
				_v301 = 0;
				if(_t35 != 0) {
					goto L4;
				}
				goto L3;
			}

0x00dca863
0x00dca863
0x00dca86c
0x00dca873
0x00dca876
0x00dca880
0x00dca888
0x00dca88d
0x00dca89d
0x00dca8b3
0x00dca8b6
0x00dca8be
0x00dca8c3
0x00dca8c5
0x00dca93f
0x00dca93f
0x00dca946
0x00dca949
0x00dca94e
0x00dca94e
0x00dca956
0x00dca95e
0x00dca95e
0x00dca969
0x00dca975
0x00dca984
0x00dca989
0x00dca98b
0x00dca98d
0x00dca991
0x00dca998
0x00dca99d
0x00dca99d
0x00dca9ad
0x00dca9b7
0x00dca9b9
0x00dca9be
0x00dca9c0
0x00dca9cf
0x00dca9c2
0x00dca9c2
0x00dca9c7
0x00dca9c7
0x00dca9c2
0x00dca977
0x00dca977
0x00dca977
0x00dca9d7
0x00dca9ec
0x00dca9ec
0x00dca8c7
0x00dca8cc
0x00dca8dc
0x00dca8f0
0x00dca8f9
0x00dca8fe
0x00dca900
0x00000000
0x00000000
0x00dca902
0x00dca907
0x00dca914
0x00dca927
0x00dca92f
0x00dca934
0x00dca93d
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00DC24B7: GetSidLengthRequired.ADVAPI32(00000012,00000000,00000000,00000000,00000000,00000000,00000010,00000000), ref: 00DC2525
Part of subcall function 00DC24B7: InitializeSid.ADVAPI32(?,00000000,00000012,?,?,?,?,?,?,?,?,?,?,?,?,00DCA8A2), ref: 00DC2538
Part of subcall function 00DC24B7: GetSidSubAuthority.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00DCA8A2,?), ref: 00DC2559

SetNamedSecurityInfoW.ADVAPI32(?,00000001,80000004,00000000,00000000,00000000,00000000,?,10000000,00000003,?,00000000,00000010,00000000), ref: 00DCA9AD

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AuthorityInfoInitializeLengthNamedRequiredSecurity
String ID:
API String ID: 1879106642-0
Opcode ID: 5d21c2b70e6f37277a627a0e66d153cb0d8ae4211320784547656201035cf8aa
Instruction ID: b9d6d1a5494b2e9ef1a604e827e7a51bbbb4ec1871f1daf6a7b8c8a7182b9de6
Opcode Fuzzy Hash: 5d21c2b70e6f37277a627a0e66d153cb0d8ae4211320784547656201035cf8aa
Instruction Fuzzy Hash: EE41D731A0022DAADB24E6A8CC87FF97778DF14758F55009DF5056B2C1DE745E88CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8BEA Relevance: 1.5, APIs: 1, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00DC8BEA(void* __ecx, void* __edi, void* __esi, int _a4, intOrPtr _a8, int* _a12) {
				signed int _v8;
				short _v32776;
				int _v32780;
				void* __ebp;
				signed int _t13;
				signed short _t18;
				intOrPtr _t32;
				signed short _t35;
				signed int _t38;
				signed short _t40;

				E00DE3CD0();
				_t13 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t13 ^ _t38;
				_t32 = _a8;
				_v32780 = 0x4000;
				_t18 = RegEnumValueW( *(__ecx + 4), _a4,  &_v32776,  &_v32780, 0, _a12, 0, 0); // executed
				_t35 = _t18;
				if(_t35 == 0) {
					_push(E00DD3694( &_v32776));
					L00DC1A21(_t32, 0,  &_v32776);
					_t40 = _t35;
				}
				if(_t40 > 0) {
					_t35 = _t35 & 0x0000ffff | 0x80070000;
				}
				return E00DCF35B(_v8 ^ _t38);
			}

0x00dc8bf2
0x00dc8bf7
0x00dc8bfe
0x00dc8c08
0x00dc8c15
0x00dc8c2d
0x00dc8c33
0x00dc8c37
0x00dc8c46
0x00dc8c50
0x00dc8c55
0x00dc8c55
0x00dc8c57
0x00dc8c5c
0x00dc8c5c
0x00dc8c71

APIs

RegEnumValueW.KERNELBASE ref: 00DC8C2D

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: a2fc8393764c9376cb2b7a171ff67da1d844c71d515d04063c5968b02b95a257
Instruction ID: e5253120efe4eaea2b4cdff473cf395e8ef07dd988a832d280bf90f6f1efe833
Opcode Fuzzy Hash: a2fc8393764c9376cb2b7a171ff67da1d844c71d515d04063c5968b02b95a257
Instruction Fuzzy Hash: 5D015676900128ABDB51DB55CD45EAF77BCFB84714F04C069B949D7240CE30DE488BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8C99 Relevance: 1.5, APIs: 1, Instructions: 46
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00DC8C99(void* __ecx, void* __edx, void* __edi, void* __esi, int _a4, intOrPtr _a8) {
				signed int _v8;
				short _v520;
				int _v524;
				void* __ebp;
				signed int _t11;
				signed short _t16;
				void* _t23;
				void* _t28;
				intOrPtr _t30;
				signed short _t32;
				signed int _t34;
				signed short _t36;

				_t28 = __edx;
				_t23 = __ecx;
				_t11 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t11 ^ _t34;
				_t30 = _a8;
				_v524 = 0x100;
				_t7 = _t23 + 4; // 0xdc7f74, executed
				_t16 = RegEnumKeyExW( *_t7, _a4,  &_v520,  &_v524, 0, 0, 0, 0); // executed
				_t32 = _t16;
				if(_t32 == 0) {
					_push(E00DD3694( &_v520));
					L00DC1A21(_t30, _t28,  &_v520);
					_t36 = _t32;
				}
				if(_t36 > 0) {
					_t32 = _t32 & 0x0000ffff | 0x80070000;
				}
				return E00DCF35B(_v8 ^ _t34);
			}

0x00dc8c99
0x00dc8c99
0x00dc8ca2
0x00dc8ca9
0x00dc8cae
0x00dc8cbd
0x00dc8cd2
0x00dc8cd5
0x00dc8cdb
0x00dc8cdf
0x00dc8cee
0x00dc8cf8
0x00dc8cfd
0x00dc8cfd
0x00dc8cff
0x00dc8d04
0x00dc8d04
0x00dc8d19

APIs

RegEnumKeyExW.KERNELBASE ref: 00DC8CD5

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: ad05b2c3bfda316924d4c3221adfd34e79d2bdcf5090b66c6d66ca30da4e4e89
Instruction ID: cea51395a48c2b35985bba9ebcb75210a5750095ff8d5fac10aef9b17d9a9c75
Opcode Fuzzy Hash: ad05b2c3bfda316924d4c3221adfd34e79d2bdcf5090b66c6d66ca30da4e4e89
Instruction Fuzzy Hash: 0D0184B6900229ABDB11EB54CD09EBFB7BCEB05310F0441A6FC45E7241DE30DE458AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC806C Relevance: 1.5, APIs: 1, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00DC806C(intOrPtr* __ecx, void* _a4, short* _a8, int _a12) {
				void* _v8;
				int _t11;
				signed short _t12;
				intOrPtr* _t21;
				signed int _t25;
				intOrPtr _t28;
				signed short _t33;

				_push(__ecx);
				_t11 = _a12;
				_v8 = _v8 & 0x00000000;
				_t21 = __ecx;
				_t25 = _t11 & 0x00000100;
				if(_t25 == 0) {
					_t11 = _t11 | 0x00000200;
				}
				asm("sbb esi, esi");
				_t28 = ( ~_t25 & 0xffffff00) + 0x200;
				_t12 = RegOpenKeyExW(_a4, _a8, 0, _t11,  &_v8); // executed
				if(_t12 > 0) {
					_t12 = _t12 & 0x0000ffff | 0x80070000;
					_t33 = _t12;
				}
				if(_t33 == 0) {
					_t12 =  *((intOrPtr*)( *_t21 + 4))();
					 *((intOrPtr*)(_t21 + 4)) = _v8;
					 *((intOrPtr*)(_t21 + 8)) = _t28;
				}
				return _t12;
			}

0x00dc806f
0x00dc8070
0x00dc8073
0x00dc807b
0x00dc8082
0x00dc8088
0x00dc808a
0x00dc808a
0x00dc808e
0x00dc8096
0x00dc80a5
0x00dc80ad
0x00dc80b2
0x00dc80b7
0x00dc80b7
0x00dc80b9
0x00dc80bf
0x00dc80c5
0x00dc80c8
0x00dc80c8
0x00dc80ce

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,00000000,80070003,00000000,?,?,00DC8298,00000000,00000000,?,HKLM\Software\Google\UpdateDev\,?,?), ref: 00DC80A5

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 32669fb6df6765d33569b4e6d31193fc6f4fa20230371c2b4d64744113b473d9
Instruction ID: 261811bd065bca38e9b652dd9c25ca826d318b5048426ee861d8b32b261982d5
Opcode Fuzzy Hash: 32669fb6df6765d33569b4e6d31193fc6f4fa20230371c2b4d64744113b473d9
Instruction Fuzzy Hash: 73F0AF72A10515ABDB048B19DC40FBAB7A8EB44320F15822DFD15D7391DB70ED00A6A4

Uniqueness

Uniqueness Score: -1.00%

Function 00DD9696 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00DD9696(signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xdf9718, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00DD4BF4();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00DD3544())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00DD3A28(__eflags, _t19);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00dd969c
0x00dd96a1
0x00dd96af
0x00dd96af
0x00dd96b5
0x00dd96b7
0x00dd96b7
0x00dd96ce
0x00dd96d7
0x00dd96df
0x00000000
0x00000000
0x00dd96bf
0x00dd96c1
0x00dd96e3
0x00dd96e8
0x00dd96ee
0x00000000
0x00dd96ee
0x00dd96c4
0x00dd96ca
0x00dd96cc
0x00000000
0x00000000
0x00dd96cc
0x00000000
0x00dd96ce
0x00dd96a7
0x00dd96ad
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,00DD93F4,00000001,00000364,?,00000006,000000FF,?,00DD3549,00DD30CD), ref: 00DD96D7

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 808d725ccae79277814d27eb9ae2a84b86e3bd2f8139a67349dc088f36e4e9be
Instruction ID: cd11ec075cd6d7261b920b4ea43d567d4e1ac39d3ee3701e0096d625e346e269
Opcode Fuzzy Hash: 808d725ccae79277814d27eb9ae2a84b86e3bd2f8139a67349dc088f36e4e9be
Instruction Fuzzy Hash: 94F0E9316443246BDB216E72DC11F9AF798DF41B60B189113F804DA390CA32DD4187F5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8413 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00DC8413(void* __ecx, WCHAR* _a4, void* _a8) {
				int _v8;
				int _v12;
				signed short _t11;
				void* _t14;

				_t14 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_v12 = _v12 & 0x00000000;
				_v8 = 4;
				_t8 = _t14 + 4; // 0xdc7f74, executed
				_t11 = SHQueryValueExW( *_t8, _a4, 0,  &_v12, _a8,  &_v8); // executed
				if(_t11 > 0) {
					return _t11 & 0x0000ffff | 0x80070000;
				}
				return _t11;
			}

0x00dc8413
0x00dc8416
0x00dc8417
0x00dc8418
0x00dc8426
0x00dc8433
0x00dc8436
0x00dc843e
0x00000000
0x00dc8443
0x00dc8449

APIs

SHQueryValueExW.SHLWAPI(00DC7F74,00000000,00000000,00000000,?,00000000,00DF41C0,00DF41C0,?,00DC8347,IsEnrolledToDomain,?,00000000,00000000,?,HKLM\Software\Google\UpdateDev\), ref: 00DC8436

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fb98b69fdba4abe2cdc786315338528dfea8ef1afac806ee906030d722c8fbc9
Instruction ID: 490ce4cf46636fa2fe0671c9a241d7950fc483c54894c62ad54287c8001fefe9
Opcode Fuzzy Hash: fb98b69fdba4abe2cdc786315338528dfea8ef1afac806ee906030d722c8fbc9
Instruction Fuzzy Hash: 9DE04F7051020DBBEB01DF40CD06FEE7BBCEB00318F108059B504E5150D779DA049B74

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7F44 Relevance: 1.5, APIs: 1, Instructions: 17
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC7F44(void* __ecx, short* _a4) {
				signed short _t3;

				_t3 = RegDeleteValueW( *(__ecx + 4), _a4); // executed
				if(_t3 > 0) {
					_t3 = _t3 & 0x0000ffff | 0x80070000;
				}
				if(_t3 == 0x80070002 || _t3 == 0x80070003) {
					return 1;
				}
				return _t3;
			}

0x00dc7f4d
0x00dc7f55
0x00dc7f5a
0x00dc7f5a
0x00dc7f64
0x00000000
0x00dc7f6f
0x00dc7f71

APIs

RegDeleteValueW.KERNELBASE(?,00000001,?,00DC88B3,usagestats,00000000,?,?,00000001,?,00000001,?,{8A69D345-D564-463C-AFF1-A69D9E530F96},{8A69D345-D564-463C-AFF1-A69D9E530F96}), ref: 00DC7F4D

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DeleteValue
String ID:
API String ID: 1108222502-0
Opcode ID: ff7c676683e8212fcc90bd896b5e9f8a1e051ed9c43abfb5a61ff065963fe25f
Instruction ID: aa0edcfb5a5f9de61ffe88cef88b92d4fd3020371174346b13ebdc3331d630ad
Opcode Fuzzy Hash: ff7c676683e8212fcc90bd896b5e9f8a1e051ed9c43abfb5a61ff065963fe25f
Instruction Fuzzy Hash: 70D0A73104C10796CB516571CD83F357AD99F00220F28842EF00DCE231C51BC8A05EB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7F14 Relevance: 1.5, APIs: 1, Instructions: 17
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC7F14(void* __ecx, short* _a4) {
				signed short _t3;

				_t3 = RegDeleteKeyW( *(__ecx + 4), _a4); // executed
				if(_t3 > 0) {
					_t3 = _t3 & 0x0000ffff | 0x80070000;
				}
				if(_t3 == 0x80070002 || _t3 == 0x80070003) {
					return 1;
				}
				return _t3;
			}

0x00dc7f1d
0x00dc7f25
0x00dc7f2a
0x00dc7f2a
0x00dc7f34
0x00000000
0x00dc7f3f
0x00dc7f41

APIs

RegDeleteKeyW.ADVAPI32(?,000F003F), ref: 00DC7F1D

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: d3a8d09e94d80ac41ed4669292d44ec2b115cb877adb037870ccc456b1922b07
Instruction ID: c1ce81ade7673ad8d158b2c4775d8c69919b84902a905e5d598440a8f056e3cc
Opcode Fuzzy Hash: d3a8d09e94d80ac41ed4669292d44ec2b115cb877adb037870ccc456b1922b07
Instruction Fuzzy Hash: 8AD0A735158107A7CB1265719D82F353AD99F00620F28846EF04DCA131C12BC4905AF5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7F74 Relevance: 1.5, APIs: 1, Instructions: 15
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC7F74(void* __ecx) {
				signed short _t7;
				void* _t10;

				_t10 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) != 0) {
					_t2 = _t10 + 4; // 0xdc7f74, executed
					_t7 = RegCloseKey( *_t2); // executed
					if(_t7 > 0) {
						_t7 = _t7 & 0x0000ffff | 0x80070000;
					}
					 *(_t10 + 4) =  *(_t10 + 4) & 0x00000000;
					 *((intOrPtr*)(_t10 + 8)) = 0x200;
					return _t7;
				}
				return 0;
			}

0x00dc7f75
0x00dc7f7c
0x00dc7f7e
0x00dc7f81
0x00dc7f89
0x00dc7f8e
0x00dc7f8e
0x00dc7f93
0x00dc7f97
0x00000000
0x00dc7f97
0x00dc7f9f

APIs

RegCloseKey.KERNELBASE(00DC7F74,00000000,00DC838D,00000000,00000000,?,HKLM\Software\Google\UpdateDev\,?,?,00000000), ref: 00DC7F81

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 70ff8f7b1c0cd3892d34bcaf4faf92ecd957b64759b0bf925002f7b94b711afa
Instruction ID: 2d630939c7a0623e7cbad10c8ce0352125e965ad330a3618f2a649a8898060eb
Opcode Fuzzy Hash: 70ff8f7b1c0cd3892d34bcaf4faf92ecd957b64759b0bf925002f7b94b711afa
Instruction Fuzzy Hash: 81D05E314187228FD3205A21D94876372E66F00712F14CC6DA09AC6560C7B4D8408BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC483D Relevance: 1.3, APIs: 1, Instructions: 12
stringCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00DC483D(WCHAR** __ecx, void* __esi, WCHAR* _a4) {
				intOrPtr* _v4;
				void* __ebp;
				int _t16;
				intOrPtr* _t18;
				intOrPtr* _t21;
				intOrPtr _t24;
				intOrPtr* _t27;
				void* _t30;

				if(_a4 == 0) {
					_push(0x80004005);
					E00DC1185(__ecx);
					asm("int3");
					_t18 = __ecx;
					_t24 =  *_v4;
					_t27 =  *__ecx - 0x10;
					_t21 = _t24 - 0x10;
					if(_t21 != _t27) {
						if( *((intOrPtr*)(_t27 + 0xc)) < 0 ||  *_t21 !=  *_t27) {
							_push( *((intOrPtr*)(_t24 - 0xc)));
							L00DC1A21(_t18, _t24, _t24);
						} else {
							_t30 = E00DC1B55(_t21, __esi);
							E00DC13C0(_t13, _t27);
							_t6 = _t30 + 0x10; // 0x10
							 *_t18 = _t6;
						}
					}
					return _t18;
				} else {
					_t16 = lstrcmpiW( *__ecx, _a4); // executed
					return _t16;
				}
			}

0x00dc4844
0x00dc4855
0x00dc485a
0x00dc485f
0x00dc4867
0x00dc486a
0x00dc486e
0x00dc4871
0x00dc4876
0x00dc487c
0x00dc489b
0x00dc48a1
0x00dc4884
0x00dc488c
0x00dc488e
0x00dc4893
0x00dc4896
0x00dc4898
0x00dc487c
0x00dc48ab
0x00dc4846
0x00dc484b
0x00dc4852
0x00dc4852

APIs

lstrcmpiW.KERNEL32(00000000,00000000,?,00DC3003), ref: 00DC484B

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: b7901ba2843b2251e43d6d41060cabb4d3a9e94b6bf0c97538709fe9b828100b
Instruction ID: 3284d71759a233c4e8546776302551c0bffe927d0df33999f3e3b438996a4d19
Opcode Fuzzy Hash: b7901ba2843b2251e43d6d41060cabb4d3a9e94b6bf0c97538709fe9b828100b
Instruction Fuzzy Hash: E5C01275000248F7E7116F90DC08F943B59EB00314F14802CB71859871C6314460DA79

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DC9D31 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 178
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00DC9D31(intOrPtr __ecx, void* __edx, intOrPtr __edi, void* __eflags) {
				signed int _v8;
				void _v16;
				char _v32;
				short _v540;
				char _v544;
				void* _v548;
				intOrPtr _v552;
				signed int _v556;
				char _v560;
				char _v564;
				long _v568;
				intOrPtr _v572;
				signed int _v576;
				char _v580;
				void _v584;
				intOrPtr _v588;
				char _v592;
				void* _v596;
				intOrPtr _v600;
				char _v640;
				char _v644;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t66;
				void* _t68;
				intOrPtr _t72;
				int _t77;
				int _t82;
				int _t91;
				int _t98;
				int _t101;
				void* _t107;
				void* _t109;
				int _t115;
				void* _t127;
				long _t132;
				int _t133;
				void** _t142;
				void* _t152;
				void* _t159;
				int _t160;
				signed int _t162;
				void* _t164;

				_t156 = __edi;
				_t152 = __edx;
				_t66 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t66 ^ _t162;
				_v576 = _v576 & 0x00000000;
				_push(__edi);
				_v588 = __ecx;
				_v580 = 0xdf41c0;
				_v572 = 0x200;
				_t68 = E00DC80D1( &_v580, __edx, __eflags, L"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkCards", 0x20019);
				_t158 = _t68;
				if(_t68 < 0) {
					L18:
					_v580 = 0xdf41c0;
					E00DC7F74( &_v580);
					return E00DCF35B(_v8 ^ _t162);
				} else {
					_t72 = E00DC8C74( &_v580);
					_t115 = 0;
					_v600 = _t72;
					if(_t72 == 0) {
						L17:
						_t158 = 0;
						goto L18;
					} else {
						do {
							E00DC1AD8( &_v564, _t152, E00DC13D8());
							if(E00DC8C99( &_v580, _t152, _t156, _t158, _t115,  &_v564) >= 0) {
								_t156 = _v564;
								_v556 = _v556 & 0x00000000;
								_v560 = 0xdf41c0;
								_v552 = 0x200;
								_t77 = E00DC806C( &_v560, _v576, _t156, 0x20019);
								__eflags = _t77;
								if(_t77 < 0) {
									L15:
									_v560 = 0xdf41c0;
									_t76 = E00DC7F74( &_v560);
									_t127 = _t156 - 0x10;
									goto L16;
								} else {
									E00DC1AD8( &_v544, _t152, E00DC13D8());
									_t82 = E00DC84EE( &_v560, _t152, L"ServiceName",  &_v544);
									__eflags = _t82;
									if(_t82 < 0) {
										L14:
										E00DC13C0(_t82, _v544 - 0x10);
										goto L15;
									} else {
										E00DC9C43( &_v540, 0x104, 0x103, L"\\\\.\\%s", _v544);
										_t164 = _t164 + 0x14;
										_t158 = CreateFileW( &_v540, 0x80000000, 7, 0, 3, 0, 0);
										_v596 = _t158;
										__eflags = _t158 - 0xffffffff;
										if(_t158 != 0xffffffff) {
											_t132 = 6;
											_v584 = 0x1010101;
											_v568 = _t132;
											_t91 = DeviceIoControl(_t158, 0x170002,  &_v584, 4,  &_v16, _t132,  &_v568, 0);
											__eflags = _t91;
											if(_t91 == 0) {
												L12:
												E00DC7ED7();
												_t82 = CloseHandle(_t158);
												goto L13;
											} else {
												__eflags = _v568 - 6;
												if(_v568 != 6) {
													goto L12;
												} else {
													_t133 = E00DC13D8();
													__eflags = _t133;
													if(_t133 == 0) {
														_push(0x80004005);
														E00DC1185(_t133);
														asm("int3");
														_push(_t162);
														_push(_t115);
														_push(_t158);
														_t159 = _t152;
														E00DC5CB4( &_v644, __eflags);
														E00DC6162(L"{D19BAF17-7C87-467E-8D63-6C4B1C836373}", _t133, __eflags,  &_v644);
														_t98 = E00DC7A67( &_v640);
														 *(_t159 + 4) = _t98;
														__eflags = _t98;
														if(_t98 != 0) {
															L23:
															_t160 = 0;
															__eflags = 0;
														} else {
															_t101 = E00DC7A67(0);
															 *(_t159 + 4) = _t101;
															__eflags = _t101;
															if(_t101 != 0) {
																goto L23;
															} else {
																_t160 = E00DC7ED7();
															}
														}
														E00DC5CDD( &_v32, __eflags);
														return _t160;
													} else {
														_v548 =  *((intOrPtr*)( *_t133 + 0xc))() + 0x10;
														E00DC725E( &_v548);
														_t107 = E00DC7222(_t115,  &_v548, 9);
														_t142 =  &_v548;
														E00DC72FB(_t115, _t142, 9);
														_push(_t142);
														_push(_t142);
														_t109 = E00DC75DD( &_v16, _t107, 9);
														_t164 = _t164 + 0x10;
														E00DC77DC( &_v548, _t109);
														_t158 = _v548;
														_t152 = _v548;
														E00DC13C0(E00DC13C0(E00DC51B3(_v588, E00DC74C5( &_v592, _t152,  *((intOrPtr*)(_v548 - 0xc)))), _v592 - 0x10), _t158 - 0x10);
														_t82 = CloseHandle(_v596);
														L13:
														goto L14;
													}
												}
											}
										} else {
											_t82 = E00DC7ED7();
											goto L14;
										}
									}
								}
							} else {
								_t127 = _v564 + 0xfffffff0;
								goto L16;
							}
							goto L25;
							L16:
							E00DC13C0(_t76, _t127);
							_t115 = _t115 + 1;
						} while (_t115 < _v600);
						goto L17;
					}
				}
				L25:
			}

0x00dc9d31
0x00dc9d31
0x00dc9d3a
0x00dc9d41
0x00dc9d44
0x00dc9d4d
0x00dc9d53
0x00dc9d64
0x00dc9d6e
0x00dc9d78
0x00dc9d7d
0x00dc9d81
0x00dc9fd1
0x00dc9fd7
0x00dc9fe1
0x00dc9ff6
0x00dc9d87
0x00dc9d8d
0x00dc9d92
0x00dc9d94
0x00dc9d9c
0x00dc9fcf
0x00dc9fcf
0x00000000
0x00dc9da2
0x00dc9da2
0x00dc9dae
0x00dc9dc8
0x00dc9dd8
0x00dc9de4
0x00dc9df7
0x00dc9e01
0x00dc9e0b
0x00dc9e10
0x00dc9e12
0x00dc9fa5
0x00dc9fab
0x00dc9fb5
0x00dc9fba
0x00000000
0x00dc9e18
0x00dc9e24
0x00dc9e3b
0x00dc9e40
0x00dc9e42
0x00dc9f97
0x00dc9fa0
0x00000000
0x00dc9e48
0x00dc9e64
0x00dc9e69
0x00dc9e88
0x00dc9e8a
0x00dc9e90
0x00dc9e93
0x00dc9ea1
0x00dc9eaa
0x00dc9eb9
0x00dc9ecf
0x00dc9ed5
0x00dc9ed7
0x00dc9f8b
0x00dc9f8b
0x00dc9f91
0x00000000
0x00dc9edd
0x00dc9edd
0x00dc9ee4
0x00000000
0x00dc9eea
0x00dc9eef
0x00dc9ef1
0x00dc9ef3
0x00dc9ff7
0x00dc9ffc
0x00dca001
0x00dca002
0x00dca008
0x00dca00e
0x00dca00f
0x00dca011
0x00dca021
0x00dca02d
0x00dca032
0x00dca035
0x00dca037
0x00dca053
0x00dca053
0x00dca053
0x00dca039
0x00dca03e
0x00dca043
0x00dca046
0x00dca048
0x00000000
0x00dca04a
0x00dca04f
0x00dca04f
0x00dca048
0x00dca058
0x00dca062
0x00dc9ef9
0x00dc9f07
0x00dc9f0d
0x00dc9f1a
0x00dc9f21
0x00dc9f29
0x00dc9f2e
0x00dc9f2f
0x00dc9f36
0x00dc9f3b
0x00dc9f45
0x00dc9f4a
0x00dc9f56
0x00dc9f7e
0x00dc9f91
0x00dc9f91
0x00000000
0x00dc9f91
0x00dc9ef3
0x00dc9ee4
0x00dc9e95
0x00dc9e95
0x00000000
0x00dc9e95
0x00dc9e93
0x00dc9e42
0x00dc9dca
0x00dc9dd0
0x00000000
0x00dc9dd0
0x00000000
0x00dc9fbd
0x00dc9fbd
0x00dc9fc2
0x00dc9fc3
0x00000000
0x00dc9da2
0x00dc9d9c
0x00000000

APIs

Part of subcall function 00DC8C74: RegQueryInfoKeyW.ADVAPI32(00DC7F74,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00DF41C0,?,00DCC1D9,HKLM\Software\Google\Update\ClientState\), ref: 00DC8C8E

Part of subcall function 00DC13D8: GetProcessHeap.KERNEL32(00DC3B5B,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC13E9

Part of subcall function 00DC8C99: RegEnumKeyExW.KERNELBASE ref: 00DC8CD5

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards,00020019,00000000,HKLM\Software\Google\Update\), ref: 00DC9E82

Strings

ServiceName, xrefs: 00DC9E30
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards, xrefs: 00DC9D5F
\\.\%s, xrefs: 00DC9E54
HKLM\Software\Google\Update\, xrefs: 00DC9D4C

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CreateEnumFileHeapInfoProcessQuery
String ID: HKLM\Software\Google\Update\$HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards$ServiceName$\\.\%s
API String ID: 708949789-1625122553
Opcode ID: 7f75238f57315c932f85423a33f8ec08273e44f86de65c163390543897b21709
Instruction ID: 4fa730925604e828c16d964b7bac2331f2b7710be830a7eeba22be61470e065b
Opcode Fuzzy Hash: 7f75238f57315c932f85423a33f8ec08273e44f86de65c163390543897b21709
Instruction Fuzzy Hash: 12612B7590122AAADB24EB60DC99FEDB778EF14304F1041DCE619A7182DB746E88CF70

Uniqueness

Uniqueness Score: -1.00%

Function 00DC41A3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00DC41A3(void* __ebx, long __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				void _v44;
				char _v140;
				struct _OVERLAPPED* _v144;
				long _v152;
				char _v156;
				WCHAR** _v160;
				char _v192;
				void* __ebp;
				signed int _t45;
				void* _t53;
				signed char _t58;
				int _t63;
				signed char _t72;
				long _t74;
				long _t75;
				long _t84;
				signed int _t90;
				char* _t98;
				WCHAR** _t114;
				signed int _t116;

				_t45 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t45 ^ _t116;
				_t84 = __ecx;
				_v152 = __ecx;
				_t114 = __ecx + 0x14;
				_v156 = 0;
				_v144 = 0;
				_v160 = _t114;
				E00DC5138( *_t114,  &_v144, __edi, _t114);
				_t122 = _v144 -  *((intOrPtr*)(__ecx + 4));
				if(_v144 >  *((intOrPtr*)(__ecx + 4))) {
					E00DC43CE(__ecx, _t122);
				}
				_t53 = CreateFileW( *_t114, 0x40000000, 3, 0, 2 + (0 |  *((intOrPtr*)(_t84 + 0xa)) != 0x00000000) * 2, 0x80, 0);
				 *(_t84 + 0x18) = _t53;
				if(_t53 != 0xffffffff) {
					_t107 = _t114;
					E00DC7C6B( &_v144, _t114, __eflags);
					_t115 = _v144;
					_t90 = 9;
					memset( &_v44, 0, _t90 << 2);
					_t58 = GetFileAttributesExW(_v144, 0,  &_v44);
					__eflags = _t58;
					if(_t58 != 0) {
						__eflags = _v44 >> 0x0000000a & 0x00000001;
						if(__eflags != 0) {
							L6:
							_push( *((intOrPtr*)(_t84 + 0x14)));
							_push( *((intOrPtr*)(_t84 + 0x1c)));
							_push(L"LOG_SYSTEM: [%s]: ERROR - Log path %s has a reparse point");
							OutputDebugStringW(E00DC6CB8(__eflags));
							_t63 = CloseHandle( *(_t84 + 0x18));
							 *(_t84 + 0x18) = 0;
							L7:
							E00DC13C0(_t63, _t115 - 0x10);
							goto L8;
						}
						__eflags = E00DC2E47( *(_t84 + 0x18), 0, _t115);
						if(__eflags != 0) {
							goto L6;
						}
						E00DC2870( &_v192);
						_push(0x221);
						_push(0x20);
						E00DC24B7(_t84, _t107, 0, _t115, __eflags,  &_v140, 0xdf35c8, 2);
						_t72 = E00DC28ED( &_v192, __eflags,  &_v140, 0xc0010000, 0);
						_t98 =  &_v140;
						E00DC25A0(_t72, _t98);
						__eflags = _t72;
						if(_t72 != 0) {
							_push(_t98);
							E00DC2E0E( *_v160,  &_v192);
						}
						_t74 = GetLastError();
						__eflags = _t74 - 0xb7;
						if(_t74 != 0xb7) {
							_t75 = _v152;
							__eflags =  *((char*)(_t75 + 0xb));
							if( *((char*)(_t75 + 0xb)) != 0) {
								__eflags = 0;
								_v152 = 0;
								WriteFile( *(_t75 + 0x18), 0xdf25dc, 2,  &_v152, 0);
							}
						}
						_v156 = 1;
						_t63 = E00DC28B6( &_v192);
						goto L7;
					}
					E00DC7ED7();
					goto L6;
				} else {
					 *(_t84 + 0x18) = 0;
					L8:
					return E00DCF35B(_v8 ^ _t116);
				}
			}

0x00dc41ac
0x00dc41b3
0x00dc41b7
0x00dc41c2
0x00dc41c9
0x00dc41cc
0x00dc41d4
0x00dc41da
0x00dc41e0
0x00dc41eb
0x00dc41ee
0x00dc41f2
0x00dc41f2
0x00dc4219
0x00dc421f
0x00dc4225
0x00dc4230
0x00dc4238
0x00dc423d
0x00dc4248
0x00dc424b
0x00dc4255
0x00dc425b
0x00dc425d
0x00dc42ad
0x00dc42af
0x00dc4264
0x00dc4264
0x00dc4267
0x00dc426a
0x00dc4278
0x00dc4281
0x00dc4287
0x00dc428a
0x00dc428d
0x00000000
0x00dc4292
0x00dc42b9
0x00dc42bb
0x00000000
0x00000000
0x00dc42c3
0x00dc42c8
0x00dc42cd
0x00dc42dd
0x00dc42f8
0x00dc42fd
0x00dc4305
0x00dc430a
0x00dc430c
0x00dc430e
0x00dc431e
0x00dc4324
0x00dc4325
0x00dc432b
0x00dc4330
0x00dc4332
0x00dc4338
0x00dc433c
0x00dc433e
0x00dc4341
0x00dc4358
0x00dc4358
0x00dc433c
0x00dc4364
0x00dc436b
0x00000000
0x00dc436b
0x00dc425f
0x00000000
0x00dc4227
0x00dc422b
0x00dc4298
0x00dc42a6
0x00dc42a6

APIs

Part of subcall function 00DC5138: GetFileAttributesExW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,00DC41E5), ref: 00DC5165

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000000,00000080,00000000), ref: 00DC4219

Part of subcall function 00DC43CE: OutputDebugStringW.KERNEL32(LOG_SYSTEM: trying to move log file to backup,?,?,?,?,?,?,00DC41F7), ref: 00DC43E0
Part of subcall function 00DC43CE: MoveFileExW.KERNEL32(?,?,0000000B,?,?,?,?,?,?,00DC41F7), ref: 00DC4401
Part of subcall function 00DC43CE: OutputDebugStringW.KERNEL32(LOG_SYSTEM: failed to move log file to backup,?,?,?,?,?,?,00DC41F7), ref: 00DC441F

Part of subcall function 00DC7C6B: PathRemoveFileSpecW.SHLWAPI(00000000,?,00000000,00000000,?,?,?,00DC789C,?,?,?,00DCB9ED,00000000,00000068,00000000,00000068), ref: 00DC7C8C

GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 00DC4255
OutputDebugStringW.KERNEL32(00000000), ref: 00DC4278
CloseHandle.KERNEL32(?), ref: 00DC4281
GetLastError.KERNEL32(?,C0010000,00000000), ref: 00DC4325
WriteFile.KERNEL32(?,00DF25DC,00000002,?,00000000), ref: 00DC4358

Part of subcall function 00DC7ED7: GetLastError.KERNEL32(?,00DC6548), ref: 00DC7ED8
Part of subcall function 00DC7ED7: RaiseException.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DC7F0A

Part of subcall function 00DC6CB8: wvsprintfW.USER32(00000000,00000000,00000001), ref: 00DC6D50

Strings

LOG_SYSTEM: [%s]: ERROR - Log path %s has a reparse point, xrefs: 00DC426A

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: File$DebugOutputString$AttributesErrorLast$CloseCreateExceptionHandleMovePathRaiseRemoveSpecWritewvsprintf
String ID: LOG_SYSTEM: [%s]: ERROR - Log path %s has a reparse point
API String ID: 1325108685-1149571711
Opcode ID: 14b42c9c24e83c0d9cdd4b5e1f447d7e2e6ca9c42238b7e336c1e0dfe712cb96
Instruction ID: cb1eea4f073465319206e3e526eb88e4ede49d460b666477b2fbf5ab81bb9764
Opcode Fuzzy Hash: 14b42c9c24e83c0d9cdd4b5e1f447d7e2e6ca9c42238b7e336c1e0dfe712cb96
Instruction Fuzzy Hash: 82515E719002599EEB24EF60DC96FAA77B4EB54300F14449DF549A7292DA30AE89CF70

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9029 Relevance: 12.0, APIs: 8, Instructions: 42
clipboardmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC9029(WCHAR* __ecx) {
				int _t4;
				signed int _t13;
				WCHAR* _t16;
				void* _t18;

				_t16 = __ecx;
				_t13 = lstrlenW(__ecx);
				_t4 = OpenClipboard(0);
				if(_t4 != 0) {
					EmptyClipboard();
					_t14 = 2 + _t13 * 2;
					_t18 = GlobalAlloc(0x2002, 2 + _t13 * 2);
					if(GlobalLock(_t18) != 0) {
						E00DD0C10(_t7, _t16, _t14);
					}
					GlobalUnlock(_t18);
					if(SetClipboardData(0xd, _t18) == 0) {
						GlobalFree(_t18);
					}
					return CloseClipboard();
				}
				return _t4;
			}

0x00dc902b
0x00dc9036
0x00dc9038
0x00dc9040
0x00dc9043
0x00dc9049
0x00dc905c
0x00dc9067
0x00dc906c
0x00dc9071
0x00dc9075
0x00dc9086
0x00dc9089
0x00dc9089
0x00dc9092
0x00dc9092
0x00dc909a

APIs

lstrlenW.KERNEL32(?,?,?,00DC6E11), ref: 00DC902E
OpenClipboard.USER32(00000000), ref: 00DC9038
EmptyClipboard.USER32(00ECD228,?,?,00DC6E11), ref: 00DC9043
GlobalAlloc.KERNEL32(00002002,00000000,?,?,00DC6E11), ref: 00DC9056
GlobalLock.KERNEL32 ref: 00DC905F
GlobalUnlock.KERNEL32(00000000,?,?,00DC6E11), ref: 00DC9075
SetClipboardData.USER32 ref: 00DC907E
GlobalFree.KERNEL32 ref: 00DC9089

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Global$Clipboard$AllocDataEmptyFreeLockOpenUnlocklstrlen
String ID:
API String ID: 3280322382-0
Opcode ID: f6e22328b3a4cf67c190b38f55d98dbc2817d63ee72cabd3f58291f5553e2c33
Instruction ID: ade4d9ce34ca15c3108b2dec4528c1caaec79c3667fb3bd12afb28b3a5c2c915
Opcode Fuzzy Hash: f6e22328b3a4cf67c190b38f55d98dbc2817d63ee72cabd3f58291f5553e2c33
Instruction Fuzzy Hash: 1DF04F31609356ABE6903BB1BCCDFAA7B2CEB81756F040026FA05CA361DB6449059675

Uniqueness

Uniqueness Score: -1.00%

Function 00DDF428 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E00DDF428(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, signed int _a20, signed int _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1868;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				char _v1881;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				signed int _v1900;
				signed int _v1904;
				signed int _v1908;
				intOrPtr _v1912;
				signed int* _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				signed int _v1932;
				signed int _v1936;
				char _v1944;
				signed int _v1952;
				signed int _v1956;
				char _v2416;
				signed int _v2420;
				signed int _t785;
				intOrPtr _t795;
				signed int _t802;
				signed int _t808;
				signed int _t813;
				intOrPtr _t819;
				void* _t820;
				signed int _t826;
				signed int _t831;
				signed int _t832;
				signed int _t833;
				signed int _t836;
				signed int _t838;
				signed int _t840;
				signed int _t841;
				signed int _t846;
				signed int _t847;
				signed int _t852;
				signed int _t854;
				signed int _t855;
				signed int _t862;
				signed int _t863;
				signed int _t871;
				signed int _t874;
				signed int _t879;
				signed int* _t882;
				signed int _t886;
				signed int _t897;
				signed int _t898;
				signed int _t900;
				signed int _t901;
				char* _t902;
				signed int _t905;
				signed int _t911;
				signed int _t913;
				signed int _t917;
				signed int _t925;
				signed int _t928;
				signed int _t931;
				signed int _t934;
				signed int _t943;
				signed int _t944;
				signed int _t947;
				signed int _t960;
				signed int _t961;
				signed int _t963;
				signed int _t964;
				signed int* _t965;
				signed int _t968;
				signed int* _t971;
				signed int _t974;
				signed int _t976;
				signed int _t981;
				signed int _t989;
				signed int _t992;
				signed int _t996;
				signed int _t999;
				signed int _t1008;
				intOrPtr _t1013;
				signed int _t1014;
				signed int _t1020;
				void* _t1028;
				signed int _t1029;
				signed int _t1030;
				signed int _t1031;
				signed int* _t1034;
				signed int _t1042;
				signed int _t1046;
				signed int _t1048;
				signed int _t1053;
				void* _t1059;
				signed int _t1060;
				signed int _t1061;
				signed int _t1062;
				signed int _t1065;
				signed int _t1070;
				signed int _t1071;
				signed int _t1075;
				signed int _t1077;
				signed int _t1082;
				signed int _t1084;
				signed int _t1085;
				signed int _t1090;
				signed int _t1092;
				signed int _t1099;
				intOrPtr* _t1111;
				signed int _t1116;
				signed int _t1117;
				signed int _t1122;
				signed int _t1124;
				signed int _t1125;
				signed int _t1126;
				signed int _t1133;
				signed int _t1137;
				signed int _t1138;
				signed int _t1139;
				signed int _t1140;
				signed int _t1142;
				signed int* _t1144;
				signed int _t1145;
				signed int _t1149;
				signed int _t1150;
				signed int _t1151;
				signed int _t1152;
				signed int _t1154;
				signed int _t1156;
				signed int _t1157;
				signed int _t1161;
				signed int _t1162;
				unsigned int _t1163;
				unsigned int _t1167;
				unsigned int _t1170;
				signed int _t1171;
				signed int _t1174;
				signed int* _t1177;
				signed int _t1180;
				void* _t1182;
				unsigned int _t1183;
				signed int _t1184;
				signed int _t1187;
				signed int* _t1190;
				signed int _t1193;
				signed int _t1198;
				signed int _t1199;
				signed int _t1202;
				signed int _t1204;
				signed int _t1205;
				signed int _t1207;
				char _t1210;
				signed int _t1212;
				signed int _t1213;
				signed int _t1214;
				signed int _t1215;
				signed int _t1216;
				signed int _t1217;
				signed int _t1218;
				signed int _t1220;
				signed int _t1221;
				signed int _t1222;
				signed int _t1223;
				signed int _t1224;
				void* _t1225;
				signed int _t1226;
				signed int _t1228;
				signed int _t1233;
				void* _t1238;
				intOrPtr _t1239;
				void* _t1242;
				unsigned int _t1245;
				signed int _t1246;
				signed int _t1249;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1259;
				signed int _t1262;
				signed int _t1263;
				signed int _t1264;
				signed int _t1265;
				void* _t1266;
				void* _t1269;
				signed int _t1271;
				signed int _t1275;
				signed int* _t1277;
				signed int _t1281;
				void* _t1282;
				signed int _t1283;
				signed int _t1285;
				signed int _t1286;
				signed int _t1288;
				void* _t1291;
				signed int _t1294;
				signed int _t1295;
				signed int _t1296;
				signed int _t1298;
				signed int _t1299;
				signed int _t1300;
				signed int _t1302;
				signed int _t1310;
				signed int _t1312;
				void* _t1313;
				signed int* _t1314;
				signed int* _t1315;
				signed int _t1321;
				signed int _t1329;

				_t1282 = __esi;
				_t1238 = __edi;
				_t1310 = _t1312;
				_t1313 = _t1312 - 0x970;
				_t785 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t785 ^ _t1310;
				_v1932 = _a20;
				_v1888 = _a24;
				E00DE1270(__eflags,  &_v1952);
				_t1099 = 1;
				if((_v1952 & 0x0000001f) != 0x1f) {
					E00DE12D8(__eflags,  &_v1952);
					_v1944 = 1;
				} else {
					_v1944 = 0;
				}
				_push(_t1282);
				_t1283 = _a8;
				_push(_t1238);
				_t1239 = 0x20;
				_t1321 = _t1283;
				if(_t1321 > 0 || _t1321 >= 0 && _a4 >= 0) {
					_t795 = _t1239;
				} else {
					_t795 = 0x2d;
				}
				_t1111 = _v1932;
				 *_t1111 = _t795;
				 *((intOrPtr*)(_t1111 + 8)) = _v1888;
				E00DD4C6C( &_v1956, 0, 0);
				_t1314 = _t1313 + 0xc;
				if((_t1283 & 0x7ff00000) != 0) {
					L12:
					_t802 = E00DDC7DA( &_a4);
					__eflags = _t802;
					if(_t802 == 0) {
						L24:
						_v1936 = _v1936 & 0x00000000;
						_a8 = _t1283 & 0x7fffffff;
						_t1329 = _a4;
						asm("fst qword [ebp-0x774]");
						_t1285 = _v1908;
						_v1928 = _a12 + 1;
						_t1116 = _t1285 >> 0x14;
						_t808 = _t1116 & 0x000007ff;
						__eflags = _t808;
						if(_t808 != 0) {
							_t808 = 0;
							_t41 =  &_v1868;
							 *_t41 = _v1868 & 0;
							__eflags =  *_t41;
						} else {
							_v1868 = _t1099;
						}
						_t1286 = _t1285 & 0x000fffff;
						_v1924 = _v1912 + _t808;
						asm("adc esi, edx");
						_t1117 = _t1116 & 0x000007ff;
						_v1872 = _v1868 + _t1117;
						E00DE1330(_t1117, _t1329);
						_push(_t1117);
						_push(_t1117);
						 *_t1314 = _t1329;
						_t813 = E00DE3D00(E00DE1440(_t1117, _v1912 + _t808), _t1329);
						_v1904 = _t813;
						_t1242 = 0x20;
						__eflags = _t813 - 0x7fffffff;
						if(_t813 == 0x7fffffff) {
							L29:
							__eflags = 0;
							_v1904 = 0;
						} else {
							__eflags = _t813 - 0x80000000;
							if(_t813 == 0x80000000) {
								goto L29;
							}
						}
						_t1198 = _v1872;
						__eflags = _t1286;
						_v468 = _v1924;
						_v464 = _t1286;
						_t1122 = (0 | _t1286 != 0x00000000) + 1;
						_v1868 = _t1122;
						_v472 = _t1122;
						__eflags = _t1198 - 0x433;
						if(_t1198 < 0x433) {
							__eflags = _t1198 - 0x35;
							if(_t1198 == 0x35) {
								L100:
								__eflags = _t1286;
								_t211 =  &_v1908;
								 *_t211 = _v1908 & 0x00000000;
								__eflags =  *_t211;
								_t819 =  *((intOrPtr*)(_t1310 + 4 + (0 | _t1286 != 0x00000000) * 4 - 0x1d4));
								asm("bsr eax, eax");
								if( *_t211 == 0) {
									_t820 = 0;
									__eflags = 0;
								} else {
									_t820 = _t819 + 1;
								}
								__eflags = _t1242 - _t820 - _t1099;
								asm("sbb esi, esi");
								_t1288 =  ~_t1286 + _t1122;
								__eflags = _t1288 - 0x73;
								if(_t1288 <= 0x73) {
									_t1199 = _t1288 - 1;
									__eflags = _t1199 - 0xffffffff;
									if(_t1199 != 0xffffffff) {
										_t1266 = _t1199 - 1;
										while(1) {
											__eflags = _t1199 - _t1122;
											if(_t1199 >= _t1122) {
												_t1008 = 0;
												__eflags = 0;
											} else {
												_t1008 =  *(_t1310 + _t1199 * 4 - 0x1d0);
											}
											__eflags = _t1266 - _t1122;
											if(_t1266 >= _t1122) {
												_t1163 = 0;
												__eflags = 0;
											} else {
												_t1163 =  *(_t1310 + _t1199 * 4 - 0x1d4);
											}
											 *(_t1310 + _t1199 * 4 - 0x1d0) = _t1163 >> 0x0000001f | _t1008 + _t1008;
											_t1199 = _t1199 - 1;
											_t1266 = _t1266 - 1;
											__eflags = _t1199 - 0xffffffff;
											if(_t1199 == 0xffffffff) {
												goto L115;
											}
											_t1122 = _v472;
										}
									}
									L115:
									_v472 = _t1288;
								} else {
									_v1400 = _v1400 & 0x00000000;
									_v472 = _v472 & 0x00000000;
									E00DDA434( &_v468, 0x1cc,  &_v1396, 0);
									_t1314 =  &(_t1314[4]);
								}
								_t1245 = 0x434 >> 5;
								E00DD1190(0x434 >> 5,  &_v1396, 0, 0x434);
								__eflags = 1;
								 *(_t1310 + 0xbad63d) = 1 << (0x00000434 - _v1872 & 0x0000001f);
							} else {
								_v1396 = _v1396 & 0x00000000;
								_v1392 = 0x100000;
								_v1400 = 2;
								__eflags = _t1286;
								if(_t1286 != 0) {
									_t1225 = 0;
									__eflags = 0;
									while(1) {
										_t1013 =  *((intOrPtr*)(_t1310 + _t1225 - 0x570));
										__eflags = _t1013 -  *((intOrPtr*)(_t1310 + _t1225 - 0x1d0));
										if(_t1013 !=  *((intOrPtr*)(_t1310 + _t1225 - 0x1d0))) {
											goto L100;
										}
										_t1225 = _t1225 + 4;
										__eflags = _t1225 - 8;
										if(_t1225 != 8) {
											continue;
										} else {
											__eflags = 0;
											asm("bsr eax, esi");
											_v1908 = 0;
											if(0 == 0) {
												_t1014 = 0;
											} else {
												_t1014 = _t1013 + 1;
											}
											__eflags = _t1242 - _t1014 - 2;
											asm("sbb esi, esi");
											_t1302 =  ~_t1286 + _t1122;
											__eflags = _t1302 - 0x73;
											if(_t1302 <= 0x73) {
												_t1226 = _t1302 - 1;
												__eflags = _t1226 - 0xffffffff;
												if(_t1226 != 0xffffffff) {
													_t1269 = _t1226 - 1;
													while(1) {
														__eflags = _t1226 - _t1122;
														if(_t1226 >= _t1122) {
															_t1020 = 0;
														} else {
															_t1020 =  *(_t1310 + _t1226 * 4 - 0x1d0);
														}
														__eflags = _t1269 - _t1122;
														if(_t1269 >= _t1122) {
															_t1167 = 0;
														} else {
															_t1167 =  *(_t1310 + _t1226 * 4 - 0x1d4);
														}
														 *(_t1310 + _t1226 * 4 - 0x1d0) = _t1167 >> 0x0000001e | _t1020 << 0x00000002;
														_t1226 = _t1226 - 1;
														_t1269 = _t1269 - 1;
														__eflags = _t1226 - 0xffffffff;
														if(_t1226 == 0xffffffff) {
															goto L98;
														}
														_t1122 = _v472;
													}
												}
												L98:
												_v472 = _t1302;
											} else {
												_v1400 = 0;
												_v472 = 0;
												E00DDA434( &_v468, 0x1cc,  &_v1396, 0);
												_t1314 =  &(_t1314[4]);
											}
											_t1245 = 0x435 >> 5;
											E00DD1190(0x435 >> 5,  &_v1396, 0, 0x435);
											 *(_t1310 + 0xbad63d) = 1 << (0x00000435 - _v1872 & 0x0000001f);
										}
										goto L117;
									}
								}
								goto L100;
							}
							L117:
							_t826 = _t1245 + 1;
							_t1291 = 0x1cc;
							_v1400 = _t826;
							_v936 = _t826;
							E00DDA434( &_v932, 0x1cc,  &_v1396, _t826 << 2);
							_t1315 =  &(_t1314[7]);
							_t1099 = 1;
							__eflags = 1;
						} else {
							_v1396 = _v1396 & 0x00000000;
							_v1392 = 0x100000;
							_v1400 = 2;
							__eflags = _t1286;
							if(_t1286 == 0) {
								L57:
								_t1170 = _t1198 - 0x432;
								_t1171 = _t1170 & 0x0000001f;
								_v1880 = _t1170 >> 5;
								_v1896 = _t1171;
								_v1924 = _t1242 - _t1171;
								_t1028 = E00DE3C90(_t1099, _t1242 - _t1171, 0);
								_t1228 = _v1868;
								_t1029 = _t1028 - 1;
								_t130 =  &_v1908;
								 *_t130 = _v1908 & 0x00000000;
								__eflags =  *_t130;
								_v1876 = _t1029;
								_t1030 =  !_t1029;
								_v1920 = _t1030;
								asm("bsr eax, ecx");
								if( *_t130 == 0) {
									_t138 =  &_v1868;
									 *_t138 = _v1868 & 0x00000000;
									__eflags =  *_t138;
								} else {
									_v1868 = _t1030 + 1;
								}
								_t1174 = _v1880;
								_t1291 = 0x1cc;
								_t1031 = _t1174 + _t1228;
								__eflags = _t1031 - 0x73;
								if(_t1031 <= 0x73) {
									__eflags = _t1242 - _v1868 - _v1896;
									asm("sbb eax, eax");
									_t1034 =  ~_t1031 + _t1174 + _t1228;
									_v1916 = _t1034;
									__eflags = _t1034 - 0x73;
									if(_t1034 > 0x73) {
										goto L61;
									} else {
										_t1271 = _t1174 - 1;
										_t1042 = _t1034 - 1;
										_v1900 = _t1271;
										_v1872 = _t1042;
										__eflags = _t1042 - _t1271;
										if(_t1042 != _t1271) {
											_t1275 = _t1042 - _t1174;
											__eflags = _t1275;
											_t1177 =  &(( &_v472)[_t1275]);
											_v1892 = _t1177;
											while(1) {
												__eflags = _t1275 - _t1228;
												if(_t1275 >= _t1228) {
													_t1046 = 0;
													__eflags = 0;
												} else {
													_t1046 = _t1177[1];
												}
												_v1868 = _t1046;
												_t158 = _t1275 - 1; // -4
												__eflags = _t158 - _t1228;
												if(_t158 >= _t1228) {
													_t1048 = 0;
													__eflags = 0;
												} else {
													_t1048 =  *_t1177;
												}
												_t1180 = _v1872;
												 *(_t1310 + _t1180 * 4 - 0x1d0) = (_t1048 & _v1920) >> _v1924 | (_v1868 & _v1876) << _v1896;
												_t1053 = _t1180 - 1;
												_t1177 = _v1892 - 4;
												_v1872 = _t1053;
												_t1275 = _t1275 - 1;
												_v1892 = _t1177;
												__eflags = _t1053 - _v1900;
												if(_t1053 == _v1900) {
													break;
												}
												_t1228 = _v472;
											}
											_t1174 = _v1880;
										}
										__eflags = _t1174;
										if(_t1174 != 0) {
											__eflags = 0;
											memset( &_v468, 0, _t1174 << 2);
											_t1314 =  &(_t1314[3]);
										}
										_v472 = _v1916;
									}
								} else {
									L61:
									_v1400 = 0;
									_v472 = 0;
									E00DDA434( &_v468, _t1291,  &_v1396, 0);
									_t1314 =  &(_t1314[4]);
								}
								_v1396 = 2;
								_push(4);
							} else {
								_t1182 = 0;
								__eflags = 0;
								while(1) {
									__eflags =  *((intOrPtr*)(_t1310 + _t1182 - 0x570)) -  *((intOrPtr*)(_t1310 + _t1182 - 0x1d0));
									if( *((intOrPtr*)(_t1310 + _t1182 - 0x570)) !=  *((intOrPtr*)(_t1310 + _t1182 - 0x1d0))) {
										goto L57;
									}
									_t1182 = _t1182 + 4;
									__eflags = _t1182 - 8;
									if(_t1182 != 8) {
										continue;
									} else {
										_t1183 = _t1198 - 0x431;
										_t1184 = _t1183 & 0x0000001f;
										_v1880 = _t1183 >> 5;
										_v1896 = _t1184;
										_v1876 = _t1242 - _t1184;
										_t1059 = E00DE3C90(_t1099, _t1242 - _t1184, 0);
										_t1233 = _v1868;
										_t1060 = _t1059 - 1;
										_t70 =  &_v1908;
										 *_t70 = _v1908 & 0x00000000;
										__eflags =  *_t70;
										_v1900 = _t1060;
										_t1061 =  !_t1060;
										_v1924 = _t1061;
										asm("bsr eax, ecx");
										if( *_t70 == 0) {
											_t78 =  &_v1868;
											 *_t78 = _v1868 & 0x00000000;
											__eflags =  *_t78;
										} else {
											_v1868 = _t1061 + 1;
										}
										_t1187 = _v1880;
										_t1291 = 0x1cc;
										_t1062 = _t1187 + _t1233;
										__eflags = _t1062 - 0x73;
										if(_t1062 <= 0x73) {
											__eflags = _t1242 - _v1868 - _v1896;
											asm("sbb eax, eax");
											_t1065 =  ~_t1062 + _t1187 + _t1233;
											_v1920 = _t1065;
											__eflags = _t1065 - 0x73;
											if(_t1065 > 0x73) {
												goto L39;
											} else {
												_t1277 = _t1187 - 1;
												_t1071 = _t1065 - 1;
												_v1916 = _t1277;
												_v1872 = _t1071;
												__eflags = _t1071 - _t1277;
												if(_t1071 != _t1277) {
													_t1281 = _t1071 - _t1187;
													__eflags = _t1281;
													_t1190 =  &(( &_v472)[_t1281]);
													_v1892 = _t1190;
													while(1) {
														__eflags = _t1281 - _t1233;
														if(_t1281 >= _t1233) {
															_t1075 = 0;
															__eflags = 0;
														} else {
															_t1075 = _t1190[1];
														}
														_v1868 = _t1075;
														_t98 = _t1281 - 1; // -4
														__eflags = _t98 - _t1233;
														if(_t98 >= _t1233) {
															_t1077 = 0;
															__eflags = 0;
														} else {
															_t1077 =  *_t1190;
														}
														_t1193 = _v1872;
														 *(_t1310 + _t1193 * 4 - 0x1d0) = (_t1077 & _v1924) >> _v1876 | (_v1868 & _v1900) << _v1896;
														_t1082 = _t1193 - 1;
														_t1190 = _v1892 - 4;
														_v1872 = _t1082;
														_t1281 = _t1281 - 1;
														_v1892 = _t1190;
														__eflags = _t1082 - _v1916;
														if(_t1082 == _v1916) {
															break;
														}
														_t1233 = _v472;
													}
													_t1187 = _v1880;
												}
												__eflags = _t1187;
												if(_t1187 != 0) {
													__eflags = 0;
													memset( &_v468, 0, _t1187 << 2);
													_t1314 =  &(_t1314[3]);
												}
												_v472 = _v1920;
											}
										} else {
											L39:
											_v1400 = 0;
											_v472 = 0;
											E00DDA434( &_v468, _t1291,  &_v1396, 0);
											_t1314 =  &(_t1314[4]);
										}
										_t1070 = 4;
										_v1396 = _t1070;
										_push(_t1070);
									}
									goto L56;
								}
								goto L57;
							}
							L56:
							_v1392 = _v1392 & 0x00000000;
							_push( &_v1396);
							_v936 = _t1099;
							_push(_t1291);
							_push( &_v932);
							_v1400 = _t1099;
							E00DDA434();
							_t1315 =  &(_t1314[4]);
						}
						_t831 = _v1904;
						_t1124 = 0xa;
						_v1924 = _t1124;
						__eflags = _t831;
						if(_t831 < 0) {
							_t832 =  ~_t831;
							_t833 = _t832 / _t1124;
							_v1916 = _t833;
							_t1125 = _t832 % _t1124;
							_v1908 = _t1125;
							__eflags = _t833;
							if(_t833 == 0) {
								L250:
								__eflags = _t1125;
								if(_t1125 != 0) {
									_t879 =  *(0xdeb0b4 + _t1125 * 4);
									_v1908 = _t879;
									__eflags = _t879;
									if(_t879 == 0) {
										L262:
										__eflags = 0;
										_push(0);
										_v472 = 0;
										_v2420 = 0;
										goto L263;
									} else {
										__eflags = _t879 - _t1099;
										if(_t879 != _t1099) {
											_t1140 = _v472;
											__eflags = _t1140;
											if(_t1140 != 0) {
												_v1876 = _v1876 & 0x00000000;
												_t1252 = 0;
												__eflags = 0;
												do {
													_t1214 = _t879 *  *(_t1310 + _t1252 * 4 - 0x1d0) >> 0x20;
													 *(_t1310 + _t1252 * 4 - 0x1d0) = _t879 *  *(_t1310 + _t1252 * 4 - 0x1d0) + _v1876;
													_t879 = _v1908;
													asm("adc edx, 0x0");
													_t1252 = _t1252 + 1;
													_v1876 = _t1214;
													__eflags = _t1252 - _t1140;
												} while (_t1252 != _t1140);
												__eflags = _t1214;
												if(_t1214 != 0) {
													_t886 = _v472;
													__eflags = _t886 - 0x73;
													if(_t886 >= 0x73) {
														goto L262;
													} else {
														 *(_t1310 + _t886 * 4 - 0x1d0) = _t1214;
														_v472 = _v472 + 1;
													}
												}
											}
										}
									}
								}
							} else {
								do {
									__eflags = _t833 - 0x26;
									if(_t833 > 0x26) {
										_t833 = 0x26;
									}
									_t1141 =  *(0xdeb01e + _t833 * 4) & 0x000000ff;
									_v1880 = _t833;
									_v1400 = ( *(0xdeb01f + _t833 * 4) & 0x000000ff) + ( *(0xdeb01e + _t833 * 4) & 0x000000ff);
									E00DD1190(_t1141 << 2,  &_v1396, 0, _t1141 << 2);
									_t897 = E00DD0C10( &(( &_v1396)[_t1141]), 0xdea718 + ( *(0xdeb01c + _v1880 * 4) & 0x0000ffff) * 4, ( *(0xdeb01f + _t833 * 4) & 0x000000ff) << 2);
									_t1215 = _v1400;
									_t1315 =  &(_t1315[6]);
									_v1872 = _t1215;
									__eflags = _t1215 - _t1099;
									if(_t1215 > _t1099) {
										__eflags = _v472 - _t1099;
										if(_v472 > _t1099) {
											__eflags = _t1215 - _v472;
											_t1294 =  &_v1396;
											_t547 = _t1215 - _v472 > 0;
											__eflags = _t547;
											_t898 = _t897 & 0xffffff00 | _t547;
											if(_t547 >= 0) {
												_t1294 =  &_v468;
											}
											_v1892 = _t1294;
											__eflags = _t898;
											if(_t898 == 0) {
												_v1896 = _t1215;
												_t1215 = _v472;
												_v1872 = _t1215;
												_v1876 =  &_v1396;
											} else {
												_v1896 = _v472;
												_v1876 =  &_v468;
											}
											_t900 = 0;
											_t1255 = 0;
											_v1864 = 0;
											__eflags = _t1215;
											if(_t1215 == 0) {
												L244:
												_v472 = _t900;
												_t1291 = 0x1cc;
												_t901 = _t900 << 2;
												__eflags = _t901;
												_push(_t901);
												_t902 =  &_v1860;
												goto L245;
											} else {
												do {
													__eflags =  *(_t1294 + _t1255 * 4);
													if( *(_t1294 + _t1255 * 4) != 0) {
														_t1142 = 0;
														_t1295 = _t1255;
														_v1868 = 0;
														_v1900 = 0;
														__eflags = _v1896;
														if(_v1896 != 0) {
															_t1216 = 0;
															while(1) {
																__eflags = _t1295 - 0x73;
																if(_t1295 == 0x73) {
																	break;
																}
																__eflags = _t1295 - _t900;
																if(_t1295 == _t900) {
																	 *(_t1310 + _t1295 * 4 - 0x740) =  *(_t1310 + _t1295 * 4 - 0x740) & 0x00000000;
																	_t579 = _t1255 + 1; // 0x1
																	_t917 = _t579 + _t1142;
																	__eflags = _t917;
																	_v1864 = _t917;
																}
																_t913 =  *(_v1876 + _t1142 * 4);
																_t1145 = _v1892;
																_t1216 = _t913 *  *(_t1145 + _t1255 * 4) >> 0x20;
																asm("adc edx, 0x0");
																 *(_t1310 + _t1295 * 4 - 0x740) =  *(_t1310 + _t1295 * 4 - 0x740) + _t913 *  *(_t1145 + _t1255 * 4) + _v1868;
																_t900 = _v1864;
																asm("adc edx, 0x0");
																_t1142 = _v1900 + 1;
																_t1295 = _t1295 + 1;
																_v1868 = _t1216;
																_v1900 = _t1142;
																__eflags = _t1142 - _v1896;
																if(_t1142 != _v1896) {
																	continue;
																}
																break;
															}
															__eflags = _t1216;
															if(_t1216 != 0) {
																_t1144 =  &_v1860 + _t1295 * 4;
																_v1868 = _t1144;
																while(1) {
																	__eflags = _t1295 - 0x73;
																	if(_t1295 == 0x73) {
																		goto L240;
																	}
																	__eflags = _t1295 - _t900;
																	if(_t1295 == _t900) {
																		 *_t1144 =  *_t1144 & 0x00000000;
																		__eflags =  *_t1144;
																		_t609 = _t1295 + 1; // 0x1
																		_v1864 = _t609;
																	}
																	_v1868 = _v1868 + 4;
																	_t911 = _t1216;
																	_t1295 = _t1295 + 1;
																	_t1216 = 0;
																	 *_t1144 =  *_t1144 + _t911;
																	__eflags =  *_t1144;
																	_t900 = _v1864;
																	asm("adc edx, edx");
																	if( *_t1144 != 0) {
																		_t1144 = _v1868;
																		continue;
																	}
																	goto L240;
																}
															}
															L240:
															_t1215 = _v1872;
														}
														__eflags = _t1295 - 0x73;
														if(_t1295 == 0x73) {
															_t1291 = 0x1cc;
															goto L260;
														} else {
															_t1294 = _v1892;
															goto L243;
														}
													} else {
														__eflags = _t1255 - _t900;
														if(_t1255 == _t900) {
															 *(_t1310 + _t1255 * 4 - 0x740) =  *(_t1310 + _t1255 * 4 - 0x740) & 0x00000000;
															_t568 = _t1255 + 1; // 0x1
															_t900 = _t568;
															_v1864 = _t900;
														}
														goto L243;
													}
													goto L247;
													L243:
													_t1255 = _t1255 + 1;
													__eflags = _t1255 - _t1215;
												} while (_t1255 != _t1215);
												goto L244;
											}
										} else {
											_t1256 = _v468;
											_t1291 = 0x1cc;
											_v1936 = _t1256;
											_v472 = _t1215;
											E00DDA434( &_v468, 0x1cc,  &_v1396, _t1215 << 2);
											_t1315 =  &(_t1315[4]);
											__eflags = _t1256;
											if(_t1256 != 0) {
												__eflags = _t1256 - _t1099;
												if(_t1256 == _t1099) {
													goto L246;
												} else {
													__eflags = _v472;
													if(_v472 == 0) {
														goto L246;
													} else {
														_t1149 = 0;
														_v1920 = _v472;
														_t1257 = 0;
														__eflags = 0;
														do {
															_t925 = _v1936;
															_t1217 = _t925 *  *(_t1310 + _t1257 * 4 - 0x1d0) >> 0x20;
															 *(_t1310 + _t1257 * 4 - 0x1d0) = _t925 *  *(_t1310 + _t1257 * 4 - 0x1d0) + _t1149;
															asm("adc edx, 0x0");
															_t1257 = _t1257 + 1;
															_t1149 = _t1217;
															__eflags = _t1257 - _v1920;
														} while (_t1257 != _v1920);
														__eflags = _t1149;
														if(_t1149 == 0) {
															goto L246;
														} else {
															_t928 = _v472;
															__eflags = _t928 - 0x73;
															if(_t928 >= 0x73) {
																L260:
																_v2420 = 0;
																_v472 = 0;
																E00DDA434( &_v468, _t1291,  &_v2416, 0);
																_t1315 =  &(_t1315[4]);
																_t905 = 0;
															} else {
																 *(_t1310 + _t928 * 4 - 0x1d0) = _t1149;
																_v472 = _v472 + 1;
																goto L246;
															}
														}
													}
												}
											} else {
												_v2420 = 0;
												_v472 = 0;
												_push(0);
												_t902 =  &_v2416;
												L245:
												_push(_t902);
												_push(_t1291);
												_push( &_v468);
												E00DDA434();
												_t1315 =  &(_t1315[4]);
												L246:
												_t905 = _t1099;
											}
										}
									} else {
										_t1258 = _v1396;
										__eflags = _t1258;
										if(_t1258 != 0) {
											__eflags = _t1258 - _t1099;
											if(_t1258 == _t1099) {
												goto L198;
											} else {
												__eflags = _v472;
												if(_v472 == 0) {
													goto L198;
												} else {
													_t1150 = 0;
													_v1936 = _v472;
													_t1296 = 0;
													__eflags = 0;
													do {
														_t931 = _t1258;
														_t1218 = _t931 *  *(_t1310 + _t1296 * 4 - 0x1d0) >> 0x20;
														 *(_t1310 + _t1296 * 4 - 0x1d0) = _t931 *  *(_t1310 + _t1296 * 4 - 0x1d0) + _t1150;
														asm("adc edx, 0x0");
														_t1296 = _t1296 + 1;
														_t1150 = _t1218;
														__eflags = _t1296 - _v1936;
													} while (_t1296 != _v1936);
													__eflags = _t1150;
													if(_t1150 == 0) {
														goto L198;
													} else {
														_t934 = _v472;
														__eflags = _t934 - 0x73;
														if(_t934 >= 0x73) {
															_v2420 = 0;
															_v472 = 0;
															E00DDA434( &_v468, 0x1cc,  &_v2416, 0);
															_t1315 =  &(_t1315[4]);
															_t905 = 0;
															goto L199;
														} else {
															 *(_t1310 + _t934 * 4 - 0x1d0) = _t1150;
															_v472 = _v472 + 1;
															goto L198;
														}
													}
												}
											}
											goto L265;
										} else {
											__eflags = 0;
											_v2420 = 0;
											_v472 = 0;
											E00DDA434( &_v468, 0x1cc,  &_v2416, 0);
											_t1315 =  &(_t1315[4]);
											L198:
											_t905 = _t1099;
										}
										L199:
										_t1291 = 0x1cc;
									}
									L247:
									__eflags = _t905;
									if(_t905 == 0) {
										_v2420 = _v2420 & 0x00000000;
										_v472 = _v472 & 0x00000000;
										_push(0);
										L263:
										_push( &_v2416);
										_t882 =  &_v468;
										goto L264;
									} else {
										goto L248;
									}
									goto L265;
									L248:
									_t833 = _v1916 - _v1880;
									__eflags = _t833;
									_v1916 = _t833;
								} while (_t833 != 0);
								_t1125 = _v1908;
								goto L250;
							}
						} else {
							_t943 = _t831 / _t1124;
							_v1876 = _t943;
							_t1151 = _t831 % _t1124;
							_v1936 = _t1151;
							__eflags = _t943;
							if(_t943 == 0) {
								L178:
								__eflags = _t1151;
								if(_t1151 != 0) {
									_t944 =  *(0xdeb0b4 + _t1151 * 4);
									_v1936 = _t944;
									__eflags = _t944;
									if(_t944 != 0) {
										__eflags = _t944 - _t1099;
										if(_t944 != _t1099) {
											_t1152 = _v936;
											__eflags = _t1152;
											if(_t1152 != 0) {
												_v1876 = _v1876 & 0x00000000;
												_t1259 = 0;
												__eflags = 0;
												do {
													_t1220 = _t944 *  *(_t1310 + _t1259 * 4 - 0x3a0) >> 0x20;
													 *(_t1310 + _t1259 * 4 - 0x3a0) = _t944 *  *(_t1310 + _t1259 * 4 - 0x3a0) + _v1876;
													_t944 = _v1936;
													asm("adc edx, 0x0");
													_t1259 = _t1259 + 1;
													_v1876 = _t1220;
													__eflags = _t1259 - _t1152;
												} while (_t1259 != _t1152);
												__eflags = _t1220;
												if(_t1220 != 0) {
													_t947 = _v936;
													__eflags = _t947 - 0x73;
													if(_t947 >= 0x73) {
														goto L180;
													} else {
														 *(_t1310 + _t947 * 4 - 0x3a0) = _t1220;
														_v936 = _v936 + 1;
													}
												}
											}
										}
									} else {
										L180:
										_v2420 = 0;
										_v936 = 0;
										_push(0);
										goto L184;
									}
								}
							} else {
								do {
									__eflags = _t943 - 0x26;
									if(_t943 > 0x26) {
										_t943 = 0x26;
									}
									_t1153 =  *(0xdeb01e + _t943 * 4) & 0x000000ff;
									_v1868 = _t943;
									_v1400 = ( *(0xdeb01f + _t943 * 4) & 0x000000ff) + ( *(0xdeb01e + _t943 * 4) & 0x000000ff);
									E00DD1190(_t1153 << 2,  &_v1396, 0, _t1153 << 2);
									_t960 = E00DD0C10( &(( &_v1396)[_t1153]), 0xdea718 + ( *(0xdeb01c + _v1868 * 4) & 0x0000ffff) * 4, ( *(0xdeb01f + _t943 * 4) & 0x000000ff) << 2);
									_t1221 = _v1400;
									_t1315 =  &(_t1315[6]);
									_v1872 = _t1221;
									__eflags = _t1221 - _t1099;
									if(_t1221 > _t1099) {
										__eflags = _v936 - _t1099;
										if(_v936 > _t1099) {
											__eflags = _t1221 - _v936;
											_t1298 =  &_v1396;
											_t340 = _t1221 - _v936 > 0;
											__eflags = _t340;
											_t961 = _t960 & 0xffffff00 | _t340;
											if(_t340 >= 0) {
												_t1298 =  &_v932;
											}
											_v1896 = _t1298;
											__eflags = _t961;
											if(_t961 == 0) {
												_v1892 = _t1221;
												_t1221 = _v936;
												_v1872 = _t1221;
												_v1916 =  &_v1396;
											} else {
												_v1892 = _v936;
												_v1916 =  &_v932;
											}
											_t963 = 0;
											_t1262 = 0;
											_v1864 = 0;
											__eflags = _t1221;
											if(_t1221 == 0) {
												L172:
												_v936 = _t963;
												_t1291 = 0x1cc;
												_t964 = _t963 << 2;
												__eflags = _t964;
												_push(_t964);
												_t965 =  &_v1860;
												goto L173;
											} else {
												do {
													__eflags =  *(_t1298 + _t1262 * 4);
													if( *(_t1298 + _t1262 * 4) != 0) {
														_t1154 = 0;
														_t1299 = _t1262;
														_v1880 = 0;
														_v1900 = 0;
														__eflags = _v1892;
														if(_v1892 != 0) {
															_t1222 = 0;
															while(1) {
																__eflags = _t1299 - 0x73;
																if(_t1299 == 0x73) {
																	break;
																}
																__eflags = _t1299 - _t963;
																if(_t1299 == _t963) {
																	 *(_t1310 + _t1299 * 4 - 0x740) =  *(_t1310 + _t1299 * 4 - 0x740) & 0x00000000;
																	_t372 = _t1262 + 1; // 0x1
																	_t981 = _t372 + _t1154;
																	__eflags = _t981;
																	_v1864 = _t981;
																}
																_t976 =  *(_v1916 + _t1154 * 4);
																_t1157 = _v1896;
																_t1222 = _t976 *  *(_t1157 + _t1262 * 4) >> 0x20;
																asm("adc edx, 0x0");
																 *(_t1310 + _t1299 * 4 - 0x740) = _t976 *  *(_t1157 + _t1262 * 4) +  *(_t1310 + _t1299 * 4 - 0x740) + _v1880;
																_t963 = _v1864;
																asm("adc edx, 0x0");
																_t1154 = _v1900 + 1;
																_v1880 = _t1222;
																_t1299 = _t1299 + 1;
																_v1900 = _t1154;
																__eflags = _t1154 - _v1892;
																if(_t1154 != _v1892) {
																	continue;
																}
																break;
															}
															__eflags = _t1222;
															if(_t1222 != 0) {
																_t1156 =  &_v1860 + _t1299 * 4;
																_v1880 = _t1156;
																while(1) {
																	__eflags = _t1299 - 0x73;
																	if(_t1299 == 0x73) {
																		goto L168;
																	}
																	__eflags = _t1299 - _t963;
																	if(_t1299 == _t963) {
																		 *_t1156 =  *_t1156 & 0x00000000;
																		__eflags =  *_t1156;
																		_t402 = _t1299 + 1; // 0x1
																		_v1864 = _t402;
																	}
																	_v1880 = _v1880 + 4;
																	_t974 = _t1222;
																	_t1299 = _t1299 + 1;
																	_t1222 = 0;
																	 *_t1156 =  *_t1156 + _t974;
																	__eflags =  *_t1156;
																	_t963 = _v1864;
																	asm("adc edx, edx");
																	if( *_t1156 != 0) {
																		_t1156 = _v1880;
																		continue;
																	}
																	goto L168;
																}
															}
															L168:
															_t1221 = _v1872;
														}
														__eflags = _t1299 - 0x73;
														if(_t1299 == 0x73) {
															__eflags = 0;
															_t1291 = 0x1cc;
															_v2420 = 0;
															_v936 = 0;
															_push(0);
															_t971 =  &_v2416;
															goto L182;
														} else {
															_t1298 = _v1896;
															goto L171;
														}
													} else {
														__eflags = _t1262 - _t963;
														if(_t1262 == _t963) {
															 *(_t1310 + _t1262 * 4 - 0x740) =  *(_t1310 + _t1262 * 4 - 0x740) & 0x00000000;
															_t361 = _t1262 + 1; // 0x1
															_t963 = _t361;
															_v1864 = _t963;
														}
														goto L171;
													}
													goto L175;
													L171:
													_t1262 = _t1262 + 1;
													__eflags = _t1262 - _t1221;
												} while (_t1262 != _t1221);
												goto L172;
											}
										} else {
											_t1263 = _v932;
											_t1291 = 0x1cc;
											_v1920 = _t1263;
											_v936 = _t1221;
											E00DDA434( &_v932, 0x1cc,  &_v1396, _t1221 << 2);
											_t1315 =  &(_t1315[4]);
											__eflags = _t1263;
											if(_t1263 != 0) {
												__eflags = _t1263 - _t1099;
												if(_t1263 == _t1099) {
													goto L174;
												} else {
													__eflags = _v936;
													if(_v936 == 0) {
														goto L174;
													} else {
														_t1161 = 0;
														_v1900 = _v936;
														_t1264 = 0;
														__eflags = 0;
														do {
															_t989 = _v1920;
															_t1223 = _t989 *  *(_t1310 + _t1264 * 4 - 0x3a0) >> 0x20;
															 *(_t1310 + _t1264 * 4 - 0x3a0) = _t989 *  *(_t1310 + _t1264 * 4 - 0x3a0) + _t1161;
															asm("adc edx, 0x0");
															_t1264 = _t1264 + 1;
															_t1161 = _t1223;
															__eflags = _t1264 - _v1900;
														} while (_t1264 != _v1900);
														__eflags = _t1161;
														if(_t1161 == 0) {
															goto L174;
														} else {
															_t992 = _v936;
															__eflags = _t992 - 0x73;
															if(_t992 >= 0x73) {
																_v1400 = 0;
																_v936 = 0;
																_push(0);
																_t971 =  &_v1396;
																L182:
																_push(_t971);
																_push(_t1291);
																_push( &_v932);
																E00DDA434();
																_t1315 =  &(_t1315[4]);
																_t968 = 0;
															} else {
																 *(_t1310 + _t992 * 4 - 0x3a0) = _t1161;
																_v936 = _v936 + 1;
																goto L174;
															}
														}
													}
												}
											} else {
												_v1400 = 0;
												_v936 = 0;
												_push(0);
												_t965 =  &_v1396;
												L173:
												_push(_t965);
												_push(_t1291);
												_push( &_v932);
												E00DDA434();
												_t1315 =  &(_t1315[4]);
												L174:
												_t968 = _t1099;
											}
										}
									} else {
										_t1265 = _v1396;
										__eflags = _t1265;
										if(_t1265 != 0) {
											__eflags = _t1265 - _t1099;
											if(_t1265 == _t1099) {
												goto L125;
											} else {
												__eflags = _v936;
												if(_v936 == 0) {
													goto L125;
												} else {
													_t1162 = 0;
													_v1920 = _v936;
													_t1300 = 0;
													__eflags = 0;
													do {
														_t996 = _t1265;
														_t1224 = _t996 *  *(_t1310 + _t1300 * 4 - 0x3a0) >> 0x20;
														 *(_t1310 + _t1300 * 4 - 0x3a0) = _t996 *  *(_t1310 + _t1300 * 4 - 0x3a0) + _t1162;
														asm("adc edx, 0x0");
														_t1300 = _t1300 + 1;
														_t1162 = _t1224;
														__eflags = _t1300 - _v1920;
													} while (_t1300 != _v1920);
													__eflags = _t1162;
													if(_t1162 == 0) {
														goto L125;
													} else {
														_t999 = _v936;
														__eflags = _t999 - 0x73;
														if(_t999 >= 0x73) {
															_v1400 = 0;
															_v936 = 0;
															E00DDA434( &_v932, 0x1cc,  &_v1396, 0);
															_t1315 =  &(_t1315[4]);
															_t968 = 0;
															goto L126;
														} else {
															 *(_t1310 + _t999 * 4 - 0x3a0) = _t1162;
															_v936 = _v936 + 1;
															goto L125;
														}
													}
												}
											}
											goto L265;
										} else {
											__eflags = 0;
											_v1864 = 0;
											_v936 = 0;
											E00DDA434( &_v932, 0x1cc,  &_v1860, 0);
											_t1315 =  &(_t1315[4]);
											L125:
											_t968 = _t1099;
										}
										L126:
										_t1291 = 0x1cc;
									}
									L175:
									__eflags = _t968;
									if(_t968 == 0) {
										_v2420 = _v2420 & 0x00000000;
										_t428 =  &_v936;
										 *_t428 = _v936 & 0x00000000;
										__eflags =  *_t428;
										_push(0);
										L184:
										_push( &_v2416);
										_t882 =  &_v932;
										L264:
										_push(_t1291);
										_push(_t882);
										E00DDA434();
										_t1315 =  &(_t1315[4]);
									} else {
										goto L176;
									}
									goto L265;
									L176:
									_t943 = _v1876 - _v1868;
									__eflags = _t943;
									_v1876 = _t943;
								} while (_t943 != 0);
								_t1151 = _v1936;
								goto L178;
							}
						}
						L265:
						_t1126 = _v472;
						_t1246 = _v1888;
						_v1872 = _t1246;
						__eflags = _t1126;
						if(_t1126 != 0) {
							_v1876 = _v1876 & 0x00000000;
							_t1251 = 0;
							__eflags = 0;
							do {
								_t871 =  *(_t1310 + _t1251 * 4 - 0x1d0);
								_t1212 = 0xa;
								_t1213 = _t871 * _t1212 >> 0x20;
								 *(_t1310 + _t1251 * 4 - 0x1d0) = _t871 * _t1212 + _v1876;
								asm("adc edx, 0x0");
								_t1251 = _t1251 + 1;
								_v1876 = _t1213;
								__eflags = _t1251 - _t1126;
							} while (_t1251 != _t1126);
							_t1246 = _v1872;
							__eflags = _t1213;
							if(_t1213 != 0) {
								_t874 = _v472;
								__eflags = _t874 - 0x73;
								if(_t874 >= 0x73) {
									__eflags = 0;
									_v2420 = 0;
									_v472 = 0;
									E00DDA434( &_v468, _t1291,  &_v2416, 0);
									_t1315 =  &(_t1315[4]);
								} else {
									 *(_t1310 + _t874 * 4 - 0x1d0) = _t1213;
									_v472 = _v472 + 1;
								}
							}
						}
						_t836 = E00DDEFA0( &_v472,  &_v936);
						_t1129 = _v1888;
						_t1202 = 0xa;
						__eflags = _t836 - _t1202;
						if(_t836 != _t1202) {
							__eflags = _t836;
							if(_t836 != 0) {
								_t1246 = _t1129 + 1;
								 *_t1129 = _t836 + 0x30;
								_v1872 = _t1246;
								goto L280;
							} else {
								_t838 = _v1904 - 1;
								goto L281;
							}
							goto L312;
						} else {
							_t862 = _v936;
							_t1246 = _t1129 + 1;
							_v1904 = _v1904 + 1;
							 *_t1129 = 0x31;
							_v1872 = _t1246;
							_v1908 = _t862;
							__eflags = _t862;
							if(_t862 != 0) {
								_t1250 = 0;
								_t1138 = 0;
								__eflags = 0;
								do {
									_t863 =  *(_t1310 + _t1138 * 4 - 0x3a0);
									 *(_t1310 + _t1138 * 4 - 0x3a0) = _t863 * _t1202 + _t1250;
									asm("adc edx, 0x0");
									_t1138 = _t1138 + 1;
									_t1250 = _t863 * _t1202 >> 0x20;
									_t1202 = 0xa;
									__eflags = _t1138 - _v1908;
								} while (_t1138 != _v1908);
								_v1908 = _t1250;
								__eflags = _t1250;
								_t1246 = _v1872;
								if(_t1250 != 0) {
									_t1139 = _v936;
									__eflags = _t1139 - 0x73;
									if(_t1139 >= 0x73) {
										_v2420 = 0;
										_v936 = 0;
										E00DDA434( &_v932, _t1291,  &_v2416, 0);
										_t1315 =  &(_t1315[4]);
									} else {
										 *((intOrPtr*)(_t1310 + _t1139 * 4 - 0x3a0)) = _v1908;
										_t719 =  &_v936;
										 *_t719 = _v936 + 1;
										__eflags =  *_t719;
									}
								}
								_t1129 = _v1888;
							}
							L280:
							_t838 = _v1904;
						}
						L281:
						 *((intOrPtr*)(_v1932 + 4)) = _t838;
						_t1204 = _v1928;
						__eflags = _t838;
						if(_t838 >= 0) {
							__eflags = _t1204 - 0x7fffffff;
							if(_t1204 <= 0x7fffffff) {
								__eflags = _a16;
								if(_a16 == 0) {
									_t1204 = _t1204 + _t838;
									__eflags = _t1204;
								}
							}
						}
						_t840 = _a28 - 1;
						__eflags = _t840 - _t1204;
						if(_t840 >= _t1204) {
							_t840 = _t1204;
						}
						_t841 = _t840 + _t1129;
						_t1205 = 0;
						_v1876 = _t841;
						_v1881 = 0;
						__eflags = _t1246 - _t841;
						if(_t1246 != _t841) {
							while(1) {
								_t846 = _v472;
								_v1908 = _t846;
								__eflags = _t846;
								if(_t846 == 0) {
									goto L309;
								}
								_t1248 = 0;
								_t1133 = 0;
								__eflags = 0;
								do {
									_t847 =  *(_t1310 + _t1133 * 4 - 0x1d0);
									_t1207 = _t847 * 0x3b9aca00 >> 0x20;
									 *(_t1310 + _t1133 * 4 - 0x1d0) = _t847 * 0x3b9aca00 + _t1248;
									asm("adc edx, 0x0");
									_t1133 = _t1133 + 1;
									_t1248 = 0x3b9aca00;
									__eflags = _t1133 - _v1908;
								} while (_t1133 != _v1908);
								_v1908 = 0x3b9aca00;
								__eflags = 0x3b9aca00;
								_t1249 = _v1872;
								if(0x3b9aca00 != 0) {
									_t1137 = _v472;
									__eflags = _t1137 - 0x73;
									if(_t1137 >= 0x73) {
										__eflags = 0;
										_v2420 = 0;
										_v472 = 0;
										E00DDA434( &_v468, _t1291,  &_v2416, 0);
										_t1315 =  &(_t1315[4]);
									} else {
										 *(_t1310 + _t1137 * 4 - 0x1d0) = _t1207;
										_v472 = _v472 + 1;
									}
								}
								_t852 = E00DDEFA0( &_v472,  &_v936);
								_v1928 = 8;
								_t1129 = _v1876 - _t1249;
								__eflags = _t1129;
								do {
									_v1908 = _t852 / _v1924;
									_t1210 = _t852 % _v1924 + 0x30;
									_t854 = _v1928;
									__eflags = _t1129 - _t854;
									if(_t1129 > _t854) {
										 *((char*)(_t854 + _t1249)) = _t1210;
										goto L304;
									} else {
										__eflags = _t1210 - 0x30;
										if(_t1210 == 0x30) {
											L304:
											_t1205 = _v1881;
										} else {
											_t1205 = _t1099;
											_v1881 = _t1205;
										}
									}
									_t855 = _t854 - 1;
									_v1928 = _t855;
									__eflags = _t855 - 0xffffffff;
									_t852 = _v1908;
								} while (_t855 != 0xffffffff);
								__eflags = _t1129 - 9;
								if(_t1129 > 9) {
									_t1129 = 9;
								}
								_t1246 = _t1249 + _t1129;
								_v1872 = _t1246;
								__eflags = _t1246 - _v1876;
								if(_t1246 != _v1876) {
									continue;
								}
								goto L309;
							}
						}
						L309:
						 *_t1246 = 0;
						__eflags = _v472;
						if(_v472 != 0) {
							goto L311;
						} else {
							__eflags = _t1205;
							if(__eflags != 0) {
								goto L311;
							}
						}
						goto L312;
					} else {
						_t1129 = _v1932;
						 *((intOrPtr*)(_v1932 + 4)) = _t1099;
						_t1084 = _t802 - 1;
						__eflags = _t1084;
						if(_t1084 == 0) {
							_t1085 = E00DD4D82(_v1888, _a28, "1#INF");
							__eflags = _t1085;
							if(_t1085 != 0) {
								goto L315;
							} else {
								L311:
								_t1099 = 0;
								__eflags = 0;
								goto L312;
							}
						} else {
							_t1090 = _t1084 - 1;
							__eflags = _t1090;
							if(_t1090 == 0) {
								_push("1#QNAN");
								goto L20;
							} else {
								_t1092 = _t1090 - 1;
								__eflags = _t1092;
								if(_t1092 == 0) {
									_push("1#SNAN");
									goto L20;
								} else {
									__eflags = _t1092 != 1;
									if(_t1092 != 1) {
										goto L24;
									} else {
										_push("1#IND");
										goto L20;
									}
								}
							}
						}
					}
				} else {
					_t1129 = _t1283 & 0x000fffff;
					if((_a4 | _t1283 & 0x000fffff) == 0 || (_v1956 & 0x01000000) != 0) {
						_push(0xdeb0dc);
						 *((intOrPtr*)(_v1932 + 4)) =  *(_v1932 + 4) & 0x00000000;
						L20:
						_push(_a28);
						_push(_v1888);
						if(E00DD4D82() != 0) {
							L315:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00DD3466();
							asm("int3");
							return E00DE1826(E00DE1848(__eflags));
						} else {
							L312:
							_t1327 = _v1944;
							if(_v1944 != 0) {
								E00DE128D(_t1129, _t1327,  &_v1952);
							}
							return E00DCF35B(_v8 ^ _t1310);
						}
					} else {
						goto L12;
					}
				}
			}

0x00ddf428
0x00ddf428
0x00ddf42b
0x00ddf42d
0x00ddf433
0x00ddf43a
0x00ddf440
0x00ddf449
0x00ddf457
0x00ddf467
0x00ddf46b
0x00ddf47d
0x00ddf483
0x00ddf46d
0x00ddf46d
0x00ddf46d
0x00ddf489
0x00ddf48a
0x00ddf48d
0x00ddf490
0x00ddf491
0x00ddf493
0x00ddf4a2
0x00ddf49d
0x00ddf49f
0x00ddf49f
0x00ddf4a4
0x00ddf4ae
0x00ddf4b6
0x00ddf4c0
0x00ddf4cf
0x00ddf4d4
0x00ddf502
0x00ddf506
0x00ddf50c
0x00ddf50e
0x00ddf581
0x00ddf58a
0x00ddf597
0x00ddf59b
0x00ddf59e
0x00ddf5a4
0x00ddf5ac
0x00ddf5b2
0x00ddf5bc
0x00ddf5bc
0x00ddf5bf
0x00ddf5cb
0x00ddf5d2
0x00ddf5d2
0x00ddf5d2
0x00ddf5c1
0x00ddf5c3
0x00ddf5c3
0x00ddf5de
0x00ddf5ec
0x00ddf5f2
0x00ddf5f4
0x00ddf5fc
0x00ddf602
0x00ddf607
0x00ddf608
0x00ddf609
0x00ddf613
0x00ddf618
0x00ddf620
0x00ddf621
0x00ddf626
0x00ddf62f
0x00ddf62f
0x00ddf631
0x00ddf628
0x00ddf628
0x00ddf62d
0x00000000
0x00000000
0x00ddf62d
0x00ddf637
0x00ddf645
0x00ddf647
0x00ddf650
0x00ddf656
0x00ddf657
0x00ddf65d
0x00ddf663
0x00ddf669
0x00ddfa08
0x00ddfa0b
0x00ddfb25
0x00ddfb27
0x00ddfb2c
0x00ddfb2c
0x00ddfb2c
0x00ddfb3a
0x00ddfb41
0x00ddfb44
0x00ddfb49
0x00ddfb49
0x00ddfb46
0x00ddfb46
0x00ddfb46
0x00ddfb4d
0x00ddfb4f
0x00ddfb53
0x00ddfb55
0x00ddfb58
0x00ddfb87
0x00ddfb8a
0x00ddfb8d
0x00ddfb8f
0x00ddfb92
0x00ddfb92
0x00ddfb94
0x00ddfb9f
0x00ddfb9f
0x00ddfb96
0x00ddfb96
0x00ddfb96
0x00ddfba1
0x00ddfba3
0x00ddfbae
0x00ddfbae
0x00ddfba5
0x00ddfba5
0x00ddfba5
0x00ddfbb7
0x00ddfbbe
0x00ddfbbf
0x00ddfbc0
0x00ddfbc3
0x00000000
0x00000000
0x00ddfbc5
0x00ddfbc5
0x00ddfb92
0x00ddfbcd
0x00ddfbcd
0x00ddfb5a
0x00ddfb5a
0x00ddfb67
0x00ddfb7d
0x00ddfb82
0x00ddfb82
0x00ddfbe6
0x00ddfbf2
0x00ddfbff
0x00ddfc01
0x00ddfa11
0x00ddfa11
0x00ddfa18
0x00ddfa22
0x00ddfa2c
0x00ddfa2e
0x00ddfa34
0x00ddfa34
0x00ddfa36
0x00ddfa36
0x00ddfa3d
0x00ddfa44
0x00000000
0x00000000
0x00ddfa4a
0x00ddfa4d
0x00ddfa50
0x00000000
0x00ddfa52
0x00ddfa52
0x00ddfa54
0x00ddfa57
0x00ddfa5d
0x00ddfa62
0x00ddfa5f
0x00ddfa5f
0x00ddfa5f
0x00ddfa66
0x00ddfa69
0x00ddfa6d
0x00ddfa6f
0x00ddfa72
0x00ddfa9e
0x00ddfaa1
0x00ddfaa4
0x00ddfaa6
0x00ddfaa9
0x00ddfaa9
0x00ddfaab
0x00ddfab6
0x00ddfaad
0x00ddfaad
0x00ddfaad
0x00ddfab8
0x00ddfaba
0x00ddfac5
0x00ddfabc
0x00ddfabc
0x00ddfabc
0x00ddfacf
0x00ddfad6
0x00ddfad7
0x00ddfad8
0x00ddfadb
0x00000000
0x00000000
0x00ddfadd
0x00ddfadd
0x00ddfaa9
0x00ddfae5
0x00ddfae5
0x00ddfa74
0x00ddfa7b
0x00ddfa88
0x00ddfa94
0x00ddfa99
0x00ddfa99
0x00ddfafe
0x00ddfb0a
0x00ddfb19
0x00ddfb19
0x00000000
0x00ddfa50
0x00ddfa36
0x00000000
0x00ddfa2e
0x00ddfc08
0x00ddfc08
0x00ddfc0b
0x00ddfc10
0x00ddfc16
0x00ddfc2f
0x00ddfc36
0x00ddfc39
0x00ddfc39
0x00ddf66f
0x00ddf66f
0x00ddf676
0x00ddf680
0x00ddf68a
0x00ddf68c
0x00ddf870
0x00ddf870
0x00ddf87c
0x00ddf884
0x00ddf88a
0x00ddf894
0x00ddf89a
0x00ddf89f
0x00ddf8a5
0x00ddf8a6
0x00ddf8a6
0x00ddf8a6
0x00ddf8ad
0x00ddf8b3
0x00ddf8b5
0x00ddf8c2
0x00ddf8c5
0x00ddf8d0
0x00ddf8d0
0x00ddf8d0
0x00ddf8c7
0x00ddf8c8
0x00ddf8c8
0x00ddf8d7
0x00ddf8dd
0x00ddf8e2
0x00ddf8e5
0x00ddf8e8
0x00ddf91b
0x00ddf921
0x00ddf927
0x00ddf929
0x00ddf92f
0x00ddf932
0x00000000
0x00ddf934
0x00ddf934
0x00ddf937
0x00ddf938
0x00ddf93e
0x00ddf944
0x00ddf946
0x00ddf94e
0x00ddf94e
0x00ddf956
0x00ddf959
0x00ddf95f
0x00ddf95f
0x00ddf961
0x00ddf968
0x00ddf968
0x00ddf963
0x00ddf963
0x00ddf963
0x00ddf96a
0x00ddf970
0x00ddf973
0x00ddf975
0x00ddf97b
0x00ddf97b
0x00ddf977
0x00ddf977
0x00ddf977
0x00ddf99f
0x00ddf9a7
0x00ddf9b6
0x00ddf9b7
0x00ddf9ba
0x00ddf9c0
0x00ddf9c1
0x00ddf9c7
0x00ddf9cd
0x00000000
0x00000000
0x00ddf9cf
0x00ddf9cf
0x00ddf9d7
0x00ddf9d7
0x00ddf9dd
0x00ddf9df
0x00ddf9e1
0x00ddf9e9
0x00ddf9e9
0x00ddf9e9
0x00ddf9f1
0x00ddf9f1
0x00ddf8ea
0x00ddf8ea
0x00ddf8ed
0x00ddf8f3
0x00ddf908
0x00ddf90d
0x00ddf90d
0x00ddf9f7
0x00ddfa01
0x00ddf692
0x00ddf692
0x00ddf692
0x00ddf694
0x00ddf69b
0x00ddf6a2
0x00000000
0x00000000
0x00ddf6a8
0x00ddf6ab
0x00ddf6ae
0x00000000
0x00ddf6b0
0x00ddf6b0
0x00ddf6bc
0x00ddf6c4
0x00ddf6ca
0x00ddf6d4
0x00ddf6da
0x00ddf6df
0x00ddf6e5
0x00ddf6e6
0x00ddf6e6
0x00ddf6e6
0x00ddf6ed
0x00ddf6f3
0x00ddf6f5
0x00ddf702
0x00ddf705
0x00ddf710
0x00ddf710
0x00ddf710
0x00ddf707
0x00ddf708
0x00ddf708
0x00ddf717
0x00ddf71d
0x00ddf722
0x00ddf725
0x00ddf728
0x00ddf75b
0x00ddf761
0x00ddf767
0x00ddf769
0x00ddf76f
0x00ddf772
0x00000000
0x00ddf774
0x00ddf774
0x00ddf777
0x00ddf778
0x00ddf77e
0x00ddf784
0x00ddf786
0x00ddf78e
0x00ddf78e
0x00ddf796
0x00ddf799
0x00ddf79f
0x00ddf79f
0x00ddf7a1
0x00ddf7a8
0x00ddf7a8
0x00ddf7a3
0x00ddf7a3
0x00ddf7a3
0x00ddf7aa
0x00ddf7b0
0x00ddf7b3
0x00ddf7b5
0x00ddf7bb
0x00ddf7bb
0x00ddf7b7
0x00ddf7b7
0x00ddf7b7
0x00ddf7df
0x00ddf7e7
0x00ddf7f6
0x00ddf7f7
0x00ddf7fa
0x00ddf800
0x00ddf801
0x00ddf807
0x00ddf80d
0x00000000
0x00000000
0x00ddf80f
0x00ddf80f
0x00ddf817
0x00ddf817
0x00ddf81d
0x00ddf81f
0x00ddf821
0x00ddf829
0x00ddf829
0x00ddf829
0x00ddf831
0x00ddf831
0x00ddf72a
0x00ddf72a
0x00ddf72d
0x00ddf733
0x00ddf748
0x00ddf74d
0x00ddf74d
0x00ddf839
0x00ddf83a
0x00ddf840
0x00ddf840
0x00000000
0x00ddf6ae
0x00000000
0x00ddf694
0x00ddf841
0x00ddf841
0x00ddf84e
0x00ddf855
0x00ddf85b
0x00ddf85c
0x00ddf85d
0x00ddf863
0x00ddf868
0x00ddf868
0x00ddfc3a
0x00ddfc44
0x00ddfc45
0x00ddfc4b
0x00ddfc4d
0x00de014b
0x00de014d
0x00de014f
0x00de0155
0x00de0157
0x00de015d
0x00de015f
0x00de0541
0x00de0541
0x00de0543
0x00de0549
0x00de0550
0x00de0556
0x00de0558
0x00de060b
0x00de060b
0x00de060d
0x00de060e
0x00de0614
0x00000000
0x00de055e
0x00de055e
0x00de0560
0x00de0566
0x00de056c
0x00de056e
0x00de0574
0x00de057b
0x00de057b
0x00de057d
0x00de057d
0x00de058a
0x00de0591
0x00de0597
0x00de059a
0x00de059b
0x00de05a1
0x00de05a1
0x00de05a5
0x00de05a7
0x00de05ad
0x00de05b3
0x00de05b6
0x00000000
0x00de05b8
0x00de05b8
0x00de05bf
0x00de05bf
0x00de05b6
0x00de05a7
0x00de056e
0x00de0560
0x00de0558
0x00de0165
0x00de0165
0x00de0165
0x00de0168
0x00de016c
0x00de016c
0x00de016d
0x00de017f
0x00de018c
0x00de019b
0x00de01c5
0x00de01ca
0x00de01d0
0x00de01d3
0x00de01d9
0x00de01db
0x00de02ad
0x00de02b3
0x00de037d
0x00de0383
0x00de0389
0x00de0389
0x00de0389
0x00de038c
0x00de038e
0x00de038e
0x00de0394
0x00de039a
0x00de039c
0x00de03b8
0x00de03c4
0x00de03ca
0x00de03d0
0x00de039e
0x00de03a4
0x00de03b0
0x00de03b0
0x00de03d6
0x00de03d8
0x00de03da
0x00de03e0
0x00de03e2
0x00de04f3
0x00de04f3
0x00de04f9
0x00de04fe
0x00de04fe
0x00de0501
0x00de0502
0x00000000
0x00de03e8
0x00de03e8
0x00de03e8
0x00de03ec
0x00de040c
0x00de040e
0x00de0410
0x00de0416
0x00de041c
0x00de0422
0x00de0428
0x00de042a
0x00de042a
0x00de042d
0x00000000
0x00000000
0x00de042f
0x00de0431
0x00de0433
0x00de043b
0x00de043e
0x00de043e
0x00de0440
0x00de0440
0x00de044c
0x00de044f
0x00de0455
0x00de0464
0x00de0467
0x00de046e
0x00de0474
0x00de0477
0x00de0478
0x00de0479
0x00de047f
0x00de0485
0x00de048b
0x00000000
0x00000000
0x00000000
0x00de048b
0x00de048d
0x00de048f
0x00de0497
0x00de049a
0x00de04a0
0x00de04a0
0x00de04a3
0x00000000
0x00000000
0x00de04a5
0x00de04a7
0x00de04a9
0x00de04a9
0x00de04ac
0x00de04af
0x00de04af
0x00de04b5
0x00de04bc
0x00de04be
0x00de04bf
0x00de04c1
0x00de04c1
0x00de04c3
0x00de04c9
0x00de04cb
0x00de04cd
0x00000000
0x00de04cd
0x00000000
0x00de04cb
0x00de04a0
0x00de04d5
0x00de04d5
0x00de04d5
0x00de04db
0x00de04de
0x00de05c7
0x00000000
0x00de04e4
0x00de04e4
0x00000000
0x00de04e4
0x00de03ee
0x00de03ee
0x00de03f0
0x00de03f6
0x00de03fe
0x00de03fe
0x00de0401
0x00de0401
0x00000000
0x00de03f0
0x00000000
0x00de04ea
0x00de04ea
0x00de04eb
0x00de04eb
0x00000000
0x00de03e8
0x00de02b9
0x00de02b9
0x00de02c4
0x00de02d0
0x00de02dd
0x00de02e5
0x00de02ea
0x00de02ed
0x00de02ef
0x00de030b
0x00de030d
0x00000000
0x00de0313
0x00de0313
0x00de031a
0x00000000
0x00de0320
0x00de0326
0x00de0328
0x00de032e
0x00de032e
0x00de0330
0x00de0330
0x00de0336
0x00de033f
0x00de0346
0x00de0349
0x00de034a
0x00de034c
0x00de034c
0x00de0354
0x00de0356
0x00000000
0x00de035c
0x00de035c
0x00de0362
0x00de0365
0x00de05cc
0x00de05cf
0x00de05d5
0x00de05ea
0x00de05ef
0x00de05f2
0x00de036b
0x00de036b
0x00de0372
0x00000000
0x00de0372
0x00de0365
0x00de0356
0x00de031a
0x00de02f1
0x00de02f3
0x00de02f9
0x00de02ff
0x00de0300
0x00de0508
0x00de0508
0x00de050f
0x00de0510
0x00de0511
0x00de0516
0x00de0519
0x00de0519
0x00de0519
0x00de02ef
0x00de01e1
0x00de01e1
0x00de01e7
0x00de01e9
0x00de0221
0x00de0223
0x00000000
0x00de0225
0x00de0225
0x00de022c
0x00000000
0x00de022e
0x00de0234
0x00de0236
0x00de023c
0x00de023c
0x00de023e
0x00de023e
0x00de0240
0x00de0249
0x00de0250
0x00de0253
0x00de0254
0x00de0256
0x00de0256
0x00de025e
0x00de0260
0x00000000
0x00de0262
0x00de0262
0x00de0268
0x00de026b
0x00de027f
0x00de0285
0x00de029e
0x00de02a3
0x00de02a6
0x00000000
0x00de026d
0x00de026d
0x00de0274
0x00000000
0x00de0274
0x00de026b
0x00de0260
0x00de022c
0x00000000
0x00de01eb
0x00de01eb
0x00de01ee
0x00de01f4
0x00de020d
0x00de0212
0x00de0215
0x00de0215
0x00de0215
0x00de0217
0x00de0217
0x00de0217
0x00de051b
0x00de051b
0x00de051d
0x00de05f9
0x00de0600
0x00de0607
0x00de061a
0x00de0620
0x00de0621
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00de0523
0x00de0529
0x00de0529
0x00de052f
0x00de052f
0x00de053b
0x00000000
0x00de053b
0x00ddfc53
0x00ddfc53
0x00ddfc55
0x00ddfc5b
0x00ddfc5d
0x00ddfc63
0x00ddfc65
0x00de0060
0x00de0060
0x00de0062
0x00de0068
0x00de006f
0x00de0075
0x00de0077
0x00de00db
0x00de00dd
0x00de00e3
0x00de00e9
0x00de00eb
0x00de00f1
0x00de00f8
0x00de00f8
0x00de00fa
0x00de00fa
0x00de0107
0x00de010e
0x00de0114
0x00de0117
0x00de0118
0x00de011e
0x00de011e
0x00de0122
0x00de0124
0x00de012a
0x00de0130
0x00de0133
0x00000000
0x00de0139
0x00de0139
0x00de0140
0x00de0140
0x00de0133
0x00de0124
0x00de00eb
0x00de0079
0x00de0079
0x00de007b
0x00de0081
0x00de0087
0x00000000
0x00de0087
0x00de0077
0x00ddfc6b
0x00ddfc6b
0x00ddfc6b
0x00ddfc6e
0x00ddfc72
0x00ddfc72
0x00ddfc73
0x00ddfc85
0x00ddfc92
0x00ddfca1
0x00ddfccb
0x00ddfcd0
0x00ddfcd6
0x00ddfcd9
0x00ddfcdf
0x00ddfce1
0x00ddfdb3
0x00ddfdb9
0x00ddfe99
0x00ddfe9f
0x00ddfea5
0x00ddfea5
0x00ddfea5
0x00ddfea8
0x00ddfeaa
0x00ddfeaa
0x00ddfeb0
0x00ddfeb6
0x00ddfeb8
0x00ddfed4
0x00ddfee0
0x00ddfee6
0x00ddfeec
0x00ddfeba
0x00ddfec0
0x00ddfecc
0x00ddfecc
0x00ddfef2
0x00ddfef4
0x00ddfef6
0x00ddfefc
0x00ddfefe
0x00de0016
0x00de0016
0x00de001c
0x00de0021
0x00de0021
0x00de0024
0x00de0025
0x00000000
0x00ddff04
0x00ddff04
0x00ddff04
0x00ddff08
0x00ddff28
0x00ddff2a
0x00ddff2c
0x00ddff32
0x00ddff38
0x00ddff3e
0x00ddff44
0x00ddff46
0x00ddff46
0x00ddff49
0x00000000
0x00000000
0x00ddff4b
0x00ddff4d
0x00ddff4f
0x00ddff57
0x00ddff5a
0x00ddff5a
0x00ddff5c
0x00ddff5c
0x00ddff68
0x00ddff6b
0x00ddff71
0x00ddff81
0x00ddff8a
0x00ddff91
0x00ddff97
0x00ddff9a
0x00ddff9b
0x00ddffa1
0x00ddffa2
0x00ddffa8
0x00ddffae
0x00000000
0x00000000
0x00000000
0x00ddffae
0x00ddffb0
0x00ddffb2
0x00ddffba
0x00ddffbd
0x00ddffc3
0x00ddffc3
0x00ddffc6
0x00000000
0x00000000
0x00ddffc8
0x00ddffca
0x00ddffcc
0x00ddffcc
0x00ddffcf
0x00ddffd2
0x00ddffd2
0x00ddffd8
0x00ddffdf
0x00ddffe1
0x00ddffe2
0x00ddffe4
0x00ddffe4
0x00ddffe6
0x00ddffec
0x00ddffee
0x00ddfff0
0x00000000
0x00ddfff0
0x00000000
0x00ddffee
0x00ddffc3
0x00ddfff8
0x00ddfff8
0x00ddfff8
0x00ddfffe
0x00de0001
0x00de008a
0x00de008c
0x00de0091
0x00de0097
0x00de009d
0x00de009e
0x00000000
0x00de0007
0x00de0007
0x00000000
0x00de0007
0x00ddff0a
0x00ddff0a
0x00ddff0c
0x00ddff12
0x00ddff1a
0x00ddff1a
0x00ddff1d
0x00ddff1d
0x00000000
0x00ddff0c
0x00000000
0x00de000d
0x00de000d
0x00de000e
0x00de000e
0x00000000
0x00ddff04
0x00ddfdbf
0x00ddfdbf
0x00ddfdca
0x00ddfdd6
0x00ddfde3
0x00ddfdeb
0x00ddfdf0
0x00ddfdf3
0x00ddfdf5
0x00ddfe11
0x00ddfe13
0x00000000
0x00ddfe19
0x00ddfe19
0x00ddfe20
0x00000000
0x00ddfe26
0x00ddfe2c
0x00ddfe2e
0x00ddfe34
0x00ddfe34
0x00ddfe36
0x00ddfe36
0x00ddfe3c
0x00ddfe45
0x00ddfe4c
0x00ddfe4f
0x00ddfe50
0x00ddfe52
0x00ddfe52
0x00ddfe5a
0x00ddfe5c
0x00000000
0x00ddfe62
0x00ddfe62
0x00ddfe68
0x00ddfe6b
0x00ddfe81
0x00ddfe87
0x00ddfe8d
0x00ddfe8e
0x00de00a4
0x00de00a4
0x00de00ab
0x00de00ac
0x00de00ad
0x00de00b2
0x00de00b5
0x00ddfe6d
0x00ddfe6d
0x00ddfe74
0x00000000
0x00ddfe74
0x00ddfe6b
0x00ddfe5c
0x00ddfe20
0x00ddfdf7
0x00ddfdf9
0x00ddfdff
0x00ddfe05
0x00ddfe06
0x00de002b
0x00de002b
0x00de0032
0x00de0033
0x00de0034
0x00de0039
0x00de003c
0x00de003c
0x00de003c
0x00ddfdf5
0x00ddfce7
0x00ddfce7
0x00ddfced
0x00ddfcef
0x00ddfd27
0x00ddfd29
0x00000000
0x00ddfd2b
0x00ddfd2b
0x00ddfd32
0x00000000
0x00ddfd34
0x00ddfd3a
0x00ddfd3c
0x00ddfd42
0x00ddfd42
0x00ddfd44
0x00ddfd44
0x00ddfd46
0x00ddfd4f
0x00ddfd56
0x00ddfd59
0x00ddfd5a
0x00ddfd5c
0x00ddfd5c
0x00ddfd64
0x00ddfd66
0x00000000
0x00ddfd68
0x00ddfd68
0x00ddfd6e
0x00ddfd71
0x00ddfd85
0x00ddfd8b
0x00ddfda4
0x00ddfda9
0x00ddfdac
0x00000000
0x00ddfd73
0x00ddfd73
0x00ddfd7a
0x00000000
0x00ddfd7a
0x00ddfd71
0x00ddfd66
0x00ddfd32
0x00000000
0x00ddfcf1
0x00ddfcf1
0x00ddfcf4
0x00ddfcfa
0x00ddfd13
0x00ddfd18
0x00ddfd1b
0x00ddfd1b
0x00ddfd1b
0x00ddfd1d
0x00ddfd1d
0x00ddfd1d
0x00de003e
0x00de003e
0x00de0040
0x00de00b9
0x00de00c0
0x00de00c0
0x00de00c0
0x00de00c7
0x00de00c9
0x00de00cf
0x00de00d0
0x00de0627
0x00de0627
0x00de0628
0x00de0629
0x00de062e
0x00000000
0x00000000
0x00000000
0x00000000
0x00de0042
0x00de0048
0x00de0048
0x00de004e
0x00de004e
0x00de005a
0x00000000
0x00de005a
0x00ddfc65
0x00de0631
0x00de0631
0x00de0637
0x00de063d
0x00de0643
0x00de0645
0x00de0647
0x00de064e
0x00de064e
0x00de0650
0x00de0650
0x00de0659
0x00de065a
0x00de0662
0x00de0669
0x00de066c
0x00de066d
0x00de0673
0x00de0673
0x00de0677
0x00de067d
0x00de067f
0x00de0681
0x00de0687
0x00de068a
0x00de069b
0x00de069e
0x00de06a4
0x00de06b9
0x00de06be
0x00de068c
0x00de068c
0x00de0693
0x00de0693
0x00de068a
0x00de067f
0x00de06cf
0x00de06d6
0x00de06de
0x00de06df
0x00de06e1
0x00de084b
0x00de084d
0x00de085d
0x00de0860
0x00de0862
0x00000000
0x00de084f
0x00de0855
0x00000000
0x00de0855
0x00000000
0x00de06e7
0x00de06e7
0x00de06ed
0x00de06f0
0x00de06f6
0x00de06f9
0x00de06ff
0x00de0705
0x00de0707
0x00de0709
0x00de070b
0x00de070b
0x00de070d
0x00de070d
0x00de071a
0x00de0721
0x00de0724
0x00de0725
0x00de0727
0x00de0728
0x00de0728
0x00de0730
0x00de0736
0x00de0738
0x00de073e
0x00de0740
0x00de0746
0x00de0749
0x00de0823
0x00de0829
0x00de083e
0x00de0843
0x00de074f
0x00de0755
0x00de075c
0x00de075c
0x00de075c
0x00de075c
0x00de0749
0x00de0762
0x00de0762
0x00de0768
0x00de0768
0x00de0768
0x00de076e
0x00de0774
0x00de0777
0x00de077d
0x00de077f
0x00de0781
0x00de0787
0x00de0789
0x00de078d
0x00de078f
0x00de078f
0x00de078f
0x00de078d
0x00de0787
0x00de0794
0x00de0795
0x00de0797
0x00de0799
0x00de0799
0x00de079b
0x00de079d
0x00de079f
0x00de07a5
0x00de07ab
0x00de07ad
0x00de07b3
0x00de07b3
0x00de07b9
0x00de07bf
0x00de07c1
0x00000000
0x00000000
0x00de07c7
0x00de07c9
0x00de07c9
0x00de07cb
0x00de07cb
0x00de07d7
0x00de07db
0x00de07e2
0x00de07e5
0x00de07e6
0x00de07e8
0x00de07e8
0x00de07f0
0x00de07f6
0x00de07f8
0x00de07fe
0x00de0804
0x00de080a
0x00de080d
0x00de086d
0x00de0870
0x00de0876
0x00de088b
0x00de0890
0x00de080f
0x00de0811
0x00de0818
0x00de0818
0x00de080d
0x00de08a1
0x00de08ae
0x00de08b8
0x00de08b8
0x00de08ba
0x00de08c2
0x00de08c8
0x00de08cb
0x00de08d1
0x00de08d3
0x00de08e4
0x00000000
0x00de08d5
0x00de08d5
0x00de08d8
0x00de08e7
0x00de08e7
0x00de08da
0x00de08da
0x00de08dc
0x00de08dc
0x00de08d8
0x00de08ed
0x00de08ee
0x00de08f4
0x00de08f7
0x00de08f7
0x00de08ff
0x00de0902
0x00de0906
0x00de0906
0x00de0907
0x00de0909
0x00de090f
0x00de0915
0x00000000
0x00000000
0x00000000
0x00de0915
0x00de07b3
0x00de091b
0x00de091b
0x00de091e
0x00de0925
0x00000000
0x00de0927
0x00de0927
0x00de0929
0x00000000
0x00000000
0x00de0929
0x00000000
0x00ddf510
0x00ddf510
0x00ddf516
0x00ddf519
0x00ddf519
0x00ddf51c
0x00ddf56c
0x00ddf574
0x00ddf576
0x00000000
0x00ddf57c
0x00de092b
0x00de092b
0x00de092b
0x00000000
0x00de092b
0x00ddf51e
0x00ddf51e
0x00ddf51e
0x00ddf521
0x00ddf53b
0x00000000
0x00ddf523
0x00ddf523
0x00ddf523
0x00ddf526
0x00ddf534
0x00000000
0x00ddf528
0x00ddf528
0x00ddf52b
0x00000000
0x00ddf52d
0x00ddf52d
0x00000000
0x00ddf52d
0x00ddf52b
0x00ddf526
0x00ddf521
0x00ddf51c
0x00ddf4d6
0x00ddf4db
0x00ddf4e3
0x00ddf4f7
0x00ddf4fc
0x00ddf540
0x00ddf540
0x00ddf543
0x00ddf553
0x00de0954
0x00de0956
0x00de0957
0x00de0958
0x00de0959
0x00de095a
0x00de095b
0x00de0960
0x00de096d
0x00ddf559
0x00de092d
0x00de092d
0x00de0936
0x00de093f
0x00de0944
0x00de0953
0x00de0953
0x00000000
0x00000000
0x00000000
0x00ddf4e3

APIs

__floor_pentium4.LIBCMT ref: 00DDF60C

Strings

1#INF, xrefs: 00DDF55E
1#QNAN, xrefs: 00DDF53B
1#IND, xrefs: 00DDF52D
1#SNAN, xrefs: 00DDF534

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f6e0b0db75ff523a786e6dca772faa4b60dfb0da5253e7edb0088950cb18a04b
Instruction ID: f35c57c31ace4eb6a51af1e7a5953fdc460e380ab7f9aa3b301ee6ca427ffbb4
Opcode Fuzzy Hash: f6e0b0db75ff523a786e6dca772faa4b60dfb0da5253e7edb0088950cb18a04b
Instruction Fuzzy Hash: 6ED22671E082288BDB65DF29DD407EAB7B5EB44304F1841EAD44EE7240E778AE85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8E0B Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00DC8E0B(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v10;
				signed int _v12;
				struct _OSVERSIONINFOW _v292;
				signed int _v296;
				intOrPtr _v300;
				void* __ebp;
				signed int _t25;
				signed int _t35;
				signed int _t37;
				signed int _t40;
				signed int _t43;
				void* _t46;
				intOrPtr _t51;
				void* _t57;
				signed int _t59;
				struct HINSTANCE__* _t61;
				signed int _t62;

				_t57 = __edx;
				_t25 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t25 ^ _t62;
				_t59 = 0;
				_v292.dwOSVersionInfoSize = 0x11c;
				E00DD1190(0,  &(_v292.dwMajorVersion), 0, 0x118);
				if(GetVersionExW( &_v292) == 0) {
					L8:
					L9:
					return E00DCF35B(_v8 ^ _t62);
				}
				_t51 = _v292.dwMajorVersion;
				if(_t51 == 6 || _t51 == 0xa) {
					_v296 = _t59;
					_v300 = _v292.dwMinorVersion;
					_t61 = E00DC6765(L"kernel32.dll", _t57, __eflags);
					__eflags = _t61;
					if(_t61 == 0) {
						goto L8;
					}
					_t35 = GetProcAddress(_t61, "GetProductInfo");
					__eflags = _t35;
					if(_t35 != 0) {
						_t59 =  *_t35(_t51, _v300, _t59, _t59,  &_v296);
					}
					FreeLibrary(_t61);
					__eflags = _t59;
					if(_t59 == 0) {
						goto L8;
					}
					_t37 = _v296;
					__eflags = _t37 - 0x1b;
					if(__eflags > 0) {
						__eflags = _t37 - 0x54;
						if(__eflags > 0) {
							__eflags = _t37 - 0x79;
							if(_t37 < 0x79) {
								goto L8;
							}
							__eflags = _t37 - 0x7a;
							if(_t37 <= 0x7a) {
								_push(4);
								goto L22;
							}
							__eflags = _t37 - 0x7c;
							if(_t37 <= 0x7c) {
								goto L8;
							}
							__eflags = _t37 - 0x7e;
							if(_t37 <= 0x7e) {
								L34:
								_push(3);
								goto L22;
							}
							__eflags = _t37 + 0xffffff7f - 1;
							if(_t37 + 0xffffff7f > 1) {
								goto L8;
							}
							goto L34;
						}
						if(__eflags == 0) {
							goto L34;
						}
						_t40 = _t37 - 0x30;
						__eflags = _t40;
						if(_t40 == 0) {
							goto L12;
						}
						_t43 = _t40 - 0x16;
						__eflags = _t43;
						if(_t43 == 0) {
							goto L34;
						}
						__eflags = _t43 == 0;
						if(_t43 == 0) {
							goto L34;
						}
						goto L8;
					}
					if(__eflags == 0) {
						goto L34;
					}
					_t46 = _t37 - 1;
					__eflags = _t46 - 0x18;
					if(_t46 > 0x18) {
						goto L8;
					}
					switch( *((intOrPtr*)(( *(_t46 + 0xdc8f97) & 0x000000ff) * 4 +  &M00DC8F87))) {
						case 0:
							goto L12;
						case 1:
							goto L34;
						case 2:
							goto L21;
						case 3:
							goto L8;
					}
				} else {
					if(_t51 != 5) {
						goto L8;
					}
					if(_v292.dwMinorVersion != 2) {
						__eflags = _v292.dwMinorVersion - 1;
						if(_v292.dwMinorVersion != 1) {
							goto L8;
						}
						__eflags = _v12 & 0x00000200;
						if((_v12 & 0x00000200) != 0) {
							goto L8;
						}
						L12:
						goto L9;
					}
					if(_v10 != 1 || E00DC8DBF() != 9) {
						if((_v12 & 0x00008000) == 0) {
							L21:
							_push(2);
							L22:
							goto L9;
						}
						goto L8;
					} else {
						goto L12;
					}
				}
			}

0x00dc8e0b
0x00dc8e14
0x00dc8e1b
0x00dc8e26
0x00dc8e28
0x00dc8e3a
0x00dc8e51
0x00dc8e8e
0x00dc8e90
0x00dc8e9e
0x00dc8e9e
0x00dc8e53
0x00dc8e5c
0x00dc8ec1
0x00dc8ec7
0x00dc8ed2
0x00dc8ed4
0x00dc8ed6
0x00000000
0x00000000
0x00dc8ede
0x00dc8ee4
0x00dc8ee6
0x00dc8efa
0x00dc8efa
0x00dc8efd
0x00dc8f03
0x00dc8f05
0x00000000
0x00000000
0x00dc8f07
0x00dc8f0d
0x00dc8f10
0x00dc8f34
0x00dc8f37
0x00dc8f54
0x00dc8f57
0x00000000
0x00000000
0x00dc8f5d
0x00dc8f60
0x00dc8f82
0x00000000
0x00dc8f82
0x00dc8f62
0x00dc8f65
0x00000000
0x00000000
0x00dc8f6b
0x00dc8f6e
0x00dc8f7e
0x00dc8f7e
0x00000000
0x00dc8f7e
0x00dc8f75
0x00dc8f78
0x00000000
0x00000000
0x00000000
0x00dc8f78
0x00dc8f39
0x00000000
0x00000000
0x00dc8f3b
0x00dc8f3b
0x00dc8f3e
0x00000000
0x00000000
0x00dc8f44
0x00dc8f44
0x00dc8f47
0x00000000
0x00000000
0x00dc8f4a
0x00dc8f4d
0x00000000
0x00000000
0x00000000
0x00dc8f4f
0x00dc8f12
0x00000000
0x00000000
0x00dc8f14
0x00dc8f15
0x00dc8f18
0x00000000
0x00000000
0x00dc8f25
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00dc8e63
0x00dc8e66
0x00000000
0x00000000
0x00dc8e6f
0x00dc8e9f
0x00dc8ea6
0x00000000
0x00000000
0x00dc8ea8
0x00dc8eaf
0x00000000
0x00000000
0x00dc8eb1
0x00000000
0x00dc8eb3
0x00dc8e75
0x00dc8e88
0x00dc8f2c
0x00dc8f2c
0x00dc8f2e
0x00000000
0x00dc8f2e
0x00000000
0x00000000
0x00000000
0x00000000
0x00dc8e75

APIs

GetVersionExW.KERNEL32(0000011C,?,?,00000000), ref: 00DC8E49
GetProcAddress.KERNEL32(00000000,GetProductInfo), ref: 00DC8EDE
FreeLibrary.KERNEL32(00000000), ref: 00DC8EFD

Part of subcall function 00DC8DBF: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,?,?,?,?,?,?,00DC8E7C), ref: 00DC8DD6
Part of subcall function 00DC8DBF: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DC8DE2

Strings

kernel32.dll, xrefs: 00DC8EBC
GetProductInfo, xrefs: 00DC8ED8

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AddressProc$FreeHandleLibraryModuleVersion
String ID: GetProductInfo$kernel32.dll
API String ID: 2785142305-182221857
Opcode ID: 5bfd768aadfe40692dc4f0898a4828489664dc992837f9bf3b5cae177cd3515f
Instruction ID: 7a2767215cc76328e888de1d2848cd4bff0f9443b1fec9124da6227e9ec1c389
Opcode Fuzzy Hash: 5bfd768aadfe40692dc4f0898a4828489664dc992837f9bf3b5cae177cd3515f
Instruction Fuzzy Hash: 6531E53090025B6ADB349A688C89FFE766DEF06700F2C059EF511D7191DF32CE84AAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3047 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00DC3047(void* __ebx, signed int __ecx, signed int __edx, struct _SYSTEMTIME* __edi, void* __esi, intOrPtr _a4) {
				signed int _v12;
				struct _SYSTEMTIME _v28;
				signed int _v32;
				void* __ebp;
				signed int _t19;
				long _t21;
				long _t22;
				intOrPtr _t37;
				struct _SYSTEMTIME* _t43;
				signed int _t46;
				void* _t47;

				_t43 = __edi;
				_t41 = __edx;
				_t38 = __ecx;
				_t19 =  *0xdf8008; // 0x9fa9e963
				_v12 = _t19 ^ _t46;
				_v32 = __edx;
				_t37 = _a4;
				if(__ecx != 0) {
					_t43 =  &_v28;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					GetLocalTime( &_v28);
					_push(_v28.wMilliseconds & 0x0000ffff);
					_push(_v28.wSecond & 0x0000ffff);
					_push(_v28.wMinute & 0x0000ffff);
					_push(_v28.wHour & 0x0000ffff);
					_t38 = 0x64;
					_t12 = (_v28.wYear & 0x0000ffff) % _t38;
					_t41 = _t12;
					_push(_t12);
					_push(_v28.wDay & 0x0000ffff);
					E00DC7D9C(_t37, L"[%02d/%02d/%02d %02d:%02d:%02d.%03d]", _v28.wMonth & 0x0000ffff);
					_t47 = _t47 + 0x24;
				}
				_t21 = GetCurrentThreadId();
				_t22 = GetCurrentProcessId();
				_push(_t21);
				_push(_t22);
				E00DC7DB1(_t37, _t38, _t41, _t43, _t37, L"[%s][%u:%u]", _v32);
				return E00DCF35B(_v12 ^ _t46);
			}

0x00dc3047
0x00dc3047
0x00dc3047
0x00dc304d
0x00dc3054
0x00dc3057
0x00dc305b
0x00dc3062
0x00dc3066
0x00dc3069
0x00dc306a
0x00dc306b
0x00dc306c
0x00dc3071
0x00dc307d
0x00dc3082
0x00dc3087
0x00dc308c
0x00dc3093
0x00dc3094
0x00dc3094
0x00dc309a
0x00dc309b
0x00dc30a7
0x00dc30ac
0x00dc30ac
0x00dc30af
0x00dc30b7
0x00dc30bd
0x00dc30be
0x00dc30c8
0x00dc30de

APIs

GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,00DC3ABC,?,00000000), ref: 00DC3071
GetCurrentThreadId.KERNEL32 ref: 00DC30AF
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,00DC3ABC,?,00000000), ref: 00DC30B7

Strings

[%s][%u:%u], xrefs: 00DC30C2
[%02d/%02d/%02d %02d:%02d:%02d.%03d], xrefs: 00DC30A1

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Current$LocalProcessThreadTime
String ID: [%02d/%02d/%02d %02d:%02d:%02d.%03d]$[%s][%u:%u]
API String ID: 2750998906-1978067781
Opcode ID: 3a6acef34d5d5a64b7a23813ba4595a79fe46d7b9bdfc6529fb3990423d314de
Instruction ID: 605c21f6a3b56f338de00f4139db1dd32ffea73e2b7bec4976e2e7385e2c69f4
Opcode Fuzzy Hash: 3a6acef34d5d5a64b7a23813ba4595a79fe46d7b9bdfc6529fb3990423d314de
Instruction Fuzzy Hash: 6F1170A2A00219BEDB50ABE9DC45DBFB7FCEF4C701B044025FA01E6140DA398945D770

Uniqueness

Uniqueness Score: -1.00%

Function 00DC1209 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC1209(struct HINSTANCE__* __ecx, struct HRSRC__* __edx, signed int _a4) {
				void* _t5;
				struct HINSTANCE__* _t11;
				void* _t13;
				signed int _t16;
				struct HRSRC__* _t17;
				signed short* _t18;

				_t17 = __edx;
				_t11 = __ecx;
				_t5 = LoadResource(__ecx, __edx);
				if(_t5 == 0) {
					L8:
					return 0;
				}
				_t18 = LockResource(_t5);
				if(_t18 == 0) {
					goto L8;
				}
				_t13 = _t18 + SizeofResource(_t11, _t17);
				_t16 = _a4 & 0x0000000f;
				if(_t16 <= 0) {
					L5:
					if(_t18 >= _t13 ||  *_t18 == 0) {
						goto L8;
					} else {
						return _t18;
					}
				}
				while(_t18 < _t13) {
					_t18 =  &(( &(_t18[ *_t18 & 0x0000ffff]))[1]);
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L5;
				}
				goto L8;
			}

0x00dc120f
0x00dc1211
0x00dc1215
0x00dc121d
0x00dc125f
0x00000000
0x00dc125f
0x00dc1226
0x00dc122a
0x00000000
0x00000000
0x00dc1237
0x00dc123a
0x00dc123d
0x00dc1251
0x00dc1253
0x00000000
0x00dc125b
0x00000000
0x00dc125b
0x00dc1253
0x00dc123f
0x00dc1249
0x00dc124c
0x00dc124f
0x00000000
0x00000000
0x00000000
0x00dc124f
0x00000000

APIs

LoadResource.KERNEL32 ref: 00DC1215
LockResource.KERNEL32(00000000), ref: 00DC1220
SizeofResource.KERNEL32 ref: 00DC122E

Strings

pdv, xrefs: 00DC122E

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID: pdv
API String ID: 2853612939-2118226256
Opcode ID: 3b07811782ae4ece5429b2ba0d7fde150fa6aee935ab5507164f10b5ad68ef67
Instruction ID: 6892daf5f61cc1b121d8fe6caf32a9f1b2e460fd3a613d69d62b654d7b05607f
Opcode Fuzzy Hash: 3b07811782ae4ece5429b2ba0d7fde150fa6aee935ab5507164f10b5ad68ef67
Instruction Fuzzy Hash: 9AF0C83D5002325B8B312A599C85D67F79EDBD3719704046EF949D7116D970DC4082B8

Uniqueness

Uniqueness Score: -1.00%

Function 00DDC8DF Relevance: 6.3, APIs: 4, Instructions: 337
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00DDC8DF(signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t87;
				void* _t93;
				intOrPtr _t94;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t111;
				void* _t113;
				signed int _t114;
				void* _t115;
				void* _t118;
				void* _t120;
				void* _t122;
				signed int* _t124;
				void* _t127;
				signed int _t129;
				signed int _t131;
				signed int _t136;
				signed int* _t140;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				void* _t161;
				unsigned int _t162;
				intOrPtr _t171;
				signed int _t173;
				signed int* _t174;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t188;
				intOrPtr _t189;
				void* _t190;

				_t186 = _a24;
				if(_t186 < 0) {
					_t186 = 0;
				}
				_t183 = _a8;
				_t3 = _t186 + 0xb; // 0xb
				 *_t183 = 0;
				if(_a12 > _t3) {
					_t140 = _a4;
					_t147 = _t140[1];
					_t173 =  *_t140;
					__eflags = (_t147 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if(__eflags != 0) {
						__eflags = _t147;
						if(__eflags > 0) {
							L13:
							_t174 = _t183 + 1;
							_t87 = _a28 ^ 0x00000001;
							_v20 = 0x3ff;
							_v5 = _t87;
							_v16 = _t174;
							_v48 = ((_t87 & 0x000000ff) << 5) + 7;
							__eflags = _t147 & 0x7ff00000;
							_t93 = 0x30;
							if((_t147 & 0x7ff00000) != 0) {
								 *_t183 = 0x31;
								L18:
								_t149 = 0;
								__eflags = 0;
								L19:
								_t184 =  &(_t174[0]);
								__eflags = _t186;
								if(_t186 != 0) {
									_t94 = _a40;
									__eflags =  *((char*)(_t94 + 0x14));
									if(__eflags == 0) {
										E00DD8A50(_t94, _t174, __eflags);
										_t94 = _a40;
										_t174 = _v16;
									}
									_t149 = 0;
									__eflags = 0;
									_t98 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)) + 0x88))))));
								} else {
									_t98 = _t149;
								}
								 *_t174 = _t98;
								_t100 = _t140[1] & 0x000fffff;
								__eflags = _t100;
								_v40 = _t100;
								if(_t100 > 0) {
									L26:
									_t175 = _t149;
									_t150 = 0xf0000;
									_t101 = 0x30;
									_v12 = _t101;
									_v24 = _t149;
									_v28 = 0xf0000;
									while(1) {
										_v32 = _v12 & 0x0000ffff;
										_t104 = _t184;
										_v36 = _t184;
										_v40 = _t186;
										__eflags = _t186;
										if(__eflags <= 0) {
											break;
										}
										_t127 = E00DE3CB0( *_t140 & _t175, _v32 & 0x0000ffff, _t140[1] & _t150 & 0x000fffff);
										_t161 = 0x30;
										_t129 = _t127 + _t161 & 0x0000ffff;
										__eflags = _t129 - 0x39;
										if(_t129 > 0x39) {
											_t129 = _t129 + _v48;
											__eflags = _t129;
										}
										_t162 = _v28;
										_t175 = (_t162 << 0x00000020 | _v24) >> 4;
										 *_t184 = _t129;
										_t184 = _t184 + 1;
										_t150 = _t162 >> 4;
										_t131 = _v12 - 4;
										_t186 = _t186 - 1;
										_v24 = (_t162 << 0x00000020 | _v24) >> 4;
										_v28 = _t162 >> 4;
										_v12 = _t131;
										__eflags = _t131;
										if(_t131 >= 0) {
											continue;
										} else {
											goto L43;
										}
									}
									_t186 = _v40;
									_t184 = _t104;
									_t105 = E00DDD110(__eflags, _t140, _t175, _t150, _v32, _a36);
									_t190 = _t190 + 0x14;
									__eflags = _t105;
									if(_t105 == 0) {
										goto L43;
									}
									_t184 = _v36;
									_t146 = 0x30;
									_t124 = _t184 - 1;
									while(1) {
										_t156 =  *_t124;
										__eflags = _t156 - 0x66;
										if(_t156 == 0x66) {
											goto L36;
										}
										__eflags = _t156 - 0x46;
										if(_t156 != 0x46) {
											_t140 = _a4;
											__eflags = _t124 - _v16;
											if(_t124 == _v16) {
												_t65 = _t124 - 1;
												 *_t65 =  *(_t124 - 1) + 1;
												__eflags =  *_t65;
											} else {
												__eflags = _t156 - 0x39;
												if(_t156 != 0x39) {
													_t157 = _t156 + 1;
													__eflags = _t157;
												} else {
													_t157 = _v48 + 0x3a;
												}
												 *_t124 = _t157;
											}
											goto L43;
										}
										L36:
										 *_t124 = _t146;
										_t124 = _t124 - 1;
									}
								} else {
									__eflags =  *_t140 - _t149;
									if( *_t140 <= _t149) {
										L43:
										__eflags = _t186;
										if(_t186 > 0) {
											_push(_t186);
											_t122 = 0x30;
											_push(_t122);
											_push(_t184);
											E00DD1190(_t184);
											_t184 = _t184 + _t186;
											__eflags = _t184;
										}
										_t106 = _v16;
										__eflags =  *_t106;
										if( *_t106 == 0) {
											_t184 = _t106;
										}
										 *_t184 = (_v5 << 5) + 0x50;
										_t176 = _t140[1];
										_t111 = E00DE3CB0( *_t140, 0x34, _t176);
										_t141 = 0;
										_t188 = _t176 & 0;
										_t177 = _t184 + 2;
										_t154 = (_t111 & 0x000007ff) - _v20;
										__eflags = _t154;
										_v48 = _t177;
										asm("sbb esi, ebx");
										if(__eflags < 0) {
											L51:
											_t154 =  ~_t154;
											asm("adc esi, ebx");
											_t188 =  ~_t188;
											0x2b = 0x2d;
											goto L52;
										} else {
											if(__eflags > 0) {
												L50:
												L52:
												 *(_t184 + 1) = 0x2b;
												_t185 = _t177;
												_t113 = 0x30;
												 *_t177 = _t113;
												__eflags = _t188 - _t141;
												if(__eflags < 0) {
													L61:
													_t178 = 0x30;
													L62:
													__eflags = _t188 - _t141;
													if(__eflags < 0) {
														L66:
														_t155 = _t154 + _t178;
														__eflags = _t155;
														 *_t185 = _t155;
														 *(_t185 + 1) = _t141;
														L67:
														_t114 = 0;
														__eflags = 0;
														L68:
														return _t114;
													}
													if(__eflags > 0) {
														L65:
														_push(_t141);
														_push(_t141);
														_push(0xa);
														_push(_t188);
														_push(_t154);
														_t115 = E00DE3BB0();
														_v48 = _t178;
														_t178 = 0x30;
														 *_t185 = _t115 + _t178;
														_t185 = _t185 + 1;
														_t141 = 0;
														__eflags = 0;
														goto L66;
													}
													__eflags = _t154 - 0xa;
													if(_t154 < 0xa) {
														goto L66;
													}
													goto L65;
												}
												if(__eflags > 0) {
													L55:
													_push(_t141);
													_push(_t141);
													_push(0x3e8);
													_push(_t188);
													_push(_t154);
													_t118 = E00DE3BB0();
													_t188 = _t141;
													_v40 = _t177;
													_t177 = _v48;
													_t141 = 0;
													_t76 = _t177 + 1; // 0x1
													_t185 = _t76;
													 *_t177 = _t118 + 0x30;
													__eflags = _t185 - _t177;
													if(_t185 != _t177) {
														L59:
														_push(_t141);
														_push(_t141);
														_push(0x64);
														_push(_t188);
														_push(_t154);
														_t120 = E00DE3BB0();
														_t188 = _t141;
														_v40 = _t177;
														_t141 = 0;
														_t178 = 0x30;
														 *_t185 = _t120 + _t178;
														_t185 = _t185 + 1;
														__eflags = _t185 - _v48;
														if(_t185 != _v48) {
															goto L65;
														}
														goto L62;
													}
													L56:
													__eflags = _t188 - _t141;
													if(__eflags < 0) {
														goto L61;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t154 - 0x64;
													if(_t154 < 0x64) {
														goto L61;
													}
													goto L59;
												}
												__eflags = _t154 - 0x3e8;
												if(_t154 < 0x3e8) {
													goto L56;
												}
												goto L55;
											}
											__eflags = _t154;
											if(_t154 < 0) {
												goto L51;
											}
											goto L50;
										}
									}
									goto L26;
								}
							}
							 *_t183 = _t93;
							_t149 =  *_t140 | _t140[1] & 0x000fffff;
							__eflags = _t149;
							if(_t149 != 0) {
								_v20 = 0x3fe;
								goto L18;
							}
							_v20 = _t149;
							goto L19;
						}
						if(__eflags < 0) {
							L12:
							 *_t183 = 0x2d;
							_t183 = _t183 + 1;
							__eflags = _t183;
							_t147 = _t140[1];
							goto L13;
						}
						__eflags = _t173;
						if(_t173 >= 0) {
							goto L13;
						}
						goto L12;
					}
					_t114 = E00DDCC0B(_t140, _t147, __eflags, _t140, _t183, _a12, _a16, _a20, _t186, 0, _a32, _a36, _a40);
					__eflags = _t114;
					if(_t114 == 0) {
						_t136 = E00DE5070(_t183, 0x65);
						__eflags = _t136;
						if(_t136 != 0) {
							 *_t136 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							 *((char*)(_t136 + 3)) = 0;
						}
						goto L67;
					}
					 *_t183 = 0;
					goto L68;
				}
				_t171 = _a40;
				_t189 = 0x22;
				 *((char*)(_t171 + 0x1c)) = 1;
				 *((intOrPtr*)(_t171 + 0x18)) = _t189;
				E00DD33BC(_t183, _t189, 0, 0, 0, 0, 0, _t171);
				return _t189;
			}

0x00ddc8ea
0x00ddc8f0
0x00ddc8f2
0x00ddc8f2
0x00ddc8f4
0x00ddc8f7
0x00ddc8fa
0x00ddc8ff
0x00ddc924
0x00ddc927
0x00ddc92c
0x00ddc936
0x00ddc93b
0x00ddc994
0x00ddc996
0x00ddc9a5
0x00ddc9a8
0x00ddc9ab
0x00ddc9ad
0x00ddc9b4
0x00ddc9c6
0x00ddc9c9
0x00ddc9ce
0x00ddc9d2
0x00ddc9d3
0x00ddc9f3
0x00ddc9f6
0x00ddc9f6
0x00ddc9f6
0x00ddc9f8
0x00ddc9f8
0x00ddc9fb
0x00ddc9fd
0x00ddca03
0x00ddca06
0x00ddca0a
0x00ddca0e
0x00ddca13
0x00ddca16
0x00ddca16
0x00ddca1c
0x00ddca1c
0x00ddca26
0x00ddc9ff
0x00ddc9ff
0x00ddc9ff
0x00ddca28
0x00ddca2d
0x00ddca2d
0x00ddca32
0x00ddca35
0x00ddca3f
0x00ddca41
0x00ddca43
0x00ddca48
0x00ddca49
0x00ddca4c
0x00ddca4f
0x00ddca52
0x00ddca58
0x00ddca5b
0x00ddca5d
0x00ddca60
0x00ddca63
0x00ddca65
0x00000000
0x00000000
0x00ddca7c
0x00ddca83
0x00ddca87
0x00ddca8a
0x00ddca8d
0x00ddca8f
0x00ddca8f
0x00ddca8f
0x00ddca95
0x00ddca98
0x00ddca9c
0x00ddca9e
0x00ddcaa2
0x00ddcaa5
0x00ddcaa8
0x00ddcaa9
0x00ddcaac
0x00ddcaaf
0x00ddcab2
0x00ddcab5
0x00000000
0x00ddcab7
0x00000000
0x00ddcab7
0x00ddcab5
0x00ddcabc
0x00ddcabf
0x00ddcac7
0x00ddcacc
0x00ddcacf
0x00ddcad1
0x00000000
0x00000000
0x00ddcad3
0x00ddcad8
0x00ddcad9
0x00ddcadc
0x00ddcadc
0x00ddcade
0x00ddcae1
0x00000000
0x00000000
0x00ddcae3
0x00ddcae6
0x00ddcaed
0x00ddcaf0
0x00ddcaf3
0x00ddcb08
0x00ddcb08
0x00ddcb08
0x00ddcaf5
0x00ddcaf5
0x00ddcaf8
0x00ddcb02
0x00ddcb02
0x00ddcafa
0x00ddcafd
0x00ddcafd
0x00ddcb04
0x00ddcb04
0x00000000
0x00ddcaf3
0x00ddcae8
0x00ddcae8
0x00ddcaea
0x00ddcaea
0x00ddca37
0x00ddca37
0x00ddca39
0x00ddcb0b
0x00ddcb0b
0x00ddcb0d
0x00ddcb0f
0x00ddcb12
0x00ddcb13
0x00ddcb14
0x00ddcb15
0x00ddcb1d
0x00ddcb1d
0x00ddcb1d
0x00ddcb1f
0x00ddcb22
0x00ddcb25
0x00ddcb27
0x00ddcb27
0x00ddcb33
0x00ddcb37
0x00ddcb3a
0x00ddcb3f
0x00ddcb4b
0x00ddcb4d
0x00ddcb50
0x00ddcb50
0x00ddcb53
0x00ddcb56
0x00ddcb58
0x00ddcb64
0x00ddcb64
0x00ddcb68
0x00ddcb6a
0x00ddcb6c
0x00000000
0x00ddcb5a
0x00ddcb5a
0x00ddcb60
0x00ddcb6d
0x00ddcb6d
0x00ddcb70
0x00ddcb74
0x00ddcb75
0x00ddcb77
0x00ddcb79
0x00ddcbd5
0x00ddcbd7
0x00ddcbd8
0x00ddcbd8
0x00ddcbda
0x00ddcbfd
0x00ddcbfd
0x00ddcbfd
0x00ddcbff
0x00ddcc01
0x00ddcc04
0x00ddcc04
0x00ddcc04
0x00ddcc06
0x00000000
0x00ddcc06
0x00ddcbdc
0x00ddcbe3
0x00ddcbe3
0x00ddcbe4
0x00ddcbe5
0x00ddcbe7
0x00ddcbe8
0x00ddcbe9
0x00ddcbf2
0x00ddcbf5
0x00ddcbf8
0x00ddcbfa
0x00ddcbfb
0x00ddcbfb
0x00000000
0x00ddcbfb
0x00ddcbde
0x00ddcbe1
0x00000000
0x00000000
0x00000000
0x00ddcbe1
0x00ddcb80
0x00ddcb86
0x00ddcb86
0x00ddcb87
0x00ddcb88
0x00ddcb89
0x00ddcb8a
0x00ddcb8b
0x00ddcb90
0x00ddcb94
0x00ddcb99
0x00ddcb9c
0x00ddcb9e
0x00ddcb9e
0x00ddcba1
0x00ddcba3
0x00ddcba5
0x00ddcbb2
0x00ddcbb2
0x00ddcbb3
0x00ddcbb4
0x00ddcbb6
0x00ddcbb7
0x00ddcbb8
0x00ddcbbd
0x00ddcbc3
0x00ddcbc6
0x00ddcbc8
0x00ddcbcb
0x00ddcbcd
0x00ddcbce
0x00ddcbd1
0x00000000
0x00000000
0x00000000
0x00ddcbd3
0x00ddcba7
0x00ddcba7
0x00ddcba9
0x00000000
0x00000000
0x00ddcbab
0x00000000
0x00000000
0x00ddcbad
0x00ddcbb0
0x00000000
0x00000000
0x00000000
0x00ddcbb0
0x00ddcb82
0x00ddcb84
0x00000000
0x00000000
0x00000000
0x00ddcb84
0x00ddcb5c
0x00ddcb5e
0x00000000
0x00000000
0x00000000
0x00ddcb5e
0x00ddcb58
0x00000000
0x00ddca39
0x00ddca35
0x00ddc9d5
0x00ddc9e1
0x00ddc9e1
0x00ddc9e3
0x00ddc9ea
0x00000000
0x00ddc9ea
0x00ddc9e5
0x00000000
0x00ddc9e5
0x00ddc998
0x00ddc99e
0x00ddc99e
0x00ddc9a1
0x00ddc9a1
0x00ddc9a2
0x00000000
0x00ddc9a2
0x00ddc99a
0x00ddc99c
0x00000000
0x00000000
0x00000000
0x00ddc99c
0x00ddc955
0x00ddc95d
0x00ddc95f
0x00ddc96c
0x00ddc973
0x00ddc975
0x00ddc987
0x00ddc989
0x00ddc989
0x00000000
0x00ddc975
0x00ddc961
0x00000000
0x00ddc961
0x00ddc901
0x00ddc906
0x00ddc90d
0x00ddc911
0x00ddc914
0x00000000

APIs

_strrchr.LIBCMT ref: 00DDC96C

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 716d4ecc26b77629a783732f3220bcc07c94400b1eb225cbe04deade8fe57c63
Instruction ID: 6cca0ae6f5023de514709e5d9c6030be8072ae5240dc53ba99cf61a35939e19c
Opcode Fuzzy Hash: 716d4ecc26b77629a783732f3220bcc07c94400b1eb225cbe04deade8fe57c63
Instruction Fuzzy Hash: 03B14672A142469FDB11CF68C892BFEBBA5EF45300F1991ABE945AB341D234DD01CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE525D Relevance: 6.1, APIs: 4, Instructions: 83
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00DE525D(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				long _v24;
				struct _MEMORY_BASIC_INFORMATION _v52;
				struct _SYSTEM_INFO _v88;
				void* _v100;
				void* __ebp;
				signed int _t18;
				void* _t21;
				long _t22;
				long _t29;
				signed int _t38;
				signed int _t44;
				void* _t46;
				char _t48;
				long _t51;
				signed int _t52;
				void* _t53;

				_t18 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t18 ^ _t52;
				_push(4);
				E00DE3CD0();
				_t21 = _t53;
				_v16 = _t21;
				_t22 = VirtualQuery(_t21,  &_v52, 0x1c);
				_t55 = _t22;
				if(_t22 == 0) {
					L12:
					__eflags = 0;
				} else {
					_v20 = _v52.AllocationBase;
					GetSystemInfo( &_v88);
					_t38 = _v88.dwPageSize;
					_t48 = 0;
					_v12 = 0;
					if(E00DDAB6E(_t55,  &_v12) != 0 && _v12 > 0) {
						_t48 = _v12;
					}
					_t44 =  ~_t38;
					_t51 = _t48 - 0x00000001 + _t38 & _t44;
					if(_t51 != 0) {
						_t51 = _t51 + _t38;
					}
					_t29 = _t38 + _t38;
					if(_t51 < _t29) {
						_t51 = _t29;
					}
					_t46 = (_t44 & _v16) - _t51;
					if(_t46 < _v20 + _t38 || VirtualAlloc(_t46, _t51, 0x1000, 4) == 0 || VirtualProtect(_t46, _t51, 0x104,  &_v24) == 0) {
						goto L12;
					} else {
					}
				}
				return E00DCF35B(_v8 ^ _t52);
			}

0x00de5265
0x00de526c
0x00de5272
0x00de5275
0x00de527a
0x00de5283
0x00de5286
0x00de528c
0x00de528e
0x00de530e
0x00de530e
0x00de5290
0x00de5293
0x00de529a
0x00de52a0
0x00de52a6
0x00de52a9
0x00de52b3
0x00de52ba
0x00de52ba
0x00de52c0
0x00de52c4
0x00de52c6
0x00de52c8
0x00de52c8
0x00de52ca
0x00de52cf
0x00de52d1
0x00de52d1
0x00de52d9
0x00de52df
0x00000000
0x00de5309
0x00de530b
0x00de52df
0x00de5321

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00DE5286
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00DE529A
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,0000001C), ref: 00DE52EA
VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 00DE52FF

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 76136ecff101d1705729d44a837272d0b2c0e0d2f501bde8aeaea9aad8436457
Instruction ID: ae5562abf3e0e78c089f39e0fb67d6681e201b494e6d684207f32c8fd9687a8c
Opcode Fuzzy Hash: 76136ecff101d1705729d44a837272d0b2c0e0d2f501bde8aeaea9aad8436457
Instruction Fuzzy Hash: A1219572F00259ABCB20ABA5DC85AEF77B8EB44794F190566E905EB244E670D900C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00DCF243 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DCF243(intOrPtr* __ecx, void* __eflags) {
				intOrPtr* _t13;

				_t13 = __ecx;
				E00DCF296(__ecx);
				 *__ecx = 0x38;
				 *((intOrPtr*)(__ecx + 8)) = 0xdc0000;
				 *((intOrPtr*)(__ecx + 4)) = 0xdc0000;
				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
				 *((intOrPtr*)(__ecx + 0x10)) = 0xde73e0;
				if(E00DC11E1(__ecx + 0x14) < 0) {
					if(IsDebuggerPresent() != 0) {
						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
					}
					 *0xdf9b84 = 1;
				}
				return _t13;
			}

0x00dcf244
0x00dcf246
0x00dcf250
0x00dcf259
0x00dcf25c
0x00dcf25f
0x00dcf266
0x00dcf274
0x00dcf27e
0x00dcf285
0x00dcf285
0x00dcf28b
0x00dcf28b
0x00dcf295

APIs

Part of subcall function 00DC11E1: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,8007000E,?,-C000001E,00000001), ref: 00DC11E6
Part of subcall function 00DC11E1: GetLastError.KERNEL32(?,00000000,?,8007000E,?,-C000001E,00000001), ref: 00DC11F0

IsDebuggerPresent.KERNEL32(?,?,?,00DC1108), ref: 00DCF276
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DC1108), ref: 00DCF285

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DCF280

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: b23537dce70f32ee0260bf9d6366643f52effa2295be96555d29358aa3d0ca28
Instruction ID: dc1cf2a0821353faa408e1d08b568c40448a7569159344a46c2f89612bf0555f
Opcode Fuzzy Hash: b23537dce70f32ee0260bf9d6366643f52effa2295be96555d29358aa3d0ca28
Instruction Fuzzy Hash: 79E06D742043528BD3B4AF65E548B86BBE4EF04354F00892CE852C7340E7B4D549CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD323D Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E00DD323D(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __ebp;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0xdf8008; // 0x9fa9e963
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00DCFE4D(_t41);
					_pop(_t62);
				}
				E00DD1190(_t67,  &_v804, 0, 0x50);
				E00DD1190(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00DCFE4D(_t57);
				}
				return E00DCF35B(_v8 ^ _t70);
			}

0x00dd323d
0x00dd323d
0x00dd323d
0x00dd323d
0x00dd3248
0x00dd324d
0x00dd324f
0x00dd3257
0x00dd3259
0x00dd325c
0x00dd3261
0x00dd3261
0x00dd326d
0x00dd3280
0x00dd328e
0x00dd3294
0x00dd329a
0x00dd32a0
0x00dd32a6
0x00dd32ac
0x00dd32b2
0x00dd32b8
0x00dd32be
0x00dd32c4
0x00dd32cb
0x00dd32d2
0x00dd32d9
0x00dd32e0
0x00dd32e7
0x00dd32ee
0x00dd32ef
0x00dd32f8
0x00dd32fe
0x00dd3301
0x00dd3307
0x00dd3314
0x00dd331d
0x00dd3326
0x00dd332f
0x00dd333d
0x00dd333f
0x00dd3354
0x00dd3360
0x00dd3363
0x00dd3368
0x00dd3375

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00DD3335
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00DD333F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00DD334C

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6cd2542835910b661c462bb53c15dd6d4c27286d8cb8596456f92eb49cfdd3a3
Instruction ID: 5dbc5aec5228b7d17989690b9db2e5e211776d64b2dd122b2741e56aafcd58e3
Opcode Fuzzy Hash: 6cd2542835910b661c462bb53c15dd6d4c27286d8cb8596456f92eb49cfdd3a3
Instruction Fuzzy Hash: 5531D374901319ABCB21DF68D988B9DBBB8FF08310F5041EAE41CA7250EB709F858F65

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8FB3 Relevance: 4.5, APIs: 3, Instructions: 47
memoryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00DC8FB3(void* __ebx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				signed int _v20;
				void* _v24;
				void* __ebp;
				signed int _t17;
				signed int _t24;
				signed int _t31;

				_t17 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t17 ^ _t31;
				_v12 = 0x500;
				_v16.Value = 0;
				_v24 = 0;
				_t21 = AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24);
				_v20 = _t21;
				if(_t21 != 0) {
					_t24 =  &_v20;
					__imp__CheckTokenMembership(0, _v24, _t24);
					asm("sbb eax, eax");
					_v20 = _v20 &  ~_t24;
					FreeSid(_v24);
					_t21 = _v20;
				}
				return E00DCF35B(_v8 ^ _t31);
			}

0x00dc8fb9
0x00dc8fc0
0x00dc8fc6
0x00dc8fcf
0x00dc8fe5
0x00dc8fe9
0x00dc8fef
0x00dc8ff4
0x00dc8ff6
0x00dc8ffe
0x00dc9009
0x00dc900b
0x00dc900e
0x00dc9014
0x00dc9017
0x00dc9028

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00DCA636,?), ref: 00DC8FE9
CheckTokenMembership.ADVAPI32(00000000,?,00DCA636,?,?,00DCA636,?), ref: 00DC8FFE
FreeSid.ADVAPI32(?,?,?,00DCA636,?), ref: 00DC900E

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0decd7fbb880bbbff0476c46b5b392c355e33370a9d155114e331d0cefeb2606
Instruction ID: be3c22ecfd34e0487846bee08556e0e8456f0f5a203af558ff21b608642315a0
Opcode Fuzzy Hash: 0decd7fbb880bbbff0476c46b5b392c355e33370a9d155114e331d0cefeb2606
Instruction Fuzzy Hash: CC01E8B0E0030EAFDB00DFA4DD89ABEB7B9FB08704F554469A501E6281DB749A049B71

Uniqueness

Uniqueness Score: -1.00%

Function 00DDEFA0 Relevance: 3.4, APIs: 2, Instructions: 449
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00DDEFA0(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				char _v540;
				signed int _v544;
				signed int* _t179;
				signed int _t181;
				intOrPtr _t182;
				signed int _t185;
				signed int* _t187;
				signed int _t189;
				unsigned int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t201;
				intOrPtr _t207;
				void* _t210;
				signed int _t212;
				signed int _t223;
				void* _t227;
				signed int _t230;
				intOrPtr* _t237;
				signed int _t238;
				signed int* _t239;
				signed int _t241;
				signed int _t243;
				signed int _t244;
				void* _t245;
				intOrPtr* _t246;
				signed int _t247;
				signed int _t252;
				unsigned int _t253;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				intOrPtr _t260;
				void* _t264;
				signed char _t270;
				intOrPtr* _t272;
				signed int _t276;
				signed int* _t277;
				signed int _t284;
				signed int _t285;
				signed int* _t288;
				signed int _t291;
				signed int _t293;
				intOrPtr* _t294;
				signed int _t298;
				signed int _t299;
				intOrPtr* _t300;
				signed int _t305;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t314;
				void* _t315;
				signed int _t316;
				signed int* _t323;
				signed int* _t325;
				signed int _t329;
				signed int _t331;
				signed int _t332;
				signed int _t334;
				void* _t335;
				signed int _t340;
				signed int _t345;
				intOrPtr* _t347;
				signed int* _t348;

				_t179 = _a4;
				_t329 =  *_t179;
				if(_t329 == 0) {
					L76:
					__eflags = 0;
					return 0;
				} else {
					_t237 = _a8;
					_t310 =  *_t237;
					_v72 = _t310;
					if(_t310 == 0) {
						goto L76;
					} else {
						_t4 = _t329 - 1; // 0x1cb
						_t252 = _t4;
						_v8 = _t252;
						_t311 = _t310 + 0xffffffff;
						if(_t311 != 0) {
							__eflags = _t311 - _t252;
							if(_t311 > _t252) {
								goto L76;
							} else {
								_t181 = _t252;
								_t284 = _t252 - _t311;
								__eflags = _t252 - _t284;
								if(_t252 < _t284) {
									L19:
									_t284 = _t284 + 1;
									__eflags = _t284;
								} else {
									_t345 =  &(_a4[1]);
									__eflags = _t345;
									_t272 = _t345 + _t252 * 4;
									_t46 = _t237 + 4; // 0xde06d8
									_t347 = _t46 + _t311 * 4;
									while(1) {
										__eflags =  *_t347 -  *_t272;
										if(__eflags != 0) {
											break;
										}
										_t181 = _t181 - 1;
										_t347 = _t347 - 4;
										_t272 = _t272 - 4;
										__eflags = _t181 - _t284;
										if(_t181 >= _t284) {
											continue;
										} else {
											goto L19;
										}
										goto L20;
									}
									if(__eflags < 0) {
										goto L19;
									}
								}
								L20:
								__eflags = _t284;
								if(__eflags == 0) {
									goto L76;
								} else {
									_t182 = _a8;
									_t238 = _v72;
									_t331 =  *(_t182 + _t238 * 4);
									_t54 = _t238 * 4; // 0xffffe8cc
									_t253 =  *(_t182 + _t54 - 4);
									asm("bsr eax, esi");
									_v44 = _t331;
									_v36 = _t253;
									if(__eflags == 0) {
										_t312 = 0x20;
									} else {
										_t312 = 0x1f - _t182;
									}
									_v12 = _t312;
									_v40 = 0x20 - _t312;
									__eflags = _t312;
									if(_t312 != 0) {
										_t270 = _t312;
										_v36 = _v36 << _t270;
										_v44 = _t331 << _t270 | _t253 >> _v40;
										__eflags = _t238 - 2;
										if(_t238 > 2) {
											_t67 = _t238 * 4; // 0xe850ffff
											_t69 =  &_v36;
											 *_t69 = _v36 |  *(_a8 + _t67 - 8) >> _v40;
											__eflags =  *_t69;
										}
									}
									_t332 = 0;
									_v32 = 0;
									_t285 = _t284 + 0xffffffff;
									__eflags = _t285;
									_v80 = _t285;
									if(_t285 >= 0) {
										_t187 = _a4;
										_t256 = _t285 + _t238;
										_v48 = _t256;
										_v52 = _t187 + (_t285 + 1) * 4;
										_t189 = _t187 + _t256 * 4 + 0xfffffffc;
										__eflags = _t189;
										_v28 = _t189;
										do {
											__eflags = _t256 - _v8;
											if(_t256 > _v8) {
												_t257 = 0;
												__eflags = 0;
											} else {
												_t257 =  *(_t189 + 8);
											}
											_t291 =  *(_t189 + 4);
											_t241 = _t257;
											_t190 =  *_t189;
											_v76 = _t257;
											_v56 = 0;
											_v20 = _t190;
											__eflags = _t312;
											if(_t312 != 0) {
												_t298 = _t241;
												_t212 = E00DE3C90(_t291, _v12, _t298);
												_t257 = _v12;
												_t241 = _t298;
												_t291 = _t190 >> _v40 | _t212;
												_t332 = _v20 << _t257;
												__eflags = _v48 - 3;
												_v20 = _t332;
												if(_v48 >= 3) {
													_t257 = _v40;
													_t332 = _t332 |  *(_v28 - 4) >> _t257;
													__eflags = _t332;
													_v20 = _t332;
												}
											}
											_push(_t241);
											_t191 = E00DE3A30(_t291, _t241, _v44, 0);
											_v56 = _t241;
											_t243 = _t191;
											_t334 = _t332 ^ _t332;
											_t192 = _t291;
											_v24 = _t243;
											_v16 = _t192;
											_t314 = _t257;
											_v68 = _t243;
											_v64 = _t192;
											_v56 = _t334;
											__eflags = _t192;
											if(_t192 != 0) {
												L37:
												_t244 = _t243 + 1;
												asm("adc eax, 0xffffffff");
												_t314 = _t314 + E00DE3AD0(_t244, _t192, _v44, 0);
												asm("adc esi, edx");
												_t243 = _t244 | 0xffffffff;
												_t192 = 0;
												__eflags = 0;
												_v56 = _t334;
												_v24 = _t243;
												_v68 = _t243;
												_v16 = 0;
												_v64 = 0;
											} else {
												__eflags = _t243 - 0xffffffff;
												if(_t243 > 0xffffffff) {
													goto L37;
												}
											}
											__eflags = _t334;
											if(__eflags <= 0) {
												if(__eflags < 0) {
													goto L42;
												} else {
													__eflags = _t314 - 0xffffffff;
													if(_t314 <= 0xffffffff) {
														while(1) {
															L42:
															_v24 = _v20;
															_t210 = E00DE3AD0(_v36, 0, _t243, _t192);
															__eflags = _t291 - _t314;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L45:
																_t192 = _v16;
																_t243 = _t243 + 0xffffffff;
																_v68 = _t243;
																asm("adc eax, 0xffffffff");
																_t314 = _t314 + _v44;
																__eflags = _t314;
																_v16 = _t192;
																asm("adc dword [ebp-0x34], 0x0");
																_v64 = _t192;
																if(_t314 == 0) {
																	__eflags = _t314 - 0xffffffff;
																	if(_t314 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t210 - _v24;
																if(_t210 <= _v24) {
																	break;
																} else {
																	goto L45;
																}
															}
															L49:
															_v24 = _t243;
															goto L50;
														}
														_t192 = _v16;
														goto L49;
													}
												}
											}
											L50:
											__eflags = _t192;
											if(_t192 != 0) {
												L52:
												_t258 = _v72;
												_t315 = 0;
												_t335 = 0;
												__eflags = _t258;
												if(_t258 != 0) {
													_t246 = _v52;
													_t201 = _a8 + 4;
													__eflags = _t201;
													_v56 = _t201;
													_v20 = _t258;
													do {
														_v8 =  *_t201;
														_t207 =  *_t246;
														_t264 = _t315 + _v68 * _v8;
														asm("adc esi, edx");
														_t315 = _t335;
														_t335 = 0;
														__eflags = _t207 - _t264;
														if(_t207 < _t264) {
															_t315 = _t315 + 1;
															asm("adc esi, esi");
														}
														 *_t246 = _t207 - _t264;
														_t246 = _t246 + 4;
														_t201 = _v56 + 4;
														_t143 =  &_v20;
														 *_t143 = _v20 - 1;
														__eflags =  *_t143;
														_v56 = _t201;
													} while ( *_t143 != 0);
													_t243 = _v24;
													_t258 = _v72;
												}
												__eflags = 0 - _t335;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L61:
														__eflags = _t258;
														if(_t258 != 0) {
															_t245 = 0;
															_t294 = _v52;
															_t340 = _a8 + 4;
															__eflags = _t340;
															_t316 = _t258;
															do {
																_t260 =  *_t294;
																_t151 = _t340 + 4; // 0x8d8b5959
																_t340 = _t151;
																_t294 = _t294 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t294 - 4)) = _t260 +  *((intOrPtr*)(_t340 - 4)) + _t245;
																asm("adc eax, 0x0");
																_t245 = 0;
																_t316 = _t316 - 1;
																__eflags = _t316;
															} while (_t316 != 0);
															_t243 = _v24;
														}
														_t243 = _t243 + 0xffffffff;
														asm("adc dword [ebp-0xc], 0xffffffff");
													} else {
														__eflags = _v76 - _t315;
														if(_v76 < _t315) {
															goto L61;
														}
													}
												}
												_t259 = _v48;
												_v8 = _t259 - 1;
											} else {
												__eflags = _t243;
												if(_t243 == 0) {
													_t259 = _v48;
												} else {
													goto L52;
												}
											}
											_t332 = _v32;
											_t312 = _v12;
											asm("adc esi, 0x0");
											_v32 = 0 + _t243;
											_t293 = _v80 - 1;
											_v52 = _v52 - 4;
											_t256 = _t259 - 1;
											_t189 = _v28 - 4;
											_v80 = _t293;
											_v48 = _t256;
											_v28 = _t189;
											__eflags = _t293;
										} while (_t293 >= 0);
									}
									_t239 = _a4;
									_t255 = _v8 + 1;
									_t185 = _t255;
									__eflags = _t185 -  *_t239;
									if(_t185 <  *_t239) {
										_t288 =  &(( &(_t239[1]))[_t185]);
										do {
											 *_t288 = 0;
											_t288 =  &(_t288[1]);
											_t185 = _t185 + 1;
											__eflags = _t185 -  *_t239;
										} while (_t185 <  *_t239);
									}
									 *_t239 = _t255;
									__eflags = _t255;
									if(_t255 != 0) {
										while(1) {
											__eflags = _t239[_t255];
											if(_t239[_t255] != 0) {
												goto L75;
											}
											_t255 = _t255 + 0xffffffff;
											__eflags = _t255;
											 *_t239 = _t255;
											if(_t255 != 0) {
												continue;
											}
											goto L75;
										}
									}
									L75:
									return _v32;
								}
							}
						} else {
							_t6 = _t237 + 4; // 0xfffff8a4
							_t299 =  *_t6;
							_v8 = _t299;
							if(_t299 != 1) {
								__eflags = _t252;
								if(_t252 != 0) {
									_t247 = 0;
									_v12 = 0;
									_t323 = 0;
									_v28 = 0;
									__eflags = _t252 - 0xffffffff;
									if(_t252 != 0xffffffff) {
										_t276 = _t252 + 1;
										__eflags = _t276;
										_t277 =  &(_t179[_t276]);
										_v32 = _t277;
										do {
											_push(_t247);
											_t227 = E00DE3A30( *_t277, _t323, _t299, 0);
											_v28 = _t247;
											_t247 = _v12;
											_t323 = _t277;
											_v64 = _t299;
											_v12 = 0 + _t227;
											_t299 = _v8;
											asm("adc ebx, 0x0");
											_t277 = _v32 - 4;
											_v32 = _t277;
											_t329 = _t329 - 1;
											__eflags = _t329;
										} while (_t329 != 0);
										_t179 = _a4;
									}
									_t36 =  &(_t179[1]); // 0x4
									_t348 = _t36;
									 *_t179 = 0;
									_v544 = 0;
									E00DDA434(_t348, 0x1cc,  &_v540, 0);
									_t223 = _v28;
									_t300 = _a4;
									__eflags = 0 - _t223;
									 *_t348 = _t323;
									asm("sbb ecx, ecx");
									 *(_t300 + 8) = _t223;
									__eflags =  ~0x00000000;
									 *_t300 = 0xbadbae;
									return _v12;
								} else {
									_t325 =  &(_t179[1]);
									 *_t179 = _t252;
									_v544 = _t252;
									E00DDA434(_t325, 0x1cc,  &_v540, _t252);
									_t230 = _t179[1];
									_t305 = _t230 % _v8;
									 *_t325 = _t305;
									__eflags = 0 - _t305;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_a4 =  ~0x00000000;
									return _t230 / _v8;
								}
							} else {
								 *_t179 = _t311;
								_v544 = _t311;
								E00DDA434( &(_t179[1]), 0x1cc,  &_v540, _t311);
								return _t179[1];
							}
						}
					}
				}
			}

0x00ddefa5
0x00ddefb0
0x00ddefb5
0x00ddf41d
0x00ddf421
0x00ddf427
0x00ddefbb
0x00ddefbb
0x00ddefbe
0x00ddefc0
0x00ddefc5
0x00000000
0x00ddefcb
0x00ddefcb
0x00ddefcb
0x00ddefce
0x00ddefd1
0x00ddefd4
0x00ddf0fb
0x00ddf0fd
0x00000000
0x00ddf103
0x00ddf105
0x00ddf107
0x00ddf109
0x00ddf10b
0x00ddf135
0x00ddf135
0x00ddf135
0x00ddf10d
0x00ddf110
0x00ddf110
0x00ddf113
0x00ddf116
0x00ddf119
0x00ddf120
0x00ddf122
0x00ddf124
0x00000000
0x00000000
0x00ddf126
0x00ddf127
0x00ddf12a
0x00ddf12d
0x00ddf12f
0x00000000
0x00ddf131
0x00000000
0x00ddf131
0x00000000
0x00ddf12f
0x00ddf133
0x00000000
0x00000000
0x00ddf133
0x00ddf136
0x00ddf136
0x00ddf138
0x00000000
0x00ddf13e
0x00ddf13e
0x00ddf141
0x00ddf144
0x00ddf147
0x00ddf147
0x00ddf14b
0x00ddf14e
0x00ddf151
0x00ddf154
0x00ddf15f
0x00ddf156
0x00ddf15b
0x00ddf15b
0x00ddf169
0x00ddf16e
0x00ddf171
0x00ddf173
0x00ddf17c
0x00ddf17e
0x00ddf185
0x00ddf188
0x00ddf18b
0x00ddf193
0x00ddf199
0x00ddf199
0x00ddf199
0x00ddf199
0x00ddf18b
0x00ddf19c
0x00ddf19e
0x00ddf1a5
0x00ddf1a5
0x00ddf1a8
0x00ddf1ab
0x00ddf1b1
0x00ddf1b4
0x00ddf1b8
0x00ddf1c1
0x00ddf1c4
0x00ddf1c4
0x00ddf1c7
0x00ddf1d0
0x00ddf1d0
0x00ddf1d3
0x00ddf1da
0x00ddf1da
0x00ddf1d5
0x00ddf1d5
0x00ddf1d5
0x00ddf1dc
0x00ddf1df
0x00ddf1e1
0x00ddf1e3
0x00ddf1e6
0x00ddf1ed
0x00ddf1f0
0x00ddf1f2
0x00ddf200
0x00ddf204
0x00ddf209
0x00ddf20e
0x00ddf215
0x00ddf217
0x00ddf219
0x00ddf21d
0x00ddf220
0x00ddf225
0x00ddf22d
0x00ddf22d
0x00ddf22f
0x00ddf22f
0x00ddf220
0x00ddf232
0x00ddf23a
0x00ddf23f
0x00ddf244
0x00ddf246
0x00ddf248
0x00ddf24a
0x00ddf24d
0x00ddf250
0x00ddf252
0x00ddf255
0x00ddf258
0x00ddf25b
0x00ddf25d
0x00ddf264
0x00ddf269
0x00ddf26c
0x00ddf276
0x00ddf278
0x00ddf27a
0x00ddf27d
0x00ddf27d
0x00ddf27f
0x00ddf282
0x00ddf285
0x00ddf288
0x00ddf28b
0x00ddf25f
0x00ddf25f
0x00ddf262
0x00000000
0x00000000
0x00ddf262
0x00ddf28e
0x00ddf290
0x00ddf292
0x00000000
0x00ddf294
0x00ddf294
0x00ddf297
0x00ddf2a0
0x00ddf2a0
0x00ddf2ae
0x00ddf2b1
0x00ddf2b6
0x00ddf2b8
0x00000000
0x00000000
0x00ddf2ba
0x00ddf2c1
0x00ddf2c1
0x00ddf2c4
0x00ddf2c7
0x00ddf2ca
0x00ddf2cd
0x00ddf2cd
0x00ddf2d0
0x00ddf2d3
0x00ddf2d7
0x00ddf2da
0x00ddf2dc
0x00ddf2df
0x00000000
0x00000000
0x00ddf2e1
0x00ddf2df
0x00ddf2bc
0x00ddf2bc
0x00ddf2bf
0x00000000
0x00000000
0x00000000
0x00000000
0x00ddf2bf
0x00ddf2e6
0x00ddf2e6
0x00000000
0x00ddf2e6
0x00ddf2e3
0x00000000
0x00ddf2e3
0x00ddf297
0x00ddf292
0x00ddf2e9
0x00ddf2e9
0x00ddf2eb
0x00ddf2f5
0x00ddf2f5
0x00ddf2f8
0x00ddf2fa
0x00ddf2fc
0x00ddf2fe
0x00ddf303
0x00ddf306
0x00ddf306
0x00ddf309
0x00ddf30c
0x00ddf310
0x00ddf312
0x00ddf327
0x00ddf329
0x00ddf32b
0x00ddf32d
0x00ddf32f
0x00ddf331
0x00ddf333
0x00ddf335
0x00ddf338
0x00ddf338
0x00ddf33c
0x00ddf33e
0x00ddf344
0x00ddf347
0x00ddf347
0x00ddf347
0x00ddf34b
0x00ddf34b
0x00ddf350
0x00ddf353
0x00ddf353
0x00ddf358
0x00ddf35a
0x00ddf35c
0x00ddf363
0x00ddf363
0x00ddf365
0x00ddf36a
0x00ddf36c
0x00ddf36f
0x00ddf36f
0x00ddf372
0x00ddf374
0x00ddf374
0x00ddf376
0x00ddf376
0x00ddf37b
0x00ddf381
0x00ddf385
0x00ddf388
0x00ddf38b
0x00ddf38d
0x00ddf38d
0x00ddf38d
0x00ddf392
0x00ddf392
0x00ddf395
0x00ddf398
0x00ddf35e
0x00ddf35e
0x00ddf361
0x00000000
0x00000000
0x00ddf361
0x00ddf35c
0x00ddf39c
0x00ddf3a2
0x00ddf2ed
0x00ddf2ed
0x00ddf2ef
0x00ddf3a7
0x00000000
0x00000000
0x00000000
0x00ddf2ef
0x00ddf3aa
0x00ddf3b4
0x00ddf3b7
0x00ddf3ba
0x00ddf3c0
0x00ddf3c1
0x00ddf3c5
0x00ddf3c6
0x00ddf3c9
0x00ddf3cc
0x00ddf3cf
0x00ddf3d2
0x00ddf3d2
0x00ddf1d0
0x00ddf3dd
0x00ddf3e0
0x00ddf3e1
0x00ddf3e3
0x00ddf3e5
0x00ddf3ea
0x00ddf3f0
0x00ddf3f0
0x00ddf3f6
0x00ddf3f9
0x00ddf3fa
0x00ddf3fa
0x00ddf3f0
0x00ddf3fe
0x00ddf400
0x00ddf402
0x00ddf404
0x00ddf404
0x00ddf408
0x00000000
0x00000000
0x00ddf40a
0x00ddf40a
0x00ddf40d
0x00ddf40f
0x00000000
0x00000000
0x00000000
0x00ddf40f
0x00ddf404
0x00ddf411
0x00ddf41c
0x00ddf41c
0x00ddf138
0x00ddefda
0x00ddefda
0x00ddefda
0x00ddefdd
0x00ddefe3
0x00ddf014
0x00ddf016
0x00ddf05b
0x00ddf05d
0x00ddf064
0x00ddf066
0x00ddf069
0x00ddf06c
0x00ddf06e
0x00ddf06e
0x00ddf06f
0x00ddf072
0x00ddf075
0x00ddf075
0x00ddf07f
0x00ddf084
0x00ddf089
0x00ddf08c
0x00ddf091
0x00ddf098
0x00ddf09b
0x00ddf09e
0x00ddf0a1
0x00ddf0a4
0x00ddf0a7
0x00ddf0a7
0x00ddf0a7
0x00ddf0ac
0x00ddf0ac
0x00ddf0af
0x00ddf0af
0x00ddf0b2
0x00ddf0c0
0x00ddf0d1
0x00ddf0d6
0x00ddf0dc
0x00ddf0e1
0x00ddf0e3
0x00ddf0e5
0x00ddf0e9
0x00ddf0ef
0x00ddf0f1
0x00ddf0fa
0x00ddf018
0x00ddf01b
0x00ddf01f
0x00ddf02e
0x00ddf034
0x00ddf039
0x00ddf03d
0x00ddf048
0x00ddf04a
0x00ddf04c
0x00ddf050
0x00ddf053
0x00ddf05a
0x00ddf05a
0x00ddefe5
0x00ddefeb
0x00ddeffb
0x00ddf001
0x00ddf013
0x00ddf013
0x00ddefe3
0x00ddefd4
0x00ddefc5

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cab736e47d9e4f7878b85f2be13b9c529a610a8c5462b3cae1fefb3e2b90ecd
Instruction ID: 40e6ce2a0f3ef210c1b09d935bf44399d9033e965255ab5b1c09ade50161f6c9
Opcode Fuzzy Hash: 1cab736e47d9e4f7878b85f2be13b9c529a610a8c5462b3cae1fefb3e2b90ecd
Instruction Fuzzy Hash: 88F13071E002199FDF14CFA9D8806ADBBB1FF88314F19826AD816E7381D730AD45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DC59D6 Relevance: 3.1, APIs: 2, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00DC59D6(void* __ebx, void* __ecx, void* __edx, struct _ACL* __edi, void* _a4) {
				struct _ACL* _v8;
				long _v12;
				long _v16;
				long _v20;
				long _v24;
				struct _SECURITY_DESCRIPTOR* _v28;
				void* _v32;
				long _v36;
				long _v40;
				short _v44;
				signed char _v88;
				void* __esi;
				void* __ebp;
				struct _SECURITY_DESCRIPTOR* _t74;
				void* _t75;
				int _t77;
				int _t82;
				struct _SECURITY_DESCRIPTOR* _t87;
				int _t92;
				long _t103;
				struct _ACL* _t109;
				struct _ACL* _t113;
				void* _t117;
				void* _t119;
				void* _t123;
				struct _SECURITY_DESCRIPTOR* _t124;
				DWORD* _t129;
				intOrPtr* _t130;
				struct _ACL* _t150;
				DWORD* _t152;
				DWORD* _t154;
				void* _t157;
				struct _ACL* _t159;
				intOrPtr* _t160;
				void* _t165;
				void* _t167;
				void* _t171;
				void* _t172;
				void* _t174;

				_t150 = __edi;
				_t149 = __edx;
				_t123 = __ebx;
				_t165 = _t171;
				_t172 = _t171 - 0xc;
				_t157 = __ecx;
				_push(__edi);
				_t74 =  *(__ecx + 4);
				if(_t74 != 0) {
					L21();
					_t74 =  *(__ecx + 4);
				}
				_v8 = _v8 & 0x00000000;
				if(_t74 == 0) {
					L55();
					goto L6;
				} else {
					_t129 =  &_v16;
					if(GetSecurityDescriptorDacl(_t74, _t129,  &_v8,  &_v12) == 0) {
						E00DC239D(_t123, _t129, _t149);
						goto L19;
					} else {
						L6:
						_push(_t123);
						_t124 = _a4;
						_t9 =  &(_t124->Group); // 0x6a206a53
						_t75 =  *_t9;
						if(_t75 != 0 ||  *((intOrPtr*)(_t124 + 0x14)) == 0) {
							_t150 = 0;
							goto L11;
						} else {
							_t117 = E00DC53FF(_t124, _t124, _t149, _t150, _t157);
							_a4 = _t117;
							_t150 = E00DD3B1B();
							_t129 = _t117;
							if(_t150 == 0) {
								L19:
								_push(0x8007000e);
								goto L20;
							} else {
								_t119 = E00DC2712(_t124, _t124, _t150, _t157);
								_t149 = _a4;
								E00DC23B6(_t124, _t150, _a4, _t119, _a4);
								_t14 =  &(_t124->Group); // 0x6a206a53
								_t75 =  *_t14;
								L11:
								_pop(_t124);
								if(_t75 != 0 || _t150 != 0) {
									_t77 = 1;
								} else {
									_t77 = 0;
								}
								if(SetSecurityDescriptorDacl( *(_t157 + 4), _t77, _t150, 0) != 0) {
									return E00DD3557(_v8);
								} else {
									_t157 = E00DC2482();
									E00DD3557(_t150);
									_pop(_t129);
									_push(_t157);
									L20:
									_t82 = E00DC1185(_t129);
									asm("int3");
									_push(_t165);
									_t167 = _t172;
									_t174 = _t172 - 0x24;
									_push(_t150);
									_t152 = _t129;
									if(_t152[1] == 0) {
										L49:
										return _t82;
									} else {
										_push(_t157);
										_t159 = 0;
										_v44 = 0;
										_t82 = GetSecurityDescriptorControl(_t152[1],  &_v44,  &_v36);
										if(_t82 == 0) {
											_push(0x80004005);
											goto L53;
										} else {
											if((_v44 & 0x00008000) == 0) {
												L48:
												goto L49;
											} else {
												_v24 = 0;
												_v20 = 0;
												_v12 = 0;
												_v16 = 0;
												_v40 = 0;
												MakeAbsoluteSD(_t152[1], 0,  &_v40, 0,  &_v20, 0,  &_v24, 0,  &_v16, 0,  &_v12);
												if(GetLastError() != 0x7a) {
													L54:
													E00DC239D(_t124, _t129, _t149);
													asm("int3");
													_push(_t159);
													_push(_t152);
													_t154 = _t129;
													_t87 = E00DD3B1B();
													_t154[1] = _t87;
													_t130 = 0x14;
													if(_t87 == 0) {
														_push(0x8007000e);
														goto L60;
													} else {
														_t92 = InitializeSecurityDescriptor(_t87, 1);
														if(_t92 != 0) {
															return _t92;
														} else {
															_t159 = E00DC2482();
															E00DD3557(_t154[1]);
															_t154[1] = _t154[1] & 0x00000000;
															_pop(_t130);
															_push(_t159);
															L60:
															E00DC1185(_t130);
															asm("int3");
															_push(_t167);
															_push(_t159);
															_t160 = _t130;
															 *_t160 = 0xdf41c0;
															E00DC7F74(_t130);
															if((_v88 & 0x00000001) != 0) {
																_push(0xc);
																E00DCF62D(_t160);
															}
															return _t160;
														}
													}
												} else {
													_push(_t124);
													_push(_v40);
													_t124 = E00DD3B1B();
													if(_v16 == 0) {
														_v28 = 0;
													} else {
														_push(_v16);
														_v28 = E00DD3B1B();
													}
													if(_v12 == _t159) {
														_v32 = _t159;
													} else {
														_push(_v12);
														_v32 = E00DD3B1B();
													}
													_t103 = _v20;
													if(_t103 == 0) {
														_v36 = _t159;
													} else {
														_push(_t103);
														_v36 = E00DD3B1B();
														_t103 = _v20;
													}
													_t129 = _v24;
													if(_t129 != 0) {
														_push(_t129);
														_t113 = E00DD3B1B();
														_t129 = _v24;
														_t159 = _t113;
														_t103 = _v20;
													}
													if(_t124 == 0 || _v16 != 0 && _v28 == 0) {
														L50:
														_t152 = 0x8007000e;
														goto L51;
													} else {
														_t149 = _v32;
														if(_v12 == 0 || _t149 != 0) {
															_t109 = _v36;
															if(_t103 == 0 || _t109 != 0) {
																if(_t129 == 0 || _t159 != 0) {
																	_t129 =  &_v20;
																	if(MakeAbsoluteSD(_t152[1], _t124,  &_v40, _t109, _t129, _t159,  &_v24, _v28,  &_v16, _t149,  &_v12) != 0) {
																		_t82 = E00DC2C7E(_t152);
																		_t152[1] = _t124;
																		goto L48;
																	} else {
																		_t152 = E00DC2482();
																		L51:
																		E00DD3557(_t124);
																		E00DD3557(_v28);
																		E00DD3557(_v32);
																		E00DD3557(_v36);
																		E00DD3557(_t159);
																		_t174 = _t174 + 0x14;
																		_push(_t152);
																		L53:
																		E00DC1185(_t129);
																		goto L54;
																	}
																} else {
																	goto L50;
																}
															} else {
																goto L50;
															}
														} else {
															goto L50;
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00dc59d6
0x00dc59d6
0x00dc59d6
0x00dc59d7
0x00dc59d9
0x00dc59dd
0x00dc59df
0x00dc59e0
0x00dc59e5
0x00dc59e7
0x00dc59ec
0x00dc59ec
0x00dc59ef
0x00dc59f5
0x00dc5a16
0x00000000
0x00dc59f7
0x00dc59ff
0x00dc5a0c
0x00dc5aa2
0x00000000
0x00dc5a12
0x00dc5a1b
0x00dc5a1b
0x00dc5a1c
0x00dc5a1f
0x00dc5a1f
0x00dc5a24
0x00dc5a5f
0x00000000
0x00dc5a2c
0x00dc5a2e
0x00dc5a34
0x00dc5a3c
0x00dc5a3e
0x00dc5a41
0x00dc5aa7
0x00dc5aa7
0x00000000
0x00dc5a43
0x00dc5a48
0x00dc5a4d
0x00dc5a53
0x00dc5a58
0x00dc5a58
0x00dc5a61
0x00dc5a61
0x00dc5a64
0x00dc5a70
0x00dc5a6a
0x00dc5a6a
0x00dc5a6a
0x00dc5a80
0x00dc5a9f
0x00dc5a82
0x00dc5a88
0x00dc5a8a
0x00dc5a8f
0x00dc5a90
0x00dc5aac
0x00dc5aac
0x00dc5ab1
0x00dc5ab2
0x00dc5ab3
0x00dc5ab5
0x00dc5ab8
0x00dc5ab9
0x00dc5abf
0x00dc5c05
0x00dc5c07
0x00dc5ac5
0x00dc5ac5
0x00dc5ac9
0x00dc5acf
0x00dc5ad6
0x00dc5ade
0x00dc5c37
0x00000000
0x00dc5ae4
0x00dc5aeb
0x00dc5c04
0x00000000
0x00dc5af1
0x00dc5af4
0x00dc5afc
0x00dc5b04
0x00dc5b0c
0x00dc5b14
0x00dc5b1c
0x00dc5b2b
0x00dc5c41
0x00dc5c41
0x00dc5c46
0x00dc5c47
0x00dc5c48
0x00dc5c4b
0x00dc5c4d
0x00dc5c52
0x00dc5c55
0x00dc5c58
0x00dc5c81
0x00000000
0x00dc5c5a
0x00dc5c5d
0x00dc5c65
0x00dc5c80
0x00dc5c67
0x00dc5c6f
0x00dc5c71
0x00dc5c76
0x00dc5c7a
0x00dc5c7b
0x00dc5c86
0x00dc5c86
0x00dc5c8b
0x00dc5c8c
0x00dc5c8f
0x00dc5c90
0x00dc5c92
0x00dc5c98
0x00dc5ca1
0x00dc5ca3
0x00dc5ca6
0x00dc5cac
0x00dc5cb1
0x00dc5cb1
0x00dc5c65
0x00dc5b31
0x00dc5b31
0x00dc5b32
0x00dc5b3a
0x00dc5b40
0x00dc5b50
0x00dc5b42
0x00dc5b42
0x00dc5b4b
0x00dc5b4b
0x00dc5b56
0x00dc5b66
0x00dc5b58
0x00dc5b58
0x00dc5b61
0x00dc5b61
0x00dc5b69
0x00dc5b6e
0x00dc5b7f
0x00dc5b70
0x00dc5b70
0x00dc5b76
0x00dc5b79
0x00dc5b7c
0x00dc5b82
0x00dc5b87
0x00dc5b89
0x00dc5b8a
0x00dc5b90
0x00dc5b93
0x00dc5b95
0x00dc5b95
0x00dc5b9a
0x00dc5c08
0x00dc5c08
0x00000000
0x00dc5ba8
0x00dc5bac
0x00dc5baf
0x00dc5bb7
0x00dc5bba
0x00dc5bc2
0x00dc5bd9
0x00dc5bee
0x00dc5bfb
0x00dc5c00
0x00000000
0x00dc5bf0
0x00dc5bf5
0x00dc5c0d
0x00dc5c0e
0x00dc5c16
0x00dc5c1e
0x00dc5c26
0x00dc5c2c
0x00dc5c31
0x00dc5c34
0x00dc5c3c
0x00dc5c3c
0x00000000
0x00dc5c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00dc5baf
0x00dc5b9a
0x00dc5b2b
0x00dc5aeb
0x00dc5ade
0x00dc5abf
0x00dc5a80
0x00dc5a41
0x00dc5a24
0x00dc5a0c

APIs

GetSecurityDescriptorDacl.ADVAPI32(?,?,00000000,00DC60CD,00DC60CD,?,?,00DC60CD), ref: 00DC5A04
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,00DC60CD,?,?,00DC60CD), ref: 00DC5A78

Part of subcall function 00DC5AB2: GetSecurityDescriptorControl.ADVAPI32(00000000,?,?,00000000,00000000), ref: 00DC5AD6
Part of subcall function 00DC5AB2: MakeAbsoluteSD.ADVAPI32(00000000,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00DC5B1C
Part of subcall function 00DC5AB2: GetLastError.KERNEL32 ref: 00DC5B22

Part of subcall function 00DC5C47: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00DF35C8,00000000,00DC5896,00DF35C8,00000000,00000000,00000000,?,00DC60CD,?,00000220,?,10000000,00000000), ref: 00DC5C5D

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DescriptorSecurity$Dacl$AbsoluteControlErrorInitializeLastMake
String ID:
API String ID: 1496159268-0
Opcode ID: fc92fd29f9030feb9d7b5463d06338f7e94f60936b7b849894cd031145cbca31
Instruction ID: 9aefdb73dc38ecf71c610ee8345743dcd8136ecbfde48b96969945981dcb50ed
Opcode Fuzzy Hash: fc92fd29f9030feb9d7b5463d06338f7e94f60936b7b849894cd031145cbca31
Instruction Fuzzy Hash: 6321B235204A42AADB14AE66E886FBF77A8DF40750F18411DA856D7246EE70FE848A70

Uniqueness

Uniqueness Score: -1.00%

Function 00DCE4E6 Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00DCE4E6(intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr _t8;
				intOrPtr _t9;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t25;
				intOrPtr* _t28;
				intOrPtr* _t30;
				signed int _t36;
				struct _CRITICAL_SECTION** _t38;

				_t30 = __ecx;
				EnterCriticalSection(0xdf9e1c);
				_t28 =  *0xdf9e34; // 0x0
				_t8 =  *0xdf9e38; // 0x0
				_t9 = _t8 + 1;
				 *0xdf9e38 = _t9;
				_t25 =  *_t28;
				_t36 = ( *((intOrPtr*)(_t28 + 4)) -  *_t28 >> 2) - _t9;
				_t39 =  *((intOrPtr*)(_t28 + 4)) - _t25 >> 2 - _t36;
				if( *((intOrPtr*)(_t28 + 4)) - _t25 >> 2 <= _t36) {
					E00DCEE2F(_t25);
					asm("int3");
					SetUnhandledExceptionFilter(E00DCE588);
					E00DD349A(__eflags, E00DCE634);
					 *_t38 = 0xdce7b0;
					_t16 = E00DD2EAF(__eflags);
					 *0xdf9e38 =  *0xdf9e38 - 1;
					__eflags =  *0xdf9e38;
					 *_t38 = 0xdf9e1c;
					LeaveCriticalSection(??);
					return _t16;
				} else {
					_t17 =  *((intOrPtr*)(_t25 + _t36 * 4));
					 *_t30 = _t17;
					SetUnhandledExceptionFilter( *(_t17 + 0x7c));
					E00DD349A(_t39,  *((intOrPtr*)( *_t30 + 0x80)));
					E00DD2EAF(_t39,  *((intOrPtr*)( *_t30 + 0x84)));
					return _t30;
				}
			}

0x00dce4ed
0x00dce4ef
0x00dce4f5
0x00dce4fb
0x00dce500
0x00dce501
0x00dce50b
0x00dce510
0x00dce51a
0x00dce51c
0x00dce54d
0x00dce552
0x00dce558
0x00dce563
0x00dce568
0x00dce56f
0x00dce574
0x00dce574
0x00dce57a
0x00dce581
0x00dce587
0x00dce51e
0x00dce51e
0x00dce521
0x00dce526
0x00dce534
0x00dce541
0x00dce54c
0x00dce54c

APIs

EnterCriticalSection.KERNEL32(00DF9E1C,?,?,00DCE59B), ref: 00DCE4EF
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00DCE59B), ref: 00DCE526

Part of subcall function 00DD2EAF: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00DD2EB5

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CriticalEnterExceptionFilterSectionUnhandled__crt_fast_encode_pointer
String ID:
API String ID: 1436098898-0
Opcode ID: c212739885fbe0cf34403fb002ac5d4df406313c4e4fcd375a1458c864c2e3bb
Instruction ID: 3bca149d256444456437439d486ad7c48de4d7f74bde6b2b594873aa41850fb2
Opcode Fuzzy Hash: c212739885fbe0cf34403fb002ac5d4df406313c4e4fcd375a1458c864c2e3bb
Instruction Fuzzy Hash: 60F044766012128FC755EF28ED89E59BBB1FB453107194165F414CB321DB71EC85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DCE553 Relevance: 3.0, APIs: 2, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00DCE553(void* __eflags) {
				void* _t3;
				intOrPtr* _t4;
				void* _t5;

				_t5 = __eflags;
				SetUnhandledExceptionFilter(E00DCE588);
				E00DD349A(_t5, E00DCE634);
				 *_t4 = 0xdce7b0;
				_t3 = E00DD2EAF(_t5);
				 *0xdf9e38 =  *0xdf9e38 - 1;
				 *_t4 = 0xdf9e1c;
				LeaveCriticalSection(??);
				return _t3;
			}

0x00dce553
0x00dce558
0x00dce563
0x00dce568
0x00dce56f
0x00dce574
0x00dce57a
0x00dce581
0x00dce587

APIs

SetUnhandledExceptionFilter.KERNEL32(00DCE588,?,?,00DCE59B), ref: 00DCE558

Part of subcall function 00DD2EAF: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00DD2EB5

LeaveCriticalSection.KERNEL32(00DCE634,?,?,00DCE59B), ref: 00DCE581

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CriticalExceptionFilterLeaveSectionUnhandled__crt_fast_encode_pointer
String ID:
API String ID: 2525146520-0
Opcode ID: 59bde3fe10dd366dd273b5a3bb7875c0c82edd330a7069f7135c333c129f2c0f
Instruction ID: fbbc30ad7f2c625f891c14ff1905a0a38ef44576162fa403b6ae1160ac71025d
Opcode Fuzzy Hash: 59bde3fe10dd366dd273b5a3bb7875c0c82edd330a7069f7135c333c129f2c0f
Instruction Fuzzy Hash: 22D0C9B44963428ECB407B90989AA28BB70EA10300B41884DF48086351D7B900808B33

Uniqueness

Uniqueness Score: -1.00%

Function 00DE328B Relevance: 1.8, APIs: 1, Instructions: 274
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00DE328B(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E00DDEE18(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E00DDED84(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x00de3299
0x00de32a0
0x00de32a5
0x00de32ab
0x00de32ae
0x00de32b4
0x00de32b9
0x00de32be
0x00de32be
0x00de32c4
0x00de32c9
0x00de32ce
0x00de32ce
0x00de32d5
0x00de32da
0x00de32df
0x00de32df
0x00de32e6
0x00de32eb
0x00de32f0
0x00de32f0
0x00de32f7
0x00de32fc
0x00de3301
0x00de3301
0x00de3309
0x00de3319
0x00de332b
0x00de333d
0x00de3350
0x00de3362
0x00de336a
0x00de336f
0x00de3374
0x00de3374
0x00de337b
0x00de3380
0x00de3380
0x00de3387
0x00de338c
0x00de338c
0x00de3393
0x00de3398
0x00de3398
0x00de339f
0x00de33a4
0x00de33a4
0x00de33ae
0x00de33b0
0x00de33ea
0x00de33b2
0x00de33b7
0x00de33db
0x00de33e3
0x00de33d7
0x00de33d7
0x00de33ed
0x00de33f4
0x00de33f6
0x00de3418
0x00de3420
0x00de3423
0x00de3423
0x00de3425
0x00de3425
0x00de3430
0x00de3436
0x00de343b
0x00de3442
0x00de347c
0x00de3487
0x00de348d
0x00de3490
0x00de3493
0x00de349f
0x00de34a7
0x00de3444
0x00de3447
0x00de3453
0x00de3459
0x00de345f
0x00de3462
0x00de346b
0x00de346b
0x00de34aa
0x00de34b8
0x00de34be
0x00de34c1
0x00de34c6
0x00de34c8
0x00de34cb
0x00de34cb
0x00de34d0
0x00de34d2
0x00de34d5
0x00de34d5
0x00de34da
0x00de34dc
0x00de34df
0x00de34df
0x00de34e4
0x00de34e6
0x00de34e9
0x00de34e9
0x00de34ee
0x00de34f0
0x00de34f0
0x00de34fd
0x00de3500
0x00de3537
0x00de3502
0x00de3502
0x00de3505
0x00de3530
0x00de3525
0x00de3525
0x00de3539
0x00de3541
0x00de3544
0x00de3563
0x00de3568
0x00de3568
0x00de356a
0x00de356f
0x00de357b
0x00de3571
0x00de3574
0x00de3574
0x00de3580
0x00de3580
0x00de3546
0x00de3549
0x00de3558
0x00000000
0x00de3558
0x00de354b
0x00de354e
0x00de3550
0x00de3550
0x00000000
0x00de354e
0x00de3507
0x00de350a
0x00de3520
0x00000000
0x00de3520
0x00de350f
0x00de3511
0x00de3511
0x00de350f
0x00000000
0x00de3500
0x00de33fd
0x00de340b
0x00de3413
0x00000000
0x00de3413
0x00de3401
0x00de3406
0x00de3406
0x00000000
0x00de3401
0x00de33be
0x00de33cc
0x00de33d4
0x00000000
0x00de33d4
0x00de33c2
0x00de33c7
0x00de33c7
0x00de33c2

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,00DE3286,00000000,?,00000008,?,?,00DE2E90,00000000), ref: 00DE34B8

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d72e8b2bd09c9ca756f59bc075a85626116cbe651fde2730ebba11ddc237d28a
Instruction ID: 0c35ae15d750a52915e02b50be34ebee982e16877ad356d46e3965dd4fbdfb42
Opcode Fuzzy Hash: d72e8b2bd09c9ca756f59bc075a85626116cbe651fde2730ebba11ddc237d28a
Instruction Fuzzy Hash: 6FB17D31610648DFD715DF29C48AB687BE0FF05364F298658E8DACF2A1C735EA81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00DD7E39 Relevance: 1.6, Strings: 1, Instructions: 388
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00DD7E39(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				short _v28;
				signed int _v32;
				signed int* _v36;
				intOrPtr _v40;
				signed int _v44;
				void* __ebp;
				signed int _t149;
				signed int _t151;
				signed int _t152;
				void* _t153;
				signed char _t157;
				signed int _t161;
				short _t163;
				signed char _t168;
				signed char _t171;
				signed int* _t176;
				signed int _t178;
				signed int _t183;
				signed int* _t188;
				signed int _t190;
				signed int* _t192;
				signed int* _t198;
				signed short _t200;
				signed int _t201;
				void* _t202;
				signed int* _t208;
				void* _t209;
				void* _t211;
				signed char _t213;
				signed char _t215;
				signed int _t216;
				signed int _t219;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				signed int** _t227;
				signed int* _t228;
				void* _t229;
				void* _t231;
				signed int _t235;
				unsigned int _t237;
				signed int* _t238;
				signed int _t240;
				signed int* _t241;
				intOrPtr _t242;
				void* _t244;
				signed char _t247;
				signed int _t248;
				signed int _t257;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				void* _t263;
				signed int _t264;
				signed int _t266;
				void* _t267;
				void* _t268;
				signed int _t269;
				short _t270;
				signed int _t273;
				intOrPtr* _t276;
				void* _t277;
				signed int _t278;
				void* _t279;
				void* _t280;
				void* _t281;

				_t268 = __edi;
				_t149 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t149 ^ _t278;
				_t276 = __ecx;
				_t226 = 0;
				_t257 = 0x41;
				_t151 =  *(__ecx + 0x2e) & 0x0000ffff;
				_v20 = _t257;
				_t231 = 0x58;
				_t280 = _t151 - 0x64;
				if(_t280 > 0) {
					__eflags = _t151 - 0x70;
					if(__eflags > 0) {
						_t152 = _t151 - 0x73;
						__eflags = _t152;
						if(_t152 == 0) {
							L9:
							_t153 = E00DD8923(_t276);
							L10:
							if(_t153 != 0) {
								__eflags =  *((intOrPtr*)(_t276 + 0x2c)) - _t226;
								if( *((intOrPtr*)(_t276 + 0x2c)) != _t226) {
									L112:
									L113:
									return E00DCF35B(_v8 ^ _t278);
								}
								_push(_t268);
								_t157 =  *(_t276 + 0x1c) >> 4;
								_v16 = _t226;
								_t235 = _t226;
								_v12 = _t226;
								_v24 = _t235;
								_t269 = 0x20;
								__eflags = 1 & _t157;
								if((1 & _t157) == 0) {
									L44:
									_t260 =  *(_t276 + 0x2e) & 0x0000ffff;
									_t270 = 0x78;
									__eflags = _t260 - _t270;
									if(_t260 == _t270) {
										L46:
										__eflags = 1;
										if(1 != 0) {
											L48:
											__eflags = _t260 - 0x61;
											if(_t260 == 0x61) {
												L50:
												_t161 = 1;
												L51:
												_v28 = 0x30;
												__eflags = _t161;
												if(_t161 != 0) {
													L53:
													 *((short*)(_t278 + _t235 * 2 - 0xc)) = _v28;
													_t163 = 0x58;
													__eflags = _t260 - _t163;
													if(_t260 == _t163) {
														L55:
														_t270 = _t163;
														L56:
														 *((short*)(_t278 + _t235 * 2 - 0xa)) = _t270;
														_t235 = _t235 + 2;
														__eflags = _t235;
														_v24 = _t235;
														L57:
														_t273 =  *((intOrPtr*)(_t276 + 0x20)) -  *(_t276 + 0x34) - _t235;
														__eflags =  *(_t276 + 0x1c) & 0x0000000c;
														if(( *(_t276 + 0x1c) & 0x0000000c) != 0) {
															L69:
															_push( *((intOrPtr*)(_t276 + 8)));
															_v36 = _t276 + 0x14;
															_t261 = _t276 + 0x448;
															_v32 = _t261;
															E00DD8C3E(_t261,  &_v16, _t235, _t276 + 0x14);
															_t237 =  *(_t276 + 0x1c);
															_t168 = _t237 >> 3;
															__eflags = _t168 & 0x00000001;
															if((_t168 & 0x00000001) == 0) {
																_t238 = _t276 + 0x14;
																L83:
																__eflags =  *((char*)(_t276 + 0x38));
																if( *((char*)(_t276 + 0x38)) != 0) {
																	L97:
																	_push( *((intOrPtr*)(_t276 + 8)));
																	E00DD8C3E(_t276 + 0x448,  *((intOrPtr*)(_t276 + 0x30)),  *(_t276 + 0x34), _t238);
																	L98:
																	_t262 = _t276 + 0x448;
																	L99:
																	_t240 =  *(_t276 + 0x14);
																	__eflags = _t240;
																	if(_t240 < 0) {
																		L111:
																		goto L112;
																	}
																	_t171 =  *(_t276 + 0x1c) >> 2;
																	__eflags = _t171 & 0x00000001;
																	if((_t171 & 0x00000001) == 0) {
																		goto L111;
																	}
																	__eflags = _t273;
																	if(_t273 <= 0) {
																		goto L111;
																	}
																	_t277 = 0x20;
																	while(1) {
																		_t263 =  *_t262;
																		__eflags =  *((intOrPtr*)(_t263 + 8)) -  *((intOrPtr*)(_t263 + 4));
																		if( *((intOrPtr*)(_t263 + 8)) !=  *((intOrPtr*)(_t263 + 4))) {
																			_t241 = _v36;
																			 *_t241 = _t240 + 1;
																			 *((intOrPtr*)(_t263 + 8)) =  *((intOrPtr*)(_t263 + 8)) + 1;
																			_t262 = _v32;
																			 *( *( *_t262)) = _t277;
																			_t176 =  *_t262;
																			 *_t176 =  *_t176 + 2;
																			__eflags =  *_t176;
																			_t240 =  *_t241;
																		} else {
																			__eflags =  *((char*)(_t263 + 0xc));
																			if( *((char*)(_t263 + 0xc)) == 0) {
																				_t240 = _t240 | 0xffffffff;
																				__eflags = _t240;
																			} else {
																				_t240 = _t240 + 1;
																			}
																			_t262 = _v32;
																			 *_v36 = _t240;
																		}
																		__eflags = _t240 - 0xffffffff;
																		if(_t240 == 0xffffffff) {
																			goto L111;
																		}
																		_t226 = _t226 + 1;
																		__eflags = _t226 - _t273;
																		if(_t226 < _t273) {
																			continue;
																		}
																		goto L111;
																	}
																	goto L111;
																}
																_t178 =  *(_t276 + 0x34);
																__eflags = _t178;
																if(_t178 <= 0) {
																	goto L97;
																}
																_t242 =  *((intOrPtr*)(_t276 + 8));
																_v40 = _t242;
																__eflags =  *((char*)(_t242 + 0x14));
																if(__eflags == 0) {
																	E00DD8A50(_t242, _t261, __eflags);
																	_t178 =  *(_t276 + 0x34);
																}
																_t243 =  *((intOrPtr*)(_t276 + 0x30));
																_v28 =  *((intOrPtr*)(_t276 + 0x30));
																_v20 = _t226;
																__eflags = _t178;
																if(_t178 == 0) {
																	goto L98;
																} else {
																	while(1) {
																		_v24 = 0;
																		_t183 = E00DDD48E(_t243, _t261,  &_v24, _t243,  *((intOrPtr*)( *((intOrPtr*)(_v40 + 0xc)) + 4)),  *((intOrPtr*)(_t276 + 8)));
																		_t279 = _t279 + 0x10;
																		_v16 = _t183;
																		_t262 = _t276 + 0x448;
																		__eflags = _t183;
																		if(_t183 <= 0) {
																			break;
																		}
																		_t244 =  *_t262;
																		_v44 = _v24 & 0x0000ffff;
																		__eflags =  *((intOrPtr*)(_t244 + 8)) -  *((intOrPtr*)(_t244 + 4));
																		if( *((intOrPtr*)(_t244 + 8)) !=  *((intOrPtr*)(_t244 + 4))) {
																			 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
																			 *((intOrPtr*)(_t244 + 8)) =  *((intOrPtr*)(_t244 + 8)) + 1;
																			 *( *( *_t262)) = _v44;
																			_t188 =  *_t262;
																			 *_t188 =  *_t188 + 2;
																			__eflags =  *_t188;
																		} else {
																			__eflags =  *((char*)(_t244 + 0xc));
																			if( *((char*)(_t244 + 0xc)) == 0) {
																				 *(_t276 + 0x14) =  *(_t276 + 0x14) | 0xffffffff;
																			} else {
																				 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
																			}
																		}
																		_t243 = _v28 + _v16;
																		_t190 = _v20 + 1;
																		_v28 = _v28 + _v16;
																		_v20 = _t190;
																		__eflags = _t190 -  *(_t276 + 0x34);
																		if(_t190 !=  *(_t276 + 0x34)) {
																			continue;
																		} else {
																			goto L99;
																		}
																	}
																	 *(_t276 + 0x14) =  *(_t276 + 0x14) | 0xffffffff;
																	goto L99;
																}
															}
															_t247 = _t237 >> 2;
															__eflags = _t247 & 0x00000001;
															_t238 = _t276 + 0x14;
															if((_t247 & 0x00000001) != 0) {
																goto L83;
															}
															_v24 = _t226;
															__eflags = _t273;
															if(_t273 <= 0) {
																goto L83;
															}
															_t264 =  *_t238;
															_t227 = _t276 + 0x448;
															while(1) {
																_t192 =  *_t227;
																_v20 = _t192;
																_t228 = _t192;
																__eflags = _t192[2] - _t228[1];
																_t227 = _t276 + 0x448;
																if(_t192[2] != _t228[1]) {
																	 *_t238 = _t264 + 1;
																	 *((intOrPtr*)(_v20 + 8)) =  *((intOrPtr*)(_v20 + 8)) + 1;
																	 *( *( *_t227)) = _v28;
																	_t198 =  *_t227;
																	 *_t198 =  *_t198 + 2;
																	__eflags =  *_t198;
																	_t261 =  *_t238;
																} else {
																	_t201 = _v20;
																	__eflags =  *((char*)(_t201 + 0xc));
																	if( *((char*)(_t201 + 0xc)) == 0) {
																		_t261 = _t261 | 0xffffffff;
																		__eflags = _t261;
																	} else {
																		_t261 = _t261 + 1;
																	}
																	 *_t238 = _t261;
																}
																__eflags = _t261 - 0xffffffff;
																if(_t261 == 0xffffffff) {
																	break;
																}
																_t200 = _v24 + 1;
																_v24 = _t200;
																__eflags = _t200 - _t273;
																if(_t200 < _t273) {
																	continue;
																}
																break;
															}
															_t226 = 0;
															goto L83;
														}
														__eflags = _t273;
														if(_t273 <= 0) {
															goto L69;
														}
														_t266 =  *(_t276 + 0x14);
														_t248 = _t226;
														while(1) {
															_t202 =  *(_t276 + 0x448);
															_t229 =  *(_t276 + 0x448);
															__eflags =  *((intOrPtr*)(_t202 + 8)) -  *((intOrPtr*)(_t229 + 4));
															if( *((intOrPtr*)(_t202 + 8)) !=  *((intOrPtr*)(_t229 + 4))) {
																 *(_t276 + 0x14) = _t266 + 1;
																_t267 = 0x20;
																( *(_t276 + 0x448))[2] = ( *(_t276 + 0x448))[2] + 1;
																 *( *( *(_t276 + 0x448))) = _t267;
																_t208 =  *(_t276 + 0x448);
																 *_t208 =  *_t208 + 2;
																__eflags =  *_t208;
																_t266 =  *(_t276 + 0x14);
															} else {
																_t209 = _t229;
																__eflags =  *((char*)(_t209 + 0xc));
																if( *((char*)(_t209 + 0xc)) == 0) {
																	_t266 = _t266 | 0xffffffff;
																	__eflags = _t266;
																} else {
																	_t266 = _t266 + 1;
																}
																 *(_t276 + 0x14) = _t266;
															}
															__eflags = _t266 - 0xffffffff;
															if(_t266 == 0xffffffff) {
																break;
															}
															_t248 = _t248 + 1;
															__eflags = _t248 - _t273;
															if(_t248 < _t273) {
																continue;
															}
															break;
														}
														_t235 = _v24;
														_t226 = 0;
														__eflags = 0;
														goto L69;
													}
													__eflags = _t260 - _v20;
													if(_t260 != _v20) {
														goto L56;
													}
													goto L55;
												}
												__eflags = _t161;
												if(_t161 == 0) {
													goto L57;
												}
												goto L53;
											}
											_t161 = _t226;
											__eflags = _t260 - _v20;
											if(_t260 != _v20) {
												goto L51;
											}
											goto L50;
										}
										L47:
										goto L48;
									}
									_t211 = 0x58;
									__eflags = _t260 - _t211;
									if(_t260 != _t211) {
										goto L47;
									}
									goto L46;
								}
								_t213 =  *(_t276 + 0x1c) >> 6;
								__eflags = 1 & _t213;
								if((1 & _t213) == 0) {
									__eflags =  *(_t276 + 0x1c) & 1;
									if(( *(_t276 + 0x1c) & 1) == 0) {
										_t215 =  *(_t276 + 0x1c) >> 1;
										__eflags = 1 & _t215;
										if((1 & _t215) != 0) {
											_v16 = _t269;
											_t235 = 1;
											_v24 = 1;
										}
										goto L44;
									}
									_push(0x2b);
									L41:
									_pop(_t216);
									_t235 = 1;
									_v16 = _t216;
									_v24 = 1;
									goto L44;
								}
								_push(0x2d);
								goto L41;
							}
							L11:
							goto L113;
						}
						_t219 = _t152;
						__eflags = _t219;
						if(__eflags == 0) {
							L28:
							_t153 = E00DD61CE(_t276, __eflags, _t226);
							goto L10;
						}
						__eflags = _t219 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_t153 = E00DD64CD(_t276, __eflags);
						goto L10;
					}
					if(__eflags == 0) {
						_t153 = E00DD889C(__ecx);
						goto L10;
					}
					__eflags = _t151 - 0x67;
					if(_t151 <= 0x67) {
						L29:
						_t153 = E00DD84EC(_t276);
						goto L10;
					}
					__eflags = _t151 - 0x69;
					if(_t151 == 0x69) {
						L27:
						_t4 = _t276 + 0x1c;
						 *_t4 =  *(_t276 + 0x1c) | 0x00000010;
						__eflags =  *_t4;
						goto L28;
					}
					__eflags = _t151 - 0x6e;
					if(_t151 == 0x6e) {
						_t153 = E00DD87C8(__ecx, _t257);
						goto L10;
					}
					__eflags = _t151 - 0x6f;
					if(_t151 != 0x6f) {
						goto L11;
					}
					_t153 = E00DD8869(__ecx);
					goto L10;
				}
				if(_t280 == 0) {
					goto L27;
				}
				_t281 = _t151 - _t231;
				if(_t281 > 0) {
					_t221 = _t151 - 0x5a;
					__eflags = _t221;
					if(_t221 == 0) {
						_t153 = E00DD8308(__ecx);
						goto L10;
					}
					_t222 = _t221 - 7;
					__eflags = _t222;
					if(_t222 == 0) {
						goto L29;
					}
					__eflags = _t222;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t153 = E00DD8721(_t276, _t257, __eflags, _t226);
					goto L10;
				}
				if(_t281 == 0) {
					_push(1);
					goto L13;
				}
				if(_t151 == _t257) {
					goto L29;
				}
				if(_t151 == 0x43) {
					goto L17;
				}
				if(_t151 <= 0x44) {
					goto L11;
				}
				if(_t151 <= 0x47) {
					goto L29;
				}
				if(_t151 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00dd7e39
0x00dd7e41
0x00dd7e48
0x00dd7e4d
0x00dd7e4f
0x00dd7e53
0x00dd7e56
0x00dd7e5a
0x00dd7e5d
0x00dd7e5e
0x00dd7e61
0x00dd7ed3
0x00dd7ed6
0x00dd7f26
0x00dd7f26
0x00dd7f29
0x00dd7e8f
0x00dd7e91
0x00dd7e96
0x00dd7e98
0x00dd7f44
0x00dd7f47
0x00dd824a
0x00dd824c
0x00dd8259
0x00dd8259
0x00dd7f52
0x00dd7f53
0x00dd7f57
0x00dd7f5a
0x00dd7f5c
0x00dd7f60
0x00dd7f65
0x00dd7f66
0x00dd7f68
0x00dd7f9d
0x00dd7f9d
0x00dd7fa3
0x00dd7fa4
0x00dd7fa7
0x00dd7fb1
0x00dd7fb9
0x00dd7fbb
0x00dd7fbf
0x00dd7fbf
0x00dd7fc2
0x00dd7fcc
0x00dd7fcc
0x00dd7fce
0x00dd7fce
0x00dd7fd5
0x00dd7fd7
0x00dd7fdd
0x00dd7fe2
0x00dd7fe7
0x00dd7fe8
0x00dd7feb
0x00dd7ff3
0x00dd7ff3
0x00dd7ff5
0x00dd7ff5
0x00dd7ffa
0x00dd7ffa
0x00dd7ffd
0x00dd8000
0x00dd8006
0x00dd8008
0x00dd800c
0x00dd8076
0x00dd8076
0x00dd807d
0x00dd8080
0x00dd808a
0x00dd8090
0x00dd8095
0x00dd809a
0x00dd809d
0x00dd809f
0x00dd8113
0x00dd8116
0x00dd8116
0x00dd811a
0x00dd81d0
0x00dd81d0
0x00dd81e0
0x00dd81e5
0x00dd81e5
0x00dd81eb
0x00dd81eb
0x00dd81ee
0x00dd81f0
0x00dd8249
0x00000000
0x00dd8249
0x00dd81f5
0x00dd81f8
0x00dd81fa
0x00000000
0x00000000
0x00dd81fc
0x00dd81fe
0x00000000
0x00000000
0x00dd8202
0x00dd8203
0x00dd8203
0x00dd8208
0x00dd820b
0x00dd8226
0x00dd8229
0x00dd822b
0x00dd822e
0x00dd8235
0x00dd8238
0x00dd823a
0x00dd823a
0x00dd823d
0x00dd820d
0x00dd820d
0x00dd8211
0x00dd8216
0x00dd8216
0x00dd8213
0x00dd8213
0x00dd8213
0x00dd821c
0x00dd821f
0x00dd821f
0x00dd823f
0x00dd8242
0x00000000
0x00000000
0x00dd8244
0x00dd8245
0x00dd8247
0x00000000
0x00000000
0x00000000
0x00dd8247
0x00000000
0x00dd8203
0x00dd8120
0x00dd8123
0x00dd8125
0x00000000
0x00000000
0x00dd812b
0x00dd812e
0x00dd8131
0x00dd8135
0x00dd8137
0x00dd813c
0x00dd813c
0x00dd813f
0x00dd8142
0x00dd8145
0x00dd8148
0x00dd814a
0x00000000
0x00dd8150
0x00dd8150
0x00dd8155
0x00dd8167
0x00dd816c
0x00dd816f
0x00dd8172
0x00dd8178
0x00dd817a
0x00000000
0x00000000
0x00dd817c
0x00dd8182
0x00dd8188
0x00dd818b
0x00dd819e
0x00dd81a1
0x00dd81ab
0x00dd81ae
0x00dd81b0
0x00dd81b0
0x00dd818d
0x00dd818d
0x00dd8191
0x00dd8198
0x00dd8193
0x00dd8193
0x00dd8193
0x00dd8191
0x00dd81b6
0x00dd81bc
0x00dd81bd
0x00dd81c0
0x00dd81c3
0x00dd81c6
0x00000000
0x00dd81c8
0x00000000
0x00dd81c8
0x00dd81c6
0x00dd81ca
0x00000000
0x00dd81ca
0x00dd814a
0x00dd80a1
0x00dd80a4
0x00dd80a7
0x00dd80aa
0x00000000
0x00000000
0x00dd80ac
0x00dd80af
0x00dd80b1
0x00000000
0x00000000
0x00dd80b3
0x00dd80b5
0x00dd80bb
0x00dd80bb
0x00dd80bd
0x00dd80c0
0x00dd80c5
0x00dd80c8
0x00dd80ce
0x00dd80e9
0x00dd80ee
0x00dd80f5
0x00dd80f8
0x00dd80fa
0x00dd80fa
0x00dd80fd
0x00dd80d0
0x00dd80d0
0x00dd80d3
0x00dd80d7
0x00dd80dc
0x00dd80dc
0x00dd80d9
0x00dd80d9
0x00dd80d9
0x00dd80df
0x00dd80df
0x00dd80ff
0x00dd8102
0x00000000
0x00000000
0x00dd8107
0x00dd8108
0x00dd810b
0x00dd810d
0x00000000
0x00000000
0x00000000
0x00dd810d
0x00dd810f
0x00000000
0x00dd810f
0x00dd800e
0x00dd8010
0x00000000
0x00000000
0x00dd8012
0x00dd8015
0x00dd8017
0x00dd8017
0x00dd801d
0x00dd8026
0x00dd8029
0x00dd8041
0x00dd804c
0x00dd804d
0x00dd8058
0x00dd805b
0x00dd8061
0x00dd8061
0x00dd8064
0x00dd802b
0x00dd802b
0x00dd802d
0x00dd8031
0x00dd8036
0x00dd8036
0x00dd8033
0x00dd8033
0x00dd8033
0x00dd8039
0x00dd8039
0x00dd8067
0x00dd806a
0x00000000
0x00000000
0x00dd806c
0x00dd806d
0x00dd806f
0x00000000
0x00000000
0x00000000
0x00dd806f
0x00dd8071
0x00dd8074
0x00dd8074
0x00000000
0x00dd8074
0x00dd7fed
0x00dd7ff1
0x00000000
0x00000000
0x00000000
0x00dd7ff1
0x00dd7fd9
0x00dd7fdb
0x00000000
0x00000000
0x00000000
0x00dd7fdb
0x00dd7fc4
0x00dd7fc6
0x00dd7fca
0x00000000
0x00000000
0x00000000
0x00dd7fca
0x00dd7fbd
0x00000000
0x00dd7fbd
0x00dd7fab
0x00dd7fac
0x00dd7faf
0x00000000
0x00000000
0x00000000
0x00dd7faf
0x00dd7f6d
0x00dd7f70
0x00dd7f72
0x00dd7f78
0x00dd7f7b
0x00dd7f8e
0x00dd7f90
0x00dd7f92
0x00dd7f94
0x00dd7f98
0x00dd7f9a
0x00dd7f9a
0x00000000
0x00dd7f92
0x00dd7f7d
0x00dd7f7f
0x00dd7f7f
0x00dd7f80
0x00dd7f82
0x00dd7f86
0x00000000
0x00dd7f86
0x00dd7f74
0x00000000
0x00dd7f74
0x00dd7e9e
0x00000000
0x00dd7e9e
0x00dd7f30
0x00dd7f30
0x00dd7f33
0x00dd7f04
0x00dd7f07
0x00000000
0x00dd7f07
0x00dd7f35
0x00dd7f38
0x00000000
0x00000000
0x00dd7f3e
0x00dd7ea7
0x00dd7ea9
0x00000000
0x00dd7ea9
0x00dd7ed8
0x00dd7f1c
0x00000000
0x00dd7f1c
0x00dd7eda
0x00dd7edd
0x00dd7f0e
0x00dd7f10
0x00000000
0x00dd7f10
0x00dd7edf
0x00dd7ee2
0x00dd7f00
0x00dd7f00
0x00dd7f00
0x00dd7f00
0x00000000
0x00dd7f00
0x00dd7ee4
0x00dd7ee7
0x00dd7ef9
0x00000000
0x00dd7ef9
0x00dd7ee9
0x00dd7eec
0x00000000
0x00000000
0x00dd7ef0
0x00000000
0x00dd7ef0
0x00dd7e63
0x00000000
0x00000000
0x00dd7e69
0x00dd7e6b
0x00dd7eb0
0x00dd7eb0
0x00dd7eb3
0x00dd7ecc
0x00000000
0x00dd7ecc
0x00dd7eb5
0x00dd7eb5
0x00dd7eb8
0x00000000
0x00000000
0x00dd7ebb
0x00dd7ebe
0x00000000
0x00000000
0x00dd7ec0
0x00dd7ec3
0x00000000
0x00dd7ec3
0x00dd7e6d
0x00dd7ea5
0x00000000
0x00dd7ea5
0x00dd7e71
0x00000000
0x00000000
0x00dd7e7a
0x00000000
0x00000000
0x00dd7e7f
0x00000000
0x00000000
0x00dd7e84
0x00000000
0x00000000
0x00dd7e8d
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 00DD7FCE

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: dc7516dda4c63b66f7c4b2667db066e5ccd90226eac28fa02cbf536d0e7418aa
Instruction ID: 11080a1dfcc87266193cc222e49e30ecd51082cb98d1681db478775de53d839f
Opcode Fuzzy Hash: dc7516dda4c63b66f7c4b2667db066e5ccd90226eac28fa02cbf536d0e7418aa
Instruction Fuzzy Hash: 06E16B706046068FCB26CF68C580ABAB7B1EF45310B28469AE4569B791EB30ED46DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DD98C3 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00DD98C3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char* _v28;
				signed short* _v32;
				WCHAR* _v36;
				signed int _v48;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				signed int _v612;
				signed int _v616;
				intOrPtr _v620;
				char* _v648;
				void* __ebp;
				intOrPtr _t44;
				void* _t49;
				signed int _t52;
				signed char _t54;
				void* _t63;
				intOrPtr _t65;
				int _t70;
				void* _t86;
				void* _t88;
				void* _t92;
				union _FINDEX_INFO_LEVELS _t93;
				intOrPtr* _t94;
				void* _t96;
				intOrPtr* _t99;
				intOrPtr _t102;
				void* _t104;
				char* _t105;
				void* _t113;
				signed short* _t114;
				signed int _t120;
				WCHAR* _t121;
				intOrPtr _t123;
				void* _t126;
				void* _t132;
				signed int _t133;
				void* _t134;

				_push(__ecx);
				_t99 = _a4;
				_push(__ebx);
				_push(__edi);
				_t2 = _t99 + 2; // 0x2
				_t113 = _t2;
				do {
					_t44 =  *_t99;
					_t99 = _t99 + 2;
				} while (_t44 != 0);
				_t120 = _a12;
				_t102 = (_t99 - _t113 >> 1) + 1;
				_v8 = _t102;
				if(_t102 <=  !_t120) {
					_push(__esi);
					_t5 = _t120 + 1; // 0x1
					_t92 = _t5 + _t102;
					_t126 = E00DD9696(_t92, 2);
					_pop(_t104);
					if(_t120 == 0) {
						L7:
						_push(_v8);
						_t92 = _t92 - _t120;
						_t49 = E00DDB7C9(_t104, _t126 + _t120 * 2, _t92, _a4);
						_t133 = _t132 + 0x10;
						if(_t49 != 0) {
							goto L12;
						} else {
							_t123 = _a16;
							_t96 = E00DD9BBC(_t123);
							if(_t96 == 0) {
								 *((intOrPtr*)( *((intOrPtr*)(_t123 + 4)))) = _t126;
								 *((intOrPtr*)(_t123 + 4)) =  *((intOrPtr*)(_t123 + 4)) + 4;
								_t96 = 0;
							} else {
								E00DD9541(_t126);
							}
							E00DD9541(0);
							_t86 = _t96;
							goto L4;
						}
					} else {
						_push(_t120);
						_t88 = E00DDB7C9(_t104, _t126, _t92, _a8);
						_t133 = _t132 + 0x10;
						if(_t88 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00DD3466();
							asm("int3");
							_t131 = _t133;
							_t134 = _t133 - 0x264;
							_t52 =  *0xdf8008; // 0x9fa9e963
							_v48 = _t52 ^ _t133;
							_t114 = _v32;
							_t105 = _v28;
							_push(_t92);
							_push(_t126);
							_push(_t120);
							_t121 = _v36;
							_v648 = _t105;
							if(_t114 != _t121) {
								while(E00DD9B98( *_t114 & 0x0000ffff) == 0) {
									_t114 = _t114 - 2;
									if(_t114 != _t121) {
										continue;
									}
									break;
								}
								_t105 = _v612;
							}
							_t127 =  *_t114 & 0x0000ffff;
							if(( *_t114 & 0x0000ffff) != 0x3a || _t114 ==  &(_t121[1])) {
								_t105 =  &_v605;
								_t54 = E00DD9B98(_t127);
								asm("sbb eax, eax");
								_t93 = 0;
								_v616 =  ~(_t54 & 0x000000ff) & (_t114 - _t121 >> 0x00000001) + 0x00000001;
								_t127 = FindFirstFileExW(_t121, 0,  &_v604, 0, 0, 0);
								if(_t127 != 0xffffffff) {
									_t94 = _v612;
									_v612 =  *((intOrPtr*)(_t94 + 4)) -  *_t94 >> 2;
									_t63 = 0x2e;
									do {
										if(_v604.cFileName != _t63 || _v558 != 0 && (_v558 != _t63 || _v556 != 0)) {
											_push(_t94);
											_t65 = E00DD98C3(_t94, _t105, _t121, _t127,  &(_v604.cFileName), _t121, _v616);
											_t134 = _t134 + 0x10;
											_v620 = _t65;
											if(_t65 != 0) {
												FindClose(_t127);
											} else {
												goto L29;
											}
										} else {
											goto L29;
										}
										goto L34;
										L29:
										_t70 = FindNextFileW(_t127,  &_v604);
										_t63 = 0x2e;
									} while (_t70 != 0);
									_t118 =  *_t94;
									_t108 = _v612;
									_t73 =  *((intOrPtr*)(_t94 + 4)) -  *_t94 >> 2;
									if(_v612 !=  *((intOrPtr*)(_t94 + 4)) -  *_t94 >> 2) {
										E00DDD630(_t94, _t121, _t127, _t118 + _t108 * 4, _t73 - _t108, 4, E00DD96F3);
									}
									FindClose(_t127);
								} else {
									_push(_v612);
									goto L20;
								}
							} else {
								_push(_t105);
								_t93 = 0;
								L20:
								E00DD98C3(_t93, _t105, _t121, _t127, _t121, _t93, _t93);
							}
							L34:
							return E00DCF35B(_v12 ^ _t131);
						} else {
							goto L7;
						}
					}
				} else {
					_t86 = 0xc;
					L4:
					return _t86;
				}
			}

0x00dd98c8
0x00dd98c9
0x00dd98cc
0x00dd98cd
0x00dd98d0
0x00dd98d0
0x00dd98d3
0x00dd98d3
0x00dd98d6
0x00dd98d9
0x00dd98de
0x00dd98e7
0x00dd98ea
0x00dd98ef
0x00dd98f8
0x00dd98f9
0x00dd98fc
0x00dd9906
0x00dd9909
0x00dd990c
0x00dd9920
0x00dd9920
0x00dd9923
0x00dd992d
0x00dd9932
0x00dd9937
0x00000000
0x00dd9939
0x00dd9939
0x00dd9943
0x00dd9947
0x00dd9955
0x00dd9957
0x00dd995b
0x00dd9949
0x00dd994a
0x00dd994f
0x00dd995f
0x00dd9965
0x00000000
0x00dd9967
0x00dd990e
0x00dd990e
0x00dd9914
0x00dd9919
0x00dd991e
0x00dd996a
0x00dd996c
0x00dd996d
0x00dd996e
0x00dd996f
0x00dd9970
0x00dd9971
0x00dd9976
0x00dd997a
0x00dd997c
0x00dd9982
0x00dd9989
0x00dd998c
0x00dd998f
0x00dd9992
0x00dd9993
0x00dd9994
0x00dd9995
0x00dd9998
0x00dd99a0
0x00dd99a2
0x00dd99b5
0x00dd99ba
0x00000000
0x00000000
0x00000000
0x00dd99ba
0x00dd99bc
0x00dd99bc
0x00dd99c2
0x00dd99c8
0x00dd99e5
0x00dd99eb
0x00dd99fa
0x00dd99fc
0x00dd9a03
0x00dd9a18
0x00dd9a1d
0x00dd9a27
0x00dd9a37
0x00dd9a3d
0x00dd9a3e
0x00dd9a45
0x00dd9a64
0x00dd9a73
0x00dd9a78
0x00dd9a7b
0x00dd9a83
0x00dd9ad2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd9a85
0x00dd9a8d
0x00dd9a97
0x00dd9a97
0x00dd9a9d
0x00dd9aa1
0x00dd9aa7
0x00dd9aac
0x00dd9ac7
0x00dd9acc
0x00dd9aaf
0x00dd9a1f
0x00dd9a1f
0x00000000
0x00dd9a1f
0x00dd99d1
0x00dd99d1
0x00dd99d2
0x00dd99d4
0x00dd99d7
0x00dd99dc
0x00dd9ade
0x00dd9aec
0x00000000
0x00000000
0x00000000
0x00dd991e
0x00dd98f1
0x00dd98f3
0x00dd98f4
0x00dd98f7
0x00dd98f7

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdecde67384c6503ad41279359533960239c8555d155dceb83ff26b0ee438e04
Instruction ID: 7cfc75e82f9748fa14886ec67c6b2cabdece9af5d0fb9e0ddd5f3c051973c551
Opcode Fuzzy Hash: cdecde67384c6503ad41279359533960239c8555d155dceb83ff26b0ee438e04
Instruction Fuzzy Hash: 0A31C172900219AFCB20DFB9CC95EBBB7ADEB84714F18415AF80597344EA31AE408B70

Uniqueness

Uniqueness Score: -1.00%

Function 00DD7AF1 Relevance: 1.6, Strings: 1, Instructions: 314
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00DD7AF1(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v14;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed short* _v28;
				signed int _v32;
				intOrPtr _v36;
				void* __ebp;
				signed int _t103;
				char _t105;
				signed int _t106;
				void* _t107;
				signed char _t111;
				signed int _t115;
				signed int _t119;
				signed char _t123;
				signed char _t126;
				signed int _t128;
				signed int _t133;
				signed int _t137;
				signed int _t139;
				signed int _t142;
				void* _t143;
				signed int _t144;
				signed int _t147;
				signed char _t150;
				signed char _t152;
				signed int _t155;
				signed int _t157;
				signed int _t158;
				signed int _t162;
				void* _t164;
				intOrPtr _t170;
				unsigned int _t173;
				signed int _t176;
				signed short* _t177;
				signed char _t180;
				signed int _t182;
				signed int _t185;
				void* _t194;
				unsigned int _t195;
				void* _t196;
				signed int _t197;
				signed int* _t198;
				signed int _t200;
				intOrPtr* _t202;
				signed int _t203;
				signed int _t204;
				void* _t205;
				void* _t206;
				void* _t207;

				_t196 = __edi;
				_t103 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t103 ^ _t204;
				_t202 = __ecx;
				_t162 = 0;
				_t164 = 0x58;
				_t105 =  *((char*)(__ecx + 0x2d));
				_t206 = _t105 - 0x64;
				if(_t206 > 0) {
					__eflags = _t105 - 0x70;
					if(__eflags > 0) {
						_t106 = _t105 - 0x73;
						__eflags = _t106;
						if(_t106 == 0) {
							L9:
							_t107 = E00DD88B2(_t202);
							L10:
							if(_t107 != 0) {
								__eflags =  *((intOrPtr*)(_t202 + 0x2c)) - _t162;
								if( *((intOrPtr*)(_t202 + 0x2c)) != _t162) {
									L92:
									L93:
									return E00DCF35B(_v8 ^ _t204);
								}
								_t195 =  *(_t202 + 0x1c);
								_v16 = _t162;
								_push(_t196);
								_t111 = _t195 >> 4;
								_v14 = _t162;
								_t197 = _t162;
								_v20 = _t197;
								__eflags = 1 & _t111;
								if((1 & _t111) == 0) {
									L44:
									_t170 =  *((intOrPtr*)(_t202 + 0x2d));
									__eflags = _t170 - 0x78;
									if(_t170 == 0x78) {
										L46:
										__eflags = 1;
										if(1 != 0) {
											L48:
											__eflags = _t170 - 0x61;
											if(_t170 == 0x61) {
												L50:
												_t115 = 1;
												L51:
												__eflags = _t115;
												if(_t115 != 0) {
													L53:
													 *((char*)(_t204 + _t197 - 0xc)) = 0x30;
													__eflags = _t170 - 0x58;
													if(_t170 == 0x58) {
														L56:
														0x78 = 0x58;
														L57:
														 *((char*)(_t204 + _t197 - 0xb)) = 0x78;
														_t197 = _t197 + 2;
														__eflags = _t197;
														_v20 = _t197;
														L58:
														_t119 =  *((intOrPtr*)(_t202 + 0x20)) -  *((intOrPtr*)(_t202 + 0x34)) - _t197;
														_v32 = _t119;
														__eflags = _t195 & 0x0000000c;
														if((_t195 & 0x0000000c) != 0) {
															L66:
															_push( *(_t202 + 8));
															_t198 = _t202 + 0x14;
															_v36 = _t202 + 0x448;
															E00DD8C12(_t202 + 0x448,  &_v16, _v20, _t198);
															_t173 =  *(_t202 + 0x1c);
															_t123 = _t173 >> 3;
															__eflags = _t123 & 0x00000001;
															if((_t123 & 0x00000001) == 0) {
																L74:
																__eflags =  *((intOrPtr*)(_t202 + 0x38)) - _t162;
																if( *((intOrPtr*)(_t202 + 0x38)) == _t162) {
																	L82:
																	_push( *(_t202 + 8));
																	E00DD8C12(_t202 + 0x448,  *(_t202 + 0x30),  *((intOrPtr*)(_t202 + 0x34)), _t198);
																	L83:
																	__eflags =  *_t198 - _t162;
																	if( *_t198 < _t162) {
																		L91:
																		goto L92;
																	}
																	_t126 =  *(_t202 + 0x1c) >> 2;
																	__eflags = _t126 & 0x00000001;
																	if((_t126 & 0x00000001) == 0) {
																		goto L91;
																	}
																	_t127 =  *(_t202 + 8);
																	_t203 = _v32;
																	_v28 =  *(_t202 + 8);
																	__eflags = _t203;
																	if(_t203 <= 0) {
																		goto L91;
																	} else {
																		goto L86;
																	}
																	while(1) {
																		L86:
																		_t128 = E00DD8BD8(_v36, 0x20, _t127);
																		__eflags = _t128;
																		if(_t128 == 0) {
																			break;
																		}
																		_t176 =  *_t198;
																		 *_t198 = _t176 + 1;
																		__eflags = _t176 - 0xfffffffe;
																		if(_t176 == 0xfffffffe) {
																			goto L91;
																		}
																		_t127 = _v28;
																		_t162 = _t162 + 1;
																		__eflags = _t162 - _t203;
																		if(_t162 < _t203) {
																			continue;
																		}
																		goto L91;
																	}
																	 *_t198 =  *_t198 | 0xffffffff;
																	__eflags =  *_t198;
																	goto L91;
																}
																__eflags =  *((intOrPtr*)(_t202 + 0x34)) - _t162;
																if( *((intOrPtr*)(_t202 + 0x34)) <= _t162) {
																	goto L82;
																}
																_t177 =  *(_t202 + 0x30);
																_v24 = _t162;
																while(1) {
																	_v20 = _t162;
																	_v28 =  &(_t177[1]);
																	_t133 = E00DDD324(_t195,  &_v20,  &_v16, 6,  *_t177 & 0x0000ffff,  *(_t202 + 8));
																	_t205 = _t205 + 0x14;
																	__eflags = _t133;
																	if(_t133 != 0) {
																		break;
																	}
																	__eflags = _v20 - _t162;
																	if(_v20 == _t162) {
																		break;
																	}
																	_push( *(_t202 + 8));
																	E00DD8C12(_t202 + 0x448,  &_v16, _v20, _t198);
																	_t177 = _v28;
																	_t137 = _v24 + 1;
																	_v24 = _t137;
																	__eflags = _t137 -  *((intOrPtr*)(_t202 + 0x34));
																	if(_t137 !=  *((intOrPtr*)(_t202 + 0x34))) {
																		continue;
																	}
																	goto L83;
																}
																 *_t198 =  *_t198 | 0xffffffff;
																goto L83;
															}
															_t180 = _t173 >> 2;
															__eflags = _t180 & 0x00000001;
															if((_t180 & 0x00000001) != 0) {
																goto L74;
															}
															_t138 =  *(_t202 + 8);
															_v28 =  *(_t202 + 8);
															_v24 = _t162;
															__eflags = _v32 - _t162;
															if(_v32 <= _t162) {
																goto L74;
															} else {
																goto L69;
															}
															while(1) {
																L69:
																_t139 = E00DD8BD8(_t202 + 0x448, 0x30, _t138);
																__eflags = _t139;
																if(_t139 == 0) {
																	break;
																}
																_t182 =  *_t198;
																 *_t198 = _t182 + 1;
																__eflags = _t182 - 0xfffffffe;
																if(_t182 == 0xfffffffe) {
																	goto L74;
																}
																_t142 = _v24 + 1;
																__eflags = _t142 - _v32;
																_v24 = _t142;
																_t138 = _v28;
																if(_t142 < _v32) {
																	continue;
																}
																goto L74;
															}
															 *_t198 =  *_t198 | 0xffffffff;
															__eflags =  *_t198;
															goto L74;
														}
														_t183 =  *(_t202 + 8);
														_v28 =  *(_t202 + 8);
														_v24 = _t162;
														__eflags = _t119;
														if(_t119 <= 0) {
															goto L66;
														}
														_t200 = _v32;
														_t143 = _t202 + 0x448;
														while(1) {
															_t144 = E00DD8BD8(_t143, 0x20, _t183);
															__eflags = _t144;
															if(_t144 == 0) {
																break;
															}
															_t185 =  *(_t202 + 0x14);
															 *(_t202 + 0x14) = _t185 + 1;
															__eflags = _t185 - 0xfffffffe;
															if(_t185 == 0xfffffffe) {
																goto L66;
															}
															_t183 = _v28;
															_t147 = _v24 + 1;
															_v24 = _t147;
															__eflags = _t147 - _t200;
															_t143 = _t202 + 0x448;
															if(_t147 < _t200) {
																continue;
															}
															goto L66;
														}
														_t48 = _t202 + 0x14;
														 *_t48 =  *(_t202 + 0x14) | 0xffffffff;
														__eflags =  *_t48;
														goto L66;
													}
													__eflags = _t170 - 0x41;
													if(_t170 == 0x41) {
														goto L56;
													}
													goto L57;
												}
												__eflags = _t115;
												if(_t115 == 0) {
													goto L58;
												}
												goto L53;
											}
											_t115 = _t162;
											__eflags = _t170 - 0x41;
											if(_t170 != 0x41) {
												goto L51;
											}
											goto L50;
										}
										L47:
										goto L48;
									}
									__eflags = _t170 - 0x58;
									if(_t170 != 0x58) {
										goto L47;
									}
									goto L46;
								}
								_t150 = _t195 >> 6;
								__eflags = 1 & _t150;
								if((1 & _t150) == 0) {
									__eflags = 1 & _t195;
									if((1 & _t195) == 0) {
										_t152 = _t195 >> 1;
										__eflags = 1 & _t152;
										if((1 & _t152) != 0) {
											_v16 = 0x20;
											_t197 = 1;
											_v20 = 1;
										}
										goto L44;
									}
									_v16 = 0x2b;
									L41:
									_t197 = 1;
									_v20 = 1;
									goto L44;
								}
								_v16 = 0x2d;
								goto L41;
							}
							L11:
							goto L93;
						}
						_t155 = _t106;
						__eflags = _t155;
						if(__eflags == 0) {
							L28:
							_t107 = E00DD6051(_t202, __eflags, _t162);
							goto L10;
						}
						__eflags = _t155 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_t107 = E00DD6350(_t202, __eflags);
						goto L10;
					}
					if(__eflags == 0) {
						_t107 = E00DD8886(__ecx);
						goto L10;
					}
					__eflags = _t105 - 0x67;
					if(_t105 <= 0x67) {
						L29:
						_t107 = E00DD8362(_t162, _t202);
						goto L10;
					}
					__eflags = _t105 - 0x69;
					if(_t105 == 0x69) {
						L27:
						_t3 = _t202 + 0x1c;
						 *_t3 =  *(_t202 + 0x1c) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t105 - 0x6e;
					if(_t105 == 0x6e) {
						_t107 = E00DD87C8(__ecx, _t194);
						goto L10;
					}
					__eflags = _t105 - 0x6f;
					if(_t105 != 0x6f) {
						goto L11;
					}
					_t107 = E00DD884C(__ecx);
					goto L10;
				}
				if(_t206 == 0) {
					goto L27;
				}
				_t207 = _t105 - _t164;
				if(_t207 > 0) {
					_t157 = _t105 - 0x5a;
					__eflags = _t157;
					if(_t157 == 0) {
						_t107 = E00DD82AE(__ecx);
						goto L10;
					}
					_t158 = _t157 - 7;
					__eflags = _t158;
					if(_t158 == 0) {
						goto L29;
					}
					__eflags = _t158;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t107 = E00DD868C(_t162, _t202, _t194, __eflags, _t162);
					goto L10;
				}
				if(_t207 == 0) {
					_push(1);
					goto L13;
				}
				if(_t105 == 0x41) {
					goto L29;
				}
				if(_t105 == 0x43) {
					goto L17;
				}
				if(_t105 <= 0x44) {
					goto L11;
				}
				if(_t105 <= 0x47) {
					goto L29;
				}
				if(_t105 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00dd7af1
0x00dd7af9
0x00dd7b00
0x00dd7b05
0x00dd7b07
0x00dd7b0b
0x00dd7b0c
0x00dd7b10
0x00dd7b13
0x00dd7b86
0x00dd7b89
0x00dd7bd9
0x00dd7bd9
0x00dd7bdc
0x00dd7b42
0x00dd7b44
0x00dd7b49
0x00dd7b4b
0x00dd7bf7
0x00dd7bfa
0x00dd7e29
0x00dd7e2b
0x00dd7e38
0x00dd7e38
0x00dd7c00
0x00dd7c07
0x00dd7c0b
0x00dd7c0c
0x00dd7c10
0x00dd7c13
0x00dd7c15
0x00dd7c18
0x00dd7c1a
0x00dd7c4b
0x00dd7c4b
0x00dd7c4e
0x00dd7c51
0x00dd7c58
0x00dd7c5f
0x00dd7c61
0x00dd7c65
0x00dd7c65
0x00dd7c68
0x00dd7c71
0x00dd7c71
0x00dd7c73
0x00dd7c73
0x00dd7c75
0x00dd7c7b
0x00dd7c7b
0x00dd7c80
0x00dd7c83
0x00dd7c8e
0x00dd7c90
0x00dd7c91
0x00dd7c91
0x00dd7c95
0x00dd7c95
0x00dd7c98
0x00dd7c9b
0x00dd7ca1
0x00dd7ca3
0x00dd7ca6
0x00dd7ca9
0x00dd7cf7
0x00dd7cf7
0x00dd7cfa
0x00dd7d0a
0x00dd7d10
0x00dd7d15
0x00dd7d1a
0x00dd7d1d
0x00dd7d1f
0x00dd7d69
0x00dd7d69
0x00dd7d6c
0x00dd7dd0
0x00dd7dd0
0x00dd7de0
0x00dd7de5
0x00dd7de5
0x00dd7de7
0x00dd7e28
0x00000000
0x00dd7e28
0x00dd7dec
0x00dd7def
0x00dd7df1
0x00000000
0x00000000
0x00dd7df3
0x00dd7df6
0x00dd7df9
0x00dd7dfc
0x00dd7dfe
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd7e00
0x00dd7e00
0x00dd7e06
0x00dd7e0b
0x00dd7e0d
0x00000000
0x00000000
0x00dd7e0f
0x00dd7e14
0x00dd7e16
0x00dd7e19
0x00000000
0x00000000
0x00dd7e1b
0x00dd7e1e
0x00dd7e1f
0x00dd7e21
0x00000000
0x00000000
0x00000000
0x00dd7e23
0x00dd7e25
0x00dd7e25
0x00000000
0x00dd7e25
0x00dd7d6e
0x00dd7d71
0x00000000
0x00000000
0x00dd7d73
0x00dd7d76
0x00dd7d79
0x00dd7d88
0x00dd7d8f
0x00dd7d93
0x00dd7d98
0x00dd7d9b
0x00dd7d9d
0x00000000
0x00000000
0x00dd7d9f
0x00dd7da2
0x00000000
0x00000000
0x00dd7da4
0x00dd7db5
0x00dd7dbd
0x00dd7dc0
0x00dd7dc1
0x00dd7dc4
0x00dd7dc7
0x00000000
0x00000000
0x00000000
0x00dd7dc9
0x00dd7dcb
0x00000000
0x00dd7dcb
0x00dd7d21
0x00dd7d24
0x00dd7d27
0x00000000
0x00000000
0x00dd7d29
0x00dd7d2c
0x00dd7d2f
0x00dd7d32
0x00dd7d35
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd7d37
0x00dd7d37
0x00dd7d40
0x00dd7d45
0x00dd7d47
0x00000000
0x00000000
0x00dd7d49
0x00dd7d4e
0x00dd7d50
0x00dd7d53
0x00000000
0x00000000
0x00dd7d58
0x00dd7d59
0x00dd7d5c
0x00dd7d5f
0x00dd7d62
0x00000000
0x00000000
0x00000000
0x00dd7d64
0x00dd7d66
0x00dd7d66
0x00000000
0x00dd7d66
0x00dd7cab
0x00dd7cae
0x00dd7cb1
0x00dd7cb4
0x00dd7cb6
0x00000000
0x00000000
0x00dd7cb8
0x00dd7cbb
0x00dd7cc1
0x00dd7cc6
0x00dd7ccb
0x00dd7ccd
0x00000000
0x00000000
0x00dd7ccf
0x00dd7cd5
0x00dd7cd8
0x00dd7cdb
0x00000000
0x00000000
0x00dd7ce0
0x00dd7ce3
0x00dd7ce4
0x00dd7ce7
0x00dd7ce9
0x00dd7cef
0x00000000
0x00000000
0x00000000
0x00dd7cf1
0x00dd7cf3
0x00dd7cf3
0x00dd7cf3
0x00000000
0x00dd7cf3
0x00dd7c85
0x00dd7c88
0x00000000
0x00000000
0x00000000
0x00dd7c8a
0x00dd7c77
0x00dd7c79
0x00000000
0x00000000
0x00000000
0x00dd7c79
0x00dd7c6a
0x00dd7c6c
0x00dd7c6f
0x00000000
0x00000000
0x00000000
0x00dd7c6f
0x00dd7c63
0x00000000
0x00dd7c63
0x00dd7c53
0x00dd7c56
0x00000000
0x00000000
0x00000000
0x00dd7c56
0x00dd7c1e
0x00dd7c21
0x00dd7c23
0x00dd7c2b
0x00dd7c2d
0x00dd7c3c
0x00dd7c3e
0x00dd7c40
0x00dd7c42
0x00dd7c46
0x00dd7c48
0x00dd7c48
0x00000000
0x00dd7c40
0x00dd7c2f
0x00dd7c33
0x00dd7c33
0x00dd7c35
0x00000000
0x00dd7c35
0x00dd7c25
0x00000000
0x00dd7c25
0x00dd7b51
0x00000000
0x00dd7b51
0x00dd7be3
0x00dd7be3
0x00dd7be6
0x00dd7bb7
0x00dd7bba
0x00000000
0x00dd7bba
0x00dd7be8
0x00dd7beb
0x00000000
0x00000000
0x00dd7bf1
0x00dd7b5a
0x00dd7b5c
0x00000000
0x00dd7b5c
0x00dd7b8b
0x00dd7bcf
0x00000000
0x00dd7bcf
0x00dd7b8d
0x00dd7b90
0x00dd7bc1
0x00dd7bc3
0x00000000
0x00dd7bc3
0x00dd7b92
0x00dd7b95
0x00dd7bb3
0x00dd7bb3
0x00dd7bb3
0x00dd7bb3
0x00000000
0x00dd7bb3
0x00dd7b97
0x00dd7b9a
0x00dd7bac
0x00000000
0x00dd7bac
0x00dd7b9c
0x00dd7b9f
0x00000000
0x00000000
0x00dd7ba3
0x00000000
0x00dd7ba3
0x00dd7b15
0x00000000
0x00000000
0x00dd7b1b
0x00dd7b1d
0x00dd7b63
0x00dd7b63
0x00dd7b66
0x00dd7b7f
0x00000000
0x00dd7b7f
0x00dd7b68
0x00dd7b68
0x00dd7b6b
0x00000000
0x00000000
0x00dd7b6e
0x00dd7b71
0x00000000
0x00000000
0x00dd7b73
0x00dd7b76
0x00000000
0x00dd7b76
0x00dd7b1f
0x00dd7b58
0x00000000
0x00dd7b58
0x00dd7b24
0x00000000
0x00000000
0x00dd7b2d
0x00000000
0x00000000
0x00dd7b32
0x00000000
0x00000000
0x00dd7b37
0x00000000
0x00000000
0x00dd7b40
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 00DD7C7B

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e91a43736d55db4133878045319ab29902bd22c233b7409e8124f069cb096be2
Instruction ID: 16a38ba4b97f3a31756eb27fd62bed1c5e7f7d492976ab5d66040536c47d0a3c
Opcode Fuzzy Hash: e91a43736d55db4133878045319ab29902bd22c233b7409e8124f069cb096be2
Instruction Fuzzy Hash: 32B1C470A0860A8FCB24CF68C891ABEB7A5EF45314F18059FD492A7391E730ED45CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DC13D8 Relevance: 1.3, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC13D8() {
				signed int _t4;
				void* _t9;
				signed int _t11;

				_t4 =  *0xdf9b74; // 0x3
				if((_t4 & 0x00000001) == 0) {
					_t8 = _t4 | 0x00000001;
					 *0xdf9b74 = _t4 | 0x00000001;
					_t9 = GetProcessHeap();
					 *0xdf9b78 = 0xdf25bc;
					 *0xdf9b7c = _t9;
					 *0xdf9b80 = 0;
					E00DCF618(_t8, E00DE6505);
					_t4 =  *0xdf9b74; // 0x3
				}
				if((_t4 & 0x00000002) == 0) {
					 *0xdf9b94 =  *0xdf9b94 & 0x00000000;
					 *0xdf9b98 =  *0xdf9b98 & 0x00000000;
					_t11 = 2;
					 *0xdf9b9c = _t11;
					 *0xdf9b74 = _t4 | _t11;
					 *0xdf9b88 = 0xdf35b0;
					 *0xdf9b8c = 0xdf9b78;
					 *0xdf9ba0 = 0;
					 *0xdf9b90 = 0xdf9b88;
					E00DCF618(0, 0xde6504);
				}
				return 0xdf9b88;
			}

0x00dc13d8
0x00dc13df
0x00dc13e1
0x00dc13e4
0x00dc13e9
0x00dc13f4
0x00dc13fe
0x00dc1403
0x00dc140a
0x00dc140f
0x00dc1414
0x00dc141d
0x00dc141f
0x00dc1426
0x00dc142f
0x00dc1432
0x00dc143a
0x00dc1444
0x00dc144e
0x00dc1458
0x00dc145e
0x00dc1464
0x00dc1469
0x00dc146d

APIs

GetProcessHeap.KERNEL32(00DC3B5B,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC13E9

Part of subcall function 00DCF618: __onexit.LIBCMT ref: 00DCF61E

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: HeapProcess__onexit
String ID:
API String ID: 2210869276-0
Opcode ID: 7026869201836345871978035758e13e386f0acd4de4f96a39c1e75b15d1c0e9
Instruction ID: 8a990e308d36405a9fc0a48cf6e715bead4047f51175d8201925c090a2764e75
Opcode Fuzzy Hash: 7026869201836345871978035758e13e386f0acd4de4f96a39c1e75b15d1c0e9
Instruction Fuzzy Hash: 670112B1E153108BD7089F24FCAA7B0BBA2A34936AF11C62DE009CB3A0C7708405CF75

Uniqueness

Uniqueness Score: -1.00%

Function 00DE56B9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f191559a4c5e35bf784cae13d2a8c8069ab6ee07ce2c992dbb7000549ae58c7
Instruction ID: 431cbd57b8fad79a1abf5f5ee6eb3a5c943a2825fe2289d796e6aa6a0f2f9ea7
Opcode Fuzzy Hash: 9f191559a4c5e35bf784cae13d2a8c8069ab6ee07ce2c992dbb7000549ae58c7
Instruction Fuzzy Hash: 60321731D25F814DD7237635D861335A289AFB73C8F15D727F81AB9AA9EF28C5834110

Uniqueness

Uniqueness Score: -1.00%

Function 00DE47AC Relevance: .3, Instructions: 254
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00DE47AC(void* __edx, void* __esi) {
				signed int _t136;
				signed char _t137;
				signed char _t138;
				signed char _t139;
				signed char _t140;
				signed char _t142;
				signed int _t185;
				void* _t207;
				void* _t212;
				void* _t216;
				void* _t220;
				void* _t224;
				void* _t228;
				void* _t232;
				void* _t235;

				_t235 = __esi;
				_t207 = __edx;
				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
					_t185 = 0;
					goto L12;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi != 0) {
						L8:
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 - 1;
						L12:
						if(_t185 != 0) {
							L2:
							_t136 = _t185;
							return _t136;
						}
						_t137 =  *(_t235 - 0x1a);
						if(_t137 ==  *(_t207 - 0x1a)) {
							_t185 = 0;
							L21:
							if(_t185 != 0) {
								goto L2;
							}
							_t138 =  *(_t235 - 0x16);
							if(_t138 ==  *(_t207 - 0x16)) {
								_t185 = 0;
								L30:
								if(_t185 != 0) {
									goto L2;
								}
								_t139 =  *(_t235 - 0x12);
								if(_t139 ==  *(_t207 - 0x12)) {
									_t185 = 0;
									L39:
									if(_t185 != 0) {
										goto L2;
									}
									_t140 =  *(_t235 - 0xe);
									if(_t140 ==  *(_t207 - 0xe)) {
										_t185 = 0;
										L48:
										if(_t185 != 0) {
											goto L2;
										}
										if( *(_t235 - 0xa) ==  *(_t207 - 0xa)) {
											_t185 = 0;
											L57:
											if(_t185 != 0) {
												goto L2;
											}
											_t142 =  *(_t235 - 6);
											if(_t142 ==  *(_t207 - 6)) {
												_t185 = 0;
												L66:
												if(_t185 == 0 &&  *((intOrPtr*)(_t235 - 2)) ==  *((intOrPtr*)(_t207 - 2))) {
												}
												goto L2;
											}
											_t212 = (_t142 & 0x000000ff) - ( *(_t207 - 6) & 0x000000ff);
											if(_t212 != 0) {
												L62:
												_t185 = (0 | _t212 > 0x00000000) * 2 - 1;
												goto L66;
											}
											_t212 = ( *(_t235 - 5) & 0x000000ff) - ( *(_t207 - 5) & 0x000000ff);
											if(_t212 != 0) {
												goto L62;
											}
											_t212 = ( *(_t235 - 4) & 0x000000ff) - ( *(_t207 - 4) & 0x000000ff);
											if(_t212 == 0) {
												_t185 = ( *(_t235 - 3) & 0x000000ff) - ( *(_t207 - 3) & 0x000000ff);
												if(_t185 != 0) {
													_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											goto L62;
										}
										_t216 = ( *(_t235 - 0xa) & 0x000000ff) - ( *(_t207 - 0xa) & 0x000000ff);
										if(_t216 != 0) {
											L53:
											_t185 = (0 | _t216 > 0x00000000) * 2 - 1;
											goto L57;
										}
										_t216 = ( *(_t235 - 9) & 0x000000ff) - ( *(_t207 - 9) & 0x000000ff);
										if(_t216 != 0) {
											goto L53;
										}
										_t216 = ( *(_t235 - 8) & 0x000000ff) - ( *(_t207 - 8) & 0x000000ff);
										if(_t216 == 0) {
											_t185 = ( *(_t235 - 7) & 0x000000ff) - ( *(_t207 - 7) & 0x000000ff);
											if(_t185 != 0) {
												_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
											}
											goto L57;
										}
										goto L53;
									}
									_t220 = (_t140 & 0x000000ff) - ( *(_t207 - 0xe) & 0x000000ff);
									if(_t220 != 0) {
										L44:
										_t185 = (0 | _t220 > 0x00000000) * 2 - 1;
										goto L48;
									}
									_t220 = ( *(_t235 - 0xd) & 0x000000ff) - ( *(_t207 - 0xd) & 0x000000ff);
									if(_t220 != 0) {
										goto L44;
									}
									_t220 = ( *(_t235 - 0xc) & 0x000000ff) - ( *(_t207 - 0xc) & 0x000000ff);
									if(_t220 == 0) {
										_t185 = ( *(_t235 - 0xb) & 0x000000ff) - ( *(_t207 - 0xb) & 0x000000ff);
										if(_t185 != 0) {
											_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
										}
										goto L48;
									}
									goto L44;
								}
								_t224 = (_t139 & 0x000000ff) - ( *(_t207 - 0x12) & 0x000000ff);
								if(_t224 != 0) {
									L35:
									_t185 = (0 | _t224 > 0x00000000) * 2 - 1;
									goto L39;
								}
								_t224 = ( *(_t235 - 0x11) & 0x000000ff) - ( *(_t207 - 0x11) & 0x000000ff);
								if(_t224 != 0) {
									goto L35;
								}
								_t224 = ( *(_t235 - 0x10) & 0x000000ff) - ( *(_t207 - 0x10) & 0x000000ff);
								if(_t224 == 0) {
									_t185 = ( *(_t235 - 0xf) & 0x000000ff) - ( *(_t207 - 0xf) & 0x000000ff);
									if(_t185 != 0) {
										_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
									}
									goto L39;
								}
								goto L35;
							}
							_t228 = (_t138 & 0x000000ff) - ( *(_t207 - 0x16) & 0x000000ff);
							if(_t228 != 0) {
								L26:
								_t185 = (0 | _t228 > 0x00000000) * 2 - 1;
								goto L30;
							}
							_t228 = ( *(_t235 - 0x15) & 0x000000ff) - ( *(_t207 - 0x15) & 0x000000ff);
							if(_t228 != 0) {
								goto L26;
							}
							_t228 = ( *(_t235 - 0x14) & 0x000000ff) - ( *(_t207 - 0x14) & 0x000000ff);
							if(_t228 == 0) {
								_t185 = ( *(_t235 - 0x13) & 0x000000ff) - ( *(_t207 - 0x13) & 0x000000ff);
								if(_t185 != 0) {
									_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
								}
								goto L30;
							}
							goto L26;
						}
						_t232 = (_t137 & 0x000000ff) - ( *(_t207 - 0x1a) & 0x000000ff);
						if(_t232 != 0) {
							L17:
							_t185 = (0 | _t232 > 0x00000000) * 2 - 1;
							goto L21;
						}
						_t232 = ( *(_t235 - 0x19) & 0x000000ff) - ( *(_t207 - 0x19) & 0x000000ff);
						if(_t232 != 0) {
							goto L17;
						}
						_t232 = ( *(_t235 - 0x18) & 0x000000ff) - ( *(_t207 - 0x18) & 0x000000ff);
						if(_t232 == 0) {
							_t185 = ( *(_t235 - 0x17) & 0x000000ff) - ( *(_t207 - 0x17) & 0x000000ff);
							if(_t185 != 0) {
								_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
							}
							goto L21;
						}
						goto L17;
					}
					__edi =  *(__esi - 0x1d) & 0x000000ff;
					__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi != 0) {
						goto L8;
					}
					__edi =  *(__esi - 0x1c) & 0x000000ff;
					__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
					if(__edi == 0) {
						__ecx =  *(__esi - 0x1b) & 0x000000ff;
						__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
						if(__ecx != 0) {
							__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
						}
						goto L12;
					}
					goto L8;
				}
			}

0x00de47ac
0x00de47ac
0x00de47b2
0x00de4803
0x00000000
0x00de47b4
0x00de47b4
0x00de47bb
0x00de47bd
0x00de47d7
0x00de47db
0x00de47de
0x00de4805
0x00de4807
0x00de44dd
0x00de44dd
0x00de4deb
0x00de4deb
0x00de480d
0x00de4813
0x00de4864
0x00de4866
0x00de4868
0x00000000
0x00000000
0x00de486e
0x00de4874
0x00de48c5
0x00de48c7
0x00de48c9
0x00000000
0x00000000
0x00de48cf
0x00de48d5
0x00de4926
0x00de4928
0x00de492a
0x00000000
0x00000000
0x00de4930
0x00de4936
0x00de4987
0x00de4989
0x00de498b
0x00000000
0x00000000
0x00de4997
0x00de49e9
0x00de49eb
0x00de49ed
0x00000000
0x00000000
0x00de49f3
0x00de49f9
0x00de4a4a
0x00de4a4c
0x00de4a4e
0x00de4a4e
0x00000000
0x00de4a4e
0x00de4a02
0x00de4a04
0x00de4a1e
0x00de4a25
0x00000000
0x00de4a25
0x00de4a0e
0x00de4a10
0x00000000
0x00000000
0x00de4a1a
0x00de4a1c
0x00de4a36
0x00de4a38
0x00de4a41
0x00de4a41
0x00000000
0x00de4a38
0x00000000
0x00de4a1c
0x00de49a1
0x00de49a3
0x00de49bd
0x00de49c4
0x00000000
0x00de49c4
0x00de49ad
0x00de49af
0x00000000
0x00000000
0x00de49b9
0x00de49bb
0x00de49d5
0x00de49d7
0x00de49e0
0x00de49e0
0x00000000
0x00de49d7
0x00000000
0x00de49bb
0x00de493f
0x00de4941
0x00de495b
0x00de4962
0x00000000
0x00de4962
0x00de494b
0x00de494d
0x00000000
0x00000000
0x00de4957
0x00de4959
0x00de4973
0x00de4975
0x00de497e
0x00de497e
0x00000000
0x00de4975
0x00000000
0x00de4959
0x00de48de
0x00de48e0
0x00de48fa
0x00de4901
0x00000000
0x00de4901
0x00de48ea
0x00de48ec
0x00000000
0x00000000
0x00de48f6
0x00de48f8
0x00de4912
0x00de4914
0x00de491d
0x00de491d
0x00000000
0x00de4914
0x00000000
0x00de48f8
0x00de487d
0x00de487f
0x00de4899
0x00de48a0
0x00000000
0x00de48a0
0x00de4889
0x00de488b
0x00000000
0x00000000
0x00de4895
0x00de4897
0x00de48b1
0x00de48b3
0x00de48bc
0x00de48bc
0x00000000
0x00de48b3
0x00000000
0x00de4897
0x00de481c
0x00de481e
0x00de4838
0x00de483f
0x00000000
0x00de483f
0x00de4828
0x00de482a
0x00000000
0x00000000
0x00de4834
0x00de4836
0x00de4850
0x00de4852
0x00de485b
0x00de485b
0x00000000
0x00de4852
0x00000000
0x00de4836
0x00de47bf
0x00de47c7
0x00de47c9
0x00000000
0x00000000
0x00de47cb
0x00de47d3
0x00de47d5
0x00de47e7
0x00de47ef
0x00de47f1
0x00de47fa
0x00de47fa
0x00000000
0x00de47f1
0x00000000
0x00de47d5

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 5a6a945cf8aabcdbc83e47e863b57b539d180128b2380c8ede4aeca0bb22935b
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: D69173726080E34ADB69663B887403EFFE15A523B571E079ED4F2DB1C1EE24C964DA30

Uniqueness

Uniqueness Score: -1.00%

Function 00DE4A67 Relevance: .2, Instructions: 244
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00DE4A67(void* __edx, void* __esi) {
				signed int _t137;
				signed char _t138;
				signed char _t139;
				signed char _t140;
				signed char _t142;
				signed char _t143;
				signed int _t186;
				void* _t208;
				void* _t211;
				void* _t214;
				void* _t218;
				void* _t222;
				void* _t226;
				void* _t230;
				void* _t234;
				void* _t237;

				_t237 = __esi;
				_t208 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t186 = 0;
					goto L11;
				} else {
					__edi =  *(__esi - 0x1f) & 0x000000ff;
					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi != 0) {
						L7:
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 - 1;
						L11:
						if(_t186 != 0) {
							goto L1;
						}
						_t138 =  *(_t237 - 0x1b);
						if(_t138 ==  *(_t208 - 0x1b)) {
							_t186 = 0;
							L20:
							if(_t186 != 0) {
								goto L1;
							}
							_t139 =  *(_t237 - 0x17);
							if(_t139 ==  *(_t208 - 0x17)) {
								_t186 = 0;
								L29:
								if(_t186 != 0) {
									goto L1;
								}
								_t140 =  *(_t237 - 0x13);
								if(_t140 ==  *(_t208 - 0x13)) {
									_t186 = 0;
									L38:
									if(_t186 != 0) {
										goto L1;
									}
									if( *(_t237 - 0xf) ==  *(_t208 - 0xf)) {
										_t186 = 0;
										L47:
										if(_t186 != 0) {
											goto L1;
										}
										_t142 =  *(_t237 - 0xb);
										if(_t142 ==  *(_t208 - 0xb)) {
											_t186 = 0;
											L56:
											if(_t186 != 0) {
												goto L1;
											}
											_t143 =  *(_t237 - 7);
											if(_t143 ==  *(_t208 - 7)) {
												_t186 = 0;
												L65:
												if(_t186 != 0) {
													goto L1;
												}
												_t211 = ( *(_t237 - 3) & 0x000000ff) - ( *(_t208 - 3) & 0x000000ff);
												if(_t211 != 0) {
													L68:
													_t186 = (0 | _t211 > 0x00000000) * 2 - 1;
													goto L1;
												}
												_t211 = ( *(_t237 - 2) & 0x000000ff) - ( *(_t208 - 2) & 0x000000ff);
												if(_t211 == 0) {
													_t186 = ( *(_t237 - 1) & 0x000000ff) - ( *(_t208 - 1) & 0x000000ff);
													if(_t186 != 0) {
														_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												goto L68;
											}
											_t214 = (_t143 & 0x000000ff) - ( *(_t208 - 7) & 0x000000ff);
											if(_t214 != 0) {
												L61:
												_t186 = (0 | _t214 > 0x00000000) * 2 - 1;
												goto L65;
											}
											_t214 = ( *(_t237 - 6) & 0x000000ff) - ( *(_t208 - 6) & 0x000000ff);
											if(_t214 != 0) {
												goto L61;
											}
											_t214 = ( *(_t237 - 5) & 0x000000ff) - ( *(_t208 - 5) & 0x000000ff);
											if(_t214 == 0) {
												_t186 = ( *(_t237 - 4) & 0x000000ff) - ( *(_t208 - 4) & 0x000000ff);
												if(_t186 != 0) {
													_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											goto L61;
										}
										_t218 = (_t142 & 0x000000ff) - ( *(_t208 - 0xb) & 0x000000ff);
										if(_t218 != 0) {
											L52:
											_t186 = (0 | _t218 > 0x00000000) * 2 - 1;
											goto L56;
										}
										_t218 = ( *(_t237 - 0xa) & 0x000000ff) - ( *(_t208 - 0xa) & 0x000000ff);
										if(_t218 != 0) {
											goto L52;
										}
										_t218 = ( *(_t237 - 9) & 0x000000ff) - ( *(_t208 - 9) & 0x000000ff);
										if(_t218 == 0) {
											_t186 = ( *(_t237 - 8) & 0x000000ff) - ( *(_t208 - 8) & 0x000000ff);
											if(_t186 != 0) {
												_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
											}
											goto L56;
										}
										goto L52;
									}
									_t222 = ( *(_t237 - 0xf) & 0x000000ff) - ( *(_t208 - 0xf) & 0x000000ff);
									if(_t222 != 0) {
										L43:
										_t186 = (0 | _t222 > 0x00000000) * 2 - 1;
										goto L47;
									}
									_t222 = ( *(_t237 - 0xe) & 0x000000ff) - ( *(_t208 - 0xe) & 0x000000ff);
									if(_t222 != 0) {
										goto L43;
									}
									_t222 = ( *(_t237 - 0xd) & 0x000000ff) - ( *(_t208 - 0xd) & 0x000000ff);
									if(_t222 == 0) {
										_t186 = ( *(_t237 - 0xc) & 0x000000ff) - ( *(_t208 - 0xc) & 0x000000ff);
										if(_t186 != 0) {
											_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									goto L43;
								}
								_t226 = (_t140 & 0x000000ff) - ( *(_t208 - 0x13) & 0x000000ff);
								if(_t226 != 0) {
									L34:
									_t186 = (0 | _t226 > 0x00000000) * 2 - 1;
									goto L38;
								}
								_t226 = ( *(_t237 - 0x12) & 0x000000ff) - ( *(_t208 - 0x12) & 0x000000ff);
								if(_t226 != 0) {
									goto L34;
								}
								_t226 = ( *(_t237 - 0x11) & 0x000000ff) - ( *(_t208 - 0x11) & 0x000000ff);
								if(_t226 == 0) {
									_t186 = ( *(_t237 - 0x10) & 0x000000ff) - ( *(_t208 - 0x10) & 0x000000ff);
									if(_t186 != 0) {
										_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
									}
									goto L38;
								}
								goto L34;
							}
							_t230 = (_t139 & 0x000000ff) - ( *(_t208 - 0x17) & 0x000000ff);
							if(_t230 != 0) {
								L25:
								_t186 = (0 | _t230 > 0x00000000) * 2 - 1;
								goto L29;
							}
							_t230 = ( *(_t237 - 0x16) & 0x000000ff) - ( *(_t208 - 0x16) & 0x000000ff);
							if(_t230 != 0) {
								goto L25;
							}
							_t230 = ( *(_t237 - 0x15) & 0x000000ff) - ( *(_t208 - 0x15) & 0x000000ff);
							if(_t230 == 0) {
								_t186 = ( *(_t237 - 0x14) & 0x000000ff) - ( *(_t208 - 0x14) & 0x000000ff);
								if(_t186 != 0) {
									_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
								}
								goto L29;
							}
							goto L25;
						}
						_t234 = (_t138 & 0x000000ff) - ( *(_t208 - 0x1b) & 0x000000ff);
						if(_t234 != 0) {
							L16:
							_t186 = (0 | _t234 > 0x00000000) * 2 - 1;
							goto L20;
						}
						_t234 = ( *(_t237 - 0x1a) & 0x000000ff) - ( *(_t208 - 0x1a) & 0x000000ff);
						if(_t234 != 0) {
							goto L16;
						}
						_t234 = ( *(_t237 - 0x19) & 0x000000ff) - ( *(_t208 - 0x19) & 0x000000ff);
						if(_t234 == 0) {
							_t186 = ( *(_t237 - 0x18) & 0x000000ff) - ( *(_t208 - 0x18) & 0x000000ff);
							if(_t186 != 0) {
								_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
							}
							goto L20;
						}
						goto L16;
					}
					__edi =  *(__esi - 0x1e) & 0x000000ff;
					__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi != 0) {
						goto L7;
					}
					__edi =  *(__esi - 0x1d) & 0x000000ff;
					__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						__ecx =  *(__esi - 0x1c) & 0x000000ff;
						__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__ecx != 0) {
							__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
						}
						goto L11;
					}
					goto L7;
				}
				L1:
				_t137 = _t186;
				return _t137;
			}

0x00de4a67
0x00de4a67
0x00de4a6d
0x00de4abf
0x00000000
0x00de4a6f
0x00de4a73
0x00de4a77
0x00de4a79
0x00de4a93
0x00de4a97
0x00de4a9a
0x00de4ac1
0x00de4ac3
0x00000000
0x00000000
0x00de4ac9
0x00de4acf
0x00de4b20
0x00de4b22
0x00de4b24
0x00000000
0x00000000
0x00de4b2a
0x00de4b30
0x00de4b81
0x00de4b83
0x00de4b85
0x00000000
0x00000000
0x00de4b8b
0x00de4b91
0x00de4be2
0x00de4be4
0x00de4be6
0x00000000
0x00000000
0x00de4bf2
0x00de4c44
0x00de4c46
0x00de4c48
0x00000000
0x00000000
0x00de4c4e
0x00de4c54
0x00de4ca5
0x00de4ca7
0x00de4ca9
0x00000000
0x00000000
0x00de4caf
0x00de4cb5
0x00de4d06
0x00de4d08
0x00de4d0a
0x00000000
0x00000000
0x00de4d18
0x00de4d1a
0x00de4d2c
0x00de4d33
0x00000000
0x00de4d33
0x00de4d24
0x00de4d26
0x00de4791
0x00de4793
0x00de47a0
0x00de47a0
0x00000000
0x00de4793
0x00000000
0x00de4d26
0x00de4cbe
0x00de4cc0
0x00de4cda
0x00de4ce1
0x00000000
0x00de4ce1
0x00de4cca
0x00de4ccc
0x00000000
0x00000000
0x00de4cd6
0x00de4cd8
0x00de4cf2
0x00de4cf4
0x00de4cfd
0x00de4cfd
0x00000000
0x00de4cf4
0x00000000
0x00de4cd8
0x00de4c5d
0x00de4c5f
0x00de4c79
0x00de4c80
0x00000000
0x00de4c80
0x00de4c69
0x00de4c6b
0x00000000
0x00000000
0x00de4c75
0x00de4c77
0x00de4c91
0x00de4c93
0x00de4c9c
0x00de4c9c
0x00000000
0x00de4c93
0x00000000
0x00de4c77
0x00de4bfc
0x00de4bfe
0x00de4c18
0x00de4c1f
0x00000000
0x00de4c1f
0x00de4c08
0x00de4c0a
0x00000000
0x00000000
0x00de4c14
0x00de4c16
0x00de4c30
0x00de4c32
0x00de4c3b
0x00de4c3b
0x00000000
0x00de4c32
0x00000000
0x00de4c16
0x00de4b9a
0x00de4b9c
0x00de4bb6
0x00de4bbd
0x00000000
0x00de4bbd
0x00de4ba6
0x00de4ba8
0x00000000
0x00000000
0x00de4bb2
0x00de4bb4
0x00de4bce
0x00de4bd0
0x00de4bd9
0x00de4bd9
0x00000000
0x00de4bd0
0x00000000
0x00de4bb4
0x00de4b39
0x00de4b3b
0x00de4b55
0x00de4b5c
0x00000000
0x00de4b5c
0x00de4b45
0x00de4b47
0x00000000
0x00000000
0x00de4b51
0x00de4b53
0x00de4b6d
0x00de4b6f
0x00de4b78
0x00de4b78
0x00000000
0x00de4b6f
0x00000000
0x00de4b53
0x00de4ad8
0x00de4ada
0x00de4af4
0x00de4afb
0x00000000
0x00de4afb
0x00de4ae4
0x00de4ae6
0x00000000
0x00000000
0x00de4af0
0x00de4af2
0x00de4b0c
0x00de4b0e
0x00de4b17
0x00de4b17
0x00000000
0x00de4b0e
0x00000000
0x00de4af2
0x00de4a7b
0x00de4a83
0x00de4a85
0x00000000
0x00000000
0x00de4a87
0x00de4a8f
0x00de4a91
0x00de4aa3
0x00de4aab
0x00de4aad
0x00de4ab6
0x00de4ab6
0x00000000
0x00de4aad
0x00000000
0x00de4a91
0x00de44dd
0x00de44dd
0x00de4deb

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: d033fce1e728264fe587522c57eeb41027d0582cae3b3c226422dbb695c25a7f
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: D09163722090E30ADB6D563B857413EFFE15A923A131E07AED4F2CB1C5EE24D964E630

Uniqueness

Uniqueness Score: -1.00%

Function 00DE44E5 Relevance: .2, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00DE44E5(void* __edx, void* __esi) {
				signed int _t128;
				signed char _t129;
				signed char _t130;
				signed char _t131;
				signed char _t132;
				signed char _t134;
				signed int _t175;
				void* _t195;
				void* _t198;
				void* _t202;
				void* _t206;
				void* _t210;
				void* _t214;
				void* _t218;
				void* _t221;

				_t221 = __esi;
				_t195 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t175 = 0;
					L9:
					if(_t175 != 0) {
						goto L1;
					}
					_t129 =  *(_t221 - 0x19);
					if(_t129 ==  *(_t195 - 0x19)) {
						_t175 = 0;
						L18:
						if(_t175 != 0) {
							goto L1;
						}
						_t130 =  *(_t221 - 0x15);
						if(_t130 ==  *(_t195 - 0x15)) {
							_t175 = 0;
							L27:
							if(_t175 != 0) {
								goto L1;
							}
							_t131 =  *(_t221 - 0x11);
							if(_t131 ==  *(_t195 - 0x11)) {
								_t175 = 0;
								L36:
								if(_t175 != 0) {
									goto L1;
								}
								_t132 =  *(_t221 - 0xd);
								if(_t132 ==  *(_t195 - 0xd)) {
									_t175 = 0;
									L45:
									if(_t175 != 0) {
										goto L1;
									}
									if( *(_t221 - 9) ==  *(_t195 - 9)) {
										_t175 = 0;
										L54:
										if(_t175 != 0) {
											goto L1;
										}
										_t134 =  *(_t221 - 5);
										if(_t134 ==  *(_t195 - 5)) {
											_t175 = 0;
											L63:
											if(_t175 == 0) {
												_t175 = ( *(_t221 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t175 != 0) {
													_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t198 = (_t134 & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
										if(_t198 != 0) {
											L59:
											_t175 = (0 | _t198 > 0x00000000) * 2 - 1;
											goto L63;
										}
										_t198 = ( *(_t221 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
										if(_t198 != 0) {
											goto L59;
										}
										_t198 = ( *(_t221 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
										if(_t198 == 0) {
											_t175 = ( *(_t221 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t175 != 0) {
												_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
											}
											goto L63;
										}
										goto L59;
									}
									_t202 = ( *(_t221 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
									if(_t202 != 0) {
										L50:
										_t175 = (0 | _t202 > 0x00000000) * 2 - 1;
										goto L54;
									}
									_t202 = ( *(_t221 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
									if(_t202 != 0) {
										goto L50;
									}
									_t202 = ( *(_t221 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
									if(_t202 == 0) {
										_t175 = ( *(_t221 - 6) & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t175 != 0) {
											_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
										}
										goto L54;
									}
									goto L50;
								}
								_t206 = (_t132 & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
								if(_t206 != 0) {
									L41:
									_t175 = (0 | _t206 > 0x00000000) * 2 - 1;
									goto L45;
								}
								_t206 = ( *(_t221 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
								if(_t206 != 0) {
									goto L41;
								}
								_t206 = ( *(_t221 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
								if(_t206 == 0) {
									_t175 = ( *(_t221 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t175 != 0) {
										_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
									}
									goto L45;
								}
								goto L41;
							}
							_t210 = (_t131 & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
							if(_t210 != 0) {
								L32:
								_t175 = (0 | _t210 > 0x00000000) * 2 - 1;
								goto L36;
							}
							_t210 = ( *(_t221 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
							if(_t210 != 0) {
								goto L32;
							}
							_t210 = ( *(_t221 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
							if(_t210 == 0) {
								_t175 = ( *(_t221 - 0xe) & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t175 != 0) {
									_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
								}
								goto L36;
							}
							goto L32;
						}
						_t214 = (_t130 & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
						if(_t214 != 0) {
							L23:
							_t175 = (0 | _t214 > 0x00000000) * 2 - 1;
							goto L27;
						}
						_t214 = ( *(_t221 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
						if(_t214 != 0) {
							goto L23;
						}
						_t214 = ( *(_t221 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
						if(_t214 == 0) {
							_t175 = ( *(_t221 - 0x12) & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t175 != 0) {
								_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
							}
							goto L27;
						}
						goto L23;
					}
					_t218 = (_t129 & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
					if(_t218 != 0) {
						L14:
						_t175 = (0 | _t218 > 0x00000000) * 2 - 1;
						goto L18;
					}
					_t218 = ( *(_t221 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
					if(_t218 != 0) {
						goto L14;
					}
					_t218 = ( *(_t221 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
					if(_t218 == 0) {
						_t175 = ( *(_t221 - 0x16) & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t175 != 0) {
							_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
						}
						goto L18;
					}
					goto L14;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi != 0) {
						L5:
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 - 1;
						goto L9;
					}
					__edi =  *(__esi - 0x1c) & 0x000000ff;
					__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
					if(__edi != 0) {
						goto L5;
					}
					__edi =  *(__esi - 0x1b) & 0x000000ff;
					__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
					if(__edi == 0) {
						__ecx =  *(__esi - 0x1a) & 0x000000ff;
						__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
						if(__ecx != 0) {
							__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
						}
						goto L9;
					}
					goto L5;
				}
				L1:
				_t128 = _t175;
				return _t128;
			}

0x00de44e5
0x00de44e5
0x00de44eb
0x00de453c
0x00de453e
0x00de4540
0x00000000
0x00000000
0x00de4542
0x00de4548
0x00de4599
0x00de459b
0x00de459d
0x00000000
0x00000000
0x00de45a3
0x00de45a9
0x00de45fa
0x00de45fc
0x00de45fe
0x00000000
0x00000000
0x00de4604
0x00de460a
0x00de465b
0x00de465d
0x00de465f
0x00000000
0x00000000
0x00de4665
0x00de466b
0x00de46bc
0x00de46be
0x00de46c0
0x00000000
0x00000000
0x00de46cc
0x00de471e
0x00de4720
0x00de4722
0x00000000
0x00000000
0x00de4728
0x00de472e
0x00de477f
0x00de4781
0x00de4783
0x00de4791
0x00de4793
0x00de47a0
0x00de47a0
0x00de4793
0x00000000
0x00de4783
0x00de4737
0x00de4739
0x00de4753
0x00de475a
0x00000000
0x00de475a
0x00de4743
0x00de4745
0x00000000
0x00000000
0x00de474f
0x00de4751
0x00de476b
0x00de476d
0x00de4776
0x00de4776
0x00000000
0x00de476d
0x00000000
0x00de4751
0x00de46d6
0x00de46d8
0x00de46f2
0x00de46f9
0x00000000
0x00de46f9
0x00de46e2
0x00de46e4
0x00000000
0x00000000
0x00de46ee
0x00de46f0
0x00de470a
0x00de470c
0x00de4715
0x00de4715
0x00000000
0x00de470c
0x00000000
0x00de46f0
0x00de4674
0x00de4676
0x00de4690
0x00de4697
0x00000000
0x00de4697
0x00de4680
0x00de4682
0x00000000
0x00000000
0x00de468c
0x00de468e
0x00de46a8
0x00de46aa
0x00de46b3
0x00de46b3
0x00000000
0x00de46aa
0x00000000
0x00de468e
0x00de4613
0x00de4615
0x00de462f
0x00de4636
0x00000000
0x00de4636
0x00de461f
0x00de4621
0x00000000
0x00000000
0x00de462b
0x00de462d
0x00de4647
0x00de4649
0x00de4652
0x00de4652
0x00000000
0x00de4649
0x00000000
0x00de462d
0x00de45b2
0x00de45b4
0x00de45ce
0x00de45d5
0x00000000
0x00de45d5
0x00de45be
0x00de45c0
0x00000000
0x00000000
0x00de45ca
0x00de45cc
0x00de45e6
0x00de45e8
0x00de45f1
0x00de45f1
0x00000000
0x00de45e8
0x00000000
0x00de45cc
0x00de4551
0x00de4553
0x00de456d
0x00de4574
0x00000000
0x00de4574
0x00de455d
0x00de455f
0x00000000
0x00000000
0x00de4569
0x00de456b
0x00de4585
0x00de4587
0x00de4590
0x00de4590
0x00000000
0x00de4587
0x00000000
0x00de44ed
0x00de44ed
0x00de44f4
0x00de44f6
0x00de4510
0x00de4514
0x00de4517
0x00000000
0x00de4517
0x00de44f8
0x00de4500
0x00de4502
0x00000000
0x00000000
0x00de4504
0x00de450c
0x00de450e
0x00de4520
0x00de4528
0x00de452a
0x00de4533
0x00de4533
0x00000000
0x00de452a
0x00000000
0x00de450e
0x00de44dd
0x00de44dd
0x00de4deb

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 12517562d514b38fb38cd7ab5e1f994a7c39714ca8710592c8ce1da76601ef25
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: BA9183722090E30ADB2E663F957407EFFE15A523A131E07AEE4F2CA1C5EE14C564DA30

Uniqueness

Uniqueness Score: -1.00%

Function 00DE423B Relevance: .2, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00DE423B(void* __edx, void* __esi) {
				signed char _t121;
				void* _t122;
				signed char _t123;
				signed char _t124;
				signed char _t125;
				signed char _t127;
				signed char _t128;
				void* _t172;
				void* _t194;
				void* _t197;
				void* _t201;
				void* _t205;
				void* _t209;
				void* _t213;
				void* _t217;
				void* _t221;
				void* _t224;

				_t224 = __esi;
				_t194 = __edx;
				_t121 =  *(__esi - 0x1c);
				if(_t121 ==  *(__edx - 0x1c)) {
					_t172 = 0;
					L8:
					if(_t172 != 0) {
						L64:
						_t122 = _t172;
						return _t122;
					}
					_t123 =  *(_t224 - 0x18);
					if(_t123 ==  *(_t194 - 0x18)) {
						_t172 = 0;
						L17:
						if(_t172 != 0) {
							goto L64;
						}
						_t124 =  *(_t224 - 0x14);
						if(_t124 ==  *(_t194 - 0x14)) {
							_t172 = 0;
							L26:
							if(_t172 != 0) {
								goto L64;
							}
							_t125 =  *(_t224 - 0x10);
							if(_t125 ==  *(_t194 - 0x10)) {
								_t172 = 0;
								L35:
								if(_t172 != 0) {
									goto L64;
								}
								if( *(_t224 - 0xc) ==  *(_t194 - 0xc)) {
									_t172 = 0;
									L44:
									if(_t172 != 0) {
										goto L64;
									}
									_t127 =  *(_t224 - 8);
									if(_t127 ==  *(_t194 - 8)) {
										_t172 = 0;
										L53:
										if(_t172 != 0) {
											goto L64;
										}
										_t128 =  *(_t224 - 4);
										if(_t128 ==  *(_t194 - 4)) {
											_t172 = 0;
											L62:
											if(_t172 == 0) {
												_t172 = 0;
											}
											goto L64;
										}
										_t197 = (_t128 & 0x000000ff) - ( *(_t194 - 4) & 0x000000ff);
										if(_t197 != 0) {
											L58:
											_t172 = (0 | _t197 > 0x00000000) * 2 - 1;
											goto L62;
										}
										_t197 = ( *(_t224 - 3) & 0x000000ff) - ( *(_t194 - 3) & 0x000000ff);
										if(_t197 != 0) {
											goto L58;
										}
										_t197 = ( *(_t224 - 2) & 0x000000ff) - ( *(_t194 - 2) & 0x000000ff);
										if(_t197 == 0) {
											_t172 = ( *(_t224 - 1) & 0x000000ff) - ( *(_t194 - 1) & 0x000000ff);
											if(_t172 != 0) {
												_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
											}
											goto L62;
										}
										goto L58;
									}
									_t201 = (_t127 & 0x000000ff) - ( *(_t194 - 8) & 0x000000ff);
									if(_t201 != 0) {
										L49:
										_t172 = (0 | _t201 > 0x00000000) * 2 - 1;
										goto L53;
									}
									_t201 = ( *(_t224 - 7) & 0x000000ff) - ( *(_t194 - 7) & 0x000000ff);
									if(_t201 != 0) {
										goto L49;
									}
									_t201 = ( *(_t224 - 6) & 0x000000ff) - ( *(_t194 - 6) & 0x000000ff);
									if(_t201 == 0) {
										_t172 = ( *(_t224 - 5) & 0x000000ff) - ( *(_t194 - 5) & 0x000000ff);
										if(_t172 != 0) {
											_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
										}
										goto L53;
									}
									goto L49;
								}
								_t205 = ( *(_t224 - 0xc) & 0x000000ff) - ( *(_t194 - 0xc) & 0x000000ff);
								if(_t205 != 0) {
									L40:
									_t172 = (0 | _t205 > 0x00000000) * 2 - 1;
									goto L44;
								}
								_t205 = ( *(_t224 - 0xb) & 0x000000ff) - ( *(_t194 - 0xb) & 0x000000ff);
								if(_t205 != 0) {
									goto L40;
								}
								_t205 = ( *(_t224 - 0xa) & 0x000000ff) - ( *(_t194 - 0xa) & 0x000000ff);
								if(_t205 == 0) {
									_t172 = ( *(_t224 - 9) & 0x000000ff) - ( *(_t194 - 9) & 0x000000ff);
									if(_t172 != 0) {
										_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
									}
									goto L44;
								}
								goto L40;
							}
							_t209 = (_t125 & 0x000000ff) - ( *(_t194 - 0x10) & 0x000000ff);
							if(_t209 != 0) {
								L31:
								_t172 = (0 | _t209 > 0x00000000) * 2 - 1;
								goto L35;
							}
							_t209 = ( *(_t224 - 0xf) & 0x000000ff) - ( *(_t194 - 0xf) & 0x000000ff);
							if(_t209 != 0) {
								goto L31;
							}
							_t209 = ( *(_t224 - 0xe) & 0x000000ff) - ( *(_t194 - 0xe) & 0x000000ff);
							if(_t209 == 0) {
								_t172 = ( *(_t224 - 0xd) & 0x000000ff) - ( *(_t194 - 0xd) & 0x000000ff);
								if(_t172 != 0) {
									_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
								}
								goto L35;
							}
							goto L31;
						}
						_t213 = (_t124 & 0x000000ff) - ( *(_t194 - 0x14) & 0x000000ff);
						if(_t213 != 0) {
							L22:
							_t172 = (0 | _t213 > 0x00000000) * 2 - 1;
							goto L26;
						}
						_t213 = ( *(_t224 - 0x13) & 0x000000ff) - ( *(_t194 - 0x13) & 0x000000ff);
						if(_t213 != 0) {
							goto L22;
						}
						_t213 = ( *(_t224 - 0x12) & 0x000000ff) - ( *(_t194 - 0x12) & 0x000000ff);
						if(_t213 == 0) {
							_t172 = ( *(_t224 - 0x11) & 0x000000ff) - ( *(_t194 - 0x11) & 0x000000ff);
							if(_t172 != 0) {
								_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
							}
							goto L26;
						}
						goto L22;
					}
					_t217 = (_t123 & 0x000000ff) - ( *(_t194 - 0x18) & 0x000000ff);
					if(_t217 != 0) {
						L13:
						_t172 = (0 | _t217 > 0x00000000) * 2 - 1;
						goto L17;
					}
					_t217 = ( *(_t224 - 0x17) & 0x000000ff) - ( *(_t194 - 0x17) & 0x000000ff);
					if(_t217 != 0) {
						goto L13;
					}
					_t217 = ( *(_t224 - 0x16) & 0x000000ff) - ( *(_t194 - 0x16) & 0x000000ff);
					if(_t217 == 0) {
						_t172 = ( *(_t224 - 0x15) & 0x000000ff) - ( *(_t194 - 0x15) & 0x000000ff);
						if(_t172 != 0) {
							_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
						}
						goto L17;
					}
					goto L13;
				}
				_t221 = (_t121 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t221 != 0) {
					L4:
					_t172 = (0 | _t221 > 0x00000000) * 2 - 1;
					goto L8;
				}
				_t221 = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
				if(_t221 != 0) {
					goto L4;
				}
				_t221 = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
				if(_t221 == 0) {
					_t172 = ( *(__esi - 0x19) & 0x000000ff) - ( *(__edx - 0x19) & 0x000000ff);
					if(_t172 != 0) {
						_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
					}
					goto L8;
				}
				goto L4;
			}

0x00de423b
0x00de423b
0x00de423b
0x00de4241
0x00de4292
0x00de4294
0x00de4296
0x00de44dd
0x00de44dd
0x00de4deb
0x00de4deb
0x00de429c
0x00de42a2
0x00de42f3
0x00de42f5
0x00de42f7
0x00000000
0x00000000
0x00de42fd
0x00de4303
0x00de4354
0x00de4356
0x00de4358
0x00000000
0x00000000
0x00de435e
0x00de4364
0x00de43b5
0x00de43b7
0x00de43b9
0x00000000
0x00000000
0x00de43c5
0x00de4417
0x00de4419
0x00de441b
0x00000000
0x00000000
0x00de4421
0x00de4427
0x00de4478
0x00de447a
0x00de447c
0x00000000
0x00000000
0x00de447e
0x00de4484
0x00de44d5
0x00de44d7
0x00de44d9
0x00de44db
0x00de44db
0x00000000
0x00de44d9
0x00de448d
0x00de448f
0x00de44a9
0x00de44b0
0x00000000
0x00de44b0
0x00de4499
0x00de449b
0x00000000
0x00000000
0x00de44a5
0x00de44a7
0x00de44c1
0x00de44c3
0x00de44cc
0x00de44cc
0x00000000
0x00de44c3
0x00000000
0x00de44a7
0x00de4430
0x00de4432
0x00de444c
0x00de4453
0x00000000
0x00de4453
0x00de443c
0x00de443e
0x00000000
0x00000000
0x00de4448
0x00de444a
0x00de4464
0x00de4466
0x00de446f
0x00de446f
0x00000000
0x00de4466
0x00000000
0x00de444a
0x00de43cf
0x00de43d1
0x00de43eb
0x00de43f2
0x00000000
0x00de43f2
0x00de43db
0x00de43dd
0x00000000
0x00000000
0x00de43e7
0x00de43e9
0x00de4403
0x00de4405
0x00de440e
0x00de440e
0x00000000
0x00de4405
0x00000000
0x00de43e9
0x00de436d
0x00de436f
0x00de4389
0x00de4390
0x00000000
0x00de4390
0x00de4379
0x00de437b
0x00000000
0x00000000
0x00de4385
0x00de4387
0x00de43a1
0x00de43a3
0x00de43ac
0x00de43ac
0x00000000
0x00de43a3
0x00000000
0x00de4387
0x00de430c
0x00de430e
0x00de4328
0x00de432f
0x00000000
0x00de432f
0x00de4318
0x00de431a
0x00000000
0x00000000
0x00de4324
0x00de4326
0x00de4340
0x00de4342
0x00de434b
0x00de434b
0x00000000
0x00de4342
0x00000000
0x00de4326
0x00de42ab
0x00de42ad
0x00de42c7
0x00de42ce
0x00000000
0x00de42ce
0x00de42b7
0x00de42b9
0x00000000
0x00000000
0x00de42c3
0x00de42c5
0x00de42df
0x00de42e1
0x00de42ea
0x00de42ea
0x00000000
0x00de42e1
0x00000000
0x00de42c5
0x00de424a
0x00de424c
0x00de4266
0x00de426d
0x00000000
0x00de426d
0x00de4256
0x00de4258
0x00000000
0x00000000
0x00de4262
0x00de4264
0x00de427e
0x00de4280
0x00de4289
0x00de4289
0x00000000
0x00de4280
0x00000000

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 6dcb1f24690dd7a367a9b6e19747ab6b2e5f16d95dfb7f7edba747ac29313f1c
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E98182722090E34ADB2D567B857413EFFE15A923A131E07AEE4F2CB1C1EE24D964D630

Uniqueness

Uniqueness Score: -1.00%

Function 00DE51B0 Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00DE51B0(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										return _t39 - 4;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											return _t39 - 3;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												return _t39 - 2;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						return _t39 - 1;
					}
				}
				L24:
			}

0x00de51b0
0x00de51b7
0x00de520c
0x00de520c
0x00de51b9
0x00de51b9
0x00de51bf
0x00de51c9
0x00de51e1
0x00de51e1
0x00de51e4
0x00de51f8
0x00de51f8
0x00de51fb
0x00000000
0x00de51fd
0x00de51fd
0x00de51fd
0x00de51ff
0x00de5204
0x00000000
0x00000000
0x00de5206
0x00de5209
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00de5209
0x00000000
0x00de51fd
0x00de51e6
0x00de51f3
0x00de5212
0x00de5214
0x00de5222
0x00de522b
0x00000000
0x00de522d
0x00de5230
0x00de5232
0x00de525c
0x00de5234
0x00de5234
0x00de5236
0x00de5256
0x00de5238
0x00de523b
0x00de523d
0x00de5250
0x00de523f
0x00de5241
0x00000000
0x00de5243
0x00000000
0x00de5243
0x00de5241
0x00de523d
0x00de5236
0x00de5232
0x00000000
0x00de520d
0x00de520d
0x00de520d
0x00000000
0x00de51f7
0x00de51cb
0x00de51cb
0x00de51cb
0x00de51cd
0x00de51d2
0x00000000
0x00000000
0x00de51d4
0x00de51d7
0x00000000
0x00de51d9
0x00de51df
0x00000000
0x00000000
0x00000000
0x00000000
0x00de51df
0x00000000
0x00de51d7
0x00de5246
0x00de524a
0x00de524a
0x00de51c9
0x00000000

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e2fad2f29e81eafe0af22bb3803846ed58e460e0a4096f2b4f6d116f22c25be3
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 3F113B7B2419C143D614962FF8B47BBB395EBC63AC72C4369D2528B64CD123E5409924

Uniqueness

Uniqueness Score: -1.00%

Function 00DD9665 Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00DD9665(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E00DDA956(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x00dd9672
0x00dd9674
0x00dd9677
0x00dd967a
0x00dd967d
0x00dd968e
0x00dd9690
0x00dd967f
0x00dd9683
0x00dd968c
0x00000000
0x00000000
0x00dd968c
0x00dd9695

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee4aa11dc8566ed2d6e3cdea466f4b40f0607a7aea44a1bcf6c4a1883a7f50f
Instruction ID: 113a136302177fe0d6ffcbe49f43d02300c760393187a604de1da0b8de910c49
Opcode Fuzzy Hash: eee4aa11dc8566ed2d6e3cdea466f4b40f0607a7aea44a1bcf6c4a1883a7f50f
Instruction Fuzzy Hash: 3AE08C72911228EBCB19DB9CC914D8AF3ECEB48B40B164097B501D3200C670DE00DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD3E6C Relevance: .0, Instructions: 12
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00DD3E6C(void* __ecx, void* __eflags) {

				if(E00DD9665(__ecx) == 1 || ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x00dd3e74
0x00dd3e8d
0x00dd3e88
0x00dd3e8a
0x00dd3e8a

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccb343fa1793e8f52bd0caeee8c3c51825ae780837d8b6eb6de58d27c9d7555
Instruction ID: 4a5f8e3cb5c66c67053a5bc337e7da85d15f656e694ee7096ab02a43e39e3297
Opcode Fuzzy Hash: 1ccb343fa1793e8f52bd0caeee8c3c51825ae780837d8b6eb6de58d27c9d7555
Instruction Fuzzy Hash: C2C08C34400E0047CE39891082B27A43368E3D1782F8805CED4270B782C65E9D83DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DC89EB Relevance: 31.6, APIs: 10, Strings: 11, Instructions: 125
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00DC89EB(intOrPtr* __ecx, void* __edx, void* __eflags) {
				WCHAR* _v8;
				intOrPtr _v12;
				char _v16;
				void* __ebx;
				void* __esi;
				void* _t37;
				void* _t53;
				intOrPtr* _t58;
				WCHAR* _t59;

				_t53 = __edx;
				_t58 = __ecx;
				_v12 = 0x200;
				_t37 = 0;
				_t55 = E00DC7745( *__ecx);
				E00DC1AD8( &_v8, _t53, E00DC13D8());
				if(_t16 != 0xffffffff) {
					E00DC13C0(E00DC4860( &_v8, _t58, E00DC680B(0, _t58, _t53,  &_v16, _t55)), _v16 - 0x10);
					E00DC13C0(E00DC4860(_t58, _t58, E00DC6850(_t58, _t53,  &_v16,  *((intOrPtr*)( *_t58 - 0xc)) - _t55 - 1)), _v16 - 0x10);
				} else {
					E00DC4860( &_v8, _t58, _t58);
					_push(E00DD3694(0xdf12c8));
					L00DC1A21(_t58, _t53, 0xdf12c8);
				}
				_t59 = _v8;
				if(lstrcmpiW(_t59, L"HKLM") == 0 || lstrcmpiW(_t59, L"HKEY_LOCAL_MACHINE") == 0) {
					L14:
					_t37 = 0x80000002;
				} else {
					if(lstrcmpiW(_t59, L"HKCU") == 0 || lstrcmpiW(_t59, L"HKEY_CURRENT_USER") == 0) {
						_t37 = 0x80000001;
					} else {
						if(lstrcmpiW(_t59, L"HKU") == 0 || lstrcmpiW(_t59, L"HKEY_USERS") == 0) {
							_t37 = 0x80000003;
						} else {
							if(lstrcmpiW(_t59, L"HKCR") == 0 || lstrcmpiW(_t59, L"HKEY_CLASSES_ROOT") == 0) {
								_t37 = 0x80000000;
							} else {
								if(lstrcmpiW(_t59, L"HKLM[64]") == 0 || lstrcmpiW(_t59, L"HKEY_LOCAL_MACHINE[64]") == 0) {
									_v12 = 0x100;
									goto L14;
								}
							}
						}
					}
				}
				_t14 = _t59 - 0x10; // -16
				E00DC13C0(_t31, _t14);
				return _t37;
			}

0x00dc89eb
0x00dc89f3
0x00dc89f5
0x00dc89fd
0x00dc8a06
0x00dc8a11
0x00dc8a19
0x00dc8a56
0x00dc8a7d
0x00dc8a1b
0x00dc8a1f
0x00dc8a30
0x00dc8a34
0x00dc8a34
0x00dc8a82
0x00dc8a95
0x00dc8b0e
0x00dc8b0e
0x00dc8aa3
0x00dc8aad
0x00dc8b33
0x00dc8abf
0x00dc8ac9
0x00dc8b2c
0x00dc8ad7
0x00dc8ae1
0x00dc8b25
0x00dc8aef
0x00dc8af9
0x00dc8b07
0x00000000
0x00dc8b07
0x00dc8af9
0x00dc8ae1
0x00dc8ac9
0x00dc8aad
0x00dc8b13
0x00dc8b16
0x00dc8b24

APIs

Part of subcall function 00DC13D8: GetProcessHeap.KERNEL32(00DC3B5B,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC13E9

lstrcmpiW.KERNEL32(00000000,HKLM,00000000,?,?,00000000,?,00000000,00000000,80070003,?,IsEnrolledToDomain,?), ref: 00DC8A91
lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE), ref: 00DC8A9D
lstrcmpiW.KERNEL32(00000000,HKCU), ref: 00DC8AA9
lstrcmpiW.KERNEL32(00000000,HKEY_CURRENT_USER), ref: 00DC8AB9
lstrcmpiW.KERNEL32(00000000,HKU), ref: 00DC8AC5
lstrcmpiW.KERNEL32(00000000,HKEY_USERS), ref: 00DC8AD1
lstrcmpiW.KERNEL32(00000000,HKCR), ref: 00DC8ADD
lstrcmpiW.KERNEL32(00000000,HKEY_CLASSES_ROOT), ref: 00DC8AE9
lstrcmpiW.KERNEL32(00000000,HKLM[64]), ref: 00DC8AF5
lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE[64]), ref: 00DC8B01

Strings

HKCR, xrefs: 00DC8AD7
HKEY_USERS, xrefs: 00DC8ACB
HKEY_CLASSES_ROOT, xrefs: 00DC8AE3
HKU, xrefs: 00DC8ABF
HKLM, xrefs: 00DC8A8B
HKEY_CURRENT_USER, xrefs: 00DC8AB3
HKCU, xrefs: 00DC8AA3
IsEnrolledToDomain, xrefs: 00DC89F1
HKEY_LOCAL_MACHINE[64], xrefs: 00DC8AFB
HKEY_LOCAL_MACHINE, xrefs: 00DC8A97
HKLM[64], xrefs: 00DC8AEF

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: lstrcmpi$HeapProcess
String ID: HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_LOCAL_MACHINE[64]$HKEY_USERS$HKLM$HKLM[64]$HKU$IsEnrolledToDomain
API String ID: 3832622189-4218959534
Opcode ID: 56f10744b5790bea9e7b41c7a1f30368c42c815aa1c5c8083b3c5dba16ad5fee
Instruction ID: 7e48ca9100ef3ff38d5d10fa37f0d85a7ae640b9af9283c5d7ee890b21647e8a
Opcode Fuzzy Hash: 56f10744b5790bea9e7b41c7a1f30368c42c815aa1c5c8083b3c5dba16ad5fee
Instruction Fuzzy Hash: CA31F2A170021F6ADB11B6648C51FBF62ADDF85B90B15422CF501F3182EFA4DE0696B4

Uniqueness

Uniqueness Score: -1.00%

Function 00DD221B Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E00DD221B(signed int __ecx, signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, char _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int* _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				void* _v72;
				char _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v104;
				void _v108;
				intOrPtr* _v116;
				signed char* _v188;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t200;
				void* _t201;
				signed int _t202;
				char _t203;
				signed int _t205;
				signed int _t207;
				signed char* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t214;
				void* _t217;
				signed char* _t220;
				void* _t223;
				signed int _t228;
				void* _t230;
				signed int _t231;
				void* _t234;
				signed char _t237;
				intOrPtr* _t242;
				void* _t245;
				signed int* _t247;
				signed int _t248;
				intOrPtr _t249;
				signed int _t250;
				void* _t255;
				void* _t260;
				void* _t261;
				signed char* _t268;
				intOrPtr* _t269;
				signed char _t270;
				signed int _t271;
				signed int _t272;
				intOrPtr* _t274;
				signed int _t275;
				signed int _t276;
				signed char _t281;
				signed int _t285;
				signed int _t286;
				intOrPtr _t289;
				signed int _t296;
				signed char* _t297;
				signed int _t298;
				signed int _t299;
				signed int* _t301;
				signed char* _t304;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t326;
				void* _t328;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;

				_t296 = __edx;
				_t273 = __ecx;
				_push(_t315);
				_t301 = _a20;
				_v32 = 0;
				_v5 = 0;
				_t200 = E00DD2EF1(_a8, _a16, _t301);
				_t331 = _t330 + 0xc;
				_v16 = _t200;
				if(_t200 < 0xffffffff || _t200 >= _t301[1]) {
					L67:
					_t201 = E00DD4C30(_t268, _t273, _t296, _t301, _t315, _t354);
					asm("int3");
					_t328 = _t331;
					_t332 = _t331 - 0x38;
					_push(_t268);
					_t269 = _v116;
					if( *_t269 == 0x80000003) {
						return _t201;
					} else {
						_push(_t315);
						_push(_t301);
						_t202 = E00DD19CC(_t269, _t273, _t296, _t301, _t315);
						if( *((intOrPtr*)(_t202 + 8)) != 0) {
							__imp__EncodePointer(0);
							_t315 = _t202;
							if( *((intOrPtr*)(E00DD19CC(_t269, _t273, _t296, 0, _t315) + 8)) != _t315 &&  *_t269 != 0xe0434f4d &&  *_t269 != 0xe0434352) {
								_t214 = E00DD16D7(_t269, _a4, _a8, _a12, _a16, _a24, _a28);
								_t332 = _t332 + 0x1c;
								if(_t214 != 0) {
									L84:
									return _t214;
								}
							}
						}
						_t203 = _a16;
						_v28 = _t203;
						_v24 = 0;
						if( *((intOrPtr*)(_t203 + 0xc)) > 0) {
							_push(_a24);
							E00DD1609(_t269, _t273, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
							_t298 = _v40;
							_t333 = _t332 + 0x18;
							_t214 = _v44;
							_v20 = _t214;
							_v12 = _t298;
							if(_t298 >= _v32) {
								goto L84;
							}
							_t275 = _t298 * 0x14;
							_v16 = _t275;
							do {
								_t276 = 5;
								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t275, _t276 << 2);
								_t333 = _t333 + 0xc;
								if(_v64 <= _t217 && _t217 <= _v60) {
									_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
									_t281 = _t220[4];
									if(_t281 == 0 ||  *((char*)(_t281 + 8)) == 0) {
										if(( *_t220 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00DD219B(_t298, _t269, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
											_t298 = _v12;
											_t333 = _t333 + 0x30;
										}
									}
								}
								_t298 = _t298 + 1;
								_t214 = _v20;
								_t275 = _v16 + 0x14;
								_v12 = _t298;
								_v16 = _t275;
							} while (_t298 < _v32);
							goto L84;
						}
						E00DD4C30(_t269, _t273, _t296, 0, _t315, __eflags);
						asm("int3");
						_push(_t328);
						_t297 = _v188;
						_push(_t269);
						_push(_t315);
						_push(0);
						_t205 = _t297[4];
						__eflags = _t205;
						if(_t205 == 0) {
							L109:
							_t207 = 1;
							__eflags = 1;
						} else {
							_t274 = _t205 + 8;
							__eflags =  *_t274;
							if( *_t274 == 0) {
								goto L109;
							} else {
								__eflags =  *_t297 & 0x00000080;
								_t304 = _v0;
								if(( *_t297 & 0x00000080) == 0) {
									L91:
									_t270 = _t304[4];
									_t317 = 0;
									__eflags = _t205 - _t270;
									if(_t205 == _t270) {
										L101:
										__eflags =  *_t304 & 0x00000002;
										if(( *_t304 & 0x00000002) == 0) {
											L103:
											_t208 = _a4;
											__eflags =  *_t208 & 0x00000001;
											if(( *_t208 & 0x00000001) == 0) {
												L105:
												__eflags =  *_t208 & 0x00000002;
												if(( *_t208 & 0x00000002) == 0) {
													L107:
													_t317 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t297 & 0x00000002;
													if(( *_t297 & 0x00000002) != 0) {
														goto L107;
													}
												}
											} else {
												__eflags =  *_t297 & 0x00000001;
												if(( *_t297 & 0x00000001) != 0) {
													goto L105;
												}
											}
										} else {
											__eflags =  *_t297 & 0x00000008;
											if(( *_t297 & 0x00000008) != 0) {
												goto L103;
											}
										}
										_t207 = _t317;
									} else {
										_t184 = _t270 + 8; // 0x6e
										_t209 = _t184;
										while(1) {
											_t271 =  *_t274;
											__eflags = _t271 -  *_t209;
											if(_t271 !=  *_t209) {
												break;
											}
											__eflags = _t271;
											if(_t271 == 0) {
												L97:
												_t210 = _t317;
											} else {
												_t272 =  *((intOrPtr*)(_t274 + 1));
												__eflags = _t272 -  *((intOrPtr*)(_t209 + 1));
												if(_t272 !=  *((intOrPtr*)(_t209 + 1))) {
													break;
												} else {
													_t274 = _t274 + 2;
													_t209 = _t209 + 2;
													__eflags = _t272;
													if(_t272 != 0) {
														continue;
													} else {
														goto L97;
													}
												}
											}
											L99:
											__eflags = _t210;
											if(_t210 == 0) {
												goto L101;
											} else {
												_t207 = 0;
											}
											goto L110;
										}
										asm("sbb eax, eax");
										_t210 = _t209 | 0x00000001;
										__eflags = _t210;
										goto L99;
									}
								} else {
									__eflags =  *_t304 & 0x00000010;
									if(( *_t304 & 0x00000010) != 0) {
										goto L109;
									} else {
										goto L91;
									}
								}
							}
						}
						L110:
						return _t207;
					}
				} else {
					_t268 = _a4;
					if( *_t268 != 0xe06d7363 || _t268[0x10] != 3 || _t268[0x14] != 0x19930520 && _t268[0x14] != 0x19930521 && _t268[0x14] != 0x19930522) {
						_t315 = 0;
						__eflags = 0;
						goto L24;
					} else {
						_t315 = 0;
						if(_t268[0x1c] != 0) {
							L24:
							_t273 = _a12;
							_v12 = _t273;
							goto L26;
						} else {
							_t223 = E00DD19CC(_t268, _t273, _t296, _t301, 0);
							if( *((intOrPtr*)(_t223 + 0x10)) == 0) {
								L62:
								return _t223;
							} else {
								_t268 =  *(E00DD19CC(_t268, _t273, _t296, _t301, 0) + 0x10);
								_t255 = E00DD19CC(_t268, _t273, _t296, _t301, 0);
								_v32 = 1;
								_v12 =  *((intOrPtr*)(_t255 + 0x14));
								if(_t268 == 0 ||  *_t268 == 0xe06d7363 && _t268[0x10] == 3 && (_t268[0x14] == 0x19930520 || _t268[0x14] == 0x19930521 || _t268[0x14] == 0x19930522) && _t268[0x1c] == _t315) {
									goto L67;
								} else {
									if( *((intOrPtr*)(E00DD19CC(_t268, _t273, _t296, _t301, _t315) + 0x1c)) == _t315) {
										L25:
										_t273 = _v12;
										_t200 = _v16;
										L26:
										_v56 = _t301;
										_v52 = _t315;
										__eflags =  *_t268 - 0xe06d7363;
										if( *_t268 != 0xe06d7363) {
											L58:
											__eflags = _t301[3] - _t315;
											if(_t301[3] <= _t315) {
												goto L61;
											} else {
												__eflags = _a24;
												if(__eflags != 0) {
													goto L67;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t200);
													_push(_t301);
													_push(_a16);
													_push(_t273);
													_push(_a8);
													_push(_t268);
													L68();
													_t331 = _t331 + 0x20;
													goto L61;
												}
											}
										} else {
											__eflags = _t268[0x10] - 3;
											if(_t268[0x10] != 3) {
												goto L58;
											} else {
												__eflags = _t268[0x14] - 0x19930520;
												if(_t268[0x14] == 0x19930520) {
													L31:
													__eflags = _t301[3] - _t315;
													if(_t301[3] > _t315) {
														_push(_a28);
														E00DD1609(_t268, _t273, _t301, _t315,  &_v72,  &_v56, _t200, _a16, _t301);
														_t296 = _v68;
														_t331 = _t331 + 0x18;
														_t242 = _v72;
														_v48 = _t242;
														_v20 = _t296;
														__eflags = _t296 - _v60;
														if(_t296 < _v60) {
															_t285 = _t296 * 0x14;
															__eflags = _t285;
															_v36 = _t285;
															do {
																_t286 = 5;
																_t245 = memcpy( &_v108,  *((intOrPtr*)( *_t242 + 0x10)) + _t285, _t286 << 2);
																_t331 = _t331 + 0xc;
																__eflags = _v108 - _t245;
																if(_v108 <= _t245) {
																	__eflags = _t245 - _v104;
																	if(_t245 <= _v104) {
																		_t289 = 0;
																		_v24 = 0;
																		__eflags = _v96;
																		if(_v96 != 0) {
																			_t247 =  *(_t268[0x1c] + 0xc);
																			_t299 =  *_t247;
																			_t248 =  &(_t247[1]);
																			__eflags = _t248;
																			_v40 = _t248;
																			_t249 = _v92;
																			_v44 = _t299;
																			_v28 = _t249;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t314 = _v40;
																				_t326 = _t299;
																				__eflags = _t326;
																				if(_t326 <= 0) {
																					goto L42;
																				} else {
																					while(1) {
																						_push(_t268[0x1c]);
																						_t250 =  &_v88;
																						_push( *_t314);
																						_push(_t250);
																						L87();
																						_t331 = _t331 + 0xc;
																						__eflags = _t250;
																						if(_t250 != 0) {
																							break;
																						}
																						_t326 = _t326 - 1;
																						_t314 = _t314 + 4;
																						__eflags = _t326;
																						if(_t326 > 0) {
																							continue;
																						} else {
																							_t289 = _v24;
																							_t249 = _v28;
																							_t299 = _v44;
																							goto L42;
																						}
																						goto L45;
																					}
																					_push(_a24);
																					_v5 = 1;
																					_push(_v32);
																					E00DD219B(_t299, _t268, _a8, _v12, _a16, _a20,  &_v88,  *_t314,  &_v108, _a28, _a32);
																					_t331 = _t331 + 0x30;
																				}
																				L45:
																				_t296 = _v20;
																				goto L46;
																				L42:
																				_t289 = _t289 + 1;
																				_t249 = _t249 + 0x10;
																				_v24 = _t289;
																				_v28 = _t249;
																				__eflags = _t289 - _v96;
																			} while (_t289 != _v96);
																			goto L45;
																		}
																	}
																}
																L46:
																_t296 = _t296 + 1;
																_t242 = _v48;
																_t285 = _v36 + 0x14;
																_v20 = _t296;
																_v36 = _t285;
																__eflags = _t296 - _v60;
															} while (_t296 < _v60);
															_t301 = _a20;
															_t315 = 0;
															__eflags = 0;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E00DD2F1C(__eflags);
														_t273 = _t268;
													}
													__eflags = _v5;
													if(_v5 != 0) {
														L61:
														_t223 = E00DD19CC(_t268, _t273, _t296, _t301, _t315);
														__eflags =  *((intOrPtr*)(_t223 + 0x1c)) - _t315;
														if(__eflags != 0) {
															goto L67;
														} else {
															goto L62;
														}
													} else {
														__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
														if(( *_t301 & 0x1fffffff) < 0x19930521) {
															goto L61;
														} else {
															__eflags = _t301[7];
															if(_t301[7] != 0) {
																L55:
																__eflags = _t301[8] >> 0x00000002 & 0x00000001;
																if(__eflags != 0) {
																	goto L67;
																} else {
																	_push(_t301[7]);
																	_t228 = E00DD2C1A(_t268, _t301, _t315, _t268);
																	_pop(_t273);
																	__eflags = _t228;
																	if(_t228 == 0) {
																		goto L64;
																	} else {
																		goto L61;
																	}
																}
															} else {
																_t237 = _t301[8] >> 2;
																__eflags = _t237 & 0x00000001;
																if((_t237 & 0x00000001) == 0) {
																	goto L61;
																} else {
																	__eflags = _a28;
																	if(_a28 != 0) {
																		goto L61;
																	} else {
																		goto L55;
																	}
																}
															}
														}
													}
												} else {
													__eflags = _t268[0x14] - 0x19930521;
													if(_t268[0x14] == 0x19930521) {
														goto L31;
													} else {
														__eflags = _t268[0x14] - 0x19930522;
														if(_t268[0x14] != 0x19930522) {
															goto L58;
														} else {
															goto L31;
														}
													}
												}
											}
										}
									} else {
										_v20 =  *((intOrPtr*)(E00DD19CC(_t268, _t273, _t296, _t301, _t315) + 0x1c));
										_t260 = E00DD19CC(_t268, _t273, _t296, _t301, _t315);
										_push(_v20);
										 *(_t260 + 0x1c) = _t315;
										_t261 = E00DD2C1A(_t268, _t301, _t315, _t268);
										_pop(_t273);
										if(_t261 != 0) {
											goto L25;
										} else {
											_t301 = _v20;
											_t352 =  *_t301 - _t315;
											if( *_t301 > _t315) {
												_t291 = _t315;
												_v20 = _t315;
												while(E00DD28B3( *((intOrPtr*)(_t291 + _t301[1] + 4)), _t352, 0xdf8c78) == 0) {
													_t315 = _t315 + 1;
													_t291 = _v20 + 0x10;
													_v20 = _v20 + 0x10;
													_t354 = _t315 -  *_t301;
													if(_t315 <  *_t301) {
														continue;
													} else {
													}
													goto L67;
												}
												_push(1);
												_push(_t268);
												E00DD2F1C(__eflags);
												_t273 =  &_v68;
												E00DD289B( &_v68);
												E00DD1560( &_v68, 0xdf675c);
												L64:
												 *(E00DD19CC(_t268, _t273, _t296, _t301, _t315) + 0x10) = _t268;
												_t230 = E00DD19CC(_t268, _t273, _t296, _t301, _t315);
												_t273 = _v12;
												 *(_t230 + 0x14) = _v12;
												_t231 = _a32;
												__eflags = _t231;
												if(_t231 == 0) {
													_t231 = _a8;
												}
												E00DD17ED(_t273, _t231, _t268);
												E00DD2B1A(_a8, _a16, _t301);
												_t234 = E00DD2CD7(_t301);
												_t331 = _t331 + 0x10;
												_push(_t234);
												E00DD2A96(_t268, _t273, _t296, _t301, _t315, __eflags);
											}
											goto L67;
										}
									}
								}
							}
						}
					}
				}
			}

0x00dd221b
0x00dd221b
0x00dd2222
0x00dd2224
0x00dd222d
0x00dd2233
0x00dd2236
0x00dd223b
0x00dd223e
0x00dd2244
0x00dd25b4
0x00dd25b4
0x00dd25b9
0x00dd25bb
0x00dd25bd
0x00dd25c0
0x00dd25c1
0x00dd25ca
0x00dd26e9
0x00dd25d0
0x00dd25d0
0x00dd25d1
0x00dd25d2
0x00dd25dc
0x00dd25df
0x00dd25e5
0x00dd25ef
0x00dd2614
0x00dd2619
0x00dd261e
0x00dd26e5
0x00000000
0x00dd26e6
0x00dd261e
0x00dd25ef
0x00dd2624
0x00dd2627
0x00dd262a
0x00dd2630
0x00dd2636
0x00dd2648
0x00dd264d
0x00dd2650
0x00dd2653
0x00dd2656
0x00dd2659
0x00dd265f
0x00000000
0x00000000
0x00dd2665
0x00dd2668
0x00dd266b
0x00dd267a
0x00dd267b
0x00dd267b
0x00dd2680
0x00dd2693
0x00dd2695
0x00dd269a
0x00dd26a5
0x00dd26a7
0x00dd26a9
0x00dd26c5
0x00dd26ca
0x00dd26cd
0x00dd26cd
0x00dd26a5
0x00dd269a
0x00dd26d3
0x00dd26d4
0x00dd26d7
0x00dd26da
0x00dd26dd
0x00dd26e0
0x00000000
0x00dd266b
0x00dd26ea
0x00dd26ef
0x00dd26f0
0x00dd26f3
0x00dd26f6
0x00dd26f7
0x00dd26f8
0x00dd26f9
0x00dd26fc
0x00dd26fe
0x00dd2776
0x00dd2778
0x00dd2778
0x00dd2700
0x00dd2700
0x00dd2703
0x00dd2706
0x00000000
0x00dd2708
0x00dd2708
0x00dd270b
0x00dd270e
0x00dd2715
0x00dd2715
0x00dd2718
0x00dd271a
0x00dd271c
0x00dd274e
0x00dd274e
0x00dd2751
0x00dd2758
0x00dd2758
0x00dd275b
0x00dd275e
0x00dd2765
0x00dd2765
0x00dd2768
0x00dd276f
0x00dd2771
0x00dd2771
0x00dd276a
0x00dd276a
0x00dd276d
0x00000000
0x00000000
0x00dd276d
0x00dd2760
0x00dd2760
0x00dd2763
0x00000000
0x00000000
0x00dd2763
0x00dd2753
0x00dd2753
0x00dd2756
0x00000000
0x00000000
0x00dd2756
0x00dd2772
0x00dd271e
0x00dd271e
0x00dd271e
0x00dd2721
0x00dd2721
0x00dd2723
0x00dd2725
0x00000000
0x00000000
0x00dd2727
0x00dd2729
0x00dd273d
0x00dd273d
0x00dd272b
0x00dd272b
0x00dd272e
0x00dd2731
0x00000000
0x00dd2733
0x00dd2733
0x00dd2736
0x00dd2739
0x00dd273b
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd273b
0x00dd2731
0x00dd2746
0x00dd2746
0x00dd2748
0x00000000
0x00dd274a
0x00dd274a
0x00dd274a
0x00000000
0x00dd2748
0x00dd2741
0x00dd2743
0x00dd2743
0x00000000
0x00dd2743
0x00dd2710
0x00dd2710
0x00dd2713
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd2713
0x00dd270e
0x00dd2706
0x00dd2779
0x00dd277d
0x00dd277d
0x00dd2253
0x00dd2253
0x00dd225c
0x00dd235d
0x00dd235d
0x00000000
0x00dd228b
0x00dd228b
0x00dd2290
0x00dd235f
0x00dd235f
0x00dd2362
0x00000000
0x00dd2296
0x00dd2296
0x00dd229e
0x00dd2550
0x00dd2554
0x00dd22a4
0x00dd22a9
0x00dd22ac
0x00dd22b1
0x00dd22b8
0x00dd22bd
0x00000000
0x00dd22f5
0x00dd22fd
0x00dd2367
0x00dd2367
0x00dd236a
0x00dd236d
0x00dd236d
0x00dd2370
0x00dd2373
0x00dd2379
0x00dd251f
0x00dd251f
0x00dd2522
0x00000000
0x00dd2524
0x00dd2524
0x00dd2528
0x00000000
0x00dd252e
0x00dd252e
0x00dd2531
0x00dd2534
0x00dd2535
0x00dd2536
0x00dd2539
0x00dd253a
0x00dd253d
0x00dd253e
0x00dd2543
0x00000000
0x00dd2543
0x00dd2528
0x00dd237f
0x00dd237f
0x00dd2383
0x00000000
0x00dd2389
0x00dd2389
0x00dd2390
0x00dd23a8
0x00dd23a8
0x00dd23ab
0x00dd23b1
0x00dd23c1
0x00dd23c6
0x00dd23c9
0x00dd23cc
0x00dd23cf
0x00dd23d2
0x00dd23d5
0x00dd23d8
0x00dd23de
0x00dd23de
0x00dd23e1
0x00dd23e4
0x00dd23f3
0x00dd23f4
0x00dd23f4
0x00dd23f6
0x00dd23f9
0x00dd23ff
0x00dd2402
0x00dd2408
0x00dd240a
0x00dd240d
0x00dd2410
0x00dd2419
0x00dd241c
0x00dd241e
0x00dd241e
0x00dd2421
0x00dd2424
0x00dd2427
0x00dd242a
0x00dd242d
0x00dd2432
0x00dd2433
0x00dd2434
0x00dd2435
0x00dd2436
0x00dd2439
0x00dd243b
0x00dd243d
0x00000000
0x00dd243f
0x00dd243f
0x00dd243f
0x00dd2442
0x00dd2445
0x00dd2447
0x00dd2448
0x00dd244d
0x00dd2450
0x00dd2452
0x00000000
0x00000000
0x00dd2454
0x00dd2455
0x00dd2458
0x00dd245a
0x00000000
0x00dd245c
0x00dd245c
0x00dd245f
0x00dd2462
0x00000000
0x00dd2462
0x00000000
0x00dd245a
0x00dd2476
0x00dd247c
0x00dd2480
0x00dd249d
0x00dd24a2
0x00dd24a2
0x00dd24a5
0x00dd24a5
0x00000000
0x00dd2465
0x00dd2465
0x00dd2466
0x00dd2469
0x00dd246c
0x00dd246f
0x00dd246f
0x00000000
0x00dd2474
0x00dd2410
0x00dd2402
0x00dd24a8
0x00dd24ab
0x00dd24ac
0x00dd24af
0x00dd24b2
0x00dd24b5
0x00dd24b8
0x00dd24b8
0x00dd24c1
0x00dd24c4
0x00dd24c4
0x00dd24c4
0x00dd23d8
0x00dd24c6
0x00dd24ca
0x00dd24cc
0x00dd24cf
0x00dd24d5
0x00dd24d5
0x00dd24d6
0x00dd24da
0x00dd2546
0x00dd2546
0x00dd254b
0x00dd254e
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd24dc
0x00dd24e3
0x00dd24e8
0x00000000
0x00dd24ea
0x00dd24ea
0x00dd24ee
0x00dd2500
0x00dd2506
0x00dd2508
0x00000000
0x00dd250e
0x00dd250e
0x00dd2512
0x00dd2518
0x00dd2519
0x00dd251b
0x00000000
0x00dd251d
0x00000000
0x00dd251d
0x00dd251b
0x00dd24f0
0x00dd24f3
0x00dd24f6
0x00dd24f8
0x00000000
0x00dd24fa
0x00dd24fa
0x00dd24fe
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd24fe
0x00dd24f8
0x00dd24ee
0x00dd24e8
0x00dd2392
0x00dd2392
0x00dd2399
0x00000000
0x00dd239b
0x00dd239b
0x00dd23a2
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd23a2
0x00dd2399
0x00dd2390
0x00dd2383
0x00dd22ff
0x00dd2307
0x00dd230a
0x00dd230f
0x00dd2313
0x00dd2316
0x00dd231c
0x00dd231f
0x00000000
0x00dd2321
0x00dd2321
0x00dd2324
0x00dd2326
0x00dd232c
0x00dd232e
0x00dd2331
0x00dd234d
0x00dd234e
0x00dd2351
0x00dd2354
0x00dd2356
0x00000000
0x00000000
0x00dd2358
0x00000000
0x00dd2356
0x00dd2555
0x00dd2557
0x00dd2558
0x00dd255f
0x00dd2562
0x00dd2570
0x00dd2575
0x00dd257a
0x00dd257d
0x00dd2582
0x00dd2585
0x00dd2588
0x00dd258b
0x00dd258d
0x00dd258f
0x00dd258f
0x00dd2594
0x00dd25a0
0x00dd25a6
0x00dd25ab
0x00dd25ae
0x00dd25af
0x00dd25af
0x00000000
0x00dd2326
0x00dd231f
0x00dd22fd
0x00dd22bd
0x00dd229e
0x00dd2290
0x00dd225c

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00DD2316
type_info::operator==.LIBVCRUNTIME ref: 00DD233D
___TypeMatch.LIBVCRUNTIME ref: 00DD2448
___DestructExceptionObject.LIBVCRUNTIME ref: 00DD24CF
IsInExceptionSpec.LIBVCRUNTIME ref: 00DD2512
___DestructExceptionObject.LIBVCRUNTIME ref: 00DD2558
__CxxThrowException@8.LIBVCRUNTIME ref: 00DD2570
_UnwindNestedFrames.LIBCMT ref: 00DD2594
CallUnexpected.LIBVCRUNTIME ref: 00DD25AF

Strings

csm, xrefs: 00DD2256
csm, xrefs: 00DD22C3
csm, xrefs: 00DD2373

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Exception$DestructObjectSpec$CallException@8FramesMatchNestedThrowTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 1699967666-393685449
Opcode ID: e7002e8223883744fcf487787316f083c6f44bb446f42d836fd7375d075592c2
Instruction ID: fb64a2936c8320691ed9560ea241b86c691a451354e9804bc1bf473389928f7d
Opcode Fuzzy Hash: e7002e8223883744fcf487787316f083c6f44bb446f42d836fd7375d075592c2
Instruction Fuzzy Hash: 6AB13875800209AFCF29DF94D891AAEBBB5FF28310F18415BE8556B312D731EA51CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4586 Relevance: 15.1, APIs: 10, Instructions: 137
filestringsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00DC4586(void* __ecx, intOrPtr _a4) {
				void* _v12;
				long _v16;
				long _v20;
				void* __ebx;
				void* __edi;
				void* __ebp;
				int _t48;
				signed int _t50;
				signed int _t51;
				void* _t53;
				void* _t54;
				void* _t74;
				long _t80;
				signed int _t94;
				void* _t98;
				intOrPtr _t103;
				void* _t112;

				_push(_t74);
				_t98 = __ecx;
				if( *((char*)(__ecx + 8)) == 0) {
					_t48 = E00DC402F(_t74, __ecx, __ecx);
				}
				if( *((char*)(_t98 + 9)) == 0) {
					L21:
					return _t48;
				}
				_t48 = E00DC470B(_t98);
				if(_t48 == 0) {
					goto L21;
				}
				_t80 = SetFilePointer( *(_t98 + 0x18), 0, 0, 2);
				_t50 =  *(_t98 + 4);
				_t94 = 0xa;
				_t95 = _t50 * _t94 >> 0x20;
				_t51 = _t50 * _t94;
				_t112 = 0 - _t50 * _t94 >> 0x20;
				if(_t112 < 0 || _t112 <= 0 && _t80 < _t51) {
					L8:
					SetFilePointer( *(_t98 + 0x18), 0, 0, 2);
					_t103 = _a4;
					_v16 = 0;
					_t53 =  *(_t103 + 8);
					if(_t53 != 0) {
						_push(_t53);
						if( *((char*)(_t98 + 0xb)) == 0) {
							E00DC189E( &_v12, _t95, __eflags);
							_t95 =  &_v16;
							E00DC13C0(E00DC758C( &_v12,  &_v16, __eflags), _v16 - 0x10);
							E00DC13C0(WriteFile( *(_t98 + 0x18), _v12,  *(_v12 - 0xc),  &_v20, 0), _v12 - 0x10);
							_t103 = _a4;
						} else {
							WriteFile( *(_t98 + 0x18),  *(_t103 + 8), lstrlenW() + _t71,  &_v16, 0);
						}
					}
					_t54 =  *(_t103 + 0xc);
					if(_t54 != 0) {
						_push(_t54);
						if( *((char*)(_t98 + 0xb)) == 0) {
							E00DC189E( &_v12, _t95, __eflags);
							E00DC13C0(E00DC758C( &_v12,  &_v16, __eflags), _v16 - 0x10);
							E00DC13C0(WriteFile( *(_t98 + 0x18), _v12,  *(_v12 - 0xc),  &_v20, 0), _v12 - 0x10);
						} else {
							WriteFile( *(_t98 + 0x18),  *(_t103 + 0xc), lstrlenW() + _t62,  &_v16, 0);
						}
					}
					_push(0);
					_push( &_v16);
					if( *((char*)(_t98 + 0xb)) == 0) {
						_push(2);
						_push("\r\n");
					} else {
						_push(4);
						_push(L"\r\n");
					}
					_t48 = WriteFile( *(_t98 + 0x18), ??, ??, ??, ??);
					if( *(_t98 + 0x10) != 0) {
						_t48 = ReleaseMutex( *(_t98 + 0x10));
					}
					goto L21;
				} else {
					_t48 = E00DC4375(_t98);
					if(_t48 == 0) {
						goto L21;
					}
					goto L8;
				}
			}

0x00dc458f
0x00dc4592
0x00dc4598
0x00dc459a
0x00dc459a
0x00dc45a3
0x00dc4702
0x00dc4708
0x00dc4708
0x00dc45ab
0x00dc45b2
0x00000000
0x00000000
0x00dc45c9
0x00dc45cb
0x00dc45d0
0x00dc45d1
0x00dc45d1
0x00dc45d3
0x00dc45d5
0x00dc45ec
0x00dc45f3
0x00dc45f5
0x00dc45f8
0x00dc4602
0x00dc4607
0x00dc460d
0x00dc460e
0x00dc462e
0x00dc4633
0x00dc4647
0x00dc4663
0x00dc4668
0x00dc4610
0x00dc4626
0x00dc4626
0x00dc460e
0x00dc466b
0x00dc4670
0x00dc4676
0x00dc4677
0x00dc4697
0x00dc46b0
0x00dc46cc
0x00dc4679
0x00dc468f
0x00dc468f
0x00dc4677
0x00dc46d9
0x00dc46db
0x00dc46dc
0x00dc46e7
0x00dc46e9
0x00dc46de
0x00dc46de
0x00dc46e0
0x00dc46e0
0x00dc46f1
0x00dc46f7
0x00dc46fc
0x00dc46fc
0x00000000
0x00dc45dd
0x00dc45df
0x00dc45e6
0x00000000
0x00000000
0x00000000
0x00dc45e6

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00DC45C7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00DC45F3
lstrlenW.KERNEL32(?), ref: 00DC4610
WriteFile.KERNEL32(?,?,00000000,00000000,00000000), ref: 00DC4626
WriteFile.KERNEL32(?,?,?,?,00000000,?), ref: 00DC465E
lstrlenW.KERNEL32(?), ref: 00DC4679
WriteFile.KERNEL32(?,?,00000000,00000000,00000000), ref: 00DC468F
WriteFile.KERNEL32(?,?,?,?,00000000,?), ref: 00DC46C7
WriteFile.KERNEL32(?,00DF3F40,00000002,?,00000000), ref: 00DC46F1
ReleaseMutex.KERNEL32(00000000), ref: 00DC46FC

Part of subcall function 00DC402F: OutputDebugStringW.KERNEL32(00000000), ref: 00DC406E

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: File$Write$Pointerlstrlen$DebugMutexOutputReleaseString
String ID:
API String ID: 2872164957-0
Opcode ID: d61286037358bf6e8f3042c50d8f03fe0fb20d138fd2fa1ed046bc3074673021
Instruction ID: e99f46d01d95a0a67bf4407284c17c570aeebf623d8524beaba0479e06028745
Opcode Fuzzy Hash: d61286037358bf6e8f3042c50d8f03fe0fb20d138fd2fa1ed046bc3074673021
Instruction Fuzzy Hash: 07414575204343AFEA24AB20CCA1FAABBA9FF41314F04891DA551975D1EB60AD58CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCABD5 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 150
processCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00DCABD5(WCHAR** __ecx, void* __edx) {
				char _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				signed int _v28;
				void* _v32;
				signed int _v36;
				struct _PROCESS_INFORMATION _v52;
				struct _STARTUPINFOW _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t50;
				void* _t59;
				WCHAR* _t62;
				WCHAR* _t75;
				WCHAR* _t83;
				signed int _t87;
				void* _t112;
				void* _t113;
				WCHAR** _t116;
				char** _t118;
				signed int _t121;

				_t111 = __edx;
				_t116 = __ecx;
				_push(_t112);
				asm("sbb ecx, ecx");
				_t87 =  ~( *0xdf9f1d & 0x000000ff) & 0x00df9e40;
				if(_t87 != 0) {
					_t1 =  &_v28;
					 *_t1 = _v28 | 0xffffffff;
					_t121 =  *_t1;
					_v36 = _t87;
					_v32 = 7;
					_v24 = E00DC3993(_t87, __edx, _t87, 0xffffffff);
					E00DC15DB( &_v36, L"[StartProcessWithNoExceptionHandler][%s]",  *_t116);
					_t118 =  &(_t118[3]);
				}
				_t83 = 0;
				_v16 = 0;
				_t50 = E00DC1D4C(0, _t111, _t112, 0x18);
				 *_t118 = "1";
				 *_t50 = _t50;
				 *((intOrPtr*)(_t50 + 4)) = _t50;
				 *((intOrPtr*)(_t50 + 8)) = _t50;
				 *((short*)(_t50 + 0xc)) = 0x101;
				_v20 = _t50;
				E00DC189E( &_v12, _t111, _t121);
				E00DC189E( &_v8, _t111, _t121, L"GOOGLE_UPDATE_NO_CRASH_HANDLER");
				E00DCD82F( &_v20, _t111,  &_v8);
				E00DCDBAD( &_v20,  &_v28,  &_v8);
				_t59 = E00DC4860(_v28 + 0x14, _t116,  &_v12);
				_t23 = _v8 - 0x10; // 0xe8f04e8d
				E00DC13C0(E00DC13C0(_t59, _t23), _v12 - 0x10);
				_t113 = 0;
				_v28 = 0;
				_v32 = 0;
				_v24 = 0;
				_t62 = GetEnvironmentStringsW();
				_v12 = _t62;
				_t122 = _t62;
				if(_t62 == 0) {
					L8:
					_t83 = E00DC7ED7();
				} else {
					_push( &_v32);
					_push(_t62);
					E00DCD5F9( &_v20, _t122);
					FreeEnvironmentStringsW(_v12);
					_t113 = _v32;
					if(_t113 == _v28) {
						goto L8;
					} else {
						_v124.cb = 0x44;
						E00DD1190(_t113,  &(_v124.lpReserved), 0, 0x40);
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t75 =  *_t116;
						if( *((intOrPtr*)(_t75 - 4)) > 1) {
							E00DC1CAB(0,  &_v52, _t116,  *((intOrPtr*)(_t75 - 0xc)));
							_t75 =  *_t116;
						}
						_t113 = _v32;
						if(CreateProcessW(_t83, _t75, _t83, _t83, _t83, 0x400, _t113, _t83,  &_v124,  &_v52) == 0) {
							goto L8;
						} else {
							CloseHandle(_v52);
							CloseHandle(_v52.hThread);
						}
					}
				}
				if(_t113 != 0) {
					E00DC1D20(_t83, _t113, _t113, _v24 - _t113 & 0xfffffffe);
				}
				E00DC1D72( &_v20, _t83,  &_v20, _t111,  &_v20,  *((intOrPtr*)(_v20 + 4)));
				E00DC1D20(_t83, _t113, _v20, 0x18);
				return _t83;
			}

0x00dcabd5
0x00dcabdd
0x00dcabe8
0x00dcabe9
0x00dcabeb
0x00dcabf1
0x00dcabf3
0x00dcabf3
0x00dcabf3
0x00dcabfa
0x00dcabfd
0x00dcac0b
0x00dcac17
0x00dcac1c
0x00dcac1c
0x00dcac1f
0x00dcac23
0x00dcac26
0x00dcac2e
0x00dcac35
0x00dcac37
0x00dcac3a
0x00dcac3d
0x00dcac43
0x00dcac46
0x00dcac53
0x00dcac5f
0x00dcac6f
0x00dcac7e
0x00dcac86
0x00dcac94
0x00dcac99
0x00dcac9b
0x00dcac9e
0x00dcaca1
0x00dcaca4
0x00dcacaa
0x00dcacad
0x00dcacaf
0x00dcad39
0x00dcad3e
0x00dcacb5
0x00dcacb8
0x00dcacb9
0x00dcacbd
0x00dcacc5
0x00dcaccb
0x00dcacd1
0x00000000
0x00dcacd3
0x00dcacd8
0x00dcace1
0x00dcaceb
0x00dcacef
0x00dcacf0
0x00dcacf1
0x00dcacf2
0x00dcacf8
0x00dcacff
0x00dcad04
0x00dcad04
0x00dcad06
0x00dcad25
0x00000000
0x00dcad27
0x00dcad30
0x00dcad35
0x00dcad35
0x00dcad25
0x00dcacd1
0x00dcad42
0x00dcad4e
0x00dcad54
0x00dcad61
0x00dcad6b
0x00dcad78

APIs

GetEnvironmentStringsW.KERNEL32(?,?,00DCAE0F,00DCAE0F,GOOGLE_UPDATE_NO_CRASH_HANDLER,00000018,00DC9669,00DC9669), ref: 00DCACA4
FreeEnvironmentStringsW.KERNEL32(?,00000000,?), ref: 00DCACC5
CreateProcessW.KERNEL32 ref: 00DCAD1D
CloseHandle.KERNEL32(?), ref: 00DCAD30
CloseHandle.KERNEL32(?), ref: 00DCAD35

Part of subcall function 00DC7ED7: GetLastError.KERNEL32(?,00DC6548), ref: 00DC7ED8
Part of subcall function 00DC7ED7: RaiseException.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DC7F0A

Strings

[StartProcessWithNoExceptionHandler][%s], xrefs: 00DCAC11
GOOGLE_UPDATE_NO_CRASH_HANDLER, xrefs: 00DCAC4B
D, xrefs: 00DCACD8

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CloseEnvironmentHandleStrings$CreateErrorExceptionFreeLastProcessRaise
String ID: D$GOOGLE_UPDATE_NO_CRASH_HANDLER$[StartProcessWithNoExceptionHandler][%s]
API String ID: 2068473527-3082069127
Opcode ID: 52dd58f399800c73bc556a12152c934812c9445cdcd21d38b6f16bd1f3bbc7da
Instruction ID: a01c8497fb3b9b9820d2b291af6ea474a2fd27e2518596444e239fbc219c29cb
Opcode Fuzzy Hash: 52dd58f399800c73bc556a12152c934812c9445cdcd21d38b6f16bd1f3bbc7da
Instruction Fuzzy Hash: E2513F7590421AAEDB05EFA8DC95EEEBBB9EF04314F14412DE112A7291EB349A05CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA46A Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 144
registryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00DCA46A(void* __ebx, long __ecx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				int* _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				int* _v44;
				char _v48;
				char _v52;
				void* __ebp;
				signed int _t40;
				char* _t46;
				long _t54;
				long _t58;
				long _t62;
				long _t73;
				char* _t76;
				long _t97;
				intOrPtr _t102;
				signed int _t103;
				void* _t104;

				_t40 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t40 ^ _t103;
				_t73 = __ecx;
				_t107 = __ecx;
				if(__ecx == 0 || E00DCCCD0(_t107) == 0) {
					_v32 = 0xdf4400;
					_t95 =  &_v32;
					_v28 = 0;
					E00DCA002(_t73,  &_v32, __eflags);
					_t76 =  &_v32;
					 *((intOrPtr*)(_v32 + 4))();
					_v48 = 0xdf41c0;
					_v44 = 0;
					_v40 = 0x200;
					E00DCB8E6( &_v32);
					_t46 = L"HKLM\\Software\\Google\\Update\\";
					__eflags = _t73;
					if(__eflags == 0) {
						_t46 = L"HKCU\\Software\\Google\\Update\\";
					}
					_t97 = E00DC801F( &_v48, _t95, __eflags, _t46, _t76, _t76, 0xf003f, _t76, 0);
					__eflags = _t97;
					if(_t97 < 0) {
						L18:
						_v48 = 0xdf41c0;
						E00DC7F74( &_v48);
						 *((intOrPtr*)(_v32 + 8))();
						E00DC7AB9( &_v32);
						goto L19;
					} else {
						_t54 = RegQueryValueExW(_v44, L"uid", 0, 0, 0, 0);
						__eflags = _t54;
						if(_t54 != 0) {
							E00DC1AD8( &_v36, _t95, E00DC13D8());
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							_t58 =  &_v24;
							__imp__CoCreateGuid(_t58);
							__eflags = _t58;
							if(__eflags >= 0) {
								_t95 =  &_v24;
								E00DC13C0(E00DC4860( &_v36, 0, E00DC63BB( &_v52,  &_v24,  &_v24, 0, __eflags)), _v52 - 0x10);
								_t58 = 0;
								__eflags = 0;
							}
							_t102 = _v36;
							if(__eflags < 0) {
								L16:
								_t97 = _t58;
								goto L17;
							} else {
								_t97 = 1;
								_t58 = E00DC864C( &_v48, L"uid", _t102, 1);
								__eflags = _t58;
								if(__eflags < 0) {
									goto L16;
								}
								EnterCriticalSection(0xdf8b60);
								 *0xdf8b38 =  *0xdf8b38 + 1;
								asm("adc dword [0xdf8b3c], 0x0");
								LeaveCriticalSection(0xdf8b60);
								E00DCA413( &_v48, _t95, __eflags);
								_v20 = 0;
								_v16 = 0;
								_v12 = 0;
								_t62 = E00DC9D31( &_v20, _t95, 1, __eflags);
								__eflags = _t62;
								if(_t62 >= 0) {
									__eflags = _v20 - _v16;
									if(_v20 != _v16) {
										E00DCA789(_t104 - 0xc,  &_v20);
										_t97 = E00DCA063(_t73, __eflags);
									}
								}
								_t58 = E00DC51E9();
								L17:
								E00DC13C0(_t58, _t102 - 0x10);
								goto L18;
							}
						}
						_t97 = 0;
						goto L18;
					}
				} else {
					L19:
					return E00DCF35B(_v8 ^ _t103);
				}
			}

0x00dca470
0x00dca477
0x00dca47b
0x00dca47f
0x00dca481
0x00dca498
0x00dca49f
0x00dca4a2
0x00dca4a7
0x00dca4af
0x00dca4b2
0x00dca4b5
0x00dca4bc
0x00dca4bf
0x00dca4c6
0x00dca4cb
0x00dca4d0
0x00dca4d2
0x00dca4d4
0x00dca4d4
0x00dca4eb
0x00dca4ed
0x00dca4ef
0x00dca5f1
0x00dca5f4
0x00dca5fb
0x00dca606
0x00dca60c
0x00000000
0x00dca4f5
0x00dca501
0x00dca507
0x00dca509
0x00dca51b
0x00dca525
0x00dca526
0x00dca527
0x00dca528
0x00dca529
0x00dca52d
0x00dca533
0x00dca535
0x00dca537
0x00dca551
0x00dca556
0x00dca558
0x00dca558
0x00dca55a
0x00dca55d
0x00dca5e7
0x00dca5e7
0x00000000
0x00dca563
0x00dca568
0x00dca570
0x00dca575
0x00dca577
0x00000000
0x00000000
0x00dca57e
0x00dca584
0x00dca58f
0x00dca596
0x00dca59f
0x00dca5a9
0x00dca5ac
0x00dca5af
0x00dca5b2
0x00dca5b7
0x00dca5b9
0x00dca5be
0x00dca5c1
0x00dca5cc
0x00dca5db
0x00dca5db
0x00dca5c1
0x00dca5e0
0x00dca5e9
0x00dca5ec
0x00000000
0x00dca5ec
0x00dca55d
0x00dca50b
0x00000000
0x00dca50b
0x00dca48c
0x00dca613
0x00dca621
0x00dca621

APIs

RegQueryValueExW.ADVAPI32(?,uid,00000000,00000000,00000000,00000000,HKLM\Software\Google\Update\,?,?,000F003F,?,00000000), ref: 00DCA501
CoCreateGuid.OLE32(?,00000000,?,?,000F003F,?,00000000), ref: 00DCA52D
EnterCriticalSection.KERNEL32(00DF8B60,uid,?,00000001,?,?,000F003F,?,00000000), ref: 00DCA57E
LeaveCriticalSection.KERNEL32(00DF8B60,?,?,000F003F,?,00000000), ref: 00DCA596

Strings

HKCU\Software\Google\Update\, xrefs: 00DCA4D4, 00DCA4E2
old-uid, xrefs: 00DCA47E
uid, xrefs: 00DCA4F9, 00DCA56B
HKLM\Software\Google\Update\, xrefs: 00DCA4CB

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CriticalSection$CreateEnterGuidLeaveQueryValue
String ID: HKCU\Software\Google\Update\$HKLM\Software\Google\Update\$old-uid$uid
API String ID: 969061735-2370829567
Opcode ID: eabae89b666842aa3c453a05d86ba71158c4759444c248acb3fd4fc314a3c1de
Instruction ID: 6b968fcd8bdacb8c1727bd252572fa1062d2b7e317c56a66cfee6c840953c518
Opcode Fuzzy Hash: eabae89b666842aa3c453a05d86ba71158c4759444c248acb3fd4fc314a3c1de
Instruction Fuzzy Hash: 6B416071A1025E9BCB04EBA9DC59EEFBBB4EF44348B14801DE512A7251EF709909CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC444D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 118
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00DC444D(void* __ebx, WCHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				short _v108;
				int _v112;
				int* _v116;
				WCHAR* _v120;
				int _v124;
				signed int _v128;
				void* __ebp;
				signed int _t39;
				void** _t42;
				int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t82;
				WCHAR* _t83;
				int _t86;
				char* _t87;
				signed int _t88;

				_t39 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t39 ^ _t88;
				_v120 = __ecx;
				_t67 = 0x18;
				_t42 = memcpy( &_v108, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager", _t67 << 2);
				_t65 = 0;
				asm("movsw");
				_v116 = 0;
				if(RegOpenKeyExW(0x80000002,  &_v108, 0, 0x20019, _t42) != 0) {
					L15:
					__eflags = 0;
				} else {
					_t86 = 7;
					_v112 = 0;
					_v124 = _t86;
					if(RegQueryValueExW(_v116, L"PendingFileRenameOperations", 0,  &_v124, 0,  &_v112) != 0) {
						goto L15;
					} else {
						_t94 = _v124 - _t86;
						if(_v124 != _t86) {
							goto L15;
						} else {
							_push(_v112);
							_t87 = E00DE3DB5(_t94);
							E00DD1190(RegQueryValueExW, _t87, 0, _v112);
							if(RegQueryValueExW(_v116, L"PendingFileRenameOperations", 0, 0, _t87,  &_v112) == 0) {
								_t82 = _v112 >> 1;
								_v128 = _t82;
								if(_t82 - 2 <= 0xffffd && _t87[_t82 * 2 - 4] == 0) {
									_t98 = _t87[_t82 * 2 - 2];
									if(_t87[_t82 * 2 - 2] == 0) {
										_t59 = E00DC47AE( &_v120, L"\\??\\", _t98,  &(_v120[0xa]));
										_t83 = _v120;
										if(_t82 == 0) {
											L10:
											_t65 = _t65 | 0xffffffff;
										} else {
											while(lstrcmpW(_t87 + _t65 * 2, _t83) != 0) {
												_t63 = lstrlenW(_t87 + _t65 * 2);
												_t59 = _t63 + 1;
												_t65 = _t65 + _t63 + 1;
												if(_t65 < _v128) {
													continue;
												} else {
													goto L10;
												}
												goto L11;
											}
										}
										L11:
										_t65 = _t65 & 0xffffff00 | _t65 != 0xffffffff;
										E00DC13C0(_t59, _t83 - 0x10);
									}
								}
							}
							if(_t87 != 0) {
								L00DCF9A7(_t87);
							}
						}
					}
				}
				return E00DCF35B(_v8 ^ _t88);
			}

0x00dc4453
0x00dc445a
0x00dc4462
0x00dc4468
0x00dc4471
0x00dc4479
0x00dc4485
0x00dc4487
0x00dc4492
0x00dc4575
0x00dc4575
0x00dc4498
0x00dc44a3
0x00dc44a9
0x00dc44b6
0x00dc44bd
0x00000000
0x00dc44c3
0x00dc44c3
0x00dc44c6
0x00000000
0x00dc44cc
0x00dc44cc
0x00dc44d7
0x00dc44db
0x00dc44f6
0x00dc44fb
0x00dc44fd
0x00dc4508
0x00dc4511
0x00dc4516
0x00dc4527
0x00dc452e
0x00dc4532
0x00dc4555
0x00dc4555
0x00000000
0x00dc4534
0x00dc4547
0x00dc454d
0x00dc454e
0x00dc4553
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00dc4553
0x00dc4534
0x00dc4558
0x00dc455e
0x00dc4561
0x00dc4561
0x00dc4516
0x00dc4508
0x00dc4568
0x00dc456b
0x00dc4570
0x00dc4571
0x00dc44c6
0x00dc44bd
0x00dc4585

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?,?,?,00000000), ref: 00DC448A
RegQueryValueExW.ADVAPI32(?,PendingFileRenameOperations,00000000,?,00000000,?), ref: 00DC44B9
RegQueryValueExW.ADVAPI32(?,PendingFileRenameOperations,00000000,00000000,00000000,?), ref: 00DC44F2
lstrcmpW.KERNEL32(00000000,?), ref: 00DC4539
lstrlenW.KERNEL32(00000000), ref: 00DC4547

Strings

PendingFileRenameOperations, xrefs: 00DC44AE, 00DC44EA
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00DC4469
\??\, xrefs: 00DC4521

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: QueryValue$Openlstrcmplstrlen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\??\
API String ID: 2090349685-3703331852
Opcode ID: 207e34775c1c24fabdb933c8f97ff84cc81cc914b9e0475b23767627f1cfcc44
Instruction ID: 1cd4af9e74893ed5451788cc0bb28b9891bf92e2b19c47d94828c77d369b00f5
Opcode Fuzzy Hash: 207e34775c1c24fabdb933c8f97ff84cc81cc914b9e0475b23767627f1cfcc44
Instruction Fuzzy Hash: AD316D71D1034EABDB20EBB49C81EEEB7BCEF44764B24412DE415A7291EB309A05CA70

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA2B7 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 121
registryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00DCA2B7(int* __ecx, void* __edx, void* __eflags) {
				int* _v8;
				int* _v12;
				int* _v16;
				void* _v20;
				char _v24;
				intOrPtr _v28;
				void* _v32;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short* _t44;
				int* _t50;
				int* _t51;
				void* _t52;
				int* _t69;
				void* _t91;

				_v24 = 0xdf4400;
				_t94 = 0;
				_t89 =  &_v24;
				_t69 = __ecx;
				_v20 = 0;
				E00DCA002(__ecx,  &_v24, __eflags);
				 *((intOrPtr*)(_v24 + 4))(_t91);
				_v36 = 0xdf41c0;
				_v32 = 0;
				_v28 = 0x200;
				E00DCB8E6( &_v24);
				_t44 = L"HKLM\\Software\\Google\\Update\\";
				_t98 = _t69;
				if(_t69 == 0) {
					_t44 = L"HKCU\\Software\\Google\\Update\\";
				}
				E00DC80D1( &_v36, _t89, _t98, _t44, 0xf003f);
				_t92 = L"old-uid";
				if(RegQueryValueExW(_v32, L"old-uid", _t94, _t94, _t94, _t94) != 0) {
					_v8 = _t94;
					_v16 = _t94;
					_v12 = _t94;
					_t50 = E00DC85EB( &_v36, __eflags,  &_v36,  &_v8,  &_v16,  &_v12);
					__eflags = _t50;
					if(_t50 >= 0) {
						_t94 = _v8;
						_t51 = E00DC8688( &_v36, L"old-uid", _t94, _v16, _v12);
						__eflags = _t51;
						if(_t51 >= 0) {
							E00DC7F44( &_v36, L"uid");
						}
						__eflags = _t94;
						if(_t94 == 0) {
							L12:
							__eflags = _t69;
							if(_t69 != 0) {
								E00DC1AD8( &_v8, _t89, E00DC13D8());
								E00DC84EE( &_v36, _t89, _t92,  &_v8);
								_push(E00DD3694(L"; legacy"));
								E00DC492A(_t69,  &_v8, _t92, L"; legacy", L"; legacy");
								_t94 = _v8;
								E00DC13C0(E00DC864C( &_v36, _t92, _v8, 1), _v8 - 0x10);
							}
							goto L14;
						} else {
							_push(_t94);
							L11:
							L00DCF9A7();
							goto L12;
						}
					}
					__eflags = _v8 - _t94;
					if(_v8 == _t94) {
						goto L12;
					}
					_push(_v8);
					goto L11;
				} else {
					E00DC7F44( &_v36, L"uid");
					L14:
					_t52 = E00DCA46A(_t69, _t69, _t92, _t94);
					_v36 = 0xdf41c0;
					E00DC7F74( &_v36);
					 *((intOrPtr*)(_v24 + 8))();
					E00DC7AB9( &_v24);
					return _t52;
				}
			}

0x00dca2c1
0x00dca2c8
0x00dca2ca
0x00dca2ce
0x00dca2d0
0x00dca2d3
0x00dca2de
0x00dca2e1
0x00dca2e8
0x00dca2eb
0x00dca2f2
0x00dca2f7
0x00dca2fc
0x00dca2fe
0x00dca300
0x00dca300
0x00dca30e
0x00dca317
0x00dca328
0x00dca33f
0x00dca346
0x00dca34d
0x00dca355
0x00dca35a
0x00dca35c
0x00dca36b
0x00dca376
0x00dca37b
0x00dca37d
0x00dca387
0x00dca387
0x00dca38c
0x00dca38e
0x00dca397
0x00dca397
0x00dca399
0x00dca3a4
0x00dca3b1
0x00dca3c2
0x00dca3c7
0x00dca3cc
0x00dca3de
0x00dca3de
0x00000000
0x00dca390
0x00dca390
0x00dca391
0x00dca391
0x00000000
0x00dca396
0x00dca38e
0x00dca35e
0x00dca361
0x00000000
0x00000000
0x00dca363
0x00000000
0x00dca32a
0x00dca332
0x00dca3e3
0x00dca3e5
0x00dca3ed
0x00dca3f6
0x00dca401
0x00dca407
0x00dca412
0x00dca412

APIs

RegQueryValueExW.ADVAPI32(?,old-uid,00000000,00000000,00000000,00000000,HKLM\Software\Google\Update\,000F003F), ref: 00DCA320

Strings

HKCU\Software\Google\Update\, xrefs: 00DCA300, 00DCA30A
old-uid, xrefs: 00DCA317, 00DCA31C, 00DCA375, 00DCA3AD, 00DCA3D5
uid, xrefs: 00DCA32A, 00DCA37F
HKLM\Software\Google\Update\, xrefs: 00DCA2F7
; legacy, xrefs: 00DCA3B6, 00DCA3BB, 00DCA3C3

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: QueryValue
String ID: ; legacy$HKCU\Software\Google\Update\$HKLM\Software\Google\Update\$old-uid$uid
API String ID: 3660427363-3165943210
Opcode ID: e3b4e0b80a6bef1e234a706cb210f8ca94e4c9b7d3823603b4d6d0b36dcea39e
Instruction ID: d45a24832c3abe34827cd5c9943a05d779a8d4076009cae19951e974761503ea
Opcode Fuzzy Hash: e3b4e0b80a6bef1e234a706cb210f8ca94e4c9b7d3823603b4d6d0b36dcea39e
Instruction Fuzzy Hash: 0B41643290022EAACF10EBA4DD96EEFBB78EF15308B11415DE801B3251DB749A05DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD1380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00DD1380(void* __ebx, void* __ecx, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr* _v40;
				void* __edi;
				void* __ebp;
				signed int _t57;
				char _t60;
				signed int _t67;
				intOrPtr _t68;
				void* _t69;
				intOrPtr* _t70;
				intOrPtr _t72;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr _t87;
				signed int _t92;
				char _t94;
				intOrPtr* _t98;
				intOrPtr* _t99;
				intOrPtr _t103;
				void* _t110;
				void* _t112;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr* _t120;
				intOrPtr* _t122;
				void* _t125;
				void* _t126;
				void* _t133;

				_t84 = _a4;
				_push(_t112);
				_v5 = 0;
				_v16 = 1;
				 *_t84 = E00DE6322(__ecx,  *_t84);
				_t85 = _a8;
				_t6 = _t85 + 0x10; // 0x11
				_t118 = _t6;
				_t57 =  *(_t85 + 8) ^  *0xdf8008;
				_push(_t118);
				_push(_t57);
				_v20 = _t118;
				_v12 = _t57;
				E00DD1340(_t112, _t118);
				E00DD1F67(_a12);
				_t60 = _a4;
				_t126 = _t125 + 0x10;
				_t113 =  *((intOrPtr*)(_t85 + 0xc));
				if(( *(_t60 + 4) & 0x00000066) != 0) {
					__eflags = _t113 - 0xfffffffe;
					if(_t113 != 0xfffffffe) {
						E00DD1F50(_t85, 0xfffffffe, _t118, 0xdf8008);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t60;
					_v28 = _a12;
					 *((intOrPtr*)(_t85 - 4)) =  &_v32;
					if(_t113 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t92 = _v12;
							_t67 = _t113 + (_t113 + 2) * 2;
							_t87 =  *((intOrPtr*)(_t92 + _t67 * 4));
							_t68 = _t92 + _t67 * 4;
							_t93 =  *((intOrPtr*)(_t68 + 4));
							_v24 = _t68;
							if( *((intOrPtr*)(_t68 + 4)) == 0) {
								_t94 = _v5;
								goto L7;
							} else {
								_t69 = E00DD1F00(_t93, _t118);
								_t94 = 1;
								_v5 = 1;
								_t133 = _t69;
								if(_t133 < 0) {
									_v16 = 0;
									L13:
									_push(_t118);
									_push(_v12);
									E00DD1340(_t113, _t118);
									goto L14;
								} else {
									if(_t133 > 0) {
										_t70 = _a4;
										__eflags =  *_t70 - 0xe06d7363;
										if( *_t70 == 0xe06d7363) {
											__eflags =  *0xde812c;
											if(__eflags != 0) {
												_t80 = E00DE38B0(__eflags, 0xde812c);
												_t126 = _t126 + 4;
												__eflags = _t80;
												if(_t80 != 0) {
													_t122 =  *0xde812c; // 0xdd2f1c
													 *0xde7348(_a4, 1);
													 *_t122();
													_t118 = _v20;
													_t126 = _t126 + 8;
												}
												_t70 = _a4;
											}
										}
										E00DD1F34(_t70, _a8, _t70);
										_t72 = _a8;
										__eflags =  *((intOrPtr*)(_t72 + 0xc)) - _t113;
										if( *((intOrPtr*)(_t72 + 0xc)) != _t113) {
											E00DD1F50(_t72, _t113, _t118, 0xdf8008);
											_t72 = _a8;
										}
										_push(_t118);
										_push(_v12);
										 *((intOrPtr*)(_t72 + 0xc)) = _t87;
										E00DD1340(_t113, _t118);
										E00DD1F18();
										asm("int3");
										_push(_t113);
										_t115 = _v40;
										__eflags =  *((char*)(_t115 + 4));
										if( *((char*)(_t115 + 4)) == 0) {
											L30:
											_t98 = _a4;
											_t74 =  *_t115;
											 *_t98 = _t74;
											 *((char*)(_t98 + 4)) = 0;
										} else {
											_t99 =  *_t115;
											__eflags = _t99;
											if(_t99 == 0) {
												goto L30;
											} else {
												_t110 = _t99 + 1;
												do {
													_t75 =  *_t99;
													_t99 = _t99 + 1;
													__eflags = _t75;
												} while (_t75 != 0);
												_push(_t87);
												_push(_t118);
												_t88 = _t99 - _t110 + 1;
												_push(_t99 - _t110 + 1);
												_t120 = E00DD3B1B();
												__eflags = _t120;
												if(_t120 != 0) {
													E00DD4D82(_t120, _t88,  *_t115);
													_t78 = _a4;
													_t103 = _t120;
													_t120 = 0;
													__eflags = 0;
													 *_t78 = _t103;
													 *((char*)(_t78 + 4)) = 1;
												}
												_t74 = E00DD3557(_t120);
											}
										}
										return _t74;
									} else {
										goto L7;
									}
								}
							}
							goto L32;
							L7:
							_t113 = _t87;
						} while (_t87 != 0xfffffffe);
						if(_t94 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L32:
			}

0x00dd1387
0x00dd138b
0x00dd138c
0x00dd1392
0x00dd139e
0x00dd13a0
0x00dd13a6
0x00dd13a6
0x00dd13a9
0x00dd13af
0x00dd13b0
0x00dd13b1
0x00dd13b4
0x00dd13b7
0x00dd13bf
0x00dd13c4
0x00dd13c7
0x00dd13ca
0x00dd13d1
0x00dd142d
0x00dd1430
0x00dd143f
0x00000000
0x00dd143f
0x00000000
0x00dd13d3
0x00dd13d3
0x00dd13d9
0x00dd13df
0x00dd13e5
0x00dd1450
0x00dd1459
0x00dd13e7
0x00dd13e7
0x00dd13e7
0x00dd13ed
0x00dd13f0
0x00dd13f3
0x00dd13f6
0x00dd13f9
0x00dd13fe
0x00dd1414
0x00000000
0x00dd1400
0x00dd1402
0x00dd1407
0x00dd1409
0x00dd140c
0x00dd140e
0x00dd1424
0x00dd1444
0x00dd1444
0x00dd1445
0x00dd1448
0x00000000
0x00dd1410
0x00dd1410
0x00dd145a
0x00dd145d
0x00dd1463
0x00dd1465
0x00dd146c
0x00dd1473
0x00dd1478
0x00dd147b
0x00dd147d
0x00dd147f
0x00dd148c
0x00dd1492
0x00dd1494
0x00dd1497
0x00dd1497
0x00dd149a
0x00dd149a
0x00dd146c
0x00dd14a2
0x00dd14a7
0x00dd14aa
0x00dd14ad
0x00dd14b9
0x00dd14be
0x00dd14be
0x00dd14c1
0x00dd14c2
0x00dd14c5
0x00dd14c8
0x00dd14d8
0x00dd14dd
0x00dd14e1
0x00dd14e2
0x00dd14e5
0x00dd14e9
0x00dd1533
0x00dd1533
0x00dd1536
0x00dd1538
0x00dd153a
0x00dd14eb
0x00dd14eb
0x00dd14ed
0x00dd14ef
0x00000000
0x00dd14f1
0x00dd14f1
0x00dd14f4
0x00dd14f4
0x00dd14f6
0x00dd14f7
0x00dd14f7
0x00dd14fd
0x00dd14fe
0x00dd14ff
0x00dd1502
0x00dd1508
0x00dd150b
0x00dd150d
0x00dd1513
0x00dd1518
0x00dd151b
0x00dd1520
0x00dd1520
0x00dd1522
0x00dd1524
0x00dd1524
0x00dd1529
0x00dd1530
0x00dd14ef
0x00dd1540
0x00dd1412
0x00000000
0x00dd1412
0x00dd1410
0x00dd140e
0x00000000
0x00dd1417
0x00dd1417
0x00dd1419
0x00dd1420
0x00000000
0x00dd1422
0x00000000
0x00dd1420
0x00dd13e5
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00DD13B7
___except_validate_context_record.LIBVCRUNTIME ref: 00DD13BF
_ValidateLocalCookies.LIBCMT ref: 00DD1448
__IsNonwritableInCurrentImage.LIBCMT ref: 00DD1473
_ValidateLocalCookies.LIBCMT ref: 00DD14C8

Strings

csm, xrefs: 00DD145D

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 33daf75c88fc0d11847c5b54267eaf53e67bc39465c2bca082e980cbdd6a08ac
Instruction ID: e59c7a26a1dea2292eb69decdade0dd2c3d916a331c889cd72c7bf6d63ee6f49
Opcode Fuzzy Hash: 33daf75c88fc0d11847c5b54267eaf53e67bc39465c2bca082e980cbdd6a08ac
Instruction Fuzzy Hash: 76419438A00258BBCF10DF68C884A9EBBB5FF45314F188156F9189B392D731DA45CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA808 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00DDA808(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t20;
				void* _t22;
				WCHAR* _t26;
				signed int _t29;
				void** _t30;
				signed int* _t35;
				void* _t38;
				void* _t40;

				_t35 = _a4;
				while(_t35 != _a8) {
					_t29 =  *_t35;
					_v8 = _t29;
					_t38 =  *(0xdf9640 + _t29 * 4);
					if(_t38 == 0) {
						_t26 =  *(0xde8a28 + _t29 * 4);
						_t38 = LoadLibraryExW(_t26, 0, 0x800);
						if(_t38 != 0) {
							L14:
							_t30 = 0xdf9640 + _v8 * 4;
							 *_t30 = _t38;
							if( *_t30 != 0) {
								FreeLibrary(_t38);
							}
							L16:
							_t20 = _t38;
							L13:
							return _t20;
						}
						_t22 = GetLastError();
						if(_t22 != 0x57) {
							L9:
							 *(0xdf9640 + _v8 * 4) = _t22 | 0xffffffff;
							L10:
							_t35 =  &(_t35[1]);
							continue;
						}
						_t22 = E00DD4E2B(_t26, L"api-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = E00DD4E2B(_t26, L"ext-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = LoadLibraryExW(_t26, _t38, _t38);
						_t38 = _t22;
						if(_t38 != 0) {
							goto L14;
						}
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						goto L16;
					}
					goto L10;
				}
				_t20 = 0;
				goto L13;
			}

0x00dda811
0x00dda8a6
0x00dda819
0x00dda81b
0x00dda825
0x00dda82a
0x00dda837
0x00dda84c
0x00dda850
0x00dda8b6
0x00dda8bb
0x00dda8c2
0x00dda8c6
0x00dda8c9
0x00dda8c9
0x00dda8cf
0x00dda8cf
0x00dda8b1
0x00dda8b5
0x00dda8b5
0x00dda852
0x00dda85b
0x00dda894
0x00dda8a1
0x00dda8a3
0x00dda8a3
0x00000000
0x00dda8a3
0x00dda865
0x00dda86a
0x00dda86f
0x00000000
0x00000000
0x00dda879
0x00dda87e
0x00dda883
0x00000000
0x00000000
0x00dda888
0x00dda88e
0x00dda892
0x00000000
0x00000000
0x00000000
0x00dda892
0x00dda82f
0x00000000
0x00000000
0x00000000
0x00dda835
0x00dda8af
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,9FA9E963,?,00DDA915,000000FF,00000006,?,00000000), ref: 00DDA8C9

Strings

api-ms-, xrefs: 00DDA85F
ext-ms-, xrefs: 00DDA873

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: ac07703e82bb807f07819c19097f8d360a8b9c658bf6539971435cb9796a1839
Instruction ID: 89d003cbe7f97d5142f2c18269a52bd341057c3a6c767378835c0e424c8daef0
Opcode Fuzzy Hash: ac07703e82bb807f07819c19097f8d360a8b9c658bf6539971435cb9796a1839
Instruction Fuzzy Hash: 4A21BB31E01310ABD731AB69DC84A5A7758EF41760B198162FD05EB391E734ED06DAF1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6E50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00DC6E50(intOrPtr* __ecx) {
				intOrPtr _v8;
				struct HINSTANCE__* _t15;
				intOrPtr* _t21;
				intOrPtr* _t28;
				intOrPtr _t32;

				_push(__ecx);
				_t21 = __ecx;
				 *__ecx = 0xdf3f80;
				_t1 = _t21 + 0x10; // 0x10
				 *((intOrPtr*)(__ecx + 8)) = 0xdf4540;
				_v8 = _t1;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t4 = _t21 + 0x20; // 0x20
				_t28 = _t4;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *_t28 = 0;
				 *((intOrPtr*)(_t28 + 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((char*)(__ecx + 0x34)) = 0;
				 *__ecx = 0xdf42b8;
				 *((intOrPtr*)(__ecx + 8)) = 0xdf42ac;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				_t15 = GetModuleHandleW(L"kernel32.dll");
				if(_t15 != 0) {
					 *((intOrPtr*)(_t21 + 0x38)) = GetProcAddress(_t15, "RtlCaptureStackBackTrace");
				}
				_t32 = _v8;
				if(E00DE3EC9(_t32, 0xdebd58, 0x10) != 0) {
					_t14 = _t21 + 8; // 0x8
					__imp__RegisterTraceGuidsW(E00DC913F, _t14, _t32, 1, 0xdf8aa0, 0, 0, _t28);
				}
				return _t21;
			}

0x00dc6e53
0x00dc6e55
0x00dc6e5e
0x00dc6e64
0x00dc6e67
0x00dc6e70
0x00dc6e7a
0x00dc6e7b
0x00dc6e7c
0x00dc6e7d
0x00dc6e7e
0x00dc6e7e
0x00dc6e81
0x00dc6e84
0x00dc6e86
0x00dc6e89
0x00dc6e8c
0x00dc6e8f
0x00dc6e92
0x00dc6e98
0x00dc6e9f
0x00dc6ea2
0x00dc6eaa
0x00dc6eb8
0x00dc6eb8
0x00dc6ebb
0x00dc6ed0
0x00dc6edf
0x00dc6ee8
0x00dc6ee8
0x00dc6ef4

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000,00000000,?,00DC360F,00000040,?,00DC36FF,00DF6410,00000028,00DC37DC,?,00DC39A1,?), ref: 00DC6EA2
GetProcAddress.KERNEL32(00000000,RtlCaptureStackBackTrace), ref: 00DC6EB2
_memcmp.LIBVCRUNTIME ref: 00DC6EC6
RegisterTraceGuidsW.ADVAPI32(00DC913F,00000008,00000000,00000001,00DF8AA0,00000000,00000000,00000020,00000001,00000000), ref: 00DC6EE8

Strings

kernel32.dll, xrefs: 00DC6E75
RtlCaptureStackBackTrace, xrefs: 00DC6EAC

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AddressGuidsHandleModuleProcRegisterTrace_memcmp
String ID: RtlCaptureStackBackTrace$kernel32.dll
API String ID: 658899046-94782561
Opcode ID: da4127ac8d6e66f986dddc081aca707a3608d5e7608a8d922549e0f5448fce5e
Instruction ID: 74330c65e9bc3c8eb62ac3f04648b96d9b3fb3ed38668808c86a7788dfffc017
Opcode Fuzzy Hash: da4127ac8d6e66f986dddc081aca707a3608d5e7608a8d922549e0f5448fce5e
Instruction Fuzzy Hash: 9F119DB1604305AFCB049F08ECC5B667BA8EF09710B15806ABE08DF389D7B0D944CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6D93 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00DC6D93(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				short _v2060;
				char _v2064;
				void* __ebp;
				signed int _t11;
				void* _t22;
				void* _t28;
				void* _t40;
				intOrPtr _t43;
				signed int _t45;

				_t11 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t11 ^ _t45;
				_t40 = __edx;
				_t28 = __ecx;
				E00DD1190(__edx,  &_v2060, 0, 0x802);
				_t43 =  *0xdf9f18; // 0xecd228
				E00DC78AC( &_v2064, 0);
				E00DC13C0(wsprintfW( &_v2060, L"Exception %x in %s %s %u\r\n\r\n%hs:%d\r\n", _t28, _v2064, _t43, 0, "base\\logging.cc", _t40), _v2064 - 0x10);
				E00DC9029( &_v2060);
				_t22 = MessageBoxW(0,  &_v2060, L"Exception", 0x250012) - 3;
				if(_t22 == 0) {
					ExitProcess(0xffffffff);
				}
				if(_t22 == 1) {
					asm("int3");
				}
				return E00DCF35B(_v8 ^ _t45);
			}

0x00dc6d9c
0x00dc6da3
0x00dc6db4
0x00dc6db9
0x00dc6dbb
0x00dc6dc0
0x00dc6dce
0x00dc6e01
0x00dc6e0c
0x00dc6e2d
0x00dc6e30
0x00dc6e49
0x00dc6e49
0x00dc6e35
0x00dc6e37
0x00dc6e37
0x00dc6e46

APIs

wsprintfW.USER32 ref: 00DC6DEF

Part of subcall function 00DC9029: lstrlenW.KERNEL32(?,?,?,00DC6E11), ref: 00DC902E
Part of subcall function 00DC9029: OpenClipboard.USER32(00000000), ref: 00DC9038
Part of subcall function 00DC9029: EmptyClipboard.USER32(00ECD228,?,?,00DC6E11), ref: 00DC9043
Part of subcall function 00DC9029: GlobalAlloc.KERNEL32(00002002,00000000,?,?,00DC6E11), ref: 00DC9056
Part of subcall function 00DC9029: GlobalLock.KERNEL32 ref: 00DC905F
Part of subcall function 00DC9029: GlobalUnlock.KERNEL32(00000000,?,?,00DC6E11), ref: 00DC9075
Part of subcall function 00DC9029: SetClipboardData.USER32 ref: 00DC907E
Part of subcall function 00DC9029: GlobalFree.KERNEL32 ref: 00DC9089

MessageBoxW.USER32(00000000,?,Exception,00250012), ref: 00DC6E24
ExitProcess.KERNEL32 ref: 00DC6E49

Strings

Exception, xrefs: 00DC6E16
base\logging.cc, xrefs: 00DC6DD4
Exception %x in %s %s %u%hs:%d, xrefs: 00DC6DE9

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Global$Clipboard$AllocDataEmptyExitFreeLockMessageOpenProcessUnlocklstrlenwsprintf
String ID: Exception$Exception %x in %s %s %u%hs:%d$base\logging.cc
API String ID: 489455310-1730742759
Opcode ID: 58bc89c637203a9f8d38382992c26c8887d6009ca6fa9cbf0881cde207962966
Instruction ID: 1374c2dfd30ae3c37fbe67ec380ae4328a393509012e0ae4bb02233022802e35
Opcode Fuzzy Hash: 58bc89c637203a9f8d38382992c26c8887d6009ca6fa9cbf0881cde207962966
Instruction Fuzzy Hash: CC11C174A00219ABCB94EF64DC89FAA77B8EB45710F0080A8B154971C1CE709E8CCBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC43CE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00DC43CE(intOrPtr __ecx, void* __eflags) {
				WCHAR* _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t8;
				void* _t9;
				intOrPtr _t13;
				void* _t14;
				WCHAR** _t25;
				void* _t30;

				_t30 = __eflags;
				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx;
				_v12 = __ecx;
				OutputDebugStringW(L"LOG_SYSTEM: trying to move log file to backup\n");
				_t25 = _t13 + 0x14;
				E00DC47F9( &_v8, _t25, _t30, L".bak");
				_t28 = _v8;
				_t8 = MoveFileExW( *_t25, _v8, 0xb);
				_t14 = 0;
				if(_t8 != 0) {
					_t9 = 0;
				} else {
					_t9 = E00DC7ED7();
				}
				if(_t9 >= 0) {
					_t14 = 1;
				} else {
					OutputDebugStringW(L"LOG_SYSTEM: failed to move log file to backup\n");
					_t9 = E00DC444D(_t14, _v12, _t25, _t28);
					_t33 = _t9;
					if(_t9 == 0) {
						_t9 = E00DC50F6( *_t25, _t28, _t25, _t33);
					}
				}
				E00DC13C0(_t9, _t28 - 0x10);
				return _t14;
			}

0x00dc43ce
0x00dc43d1
0x00dc43d2
0x00dc43d6
0x00dc43dd
0x00dc43e0
0x00dc43e6
0x00dc43f3
0x00dc43f8
0x00dc4401
0x00dc4407
0x00dc440b
0x00dc4414
0x00dc440d
0x00dc440d
0x00dc440d
0x00dc4418
0x00dc443c
0x00dc441a
0x00dc441f
0x00dc4428
0x00dc442d
0x00dc442f
0x00dc4435
0x00dc4435
0x00dc442f
0x00dc4441
0x00dc444c

APIs

OutputDebugStringW.KERNEL32(LOG_SYSTEM: trying to move log file to backup,?,?,?,?,?,?,00DC41F7), ref: 00DC43E0
MoveFileExW.KERNEL32(?,?,0000000B,?,?,?,?,?,?,00DC41F7), ref: 00DC4401
OutputDebugStringW.KERNEL32(LOG_SYSTEM: failed to move log file to backup,?,?,?,?,?,?,00DC41F7), ref: 00DC441F

Part of subcall function 00DC7ED7: GetLastError.KERNEL32(?,00DC6548), ref: 00DC7ED8
Part of subcall function 00DC7ED7: RaiseException.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DC7F0A

Strings

LOG_SYSTEM: failed to move log file to backup, xrefs: 00DC441A
.bak, xrefs: 00DC43E9
LOG_SYSTEM: trying to move log file to backup, xrefs: 00DC43D8

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputString$ErrorExceptionFileLastMoveRaise
String ID: .bak$LOG_SYSTEM: failed to move log file to backup$LOG_SYSTEM: trying to move log file to backup
API String ID: 4067951547-3505153176
Opcode ID: d242e87b2e38f9fb7f0fa5dfb3e8514938512bf637c99943986faadfc597f91f
Instruction ID: b2759f9bebca9a1b8fc402a38f8b761fba2ed6718deb40d26d34e4a8d55a213b
Opcode Fuzzy Hash: d242e87b2e38f9fb7f0fa5dfb3e8514938512bf637c99943986faadfc597f91f
Instruction Fuzzy Hash: 4E01F735304207AF9B18AB94ECB6FAE7768EF41344720046DF601DB241DBB0AD058770

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7A14 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC7A14() {
				void* __edi;
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t3;
				void* _t6;
				void* _t7;
				struct HINSTANCE__* _t8;
				void* _t9;

				if( *0xdf9bbc == 0 ||  *0xdf9bc8 == 0) {
					_t1 = E00DC8D1C(_t6, _t7, _t9);
					if(_t1 != 0) {
						_t1 = GetModuleHandleW(L"kernel32.dll");
						_t8 = _t1;
						if(_t8 != 0) {
							 *0xdf9bbc = GetProcAddress(_t8, "CreateMutexExW");
							_t3 = GetProcAddress(_t8, "CreateEventExW");
							 *0xdf9bc8 = _t3;
							return _t3;
						}
					}
				}
				return _t1;
			}

0x00dc7a1c
0x00dc7a28
0x00dc7a30
0x00dc7a37
0x00dc7a3d
0x00dc7a41
0x00dc7a55
0x00dc7a5a
0x00dc7a60
0x00000000
0x00dc7a60
0x00dc7a41
0x00dc7a30
0x00dc7a66

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00DC7A73,?,00000000,?,00DCA032,00000000,?,?,?,00DCA653,?,00000000,?,?), ref: 00DC7A37
GetProcAddress.KERNEL32(00000000,CreateMutexExW), ref: 00DC7A49
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00DC7A5A

Strings

CreateEventExW, xrefs: 00DC7A4F
kernel32.dll, xrefs: 00DC7A32
CreateMutexExW, xrefs: 00DC7A43

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateEventExW$CreateMutexExW$kernel32.dll
API String ID: 667068680-2423819206
Opcode ID: 07a1d489520786b64b4483e69872a16dc3f1ace946de44f8cea7928ec960e2a2
Instruction ID: 26c7b547e783c47c1ce371d42c643096cebf3c942a234d196d85d548fe2912d0
Opcode Fuzzy Hash: 07a1d489520786b64b4483e69872a16dc3f1ace946de44f8cea7928ec960e2a2
Instruction Fuzzy Hash: F7E09270948302AECB509B78BC9CF3AB3B0A780725F2A901DE104D73E4EB708185CE30

Uniqueness

Uniqueness Score: -1.00%

Function 00DCC8ED Relevance: 9.1, APIs: 6, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00DCC8ED(intOrPtr* __ecx, intOrPtr* _a4, char _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _t37;
				void* _t39;
				intOrPtr* _t42;
				intOrPtr* _t43;
				char _t45;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t64;
				intOrPtr _t70;
				intOrPtr* _t71;
				intOrPtr _t72;
				void* _t76;
				char _t77;
				void* _t78;
				void* _t79;

				_t74 = __ecx;
				_v8 = 0;
				_t67 =  *__ecx;
				if( *((intOrPtr*)(__ecx + 4)) != 0) {
					_t37 = _a8;
					_t64 = _a12;
					_push(0x10);
					if(_t37 !=  *_t67) {
						if(_t37 != _t67) {
							_pop(_t76);
							_v12 = _t37 + 0x10;
							_t39 = E00DE3EC9(_t64, _t37 + 0x10, 0);
							_t79 = _t78 + 0xc;
							if(_t39 >= 0) {
								L13:
								if(E00DE3EC9(_v12, _t64, _t76) >= 0) {
									L23:
									_t42 = E00DCCB7A(_t74,  &_v16, _t67, _t64, _a16);
									_t43 = _a4;
									 *_t43 =  *_t42;
									L24:
									return _t43;
								}
								_t77 = _a8;
								_t67 =  &_v8;
								_v8 = _t77;
								E00DC2070( &_v8);
								_t45 = _v8;
								if(_t45 ==  *_t74) {
									L17:
									_t70 =  *((intOrPtr*)(_t77 + 8));
									_push(_a16);
									_push(_t70);
									_t71 = _t74;
									if( *((char*)(_t70 + 0xd)) == 0) {
										_push(_t45);
										L21:
										_push(1);
										L22:
										_push(_a4);
										E00DCCA5A(_t71);
										_t43 = _a4;
										goto L24;
									}
									_push(_t77);
									L19:
									_push(0);
									goto L22;
								}
								if(E00DE3EC9(_t64, _t45 + 0x10, 0x10) >= 0) {
									goto L23;
								}
								_t77 = _a8;
								_t45 = _v8;
								goto L17;
							}
							_t67 =  &_v8;
							_v8 = _a8;
							_t53 = E00DE3EC9( *((intOrPtr*)(E00DC1FFC( &_v8))), _t64, 0);
							_t79 = _t79 + 0xc;
							if(_t53 >= 0) {
								goto L13;
							}
							_t54 = _v8;
							_push(_a16);
							_t72 =  *((intOrPtr*)(_t54 + 8));
							_push(_t72);
							_t71 = _t74;
							if( *((char*)(_t72 + 0xd)) == 0) {
								_push(_a8);
								goto L21;
							}
							_push(_t54);
							goto L19;
						}
						_t10 = _t67 + 8; // 0xb60f41eb
						_push(_t64);
						_push( *_t10 + 0x10);
						if(E00DE3EC9() >= 0) {
							goto L23;
						}
						_push(_a16);
						_push(_t67);
						_t71 = _t74;
						_push( *((intOrPtr*)( *_t74 + 8)));
						_push(0);
						goto L22;
					}
					_push(_t37 + 0x10);
					_push(_t64);
					if(E00DE3EC9() >= 0) {
						goto L23;
					}
					_push(_a16);
					_push(_t67);
					_push(_a8);
					_t71 = _t74;
					goto L21;
				}
				_push(_a16);
				E00DCCA5A(__ecx, _a4, 1, _t67, _t67);
				return _a4;
			}

0x00dcc8f5
0x00dcc8f9
0x00dcc8fc
0x00dcc901
0x00dcc91c
0x00dcc920
0x00dcc923
0x00dcc927
0x00dcc94e
0x00dcc979
0x00dcc980
0x00dcc983
0x00dcc988
0x00dcc98d
0x00dcc9ca
0x00dcc9d9
0x00dcca2d
0x00dcca38
0x00dcca3f
0x00dcca42
0x00dcca44
0x00000000
0x00dcca44
0x00dcc9db
0x00dcc9de
0x00dcc9e1
0x00dcc9e4
0x00dcc9e9
0x00dcc9ee
0x00dcca09
0x00dcca09
0x00dcca0c
0x00dcca0f
0x00dcca14
0x00dcca16
0x00dcca1d
0x00dcca1e
0x00dcca1e
0x00dcca20
0x00dcca20
0x00dcca23
0x00dcca28
0x00000000
0x00dcca28
0x00dcca18
0x00dcca19
0x00dcca19
0x00000000
0x00dcca19
0x00dcca01
0x00000000
0x00000000
0x00dcca03
0x00dcca06
0x00000000
0x00dcca06
0x00dcc992
0x00dcc995
0x00dcc9a4
0x00dcc9a9
0x00dcc9ae
0x00000000
0x00000000
0x00dcc9b0
0x00dcc9b3
0x00dcc9b6
0x00dcc9b9
0x00dcc9be
0x00dcc9c0
0x00dcc9c5
0x00000000
0x00dcc9c5
0x00dcc9c2
0x00000000
0x00dcc9c2
0x00dcc950
0x00dcc956
0x00dcc957
0x00dcc962
0x00000000
0x00000000
0x00dcc968
0x00dcc96d
0x00dcc96e
0x00dcc970
0x00dcc973
0x00000000
0x00dcc973
0x00dcc92c
0x00dcc92d
0x00dcc938
0x00000000
0x00000000
0x00dcc93e
0x00dcc941
0x00dcc942
0x00dcc945
0x00000000
0x00dcc945
0x00dcc903
0x00dcc90f
0x00000000

APIs

_memcmp.LIBVCRUNTIME ref: 00DCC92E

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 093fe16c142ff3c9d98dfb4bc9c6a0d372a06be5c7951a027dea2351222d9892
Instruction ID: 01014208836b145c3bbc037872fd5fb332559be53bee81087fcf11b7a8e4297f
Opcode Fuzzy Hash: 093fe16c142ff3c9d98dfb4bc9c6a0d372a06be5c7951a027dea2351222d9892
Instruction Fuzzy Hash: 13414AB1A1011ABBDF01DF59CC49FAE7BA9EB04344F149058FA09E7252EA71EE50DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DD19DA Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00DD19DA(void* __ecx) {
				void* _t4;
				void* _t11;
				long _t25;
				void* _t28;

				if( *0xdf8020 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E00DD1CCE(__eflags,  *0xdf8020);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00DD1D09(__eflags,  *0xdf8020, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_push(1);
								_t28 = E00DD4E20();
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00DD1D09(__eflags,  *0xdf8020, 0);
								} else {
									__eflags = E00DD1D09(__eflags,  *0xdf8020, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00DD3557(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x00dd19e1
0x00dd19f4
0x00dd19fb
0x00dd19fe
0x00dd1a01
0x00dd1a1a
0x00dd1a1a
0x00dd1a03
0x00dd1a03
0x00dd1a05
0x00dd1a0f
0x00dd1a16
0x00dd1a18
0x00dd1a1f
0x00dd1a21
0x00dd1a28
0x00dd1a2c
0x00dd1a2e
0x00dd1a42
0x00dd1a42
0x00dd1a4b
0x00dd1a30
0x00dd1a3e
0x00dd1a40
0x00dd1a54
0x00dd1a56
0x00dd1a56
0x00000000
0x00000000
0x00000000
0x00dd1a40
0x00dd1a59
0x00000000
0x00000000
0x00000000
0x00dd1a18
0x00dd1a05
0x00dd1a61
0x00dd1a6b
0x00dd19e3
0x00dd19e5
0x00dd19e5

APIs

GetLastError.KERNEL32(?,?,00DD19D1,00DD1765), ref: 00DD19E8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DD19F6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DD1A0F
SetLastError.KERNEL32(00000000,?,00DD19D1,00DD1765), ref: 00DD1A61

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e1605df348febe51a9b2bbbb088ef33dcdfdab3065f559e43a70f2c201a07efe
Instruction ID: 17c5174798dbb370e2848a6f0ff7f2528cf0ca8a57620bf9db3c9f541322f973
Opcode Fuzzy Hash: e1605df348febe51a9b2bbbb088ef33dcdfdab3065f559e43a70f2c201a07efe
Instruction Fuzzy Hash: B001473F61E7127EAB242BB4BC8562A2B99EB01372734122BF514843F0FF514C06A178

Uniqueness

Uniqueness Score: -1.00%

Function 00DCE634 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 184
threadCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00DCE634(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v4;
				signed int _v8;
				char _v732;
				long _v736;
				intOrPtr _v740;
				intOrPtr _v744;
				char _v996;
				char _v1000;
				char _v1252;
				char _v1508;
				char _v1512;
				intOrPtr _v1564;
				char* _v1568;
				char* _v1572;
				intOrPtr _v1576;
				char _v1588;
				intOrPtr _v1592;
				char* _v1596;
				char _v1600;
				intOrPtr _v1604;
				intOrPtr _v1616;
				signed int _v1644;
				signed int _v1656;
				char _v2368;
				intOrPtr _v2372;
				intOrPtr _v2380;
				char _v2636;
				char _v3144;
				char _v3148;
				intOrPtr _v3200;
				char* _v3204;
				char* _v3208;
				intOrPtr _v3212;
				char _v3224;
				intOrPtr _v3228;
				char* _v3232;
				char _v3236;
				void* _v3248;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t75;
				char* _t93;
				char* _t98;
				signed int _t100;
				char* _t110;
				char* _t115;
				intOrPtr* _t123;
				intOrPtr* _t128;
				void* _t132;
				intOrPtr _t133;
				long* _t134;
				intOrPtr _t139;
				void* _t144;
				intOrPtr _t145;
				struct _CRITICAL_SECTION* _t147;
				void* _t150;
				char _t151;
				char _t152;
				intOrPtr _t153;
				void* _t156;
				signed int _t157;
				signed int _t159;
				signed int _t161;
				signed int _t167;
				signed int _t169;
				signed int _t172;

				_t161 = (_t159 & 0xfffffff8) - 0x644;
				_t75 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t75 ^ _t161;
				_t133 = _a8;
				_t145 = _a4;
				_v1604 = _a12;
				E00DCE4E6( &_v1600, _t145, _t150);
				_t151 = _v1600;
				E00DD1190(_t145,  &_v1508, 0, 0x308);
				E00DC9C43( &_v1508, 0x80, 0xffffffff, L"%s", _t145);
				E00DC9C43( &_v1252, 0x80, 0xffffffff, L"%s", _t133);
				E00DC9C43( &_v996, 0x80, 0xffffffff, L"%s", _v1604);
				_v740 = _a16;
				_v736 = 1;
				E00DD1190(_t145,  &_v1588, 0, 0x50);
				E00DD1190(_t145,  &_v732, 0, 0x2cc);
				_t167 = _t161 + 0x60;
				_v1596 =  &_v1588;
				_t93 =  &_v732;
				_v1592 = _t93;
				__imp__RtlCaptureContext(_t93, _t144, _t150, _t132);
				_v1592 = 0xc000000d;
				_v1572 =  &_v1512;
				_v1568 =  &_v1000;
				_v1564 = _v744;
				_push( &_v1512);
				_v1576 = 3;
				_t98 =  &_v1600;
				_push(_t98);
				if( *((intOrPtr*)(_t151 + 0xc)) == 0) {
					L15();
				} else {
					_push(GetCurrentThreadId());
					_t98 = E00DCE943(_t133, _t151);
				}
				if(_t98 == 0) {
					_t128 =  *((intOrPtr*)(_t151 + 0x80));
					if(_t128 == 0) {
						E00DD3439();
					} else {
						 *_t128(_t145, _t133, _v1616, _a16, _a20);
						_t167 = _t167 + 0x14;
					}
				}
				E00DD3F79(0);
				asm("int3");
				_t157 = _t167;
				_t169 = (_t167 & 0xfffffff8) - 0x640;
				_t100 =  *0xdf8008; // 0x9fa9e963
				_v1644 = _t100 ^ _t169;
				E00DCE4E6( &_v3236, _t145, _t151);
				_t152 = _v3236;
				E00DD1190(0,  &_v3144, 0, 0x308);
				_v2372 = 2;
				E00DD1190(0,  &_v3224, 0, 0x50);
				E00DD1190(0,  &_v2368, 0, 0x2cc);
				_t172 = _t169 + 0x24;
				_v3232 =  &_v3224;
				_t110 =  &_v2368;
				_v3228 = _t110;
				__imp__RtlCaptureContext(_t110, _t145, _t151, _t156);
				_v3228 = 0xc0000025;
				_v3208 =  &_v3148;
				_v3204 =  &_v2636;
				_v3200 = _v2380;
				_push( &_v3148);
				_v3212 = 3;
				_t115 =  &_v3236;
				_push(_t115);
				if( *((intOrPtr*)(_t152 + 0xc)) == 0) {
					_t139 = _t152;
					L15();
				} else {
					_push(GetCurrentThreadId());
					_t139 = _t152;
					_t115 = E00DCE943(_t133, _t139);
				}
				if(_t115 != 0) {
					L14:
					E00DD3F79(0);
					asm("int3");
					_push(_t157);
					_push(_t133);
					_push(_t152);
					_t153 = _t139;
					_push(0);
					_t147 = _t153 + 0x90;
					EnterCriticalSection(_t147);
					_t134 = 0;
					__eflags =  *((intOrPtr*)(_t153 + 0x88));
					if( *((intOrPtr*)(_t153 + 0x88)) != 0) {
						 *((intOrPtr*)(_t153 + 0xb0)) = GetCurrentThreadId();
						 *(_t153 + 0xb4) = _v8;
						 *((intOrPtr*)(_t153 + 0xb8)) = _v4;
						ReleaseSemaphore( *(_t153 + 0xa8), 1, 0);
						WaitForSingleObject( *(_t153 + 0xac), 0xffffffff);
						 *((intOrPtr*)(_t153 + 0xb0)) = 0;
						 *(_t153 + 0xb4) = 0;
						 *((intOrPtr*)(_t153 + 0xb8)) = 0;
						_t134 =  *((intOrPtr*)(_t153 + 0xbc));
					}
					LeaveCriticalSection(_t147);
					return _t134;
				} else {
					_t123 =  *((intOrPtr*)(_t152 + 0x84));
					_t179 = _t123;
					if(_t123 != 0) {
						 *_t123();
						goto L14;
					} else {
						E00DCE553(_t179);
						return E00DCF35B(_v1656 ^ _t172);
					}
				}
			}

0x00dce63a
0x00dce640
0x00dce647
0x00dce656
0x00dce65b
0x00dce65e
0x00dce662
0x00dce667
0x00dce677
0x00dce691
0x00dce6ae
0x00dce6ce
0x00dce6d9
0x00dce6e4
0x00dce6f4
0x00dce70b
0x00dce710
0x00dce717
0x00dce71b
0x00dce722
0x00dce727
0x00dce731
0x00dce739
0x00dce744
0x00dce74f
0x00dce757
0x00dce758
0x00dce760
0x00dce768
0x00dce769
0x00dce77d
0x00dce76b
0x00dce771
0x00dce774
0x00dce774
0x00dce784
0x00dce786
0x00dce78e
0x00dce7a3
0x00dce790
0x00dce79c
0x00dce79e
0x00dce79e
0x00dce78e
0x00dce7aa
0x00dce7af
0x00dce7b1
0x00dce7b6
0x00dce7bc
0x00dce7c3
0x00dce7d0
0x00dce7d5
0x00dce7e6
0x00dce7ee
0x00dce801
0x00dce817
0x00dce81c
0x00dce823
0x00dce827
0x00dce82e
0x00dce833
0x00dce83d
0x00dce845
0x00dce850
0x00dce85b
0x00dce863
0x00dce864
0x00dce86c
0x00dce870
0x00dce874
0x00dce886
0x00dce888
0x00dce876
0x00dce87c
0x00dce87d
0x00dce87f
0x00dce87f
0x00dce88f
0x00dce8ba
0x00dce8bb
0x00dce8c0
0x00dce8c1
0x00dce8c4
0x00dce8c5
0x00dce8c6
0x00dce8c8
0x00dce8c9
0x00dce8d0
0x00dce8d6
0x00dce8d8
0x00dce8de
0x00dce8e7
0x00dce8f8
0x00dce901
0x00dce907
0x00dce915
0x00dce91b
0x00dce921
0x00dce927
0x00dce92d
0x00dce92d
0x00dce934
0x00dce940
0x00dce891
0x00dce891
0x00dce897
0x00dce899
0x00dce8b8
0x00000000
0x00dce89b
0x00dce89f
0x00dce8b7
0x00dce8b7
0x00dce899

APIs

Part of subcall function 00DCE4E6: EnterCriticalSection.KERNEL32(00DF9E1C,?,?,00DCE59B), ref: 00DCE4EF
Part of subcall function 00DCE4E6: SetUnhandledExceptionFilter.KERNEL32(?,?,?,00DCE59B), ref: 00DCE526

RtlCaptureContext.KERNEL32(?), ref: 00DCE727
GetCurrentThreadId.KERNEL32 ref: 00DCE76B

Part of subcall function 00DCE8C1: EnterCriticalSection.KERNEL32(?,?,?,00000001,?,00DCE610,?,00000000), ref: 00DCE8D0
Part of subcall function 00DCE8C1: GetCurrentThreadId.KERNEL32 ref: 00DCE8E0
Part of subcall function 00DCE8C1: ReleaseSemaphore.KERNEL32(?,00000001,00000000,?,00DCE610,?,00000000), ref: 00DCE907
Part of subcall function 00DCE8C1: WaitForSingleObject.KERNEL32(?,000000FF,?,00DCE610,?,00000000), ref: 00DCE915
Part of subcall function 00DCE8C1: LeaveCriticalSection.KERNEL32(?,?,00DCE610,?,00000000), ref: 00DCE934

RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00DCE833
GetCurrentThreadId.KERNEL32 ref: 00DCE876

Strings

%, xrefs: 00DCE83D

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CriticalCurrentSectionThread$CaptureContextEnter$ExceptionFilterLeaveObjectReleaseSemaphoreSingleUnhandledWait
String ID: %
API String ID: 4000429020-2567322570
Opcode ID: 1af9a0ab034a5d291f73f32ff5b87ad315ee5eb61edda443b09241d6db273c23
Instruction ID: db7ac56d5beb4749f998fce9847c551de33462a6ab877d74ee28a5fb8fba6a21
Opcode Fuzzy Hash: 1af9a0ab034a5d291f73f32ff5b87ad315ee5eb61edda443b09241d6db273c23
Instruction Fuzzy Hash: 43614BB1508345ABD720EF60D845F9BB7E8EB84714F000A1EF5A9D7281EB34D6098BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3F04 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00DC3F04(intOrPtr* __ecx, void* __edx, void* __eflags, signed int _a4, WCHAR* _a8) {
				void* __edi;
				void* __esi;
				void* _t25;
				void* _t28;
				signed int _t32;
				signed int _t36;
				void* _t39;
				intOrPtr* _t45;
				WCHAR* _t57;
				void* _t58;

				_t58 = __eflags;
				_t54 = __edx;
				_t45 = __ecx;
				 *__ecx = 0xdf3f6c;
				 *(__ecx + 4) = 0x989680;
				 *((short*)(__ecx + 8)) = 0;
				 *((char*)(__ecx + 0xa)) = _a8;
				 *((char*)(__ecx + 0xb)) = 1;
				_t25 = E00DC13D8();
				_t6 = _t45 + 0xc; // 0xc
				E00DC1AD8(_t6, __edx, _t25);
				_t8 = _t45 + 0x14; // 0x14
				 *((intOrPtr*)(_t45 + 0x10)) = 0;
				E00DC189E(_t8, _t54, _t58, _a4);
				 *((intOrPtr*)(_t45 + 0x18)) = 0;
				_t28 = E00DC13D8();
				_t11 = _t45 + 0x1c; // 0x1c
				E00DC1AD8(_t11, _t54, _t28);
				asm("sbb eax, eax");
				_t32 =  ~( *0xdf9f1d & 0x000000ff) & 0x00df9e40;
				_a4 = _t32;
				if(_t32 != 0) {
					E00DC3E17(_t32, 0,  &_a8);
					_t57 = _a8;
					if( *((intOrPtr*)(_t57 - 0xc)) == 0) {
						 *(_t45 + 4) = 0x989680;
						_t36 = 1;
						__eflags = 1;
					} else {
						 *(_t45 + 4) = GetPrivateProfileIntW(L"LoggingSettings", L"MaxLogFileSize", 0x989680, _t57);
						_t36 = GetPrivateProfileIntW(L"LoggingSettings", L"LogFileWide", 1, _t57) & 0xffffff00 | _t44 != 0x00000000;
					}
					 *(_t45 + 0xb) = _t36;
					_t21 = _t45 + 0x1c; // 0x1c
					_t39 = E00DC4860(_t21, _t57, _a4 + 0x54);
					_t23 = _t57 - 0x10; // -15
					E00DC13C0(_t39, _t23);
				}
				return _t45;
			}

0x00dc3f04
0x00dc3f04
0x00dc3f0b
0x00dc3f0f
0x00dc3f15
0x00dc3f1c
0x00dc3f22
0x00dc3f25
0x00dc3f29
0x00dc3f2f
0x00dc3f32
0x00dc3f3c
0x00dc3f3f
0x00dc3f42
0x00dc3f47
0x00dc3f4a
0x00dc3f50
0x00dc3f53
0x00dc3f61
0x00dc3f63
0x00dc3f68
0x00dc3f6b
0x00dc3f73
0x00dc3f78
0x00dc3f7e
0x00dc3fb5
0x00dc3fbc
0x00dc3fbc
0x00dc3f80
0x00dc3f98
0x00dc3fae
0x00dc3fae
0x00dc3fbd
0x00dc3fc0
0x00dc3fca
0x00dc3fcf
0x00dc3fd2
0x00dc3fd2
0x00dc3fdd

APIs

Part of subcall function 00DC13D8: GetProcessHeap.KERNEL32(00DC3B5B,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC13E9

GetPrivateProfileIntW.KERNEL32 ref: 00DC3F96
GetPrivateProfileIntW.KERNEL32 ref: 00DC3FAA

Strings

MaxLogFileSize, xrefs: 00DC3F8C
LoggingSettings, xrefs: 00DC3F91, 00DC3FA5
LogFileWide, xrefs: 00DC3FA0

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: PrivateProfile$HeapProcess
String ID: LogFileWide$LoggingSettings$MaxLogFileSize
API String ID: 3069165953-2181087832
Opcode ID: a3ce38450a46210186df27f36604b209af9c41fbc337a312b66282b5276638cb
Instruction ID: 1b1dc0d4d739971c11265c008e1a2055fb79b52a6b9e091be5ce9b2f70f572c1
Opcode Fuzzy Hash: a3ce38450a46210186df27f36604b209af9c41fbc337a312b66282b5276638cb
Instruction Fuzzy Hash: AA21FF71500244AECB04EF28C881EBABBA8EF51314709C19DF905DF247DBB4D618CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3B31 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
sleepCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00DC3B31(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20) {
				char _v8;
				void* __ebp;
				void* _t20;
				void* _t25;
				void* _t31;
				void* _t34;
				void* _t46;
				void* _t50;
				WCHAR* _t52;

				_t46 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t52 = _a16;
				_t34 = __ecx;
				if(_t52 != 0 && (_a4 != 0 || _a12 <= 2)) {
					E00DC1AD8( &_v8, _t46, E00DC13D8());
					E00DC1AD8( &_a16, _t46, E00DC13D8());
					_t25 = _t34 + 0x58;
					_t50 = 1;
					while(E00DC7B75(_t25, 0) == 0) {
						Sleep(0x32);
						_t50 = _t50 + 1;
						_t25 = _t34 + 0x58;
						if(_t50 <= 0x14) {
							continue;
						} else {
						}
						L8:
						if(_t50 > 0x14) {
							OutputDebugStringA("LOG_SYSTEM: Couldn\'t acquire lock - ");
							OutputDebugStringW(_t52);
							OutputDebugStringW(L"\n\r");
						}
						_t20 = E00DC13C0(E00DC13C0(_t31, _a16 - 0x10), _v8 - 0x10);
						goto L11;
					}
					E00DC3A54(_t34, __eflags);
					_t31 =  *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x58)) + 8))(_a4, _a8, _a12,  &_v8,  &_a16, _t52, _a20);
					goto L8;
				}
				L11:
				return _t20;
			}

0x00dc3b31
0x00dc3b34
0x00dc3b35
0x00dc3b38
0x00dc3b3b
0x00dc3b40
0x00dc3b5f
0x00dc3b6d
0x00dc3b74
0x00dc3b77
0x00dc3b78
0x00dc3b87
0x00dc3b8d
0x00dc3b8e
0x00dc3b94
0x00000000
0x00000000
0x00dc3b96
0x00dc3bbc
0x00dc3bbf
0x00dc3bc6
0x00dc3bd3
0x00dc3bda
0x00dc3bda
0x00dc3bed
0x00000000
0x00dc3bed
0x00dc3baf
0x00dc3bb9
0x00000000
0x00dc3bb9
0x00dc3bf2
0x00dc3bf6

APIs

Sleep.KERNEL32(00000032,00000000,00000000,00000000,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC3B87
OutputDebugStringA.KERNEL32(LOG_SYSTEM: Couldn't acquire lock - ,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC3BC6
OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC3BD3
OutputDebugStringW.KERNEL32(00DF3B88,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC3BDA

Strings

LOG_SYSTEM: Couldn't acquire lock - , xrefs: 00DC3BC1

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputString$Sleep
String ID: LOG_SYSTEM: Couldn't acquire lock -
API String ID: 3789842296-1219263422
Opcode ID: 255adda85a4095be48b87577788b54fdf945c7d4934c96d9c8e9e34587794ae5
Instruction ID: b34840153ff8b2437795133a0f61fd455e501a0a26ff54a4159b231c430a2776
Opcode Fuzzy Hash: 255adda85a4095be48b87577788b54fdf945c7d4934c96d9c8e9e34587794ae5
Instruction Fuzzy Hash: 0C21A13520025AABCF18EF58DC86EEE376AEF41304B00415DF802D7152DA71EE55CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7516 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00DC7516(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t9;
				void* _t10;
				intOrPtr _t14;
				signed short _t16;
				int _t20;
				signed short* _t22;
				WCHAR* _t25;

				_push(__ecx);
				_t25 = __ecx;
				_t20 = lstrlenW(__ecx);
				_v8 = _t20;
				_t9 = lstrlenW(L".google.com");
				if(_t9 > _t20) {
					L6:
					_t10 = 0;
				} else {
					_t22 =  &((L".google.com")[_t9]);
					if(_t22 < L".google.com") {
						L5:
						_t10 = 1;
					} else {
						_t14 = _v8 + _v8 - _t22 + _t25;
						_v8 = _t14;
						while(1) {
							_t16 = CharLowerW( *(_t14 + _t22) & 0x0000ffff);
							if((_t16 & 0x0000ffff) != (CharLowerW( *_t22 & 0x0000ffff) & 0x0000ffff)) {
								goto L6;
							}
							_t14 = _v8;
							_t22 = _t22 - 2;
							if(_t22 >= L".google.com") {
								continue;
							} else {
								goto L5;
							}
							goto L7;
						}
						goto L6;
					}
				}
				L7:
				return _t10;
			}

0x00dc7519
0x00dc7523
0x00dc7528
0x00dc752f
0x00dc7532
0x00dc7536
0x00dc7585
0x00dc7585
0x00dc7538
0x00dc7538
0x00dc7545
0x00dc7581
0x00dc7581
0x00dc7547
0x00dc754e
0x00dc7550
0x00dc7553
0x00dc755b
0x00dc7571
0x00000000
0x00000000
0x00dc7573
0x00dc7576
0x00dc757f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00dc757f
0x00000000
0x00dc7553
0x00dc7545
0x00dc7587
0x00dc758b

APIs

lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,00DCC2A1,?,?,?,00000000), ref: 00DC7526
lstrlenW.KERNEL32(.google.com,?,00DCC2A1,?,?,?,00000000), ref: 00DC7532
CharLowerW.USER32(?,?,00DCC2A1,?,?,?,00000000), ref: 00DC755B
CharLowerW.USER32(76EC69A0,?,00DCC2A1,?,?,?,00000000), ref: 00DC7565

Strings

.google.com, xrefs: 00DC752A, 00DC753F, 00DC7579

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CharLowerlstrlen
String ID: .google.com
API String ID: 1209591262-3181933784
Opcode ID: 3bb3dedd4077b77a1bed4dc12bb78a3165e099716474e39f950a2403a9009354
Instruction ID: 9b144a9e5b5f86fdfc32893a3b6388f2770e4ce8ad45ee2420f07ae2b8e72fae
Opcode Fuzzy Hash: 3bb3dedd4077b77a1bed4dc12bb78a3165e099716474e39f950a2403a9009354
Instruction Fuzzy Hash: 5601D122958328AFCB409FED9CC9AFA73F8DB0530035540AAE900C7311D5B4DD01AB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DC402F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00DC402F(void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				WCHAR* _t13;
				void* _t14;
				WCHAR* _t16;
				void* _t17;
				void* _t21;
				void* _t22;

				_t21 = __edi;
				_t17 = __ebx;
				_t22 = __ecx;
				_t26 =  *((char*)(__ecx + 8));
				if( *((char*)(__ecx + 8)) != 0) {
					L10:
					return _t13;
				} else {
					 *((char*)(__ecx + 8)) = 1;
					_t13 = E00DC40DE(__ecx, _t26);
					if( *(_t22 + 0x10) == 0) {
						goto L10;
					} else {
						if(_t13 != 0) {
							 *((char*)(_t22 + 0xa)) = 1;
						}
						_t14 = E00DC470B(_t22);
						_t29 = _t14;
						if(_t14 != 0) {
							_t13 = E00DC41A3(_t17, _t22, _t21, _t22, __eflags);
							__eflags =  *(_t22 + 0x18);
							if(__eflags == 0) {
								_push( *((intOrPtr*)(_t22 + 0x14)));
								_push( *((intOrPtr*)(_t22 + 0x1c)));
								_push(L"LOG_SYSTEM: [%s]: Could not create logging file %s\n");
								_t13 = E00DC6CB8(__eflags);
								OutputDebugStringW(_t13);
							}
							__eflags =  *(_t22 + 0x10);
							 *((char*)(_t22 + 9)) = 1;
							if( *(_t22 + 0x10) != 0) {
								return ReleaseMutex( *(_t22 + 0x10));
							}
							goto L10;
						} else {
							_push( *((intOrPtr*)(_t22 + 0xc)));
							_push( *((intOrPtr*)(_t22 + 0x1c)));
							_push(L"LOG_SYSTEM: [%s]: Could not acquire logging mutex %s\n");
							_t16 = E00DC6CB8(_t29);
							OutputDebugStringW(_t16);
							return _t16;
						}
					}
				}
			}

0x00dc402f
0x00dc402f
0x00dc4030
0x00dc4032
0x00dc4036
0x00dc40b1
0x00dc40b1
0x00dc4038
0x00dc4038
0x00dc403c
0x00dc4045
0x00000000
0x00dc4047
0x00dc4049
0x00dc404b
0x00dc404b
0x00dc4051
0x00dc4056
0x00dc4058
0x00dc4078
0x00dc407d
0x00dc4081
0x00dc4083
0x00dc4086
0x00dc4089
0x00dc408e
0x00dc4097
0x00dc4097
0x00dc409d
0x00dc40a1
0x00dc40a5
0x00000000
0x00dc40aa
0x00000000
0x00dc405a
0x00dc405a
0x00dc405d
0x00dc4060
0x00dc4065
0x00dc406e
0x00dc4075
0x00dc4075
0x00dc4058
0x00dc4045

APIs

Part of subcall function 00DC40DE: GetLastError.KERNEL32(00DF3FAC,?,00000000), ref: 00DC4173

OutputDebugStringW.KERNEL32(00000000), ref: 00DC406E

Part of subcall function 00DC41A3: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000000,00000080,00000000), ref: 00DC4219

ReleaseMutex.KERNEL32(00000000,?,00DC459F), ref: 00DC40AA

Part of subcall function 00DC6CB8: wvsprintfW.USER32(00000000,00000000,00000001), ref: 00DC6D50

OutputDebugStringW.KERNEL32(00000000), ref: 00DC4097

Strings

LOG_SYSTEM: [%s]: Could not create logging file %s, xrefs: 00DC4089
LOG_SYSTEM: [%s]: Could not acquire logging mutex %s, xrefs: 00DC4060

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputString$CreateErrorFileLastMutexReleasewvsprintf
String ID: LOG_SYSTEM: [%s]: Could not acquire logging mutex %s$LOG_SYSTEM: [%s]: Could not create logging file %s
API String ID: 1265178759-2023621912
Opcode ID: ed3b3c90a020e95cbe7d1b9714830b6bc6c12eb0ffc5642eca1daa31cadc7559
Instruction ID: 09bc9844fb5d406cc56c0bfae547d26afd580c77ab34baf2edec02ad01daf256
Opcode Fuzzy Hash: ed3b3c90a020e95cbe7d1b9714830b6bc6c12eb0ffc5642eca1daa31cadc7559
Instruction Fuzzy Hash: 5501DF30440B429FDF353B64A828F467BF1AF10304F08884CE682035A2CBB6989DD7B6

Uniqueness

Uniqueness Score: -1.00%

Function 00DD3E8E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E00DD3E8E(intOrPtr _a4) {
				char _v16;
				signed int _v20;
				signed int _t11;
				int _t14;
				void* _t16;
				void* _t20;
				int _t22;
				signed int _t23;

				_t11 =  *0xdf8008; // 0x9fa9e963
				 *[fs:0x0] =  &_v16;
				_v20 = _v20 & 0x00000000;
				_t14 =  &_v20;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t14, _t11 ^ _t23, _t20, _t16,  *[fs:0x0], 0xde644d, 0xffffffff);
				if(_t14 != 0) {
					_t14 = GetProcAddress(_v20, "CorExitProcess");
					_t22 = _t14;
					if(_t22 != 0) {
						 *0xde7348(_a4);
						_t14 =  *_t22();
					}
				}
				if(_v20 != 0) {
					_t14 = FreeLibrary(_v20);
				}
				 *[fs:0x0] = _v16;
				return _t14;
			}

0x00dd3ea3
0x00dd3eae
0x00dd3eb4
0x00dd3eb8
0x00dd3ec3
0x00dd3ecb
0x00dd3ed5
0x00dd3edb
0x00dd3edf
0x00dd3ee6
0x00dd3eec
0x00dd3eec
0x00dd3edf
0x00dd3ef2
0x00dd3ef7
0x00dd3ef7
0x00dd3f00
0x00dd3f0a

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9FA9E963,?,?,00000000,00DE644D,000000FF,?,00DD3E61,?,?,00DD3E35,00000022), ref: 00DD3EC3
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DD3ED5
FreeLibrary.KERNEL32(00000000,?,00000000,00DE644D,000000FF,?,00DD3E61,?,?,00DD3E35,00000022), ref: 00DD3EF7

Strings

CorExitProcess, xrefs: 00DD3ECD
mscoree.dll, xrefs: 00DD3EBC

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bfaa38237c7ca921a3fcd896dc9fc6f8ab80407810857a44f87c0229281b91e6
Instruction ID: b957302c3cf1cc5e90e12cef1684c516771e8c4411a7ec808f109f279373142f
Opcode Fuzzy Hash: bfaa38237c7ca921a3fcd896dc9fc6f8ab80407810857a44f87c0229281b91e6
Instruction Fuzzy Hash: 59018F31A04799AFCB01AB91DC05FAEBBB8FB04B10F040629F821E23D0DB749904CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00DDDB60 Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00DDDB60(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebp;
				signed int _t41;
				intOrPtr _t46;
				signed int _t49;
				void* _t53;
				signed int _t57;
				void* _t63;
				intOrPtr _t65;
				void* _t66;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t72;
				intOrPtr* _t92;
				intOrPtr* _t95;
				intOrPtr* _t97;
				signed int _t98;
				void* _t99;
				intOrPtr* _t100;
				intOrPtr* _t102;
				void* _t105;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t41 ^ _t98;
				_t72 = _a20;
				if(_t72 > 0) {
					_t70 = E00DE0DED(_a16, _t72);
					_t105 = _t70 - _t72;
					_t4 = _t70 + 1; // 0x1
					_t72 = _t4;
					if(_t105 >= 0) {
						_t72 = _t70;
					}
				}
				_t76 = _a32;
				if(_a32 == 0) {
					_t69 =  *((intOrPtr*)( *_a4 + 8));
					_t76 = _t69;
					_a32 = _t69;
				}
				_t46 = E00DDA532(_t76, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t72, 0, 0);
				_t100 = _t99 + 0x18;
				_v12 = _t46;
				if(_t46 == 0) {
					L41:
					return E00DCF35B(_v8 ^ _t98);
				} else {
					_t16 = _t46 + _t46 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t46 + _t46 & _t16;
					if(_t49 == 0) {
						_t95 = 0;
						L39:
						_t74 = 0;
						L40:
						E00DDBE40(_t95);
						goto L41;
					}
					if(_t49 > 0x400) {
						_t92 = E00DD9617(_t49);
						if(_t92 == 0) {
							L13:
							_t95 = _t92;
							if(_t92 == 0) {
								goto L39;
							}
							_t53 = E00DDA532(_a32, 1, _a16, _t72, _t92, _v12);
							_t102 = _t100 + 0x18;
							if(_t53 == 0) {
								goto L39;
							}
							_t96 = _v12;
							_t74 = E00DDAAE0(_a8, _a12, _t92, _v12, 0, 0, 0, 0, 0);
							if(_t74 == 0) {
								L19:
								_t95 = _t92;
								goto L39;
							}
							if((_a12 & 0x00000400) == 0) {
								_t31 = _t74 + _t74 + 8; // 0x8
								asm("sbb eax, eax");
								_t57 = _t74 + _t74 & _t31;
								if(_t57 == 0) {
									_t97 = 0;
									L37:
									E00DDBE40(_t97);
									goto L19;
								}
								if(_t57 > 0x400) {
									_t97 = E00DD9617(_t57);
									if(_t97 == 0) {
										goto L37;
									}
									 *_t97 = 0xdddd;
									L28:
									_t97 = _t97 + 8;
									if(_t97 == 0 || E00DDAAE0(_a8, _a12, _t92, _v12, _t97, _t74, 0, 0, 0) == 0) {
										goto L37;
									} else {
										_push(0);
										_push(0);
										if(_a28 != 0) {
											_push(_a28);
											_push(_a24);
										} else {
											_push(0);
											_push(0);
										}
										_push(_t74);
										_push(_t97);
										_push(0);
										_push(_a32);
										_t63 = E00DDA5AE();
										_t74 = _t63;
										if(_t63 == 0) {
											goto L37;
										} else {
											E00DDBE40(_t97);
											L34:
											_t95 = _t92;
											goto L40;
										}
									}
								}
								E00DE3B80();
								_t97 = _t102;
								if(_t97 == 0) {
									goto L37;
								}
								 *_t97 = 0xcccc;
								goto L28;
							}
							_t65 = _a28;
							if(_t65 == 0) {
								goto L34;
							}
							if(_t74 <= _t65) {
								_t66 = E00DDAAE0(_a8, _a12, _t92, _t96, _a24, _t65, 0, 0, 0);
								_t74 = _t66;
								if(_t66 != 0) {
									goto L34;
								}
							}
							goto L19;
						}
						 *_t92 = 0xdddd;
						L12:
						_t92 = _t92 + 8;
						goto L13;
					}
					E00DE3B80();
					_t92 = _t100;
					if(_t92 == 0) {
						goto L13;
					}
					 *_t92 = 0xcccc;
					goto L12;
				}
			}

0x00dddb65
0x00dddb66
0x00dddb67
0x00dddb6e
0x00dddb72
0x00dddb79
0x00dddb7f
0x00dddb85
0x00dddb88
0x00dddb88
0x00dddb8b
0x00dddb8d
0x00dddb8d
0x00dddb8b
0x00dddb8f
0x00dddb94
0x00dddb9b
0x00dddb9e
0x00dddba0
0x00dddba0
0x00dddbbc
0x00dddbc1
0x00dddbc4
0x00dddbc9
0x00dddd3c
0x00dddd4d
0x00dddbcf
0x00dddbd1
0x00dddbd6
0x00dddbd8
0x00dddbda
0x00dddd2f
0x00dddd31
0x00dddd31
0x00dddd33
0x00dddd34
0x00000000
0x00dddd3a
0x00dddbe5
0x00dddc00
0x00dddc05
0x00dddc10
0x00dddc10
0x00dddc14
0x00000000
0x00000000
0x00dddc27
0x00dddc2c
0x00dddc31
0x00000000
0x00000000
0x00dddc37
0x00dddc4e
0x00dddc52
0x00dddc6d
0x00dddc6d
0x00000000
0x00dddc6d
0x00dddc5c
0x00dddc99
0x00dddc9e
0x00dddca0
0x00dddca2
0x00dddd21
0x00dddd23
0x00dddd24
0x00000000
0x00dddd29
0x00dddca6
0x00dddcc1
0x00dddcc6
0x00000000
0x00000000
0x00dddcc8
0x00dddcce
0x00dddcce
0x00dddcd3
0x00000000
0x00dddcef
0x00dddcf1
0x00dddcf2
0x00dddcf6
0x00dddd19
0x00dddd1c
0x00dddcf8
0x00dddcf8
0x00dddcf9
0x00dddcf9
0x00dddcfa
0x00dddcfb
0x00dddcfc
0x00dddcfd
0x00dddd00
0x00dddd05
0x00dddd0c
0x00000000
0x00dddd0e
0x00dddd0f
0x00dddd15
0x00dddd15
0x00000000
0x00dddd15
0x00dddd0c
0x00dddcd3
0x00dddca8
0x00dddcad
0x00dddcb1
0x00000000
0x00000000
0x00dddcb3
0x00000000
0x00dddcb3
0x00dddc5e
0x00dddc63
0x00000000
0x00000000
0x00dddc6b
0x00dddc85
0x00dddc8a
0x00dddc8e
0x00000000
0x00000000
0x00dddc94
0x00000000
0x00dddc6b
0x00dddc07
0x00dddc0d
0x00dddc0d
0x00000000
0x00dddc0d
0x00dddbe7
0x00dddbec
0x00dddbf0
0x00000000
0x00000000
0x00dddbf2
0x00000000
0x00dddbf2

APIs

__alloca_probe_16.LIBCMT ref: 00DDDBE7
__alloca_probe_16.LIBCMT ref: 00DDDCA8
__freea.LIBCMT ref: 00DDDD0F

Part of subcall function 00DD9617: HeapAlloc.KERNEL32(00000000,00DDA030,?,?,00DDA030,00000220,?,?,?), ref: 00DD9649

__freea.LIBCMT ref: 00DDDD24
__freea.LIBCMT ref: 00DDDD34

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 51e81bff16e557a2aa36c745f689c6fb96380ebf48055e4fecca67d7677cdafa
Instruction ID: fed52ab1643e84740bb4611706a1ba3c3cb30ae408822f9e7baea15c9c9a4213
Opcode Fuzzy Hash: 51e81bff16e557a2aa36c745f689c6fb96380ebf48055e4fecca67d7677cdafa
Instruction Fuzzy Hash: F3518F7260021AABEF219FA8CC81EBB7AABDB48354F19052AFD04D7351E671CD50C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DCEA19 Relevance: 7.7, APIs: 5, Instructions: 157
filethreadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00DCEA19(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12, void* _a16) {
				signed int _v12;
				void* _v24;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* _v44;
				char* _v48;
				long _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				signed int _v68;
				void* _v72;
				char* _v76;
				char _v80;
				long _v84;
				intOrPtr _v88;
				void* _v92;
				char _v116;
				struct _MEMORY_BASIC_INFORMATION _v144;
				void* __ebp;
				signed int _t74;
				void* _t79;
				signed int _t82;
				intOrPtr* _t83;
				long _t85;
				signed int _t88;
				void* _t94;
				intOrPtr _t95;
				void* _t97;
				intOrPtr _t99;
				signed int _t100;
				void* _t103;
				void* _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t111;
				intOrPtr _t119;
				void* _t121;
				intOrPtr _t124;
				intOrPtr _t127;
				signed int _t131;
				void* _t134;
				void* _t135;
				void* _t136;
				signed int _t137;
				void* _t145;
				void* _t147;

				_t74 =  *0xdf8008; // 0x9fa9e963
				_v12 = _t74 ^ _t137;
				_t131 = _a8;
				_t103 = 0;
				_t127 = __ecx;
				_v68 = _t131;
				_v40 = __ecx;
				_v44 = _a16;
				if( *((intOrPtr*)(__ecx + 0x68)) != 0) {
					_t79 = CreateFileW( *(__ecx + 0x60), 0x40000000, 0, 0, 1, 0x80, 0);
					_v72 = _t79;
					if(_t79 != 0xffffffff) {
						_v92 = _a4;
						_v88 = _t131;
						_v84 = 0;
						_v52 = 0;
						_v48 =  &_v116;
						_v32 = 3;
						GetCurrentThreadId();
						_t109 = _v52;
						_t82 = _t109 * 0xc;
						_t110 = _t109 + 1;
						_v52 = _t110;
						 *((intOrPtr*)(_t137 + _t82 - 0x68)) =  &_v32;
						_t124 = _a12;
						 *((intOrPtr*)(_t137 + _t82 - 0x70)) = 0x47670001;
						 *((intOrPtr*)(_t137 + _t82 - 0x6c)) = 0xc;
						if(_t124 != 0) {
							_t100 = _t110 * 0xc;
							 *((intOrPtr*)(_t137 + _t100 - 0x70)) = 0x47670002;
							 *((intOrPtr*)(_t137 + _t100 - 0x6c)) = 0x308;
							 *((intOrPtr*)(_t137 + _t100 - 0x68)) = _t124;
							_v52 = _t110 + 1;
						}
						if(_t131 != 0) {
							_t135 =  *( *((intOrPtr*)(_t131 + 4)) + 0xb8);
							_v24 = _t135;
							if(VirtualQueryEx(_v44, _t135,  &_v144, 0x1c) != 0 && _v144.State == 0x1000) {
								_t94 = _v144.BaseAddress;
								_t136 = _t135 + 0xffffff80;
								_t119 = _t103;
								asm("cdq");
								asm("adc ecx, 0xffffffff");
								_v64 = _t124;
								_t145 = _t124 - _t119;
								if(_t145 > 0 || _t145 >= 0 && _t94 >= _t136) {
									_t136 = _t94;
								} else {
									_t124 = _t119;
								}
								_t121 = _v144.RegionSize + _t94;
								_t95 = 0;
								asm("adc eax, [ebp-0x3c]");
								_v36 = _t95;
								_t97 = _v24 + 0x80;
								asm("adc edi, ebx");
								_t147 = _v36 - _t103;
								_t127 = _v40;
								if(_t147 > 0 || _t147 >= 0 && _t121 >= _t97) {
									_t121 = _t97;
								}
								_t99 =  *((intOrPtr*)( *((intOrPtr*)(_t127 + 0xc0))));
								 *(_t99 + 8) = _t136;
								 *((intOrPtr*)(_t99 + 0xc)) = _t124;
								 *((intOrPtr*)(_t99 + 0x10)) = _t121 - _t136;
							}
						}
						_t111 =  *((intOrPtr*)(_t127 + 0xc0));
						_v60 = _t103;
						_t83 =  *_t111;
						_v60 = _t83;
						_v56 = _t111;
						if(( *(_t83 + 8) |  *(_t83 + 0xc)) == 0) {
							_v60 =  *_t83;
						}
						_t104 = _v44;
						_v80 = E00DCE9B3;
						_v76 =  &_v60;
						_t85 = GetProcessId(_t104);
						asm("sbb ecx, ecx");
						_t134 = _v72;
						_t88 =  ~( *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x68))))(_t104, _t85, _t134,  *((intOrPtr*)(_v40 + 0x6c)),  ~_v68 &  &_v92,  &_v52,  &_v80) - 1);
						asm("sbb al, al");
						_t72 = _t88 + 1; // 0x0
						_t103 = _t72;
						CloseHandle(_t134);
					}
				}
				return E00DCF35B(_v12 ^ _t137);
			}

0x00dcea22
0x00dcea29
0x00dcea31
0x00dcea34
0x00dcea37
0x00dcea39
0x00dcea3c
0x00dcea3f
0x00dcea45
0x00dcea5d
0x00dcea63
0x00dcea69
0x00dcea75
0x00dcea78
0x00dcea7b
0x00dcea7e
0x00dcea81
0x00dcea84
0x00dcea8b
0x00dcea91
0x00dcea97
0x00dcea9a
0x00dcea9b
0x00dcea9e
0x00dceaa2
0x00dceaa5
0x00dceaad
0x00dceab7
0x00dceab9
0x00dceabc
0x00dceac4
0x00dceacc
0x00dcead3
0x00dcead3
0x00dcead8
0x00dceae3
0x00dceaf4
0x00dceaff
0x00dceb0a
0x00dceb10
0x00dceb13
0x00dceb15
0x00dceb16
0x00dceb19
0x00dceb1c
0x00dceb1e
0x00dceb2a
0x00dceb26
0x00dceb26
0x00dceb26
0x00dceb31
0x00dceb35
0x00dceb36
0x00dceb39
0x00dceb3f
0x00dceb44
0x00dceb46
0x00dceb49
0x00dceb4c
0x00dceb54
0x00dceb54
0x00dceb5e
0x00dceb60
0x00dceb63
0x00dceb66
0x00dceb66
0x00dceaff
0x00dceb69
0x00dceb6f
0x00dceb72
0x00dceb74
0x00dceb77
0x00dceb80
0x00dceb84
0x00dceb84
0x00dceb8d
0x00dceb97
0x00dceb9e
0x00dceba1
0x00dcebb7
0x00dcebbd
0x00dcebc6
0x00dcebc9
0x00dcebcb
0x00dcebcb
0x00dcebce
0x00dcebce
0x00dcea69
0x00dcebe4

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 00DCEA5D
GetCurrentThreadId.KERNEL32 ref: 00DCEA8B
VirtualQueryEx.KERNEL32(?,?,?,0000001C,?,?), ref: 00DCEAF7
GetProcessId.KERNEL32(?,?,?), ref: 00DCEBA1
CloseHandle.KERNEL32(?,?,?), ref: 00DCEBCE

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CloseCreateCurrentFileHandleProcessQueryThreadVirtual
String ID:
API String ID: 1837238986-0
Opcode ID: 17955bc7b2974d66f8bcb1a6a5346ea458e4f6dcc86ba43ed4ed6c6636072e90
Instruction ID: 87163b5e17e60e8532e8fbded28d5d3fdc3b1f82fc6f2463b68594667dc740e2
Opcode Fuzzy Hash: 17955bc7b2974d66f8bcb1a6a5346ea458e4f6dcc86ba43ed4ed6c6636072e90
Instruction Fuzzy Hash: 6C51F5B1A0021A9FDB14CFA8D884AADBBB5FF48314F14456EE816EB390D770AD45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2C7E Relevance: 7.6, APIs: 5, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC2C7E(void* __ecx) {
				int _v8;
				int _v12;
				short _v16;
				void* _v20;
				void* _v24;
				struct _ACL* _v28;
				struct _ACL* _v32;
				void* _t33;
				void* _t37;
				void* _t62;

				_t62 = __ecx;
				if( *(__ecx + 4) == 0) {
					return _t33;
				}
				_v16 = _v16 & 0x00000000;
				if(GetSecurityDescriptorControl( *(__ecx + 4),  &_v16,  &_v32) != 0 && (_v16 & 0x00008000) == 0) {
					GetSecurityDescriptorOwner( *(_t62 + 4),  &_v20,  &_v8);
					E00DD3557(_v20);
					GetSecurityDescriptorGroup( *(_t62 + 4),  &_v24,  &_v8);
					E00DD3557(_v24);
					GetSecurityDescriptorDacl( *(_t62 + 4),  &_v12,  &_v28,  &_v8);
					if(_v12 != 0) {
						E00DD3557(_v28);
					}
					GetSecurityDescriptorSacl( *(_t62 + 4),  &_v12,  &_v32,  &_v8);
					if(_v12 != 0) {
						E00DD3557(_v32);
					}
				}
				_t37 = E00DD3557( *(_t62 + 4));
				 *(_t62 + 4) =  *(_t62 + 4) & 0x00000000;
				return _t37;
			}

0x00dc2c85
0x00dc2c8b
0x00dc2d42
0x00dc2d42
0x00dc2c91
0x00dc2ca8
0x00dc2cc2
0x00dc2ccb
0x00dc2cdc
0x00dc2ce5
0x00dc2cfa
0x00dc2d04
0x00dc2d09
0x00dc2d0e
0x00dc2d1e
0x00dc2d28
0x00dc2d2d
0x00dc2d32
0x00dc2d28
0x00dc2d36
0x00dc2d3b
0x00000000

APIs

GetSecurityDescriptorControl.ADVAPI32(00000000,00000000,?,00000000), ref: 00DC2CA0
GetSecurityDescriptorOwner.ADVAPI32(00000000,?,00DC5C00), ref: 00DC2CC2
GetSecurityDescriptorGroup.ADVAPI32(00000000,?,00DC5C00), ref: 00DC2CDC
GetSecurityDescriptorDacl.ADVAPI32(00000000,?,?,00DC5C00), ref: 00DC2CFA
GetSecurityDescriptorSacl.ADVAPI32(00000000,00000000,?,00DC5C00), ref: 00DC2D1E

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DescriptorSecurity$ControlDaclGroupOwnerSacl
String ID:
API String ID: 1158139820-0
Opcode ID: 4e7d0bf892662bcec48275b3017fc316eac40d691906fedf94fa087cdc2950c2
Instruction ID: dd08a0baae19456eb9fc8c6e5aa78be63dd4c4c4fa83040c1bd0b3e6bc5cb8db
Opcode Fuzzy Hash: 4e7d0bf892662bcec48275b3017fc316eac40d691906fedf94fa087cdc2950c2
Instruction Fuzzy Hash: D421E972804209EFDB12EF94DD45EEFB7BDEF04301F14446AE516A15A0DB30AB48DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DCE8C1 Relevance: 7.5, APIs: 5, Instructions: 37
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DCE8C1(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				long* _t20;
				struct _CRITICAL_SECTION* _t22;
				void* _t23;

				_t23 = __ecx;
				_t22 = __ecx + 0x90;
				EnterCriticalSection(_t22);
				_t20 = 0;
				if( *((intOrPtr*)(_t23 + 0x88)) != 0) {
					 *((intOrPtr*)(_t23 + 0xb0)) = GetCurrentThreadId();
					 *((intOrPtr*)(_t23 + 0xb4)) = _a4;
					 *((intOrPtr*)(_t23 + 0xb8)) = _a8;
					ReleaseSemaphore( *(_t23 + 0xa8), 1, 0);
					WaitForSingleObject( *(_t23 + 0xac), 0xffffffff);
					 *((intOrPtr*)(_t23 + 0xb0)) = 0;
					 *((intOrPtr*)(_t23 + 0xb4)) = 0;
					 *((intOrPtr*)(_t23 + 0xb8)) = 0;
					_t20 =  *((intOrPtr*)(_t23 + 0xbc));
				}
				LeaveCriticalSection(_t22);
				return _t20;
			}

0x00dce8c6
0x00dce8c9
0x00dce8d0
0x00dce8d6
0x00dce8de
0x00dce8e7
0x00dce8f8
0x00dce901
0x00dce907
0x00dce915
0x00dce91b
0x00dce921
0x00dce927
0x00dce92d
0x00dce92d
0x00dce934
0x00dce940

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000001,?,00DCE610,?,00000000), ref: 00DCE8D0
GetCurrentThreadId.KERNEL32 ref: 00DCE8E0
ReleaseSemaphore.KERNEL32(?,00000001,00000000,?,00DCE610,?,00000000), ref: 00DCE907
WaitForSingleObject.KERNEL32(?,000000FF,?,00DCE610,?,00000000), ref: 00DCE915
LeaveCriticalSection.KERNEL32(?,?,00DCE610,?,00000000), ref: 00DCE934

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveObjectReleaseSemaphoreSingleThreadWait
String ID:
API String ID: 3216651733-0
Opcode ID: 667c2a8d7f64cf894cc7465bc3ccfff40b9f82b6d0f021c1967a5b10345c75f1
Instruction ID: 86cafdb0e26f1c935b963927d0b35b10777d12cf37f884bc533d81673828d472
Opcode Fuzzy Hash: 667c2a8d7f64cf894cc7465bc3ccfff40b9f82b6d0f021c1967a5b10345c75f1
Instruction Fuzzy Hash: C701E876508740AFD7A09F78D884BD6BBE9FB09210F00452EF5AEC6251CB712445DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7B75 Relevance: 7.5, APIs: 5, Instructions: 27
sleepCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00DC7B75(void* __ecx, intOrPtr _a4) {
				long _v8;
				void* _t6;
				struct _CRITICAL_SECTION* _t13;

				_push(__ecx);
				_t13 = __ecx + 4;
				if(TryEnterCriticalSection(_t13) != 0) {
					L5:
					_t6 = 1;
				} else {
					_v8 = GetTickCount();
					while(1) {
						Sleep(0);
						if(TryEnterCriticalSection(_t13) != 0) {
							goto L5;
						}
						if(GetTickCount() - _v8 < _a4) {
							continue;
						} else {
							_t6 = 0;
						}
						goto L6;
					}
					goto L5;
				}
				L6:
				return _t6;
			}

0x00dc7b78
0x00dc7b7a
0x00dc7b86
0x00dc7bb6
0x00dc7bb6
0x00dc7b88
0x00dc7b8e
0x00dc7b91
0x00dc7b93
0x00dc7ba2
0x00000000
0x00000000
0x00dc7bb0
0x00000000
0x00dc7bb2
0x00dc7bb2
0x00dc7bb2
0x00000000
0x00dc7bb0
0x00000000
0x00dc7b91
0x00dc7bb8
0x00dc7bba

APIs

TryEnterCriticalSection.KERNEL32(?,?,?,?,00DC3B81,00000000,00000000,00000000,?,?,?,?,?,?,00DC15F8,?), ref: 00DC7B7E
GetTickCount.KERNEL32 ref: 00DC7B88
Sleep.KERNEL32(00000000,?,00DC3B81,00000000,00000000,00000000,?,?,?,?,?,?,00DC15F8,?,?,?), ref: 00DC7B93
TryEnterCriticalSection.KERNEL32(?,?,00DC3B81,00000000,00000000,00000000,?,?,?,?,?,?,00DC15F8,?,?,?), ref: 00DC7B9A
GetTickCount.KERNEL32 ref: 00DC7BA4

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: CountCriticalEnterSectionTick$Sleep
String ID:
API String ID: 1544504822-0
Opcode ID: c67fbf259612597fe56bbef36ad7046e334544d72e703639ccd06286e6a0a490
Instruction ID: b8a39403965192bfac0cbdbeb25f602ae99fb4a62b7b724e815ac8570cfbc88a
Opcode Fuzzy Hash: c67fbf259612597fe56bbef36ad7046e334544d72e703639ccd06286e6a0a490
Instruction Fuzzy Hash: 50E06531108316BBCB40AF61DD89E9E3BA9EF01345B101084ED01DF214E7309E02DFB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DCCA5A Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00DCCA5A(intOrPtr* __ecx, intOrPtr* _a4, char _a8, void* _a12, intOrPtr* _a20) {
				intOrPtr* _v0;
				char _v12;
				signed int _v16;
				void* _v20;
				intOrPtr* _v24;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr _t76;
				intOrPtr* _t82;
				intOrPtr* _t84;
				intOrPtr* _t88;
				void* _t90;
				intOrPtr* _t92;
				intOrPtr* _t96;
				intOrPtr* _t97;
				void* _t117;
				intOrPtr* _t119;
				signed int _t125;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr* _t134;
				intOrPtr* _t137;
				char _t138;
				intOrPtr* _t140;
				void* _t144;
				void* _t145;

				_t121 = __ecx;
				_t76 =  *((intOrPtr*)(__ecx + 4));
				if(_t76 >= 0x4ec4ec3) {
					E00DCCA4B(_a20);
					_push("map/set<T> too long");
					E00DD017C();
					asm("int3");
					_t145 = _t144 - 0xc;
					_t117 =  *_t121;
					_t125 = 1;
					_v24 = _t121;
					_v20 = 1;
					_t137 =  *((intOrPtr*)(_t117 + 4));
					if( *((char*)(_t137 + 0xd)) == 0) {
						do {
							_t51 = _t137 + 0x10; // 0x10
							_t117 = _t137;
							_t90 = E00DE3EC9(_a8, _t51, 0x10);
							_t145 = _t145 + 0xc;
							_t125 = _t125 & 0xffffff00 | _t90 < 0x00000000;
							_v16 = _t125;
							if(_t90 >= 0) {
								_t137 =  *((intOrPtr*)(_t137 + 8));
							} else {
								_t137 =  *_t137;
							}
						} while ( *((char*)(_t137 + 0xd)) == 0);
						_t121 = _v20;
					}
					_t138 = _t117;
					_v12 = _t138;
					if(_t125 == 0) {
						L34:
						_t132 = _v0;
						_t67 = _t138 + 0x10; // 0x20
						if(E00DE3EC9(_t67, _a8, 0x10) >= 0) {
							E00DCC7C7(_t117, _a12, _t132);
							 *_t132 = _t138;
							 *((char*)(_t132 + 4)) = 0;
						} else {
							_push(_a12);
							_t84 = E00DCCA5A(_v20,  &_a12, _v16, _t117, _t121);
							 *((char*)(_t132 + 4)) = 1;
							 *_t132 =  *_t84;
						}
						_t82 = _t132;
					} else {
						if(_t117 !=  *((intOrPtr*)( *_t121))) {
							_t121 =  &_v12;
							E00DC1FFC( &_v12);
							_t138 = _v12;
							goto L34;
						} else {
							_push(_a12);
							_t88 = E00DCCA5A(_t121,  &_a12, 1, _t117, _t121);
							_t82 = _v0;
							 *_t82 =  *_t88;
							 *((char*)(_t82 + 4)) = 1;
						}
					}
					return _t82;
				} else {
					_push(_t136);
					_push(_t131);
					_t134 = _a20;
					 *((intOrPtr*)(__ecx + 4)) = _t76 + 1;
					_t92 = _a12;
					 *((intOrPtr*)(_t134 + 4)) = _t92;
					_t127 =  *__ecx;
					if(_t92 != _t127) {
						if(_a8 == 0) {
							 *((intOrPtr*)(_t92 + 8)) = _t134;
							_t128 =  *__ecx;
							if(_t92 ==  *((intOrPtr*)(_t128 + 8))) {
								 *((intOrPtr*)(_t128 + 8)) = _t134;
							}
						} else {
							 *_t92 = _t134;
							_t130 =  *__ecx;
							if(_t92 ==  *_t130) {
								 *_t130 = _t134;
							}
						}
					} else {
						 *((intOrPtr*)(_t127 + 4)) = _t134;
						 *((intOrPtr*)( *__ecx)) = _t134;
						 *((intOrPtr*)( *__ecx + 8)) = _t134;
					}
					_t12 = _t134 + 4; // 0xf89088b
					_t140 = _t134;
					if( *((char*)( *_t12 + 0xc)) == 0) {
						_push(_t116);
						do {
							_t14 = _t140 + 4; // 0xf89088b
							_t97 =  *_t14;
							_t119 =  *((intOrPtr*)(_t97 + 4));
							_t129 =  *_t119;
							if(_t97 != _t129) {
								if( *((char*)(_t129 + 0xc)) != 0) {
									if(_t140 ==  *_t97) {
										_t140 = _t97;
										E00DC2296(_t121, _t140);
									}
									_t34 = _t140 + 4; // 0xf89088b
									 *((char*)( *_t34 + 0xc)) = 1;
									_t36 = _t140 + 4; // 0xf89088b
									 *((char*)( *((intOrPtr*)( *_t36 + 4)) + 0xc)) = 0;
									_t39 = _t140 + 4; // 0xf89088b
									E00DC22DC(_t121,  *((intOrPtr*)( *_t39 + 4)));
								} else {
									goto L16;
								}
							} else {
								_t129 =  *((intOrPtr*)(_t119 + 8));
								if( *((char*)(_t129 + 0xc)) == 0) {
									L16:
									 *((char*)(_t97 + 0xc)) = 1;
									 *((char*)(_t129 + 0xc)) = 1;
									_t29 = _t140 + 4; // 0xf89088b
									 *((char*)( *((intOrPtr*)( *_t29 + 4)) + 0xc)) = 0;
									_t32 = _t140 + 4; // 0xf89088b
									_t140 =  *((intOrPtr*)( *_t32 + 4));
								} else {
									if(_t140 ==  *((intOrPtr*)(_t97 + 8))) {
										_t140 = _t97;
										E00DC22DC(_t121, _t140);
									}
									 *((char*)( *((intOrPtr*)(_t140 + 4)) + 0xc)) = 1;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t140 + 4)) + 4)) + 0xc)) = 0;
									E00DC2296(_t121,  *((intOrPtr*)( *((intOrPtr*)(_t140 + 4)) + 4)));
								}
							}
							_t41 = _t140 + 4; // 0xf89088b
						} while ( *((char*)( *_t41 + 0xc)) == 0);
					}
					 *((char*)( *((intOrPtr*)( *_t121 + 4)) + 0xc)) = 1;
					_t96 = _a4;
					 *_t96 = _t134;
					return _t96;
				}
			}

0x00dcca5a
0x00dcca5d
0x00dcca65
0x00dccb6a
0x00dccb6f
0x00dccb74
0x00dccb79
0x00dccb7d
0x00dccb81
0x00dccb83
0x00dccb86
0x00dccb89
0x00dccb8c
0x00dccb93
0x00dccb95
0x00dccb97
0x00dccb9a
0x00dccba0
0x00dccba5
0x00dccbaa
0x00dccbad
0x00dccbb2
0x00dccbb8
0x00dccbb4
0x00dccbb4
0x00dccbb4
0x00dccbbb
0x00dccbc1
0x00dccbc1
0x00dccbc4
0x00dccbc6
0x00dccbcb
0x00dccbfb
0x00dccbfc
0x00dccbff
0x00dccc12
0x00dccc35
0x00dccc3a
0x00dccc3c
0x00dccc14
0x00dccc14
0x00dccc23
0x00dccc28
0x00dccc2e
0x00dccc2e
0x00dccc40
0x00dccbcd
0x00dccbd1
0x00dccbf0
0x00dccbf3
0x00dccbf8
0x00000000
0x00dccbd3
0x00dccbd3
0x00dccbde
0x00dccbe5
0x00dccbe8
0x00dccbea
0x00dccbea
0x00dccbd1
0x00dccc46
0x00dcca6b
0x00dcca6b
0x00dcca6c
0x00dcca6d
0x00dcca71
0x00dcca74
0x00dcca77
0x00dcca7a
0x00dcca7e
0x00dcca92
0x00dccaa0
0x00dccaa3
0x00dccaa8
0x00dccaaa
0x00dccaaa
0x00dcca94
0x00dcca94
0x00dcca96
0x00dcca9a
0x00dcca9c
0x00dcca9c
0x00dcca9a
0x00dcca80
0x00dcca80
0x00dcca85
0x00dcca89
0x00dcca89
0x00dccaad
0x00dccab0
0x00dccab6
0x00dccabc
0x00dccabd
0x00dccabd
0x00dccabd
0x00dccac0
0x00dccac3
0x00dccac7
0x00dccb01
0x00dccb1f
0x00dccb21
0x00dccb24
0x00dccb24
0x00dccb29
0x00dccb2c
0x00dccb30
0x00dccb36
0x00dccb3a
0x00dccb40
0x00000000
0x00000000
0x00000000
0x00dccac9
0x00dccac9
0x00dccad0
0x00dccb03
0x00dccb03
0x00dccb07
0x00dccb0b
0x00dccb11
0x00dccb15
0x00dccb18
0x00dccad2
0x00dccad5
0x00dccad7
0x00dccada
0x00dccada
0x00dccae2
0x00dccaec
0x00dccaf6
0x00dccaf6
0x00dccad0
0x00dccb45
0x00dccb48
0x00dccb52
0x00dccb58
0x00dccb5c
0x00dccb5f
0x00dccb64
0x00dccb64

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00DCCB74
_memcmp.LIBVCRUNTIME ref: 00DCCBA0
_memcmp.LIBVCRUNTIME ref: 00DCCC08

Strings

map/set<T> too long, xrefs: 00DCCB6F

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: _memcmp$Xinvalid_argumentstd::_
String ID: map/set<T> too long
API String ID: 3765847870-1285458680
Opcode ID: 7cef8b6b1dd798612c26b255fde44d1e4d035345795573ec4ca7f81d7a8000ea
Instruction ID: 75504b713375509d47b60bf326e4db02272b5e4f4725b08b815e1d4e868c6bbc
Opcode Fuzzy Hash: 7cef8b6b1dd798612c26b255fde44d1e4d035345795573ec4ca7f81d7a8000ea
Instruction Fuzzy Hash: 3D716675A1024A9FCB11CF58C589F96FBE5AF15314F19D488EA889B362C371EC80CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA183 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 105
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DCA183(char __ecx, void* __edx, void* __eflags) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				void* _v40;
				char _v44;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t39;
				void* _t47;
				intOrPtr _t51;
				long _t53;
				intOrPtr _t54;
				signed int _t56;
				long _t81;
				signed int _t82;
				void* _t83;
				char _t84;

				_t75 = __edx;
				_v5 = __ecx;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				if(E00DC9D31( &_v32, __edx, 0, __eflags) < 0) {
					L14:
					_t81 = 1;
					__eflags = 1;
				} else {
					_t54 = _v28;
					if(_v32 == _t54) {
						goto L14;
					} else {
						E00DCB8E6(_t75);
						_t88 = _v5;
						_t39 = L"HKLM\\Software\\Google\\Update\\";
						if(_v5 == 0) {
							_t39 = L"HKCU\\Software\\Google\\Update\\";
						}
						E00DC189E( &_v12, _t75, _t88, _t39);
						E00DC189E( &_v16, _t75, _t88, L"uid");
						E00DC13C0(E00DC13C0(E00DC4860( &_v12, _t83, E00DC6413( &_v20,  &_v12,  &_v16)), _v20 - 0x10), _v16 - 0x10);
						_t84 = _v12;
						_t47 = E00DC86B2(_t84,  &_v12, _t88);
						_t89 = _t47;
						if(_t47 != 0) {
							_v44 = 0xdf41c0;
							_v40 = 0;
							_v36 = 0x200;
							_t81 = E00DC80D1( &_v44,  &_v12, __eflags, _t84, 1);
							__eflags = _t81;
							if(_t81 >= 0) {
								_t51 = _v32;
								_t82 = 0;
								_t56 = _t54 - _t51 >> 2;
								__eflags = _t56;
								if(_t56 == 0) {
									L10:
									__eflags = 0;
									_t81 = E00DCA2B7(_v5, 0, 0);
								} else {
									while(1) {
										_t53 = RegQueryValueExW(_v40,  *(_t51 + _t82 * 4), 0, 0, 0, 0);
										__eflags = _t53;
										if(_t53 == 0) {
											break;
										}
										_t51 = _v32;
										_t82 = _t82 + 1;
										__eflags = _t82 - _t56;
										if(_t82 < _t56) {
											continue;
										} else {
											goto L10;
										}
										goto L11;
									}
									_t81 = 0;
								}
							}
							L11:
							_v44 = 0xdf41c0;
							_t49 = E00DC7F74( &_v44);
						} else {
							_t81 = E00DCA2B7(_v5, 1, _t89);
						}
						_t33 = _t84 - 0x10; // -16
						E00DC13C0(_t49, _t33);
					}
				}
				E00DC51E9();
				return _t81;
			}

0x00dca183
0x00dca18e
0x00dca194
0x00dca197
0x00dca19a
0x00dca1a4
0x00dca2a5
0x00dca2a7
0x00dca2a7
0x00dca1aa
0x00dca1aa
0x00dca1b0
0x00000000
0x00dca1b6
0x00dca1b6
0x00dca1bb
0x00dca1bf
0x00dca1c4
0x00dca1c6
0x00dca1c6
0x00dca1cf
0x00dca1dc
0x00dca20b
0x00dca210
0x00dca215
0x00dca21a
0x00dca21c
0x00dca232
0x00dca239
0x00dca23c
0x00dca248
0x00dca24a
0x00dca24c
0x00dca24e
0x00dca251
0x00dca255
0x00dca258
0x00dca25a
0x00dca27c
0x00dca27f
0x00dca286
0x00dca25c
0x00dca25c
0x00dca26a
0x00dca270
0x00dca272
0x00000000
0x00000000
0x00dca274
0x00dca277
0x00dca278
0x00dca27a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00dca27a
0x00dca2a1
0x00dca2a1
0x00dca25a
0x00dca288
0x00dca28b
0x00dca292
0x00dca21e
0x00dca228
0x00dca228
0x00dca297
0x00dca29a
0x00dca29a
0x00dca1b0
0x00dca2ab
0x00dca2b6

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,uid,HKLM\Software\Google\Update\,?,HKLM\Software\Google\Update\,?,?), ref: 00DCA26A

Strings

HKCU\Software\Google\Update\, xrefs: 00DCA1C6, 00DCA1CB
uid, xrefs: 00DCA1D4
HKLM\Software\Google\Update\, xrefs: 00DCA18A, 00DCA1BF

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: QueryValue
String ID: HKCU\Software\Google\Update\$HKLM\Software\Google\Update\$uid
API String ID: 3660427363-1370543165
Opcode ID: 50551d686b9962a1148b2e9f742194ee587e93d345ad5748245bfe7e6419251e
Instruction ID: cb8b88d8f7aecfce8031d07d4e9e178bb5a52c877eacf0beb501dbed067c88cf
Opcode Fuzzy Hash: 50551d686b9962a1148b2e9f742194ee587e93d345ad5748245bfe7e6419251e
Instruction Fuzzy Hash: B131AF3190425FAACB00ABA4C891FEEFBB5EF90308F14115DE51267281DB719A4ACBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2E47 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00DC2E47(void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				struct _BY_HANDLE_FILE_INFORMATION _v60;
				void* __ebp;
				signed int _t6;
				void* _t26;
				signed int _t27;

				_t6 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t6 ^ _t27;
				_t26 = __ecx;
				if(__ecx != 0) {
					E00DD1190(__edi,  &_v60, 0, 0x34);
					__eflags = GetFileInformationByHandle(_t26,  &_v60);
					if(__eflags != 0) {
						__eflags = _v60.dwFileAttributes >> 0x0000000a & 0x00000001;
					} else {
						_push(GetLastError());
						_push(L"LOG_SYSTEM: ERROR - [::GetFileInformationByHandle failed][%d]");
						OutputDebugStringW(E00DC6CB8(__eflags));
						goto L1;
					}
				} else {
					L1:
				}
				return E00DCF35B(_v8 ^ _t27);
			}

0x00dc2e4d
0x00dc2e54
0x00dc2e58
0x00dc2e5c
0x00dc2e6a
0x00dc2e7d
0x00dc2e7f
0x00dc2ea3
0x00dc2e81
0x00dc2e87
0x00dc2e88
0x00dc2e95
0x00000000
0x00dc2e95
0x00dc2e5e
0x00dc2e5e
0x00dc2e5e
0x00dc2eb1

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 00DC2E77
GetLastError.KERNEL32(?,?), ref: 00DC2E81
OutputDebugStringW.KERNEL32(00000000,?,?), ref: 00DC2E95

Strings

LOG_SYSTEM: ERROR - [::GetFileInformationByHandle failed][%d], xrefs: 00DC2E88

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DebugErrorFileHandleInformationLastOutputString
String ID: LOG_SYSTEM: ERROR - [::GetFileInformationByHandle failed][%d]
API String ID: 2968764131-979073235
Opcode ID: 91b144314d4460890374c2147db58a6dd59aa1661867b850dba88adad2df610d
Instruction ID: cdbdb69bfcb4241630fad7a1bf10fb0ea14dda6c8bc80eabb5b007e1386e441e
Opcode Fuzzy Hash: 91b144314d4460890374c2147db58a6dd59aa1661867b850dba88adad2df610d
Instruction Fuzzy Hash: 34F06275A04309BBD714BBA4EC46FBE77ACEB14710F950019F901EB280EA70AA0597B5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8DBF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00DC8DBF() {
				void _v40;
				signed int _t5;
				signed int _t8;
				signed int _t12;
				intOrPtr* _t14;
				void* _t15;

				_t5 =  *0xdf8a90; // 0xffff
				if(_t5 == 0xffff) {
					_t14 = GetProcAddress(GetModuleHandleW(L"kernel32"), "GetNativeSystemInfo");
					_t8 = 0;
					if(_t14 != 0) {
						_t12 = 9;
						memset( &_v40, 0, _t12 << 2);
						 *_t14( &_v40, _t15);
						_t8 = _v40 & 0x0000ffff;
					}
					 *0xdf8a90 = _t8;
					return _t8;
				}
				return _t5;
			}

0x00dc8dc2
0x00dc8dcf
0x00dc8de8
0x00dc8dea
0x00dc8dee
0x00dc8df3
0x00dc8df7
0x00dc8dfd
0x00dc8dff
0x00dc8e03
0x00dc8e04
0x00000000
0x00dc8e04
0x00dc8e0a

APIs

GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,?,?,?,?,?,?,00DC8E7C), ref: 00DC8DD6
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DC8DE2

Strings

kernel32, xrefs: 00DC8DD1
GetNativeSystemInfo, xrefs: 00DC8DDC

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 1646373207-3846845290
Opcode ID: 5dc30dd6ec0ba433a7d11ad4c3a2174e0872353eb6474297b0528b0b52b99534
Instruction ID: 7337a3a43e0936873da95ba8d60879f2d0e295cd8cc5126491986b2b645bbefc
Opcode Fuzzy Hash: 5dc30dd6ec0ba433a7d11ad4c3a2174e0872353eb6474297b0528b0b52b99534
Instruction Fuzzy Hash: 3FE0E572A043055BCF10ABADD805CAB73E9AB88704B118436F601E7250EF71E94496B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3AF8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC3AF8(void* __eax) {
				void* _t5;
				void* _t12;

				_t5 = __eax;
				OutputDebugStringA("Unexpected exception in: omaha::Logging::InternalLogMessageMaskedVA\r\n");
				OutputDebugStringW( *(_t12 + 0x1c));
				OutputDebugStringW(L"\n\r");
				 *((intOrPtr*)(_t12 - 4)) = 0xfffffffe;
				 *[fs:0x0] =  *((intOrPtr*)(_t12 - 0x10));
				return _t5;
			}

0x00dc3af8
0x00dc3b00
0x00dc3b0f
0x00dc3b16
0x00dc3b18
0x00dc3b22
0x00dc3b2e

APIs

OutputDebugStringA.KERNEL32(Unexpected exception in: omaha::Logging::InternalLogMessageMaskedVA), ref: 00DC3B00
OutputDebugStringW.KERNEL32(?), ref: 00DC3B0F
OutputDebugStringW.KERNEL32(00DF3B88), ref: 00DC3B16

Strings

Unexpected exception in: omaha::Logging::InternalLogMessageMaskedVA, xrefs: 00DC3AFB

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputString
String ID: Unexpected exception in: omaha::Logging::InternalLogMessageMaskedVA
API String ID: 1166629820-3049550389
Opcode ID: 7e2767ba9bc68ab5a5bdeb57c739967cd39a0835a75ca4ce327596c0355d147b
Instruction ID: cc69164bd7d3bc984d0ab0f1d35a19042099f952aa6781081c2c1181c84f9468
Opcode Fuzzy Hash: 7e2767ba9bc68ab5a5bdeb57c739967cd39a0835a75ca4ce327596c0355d147b
Instruction Fuzzy Hash: 49D08C32A04359DFCB149F88E80299DBB30EB44730F01815BEA1293290973015128B60

Uniqueness

Uniqueness Score: -1.00%

Function 00DDDF41 Relevance: 6.3, APIs: 4, Instructions: 338
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00DDDF41(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v16;
				signed int _v20;
				char _v28;
				char _v35;
				signed char _v36;
				void _v44;
				long _v48;
				signed char* _v52;
				char _v53;
				long _v60;
				intOrPtr _v64;
				struct _OVERLAPPED* _v68;
				signed int _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				void _v92;
				long _v96;
				signed char* _v100;
				void* _v104;
				intOrPtr _v108;
				char _v112;
				int _v116;
				struct _OVERLAPPED* _v120;
				struct _OVERLAPPED* _v124;
				struct _OVERLAPPED* _v128;
				struct _OVERLAPPED* _v132;
				void* __ebp;
				signed int _t177;
				signed int _t178;
				signed int _t180;
				int _t186;
				signed char* _t190;
				signed char _t195;
				intOrPtr _t198;
				void* _t200;
				signed char* _t201;
				long _t205;
				intOrPtr _t210;
				void _t212;
				signed char* _t217;
				void* _t224;
				char _t227;
				struct _OVERLAPPED* _t229;
				void* _t238;
				signed int _t240;
				signed char* _t243;
				long _t246;
				intOrPtr _t247;
				signed char* _t248;
				void* _t258;
				intOrPtr _t265;
				struct _OVERLAPPED* _t267;
				signed int _t268;
				signed int _t273;
				intOrPtr* _t279;
				signed int _t281;
				signed int _t285;
				char _t286;
				long _t287;
				signed int _t291;
				signed char* _t292;
				void* _t296;
				struct _OVERLAPPED* _t297;
				signed int _t301;
				signed int _t303;
				struct _OVERLAPPED* _t304;
				signed char* _t307;
				intOrPtr* _t308;
				signed int _t310;
				long _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				void* _t315;
				void* _t316;
				void* _t317;

				_push(0xffffffff);
				_push(0xde64a4);
				_push( *[fs:0x0]);
				_t316 = _t315 - 0x74;
				_t177 =  *0xdf8008; // 0x9fa9e963
				_t178 = _t177 ^ _t314;
				_v20 = _t178;
				_push(_t178);
				 *[fs:0x0] =  &_v16;
				_t180 = _a8;
				_t307 = _a12;
				_t265 = _a20;
				_t268 = (_t180 & 0x0000003f) * 0x38;
				_t291 = _t180 >> 6;
				_v100 = _t307;
				_v64 = _t265;
				_v84 = _t291;
				_v72 = _t268;
				_v104 =  *((intOrPtr*)( *((intOrPtr*)(0xdf9720 + _t291 * 4)) + _t268 + 0x18));
				_v88 = _a16 + _t307;
				_t186 = GetConsoleOutputCP();
				_t318 =  *((char*)(_t265 + 0x14));
				_v116 = _t186;
				if( *((char*)(_t265 + 0x14)) == 0) {
					E00DD8A50(_t265, _t291, _t318);
				}
				_t308 = _a4;
				_v108 =  *((intOrPtr*)( *((intOrPtr*)(_t265 + 0xc)) + 8));
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t190 = _v100;
				_t292 = _t190;
				_v52 = _t292;
				if(_t190 < _v88) {
					_t301 = _v72;
					_t267 = 0;
					_v76 = 0;
					do {
						_v53 =  *_t292;
						_v68 = _t267;
						_v48 = 1;
						_t273 =  *(0xdf9720 + _v84 * 4);
						_v80 = _t273;
						if(_v108 != 0xfde9) {
							_t195 =  *((intOrPtr*)(_t301 + _t273 + 0x2d));
							__eflags = _t195 & 0x00000004;
							if((_t195 & 0x00000004) == 0) {
								_t273 =  *_t292 & 0x000000ff;
								_t198 =  *((intOrPtr*)( *((intOrPtr*)(_v64 + 0xc))));
								__eflags =  *((intOrPtr*)(_t198 + _t273 * 2)) - _t267;
								if( *((intOrPtr*)(_t198 + _t273 * 2)) >= _t267) {
									_push(_v64);
									_push(1);
									_push(_t292);
									goto L29;
								} else {
									_t217 =  &(_t292[1]);
									_v60 = _t217;
									__eflags = _t217 - _v88;
									if(_t217 >= _v88) {
										 *((char*)(_t301 + _v80 + 0x2e)) =  *_t292;
										 *( *(0xdf9720 + _v84 * 4) + _t301 + 0x2d) =  *( *(0xdf9720 + _v84 * 4) + _t301 + 0x2d) | 0x00000004;
										 *((intOrPtr*)(_t308 + 4)) = _v76 + 1;
									} else {
										_t224 = E00DDD48E(_t273, _t292,  &_v68, _t292, 2, _v64);
										_t317 = _t316 + 0x10;
										__eflags = _t224 - 0xffffffff;
										if(_t224 != 0xffffffff) {
											_t201 = _v60;
											goto L31;
										}
									}
								}
							} else {
								_push(_v64);
								_v36 =  *(_t301 + _t273 + 0x2e) & 0x000000fb;
								_t227 =  *_t292;
								_v35 = _t227;
								 *((char*)(_t301 + _t273 + 0x2d)) = _t227;
								_push(2);
								_push( &_v36);
								L29:
								_push( &_v68);
								_t200 = E00DDD48E(_t273, _t292);
								_t317 = _t316 + 0x10;
								__eflags = _t200 - 0xffffffff;
								if(_t200 != 0xffffffff) {
									_t201 = _v52;
									goto L31;
								}
							}
						} else {
							_t229 = _t267;
							_t279 = _t273 + 0x2e + _t301;
							while( *_t279 != _t267) {
								_t229 =  &(_t229->Internal);
								_t279 = _t279 + 1;
								if(_t229 < 5) {
									continue;
								}
								break;
							}
							_t303 = _v88 - _t292;
							_v48 = _t229;
							if(_t229 == 0) {
								_t73 = ( *_t292 & 0x000000ff) + 0xdf8788; // 0x0
								_t281 =  *_t73 + 1;
								_v80 = _t281;
								__eflags = _t281 - _t303;
								if(_t281 > _t303) {
									__eflags = _t303;
									if(_t303 <= 0) {
										goto L44;
									} else {
										_t310 = _v72;
										do {
											 *((char*)( *(0xdf9720 + _v84 * 4) + _t310 + _t267 + 0x2e)) =  *((intOrPtr*)(_t267 + _t292));
											_t267 =  &(_t267->Internal);
											__eflags = _t267 - _t303;
										} while (_t267 < _t303);
										goto L43;
									}
									L52:
								} else {
									_v132 = _t267;
									__eflags = _t281 - 4;
									_v128 = _t267;
									_v60 = _t292;
									_v48 = (_t281 == 4) + 1;
									_t238 = E00DE0A8D( &_v132,  &_v68,  &_v60, (_t281 == 4) + 1,  &_v132, _v64);
									_t317 = _t316 + 0x14;
									__eflags = _t238 - 0xffffffff;
									if(_t238 != 0xffffffff) {
										_t240 =  &(_v52[_v80]);
										__eflags = _t240;
										_t301 = _v72;
										goto L21;
									}
								}
							} else {
								_t285 = _v72;
								_t243 = _v80 + 0x2e + _t285;
								_v80 = _t243;
								_t246 =  *((char*)(( *_t243 & 0x000000ff) + 0xdf8788)) + 1;
								_v60 = _t246;
								_t247 = _t246 - _v48;
								_v76 = _t247;
								if(_t247 > _t303) {
									__eflags = _t303;
									if(_t303 > 0) {
										_t248 = _v52;
										_t311 = _v48;
										do {
											_t286 =  *((intOrPtr*)(_t267 + _t248));
											_t296 =  *(0xdf9720 + _v84 * 4) + _t285 + _t267;
											_t267 =  &(_t267->Internal);
											 *((char*)(_t296 + _t311 + 0x2e)) = _t286;
											_t285 = _v72;
											__eflags = _t267 - _t303;
										} while (_t267 < _t303);
										L43:
										_t308 = _a4;
									}
									L44:
									 *((intOrPtr*)(_t308 + 4)) =  *((intOrPtr*)(_t308 + 4)) + _t303;
								} else {
									_t287 = _v48;
									_t304 = _t267;
									_t312 = _v80;
									do {
										 *((char*)(_t314 + _t304 - 0x18)) =  *_t312;
										_t304 =  &(_t304->Internal);
										_t312 = _t312 + 1;
									} while (_t304 < _t287);
									_t305 = _v76;
									if(_v76 > 0) {
										E00DD0C10( &_v28 + _t287, _t292, _t305);
										_t287 = _v48;
										_t316 = _t316 + 0xc;
									}
									_t301 = _v72;
									_t297 = _t267;
									_t313 = _v84;
									do {
										 *( *((intOrPtr*)(0xdf9720 + _t313 * 4)) + _t301 + _t297 + 0x2e) = _t267;
										_t297 =  &(_t297->Internal);
									} while (_t297 < _t287);
									_t308 = _a4;
									_v112 =  &_v28;
									_v124 = _t267;
									_v120 = _t267;
									_v48 = (_v60 == 4) + 1;
									_t258 = E00DE0A8D( &_v124,  &_v68,  &_v112, (_v60 == 4) + 1,  &_v124, _v64);
									_t317 = _t316 + 0x14;
									if(_t258 != 0xffffffff) {
										_t240 =  &(_v52[_v76]);
										L21:
										_t201 = _t240 - 1;
										L31:
										_v52 = _t201 + 1;
										_t205 = E00DDA5AE(_v116, _t267,  &_v68, _v48,  &_v44, 5, _t267, _t267);
										_t316 = _t317 + 0x20;
										_v60 = _t205;
										if(_t205 != 0) {
											if(WriteFile(_v104,  &_v44, _t205,  &_v96, _t267) == 0) {
												L50:
												 *_t308 = GetLastError();
											} else {
												_t292 = _v52;
												_t210 =  *((intOrPtr*)(_t308 + 8)) + _t292 - _v100;
												_v76 = _t210;
												 *((intOrPtr*)(_t308 + 4)) = _t210;
												if(_v96 >= _v60) {
													if(_v53 != 0xa) {
														goto L38;
													} else {
														_t212 = 0xd;
														_v92 = _t212;
														if(WriteFile(_v104,  &_v92, 1,  &_v96, _t267) == 0) {
															goto L50;
														} else {
															if(_v96 >= 1) {
																 *((intOrPtr*)(_t308 + 8)) =  *((intOrPtr*)(_t308 + 8)) + 1;
																 *((intOrPtr*)(_t308 + 4)) =  *((intOrPtr*)(_t308 + 4)) + 1;
																_t292 = _v52;
																_v76 =  *((intOrPtr*)(_t308 + 4));
																goto L38;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L51;
						L38:
					} while (_t292 < _v88);
				}
				L51:
				 *[fs:0x0] = _v16;
				return E00DCF35B(_v20 ^ _t314);
				goto L52;
			}

0x00dddf46
0x00dddf48
0x00dddf53
0x00dddf54
0x00dddf57
0x00dddf5c
0x00dddf5e
0x00dddf64
0x00dddf68
0x00dddf6e
0x00dddf73
0x00dddf79
0x00dddf7c
0x00dddf7f
0x00dddf82
0x00dddf85
0x00dddf88
0x00dddf92
0x00dddf99
0x00dddfa1
0x00dddfa4
0x00dddfaa
0x00dddfae
0x00dddfb1
0x00dddfb5
0x00dddfb5
0x00dddfbd
0x00dddfc5
0x00dddfca
0x00dddfcb
0x00dddfcc
0x00dddfcd
0x00dddfd0
0x00dddfd2
0x00dddfd8
0x00dddfde
0x00dddfe1
0x00dddfe3
0x00dddfe6
0x00dddfef
0x00dddff5
0x00dddff8
0x00dddfff
0x00dde006
0x00dde009
0x00dde143
0x00dde147
0x00dde14a
0x00dde16d
0x00dde173
0x00dde175
0x00dde179
0x00dde1aa
0x00dde1ad
0x00dde1af
0x00000000
0x00dde17b
0x00dde17b
0x00dde17e
0x00dde181
0x00dde184
0x00dde2ce
0x00dde2dc
0x00dde2e5
0x00dde18a
0x00dde194
0x00dde199
0x00dde19c
0x00dde19f
0x00dde1a5
0x00000000
0x00dde1a5
0x00dde19f
0x00dde184
0x00dde14c
0x00dde153
0x00dde156
0x00dde159
0x00dde15b
0x00dde15e
0x00dde165
0x00dde167
0x00dde1b0
0x00dde1b3
0x00dde1b4
0x00dde1b9
0x00dde1bc
0x00dde1bf
0x00dde1c5
0x00000000
0x00dde1c5
0x00dde1bf
0x00dde00f
0x00dde012
0x00dde014
0x00dde016
0x00dde01a
0x00dde01b
0x00dde01f
0x00000000
0x00000000
0x00000000
0x00dde01f
0x00dde024
0x00dde026
0x00dde02b
0x00dde0eb
0x00dde0f2
0x00dde0f3
0x00dde0f6
0x00dde0f8
0x00dde2a8
0x00dde2aa
0x00000000
0x00dde2ac
0x00dde2ac
0x00dde2af
0x00dde2be
0x00dde2c2
0x00dde2c3
0x00dde2c3
0x00000000
0x00dde2c7
0x00000000
0x00dde0fe
0x00dde103
0x00dde106
0x00dde109
0x00dde10f
0x00dde118
0x00dde123
0x00dde128
0x00dde12b
0x00dde12e
0x00dde137
0x00dde137
0x00dde13a
0x00000000
0x00dde13a
0x00dde12e
0x00dde031
0x00dde034
0x00dde03a
0x00dde03c
0x00dde049
0x00dde04a
0x00dde04d
0x00dde050
0x00dde055
0x00dde279
0x00dde27b
0x00dde27d
0x00dde280
0x00dde283
0x00dde28f
0x00dde292
0x00dde294
0x00dde295
0x00dde299
0x00dde29c
0x00dde29c
0x00dde2a0
0x00dde2a0
0x00dde2a0
0x00dde2a3
0x00dde2a3
0x00dde05b
0x00dde05b
0x00dde05e
0x00dde060
0x00dde063
0x00dde065
0x00dde069
0x00dde06a
0x00dde06b
0x00dde06f
0x00dde074
0x00dde07e
0x00dde083
0x00dde086
0x00dde086
0x00dde089
0x00dde08c
0x00dde08e
0x00dde091
0x00dde09a
0x00dde09e
0x00dde09f
0x00dde0a6
0x00dde0ac
0x00dde0b4
0x00dde0bf
0x00dde0c4
0x00dde0cf
0x00dde0d4
0x00dde0da
0x00dde0e3
0x00dde13d
0x00dde13d
0x00dde1c8
0x00dde1cd
0x00dde1df
0x00dde1e4
0x00dde1e7
0x00dde1ec
0x00dde207
0x00dde2ea
0x00dde2f0
0x00dde20d
0x00dde20d
0x00dde218
0x00dde21a
0x00dde21d
0x00dde226
0x00dde230
0x00000000
0x00dde232
0x00dde234
0x00dde236
0x00dde24f
0x00000000
0x00dde255
0x00dde259
0x00dde25f
0x00dde262
0x00dde268
0x00dde26b
0x00000000
0x00dde26b
0x00dde259
0x00dde24f
0x00dde230
0x00dde226
0x00dde207
0x00dde1ec
0x00dde0da
0x00dde055
0x00dde02b
0x00000000
0x00dde26e
0x00dde26e
0x00dde277
0x00dde2f2
0x00dde2f7
0x00dde30d
0x00000000

APIs

GetConsoleOutputCP.KERNEL32(9FA9E963,?,00000000,00000022), ref: 00DDDFA4

Part of subcall function 00DDA5AE: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00DDDD05,?,00000000,-00000008), ref: 00DDA65A

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DDE1FF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00DDE247
GetLastError.KERNEL32 ref: 00DDE2EA

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: ad13a9f3d889e63106302a982f12dd5ec1ff0dd28a005460da1a72ed01066a4a
Instruction ID: 8cd509a30725d5d94254082020e6905be89f13080a1aa670b6888ea370e31f39
Opcode Fuzzy Hash: ad13a9f3d889e63106302a982f12dd5ec1ff0dd28a005460da1a72ed01066a4a
Instruction Fuzzy Hash: BFD148B5E042589FCF15DFE8D880AADFBB9FF49310F18812AE855EB351D630A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DD1FC4 Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00DD1FC4(void* __eflags) {
				signed char* _t52;
				signed int _t53;
				signed int _t57;
				signed int _t60;
				intOrPtr _t70;
				signed int _t73;
				signed int _t77;
				signed char _t79;
				signed char _t82;
				signed int _t83;
				signed int _t84;
				signed char _t96;
				signed int* _t97;
				signed char* _t99;
				signed int _t104;
				void* _t108;

				E00DCFE60(0xdf6720, 0x10);
				_t73 = 0;
				_t52 =  *(_t108 + 0x10);
				_t79 = _t52[4];
				if(_t79 == 0 ||  *((intOrPtr*)(_t79 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t82 = _t52[8];
					if(_t82 != 0 ||  *_t52 < 0) {
						_t96 =  *_t52;
						_t104 =  *(_t108 + 0xc);
						if(_t96 >= 0) {
							_t104 = _t104 + 0xc + _t82;
						}
						 *(_t108 - 4) = _t73;
						_t99 =  *(_t108 + 0x14);
						if(_t96 >= 0 || ( *_t99 & 0x00000010) == 0) {
							L10:
							_t83 =  *(_t108 + 8);
							__eflags = _t96 & 0x00000008;
							if(__eflags == 0) {
								__eflags =  *_t99 & 0x00000001;
								if(( *_t99 & 0x00000001) == 0) {
									_t83 =  *(_t83 + 0x18);
									__eflags = _t99[0x18] - _t73;
									if(_t99[0x18] != _t73) {
										__eflags = _t83;
										if(__eflags == 0) {
											goto L32;
										} else {
											__eflags = _t104;
											if(__eflags == 0) {
												goto L32;
											} else {
												__eflags =  *_t99 & 0x00000004;
												_t77 = 0;
												_t73 = (_t77 & 0xffffff00 | ( *_t99 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t73;
												 *(_t108 - 0x20) = _t73;
												goto L29;
											}
										}
									} else {
										__eflags = _t83;
										if(__eflags == 0) {
											goto L32;
										} else {
											__eflags = _t104;
											if(__eflags == 0) {
												goto L32;
											} else {
												E00DD0690(_t104, E00DD2FEF(_t83,  &(_t99[8])), _t99[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t83 + 0x18);
									if(__eflags == 0) {
										goto L32;
									} else {
										__eflags = _t104;
										if(__eflags == 0) {
											goto L32;
										} else {
											E00DD0690(_t104,  *(_t83 + 0x18), _t99[0x14]);
											__eflags = _t99[0x14] - 4;
											if(_t99[0x14] == 4) {
												__eflags =  *_t104;
												if( *_t104 != 0) {
													_push( &(_t99[8]));
													_push( *_t104);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t83 =  *(_t83 + 0x18);
								goto L12;
							}
						} else {
							_t70 =  *0xdf924c; // 0x0
							 *((intOrPtr*)(_t108 - 0x1c)) = _t70;
							if(_t70 == 0) {
								goto L10;
							} else {
								 *0xde7348();
								_t83 =  *((intOrPtr*)(_t108 - 0x1c))();
								L12:
								if(_t83 == 0 || _t104 == 0) {
									L32:
									E00DD4C30(_t73, _t83, _t96, _t99, _t104, __eflags);
									asm("int3");
									E00DCFE60(0xdf6740, 8);
									_t97 =  *(_t108 + 0x10);
									_t84 =  *(_t108 + 0xc);
									__eflags =  *_t97;
									if(__eflags >= 0) {
										_t101 = _t84 + 0xc + _t97[2];
										__eflags = _t84 + 0xc + _t97[2];
									} else {
										_t101 = _t84;
									}
									 *(_t108 - 4) =  *(_t108 - 4) & 0x00000000;
									_t105 =  *(_t108 + 0x14);
									_push( *(_t108 + 0x14));
									_push(_t97);
									_push(_t84);
									_t75 =  *(_t108 + 8);
									_push( *(_t108 + 8));
									_t57 = E00DD1FC4(__eflags) - 1;
									__eflags = _t57;
									if(_t57 == 0) {
										_t60 = E00DD2CB4(_t101, _t105[0x18], E00DD2FEF( *((intOrPtr*)(_t75 + 0x18)),  &(_t105[8])));
									} else {
										_t60 = _t57 - 1;
										__eflags = _t60;
										if(_t60 == 0) {
											_t60 = E00DD2CC4(_t101, _t105[0x18], E00DD2FEF( *((intOrPtr*)(_t75 + 0x18)),  &(_t105[8])), 1);
										}
									}
									 *(_t108 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0x10));
									return _t60;
								} else {
									 *_t104 = _t83;
									_push( &(_t99[8]));
									_push(_t83);
									L21:
									 *_t104 = E00DD2FEF();
									L29:
									 *(_t108 - 4) = 0xfffffffe;
									_t53 = _t73;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x00dd1fcb
0x00dd1fd0
0x00dd1fd2
0x00dd1fd5
0x00dd1fda
0x00dd20ea
0x00dd20ea
0x00dd20ea
0x00000000
0x00dd1fe9
0x00dd1fe9
0x00dd1fee
0x00dd1ff8
0x00dd1ffa
0x00dd1fff
0x00dd2004
0x00dd2004
0x00dd2006
0x00dd2009
0x00dd200e
0x00dd2030
0x00dd2030
0x00dd2033
0x00dd2036
0x00dd2054
0x00dd2057
0x00dd2096
0x00dd2099
0x00dd209c
0x00dd20c1
0x00dd20c3
0x00000000
0x00dd20c5
0x00dd20c5
0x00dd20c7
0x00000000
0x00dd20c9
0x00dd20c9
0x00dd20ce
0x00dd20d2
0x00dd20d2
0x00dd20d3
0x00000000
0x00dd20d3
0x00dd20c7
0x00dd209e
0x00dd209e
0x00dd20a0
0x00000000
0x00dd20a2
0x00dd20a2
0x00dd20a4
0x00000000
0x00dd20a6
0x00dd20b7
0x00000000
0x00dd20bc
0x00dd20a4
0x00dd20a0
0x00dd2059
0x00dd2059
0x00dd205d
0x00000000
0x00dd2063
0x00dd2063
0x00dd2065
0x00000000
0x00dd206b
0x00dd2072
0x00dd207a
0x00dd207e
0x00dd2080
0x00dd2083
0x00dd2088
0x00dd2089
0x00000000
0x00dd2089
0x00dd2083
0x00000000
0x00dd207e
0x00dd2065
0x00dd205d
0x00dd2038
0x00dd2038
0x00000000
0x00dd2038
0x00dd2015
0x00dd2015
0x00dd201a
0x00dd201f
0x00000000
0x00dd2021
0x00dd2023
0x00dd202c
0x00dd203b
0x00dd203d
0x00dd20fc
0x00dd20fc
0x00dd2101
0x00dd2109
0x00dd210e
0x00dd2111
0x00dd2114
0x00dd2117
0x00dd2120
0x00dd2120
0x00dd2119
0x00dd2119
0x00dd2119
0x00dd2123
0x00dd2127
0x00dd212a
0x00dd212b
0x00dd212c
0x00dd212d
0x00dd2130
0x00dd2139
0x00dd2139
0x00dd213c
0x00dd2172
0x00dd213e
0x00dd213e
0x00dd213e
0x00dd2141
0x00dd2158
0x00dd2158
0x00dd2141
0x00dd2177
0x00dd2181
0x00dd218d
0x00dd204b
0x00dd204b
0x00dd2050
0x00dd2051
0x00dd208b
0x00dd2092
0x00dd20d6
0x00dd20d6
0x00dd20dd
0x00dd20ec
0x00dd20ef
0x00dd20fb
0x00dd20fb
0x00dd203d
0x00dd201f
0x00000000
0x00000000
0x00000000
0x00dd1fee

APIs

___AdjustPointer.LIBCMT ref: 00DD208B
___AdjustPointer.LIBCMT ref: 00DD20AE
___AdjustPointer.LIBCMT ref: 00DD214A

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 791f6eda1a5703f4219405cdaa1f085c1da9d0b14f5a8a875bbcddaf136b91f3
Instruction ID: 2b2c75fdea99ec7a2aacf5b8b507aab5550ac747936c83a737dd96e6736432b4
Opcode Fuzzy Hash: 791f6eda1a5703f4219405cdaa1f085c1da9d0b14f5a8a875bbcddaf136b91f3
Instruction Fuzzy Hash: D851D172601206AFEB298F54D881BBA77A5FF24310F28452FE90587781D732EC81D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC5AB2 Relevance: 6.2, APIs: 4, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00DC5AB2(struct _SECURITY_DESCRIPTOR* __ebx, DWORD* __ecx, void* __edi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				struct _SECURITY_DESCRIPTOR* _v24;
				void* _v28;
				long _v32;
				long _v36;
				short _v40;
				signed char _v60;
				void* __ebp;
				int _t58;
				struct _SECURITY_DESCRIPTOR* _t63;
				int _t68;
				long _t79;
				struct _ACL* _t85;
				struct _ACL* _t89;
				DWORD* _t95;
				intOrPtr* _t96;
				void* _t108;
				DWORD* _t110;
				DWORD* _t112;
				struct _ACL* _t115;
				intOrPtr* _t116;
				void* _t121;
				void* _t125;
				void* _t126;

				_t95 = __ecx;
				_t93 = __ebx;
				_t121 = _t125;
				_t126 = _t125 - 0x24;
				_t110 = __ecx;
				if(__ecx[1] == 0) {
					L28:
					return _t58;
				} else {
					_t115 = 0;
					_v40 = 0;
					_t58 = GetSecurityDescriptorControl(__ecx[1],  &_v40,  &_v32);
					if(_t58 == 0) {
						_push(0x80004005);
						goto L32;
					} else {
						if((_v40 & 0x00008000) == 0) {
							L27:
							goto L28;
						} else {
							_v20 = 0;
							_v16 = 0;
							_v8 = 0;
							_v12 = 0;
							_v36 = 0;
							MakeAbsoluteSD( *(_t110 + 4), 0,  &_v36, 0,  &_v16, 0,  &_v20, 0,  &_v12, 0,  &_v8);
							if(GetLastError() != 0x7a) {
								L33:
								E00DC239D(_t93, _t95, _t108);
								asm("int3");
								_push(_t115);
								_push(_t110);
								_t112 = _t95;
								_t63 = E00DD3B1B();
								_t112[1] = _t63;
								_t96 = 0x14;
								if(_t63 == 0) {
									_push(0x8007000e);
									goto L39;
								} else {
									_t68 = InitializeSecurityDescriptor(_t63, 1);
									if(_t68 != 0) {
										return _t68;
									} else {
										_t115 = E00DC2482();
										E00DD3557(_t112[1]);
										_t112[1] = _t112[1] & 0x00000000;
										_pop(_t96);
										_push(_t115);
										L39:
										E00DC1185(_t96);
										asm("int3");
										_push(_t121);
										_push(_t115);
										_t116 = _t96;
										 *_t116 = 0xdf41c0;
										E00DC7F74(_t96);
										if((_v60 & 0x00000001) != 0) {
											_push(0xc);
											E00DCF62D(_t116);
										}
										return _t116;
									}
								}
							} else {
								_push(__ebx);
								_push(_v36);
								_t93 = E00DD3B1B();
								if(_v12 == 0) {
									_v24 = 0;
								} else {
									_push(_v12);
									_v24 = E00DD3B1B();
								}
								if(_v8 == _t115) {
									_v28 = _t115;
								} else {
									_push(_v8);
									_v28 = E00DD3B1B();
								}
								_t79 = _v16;
								if(_t79 == 0) {
									_v32 = _t115;
								} else {
									_push(_t79);
									_v32 = E00DD3B1B();
									_t79 = _v16;
								}
								_t95 = _v20;
								if(_t95 != 0) {
									_push(_t95);
									_t89 = E00DD3B1B();
									_t95 = _v20;
									_t115 = _t89;
									_t79 = _v16;
								}
								if(_t93 == 0 || _v12 != 0 && _v24 == 0) {
									L29:
									_t110 = 0x8007000e;
									goto L30;
								} else {
									_t108 = _v28;
									if(_v8 == 0 || _t108 != 0) {
										_t85 = _v32;
										if(_t79 == 0 || _t85 != 0) {
											if(_t95 == 0 || _t115 != 0) {
												_t95 =  &_v16;
												if(MakeAbsoluteSD( *(_t110 + 4), _t93,  &_v36, _t85, _t95, _t115,  &_v20, _v24,  &_v12, _t108,  &_v8) != 0) {
													_t58 = E00DC2C7E(_t110);
													 *(_t110 + 4) = _t93;
													goto L27;
												} else {
													_t110 = E00DC2482();
													L30:
													E00DD3557(_t93);
													E00DD3557(_v24);
													E00DD3557(_v28);
													E00DD3557(_v32);
													E00DD3557(_t115);
													_t126 = _t126 + 0x14;
													_push(_t110);
													L32:
													E00DC1185(_t95);
													goto L33;
												}
											} else {
												goto L29;
											}
										} else {
											goto L29;
										}
									} else {
										goto L29;
									}
								}
							}
						}
					}
				}
			}

0x00dc5ab2
0x00dc5ab2
0x00dc5ab3
0x00dc5ab5
0x00dc5ab9
0x00dc5abf
0x00dc5c05
0x00dc5c07
0x00dc5ac5
0x00dc5ac9
0x00dc5acf
0x00dc5ad6
0x00dc5ade
0x00dc5c37
0x00000000
0x00dc5ae4
0x00dc5aeb
0x00dc5c04
0x00000000
0x00dc5af1
0x00dc5af4
0x00dc5afc
0x00dc5b04
0x00dc5b0c
0x00dc5b14
0x00dc5b1c
0x00dc5b2b
0x00dc5c41
0x00dc5c41
0x00dc5c46
0x00dc5c47
0x00dc5c48
0x00dc5c4b
0x00dc5c4d
0x00dc5c52
0x00dc5c55
0x00dc5c58
0x00dc5c81
0x00000000
0x00dc5c5a
0x00dc5c5d
0x00dc5c65
0x00dc5c80
0x00dc5c67
0x00dc5c6f
0x00dc5c71
0x00dc5c76
0x00dc5c7a
0x00dc5c7b
0x00dc5c86
0x00dc5c86
0x00dc5c8b
0x00dc5c8c
0x00dc5c8f
0x00dc5c90
0x00dc5c92
0x00dc5c98
0x00dc5ca1
0x00dc5ca3
0x00dc5ca6
0x00dc5cac
0x00dc5cb1
0x00dc5cb1
0x00dc5c65
0x00dc5b31
0x00dc5b31
0x00dc5b32
0x00dc5b3a
0x00dc5b40
0x00dc5b50
0x00dc5b42
0x00dc5b42
0x00dc5b4b
0x00dc5b4b
0x00dc5b56
0x00dc5b66
0x00dc5b58
0x00dc5b58
0x00dc5b61
0x00dc5b61
0x00dc5b69
0x00dc5b6e
0x00dc5b7f
0x00dc5b70
0x00dc5b70
0x00dc5b76
0x00dc5b79
0x00dc5b7c
0x00dc5b82
0x00dc5b87
0x00dc5b89
0x00dc5b8a
0x00dc5b90
0x00dc5b93
0x00dc5b95
0x00dc5b95
0x00dc5b9a
0x00dc5c08
0x00dc5c08
0x00000000
0x00dc5ba8
0x00dc5bac
0x00dc5baf
0x00dc5bb7
0x00dc5bba
0x00dc5bc2
0x00dc5bd9
0x00dc5bee
0x00dc5bfb
0x00dc5c00
0x00000000
0x00dc5bf0
0x00dc5bf5
0x00dc5c0d
0x00dc5c0e
0x00dc5c16
0x00dc5c1e
0x00dc5c26
0x00dc5c2c
0x00dc5c31
0x00dc5c34
0x00dc5c3c
0x00dc5c3c
0x00000000
0x00dc5c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00dc5baf
0x00dc5b9a
0x00dc5b2b
0x00dc5aeb
0x00dc5ade

APIs

GetSecurityDescriptorControl.ADVAPI32(00000000,?,?,00000000,00000000), ref: 00DC5AD6
MakeAbsoluteSD.ADVAPI32(00000000,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00DC5B1C
GetLastError.KERNEL32 ref: 00DC5B22
MakeAbsoluteSD.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,00000000,?,00000000,00000220), ref: 00DC5BE6

Part of subcall function 00DC2C7E: GetSecurityDescriptorControl.ADVAPI32(00000000,00000000,?,00000000), ref: 00DC2CA0
Part of subcall function 00DC2C7E: GetSecurityDescriptorOwner.ADVAPI32(00000000,?,00DC5C00), ref: 00DC2CC2
Part of subcall function 00DC2C7E: GetSecurityDescriptorGroup.ADVAPI32(00000000,?,00DC5C00), ref: 00DC2CDC
Part of subcall function 00DC2C7E: GetSecurityDescriptorDacl.ADVAPI32(00000000,?,?,00DC5C00), ref: 00DC2CFA
Part of subcall function 00DC2C7E: GetSecurityDescriptorSacl.ADVAPI32(00000000,00000000,?,00DC5C00), ref: 00DC2D1E

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DescriptorSecurity$AbsoluteControlMake$DaclErrorGroupLastOwnerSacl
String ID:
API String ID: 2915467597-0
Opcode ID: 42204dd4734b60c3f4ae8d187fe8f604f496ecdcd702bb58a4a4e8f2a51fcf5f
Instruction ID: 5b5e51ab02312e28d75994315818500e4d94925c7a2746704139bd3736aef42b
Opcode Fuzzy Hash: 42204dd4734b60c3f4ae8d187fe8f604f496ecdcd702bb58a4a4e8f2a51fcf5f
Instruction Fuzzy Hash: E5511AB190161AAADB14DF94ED85FEFBBB9EF44700F18412EE411A3254D730AE80CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6A13 Relevance: 6.1, APIs: 4, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00DC6A13(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				long _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v32;
				void* __ebp;
				signed int _t19;
				long _t26;
				void* _t27;
				void* _t35;
				void* _t37;
				void* _t47;
				void* _t48;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;

				_t47 = __edi;
				_t19 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t19 ^ _t52;
				_v20 = __ecx;
				if(_a4 == 0) {
					L12:
					__eflags = 0;
					L13:
					return E00DCF35B(_v8 ^ _t52);
				}
				_t37 = 0;
				GetTokenInformation( *(__ecx + 4), 6, 0, 0,  &_v12);
				if(GetLastError() != 0x7a) {
					goto L12;
				}
				_t26 = _v12;
				_t51 = 0;
				_v16 = 0;
				_t57 = _t26 - 0x400;
				if(_t26 > 0x400) {
					L5:
					_push(_t26);
					_t27 = L00DC4F66(_t37,  &_v16, _t47, _t51);
					_t51 = _v16;
					_t48 = _t27;
					L6:
					if(_t48 != 0 && GetTokenInformation( *(_v20 + 4), 6, _t48, _v12,  &_v12) != 0) {
						E00DC2969(_a4);
						_push( *_t48);
						E00DC544A(_t37, _a4,  *_t48);
						_t37 = 1;
					}
					while(_t51 != 0) {
						_t51 =  *_t51;
						E00DD3557(_t51);
					}
					goto L13;
				}
				_t35 = E00DC4B82(_t26, _t57);
				_t26 = _v12;
				if(_t35 == 0) {
					goto L5;
				}
				E00DE3B80();
				_t48 = _t53;
				goto L6;
			}

0x00dc6a13
0x00dc6a19
0x00dc6a20
0x00dc6a2c
0x00dc6a2f
0x00dc6acd
0x00dc6acd
0x00dc6acf
0x00dc6ae0
0x00dc6ae0
0x00dc6a38
0x00dc6a42
0x00dc6a51
0x00000000
0x00000000
0x00dc6a53
0x00dc6a56
0x00dc6a58
0x00dc6a5b
0x00dc6a60
0x00dc6a79
0x00dc6a79
0x00dc6a7d
0x00dc6a82
0x00dc6a85
0x00dc6a87
0x00dc6a89
0x00dc6aaa
0x00dc6ab2
0x00dc6ab3
0x00dc6ab8
0x00dc6ab8
0x00dc6ac5
0x00dc6abd
0x00dc6abf
0x00dc6ac4
0x00000000
0x00dc6ac9
0x00dc6a64
0x00dc6a6b
0x00dc6a6e
0x00000000
0x00000000
0x00dc6a70
0x00dc6a75
0x00000000

APIs

GetTokenInformation.ADVAPI32(00000000,00000006,00000000,00000000,00000000,?,?,00000000,0000005C,00000000), ref: 00DC6A42
GetLastError.KERNEL32 ref: 00DC6A48
GetTokenInformation.ADVAPI32(?,00000006,00000000,00000000,00000000,00000000), ref: 00DC6A9B

Part of subcall function 00DC4B82: __alloca_probe_16.LIBCMT ref: 00DC4BA5

__alloca_probe_16.LIBCMT ref: 00DC6A70

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: InformationToken__alloca_probe_16$ErrorLast
String ID:
API String ID: 434645856-0
Opcode ID: 94f971e19631c2ac92b7975942e9eb6676baf58e4e5c7c6737ef82e7dfe9a399
Instruction ID: ce8c1345049870ea8fd7689e3bbedafecb948b1284b8b531ab524b689cb63367
Opcode Fuzzy Hash: 94f971e19631c2ac92b7975942e9eb6676baf58e4e5c7c6737ef82e7dfe9a399
Instruction Fuzzy Hash: 84214A31A0011ABBDB10AF94D895EAEBBB9EF44350F58806DE401EB251DB31EE44CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6AE3 Relevance: 6.1, APIs: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00DC6AE3(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				long _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v32;
				void* __ebp;
				signed int _t18;
				long _t25;
				void* _t26;
				void* _t33;
				void* _t35;
				void* _t44;
				void* _t45;
				intOrPtr* _t47;
				signed int _t48;
				void* _t49;

				_t44 = __edi;
				_t18 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t18 ^ _t48;
				_v20 = __ecx;
				if(_a4 == 0) {
					L12:
					__eflags = 0;
					L13:
					return E00DCF35B(_v8 ^ _t48);
				}
				_t35 = 0;
				GetTokenInformation( *(__ecx + 4), 4, 0, 0,  &_v12);
				if(GetLastError() != 0x7a) {
					goto L12;
				}
				_t25 = _v12;
				_t47 = 0;
				_v16 = 0;
				_t53 = _t25 - 0x400;
				if(_t25 > 0x400) {
					L5:
					_push(_t25);
					_t26 = L00DC4F66(_t35,  &_v16, _t44, _t47);
					_t47 = _v16;
					_t45 = _t26;
					L6:
					if(_t45 != 0 && GetTokenInformation( *(_v20 + 4), 4, _t45, _v12,  &_v12) != 0) {
						E00DC4C42(_a4,  *_t45);
						_t35 = 1;
					}
					while(_t47 != 0) {
						_t47 =  *_t47;
						E00DD3557(_t47);
					}
					goto L13;
				}
				_t33 = E00DC4B82(_t25, _t53);
				_t25 = _v12;
				if(_t33 == 0) {
					goto L5;
				}
				E00DE3B80();
				_t45 = _t49;
				goto L6;
			}

0x00dc6ae3
0x00dc6ae9
0x00dc6af0
0x00dc6afc
0x00dc6aff
0x00dc6b94
0x00dc6b94
0x00dc6b96
0x00dc6ba7
0x00dc6ba7
0x00dc6b08
0x00dc6b12
0x00dc6b21
0x00000000
0x00000000
0x00dc6b23
0x00dc6b26
0x00dc6b28
0x00dc6b2b
0x00dc6b30
0x00dc6b49
0x00dc6b49
0x00dc6b4d
0x00dc6b52
0x00dc6b55
0x00dc6b57
0x00dc6b59
0x00dc6b7a
0x00dc6b7f
0x00dc6b7f
0x00dc6b8c
0x00dc6b84
0x00dc6b86
0x00dc6b8b
0x00000000
0x00dc6b90
0x00dc6b34
0x00dc6b3b
0x00dc6b3e
0x00000000
0x00000000
0x00dc6b40
0x00dc6b45
0x00000000

APIs

GetTokenInformation.ADVAPI32(?,00000004,00000000,00000000,00000000,00DF4000,00000004,00000000,00000000,00000000), ref: 00DC6B12
GetLastError.KERNEL32 ref: 00DC6B18
GetTokenInformation.ADVAPI32(?,00000004,00000000,00000000,00000000,00000000), ref: 00DC6B6B

Part of subcall function 00DC4B82: __alloca_probe_16.LIBCMT ref: 00DC4BA5

__alloca_probe_16.LIBCMT ref: 00DC6B40

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: InformationToken__alloca_probe_16$ErrorLast
String ID:
API String ID: 434645856-0
Opcode ID: b8ee8410c52f9b2e4a70d5007c6d8017c5763a4fc77cc8a3d1dc7749da183cde
Instruction ID: 0cd6c0ccb7619a1790220e17039c4b0b34a108b0604d79300a2796cdc6234fd3
Opcode Fuzzy Hash: b8ee8410c52f9b2e4a70d5007c6d8017c5763a4fc77cc8a3d1dc7749da183cde
Instruction Fuzzy Hash: 16215071A0010AAFDB10AF94D895FAEBBB9EF44360F58416DE501E7251DB30EE05CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6BAA Relevance: 6.1, APIs: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00DC6BAA(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				long _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v32;
				void* __ebp;
				signed int _t18;
				long _t25;
				void* _t26;
				void* _t33;
				void* _t35;
				void* _t44;
				void* _t45;
				intOrPtr* _t47;
				signed int _t48;
				void* _t49;

				_t44 = __edi;
				_t18 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t18 ^ _t48;
				_v20 = __ecx;
				if(_a4 == 0) {
					L12:
					__eflags = 0;
					L13:
					return E00DCF35B(_v8 ^ _t48);
				}
				_t35 = 0;
				GetTokenInformation( *(__ecx + 4), 5, 0, 0,  &_v12);
				if(GetLastError() != 0x7a) {
					goto L12;
				}
				_t25 = _v12;
				_t47 = 0;
				_v16 = 0;
				_t53 = _t25 - 0x400;
				if(_t25 > 0x400) {
					L5:
					_push(_t25);
					_t26 = L00DC4F66(_t35,  &_v16, _t44, _t47);
					_t47 = _v16;
					_t45 = _t26;
					L6:
					if(_t45 != 0 && GetTokenInformation( *(_v20 + 4), 5, _t45, _v12,  &_v12) != 0) {
						E00DC4C42(_a4,  *_t45);
						_t35 = 1;
					}
					while(_t47 != 0) {
						_t47 =  *_t47;
						E00DD3557(_t47);
					}
					goto L13;
				}
				_t33 = E00DC4B82(_t25, _t53);
				_t25 = _v12;
				if(_t33 == 0) {
					goto L5;
				}
				E00DE3B80();
				_t45 = _t49;
				goto L6;
			}

0x00dc6baa
0x00dc6bb0
0x00dc6bb7
0x00dc6bc3
0x00dc6bc6
0x00dc6c5b
0x00dc6c5b
0x00dc6c5d
0x00dc6c6e
0x00dc6c6e
0x00dc6bcf
0x00dc6bd9
0x00dc6be8
0x00000000
0x00000000
0x00dc6bea
0x00dc6bed
0x00dc6bef
0x00dc6bf2
0x00dc6bf7
0x00dc6c10
0x00dc6c10
0x00dc6c14
0x00dc6c19
0x00dc6c1c
0x00dc6c1e
0x00dc6c20
0x00dc6c41
0x00dc6c46
0x00dc6c46
0x00dc6c53
0x00dc6c4b
0x00dc6c4d
0x00dc6c52
0x00000000
0x00dc6c57
0x00dc6bfb
0x00dc6c02
0x00dc6c05
0x00000000
0x00000000
0x00dc6c07
0x00dc6c0c
0x00000000

APIs

GetTokenInformation.ADVAPI32(?,00000005(TokenIntegrityLevel),00000000,00000000,00000000,00DF4000,00000004,00000000,00000000,00000000), ref: 00DC6BD9
GetLastError.KERNEL32 ref: 00DC6BDF
GetTokenInformation.ADVAPI32(?,00000005(TokenIntegrityLevel),00000000,00000000,00000000,00000000), ref: 00DC6C32

Part of subcall function 00DC4B82: __alloca_probe_16.LIBCMT ref: 00DC4BA5

__alloca_probe_16.LIBCMT ref: 00DC6C07

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: InformationToken__alloca_probe_16$ErrorLast
String ID:
API String ID: 434645856-0
Opcode ID: 6c4b3ed7f94b4061ad8ab8674fb65e4a9d49b481474215c6e2da01414969b4c9
Instruction ID: 788eccf8d783b06805797666f251b4035e2e2e2f1bc595b2a67ae3327611a955
Opcode Fuzzy Hash: 6c4b3ed7f94b4061ad8ab8674fb65e4a9d49b481474215c6e2da01414969b4c9
Instruction Fuzzy Hash: F9218031A0010AAFDB10AF94DD95FAEBBB8EF44350F58406DE555A7251EB30EE44DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC585E Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00DC585E(void* __ebx, void* __edx, struct _ACL* __edi, long _a4) {
				long _v0;
				void* _v4;
				signed int _v8;
				int _v12;
				struct _ACL* _v16;
				long _v20;
				long _v24;
				long _v28;
				long _v32;
				struct _SECURITY_DESCRIPTOR* _v36;
				void* _v40;
				long _v44;
				long _v48;
				short _v52;
				signed char _v136;
				void* __ecx;
				void* __esi;
				void* __ebp;
				struct _SECURITY_DESCRIPTOR* _t104;
				void* _t105;
				int _t107;
				int _t112;
				struct _SECURITY_DESCRIPTOR* _t117;
				int _t122;
				long _t133;
				struct _ACL* _t139;
				struct _ACL* _t143;
				void* _t147;
				void* _t149;
				long _t153;
				int _t155;
				struct _SECURITY_DESCRIPTOR* _t160;
				long _t163;
				int _t165;
				struct _SECURITY_DESCRIPTOR* _t170;
				void* _t173;
				struct _SECURITY_DESCRIPTOR* _t174;
				void* _t176;
				PSID* _t178;
				PSID* _t180;
				DWORD* _t183;
				intOrPtr* _t184;
				struct _ACL* _t208;
				DWORD* _t210;
				DWORD* _t212;
				void* _t217;
				PSID* _t218;
				PSID* _t219;
				struct _ACL* _t221;
				intOrPtr* _t222;
				void* _t229;
				void* _t230;
				void* _t231;
				void* _t233;
				void* _t239;
				void* _t240;
				void* _t242;

				_t208 = __edi;
				_t207 = __edx;
				_t173 = __ebx;
				_t229 = _t239;
				_push(_t176);
				_push(_t176);
				_t217 = _t176;
				_push(__edi);
				if( *(_t217 + 4) == 0) {
					L4:
					L85();
					_v8 = _v8 & 0x00000000;
					goto L5;
				} else {
					L51();
					_t170 =  *(_t217 + 4);
					if(_t170 == 0) {
						goto L4;
					} else {
						_t178 =  &_v8;
						if(GetSecurityDescriptorOwner(_t170, _t178,  &_v12) == 0) {
							E00DC239D(__ebx, _t178, _t207);
							goto L13;
						} else {
							L5:
							_t208 = _a4;
							_t178 = _t208;
							if(E00DC2678(_t178) == 0) {
								L13:
								_push(0x80004005);
								goto L14;
							} else {
								_push(_t173);
								_t8 =  &(_t208->AceCount); // 0xdc60d1
								_t173 = _t8;
								_t163 = GetLengthSid(_t173);
								_a4 = _t163;
								_t208 = E00DD3B1B();
								_t178 = _t163;
								if(_t208 != 0) {
									_t165 = CopySid(_a4, _t208, _t173);
									_pop(_t173);
									if(_t165 == 0 || SetSecurityDescriptorOwner( *(_t217 + 4), _t208, 0) == 0) {
										_t217 = E00DC2482();
										E00DD3557(_t208);
										_pop(_t178);
										_push(_t217);
										goto L14;
									} else {
										return E00DD3557(_v8);
									}
								} else {
									_push(0x8007000e);
									L14:
									E00DC1185(_t178);
									asm("int3");
									_push(_t229);
									_t230 = _t239;
									_push(_t178);
									_push(_t178);
									_push(_t217);
									_t218 = _t178;
									_push(_t208);
									if(_t218[1] == 0) {
										L19:
										L85();
										_v12 = _v12 & 0x00000000;
										goto L20;
									} else {
										L51();
										_t160 = _t218[1];
										if(_t160 == 0) {
											goto L19;
										} else {
											_t180 =  &_v12;
											if(GetSecurityDescriptorGroup(_t160, _t180,  &_v16) == 0) {
												E00DC239D(_t173, _t180, _t207);
												goto L28;
											} else {
												L20:
												_t208 = _v0;
												_t180 = _t208;
												if(E00DC2678(_t180) == 0) {
													L28:
													_push(0x80004005);
													goto L29;
												} else {
													_push(_t173);
													_t20 =  &(_t208->AceCount); // 0xdc60d1
													_t173 = _t20;
													_t153 = GetLengthSid(_t173);
													_v0 = _t153;
													_t208 = E00DD3B1B();
													_t180 = _t153;
													if(_t208 != 0) {
														_t155 = CopySid(_v0, _t208, _t173);
														_pop(_t173);
														if(_t155 == 0 || SetSecurityDescriptorGroup(_t218[1], _t208, 0) == 0) {
															_t218 = E00DC2482();
															E00DD3557(_t208);
															_pop(_t180);
															_push(_t218);
															goto L29;
														} else {
															return E00DD3557(_v12);
														}
													} else {
														_push(0x8007000e);
														L29:
														E00DC1185(_t180);
														asm("int3");
														_push(_t230);
														_t231 = _t239;
														_t240 = _t239 - 0xc;
														_push(_t218);
														_t219 = _t180;
														_push(_t208);
														_t104 = _t219[1];
														if(_t104 != 0) {
															L51();
															_t104 = _t219[1];
														}
														_v16 = _v16 & 0x00000000;
														if(_t104 == 0) {
															L85();
															goto L36;
														} else {
															_t183 =  &_v24;
															if(GetSecurityDescriptorDacl(_t104, _t183,  &_v16,  &_v20) == 0) {
																E00DC239D(_t173, _t183, _t207);
																goto L49;
															} else {
																L36:
																_push(_t173);
																_t174 = _v4;
																_t33 =  &(_t174->Group); // 0x6a206a53
																_t105 =  *_t33;
																if(_t105 != 0 ||  *((intOrPtr*)(_t174 + 0x14)) == 0) {
																	_t208 = 0;
																	goto L41;
																} else {
																	_t147 = E00DC53FF(_t174, _t174, _t207, _t208, _t219);
																	_v4 = _t147;
																	_t208 = E00DD3B1B();
																	_t183 = _t147;
																	if(_t208 == 0) {
																		L49:
																		_push(0x8007000e);
																		goto L50;
																	} else {
																		_t149 = E00DC2712(_t174, _t174, _t208, _t219);
																		_t207 = _v4;
																		E00DC23B6(_t174, _t208, _v4, _t149, _v4);
																		_t38 =  &(_t174->Group); // 0x6a206a53
																		_t105 =  *_t38;
																		L41:
																		_pop(_t174);
																		if(_t105 != 0 || _t208 != 0) {
																			_t107 = 1;
																		} else {
																			_t107 = 0;
																		}
																		if(SetSecurityDescriptorDacl(_t219[1], _t107, _t208, 0) != 0) {
																			return E00DD3557(_v16);
																		} else {
																			_t219 = E00DC2482();
																			E00DD3557(_t208);
																			_pop(_t183);
																			_push(_t219);
																			L50:
																			_t112 = E00DC1185(_t183);
																			asm("int3");
																			_push(_t231);
																			_t233 = _t240;
																			_t242 = _t240 - 0x24;
																			_push(_t208);
																			_t210 = _t183;
																			if(_t210[1] == 0) {
																				L79:
																				return _t112;
																			} else {
																				_push(_t219);
																				_t221 = 0;
																				_v52 = 0;
																				_t112 = GetSecurityDescriptorControl(_t210[1],  &_v52,  &_v44);
																				if(_t112 == 0) {
																					_push(0x80004005);
																					goto L83;
																				} else {
																					if((_v52 & 0x00008000) == 0) {
																						L78:
																						goto L79;
																					} else {
																						_v32 = 0;
																						_v28 = 0;
																						_v20 = 0;
																						_v24 = 0;
																						_v48 = 0;
																						MakeAbsoluteSD(_t210[1], 0,  &_v48, 0,  &_v28, 0,  &_v32, 0,  &_v24, 0,  &_v20);
																						if(GetLastError() != 0x7a) {
																							L84:
																							E00DC239D(_t174, _t183, _t207);
																							asm("int3");
																							_push(_t221);
																							_push(_t210);
																							_t212 = _t183;
																							_t117 = E00DD3B1B();
																							_t212[1] = _t117;
																							_t184 = 0x14;
																							if(_t117 == 0) {
																								_push(0x8007000e);
																								goto L90;
																							} else {
																								_t122 = InitializeSecurityDescriptor(_t117, 1);
																								if(_t122 != 0) {
																									return _t122;
																								} else {
																									_t221 = E00DC2482();
																									E00DD3557(_t212[1]);
																									_t212[1] = _t212[1] & 0x00000000;
																									_pop(_t184);
																									_push(_t221);
																									L90:
																									E00DC1185(_t184);
																									asm("int3");
																									_push(_t233);
																									_push(_t221);
																									_t222 = _t184;
																									 *_t222 = 0xdf41c0;
																									E00DC7F74(_t184);
																									if((_v136 & 0x00000001) != 0) {
																										_push(0xc);
																										E00DCF62D(_t222);
																									}
																									return _t222;
																								}
																							}
																						} else {
																							_push(_t174);
																							_push(_v48);
																							_t174 = E00DD3B1B();
																							if(_v24 == 0) {
																								_v36 = 0;
																							} else {
																								_push(_v24);
																								_v36 = E00DD3B1B();
																							}
																							if(_v20 == _t221) {
																								_v40 = _t221;
																							} else {
																								_push(_v20);
																								_v40 = E00DD3B1B();
																							}
																							_t133 = _v28;
																							if(_t133 == 0) {
																								_v44 = _t221;
																							} else {
																								_push(_t133);
																								_v44 = E00DD3B1B();
																								_t133 = _v28;
																							}
																							_t183 = _v32;
																							if(_t183 != 0) {
																								_push(_t183);
																								_t143 = E00DD3B1B();
																								_t183 = _v32;
																								_t221 = _t143;
																								_t133 = _v28;
																							}
																							if(_t174 == 0 || _v24 != 0 && _v36 == 0) {
																								L80:
																								_t210 = 0x8007000e;
																								goto L81;
																							} else {
																								_t207 = _v40;
																								if(_v20 == 0 || _t207 != 0) {
																									_t139 = _v44;
																									if(_t133 == 0 || _t139 != 0) {
																										if(_t183 == 0 || _t221 != 0) {
																											_t183 =  &_v28;
																											if(MakeAbsoluteSD(_t210[1], _t174,  &_v48, _t139, _t183, _t221,  &_v32, _v36,  &_v24, _t207,  &_v20) != 0) {
																												_t112 = E00DC2C7E(_t210);
																												_t210[1] = _t174;
																												goto L78;
																											} else {
																												_t210 = E00DC2482();
																												L81:
																												E00DD3557(_t174);
																												E00DD3557(_v36);
																												E00DD3557(_v40);
																												E00DD3557(_v44);
																												E00DD3557(_t221);
																												_t242 = _t242 + 0x14;
																												_push(_t210);
																												L83:
																												E00DC1185(_t183);
																												goto L84;
																											}
																										} else {
																											goto L80;
																										}
																									} else {
																										goto L80;
																									}
																								} else {
																									goto L80;
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00dc585e
0x00dc585e
0x00dc585e
0x00dc585f
0x00dc5861
0x00dc5862
0x00dc5864
0x00dc5866
0x00dc586c
0x00dc588f
0x00dc5891
0x00dc5896
0x00000000
0x00dc586e
0x00dc586e
0x00dc5873
0x00dc5878
0x00000000
0x00dc587a
0x00dc587e
0x00dc588b
0x00dc590a
0x00000000
0x00dc588d
0x00dc589a
0x00dc589a
0x00dc589d
0x00dc58a6
0x00dc590f
0x00dc590f
0x00000000
0x00dc58a8
0x00dc58a8
0x00dc58a9
0x00dc58a9
0x00dc58ad
0x00dc58b4
0x00dc58bc
0x00dc58be
0x00dc58c1
0x00dc58cf
0x00dc58d5
0x00dc58d8
0x00dc58ff
0x00dc5901
0x00dc5906
0x00dc5907
0x00000000
0x00dc58ea
0x00dc58f6
0x00dc58f6
0x00dc58c3
0x00dc58c3
0x00dc5914
0x00dc5914
0x00dc5919
0x00dc591a
0x00dc591b
0x00dc591d
0x00dc591e
0x00dc591f
0x00dc5920
0x00dc5922
0x00dc5928
0x00dc594b
0x00dc594d
0x00dc5952
0x00000000
0x00dc592a
0x00dc592a
0x00dc592f
0x00dc5934
0x00000000
0x00dc5936
0x00dc593a
0x00dc5947
0x00dc59c6
0x00000000
0x00dc5949
0x00dc5956
0x00dc5956
0x00dc5959
0x00dc5962
0x00dc59cb
0x00dc59cb
0x00000000
0x00dc5964
0x00dc5964
0x00dc5965
0x00dc5965
0x00dc5969
0x00dc5970
0x00dc5978
0x00dc597a
0x00dc597d
0x00dc598b
0x00dc5991
0x00dc5994
0x00dc59bb
0x00dc59bd
0x00dc59c2
0x00dc59c3
0x00000000
0x00dc59a6
0x00dc59b2
0x00dc59b2
0x00dc597f
0x00dc597f
0x00dc59d0
0x00dc59d0
0x00dc59d5
0x00dc59d6
0x00dc59d7
0x00dc59d9
0x00dc59dc
0x00dc59dd
0x00dc59df
0x00dc59e0
0x00dc59e5
0x00dc59e7
0x00dc59ec
0x00dc59ec
0x00dc59ef
0x00dc59f5
0x00dc5a16
0x00000000
0x00dc59f7
0x00dc59ff
0x00dc5a0c
0x00dc5aa2
0x00000000
0x00dc5a12
0x00dc5a1b
0x00dc5a1b
0x00dc5a1c
0x00dc5a1f
0x00dc5a1f
0x00dc5a24
0x00dc5a5f
0x00000000
0x00dc5a2c
0x00dc5a2e
0x00dc5a34
0x00dc5a3c
0x00dc5a3e
0x00dc5a41
0x00dc5aa7
0x00dc5aa7
0x00000000
0x00dc5a43
0x00dc5a48
0x00dc5a4d
0x00dc5a53
0x00dc5a58
0x00dc5a58
0x00dc5a61
0x00dc5a61
0x00dc5a64
0x00dc5a70
0x00dc5a6a
0x00dc5a6a
0x00dc5a6a
0x00dc5a80
0x00dc5a9f
0x00dc5a82
0x00dc5a88
0x00dc5a8a
0x00dc5a8f
0x00dc5a90
0x00dc5aac
0x00dc5aac
0x00dc5ab1
0x00dc5ab2
0x00dc5ab3
0x00dc5ab5
0x00dc5ab8
0x00dc5ab9
0x00dc5abf
0x00dc5c05
0x00dc5c07
0x00dc5ac5
0x00dc5ac5
0x00dc5ac9
0x00dc5acf
0x00dc5ad6
0x00dc5ade
0x00dc5c37
0x00000000
0x00dc5ae4
0x00dc5aeb
0x00dc5c04
0x00000000
0x00dc5af1
0x00dc5af4
0x00dc5afc
0x00dc5b04
0x00dc5b0c
0x00dc5b14
0x00dc5b1c
0x00dc5b2b
0x00dc5c41
0x00dc5c41
0x00dc5c46
0x00dc5c47
0x00dc5c48
0x00dc5c4b
0x00dc5c4d
0x00dc5c52
0x00dc5c55
0x00dc5c58
0x00dc5c81
0x00000000
0x00dc5c5a
0x00dc5c5d
0x00dc5c65
0x00dc5c80
0x00dc5c67
0x00dc5c6f
0x00dc5c71
0x00dc5c76
0x00dc5c7a
0x00dc5c7b
0x00dc5c86
0x00dc5c86
0x00dc5c8b
0x00dc5c8c
0x00dc5c8f
0x00dc5c90
0x00dc5c92
0x00dc5c98
0x00dc5ca1
0x00dc5ca3
0x00dc5ca6
0x00dc5cac
0x00dc5cb1
0x00dc5cb1
0x00dc5c65
0x00dc5b31
0x00dc5b31
0x00dc5b32
0x00dc5b3a
0x00dc5b40
0x00dc5b50
0x00dc5b42
0x00dc5b42
0x00dc5b4b
0x00dc5b4b
0x00dc5b56
0x00dc5b66
0x00dc5b58
0x00dc5b58
0x00dc5b61
0x00dc5b61
0x00dc5b69
0x00dc5b6e
0x00dc5b7f
0x00dc5b70
0x00dc5b70
0x00dc5b76
0x00dc5b79
0x00dc5b7c
0x00dc5b82
0x00dc5b87
0x00dc5b89
0x00dc5b8a
0x00dc5b90
0x00dc5b93
0x00dc5b95
0x00dc5b95
0x00dc5b9a
0x00dc5c08
0x00dc5c08
0x00000000
0x00dc5ba8
0x00dc5bac
0x00dc5baf
0x00dc5bb7
0x00dc5bba
0x00dc5bc2
0x00dc5bd9
0x00dc5bee
0x00dc5bfb
0x00dc5c00
0x00000000
0x00dc5bf0
0x00dc5bf5
0x00dc5c0d
0x00dc5c0e
0x00dc5c16
0x00dc5c1e
0x00dc5c26
0x00dc5c2c
0x00dc5c31
0x00dc5c34
0x00dc5c3c
0x00dc5c3c
0x00000000
0x00dc5c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00dc5baf
0x00dc5b9a
0x00dc5b2b
0x00dc5aeb
0x00dc5ade
0x00dc5abf
0x00dc5a80
0x00dc5a41
0x00dc5a24
0x00dc5a0c
0x00dc59f5
0x00dc597d
0x00dc5962
0x00dc5947
0x00dc5934
0x00dc5928
0x00dc58c1
0x00dc58a6
0x00dc588b
0x00dc5878

APIs

GetLengthSid.ADVAPI32(00DC60D1,00000220,00DF35C8,00000000,00000000,00000000,?,00DC60CD), ref: 00DC58AD

Part of subcall function 00DC5AB2: GetSecurityDescriptorControl.ADVAPI32(00000000,?,?,00000000,00000000), ref: 00DC5AD6
Part of subcall function 00DC5AB2: MakeAbsoluteSD.ADVAPI32(00000000,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00DC5B1C
Part of subcall function 00DC5AB2: GetLastError.KERNEL32 ref: 00DC5B22

GetSecurityDescriptorOwner.ADVAPI32(?,?,00DC60CD,00DF35C8,00000000,00000000,00000000,?,00DC60CD,?,00000220,?,10000000,00000000), ref: 00DC5883

Part of subcall function 00DC2482: GetLastError.KERNEL32(00DC26DB,?,00DC4C65,?,?,?,00DC5040,00000000), ref: 00DC2482

CopySid.ADVAPI32(00DC60CD,00000000,00DC60D1,?,00DC60CD), ref: 00DC58CF
SetSecurityDescriptorOwner.ADVAPI32(?,00000000,00000000,00DC60CD), ref: 00DC58E0

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DescriptorSecurity$ErrorLastOwner$AbsoluteControlCopyLengthMake
String ID:
API String ID: 3905656193-0
Opcode ID: d41f3167fb95f8b4c9f0d71f6b4fb901c847eef87227de306e4b5b42d3197d65
Instruction ID: eaa7a1dba29b3a4fea2fa1cb9ddcecc383e1b59162f912ef31b465ebf53838d7
Opcode Fuzzy Hash: d41f3167fb95f8b4c9f0d71f6b4fb901c847eef87227de306e4b5b42d3197d65
Instruction Fuzzy Hash: C511AF76204746EBDB14AB64EC45FAE77ACDF44760B14411EB406E7241EF74FE808AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC591A Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00DC591A(void* __ebx, void* __edx, struct _ACL* __edi, long _a4) {
				void* _v0;
				signed int _v8;
				struct _ACL* _v12;
				long _v16;
				long _v20;
				long _v24;
				long _v28;
				struct _SECURITY_DESCRIPTOR* _v32;
				void* _v36;
				long _v40;
				long _v44;
				short _v48;
				signed char _v112;
				void* __ecx;
				void* __esi;
				void* __ebp;
				struct _SECURITY_DESCRIPTOR* _t89;
				void* _t90;
				int _t92;
				int _t97;
				struct _SECURITY_DESCRIPTOR* _t102;
				int _t107;
				long _t118;
				struct _ACL* _t124;
				struct _ACL* _t128;
				void* _t132;
				void* _t134;
				long _t138;
				int _t140;
				struct _SECURITY_DESCRIPTOR* _t145;
				void* _t148;
				struct _SECURITY_DESCRIPTOR* _t149;
				void* _t151;
				PSID* _t153;
				DWORD* _t156;
				intOrPtr* _t157;
				struct _ACL* _t179;
				DWORD* _t181;
				DWORD* _t183;
				void* _t187;
				PSID* _t188;
				struct _ACL* _t190;
				intOrPtr* _t191;
				void* _t197;
				void* _t198;
				void* _t200;
				void* _t205;
				void* _t206;
				void* _t208;

				_t179 = __edi;
				_t178 = __edx;
				_t148 = __ebx;
				_t197 = _t205;
				_push(_t151);
				_push(_t151);
				_t187 = _t151;
				_push(__edi);
				if( *(_t187 + 4) == 0) {
					L4:
					L70();
					_v8 = _v8 & 0x00000000;
					goto L5;
				} else {
					L36();
					_t145 =  *(_t187 + 4);
					if(_t145 == 0) {
						goto L4;
					} else {
						_t153 =  &_v8;
						if(GetSecurityDescriptorGroup(_t145, _t153,  &_v12) == 0) {
							E00DC239D(__ebx, _t153, _t178);
							goto L13;
						} else {
							L5:
							_t179 = _a4;
							_t153 = _t179;
							if(E00DC2678(_t153) == 0) {
								L13:
								_push(0x80004005);
								goto L14;
							} else {
								_push(_t148);
								_t8 =  &(_t179->AceCount); // 0xdc60d1
								_t148 = _t8;
								_t138 = GetLengthSid(_t148);
								_a4 = _t138;
								_t179 = E00DD3B1B();
								_t153 = _t138;
								if(_t179 != 0) {
									_t140 = CopySid(_a4, _t179, _t148);
									_pop(_t148);
									if(_t140 == 0 || SetSecurityDescriptorGroup( *(_t187 + 4), _t179, 0) == 0) {
										_t187 = E00DC2482();
										E00DD3557(_t179);
										_pop(_t153);
										_push(_t187);
										goto L14;
									} else {
										return E00DD3557(_v8);
									}
								} else {
									_push(0x8007000e);
									L14:
									E00DC1185(_t153);
									asm("int3");
									_push(_t197);
									_t198 = _t205;
									_t206 = _t205 - 0xc;
									_push(_t187);
									_t188 = _t153;
									_push(_t179);
									_t89 = _t188[1];
									if(_t89 != 0) {
										L36();
										_t89 = _t188[1];
									}
									_v12 = _v12 & 0x00000000;
									if(_t89 == 0) {
										L70();
										goto L21;
									} else {
										_t156 =  &_v20;
										if(GetSecurityDescriptorDacl(_t89, _t156,  &_v12,  &_v16) == 0) {
											E00DC239D(_t148, _t156, _t178);
											goto L34;
										} else {
											L21:
											_push(_t148);
											_t149 = _v0;
											_t21 =  &(_t149->Group); // 0x6a206a53
											_t90 =  *_t21;
											if(_t90 != 0 ||  *((intOrPtr*)(_t149 + 0x14)) == 0) {
												_t179 = 0;
												goto L26;
											} else {
												_t132 = E00DC53FF(_t149, _t149, _t178, _t179, _t188);
												_v0 = _t132;
												_t179 = E00DD3B1B();
												_t156 = _t132;
												if(_t179 == 0) {
													L34:
													_push(0x8007000e);
													goto L35;
												} else {
													_t134 = E00DC2712(_t149, _t149, _t179, _t188);
													_t178 = _v0;
													E00DC23B6(_t149, _t179, _v0, _t134, _v0);
													_t26 =  &(_t149->Group); // 0x6a206a53
													_t90 =  *_t26;
													L26:
													_pop(_t149);
													if(_t90 != 0 || _t179 != 0) {
														_t92 = 1;
													} else {
														_t92 = 0;
													}
													if(SetSecurityDescriptorDacl(_t188[1], _t92, _t179, 0) != 0) {
														return E00DD3557(_v12);
													} else {
														_t188 = E00DC2482();
														E00DD3557(_t179);
														_pop(_t156);
														_push(_t188);
														L35:
														_t97 = E00DC1185(_t156);
														asm("int3");
														_push(_t198);
														_t200 = _t206;
														_t208 = _t206 - 0x24;
														_push(_t179);
														_t181 = _t156;
														if(_t181[1] == 0) {
															L64:
															return _t97;
														} else {
															_push(_t188);
															_t190 = 0;
															_v48 = 0;
															_t97 = GetSecurityDescriptorControl(_t181[1],  &_v48,  &_v40);
															if(_t97 == 0) {
																_push(0x80004005);
																goto L68;
															} else {
																if((_v48 & 0x00008000) == 0) {
																	L63:
																	goto L64;
																} else {
																	_v28 = 0;
																	_v24 = 0;
																	_v16 = 0;
																	_v20 = 0;
																	_v44 = 0;
																	MakeAbsoluteSD(_t181[1], 0,  &_v44, 0,  &_v24, 0,  &_v28, 0,  &_v20, 0,  &_v16);
																	if(GetLastError() != 0x7a) {
																		L69:
																		E00DC239D(_t149, _t156, _t178);
																		asm("int3");
																		_push(_t190);
																		_push(_t181);
																		_t183 = _t156;
																		_t102 = E00DD3B1B();
																		_t183[1] = _t102;
																		_t157 = 0x14;
																		if(_t102 == 0) {
																			_push(0x8007000e);
																			goto L75;
																		} else {
																			_t107 = InitializeSecurityDescriptor(_t102, 1);
																			if(_t107 != 0) {
																				return _t107;
																			} else {
																				_t190 = E00DC2482();
																				E00DD3557(_t183[1]);
																				_t183[1] = _t183[1] & 0x00000000;
																				_pop(_t157);
																				_push(_t190);
																				L75:
																				E00DC1185(_t157);
																				asm("int3");
																				_push(_t200);
																				_push(_t190);
																				_t191 = _t157;
																				 *_t191 = 0xdf41c0;
																				E00DC7F74(_t157);
																				if((_v112 & 0x00000001) != 0) {
																					_push(0xc);
																					E00DCF62D(_t191);
																				}
																				return _t191;
																			}
																		}
																	} else {
																		_push(_t149);
																		_push(_v44);
																		_t149 = E00DD3B1B();
																		if(_v20 == 0) {
																			_v32 = 0;
																		} else {
																			_push(_v20);
																			_v32 = E00DD3B1B();
																		}
																		if(_v16 == _t190) {
																			_v36 = _t190;
																		} else {
																			_push(_v16);
																			_v36 = E00DD3B1B();
																		}
																		_t118 = _v24;
																		if(_t118 == 0) {
																			_v40 = _t190;
																		} else {
																			_push(_t118);
																			_v40 = E00DD3B1B();
																			_t118 = _v24;
																		}
																		_t156 = _v28;
																		if(_t156 != 0) {
																			_push(_t156);
																			_t128 = E00DD3B1B();
																			_t156 = _v28;
																			_t190 = _t128;
																			_t118 = _v24;
																		}
																		if(_t149 == 0 || _v20 != 0 && _v32 == 0) {
																			L65:
																			_t181 = 0x8007000e;
																			goto L66;
																		} else {
																			_t178 = _v36;
																			if(_v16 == 0 || _t178 != 0) {
																				_t124 = _v40;
																				if(_t118 == 0 || _t124 != 0) {
																					if(_t156 == 0 || _t190 != 0) {
																						_t156 =  &_v24;
																						if(MakeAbsoluteSD(_t181[1], _t149,  &_v44, _t124, _t156, _t190,  &_v28, _v32,  &_v20, _t178,  &_v16) != 0) {
																							_t97 = E00DC2C7E(_t181);
																							_t181[1] = _t149;
																							goto L63;
																						} else {
																							_t181 = E00DC2482();
																							L66:
																							E00DD3557(_t149);
																							E00DD3557(_v32);
																							E00DD3557(_v36);
																							E00DD3557(_v40);
																							E00DD3557(_t190);
																							_t208 = _t208 + 0x14;
																							_push(_t181);
																							L68:
																							E00DC1185(_t156);
																							goto L69;
																						}
																					} else {
																						goto L65;
																					}
																				} else {
																					goto L65;
																				}
																			} else {
																				goto L65;
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00dc591a
0x00dc591a
0x00dc591a
0x00dc591b
0x00dc591d
0x00dc591e
0x00dc5920
0x00dc5922
0x00dc5928
0x00dc594b
0x00dc594d
0x00dc5952
0x00000000
0x00dc592a
0x00dc592a
0x00dc592f
0x00dc5934
0x00000000
0x00dc5936
0x00dc593a
0x00dc5947
0x00dc59c6
0x00000000
0x00dc5949
0x00dc5956
0x00dc5956
0x00dc5959
0x00dc5962
0x00dc59cb
0x00dc59cb
0x00000000
0x00dc5964
0x00dc5964
0x00dc5965
0x00dc5965
0x00dc5969
0x00dc5970
0x00dc5978
0x00dc597a
0x00dc597d
0x00dc598b
0x00dc5991
0x00dc5994
0x00dc59bb
0x00dc59bd
0x00dc59c2
0x00dc59c3
0x00000000
0x00dc59a6
0x00dc59b2
0x00dc59b2
0x00dc597f
0x00dc597f
0x00dc59d0
0x00dc59d0
0x00dc59d5
0x00dc59d6
0x00dc59d7
0x00dc59d9
0x00dc59dc
0x00dc59dd
0x00dc59df
0x00dc59e0
0x00dc59e5
0x00dc59e7
0x00dc59ec
0x00dc59ec
0x00dc59ef
0x00dc59f5
0x00dc5a16
0x00000000
0x00dc59f7
0x00dc59ff
0x00dc5a0c
0x00dc5aa2
0x00000000
0x00dc5a12
0x00dc5a1b
0x00dc5a1b
0x00dc5a1c
0x00dc5a1f
0x00dc5a1f
0x00dc5a24
0x00dc5a5f
0x00000000
0x00dc5a2c
0x00dc5a2e
0x00dc5a34
0x00dc5a3c
0x00dc5a3e
0x00dc5a41
0x00dc5aa7
0x00dc5aa7
0x00000000
0x00dc5a43
0x00dc5a48
0x00dc5a4d
0x00dc5a53
0x00dc5a58
0x00dc5a58
0x00dc5a61
0x00dc5a61
0x00dc5a64
0x00dc5a70
0x00dc5a6a
0x00dc5a6a
0x00dc5a6a
0x00dc5a80
0x00dc5a9f
0x00dc5a82
0x00dc5a88
0x00dc5a8a
0x00dc5a8f
0x00dc5a90
0x00dc5aac
0x00dc5aac
0x00dc5ab1
0x00dc5ab2
0x00dc5ab3
0x00dc5ab5
0x00dc5ab8
0x00dc5ab9
0x00dc5abf
0x00dc5c05
0x00dc5c07
0x00dc5ac5
0x00dc5ac5
0x00dc5ac9
0x00dc5acf
0x00dc5ad6
0x00dc5ade
0x00dc5c37
0x00000000
0x00dc5ae4
0x00dc5aeb
0x00dc5c04
0x00000000
0x00dc5af1
0x00dc5af4
0x00dc5afc
0x00dc5b04
0x00dc5b0c
0x00dc5b14
0x00dc5b1c
0x00dc5b2b
0x00dc5c41
0x00dc5c41
0x00dc5c46
0x00dc5c47
0x00dc5c48
0x00dc5c4b
0x00dc5c4d
0x00dc5c52
0x00dc5c55
0x00dc5c58
0x00dc5c81
0x00000000
0x00dc5c5a
0x00dc5c5d
0x00dc5c65
0x00dc5c80
0x00dc5c67
0x00dc5c6f
0x00dc5c71
0x00dc5c76
0x00dc5c7a
0x00dc5c7b
0x00dc5c86
0x00dc5c86
0x00dc5c8b
0x00dc5c8c
0x00dc5c8f
0x00dc5c90
0x00dc5c92
0x00dc5c98
0x00dc5ca1
0x00dc5ca3
0x00dc5ca6
0x00dc5cac
0x00dc5cb1
0x00dc5cb1
0x00dc5c65
0x00dc5b31
0x00dc5b31
0x00dc5b32
0x00dc5b3a
0x00dc5b40
0x00dc5b50
0x00dc5b42
0x00dc5b42
0x00dc5b4b
0x00dc5b4b
0x00dc5b56
0x00dc5b66
0x00dc5b58
0x00dc5b58
0x00dc5b61
0x00dc5b61
0x00dc5b69
0x00dc5b6e
0x00dc5b7f
0x00dc5b70
0x00dc5b70
0x00dc5b76
0x00dc5b79
0x00dc5b7c
0x00dc5b82
0x00dc5b87
0x00dc5b89
0x00dc5b8a
0x00dc5b90
0x00dc5b93
0x00dc5b95
0x00dc5b95
0x00dc5b9a
0x00dc5c08
0x00dc5c08
0x00000000
0x00dc5ba8
0x00dc5bac
0x00dc5baf
0x00dc5bb7
0x00dc5bba
0x00dc5bc2
0x00dc5bd9
0x00dc5bee
0x00dc5bfb
0x00dc5c00
0x00000000
0x00dc5bf0
0x00dc5bf5
0x00dc5c0d
0x00dc5c0e
0x00dc5c16
0x00dc5c1e
0x00dc5c26
0x00dc5c2c
0x00dc5c31
0x00dc5c34
0x00dc5c3c
0x00dc5c3c
0x00000000
0x00dc5c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00dc5baf
0x00dc5b9a
0x00dc5b2b
0x00dc5aeb
0x00dc5ade
0x00dc5abf
0x00dc5a80
0x00dc5a41
0x00dc5a24
0x00dc5a0c
0x00dc59f5
0x00dc597d
0x00dc5962
0x00dc5947
0x00dc5934

APIs

GetLengthSid.ADVAPI32(00DC60D1,00000220,00DC60CD,00000000,?,?,?,80004005,00DF35C8,00000000,00000000,00000000,?,00DC60CD), ref: 00DC5969

Part of subcall function 00DC5AB2: GetSecurityDescriptorControl.ADVAPI32(00000000,?,?,00000000,00000000), ref: 00DC5AD6
Part of subcall function 00DC5AB2: MakeAbsoluteSD.ADVAPI32(00000000,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00DC5B1C
Part of subcall function 00DC5AB2: GetLastError.KERNEL32 ref: 00DC5B22

GetSecurityDescriptorGroup.ADVAPI32(?,00000000,00DC60CD,00DC60CD,00000000,?,?,?,80004005,00DF35C8,00000000,00000000,00000000,?,00DC60CD), ref: 00DC593F

Part of subcall function 00DC2482: GetLastError.KERNEL32(00DC26DB,?,00DC4C65,?,?,?,00DC5040,00000000), ref: 00DC2482

CopySid.ADVAPI32(00DC60CD,00000000,00DC60D1,?,?,?,80004005,00DF35C8,00000000,00000000,00000000,?,00DC60CD), ref: 00DC598B
SetSecurityDescriptorGroup.ADVAPI32(?,00000000,00000000,?,?,80004005,00DF35C8,00000000,00000000,00000000,?,00DC60CD), ref: 00DC599C

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DescriptorSecurity$ErrorGroupLast$AbsoluteControlCopyLengthMake
String ID:
API String ID: 3828051983-0
Opcode ID: be874a31b1239546fad4311a1436a5a9570318d473f003e74a8f36a6c6525456
Instruction ID: 1ad8b5e132824aadd19c6b2b38e5d308822528c63d0c733c949969ffdee3599b
Opcode Fuzzy Hash: be874a31b1239546fad4311a1436a5a9570318d473f003e74a8f36a6c6525456
Instruction Fuzzy Hash: 8F119D72200646EBDB24AB65EC4AF6A77ACDF41760B18015EF505A7285EF70FD809A70

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8D1C Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00DC8D1C(void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				struct _OSVERSIONINFOEXW _v300;
				void* __ebp;
				signed int _t15;
				void* _t30;
				intOrPtr* _t34;
				signed int _t35;

				_t30 = __edx;
				_t15 =  *0xdf8008; // 0x9fa9e963
				_v8 = _t15 ^ _t35;
				_v300.dwOSVersionInfoSize = 0x11c;
				_v300.dwBuildNumber = 0;
				_v300.dwPlatformId = 0;
				E00DD1190(0,  &(_v300.szCSDVersion), 0, 0x100);
				_t34 = __imp__VerSetConditionMask;
				_v300.wSuiteMask = 0;
				_v300.wServicePackMinor = 0;
				 *_t34(0, 0, 2, 3, 1, 3, 0x20, 3);
				 *_t34(0, _t30);
				 *_t34(0, _t30);
				_push(_t30);
				_v300.dwMajorVersion = 6;
				_v300.dwMinorVersion = 0;
				_v300.wServicePackMajor = 0;
				VerifyVersionInfoW( &_v300, 0x23, 0);
				return E00DCF35B(_v8 ^ _t35);
			}

0x00dc8d1c
0x00dc8d25
0x00dc8d2c
0x00dc8d33
0x00dc8d48
0x00dc8d50
0x00dc8d56
0x00dc8d5b
0x00dc8d66
0x00dc8d69
0x00dc8d7b
0x00dc8d7f
0x00dc8d83
0x00dc8d85
0x00dc8d8f
0x00dc8d9b
0x00dc8da2
0x00dc8da6
0x00dc8dbe

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,?), ref: 00DC8D7B
VerSetConditionMask.KERNEL32(00000000,?,?,?,?), ref: 00DC8D7F
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,?), ref: 00DC8D83
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00DC8DA6

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: ad430977464edc89631e1d6975cddd2f9b6e91e033bba2efdb1892c7c91856bf
Instruction ID: 6d9286bac4985c68f2cabb5beeb731f7f75697aebcbb76dee913bd7aa1d1a6b6
Opcode Fuzzy Hash: ad430977464edc89631e1d6975cddd2f9b6e91e033bba2efdb1892c7c91856bf
Instruction Fuzzy Hash: 89111670A403586ADB60DB659C4AFEFBBBCDFC4710F004099B504E6280DA745B548AA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC90C3 Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00DC90C3(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				char _t16;
				void* _t25;
				long _t26;
				intOrPtr _t30;
				intOrPtr* _t31;

				_t30 = __edx;
				_t31 = __ecx;
				_t16 = _a4 - 4;
				if(_t16 == 0) {
					__imp__GetTraceLoggerHandle(_a8);
					_t26 = 0;
					 *((intOrPtr*)(__ecx + 0x20)) = _t16;
					 *((intOrPtr*)(__ecx + 0x24)) = __edx;
					if(_t16 != 0 || __edx != 0) {
						__imp__GetTraceEnableFlags(_t16, _t30);
						 *((intOrPtr*)(_t31 + 0x28)) = _t16;
						__imp__GetTraceEnableLevel( *((intOrPtr*)(_t31 + 0x20)),  *((intOrPtr*)(_t31 + 0x24)));
						 *((char*)(_t31 + 0x2c)) = _t16;
						 *((intOrPtr*)( *_t31 + 4))();
					} else {
						_t26 = GetLastError();
					}
					return _t26;
				}
				if(_t16 == 1) {
					 *((char*)(__ecx + 0x2c)) = 0;
					 *((intOrPtr*)(__ecx + 0x28)) = 0;
					 *((intOrPtr*)(__ecx + 0x20)) = 0;
					 *((intOrPtr*)(__ecx + 0x24)) = 0;
					 *((intOrPtr*)( *__ecx + 8))();
					return 0;
				}
				_t25 = 0x57;
				return _t25;
			}

0x00dc90c3
0x00dc90cb
0x00dc90cd
0x00dc90d0
0x00dc90f6
0x00dc90fc
0x00dc90fe
0x00dc9101
0x00dc9106
0x00dc9118
0x00dc9121
0x00dc9127
0x00dc912d
0x00dc9134
0x00dc910c
0x00dc9112
0x00dc9112
0x00000000
0x00dc9137
0x00dc90d5
0x00dc90e0
0x00dc90e3
0x00dc90e6
0x00dc90e9
0x00dc90ec
0x00000000
0x00dc90ef
0x00dc90d9
0x00000000

APIs

GetTraceLoggerHandle.ADVAPI32(?), ref: 00DC90F6
GetLastError.KERNEL32 ref: 00DC910C

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: ErrorHandleLastLoggerTrace
String ID:
API String ID: 2334736533-0
Opcode ID: 249479871efce4f147738f1e8d1986856fd3883b9158243f54a68e9fea1ffbf3
Instruction ID: 604e7243cbc924ecd3fefb0173f24d95a1905b16db92e7dc0f23a3df4e6cd961
Opcode Fuzzy Hash: 249479871efce4f147738f1e8d1986856fd3883b9158243f54a68e9fea1ffbf3
Instruction Fuzzy Hash: 85012975604B02EFD721AF79D89C966FBF4FB1C3507584A2EE58AC7620D631E800DB24

Uniqueness

Uniqueness Score: -1.00%

Function 00DE1DF6 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00DE1DF6(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0xdf8890, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E00DE1DDF();
					E00DE1DA1();
					_t13 = WriteConsoleW( *0xdf8890, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x00de1e13
0x00de1e17
0x00de1e24
0x00de1e29
0x00de1e44
0x00de1e44
0x00de1e4a

APIs

WriteConsoleW.KERNEL32(?,00000022,00000000,00000000,?,?,00DE102E,?,00000001,?,00000022,?,00DDE33E,00000022,?,00000000), ref: 00DE1E0D
GetLastError.KERNEL32(?,00DE102E,?,00000001,?,00000022,?,00DDE33E,00000022,?,00000000,00000022,00000022,?,00DDE8C5,?), ref: 00DE1E19

Part of subcall function 00DE1DDF: CloseHandle.KERNEL32(FFFFFFFE,00DE1E29,?,00DE102E,?,00000001,?,00000022,?,00DDE33E,00000022,?,00000000,00000022,00000022), ref: 00DE1DEF

___initconout.LIBCMT ref: 00DE1E29

Part of subcall function 00DE1DA1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00DE1DD0,00DE101B,00000022,?,00DDE33E,00000022,?,00000000,00000022), ref: 00DE1DB4

WriteConsoleW.KERNEL32(?,00000022,00000000,00000000,?,00DE102E,?,00000001,?,00000022,?,00DDE33E,00000022,?,00000000,00000022), ref: 00DE1E3E

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: d96dc9f0f9c0b8d61114d4bdcacba68be6838ea17f9fd12f0242fd0d3891d71b
Instruction ID: bf907e255a43d26cea0a86ba01f5454ddf2be757b440685fea7e192665216351
Opcode Fuzzy Hash: d96dc9f0f9c0b8d61114d4bdcacba68be6838ea17f9fd12f0242fd0d3891d71b
Instruction Fuzzy Hash: E8F0A2365003A4BBCF623F96EC499993F66FB487B5B444010FE19D5220D6318860DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC1348 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC1348(void* __ecx, long _a4, long _a8) {
				long _t7;
				void* _t13;

				_t7 = _a4;
				if(_t7 != 0) {
					_t13 =  *(__ecx + 4);
					if(_a8 != 0) {
						return HeapReAlloc(_t13, 0, _t7, _a8);
					}
					HeapFree(_t13, 0, _t7);
					return 0;
				}
				return HeapAlloc( *(__ecx + 4), _t7, _a8);
			}

0x00dc134b
0x00dc1350
0x00dc1365
0x00dc1368
0x00000000
0x00dc137f
0x00dc136e
0x00000000
0x00dc1374
0x00000000

APIs

HeapAlloc.KERNEL32(?,?,?), ref: 00DC1359
HeapFree.KERNEL32(?,00000000,?), ref: 00DC136E

Strings

Uvpdv, xrefs: 00DC136E

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Heap$AllocFree
String ID: Uvpdv
API String ID: 1379380650-921773013
Opcode ID: 32bce650a1fc56baced77677dbc3b04fe452ca20e64090a64362a86f391a98d7
Instruction ID: f49ed24ec0721b3e8f73d3e9ec2459970a72573f1dfe0ca3d9927868c9d474e7
Opcode Fuzzy Hash: 32bce650a1fc56baced77677dbc3b04fe452ca20e64090a64362a86f391a98d7
Instruction Fuzzy Hash: 87E06534104385FFEB106FA0CC48F663B6CAB09319F10C108F905CA151C332E8109B70

Uniqueness

Uniqueness Score: -1.00%

Function 00DD25BA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00DD25BA(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed int _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E00DD19CC(_t96, __ecx, __edx, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E00DD19CC(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E00DD16D7(_t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E00DD1609(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00DD219B(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E00DD4C30(_t96, _t100, _t110, 0, _t121, __eflags);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					__eflags = _t78;
					if(_t78 == 0) {
						L41:
						_t80 = 1;
						__eflags = 1;
					} else {
						_t101 = _t78 + 8;
						__eflags =  *_t101;
						if( *_t101 == 0) {
							goto L41;
						} else {
							__eflags =  *_t111 & 0x00000080;
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0) {
								L23:
								_t97 = _t116[4];
								_t123 = 0;
								__eflags = _t78 - _t97;
								if(_t78 == _t97) {
									L33:
									__eflags =  *_t116 & 0x00000002;
									if(( *_t116 & 0x00000002) == 0) {
										L35:
										_t81 = _a8;
										__eflags =  *_t81 & 0x00000001;
										if(( *_t81 & 0x00000001) == 0) {
											L37:
											__eflags =  *_t81 & 0x00000002;
											if(( *_t81 & 0x00000002) == 0) {
												L39:
												_t123 = 1;
												__eflags = 1;
											} else {
												__eflags =  *_t111 & 0x00000002;
												if(( *_t111 & 0x00000002) != 0) {
													goto L39;
												}
											}
										} else {
											__eflags =  *_t111 & 0x00000001;
											if(( *_t111 & 0x00000001) != 0) {
												goto L37;
											}
										}
									} else {
										__eflags =  *_t111 & 0x00000008;
										if(( *_t111 & 0x00000008) != 0) {
											goto L35;
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										__eflags = _t98 -  *_t82;
										if(_t98 !=  *_t82) {
											break;
										}
										__eflags = _t98;
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											__eflags = _t99 -  *((intOrPtr*)(_t82 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												__eflags = _t99;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										__eflags = _t83;
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									__eflags = _t83;
									goto L31;
								}
							} else {
								__eflags =  *_t116 & 0x00000010;
								if(( *_t116 & 0x00000010) != 0) {
									goto L41;
								} else {
									goto L23;
								}
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x00dd25ba
0x00dd25ba
0x00dd25c1
0x00dd25ca
0x00dd26e9
0x00dd25d0
0x00dd25d0
0x00dd25d1
0x00dd25d2
0x00dd25dc
0x00dd25df
0x00dd25e5
0x00dd25ef
0x00dd2614
0x00dd2619
0x00dd261e
0x00dd26e5
0x00000000
0x00dd26e6
0x00dd261e
0x00dd25ef
0x00dd2624
0x00dd2627
0x00dd262a
0x00dd2630
0x00dd2636
0x00dd2648
0x00dd264d
0x00dd2650
0x00dd2653
0x00dd2656
0x00dd2659
0x00dd265f
0x00dd2665
0x00dd2668
0x00dd266b
0x00dd267a
0x00dd267b
0x00dd267b
0x00dd2680
0x00dd2693
0x00dd2695
0x00dd269a
0x00dd26a5
0x00dd26a7
0x00dd26a9
0x00dd26c5
0x00dd26ca
0x00dd26cd
0x00dd26cd
0x00dd26a5
0x00dd269a
0x00dd26d3
0x00dd26d4
0x00dd26d7
0x00dd26da
0x00dd26dd
0x00dd26e0
0x00dd266b
0x00000000
0x00dd265f
0x00dd26ea
0x00dd26ef
0x00dd26f3
0x00dd26f6
0x00dd26f7
0x00dd26f8
0x00dd26f9
0x00dd26fc
0x00dd26fe
0x00dd2776
0x00dd2778
0x00dd2778
0x00dd2700
0x00dd2700
0x00dd2703
0x00dd2706
0x00000000
0x00dd2708
0x00dd2708
0x00dd270b
0x00dd270e
0x00dd2715
0x00dd2715
0x00dd2718
0x00dd271a
0x00dd271c
0x00dd274e
0x00dd274e
0x00dd2751
0x00dd2758
0x00dd2758
0x00dd275b
0x00dd275e
0x00dd2765
0x00dd2765
0x00dd2768
0x00dd276f
0x00dd2771
0x00dd2771
0x00dd276a
0x00dd276a
0x00dd276d
0x00000000
0x00000000
0x00dd276d
0x00dd2760
0x00dd2760
0x00dd2763
0x00000000
0x00000000
0x00dd2763
0x00dd2753
0x00dd2753
0x00dd2756
0x00000000
0x00000000
0x00dd2756
0x00dd2772
0x00dd271e
0x00dd271e
0x00dd271e
0x00dd2721
0x00dd2721
0x00dd2723
0x00dd2725
0x00000000
0x00000000
0x00dd2727
0x00dd2729
0x00dd273d
0x00dd273d
0x00dd272b
0x00dd272b
0x00dd272e
0x00dd2731
0x00000000
0x00dd2733
0x00dd2733
0x00dd2736
0x00dd2739
0x00dd273b
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd273b
0x00dd2731
0x00dd2746
0x00dd2746
0x00dd2748
0x00000000
0x00dd274a
0x00dd274a
0x00dd274a
0x00000000
0x00dd2748
0x00dd2741
0x00dd2743
0x00dd2743
0x00000000
0x00dd2743
0x00dd2710
0x00dd2710
0x00dd2713
0x00000000
0x00000000
0x00000000
0x00000000
0x00dd2713
0x00dd270e
0x00dd2706
0x00dd2779
0x00dd277d
0x00dd277d

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00DD25DF

Strings

MOC, xrefs: 00DD25F1
RCC, xrefs: 00DD25F9

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: de8ba929aa0d1bac5a990988ce0e8b84aca20f3b3e9e79fb329650505965e083
Instruction ID: 4d4d1dae7751c66473c1f782df1e5293503cad950363ffa8aaf4e5244acdf3d4
Opcode Fuzzy Hash: de8ba929aa0d1bac5a990988ce0e8b84aca20f3b3e9e79fb329650505965e083
Instruction Fuzzy Hash: 9D414772900209AFCF16DF98DD81AAEBBB5FF58314F18809AF904A7211D335D951DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9604 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00DC9604(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _v9;
				char _v12;
				char _v16;
				intOrPtr _v17;
				void* __edi;
				void* __ebp;
				void* _t27;
				char _t44;
				void* _t48;
				intOrPtr* _t52;
				void* _t62;

				_t62 = __eflags;
				_t48 = __edx;
				_v9 = 0;
				_t52 = __ecx;
				EnumWindows(E00DC96C9,  &_v9);
				E00DC1AD8( &_v12, _t48, E00DC13D8());
				_push(_a8);
				E00DC7D9C( &_v16, L"%s\\%s.dmp", _a4);
				E00DC7D09( &_v16);
				_t34 = _v17;
				_t27 = E00DCAD79(_v17,  *_t52, _t62,  &_v16);
				if( *((char*)(_t52 + 1)) == 0) {
					_t55 = _v12;
				} else {
					_push(_a8);
					E00DC7D9C( &_v12, L"%s\\%s-full.dmp", _a4);
					E00DC7D09( &_v12);
					_t55 = _v12;
					_t44 = _v12;
					_t27 = E00DC506D(_t44, _t52);
					_t64 = _t27;
					if(_t27 != 0) {
						_push(_t44);
						_t27 = E00DCAD79(_t34,  *_t52, _t64,  &_v12);
					}
				}
				return E00DC13C0(_t27, _t55 - 0x10);
			}

0x00dc9604
0x00dc9604
0x00dc9614
0x00dc961f
0x00dc9621
0x00dc9631
0x00dc9636
0x00dc9646
0x00dc964f
0x00dc9654
0x00dc9664
0x00dc966f
0x00dc96b4
0x00dc9671
0x00dc9671
0x00dc9681
0x00dc968d
0x00dc9692
0x00dc9696
0x00dc9698
0x00dc969d
0x00dc969f
0x00dc96a7
0x00dc96ab
0x00dc96b1
0x00dc969f
0x00dc96c6

APIs

EnumWindows.USER32(00DC96C9,?), ref: 00DC9621

Part of subcall function 00DC13D8: GetProcessHeap.KERNEL32(00DC3B5B,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC13E9

Part of subcall function 00DC506D: GetFileAttributesExW.KERNEL32(000000FF,00000000,?,000000FF,?,?,?,00DC6279,000000FF,00000000,0000005C,00000000,?,?,000000FF), ref: 00DC5091

Strings

%s\%s-full.dmp, xrefs: 00DC967B
%s\%s.dmp, xrefs: 00DC9640

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: AttributesEnumFileHeapProcessWindows
String ID: %s\%s-full.dmp$%s\%s.dmp
API String ID: 600023215-1721437685
Opcode ID: 8ece9c6b45e6e60182613a5bdba93dbfc713184fc3476aaf593e80604ffe00dd
Instruction ID: 01e9cee1d0437ae16c11ffe13b0dedbcb7d251b6daa9846b74de08e3b1628224
Opcode Fuzzy Hash: 8ece9c6b45e6e60182613a5bdba93dbfc713184fc3476aaf593e80604ffe00dd
Instruction Fuzzy Hash: 6611D8760082479ACB04FF60E812EEABBE8DF41318F14055DF88597292EA319A1D87B2

Uniqueness

Uniqueness Score: -1.00%

Function 00DC33D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00DC33D6(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4) {
				WCHAR* _v8;
				void* __ebp;
				void* _t21;
				intOrPtr _t23;
				void* _t24;
				void* _t44;
				WCHAR* _t48;
				intOrPtr* _t50;

				_push(__ecx);
				E00DC1AD8( &_v8, __edx, E00DC13D8());
				_t48 = _v8;
				if((1 -  *((intOrPtr*)(_t48 - 4)) |  *((intOrPtr*)(_t48 - 8)) - 0x00000104) < 0) {
					E00DC1BA8( &_v8, 0x104, 0x104);
					_t48 = _v8;
				}
				__imp__SHGetFolderPathW(0, 0x23, 0, 0, _t48);
				if(0 >= 0) {
					if(PathAppendW(_t48, L"Google\\Update\\Log") == 0) {
						goto L3;
					} else {
						_t11 = _t48 - 0x10; // -16
						_t24 = E00DC1B55(_t11, _t44);
						_t50 = _a4;
						 *_t50 = _t24 + 0x10;
						E00DC13C0(E00DC48AE( &_v8, 0xffffffff), _t11);
						_t23 = _t50;
					}
				} else {
					L3:
					E00DC189E(_a4, 0x104, 0, 0xdf12c8);
					_t21 = E00DC48AE( &_v8, 0xffffffff);
					_t9 = _t48 - 0x10; // -16
					E00DC13C0(_t21, _t9);
					_t23 = _a4;
				}
				return _t23;
			}

0x00dc33d9
0x00dc33e4
0x00dc33e9
0x00dc33fe
0x00dc3404
0x00dc3409
0x00dc3409
0x00dc3414
0x00dc341c
0x00dc3450
0x00000000
0x00dc3452
0x00dc3453
0x00dc3458
0x00dc345d
0x00dc3468
0x00dc3471
0x00dc3476
0x00dc3478
0x00dc341e
0x00dc341e
0x00dc3426
0x00dc3430
0x00dc3435
0x00dc3438
0x00dc343d
0x00dc343d
0x00dc347b

APIs

Part of subcall function 00DC13D8: GetProcessHeap.KERNEL32(00DC3B5B,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC13E9

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,?,?,?,00DC348C,00000000,?,?,?,00DC3554,00000000), ref: 00DC3414
PathAppendW.SHLWAPI(00000000,Google\Update\Log,?,?,?,00DC348C,00000000,?,?,?,00DC3554,00000000,?,?,00000000), ref: 00DC3448

Strings

Google\Update\Log, xrefs: 00DC3442

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Path$AppendFolderHeapProcess
String ID: Google\Update\Log
API String ID: 3687224657-1952252280
Opcode ID: 3c30f01051cd2599b5f11c6b6f1f2494bb92018e412814144570f5976e73e9cd
Instruction ID: 48dfb0a4a8ebca8c13b08a2e6840c73415f72e48cc5fbe537131e9dc42605f26
Opcode Fuzzy Hash: 3c30f01051cd2599b5f11c6b6f1f2494bb92018e412814144570f5976e73e9cd
Instruction Fuzzy Hash: 4A11BF35600126ABDB08FF64CC52EBE77A8EF52310710462CF502E7182DB30AF058B70

Uniqueness

Uniqueness Score: -1.00%

Function 00DCF36C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00DCF36C(void* __eflags, intOrPtr _a4) {
				char _v20;
				void* _t9;
				intOrPtr _t10;
				intOrPtr _t14;
				char* _t21;
				void* _t24;
				void* _t27;

				_t24 = _t27;
				while(1) {
					_push(_a4);
					_t9 = E00DD3B1B();
					if(_t9 != 0) {
						break;
					}
					_t10 = E00DD3A28(__eflags, _a4);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags = _a4 - 0xffffffff;
						if(_a4 != 0xffffffff) {
							_push(_t24);
							_t24 = _t27;
							_t27 = _t27 - 0xc;
							E00DCF9C7( &_v20);
							E00DD1560( &_v20, 0xdf652c);
							asm("int3");
						}
						_push(_t24);
						_t21 =  &_v20;
						E00DCF9FA(_t21);
						E00DD1560( &_v20, 0xdf6580);
						asm("int3");
						_t14 =  *((intOrPtr*)(_t21 + 4));
						__eflags = _t14;
						if(_t14 == 0) {
							return "Unknown exception";
						}
						return _t14;
					} else {
						continue;
					}
					L10:
				}
				return _t9;
				goto L10;
			}

0x00dcf36d
0x00dcf37e
0x00dcf37e
0x00dcf381
0x00dcf389
0x00000000
0x00000000
0x00dcf374
0x00dcf37a
0x00dcf37c
0x00dcf38d
0x00dcf391
0x00dcfa7c
0x00dcfa7d
0x00dcfa7f
0x00dcfa85
0x00dcfa93
0x00dcfa98
0x00dcfa98
0x00dcfa99
0x00dcfa9f
0x00dcfaa2
0x00dcfab0
0x00dcfab5
0x00dcfab6
0x00dcfab9
0x00dcfabb
0x00000000
0x00dcfabd
0x00dcfac2
0x00000000
0x00000000
0x00000000
0x00000000
0x00dcf37c
0x00dcf38c
0x00000000

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00DCFA93

Part of subcall function 00DD1560: RaiseException.KERNEL32(?,?,?,00DCFAB5,00DF8B40,00EC7CE0,?,?,?,?,?,?,00DCFAB5,00000003,00DF6580,00000003), ref: 00DD15C0

__CxxThrowException@8.LIBVCRUNTIME ref: 00DCFAB0

Strings

Unknown exception, xrefs: 00DCFABD

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 8b2a23ea7873205c4e443dfe8166362ae220047c785ed018cdcb0a7184f82250
Instruction ID: ea6038551ea21928a9224f077633962dc2516e8c5153510d11a9e38824affc76
Opcode Fuzzy Hash: 8b2a23ea7873205c4e443dfe8166362ae220047c785ed018cdcb0a7184f82250
Instruction Fuzzy Hash: 2DF0A42890020E7A8F00FBB4E805FED776E9E00350B54423AF958D75D1EB70EA1589B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA413 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00DCA413(void* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				void* _t19;
				void* _t24;

				_t19 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t24 = __ecx;
				E00DC8623(_t24, L"uid-create-time", E00DE3B10(E00DC7495(__ecx), _t19, 0x989680, 0) + 0x49ef6f00);
				_v8 = _v8 & 0x00000000;
				E00DC8413(_t24, L"uid-num-rotations",  &_v8);
				_v8 = _v8 + 1;
				return E00DC8623(_t24, L"uid-num-rotations", _v8 + 1);
			}

0x00dca413
0x00dca416
0x00dca417
0x00dca41a
0x00dca43c
0x00dca441
0x00dca451
0x00dca45e
0x00dca469

APIs

Part of subcall function 00DC7495: GetSystemTimeAsFileTime.KERNEL32(?,00DF36B4,00DF36B4,?,00DC33BA,00000000,?,?,00000000,00DCB7E8,?,00000001,00000000), ref: 00DC74B5

__aulldiv.LIBCMT ref: 00DCA42A

Part of subcall function 00DC8623: RegSetValueExW.ADVAPI32(00DC7F74,00000000,00000000,00000004,?,00000004,?,00DC81F8,?,?,00000000,?), ref: 00DC8636

Part of subcall function 00DC8413: SHQueryValueExW.SHLWAPI(00DC7F74,00000000,00000000,00000000,?,00000000,00DF41C0,00DF41C0,?,00DC8347,IsEnrolledToDomain,?,00000000,00000000,?,HKLM\Software\Google\UpdateDev\), ref: 00DC8436

Strings

uid-create-time, xrefs: 00DCA437
uid-num-rotations, xrefs: 00DCA449, 00DCA450, 00DCA45D

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: TimeValue$FileQuerySystem__aulldiv
String ID: uid-create-time$uid-num-rotations
API String ID: 2700563484-461279828
Opcode ID: 801abd2004b3616031629a1b52dc097476f5af24e00daf6c28067fac4860afb3
Instruction ID: dfd75a7be40fb6b6b67a10fa7e6477128227498cb0807c43247edaa7c942038c
Opcode Fuzzy Hash: 801abd2004b3616031629a1b52dc097476f5af24e00daf6c28067fac4860afb3
Instruction Fuzzy Hash: C9F0A0B2B002097BDB18A765CD0AFBFA5ACCBC1B24F11009DB501E7281DAA09E0096B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6502 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC6502(void* __ecx, WCHAR* __edx, void* __eflags) {
				WCHAR* _t9;
				long _t15;
				void* _t16;

				_t9 = __edx;
				_t16 = __ecx;
				E00DC1AD8(_t16, __edx, E00DC13D8());
				_t15 = GetEnvironmentVariableW(_t9, 0, 0);
				if(_t15 == 0) {
					E00DC7ED7();
				} else {
					GetEnvironmentVariableW(_t9, E00DC19E5(_t16, _t15), _t15);
					E00DC48AE(_t16, 0xffffffff);
				}
				return _t16;
			}

0x00dc6505
0x00dc6507
0x00dc6511
0x00dc6521
0x00dc6525
0x00dc6543
0x00dc6527
0x00dc6532
0x00dc653c
0x00dc653c
0x00dc654d

APIs

Part of subcall function 00DC13D8: GetProcessHeap.KERNEL32(00DC3B5B,?,?,?,?,?,?,00DC15F8,?,?,?,?,?), ref: 00DC13E9

GetEnvironmentVariableW.KERNEL32(LocalAppData,00000000,00000000,00000000,00000000,?,0000001C,00DC6367), ref: 00DC651B
GetEnvironmentVariableW.KERNEL32(LocalAppData,00000000,00000000,00000000), ref: 00DC6532

Strings

LocalAppData, xrefs: 00DC651A, 00DC6531

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: EnvironmentVariable$HeapProcess
String ID: LocalAppData
API String ID: 2836036715-1192612098
Opcode ID: e7da924839901262d3c02ad04a42df01e303d73d05fa8602c7ad378824b372e0
Instruction ID: 116d166d603eba6314ff9fb306a503998cf540aa9d1c0e1c22a0b2c9824a6715
Opcode Fuzzy Hash: e7da924839901262d3c02ad04a42df01e303d73d05fa8602c7ad378824b372e0
Instruction Fuzzy Hash: 02E09A663006A223C624326E2C56F3F805DCFD6B21B24015EF212DB2A2CEA4CD0102B4

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6C71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DC6C71(void* __ecx, void* __edx) {
				intOrPtr* _t9;
				void* _t11;
				void* _t12;

				_t12 = __ecx;
				_t11 = __edx;
				if(__ecx == 0x80000003 || IsDebuggerPresent() != 0) {
					return 0;
				} else {
					OutputDebugStringW(L"**SehSendMinidump**\r\n");
					_t9 =  *0xdf9bb8; // 0x0
					if(_t9 == 0) {
						return 1;
					}
					return  *((intOrPtr*)( *_t9 + 4))(_t12, _t11, 0x23c34600, 0);
				}
			}

0x00dc6c72
0x00dc6c75
0x00dc6c7d
0x00000000
0x00dc6c89
0x00dc6c8e
0x00dc6c94
0x00dc6c9c
0x00000000
0x00dc6cb0
0x00000000
0x00dc6ca9

APIs

IsDebuggerPresent.KERNEL32(?,?,00DC3AF5), ref: 00DC6C7F
OutputDebugStringW.KERNEL32(**SehSendMinidump**,?,?,00DC3AF5), ref: 00DC6C8E

Strings

**SehSendMinidump**, xrefs: 00DC6C89

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DebugDebuggerOutputPresentString
String ID: **SehSendMinidump**
API String ID: 4086329628-2587082360
Opcode ID: cc61bf9eb77c32ff387385330fdbcf3eb227b9a07add501eb0132952e3161980
Instruction ID: 3e94fb00e5d0f41d6984ebafca4ae3fa09af2fd002620eff3f2a25ac3477e393
Opcode Fuzzy Hash: cc61bf9eb77c32ff387385330fdbcf3eb227b9a07add501eb0132952e3161980
Instruction Fuzzy Hash: 70E0DF3A3182135FD3682F25FE88FB73AA8DBC1701B2A40BDB996D7210D650DD529170

Uniqueness

Uniqueness Score: -1.00%

Function 00DC470B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00DC470B(void* __ecx) {
				long _t6;
				void* _t11;

				_t11 = __ecx;
				if( *(__ecx + 0x10) != 0) {
					_t6 = WaitForSingleObject( *(__ecx + 0x10), 0x1f4);
					__eflags = _t6;
					if(_t6 == 0) {
						L5:
						return 1;
					} else {
						__eflags = _t6 - 0x80;
						if(__eflags == 0) {
							goto L5;
						} else {
							_push( *((intOrPtr*)(_t11 + 0xc)));
							_push( *((intOrPtr*)(_t11 + 0x1c)));
							_push(L"LOG_SYSTEM: [%s]: Could not acquire logging mutex %s\n");
							OutputDebugStringW(E00DC6CB8(__eflags));
							 *((char*)(_t11 + 9)) = 0;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x00dc470c
0x00dc4712
0x00dc4720
0x00dc4726
0x00dc4728
0x00dc4751
0x00dc4754
0x00dc472a
0x00dc472a
0x00dc472f
0x00000000
0x00dc4731
0x00dc4731
0x00dc4734
0x00dc4737
0x00dc4745
0x00dc474b
0x00000000
0x00dc474b
0x00dc472f
0x00dc4714
0x00dc4714
0x00dc4717
0x00dc4717

APIs

WaitForSingleObject.KERNEL32(00000000,000001F4,?,00DC45B0), ref: 00DC4720
OutputDebugStringW.KERNEL32(00000000), ref: 00DC4745

Strings

LOG_SYSTEM: [%s]: Could not acquire logging mutex %s, xrefs: 00DC4737

Memory Dump Source

Source File: 00000011.00000002.562618509.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000011.00000002.562604920.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562792296.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562828422.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.562834326.0000000000DFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_ChromeRecovery.jbxd

Similarity

API ID: DebugObjectOutputSingleStringWait
String ID: LOG_SYSTEM: [%s]: Could not acquire logging mutex %s
API String ID: 3023325665-3861772780
Opcode ID: 1e74f9ac951856792721c0127b3f7403e3de68706ea706df1568afaec670a0c8
Instruction ID: 4dbdd324fb572b66d232db2ccb9590eaea80471b5fe0b39700cd218bb2a904de
Opcode Fuzzy Hash: 1e74f9ac951856792721c0127b3f7403e3de68706ea706df1568afaec670a0c8
Instruction Fuzzy Hash: 90E0DF31404352AFCF702F24AC48F963BE5EB02311F09885DF5A28BAD0D761D99E97B0

Uniqueness

Uniqueness Score: -1.00%

Source: Ruleset Data.1.dr	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Filtering Rules.1.dr, Ruleset Data.1.dr	String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
Source: Filtering Rules.1.dr	String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)

Source: elevation_service.exe, 0000000E.00000003.558851279.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552265185.0000014707742000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.556469698.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552309841.000001470773A000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.560992358.000001470773D000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: elevation_service.exe, 0000000E.00000003.558851279.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552265185.0000014707742000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.556469698.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552309841.000001470773A000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.560992358.000001470773D000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: elevation_service.exe, 0000000E.00000003.558851279.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552265185.0000014707742000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.556469698.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552309841.000001470773A000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.560992358.000001470773D000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: elevation_service.exe, 0000000E.00000003.558851279.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552265185.0000014707742000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.556469698.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552309841.000001470773A000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.560992358.000001470773D000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: elevation_service.exe, 0000000E.00000003.558851279.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552265185.0000014707742000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.556469698.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552309841.000001470773A000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.560992358.000001470773D000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ChromeRecovery.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: elevation_service.exe, 0000000E.00000003.558851279.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552265185.0000014707742000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.556469698.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552309841.000001470773A000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.560992358.000001470773D000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: authrootstl.cab_Zone.Identifier.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d187249b7de2e
Source: elevation_service.exe, 0000000E.00000003.558851279.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552265185.0000014707742000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.556469698.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552309841.000001470773A000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.560992358.000001470773D000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: elevation_service.exe, 0000000E.00000003.558851279.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552265185.0000014707742000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.556469698.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552309841.000001470773A000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.560992358.000001470773D000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: elevation_service.exe, 0000000E.00000003.558851279.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552265185.0000014707742000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.556469698.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552309841.000001470773A000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.560992358.000001470773D000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: elevation_service.exe, 0000000E.00000003.558851279.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552265185.0000014707742000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.556469698.000001470773D000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.552309841.000001470773A000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000000E.00000003.560992358.000001470773D000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.14.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://accounts.google.com
Source: craw_window.js.1.dr	String found in binary or memory: https://accounts.google.com/MergeSession
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://apis.google.com
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json.1.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: LICENSE.txt.1.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.1.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: 0b6b6f12-a23f-4eca-9dbc-aa10a76b0d74.tmp.2.dr, d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 05187f3a-574f-40d6-b7f6-b4de239a77c6.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://dns.google
Source: LICENSE.txt.1.dr	String found in binary or memory: https://easylist.to/)
Source: 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://fonts.googleapis.com
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://fonts.gstatic.com
Source: LICENSE.txt.1.dr	String found in binary or memory: https://github.com/easylist)
Source: craw_background.js.1.dr, craw_window.js.1.dr	String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://ogs.google.com
Source: manifest.json.1.dr, craw_window.js.1.dr	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr	String found in binary or memory: https://r3---sn-1gi7znek.gvt1.com
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr	String found in binary or memory: https://redirector.gvt1.com
Source: manifest.json.1.dr, craw_window.js.1.dr	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://ssl.gstatic.com
Source: craw_background.js.1.dr, craw_window.js.1.dr	String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://www.google.com
Source: manifest.json.1.dr	String found in binary or memory: https://www.google.com/
Source: craw_window.js.1.dr	String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.1.dr	String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.1.dr	String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.1.dr	String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.1.dr	String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, craw_background.js.1.dr, craw_window.js.1.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://www.googleapis.com
Source: manifest.json.1.dr	String found in binary or memory: https://www.googleapis.com/
Source: manifest.json.1.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.1.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json.1.dr	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.1.dr	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: d37cb5e6-bbfb-4996-9e2c-e16b34133ad2.tmp.2.dr, 690e0051-d682-4267-8c8f-e41f19bd3b24.tmp.2.dr	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d187249b7de2efd8

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecovery.exe

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\ChromeRecoveryCRX.crx

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\_metadata\verified_contents.json

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6728_1367142130\manifest.json

C:\Users\user\AppData\Local\Google\Chrome\User Data\2db15e99-6dfc-42b5-beea-8434781f5299.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\426527fa-1326-451c-ab76-fc2c90e7ffeb.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\4f2d5ca0-f60d-498f-965c-dc3d8f7f9e3c.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\6cd790b6-5099-416e-9dac-a9f89a1d53f5.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\8bec16de-ccc2-4bdd-884b-5a4ae16f8318.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\8e3d563a-7914-407b-945b-76d626f1938d.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\9729e2f1-e929-420b-9a9e-5255264f83b0.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\000001.dbtmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\000002.dbtmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\066e39b9-23bd-4f7c-bb6c-a7165e9ed069.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\11da441b-c044-4c92-a38b-87f8969125b6.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\21468ea5-c2f9-4805-900a-a85c6a81064d.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\67b09b8d-05f5-4327-8bbf-a835e0389c40.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\690e0051-d682-4267-8c8f-e41f19bd3b24.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\6b026497-acd5-444c-9805-8f953863c848.tmp

Windows Analysis Report
http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d187249b7de2efd8